For those of you who have read previous articles or blogs, or have had the opportunity to hear me present on the topic of information security, you will undoubtedly recognize today’s theme: an introduction to I.T. assessments. While it is absolutely true that the owners and management of some organizations choose to put their heads in the sand when it comes to security within Information Technology, the vast majority don’t intentionally ignore it; rather, they falsely believe that it is being adequately handled within their existing IT structure. Read along to find out why that belief may put your organization in jeopardy and what you can do about it.
The Wide World of IT
While a number of the organizations that we come in contact with as clients or potential clients do in fact have a robust Information Technology staff, the vast majority of companies out there do not fall into this classification. Instead, they have a small staff of maybe 8-12 IT personnel (or fewer). Yet, when asked the scope of their staff’s responsibilities, the responses usually include things like:
- End-user Support
- Local Area Network (LAN) Design
- Network Administration
- Enterprise Software Support (ERP, MRP, etc.)
- Software Development
- Business-IT Strategic Vision
- Procurement of Technology Services & Equipment
- Internet Service
- Choosing Software Solutions
- Voicemail and other Telecommunications
- Photocopier, Scanners and other office equipment
- Video Conferencing
- Web-site Development
- Intranet/Extranet Site(s)
- Securing Data within the Organization
- Mobile Devices (Tablets, Phones, Laptops)
- Performance Monitoring
- End-User Training
- User Rights (Adds, Terminations, Changes)
- System Health Monitoring
- Log File Analysis / Monitoring
- Integration between Systems (i.e. ERP, CRM, BPI all talking to each other)
- Software License Compliance
- Regulatory Compliance
- Software Testing
- Upgrade End-User Software
- Operating System Maintenance/Upgrades
- Workstation Setup/Configuration
- Security Awareness Training
- Cloud Computing Initiatives
And this is only a partial list. It’s long, but I purposely included all of those because I want you to really think about all the things that you are asking your IT staff to accomplish. The point of that list is to get Executives to understand a few principal take-aways:
- IT in one organization may mean something completely different in another and likely even over time within the same organization
- That it is very difficult, if not impossible, to find one person (or even a few) that has a handle on all of these areas at once; and,
- That each of these areas, in and of themselves, can be a specialty.
This broad range of responsibilities, and the personnel in the various roles, play an important part in how successful your IT systems are and how well they work for the organization.
Understanding that each of these areas requires a unique set of skills, it’s no wonder then that organizations that don’t have dozens of individuals in their IT departments will naturally have some areas that aren’t getting the attention they would if the organization had someone who specialized in just that area. Further, some of these areas require skillsets that are diametrically opposed to each other. For instance, what makes a Software Developer really good is exactly the opposite of what makes a Business Analyst with a view of the overall business strategy good at what they do. Place a Software Developer in a role with both of those responsibilities and you will be overwhelmingly pleased with the software that he/she develops, but scratching your head as to why it doesn’t adequately solve your business need. Reverse the hire and find someone who is great from the Business Analyst standpoint, and they’ll be bored out of their mind; you’ll be left with a lot of great talk about what the software will look like and how it will work, but you’ll never see the fruits of it. Again, not their fault; it’s just that the two roles take two different skillsets.
“Okay, that makes sense,” you say. But had you ever considered that in the past? If you’re like most business owners and managers, you say “my IT guy/gal/department will handle it” and assume that you have the right resources already in place. My guess, however, is that if you took a really close look, you’d find that you don’t.
As a manager or owner, likely without a strong technical background, how then do you ensure that not only do you have the right resources available, but that the resources are doing the right things?
A Well Controlled IT Environment
Enter the Control Environment. In terms of Information Technology, the Control Environment is the set of things you put in place to measure, monitor and hold individuals accountable for their performance in those areas. This goes way beyond mere performance appraisals; after all, without a strong technical background, how do you know whether they are performing well or not? Similar to the financial controls that your organization has in place, you should strive to build a robust set of IT controls designed to ensure a well operating IT environment. In an ideal world, you would aim to have an IT environment that is “well controlled”.
A well controlled environment is one in which the right things are being measured, at the right frequency, and in which the controls, when functioning as designed, produce the results you are looking for from your Information Technology investment. There are two important components of this: 1) ensuring that the controls themselves actually drive the results you’re looking for, by design; and 2) once properly designed, ensuring that the design matches up with reality.
Determining Your Control Environment
The traditional manner in which an organization determines its performance against its control environment is by way of an IT Assessment. In general, an IT Assessment works from some “ideal” and then measures the gap between the ideal and reality. There are a number of approaches when it comes to identifying the ideal.
On the low end of the spectrum, a simple set of desires – call it a wish list – is enumerated by management. The assessment then takes an objective look at the organization’s performance against this wish list. While this is a straightforward, easy approach, that ease comes with some sacrifices. The primary limitation of this approach is that it is too easy to fall into the trap of only measuring the things you already know you’re performing. This approach misses the things that you don’t know about; therefore, it is not the method that I recommend.
The better alternatives approach the assessment by adopting a framework. There are several different frameworks, depending on what overall objective one has for the assessment. For instance, ISO 27001 is an excellent framework that approaches the IT Control Environment from an IT Security aspect, whereas COBIT is an equally fantastic framework when approaching the Control Environment from a more enterprise governance standpoint. The advantage of approaching from a framework standpoint is that the collective Best Practices of all of those that have gone before you are embodied in the framework. In this way you are not doomed to fall victim to the unknowns of your own organization; the whole “you don’t know what you don’t know” syndrome is addressed.
Types of Assessments
Assessments are performed for a number of different reasons: compliance/regulatory requirements; a bank, insurer or other financial entity is interested in the results; an investor may require it; or management may simply be curious so as to continue to improve IT operations. Whatever the objective, it should be the primary guide in determining the framework and the level of assessment to perform.
The Level of an assessment determines the overall effort and scope that will be undertaken. For example, the lowest entry point is a Risk Assessment, whereby no review of the organization’s control environment is undertaken, nor any testing of those controls to see whether they’re functioning. Instead, the Risk Assessment is a methodical approach for understanding the Risks involved within YOUR organization and putting some priority on addressing them. Typically an IT Security Risk Assessment involves interviews, completion of questionnaires, walk-throughs and in-depth observation of a variety of tasks, transactions and functions within your environment. The likelihood of an event occurring is mapped onto a scale, along with the impact of the event should it occur. In this fashion, the organization obtains a picture of all of the systems, events and factors within the environment, along with a means for understanding which risks should be addressed first (based either upon the probability of those events happening, the impact the event would have on the organization or, in some cases, both).
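To make the likelihood/impact prioritization concrete, here is an added example (not code from the original article or from Vestige) that scores a small, constructed risk register on two ordinal scales and ranks it the three ways the paragraph describes: by probability, by impact, or by both. The five-point scales, the treatment bands and the sample risks are all assumptions chosen for illustration; a real assessment would use whatever scales the chosen framework prescribes.

```python
"""Likelihood x impact risk ranking for an IT security risk assessment.

Added illustrative example. The scales, bands and sample risks below are
constructed for this example and are not taken from any real assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal scales (assumption: five levels on each axis; any ordinal scale works).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT

    def __post_init__(self) -> None:
        # Reject levels that are not on the scale, so a typo in the register
        # cannot silently drop a risk to the bottom of the ranking.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood level: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact level: {self.impact!r}")

    @property
    def score(self) -> int:
        """Combined score: likelihood rank times impact rank."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank_risks(risks: List[Risk], by: str = "both") -> List[Risk]:
    """Order risks highest priority first.

    by="likelihood": probability first, impact breaks ties
    by="impact":     impact first, likelihood breaks ties
    by="both":       combined score first, impact breaks ties
    Equal keys keep register order (sorted() is stable, even with reverse=True).
    """
    keys = {
        "likelihood": lambda r: (LIKELIHOOD[r.likelihood], IMPACT[r.impact]),
        "impact": lambda r: (IMPACT[r.impact], LIKELIHOOD[r.likelihood]),
        "both": lambda r: (r.score, IMPACT[r.impact]),
    }
    if by not in keys:
        raise ValueError(f"by must be one of {sorted(keys)}, got {by!r}")
    return sorted(risks, key=keys[by], reverse=True)


def treatment_band(score: int) -> str:
    """Map a combined score (1..25) to a treatment decision.

    Thresholds are an assumption for this example; a framework-driven
    assessment would set them with management's risk appetite.
    """
    if score >= 15:
        return "address now"
    if score >= 8:
        return "plan remediation"
    if score >= 4:
        return "monitor"
    return "accept"


def risk_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Place risk names on a (likelihood, impact) grid, i.e. the heat map cells."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        grid.setdefault((LIKELIHOOD[r.likelihood], IMPACT[r.impact]), []).append(r.name)
    return grid


# Constructed sample register (not real findings).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN appliance", "likely", "major"),
    Risk("Lost unencrypted laptop", "possible", "major"),
    Risk("Shared admin account with no audit trail", "almost certain", "moderate"),
    Risk("Data center flood", "rare", "severe"),
    Risk("Phishing leading to credential theft", "likely", "moderate"),
]

if __name__ == "__main__":
    for mode in ("both", "likelihood", "impact"):
        print(f"--- ranked by {mode} ---")
        for r in rank_risks(SAMPLE_RISKS, by=mode):
            print(f"{r.score:>3}  {treatment_band(r.score):<17} {r.name}")
```

Note how the three orderings disagree: the flood sits last by likelihood or combined score but first by impact, which is exactly why the assessment report should state which axis drove the priority list rather than presenting a single ranking as self-evident.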
The next type of assessment is a Review, whereby the organization looks at the Control Environment and assumes that the controls are in place and working. Instead of testing whether the controls are working, the focus of a Review is on assessing the efficacy of the controls. In essence, one is evaluating whether the Control Environment, as designed, will actually accomplish what the organization is looking to achieve. By assuming that the controls are working, the organization can take a step back from the “accountability” gamesmanship that can occur and simply evaluate the Control Environment at face value.
And finally, the highest level of assessment is an Audit. With an audit the actual Control Environment is tested to ensure that individuals are carrying out their responsibilities correctly. The audit tests whether that perfect Control Environment you designed on paper is reflected in reality. The most important aspect of an audit is that it does not rely merely upon interviewing and inquiring about how the controls are implemented; instead, controls are observed and tested to ensure that they are actually working. The auditor collects evidence of the control in action and is looking for more than proof that the control is in place and working right now; the auditor looks for evidence that it has been in place and working over time and is essentially “just the way the organization works”, in other words, “the organization’s habit”.
In future weeks we will look at the various types of I.T. assessments and the objectives for choosing one, along with what to look for in choosing someone to perform an assessment. We will also focus these a little more tightly on IT Security; after all, that’s what we get brought in to solve. But as you can see, establishing a methodical framework for discussing and navigating this area is a great starting point, and one to which we’ll continue to return.
By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations