With regulations such as Sarbanes-Oxley and HIPAA, and a seemingly endless stream of cyberthreats and vulnerabilities to worry about, CISOs are under more pressure than ever.
This is something Jay Taylor understands. As the general director of information technology audit at General Motors, he works closely with the company's security team and knows all too well how much security officers have on their plates these days.
"They've got so much responsibility. It's so broad. They have all these suppliers coming at them with supposedly great ideas for technologies, while they are also under pressure from operating management and their own IT department management to reduce costs and deliver results," he says. "Now the board of directors is asking CIOs and CISOs to attend audit committee meetings and talk about what they are doing to manage information security risk."
Taylor and the Institute of Internal Auditors (IIA) hope that guidelines the group plans to release in July will reduce some of the pain felt by CISOs.
Geared for chief audit executives (CAEs), IIA's Global Technology Audit Guide (GTAG) series is designed to provide technology guidance on topics such as IT controls and change management in straightforward business language.
"What these guides are designed to do is provide CAEs with IT-related information so they will have a better understanding of business risks and the challenges a CISO or CIO is facing.
"This will enhance the auditor's understanding of IT management's concerns and the technologies and processes that CISOs want to put in place. This will also enable better alignment of audit and information security goals," says Taylor, a member of IIA's advanced technology committee.
"CISOs are experts on information security, and internal auditors are experts on internal controls. Probably the most important thing we can do is to align our goals to support each other to protect the company and its stakeholders," he adds. "CISOs have much more expertise than the internal auditors about the areas in which we can partner to affect change."
Taylor hopes the guides can provide some consensus on key controls. If a company has not selected a control framework, friction can develop between various departments.
"Auditors come in and have tools and frameworks they use, which might be different from what the CISO feels should be applied, and that can cause conflict. Agreement is needed on the standards applied," he says.
IIA released the first report in the GTAG series, Information Technology Controls, in March 2005. The second guide in the series, Change and Patch Management Controls: Critical for Organizational Success, is slated for July release, when the IIA holds its international conference in Chicago. A third guide on continuous monitoring is scheduled for September, and one on privacy is planned for December.
The Center for Internet Security, Carnegie Mellon University Software Engineering Institute, and the SANS Institute all got involved in the development of the guides.
Heriot Prentice, IIA IT director of technology practices, says the guides are an attempt to provide audit managers with a better understanding of IT: "All auditors need to embrace technology."
The guides will also get the message out about the importance of security. "If we can help promote security to senior executives, and if they have a better understanding of what needs to be in place, all and well. If some people consider the cost of security as high, it's not as high as losing your business."
To that end, Prentice hopes the guides will help soften what can sometimes be an adversarial relationship between security officers and auditors.
"They don't always see auditors as friends. We're the ones that come in and tell you how to do things," he says.
"By publishing these guides, I hope security officers will read them and say: 'These guys can actually help us.' I've always had a sympathetic view of security officers. They always get beaten down and told: 'You don't have this [documentation],' while also trying to do their job."
Indeed, if the GTAGs help bridge the gap between security and audit, it will be beneficial, says Alan Paller, research director at the SANS Institute.
"One of the toughest jobs for a security team... is that the auditors are often unfamiliar with the methods and tests used by the security and operations people, and because they don't know what's being used, they tend to use their own tests, and that generates unnecessary conflict," he says.
"If the auditors and operations people can agree in advance about how they're going to measure security, then they're both working towards the same goal," adds Paller. "If the IIA booklet helps in any way towards that goal, it's valuable."
Gene Kim, CTO at Tripwire and a member of the IIA advanced technology committee, says the GTAG on change and patch management was modelled on research he conducted with Carnegie Mellon's Software Engineering Institute. The research looked at how high-performing security organizations operate.
"They understand that the foundation of control is change management, and that you need preventative, detective and corrective controls," says Kim.
"That's the language the chief audit executive understands."
High-security performers build a check and balance culture, run by a clear set of controls that allows them to be proactive and creates an affinity with auditors, he believes. Conversely, organizations that approach security from a perspective of technology fixes wind up doing a lot of reactive, unplanned work and might be blindsided by an audit.
If a security officer has a good set of controls that are authorized by management and implemented in a demonstrable way, then it is easy for the officer to prove to audit that management control objectives are being met, says Jennifer Bayuk, managing director of IT security at Bear Stearns and Co.
At GM, executives evaluated various IT security, audit and control frameworks and are considering the COBIT model published by the IT Governance Institute. They found there isn't just one framework that completely meets their needs. Their analysis indicated a need for a combination of components, since some focused only on technical issues or areas within certain IT or business areas.
"We're a totally outsourced environment. We don't do any data processing inside – we do it all through third parties," says Taylor. "To be effective, we need to have solid processes with the overall framework and metrics to communicate key controls to suppliers and ensure that they understand what is important. Having this kind of control framework helps us."
Taylor and his internal audit team work with the company's CISO in a variety of ways. For instance, internal auditors provide input on presentations made to the audit committee to ensure they meet committee expectations.
Audit has also provided input on information security initiatives to develop global requirements for secure server configurations, tailored to the company's outsourced model.
"We're looking at how we can help IT management clearly communicate its enhanced expectations to suppliers via contractual or other means, and how we can assist in monitoring them to ensure compliance," says Taylor.
Another joint project involved access controls for key applications, in which security and audit teamed up to build a global approach for improving site compliance.
"That's where internal auditors can add the most value – providing insight into the issues they see in the field audits and working together to address them," says Taylor. "Don't just say: 'Hey, we find them, you fix them'."
On a broader scope, Taylor is working with Tripwire's Kim on a research project that aims to ease the pain of IT control assessment by pinpointing which IT controls are most effective in reducing risk and increasing efficiency.
"We're hearing from a lot of companies that, regardless of the firm used as their external public accountant, they feel that they are being asked to do more work than really necessary to satisfy Sarbanes-Oxley.
"The more testing work the company does, the greater the level of comfort the public accountant can have about your system of controls," continues Taylor.
"If we can all agree that a particular subset of controls is most effective, we could ensure we are doing the right things and possibly reduce the number of controls that accounting firms and regulators are asking companies to test," he concludes."