Shedding light on information technology risks: IT auditing does not hinge solely on highly specialized reviews. Effective tech-related risk management rests just as much on basic, commonsense practices - Cover Story
Internal Auditor, Dec, 2003 by John Silltow
DUE TO INCREASED connectivity in the workplace, the average internal auditor receives considerably more exposure to IT systems than in the past. Technology plays a fundamental role in the way modern organizations function, and it has become integrated to the degree that virtually every type of audit requires at least some consideration of IT issues. Whereas technology was once considered the domain of specialized IT auditors, it is now the concern of all auditors, including audit generalists.
Although some technology areas still require the attention of IT audit specialists, several risks stemming from IT intersect almost every auditor's path. The modern auditor's purview, for example, encompasses areas such as access control, network security, data integrity, asset management, and software acquisition and development, each of which constitutes a mission-critical element of the organization's success. All auditors need to be aware of the risks associated with these areas to help their organizations review vital systems and ensure the enterprise runs smoothly.
ACCESS CONTROL
Security surveys conducted during the last decade have consistently shown that a large number of information security breaches originate from inside the organization. The Computer Security Institute's most recent "Computer Crime and Security Survey," for example, shows that 45 percent of U.S. organizations polled reported unauthorized access by insiders. In addition, financial fraud and theft of proprietary information--"opportunity crimes" that security experts say require access to company systems and insider knowledge--ranked as the most costly types of computer crime.
But potential damage from insiders is not limited to malicious attacks. Employees can inadvertently harm the organization's systems by accidentally deleting important files, opening e-mail attachments that contain viruses, or attempting to fix malfunctioning devices without adequate knowledge or training. Such incidents can cause extensive damage by crashing the network, corrupting important data, or causing hardware or software to malfunction.
To help mitigate the risk of both deliberate and unintentional damage, organizations need to establish effective access-control measures. Ideally, access control should keep intruders out and grant trusted users access only to the absolute minimum number of systems needed to perform their jobs. In addition, policies and procedures should clearly define individual responsibilities for supporting or changing the computing environment.
Access control becomes particularly important when organizations rely on databases that hold large amounts of key information, such as customer data or workflow arrangements. In systems that contain such high-risk content, the users' "view" of the data--or the amount of information visible to them--becomes vitally important.
But it is not only large databases that need control. Everyday functions carry similar risks, including some that may be recognized from general audit practice. For example, should a user be able to prepare an invoice online and then authorize it before sending it for payment? The principle of segregation of duties accepted for non-IT-related work needs to be built into access control systems to prevent employees from being able to bypass controls accidentally or deliberately.
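The segregation-of-duties check described above, written out as an added example (not code from the article or any product it mentions); the role names, permission strings and user list are constructed. Rights are granted through roles, so the script first flattens each user's effective rights and then looks for forbidden combinations, including one person who can carry an invoice from preparation through to payment alone.

```python
# Constructed sample, not from the article: rights come through roles, so a
# conflict can arise only when two individually harmless roles are combined.
ROLE_PERMISSIONS = {
    "ap_clerk":     {"invoice.prepare"},
    "ap_approver":  {"invoice.authorize"},
    "treasury":     {"payment.release"},
    "vendor_admin": {"vendor.create"},
}
USER_ROLES = {
    "alice": {"ap_clerk", "ap_approver", "treasury"},
    "bob":   {"ap_clerk"},
    "carol": {"ap_approver", "treasury"},
    "dave":  {"vendor_admin", "treasury"},
}
# Pairs of rights one person must never hold together. The prepare/authorize
# pair is the article's example; the other two are assumed.
SOD_CONFLICTS = {
    frozenset({"invoice.prepare", "invoice.authorize"}),
    frozenset({"invoice.authorize", "payment.release"}),
    frozenset({"vendor.create", "payment.release"}),
}
# The whole invoice-to-payment chain; one person holding every step can push
# a payment through without a second pair of eyes.
PAYMENT_CHAIN = ("invoice.prepare", "invoice.authorize", "payment.release")

def effective_permissions(user_roles, role_permissions):
    """Flatten role membership into the rights each user actually holds."""
    return {u: set().union(*(role_permissions[r] for r in roles))
            for u, roles in user_roles.items()}

def sod_violations(user_permissions, conflicts):
    """Map each user to the sorted conflicting pairs they hold; users with
    no conflict are omitted."""
    findings = {}
    for user, perms in user_permissions.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            findings[user] = hits
    return findings

def end_to_end_users(user_permissions, chain):
    """Users who alone hold every right needed to complete the chain."""
    return sorted(u for u, perms in user_permissions.items() if set(chain) <= perms)

def sod_report(user_roles, role_permissions, conflicts, chain):
    """One finding per line, suitable for an audit working paper."""
    perms = effective_permissions(user_roles, role_permissions)
    lines = [f"{user}: holds both {a} and {b}"
             for user, hits in sorted(sod_violations(perms, conflicts).items())
             for a, b in hits]
    lines += [f"{user}: can complete {' -> '.join(chain)} alone"
              for user in end_to_end_users(perms, chain)]
    return lines

if __name__ == "__main__":
    print("\n".join(sod_report(USER_ROLES, ROLE_PERMISSIONS, SOD_CONFLICTS, PAYMENT_CHAIN)))
```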
In addition, granting employees too many views or access rights might enable them to extrapolate or conjecture further information and exploit confidential data. For example, if a financial institution allows employees access to a number of data fields showing customers' credit card information, an employee who has such a card may use his or her personal identification number (PIN) to identify other cards that have the same encryption code and, therefore, PIN.
Ultimately, the degree of access control necessary depends on the value of data being protected. Although most organizations use passwords for access control, systems containing highly sensitive information may require more rigorous measures such as biometric scans, smart cards, or one-time password devices. Auditors can help determine the degree of control necessary by evaluating the risks facing each system, including the value data might hold for a user with ill intentions. Areas of high risk vary, but typically include executive systems, especially just before a merger or acquisition; treasury functions; and research and development complexes.
Without delving into the complexities of the programs involved, however, how can internal auditors provide assurance that the organization's access control systems are adequate? When examining passwords--by far the most common form of access control--commonsense questions often yield the best results. For example, has the organization established clear guidance on constructing new passwords? Do systems allow the use of common passwords such as user name, spouses' or pets' names, favorite football teams, date of birth, and car registration numbers? Have limitations been established regarding password expiration and the degree to which the same password can be re-used? Password cracking software is freely available on the Internet and, coupled with a variety of dictionaries, these tools work quite effectively against organizations that fail to implement sufficient controls.
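The commonsense password questions above, turned into a check an auditor could run over a sample of accounts. This is an added example, not code from the article; the profile field names, the history record format (SHA-256 digests of earlier passwords) and the sample profile are assumptions. It flags passwords built from the user name, spouse's or pet's name, favourite team, date of birth or car registration, re-use against history, and age beyond the expiry limit.

```python
import hashlib
import re
from datetime import date

def _norm(text):
    """Lower-case and strip punctuation so 'Rover-2015!' still matches 'rover'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _date_forms(d):
    """Common ways a date of birth gets typed into a password."""
    forms = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%y%m%d", "%Y")
    return {d.strftime(f) for f in forms}

def fingerprint(password):
    """Digest used for the history list (assumed format, unsalted for the demo)."""
    return hashlib.sha256(password.encode()).hexdigest()

def audit_password(password, profile, history=(), last_changed=None,
                   today=None, max_age_days=90, min_length=10):
    """Return a list of findings for one password; an empty list means none.

    profile keys (assumed names): username, spouse, pets (list), team,
    car_registration, date_of_birth (datetime.date).
    """
    findings = []
    pw = _norm(password)
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        findings.append("fewer than three character classes")
    # Personal facts the article names as common password material.
    words = [(k, profile.get(k) or "") for k in ("username", "spouse", "team", "car_registration")]
    words += [("pet name", p) for p in profile.get("pets", [])]
    for label, word in words:
        w = _norm(word)
        if len(w) >= 3 and w in pw:
            findings.append(f"contains {label}")
    dob = profile.get("date_of_birth")
    if dob and any(form in pw for form in _date_forms(dob)):
        findings.append("contains date of birth")
    if fingerprint(password) in set(history):
        findings.append("re-used from history")
    if last_changed is not None:
        age = ((today or date.today()) - last_changed).days
        if age > max_age_days:
            findings.append(f"{age} days old, exceeds {max_age_days}")
    return findings

# Constructed sample profile, not from the article.
PROFILE = {"username": "jsmith", "spouse": "Maria", "pets": ["Rover"],
           "team": "Arsenal", "car_registration": "AB12 CDE",
           "date_of_birth": date(1975, 3, 14)}
```

A real review would feed this from the HR system and the password history store rather than a literal profile; the checks themselves stay the same.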