Pawan Kumar Singh, Chief Information Security Officer, Tulip Telecom Limited
The following practices may be adopted to ensure effective internal security audits.
1. Ensure independence
It is of utmost importance that the internal security audit function reports to a body which has oversight of management activities. (In most cases, this body is the audit committee.) This provides the auditor with freedom to determine the scope of internal auditing, and perform the audit activities in an unbiased manner. It also diminishes the probability of any influence in communicating the findings. Independence is critical for any internal security audit function to act effectively.
2. Favor third-party auditors
A third-party team of auditors is preferred because of their unbiased approach toward the audit activity, and because their exposure to different industries gives them wide experience of different best practices. If an in-house team is mature enough to meet the above criteria, it can perform an internal security audit just as effectively.
3. Communicate the audit plan
It is important that auditors communicate the schedules, scope and methodologies of internal security audits to the auditee. Unannounced "flash" audits should be discouraged.
4. Remember that audits are about fact-finding, not fault-finding
Make your auditee comfortable. Help them understand that an internal security audit may bring to light facts or possible gaps that could have a business impact. An internal security audit exercise adds a great deal of value to an organization by raising it to a higher level of risk sensitivity. Most businesses realize this only after a few audit cycles.
5. Understand the business
The information security auditor should understand the auditee's business. This helps in identifying the risks that may be specific to that kind of business. Interactive sessions with the auditee can give the auditor deep insight into the business.
6. Understand the culture
It is important for an auditor to understand the culture and current risk sensitivity of the organization. An organization which has adopted information security very recently will not have the maturity of an organization where information security has already become part of the organizational DNA.
7. Understand the two kinds of audits
Internal security audits are generally conducted against a given baseline. Compliance-based audits validate the effectiveness of the policies and processes that the organization has documented and adopted, whereas risk-based audits validate the adequacy of those policies and processes. Risk-based audits should also be accounted for in the internal security audit schedule, since they are what drive improvement of the organizational policies and processes. Auditors can also adopt a mix of both approaches.
8. Sample carefully
An internal security audit exercise is very often based on smart sampling. Widely available methods include random sampling and statistical sampling. The risk with sampling is that the chosen sample may not be representative of the entire population. The auditor should use professional judgment to ensure that this risk is minimized.
9. Address the root cause
For every observation, an internal auditor should provide recommendations to management that not only correct the problem but also address its root cause.
10. Submit the audit report
An internal security audit report is the deliverable of the auditor; it is the result of the audit work. It is good practice for the audit report to start with an executive summary. Apart from the observations, the internal security audit report should carry a brief description of the background, the methodology and concluding statements. A statistical view of the criticality of the findings will make it easier for the management team to digest the report. It is also important to proofread the report so as to avoid any misinterpretation.
About the author: Pawan Kumar Singh is a CISSP and is currently the CISO of Tulip Telecom Ltd. He specializes in information security management and its governance and has extensive experience in information security audits of large organizations.
This was first published in July 2010