When you ask your doctor for a second opinion, do you really want him to give you his opinion again?
No. You want a second opinion. An independent evaluation. Too many financial institutions do this very thing on a daily basis – they hire the same company that put their security systems in place to do a security audit on those very systems. How many fence-builders are going to find holes in their own fences? “Nope. No problems here. There’s supposed to be some information leakage. It’s called ‘natural seepage.’” Or, even worse – “The bad news is you have a massive gap in your firewall. The good news is we can fix it. For a small fee.”
Another common mistake that financial institutions make when choosing a security audit firm is to hire an all-in-one company that also sells security solutions. Gee, what are the odds that they’ll find a problem that their product just happens to fix?
The legal and regulatory requirements (FFIEC, GLBA, SOX, FDIC, etc.) further clarify the need for independence in the assessment of internal security controls and the protection of confidential information.
In this brief, we discuss some practical issues for financial institutions to consider when choosing a company to do a security audit, as well as summarize the compliance risks for institutions that lack objective evaluations.
The Practical Perspective
What could be more practical than having one company do all of your IT work for you? You only have to sign one contract, and you don’t have to go shopping for another auditor. It’s convenient, and it seems like a money-saver.
Not so much.
We had a bank client that had its internal IT security audit completed by the same firm that managed its technology infrastructure. During the examination, regulators rejected the objectivity of the security audit, and the bank was required to retain another firm to do the work all over again.
On another occasion, we met with a prospective client who was just about to implement a mitigation strategy proposed by their auditor for a minor security risk. The fix was going to cost $20,000 – for a product the auditor was selling. On the spot, we suggested an obvious no-cost fix that mitigated the risk by making some minor improvements to operational processes. This highlighted two problems with vendor-based auditors: 1) they’re likely to try to upsell their own products, and 2) they’re not likely to focus on or catch problems with simple operational issues.
The cost savings in these two instances are obvious, but there are additional cost savings that are less obvious when your security audit is truly independent. The objective auditor has a broader, fresher perspective, and won’t hand you a list of 1,000 nit-picky problems. Rather, they’ll help you focus on any central issues that are uncovered, and suggest practical and cost-effective solutions.
The Legal and Regulatory Perspective
While the practical considerations of security audit independence are clear, there is also substantial regulatory guidance. If the practical security and cost issues are not enough to clarify the need for independence, then a review of the compliance requirements certainly should.
Trivia question: How many times does the word independent or independence occur in the FFIEC Audit IT Examination Handbook? 76 times!
And now, for a little light reading.
The FFIEC – Federal Financial Institutions Examination Council
From the FFIEC’s Information Security IT Examination Handbook: “Independent diagnostic tests include penetration tests, audits, and assessments. Independence provides credibility to the test results. To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, as well as the policies and procedures that guide its operation. The reports generated from the tests should be prepared by individuals who also are independent of the design, installation, maintenance, and operation of the tested system.”
The FDIC – SOX Compliance
In consideration of the Sarbanes-Oxley Act, the FDIC recently updated its guidance regarding auditor independence. According to the associated Financial Institution Letter (FIL-21-2003), “The key characteristic of such reviews is that the person(s) directing and/or performing the review of internal controls is not also responsible for managing or operating those controls.” Furthermore, “If the agency staff concurs that the independence of the external auditor or other vendor appears to be compromised…the agency may conclude that the institution's external auditing program is inadequate and that it does not comply with auditing and reporting requirements.”
The FDIC – GLBA Compliance
Section III of the FDIC’s Financial Institution Letter (FIL-68-2001) regarding compliance with section 501(b) of the Gramm-Leach-Bliley Act (GLBA) evaluates the adequacy of an institution’s program to manage and control risk. The key question posed for examiners of security audits in this section is: “…assess whether tests are conducted or reviewed by independent third parties or qualified staff independent of those that develop or maintain the security program.”
Six Questions
Here are six questions you can ask yourself to help determine whether your auditor is independent:
1. Does my IT consulting firm say that their security auditing services are completed by another division within their company? Just because my two-year-old daughter is in the “Kid Division” of my family doesn’t mean she’s not still a part of my family (even if that division’s financials have been underperforming).
2. Is my security auditor also a vendor of other IT products or services, such as firewalls?
3. Does my security auditor offer to do remediation on the issues they find?
4. Does my security auditor work on our internal technology but claim that their penetration test only addresses the firewall, which they don’t manage, so there is independence? (Believe it or not, we see penetration test providers do nothing more than review the firewall, and miss the contextual issues of the entire network architecture.)
5. Is my vendor emphasizing the ease and benefits of a one-stop shop without clarifying the conflicts of interest?
6. Does my vendor meet this regulatory standard from the FFIEC Audit IT Examination Handbook (Tier I Examination Procedures, Objective 5: Determine the level of audit independence)? “Determine whether independence is compromised by: Auditors responsible for operating a system of internal controls or actually performing operational duties or activities.”
Conclusion
Wouldn't it be great if you could have graded your own finals in college? "Johnson, you're brilliant! I had no idea that the Wright Brothers were not only working for Enron, but also invented the automobile! A+!" This is that glowing feeling you give companies that do your IT or try to sell you extra services when you hire them for your security audit.
While there are perceived benefits in one-stop shops or companies that can fix the issues they identify, ensuring that there is independence and objectivity in the auditing process will save time and money in the long run and keep an institution on a path of regulatory compliance. Consider asking yourselves the kinds of questions we pose here about your own security audit relationship.
John Abraham, President, Redspin, Inc.
Redspin is a provider of security and compliance audits for over 100 banks and credit unions throughout the country. Shockingly – who’d have guessed? – they do not sell any other products.
References
FDIC Financial Institution Letter FIL-68-2001, August 24, 2001. 501(b) Examination Guidance: Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information.
FFIEC (Federal Financial Institutions Examination Council). Information Security IT Examination Handbook, December 2002.
FFIEC (Federal Financial Institutions Examination Council). Audit IT Examination Handbook, August 2003.
FDIC Financial Institution Letter FIL-21-2003, March 17, 2003. Internal Audits.
Redspin specializes in security audit and security assessment services, which help identify potential threats. www.redspin.com