When you ask your doctor for a second opinion, you really want him to give his opinion again? No. You want a second opinion. An independent evaluation. Too many financial institutions are very present on a daily basis - they hire the same company that has placed its security systems in place to make a security audit much about these systems. How many fence-builders are going to find flaws in their own fences? " Nope. No problem here. There & 39; s supposed to be some information leakage. It& 39;s called " " natural seepage. " Or, worse yet - " The bad news is that you have a huge gap in your firewall. The good news is that we can correct. For a small fee. "
Another common mistake that financial institutions are to choose a company audit of safety is to hire an all-in-a company which also sells security solutions. Gee, what are the chances that they& 39;ll find a problem that your product just happens to correct?
The legal requirements and regulations (FFIEC, GLBA, SOX, FDIC, etc.) further clarify the need for independence in the evaluation of internal security controls and protection of confidentiality information.
In this brief, we will address some specific issues for financial institutions to consider when choosing a company to do an audit of security, and summarize about the risks for institutions that lack objective evaluations.
The Practical Perspective
What could be more practical than having one company do all their IT work for you? You only have to sign a contract, and you do not need to go shopping for another auditor. It& 39;s convenient, and it appears as a money-saver.
Not as much.
We bank had a client that had its internal IT security audit completed by the same company that managed its technological infrastructure. During the examination, regulators rejected the objectivity of the audit of security, and the bank was forced to retain another firm to do the work of the whole again.
On other time, we are satisfied with a potential client who was just about to implement a mitigation strategy proposed by its auditor to a lower security risk. The correction was vai cost $ 20000 - to sell a product was the auditor. On the spot, we suggest an obvious lack of cost determining the risk mitigated by making some minor improvements in operational processes. This highlighted two problems with the seller-based auditors, 1) they may try to upsell their own products, and 2) is not likely they are to concentrate on capturing or problems with simple issues.
The operational cost savings those are two obvious examples, but there are other cost savings that are less obvious when its audit of safety is really independent. The auditor has a larger goal, fresh perspective, and will not give you a list of 1,000 nit-picky problems. Instead, they help you any outbreak central issues that are discovered, and suggest practical solutions and profitable. The legal and regulatory Perspective
While the practical considerations of security audit independence are clear, there are also substantial regulatory guidance. If the cost of security issues and practical, are not sufficient to explain the need for independence, after an analysis of compliance with obligations certainly should.
Trivia question: How many times does the word independence or autonomy occur in the FFIEC IT Audit Review Manual? 76 times!
And now for a little light reading.
The FFIEC - Federal Financial Institutions Examination From the FFIEC Security Council Information IT Examination Manual: " Independent and diagnostic tests include penetration tests, audits and assessments. Independence gives credibility to the test results. To be considered independent, test personnel should not be responsible for the design, installation, maintenance and operation of the system tested, as well as the policies and procedures governing its operation. The reports generated from the tests should be made by people who are also independent of the design, installation, maintenance and operation of the system tested. "
The FDIC - SOX Compliance In consideration of the Sarbanes-Oxley Act, the FDIC recently updated its guidance for the independence of auditors. According to the Charter associated Financial Institution (IDF-21-2003), " The main feature of this analysis is that the person (s) directing and / or perform the review of internal controls is not also responsible for the management or operation these checks. " also, " If the agency staff agree that the independence of the external auditor or another vendor seems to be committed the agency may conclude that the imposition of external audit of the program is inadequate and does not meet requirements for audit and reporting "
The FDIC - GLBA Compliance Section III of FDICs Financial Institution Letter (FIL-68-2001) in relation to compliance with section 501 (b) of the Gramm-Leach-Bliley Act (GLBA) assesses the adequacy of institutions " a program to manage and control risks. The fundamental question posed for examiners to audit security in this section is: " assess whether tests are conducted or reviewed by independent third parties or independent of skilled people who develop or maintain the security programme. "
Six Questions
Here are six questions you can ask them to help determine if the auditor is independent:
1. My IT consulting company said that its audit services of security are met by another division within your company? Just because my two years of age, is the daughter " Kid " Division of my family does not mean that it is not yet a part of my family (even if the division& 39;s finances).
2. It is my safety auditor also a supplier of IT products or other services, such as firewalls?
3. My auditor security to offer rehabilitation on the issues they find?
4. Will my work on our internal auditor security technology, but argue that their penetration test only covers the firewall, they do not manage, so there is no independence? (Believe it or not, we see the penetration test suppliers do nothing more than review the firewall, and losing the contextual issues of the entire network architecture.)
5. It is my seller emphasizing the ease and benefits of a single window, without clarifying the conflicts of interest?
6. My seller meet this standard regulatory from the FFIEC IT Audit Manual Review: Tier I Examination Procedures - 5 Objective: To determine the level of audit independence:
Determine or independence is compromised by: Auditors responsible for operating a system of internal control or actually operational performance or duties activities.
Conclusion
Wouldn & 39; t it be great if you could have classified his own end in college? " Johnson, you are brilliant! I had no idea that the Wright brothers were not only working for Enron, but also invented the car! A +! " This feeling is brilliant that it gives companies that do their IT or try to sell extra services when you hire them for their safety audit.
While there are perceived benefits in one-stop shops or companies that can fix any problems identified by ensuring that there is independence and objectivity in the audit process will save time and money in the long run and maintain an institution on a path of regulatory compliance. Consider asking you the types of issues that arise here on their own security audit relationship.
John Abraham, president, Redspin, Inc.
Redspin (www.redspin.com) is a provider of security and compliance audits for more than 100 banks and untions of credit throughout the country. Chocante - who want to have guessed? -- They do not sell any other institution products.
References
Financial cards - 501 (b) EXAMINATION GUIDELINE IDF-68-2001, August 24, 2001. Examination Procedures for assessing compliance with the guidelines to safeguard customer information. http://www.fdic.gov/news/news/financial/2001/fil0168.html, http://www.fdic.gov/news/news/financial/2001/fil0168a.html
Information IT Security Examination Manual, FFIEC ( Examination of the Federal Financial Institutions), in December 2002. http://www.ffiec.gov/ffiecinfobase/index.html
Audit IT Examination Manual, FFIEC (Examination Council Federal Financial Institutions), August 2003. http://www.ffiec.gov/ffiecinfobase/index.html
Financial Institution cards - internal audits IDF-21-2003, March 17, 2003 http://www.fdic.gov/news/news/financial/2003/fil0321 . html http://www.fdic.gov/news/news/press/2003/pr2403a.html
Redspin specializes in security audit and assessment of security services, which help identify potential threats. http://www.redspin.com
Bookmark it: 
