Being Honest About Finding Your Security Weaknesses: It’s What Strong Leaders Do

Being Honest About Security Weaknesses

Change Requested: Conformance with the ISM and PSPF
Change Envisioned: Crisp audits on key ISM controls; Horizontal/vertical assessment at an enterprise & system level; Innovative approach via self-assessments & workshops
Change Delivered: Identification of security weaknesses; Executive awareness on importance of security; Ability to demonstrate a plan to improve security to the ANAO

Security threats are constantly changing and evolving. Identifying security weaknesses is not a one-way street. Internal Audit has a role to play in identifying ISM conformance gaps to help organisations improve security.

Managing a large, complex government department is no easy task, especially when it is facing a large transformation program, budget shortfalls and tight delivery time frames. This department is currently pioneering shared services within the Commonwealth and recently led several technology initiatives for the broader Australian Government. That’s great news. But with great initiatives often comes challenge.

Because the department merged with several other organisations, it found itself in the position of having to deal with different types of systems and applications on a variety of platforms. To make it even more challenging, each had applications with different levels of security.

Complexity may be good when it comes to fine wine. Not so much when it comes to IT security. Fortunately, the department had a proactive IT Audit function that did not count on luck alone. It sought to take action before the systems caused any real-world problems. The Chief Audit Executive directed the Internal Audit function to undertake an assessment of the department's security posture and conformance with the Information Security Manual (ISM), including the Protective Security Policy Framework (PSPF), to identify gaps and create awareness amongst senior executives of potential security weaknesses.

To undertake this program of work, the department engaged Protiviti, who brought in a team of IT security specialists and IT auditors. The first task for the Protiviti team was to undertake an assessment of the current environment within the organisation. The Protiviti team consulted with key stakeholders within the technology division to understand the key environments, platforms and systems. Subsequently, the team identified the relevant business and system owners and determined whether the systems had been accredited or certified.

The ISM has approximately 1,000 controls that apply at an enterprise level and at an individual system level. The Protiviti IT audit team developed a three-pronged methodology to assess conformance within the organisation by categorising the controls into three groups:

  • Controls that need to be applied at an enterprise level.
  • Controls that need to be applied at a system level.
  • Controls to demonstrate conformance with ASD Top 4 mandatory controls.

The IT Audit team subsequently developed a plan to test conformance at an enterprise and system level through a 12-month program focusing on the following:

  • Enterprise level - controls were further grouped into key areas such as governance, documentation, accreditation, physical security etc. so that smaller audits could be performed throughout the year.
  • System level - key controls that impacted a generic system were identified. Following the earlier assessment of the environment, a list of high-risk systems was identified.

An innovative approach and methodology was developed to perform the IT audits, manage audit effort and maximise coverage. The Protiviti IT Audit team:

  • Developed detailed self-assessment questionnaires to be sent to key stakeholders at the enterprise and system level.
  • Conducted self-assessment workshops to discuss the outcomes of the questionnaires, obtain further evidence and finalise observations.
  • Developed detailed test programs to test design and operating effectiveness of conformance with the ASD Top 4 security controls.

The comprehensive tiered approach paid off for the department. The Protiviti team identified a number of weaknesses at the enterprise and system level. The team was also able to provide the department with the key areas it needed to focus on to improve security posture within the organisation.

Throughout the audit, the Protiviti team consulted with key security stakeholders within the organisation, including the CISO, ITSA, executive level staff responsible for security, IT risk and system owners. The observations and outcomes were communicated and discussed regularly. This created significant awareness within the organisation of the importance of security. Senior stakeholders within the technology division utilised the audit outcomes to demonstrate to the ANAO the plan of action to improve security within the organisation.

For many government departments, it is increasingly important to protect key data and information. An assessment of security conformance is no guarantee that the organisation will never have a security breach. However, it will enable management to respond to security weaknesses and reduce the possibility of a compromise.