Top 10 Security and Privacy Topics for IT Auditors

ISACA published its “Top 10 Security and Privacy Topics for IT Auditors” for 2010 in this years second volume of the ISACA Journal. As an IT manager nearing an audit myself, I pay particular attention to what ISACA says “should be on very IT auditor’s list for 2010-2011″.

  1. Know Where Your Organization’s “Crown Jewels” Are: The IT manager will have a tough time safeguarding important resources if they do not know what and where they are. ISACA says many organizations still do not have a good handle on their critical assets. Accordingly, auditors will be looking at our risk management and asset management processes.
  2. Review Security and Privacy Policies and Standards: This is the obvious one…. auditors will be looking at our policies and standards related to access control, data classification, network security, vendor management, vulnerability management and data leakage prevention. Of course, the good auditors will not only be looking for the documentation, but also evidence that they are actually being implemented across our enterprise.
  3. Assess the Effectiveness of Identity and Access Management (IAM) Process: The IAM process is the foundation for ensuring that proper on-boarding, off-boarding and provisioning. Auditors will be checking our workflows, including the approval hierarchy.
  4. Verify That the Users Understand Their Roles and Responsibilities Related to Security and Privacy: How well has IT communicated the goals, specifics and the importance of security and compliance policies to its customers and the rest of the business.
  5. Assess the Effectiveness of the Monitoring Process: This is another one we expect, but need to remember it concerns monitoring as it relates to our security information and event management (SIEM) systems and the appropriate regulatory standard, e.g., US Sarbanes-Oxley Act, US Health Insurance Portability and Accountability Act (HIPAA), US Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standards (PCI DSS), Basel II, etc.  Auditor will look to see that those events that are of consequence are logged, classified and prioritized, then reviewed and escalated as appropriate.
  6. Review the Governance Processes for the Organization: While somewhat out of the IT manager’s hands, this concerns how the business and executive management are treating the importance of compliance. For those of us in smaller companies that face compliance requirements (i.e., no funding), this can be a tough one.
  7. Audit the Extended Enterprise: ISACA concedes audits in this area have traditionally fallen short and I agree. The extended enterprise involves extranets, partners, outsourcers and vendors – a huge area. I fear it is a Pandora’s Box. ISACA says there has been too much reliance on Statement on Auditing Standards No. 70 (SAS 70) Type II reports. In practice, I have noticed very few of my vendors seem to have these.
  8. Review the Plans for Business Continuity: Another obvious one.
  9. Verify That the Business Leaders Are Aware of and Understand IT Initiatives: Part and parcel with #4.
  10. Verify That the Organization’s Risks Are Covered by an Adequate Insurance Policy: I suspect this is really addressed with #6.