Typical IT Security Audit Findings

IT security is a longstanding concern for enterprises, especially those in highly regulated industries such as financial service providers governed by regulations from the Basel II Accords, the U.S. Gramm-Leach-Bliley (GLB) Act, the U.S. Securities and Exchange Commission (SEC), the U.S. Office of the Comptroller of the Currency, and some others.

IT security has become a concern of top managers, especially with the introduction of the Sarbanes-Oxley separation-of-duties requirements and the U.S. Health Insurance Portability and Accountability Act (HIPAA).

This article describes five typical findings of IT security auditors. This is the second part of our guide for IT security auditors. The first part of this article can be found here: Top 10 Risk and Security Audit Findings

Segregation of Duties in ERP Systems

Typical Finding: The enterprise is unable to control segregation of duties.

What It Means:

Segregation of duties is very important in systems that affect the integrity of financial reporting. The use of conflicting permissions could compromise the integrity of financial data. Segregation of duties is also important in IT risk management. A segregation of duties conflict arises, for example, when one person can both add records to a database and also edit or delete them; these roles should be segregated.

How to Avoid the Problem:

Segregation of duties conflicts must be identified, and the controls necessary to prevent them must be implemented. Segregation of duties violations are often a red flag, as they represent an unnecessary vulnerability and sometimes indicate deliberate fraud.

Minimum Remediation Required:

You can detect segregation of duties violations by manually reviewing all users' permissions to identify conflicts.

Recommendation:

The detection and remediation processes for segregation of duties can be automated. The provisioning workflow can be formalized into an online system to prevent future conflicts.

Advanced Measures:

Transactions can be monitored continuously for risky use of conflicting permissions.
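The manual permission review in the minimum remediation, the automated detection in the recommendation, and the continuous monitoring of transactions described above can all be expressed as checks over a conflict matrix. The following Python is an added example, not code from the original article: the permission names, roles, user assignments, conflict rules and transaction log are constructed sample data, and `find_sod_violations` and `find_exercised_conflicts` are hypothetical helper names.

```python
"""Segregation-of-duties (SoD) conflict detection over a permission matrix.

Added example; all permission names, roles, users, rules and transactions
below are constructed sample data, not taken from any real ERP system.
"""
from collections import defaultdict

# Constructed conflict matrix: pairs of permissions one person must not hold together.
SOD_RULES = {
    ("VENDOR_CREATE", "PAYMENT_APPROVE"): "can create a vendor and approve payments to it",
    ("JOURNAL_POST", "JOURNAL_APPROVE"): "can post and approve own journal entries",
    ("DB_INSERT", "DB_DELETE"): "can add records and also delete them",
}

# Constructed role definitions and user-to-role assignments.
ROLES = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"PAYMENT_APPROVE"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
    "GL_CONTROLLER": {"JOURNAL_APPROVE"},
    "DBA": {"DB_INSERT", "DB_DELETE", "DB_SELECT"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},   # holds both sides of a conflict
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"DBA"},                      # one role that is itself conflicting
}


def effective_permissions(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of the permissions granted by every role assigned to a user."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def find_sod_violations(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """Provisioning-time check (the 'manual review', automated).

    Returns {user: [(perm_a, perm_b, description), ...]} for every user whose
    effective permissions contain both sides of a conflicting pair.
    """
    violations = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, roles)
        hits = [(a, b, desc) for (a, b), desc in rules.items()
                if a in perms and b in perms]
        if hits:
            violations[user] = hits
    return violations


# Constructed transaction log: (user, permission exercised, business object).
TRANSACTIONS = [
    ("bob", "VENDOR_CREATE", "V-1001"),
    ("bob", "PAYMENT_APPROVE", "V-1001"),   # same person on both sides: risky use
    ("alice", "VENDOR_CREATE", "V-1002"),
    ("bob", "PAYMENT_APPROVE", "V-1002"),   # two different people: not flagged
    ("dave", "DB_INSERT", "row-7"),         # only one side exercised: not flagged
]


def find_exercised_conflicts(transactions=TRANSACTIONS, rules=SOD_RULES):
    """Transaction-level check (the 'continuous monitoring' measure).

    A user merely holding conflicting permissions is a provisioning finding;
    this flags cases where one user actually exercised both sides of a
    conflicting pair against the same business object.
    """
    used = defaultdict(set)  # (user, object) -> permissions exercised
    for user, perm, obj in transactions:
        used[(user, obj)].add(perm)
    flagged = []
    for (user, obj), perms in used.items():
        for (a, b) in rules:
            if a in perms and b in perms:
                flagged.append((user, obj, a, b))
    return sorted(flagged)


if __name__ == "__main__":
    for user, hits in find_sod_violations().items():
        for a, b, desc in hits:
            print(f"SoD violation: {user} holds {a} and {b} ({desc})")
    for user, obj, a, b in find_exercised_conflicts():
        print(f"Risky use: {user} exercised {a} and {b} on {obj}")
```

The two checks answer different questions: the first is what an auditor samples when reviewing role assignments, and the second is what a monitoring control raises when a conflict is actually used, which is the case that most often indicates fraud rather than sloppy provisioning.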

Physical Access

Typical Finding: Physical access permissions are not documented and are unknown. Unauthorized access is achievable.

What It Means:

This finding is very common and means that persons gaining unauthorized access to facilities have the ability to damage, misuse, or alter the enterprise's critical systems, applications, and information assets.

How to Avoid the Problem:

Physical access to systems and assets must be controlled and addressed appropriately.

Minimum Remediation Required: 

Access policies and minimal controls are the basic measures in physical access. Controls can take the form of, for example, door locks, sign-in sheets, camera monitoring, or simply placing assets where they are less exposed to attack.

Advanced Measures:

More advanced measures include, for example, multifactor authentication, access control tracking integrated with log concentrators, or video surveillance.

Business Continuity Management and Disaster Recovery

Typical Finding: Business continuity plans and disaster recovery plans are not available or not current. Evidence of periodic updating and review of such plans is not available.

What It Means:

This means that the company or process could be jeopardized in the event of disaster or other emergency.

How to Avoid the Problem:

It is vital for today's businesses to have at least a minimal plan in place to protect business operations in the event of reasonably anticipated threats (e.g. fire, flood, terrorist attack). It is important to consider not only traditional risks such as flood and fire but also other risks such as internet and phone connectivity outages, an avian flu epidemic, and so on.

Minimum Remediation Required:

At least a minimal business continuity and disaster recovery plan should be prepared and periodically reviewed.

Recommendation:

A formal plan based on established best practices should be developed and then tested annually.

Advanced Measures:

Disaster recovery risk mitigation can take the form of a mirror production site with automated failover and failback capabilities.

Sourcing Controls and Partner Agreements

Typical Finding: Auditors often find that agreements with third-party service providers and business partners do not specifically address data protection requirements.

What It Means:

It is important to realize that sensitive data may fall into the hands of unauthorized parties due to inadequate security measures in the relationship with external parties. This can happen, for example, when a company outsources data processing activities to another company and that company in turn subcontracts the activities further.

How to Avoid the Problem:

Controls for the transfer of data between the enterprise and the external party should be developed. Controls should also be in place for the protection of the data while it is under the control of the external party.

Minimum Remediation Required:

Security requirements of all agreements and contracts with business partners and third-party service providers should be reviewed.

Recommendation:

All external parties should be required to present evidence of their security controls, with those controls reviewed annually. Risk and security requirements should be added to all contracts and other agreements with external parties.

Advanced Measures:

Require Statement on Auditing Standards (SAS) 70 Type 2 audits, or equivalent external review and attestation, of all controls.

Education and Awareness

Typical Finding: Security education is not provided to employees. Employees' knowledge and understanding of their data protection responsibilities is not tested or documented.

What It Means:

Even well-intentioned but uninformed employees can represent a great risk to the enterprise. An employee who discloses information to a journalist may mean well, but the consequences can be far-reaching.

How to Avoid the Problem:

Very often, risks can be mitigated by just explaining to people what they are allowed to do, or what they should not be doing. For this reason, education and awareness programs usually offer the greatest return on investment.

Minimum Remediation Required:

Distributing a guide that documents approved best practices and conducting workshops that explain these best practices is a good way to educate employees.

Recommendation:

The training program should be formalized with specific targets and professionally produced instruction materials.

Advanced Measures:

Computer-based training is very common these days. Computer-based training is often supplemented with tracking, reporting on completion, and specific compliance goals.

Return to the first part of this article: Top 10 Risk and Security Audit Findings
