Information audits in a perimeter-less world
Jayesh Kamat, Practice Head, Risk Advisory Services, Seclore Partner
The Business Challenge
Information Value

"Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it."
~ Rear Admiral Grace Murray Hopper
Traditional Perimeter Definition

Traditional definitions of perimeters have relied on a combination of the following concepts:
- Physical locations
- Managed computers
- Applications: business (automation, BI)
- Networks: corporate (LAN, WAN)
- People: employees and contractors

What is the relevance of these constructs today?
Traditional Audit Approach

Information security = information system security. We secure the information, and assess its security, through the security of its containers.

Controls assessed per container (labels recovered from the slide's network diagram; image source: http://www.whoners.com/wp-content/uploads/2011/05/computer-network-support.jpg): secure configuration, email controls, application controls, patches and updates, backup, maintenance, access privileges, access logs, authorization, authentication, antivirus, physical and environmental controls, endpoint security, encryption, data backup, vendor and third-party security, network controls, remote policy enforcement, remote wipe.
The Challenge

- Information flows beyond these traditional assessment perimeters: it travels to people (external consultants, SMEs), vendor systems and personnel, and other networks.
- Sensitive data is created in many contexts.
- There is a need to share information with internal and external stakeholders, partners, vendors and SMEs.
- NDAs and legal contracts with employees and vendors are ineffective and difficult to enforce.
- Methods of sharing confidential data are varied (email, CD, FTP, USB, ...).
- Policies for information security are complex.
- Sensitive data is generated, stored and processed on cloud services/SaaS; data volume and business constraints may not allow for an audit of the providers.
- There is no control over confidential information once it leaves the perimeter.

(Image source: http://www.bannerhousing.ie/support.html)
Securing information vs. information systems?

Apart from the enterprise/perimeter security systems, information itself is protected today using technologies like DLP and IRM.

Diagram (labels recovered): the enterprise/DLP perimeter contains the policy enterprise server; the extended enterprise covered by IRM reaches the parties shown around the perimeter: external auditor, consultants, vendors, customers, telemarketer, lawyers, competitors, government.
The New Paradigm
Change the Paradigm

Along with the regular information system audit, an information security audit itself should be considered:
- Audit information governance and sustenance controls
- Focus on the information itself along with the information system
- Focus on who sends and receives the information, how, and what
- Focus on enforcement of information security (policies, processes)
- Audit reporting and monitoring controls
Governance & Sustenance

Ensure governance and sustenance roles, responsibilities and processes are designed well and their implementation is effective. A data governance framework or the DSCI DSF guidelines can be adopted for this purpose.
- An established governance framework consisting of roles, responsibilities and accountability
- An established classification schema
- DLP/IRM tool strategy
- Management, reporting and monitoring processes
- User awareness program

(Sources: DGI Framework from www.datagovernance.com; DSCI DSF)
Focus on Information

Ensure classification policies, data handling policies and processes are designed well and their implementation is effective. This includes the use of media encryption as well as information encryption, if applicable.
- Classification: control design, control effectiveness
- Encryption
- Access policies: sender, receiver; access times, expiration
- Automatic enforcement
- User training and enforcement
Reporting & Monitoring

Ensure regular and frequent reporting of incidents is being carried out, with timely investigations of all violations.
- Incident management processes: control design and effectiveness
- Investigations and closure
- Program effectiveness
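The two slides above describe an IRM-style access policy (sender, receiver, access times, expiration, automatic enforcement) and the reporting that an auditor expects over its decisions. The following is an added illustration, not Seclore's code or any product's API: a toy policy evaluator that checks each access request against a document's policy and records every decision, so that violations can be counted for a report. The policy fields, the constructed sample document and users, and the function names are all assumptions made for the example.

```python
"""Added example: evaluating an IRM-style access policy and keeping an
audit trail of decisions. Not the presenter's code; all names are assumed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Policy attached to one classified document (assumed fields)."""
    document_id: str
    classification: str
    sender: str                          # owner; may always open the document
    recipients: FrozenSet[str]           # who else may open it
    expires_at: datetime                 # no access at or after this instant
    hours_utc: Optional[Tuple[int, int]] = None  # (start, end) hour window, end exclusive


@dataclass(frozen=True)
class Request:
    document_id: str
    user: str
    at: datetime                         # timezone-aware


@dataclass(frozen=True)
class AuditEvent:
    document_id: str
    user: str
    at: datetime
    allowed: bool
    reason: str


def evaluate(policy: Policy, req: Request) -> AuditEvent:
    """Decide one request; every outcome, allowed or denied, is recorded."""
    def record(allowed: bool, reason: str) -> AuditEvent:
        return AuditEvent(req.document_id, req.user, req.at, allowed, reason)

    if req.document_id != policy.document_id:
        return record(False, "policy does not cover this document")
    if req.at >= policy.expires_at:                      # expiration check
        return record(False, "access expired")
    if req.user != policy.sender and req.user not in policy.recipients:
        return record(False, "user is not an authorised recipient")
    if policy.hours_utc is not None:                     # access-time check
        start, end = policy.hours_utc
        if not (start <= req.at.astimezone(timezone.utc).hour < end):
            return record(False, "outside permitted access window")
    return record(True, "allowed")


def run(policy: Policy, requests: List[Request]) -> List[AuditEvent]:
    """Automatic enforcement over a batch of requests; returns the audit trail."""
    return [evaluate(policy, r) for r in requests]


def violations(events: List[AuditEvent]) -> List[AuditEvent]:
    return [e for e in events if not e.allowed]


def report(events: List[AuditEvent]) -> Dict[str, int]:
    """Violation counts by reason, the figure an auditor asks for."""
    return dict(Counter(e.reason for e in violations(events)))


# Constructed sample data (not real documents or people).
SAMPLE_POLICY = Policy(
    document_id="DOC-0001",
    classification="Confidential",
    sender="alice@corp.example",
    recipients=frozenset({"bob@vendor.example"}),
    expires_at=datetime(2024, 7, 1, tzinfo=timezone.utc),
    hours_utc=(8, 18),
)

SAMPLE_REQUESTS = [
    Request("DOC-0001", "bob@vendor.example", datetime(2024, 6, 15, 10, tzinfo=timezone.utc)),
    Request("DOC-0001", "bob@vendor.example", datetime(2024, 6, 15, 22, tzinfo=timezone.utc)),
    Request("DOC-0001", "carol@other.example", datetime(2024, 6, 15, 10, tzinfo=timezone.utc)),
    Request("DOC-0001", "bob@vendor.example", datetime(2024, 7, 2, 10, tzinfo=timezone.utc)),
    Request("DOC-0001", "alice@corp.example", datetime(2024, 6, 15, 9, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    trail = run(SAMPLE_POLICY, SAMPLE_REQUESTS)
    for e in trail:
        print(e.at.isoformat(), e.user, "ALLOW" if e.allowed else "DENY", e.reason)
    print(report(trail))
```

The checks run in a fixed order (expiry, then recipient, then time window), so a single denial reason is logged per request; an auditor reviewing the trail sees which control rejected the access, which is what the "investigations and closure" bullet depends on.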
Audit Framework Creation

IS audit frameworks are usually established based on compliance requirements; augmenting such a framework with DSCI and DGI guidance can help create an information auditing framework.

Diagram (labels recovered):
- Inputs to the IS audit framework: privacy laws, COBIT, BS25999, ISO27001, ISO20000, PCI DSS
- Inputs to the information audit framework: DSCI DSF (Data Security Framework; source: DSCI) and the Data Governance Framework of the Data Governance Institute (source: DGI Framework from www.datagovernance.com)
- Requirements 1, 2, 3 and 4 from both are rationalized into a single rationalized audit framework
In Summary

It is recommended that, along with the traditional information systems audit, an audit of information control design and effectiveness should also be conducted.

Traditional IS audit:
- IT governance, business continuity
- Acquisition, system development control
- Infrastructure and operations
- Information security management framework
- Physical and environmental controls

IS audit and information audit (in addition to the above):
- Data governance and sustenance principles
- Data protection, operations
- Incident management, reporting
Thank You!