They serve a valid purpose as part of a comprehensive security program. In fact, quite a number of standards insist on internal audits being conducted. For example, you cannot certify to ISO/IEC 27001 without an internal audit process. The internal audit can be conducted by specific groups, external parties or other staff in the section. However, they often suffer from a stigma. By some they are seen as an evil process where the nasty auditor is out to get you. This obviously doesn’t help, and yes, like some of you, I’ve been in the situation where the auditor behaves like the smiling assassin: smiling and agreeing, until the report comes out and your back starts to hurt.
But... I have also had the pleasure of being involved in internal audits where the main objective was to improve the overall security, and the security group and the auditors worked together to highlight issues that needed to be addressed.
So are they useful? Why not just perform a security assessment or a penetration test? A security assessment or penetration test typically highlights some of the more obvious issues, but only an internal audit will get into the nuts and bolts of things. It is used to verify that what is written down is actually being done. Internal audits are more focussed and are often conducted by people who know and understand the organisation, and who are therefore more likely to be aware of the subtle nuances that are present.
A good internal audit can help you identify gaps and issues with the processes that have been implemented to manage security within the organisation. Those logs: are they really being reviewed? Is the password reset procedure being followed? Or, in an outsourced situation, is the outsourcer really doing what the contract says they should? Are incidents handled correctly? One major benefit I’ve seen is that underlying issues are identified; another, as I mentioned, is that it helps highlight issues that people have often tried to raise previously. I’ve seen many an example whereby a security issue was addressed only after an internal audit highlighted the problem, despite the fact that it had been raised previously by the security group. One reason may be that audit reports are often reviewed at board level, whereas security issues raised may never reach that high.
So if you are being audited, try to work with the auditor to get the issues you know exist addressed; you may even learn of some you weren’t aware of. If you are the auditor, be upfront and make sure there are no surprises in the report. If you identify issues, discuss them with the other party: there may be a simple explanation rather than a conspiracy to deceive.
Remember, we’re all working towards the same goal.
Mark H. - Shearwater
Jun 11th 2007