Let’s get right to the point: There is an overdependence on information technology audits in the data security
field. This is because audits are usually conducted in response to compliance regulations and business partner pressures, rather than the longer-term goal of minimizing business risks.
Whether it’s after an outside audit or an internal one, many executives will proudly claim, “We’re secure because we just passed our audit.” But that’s the wrong approach.
Don’t get me wrong: Information technology and compliance audits have their place, and will no doubt uncover security gaps at the business level. But you should not rely on audits for security assurance. If you do, it’s virtually guaranteed that lower-level technical issues will be overlooked, and subsequently rear their ugly heads when you least expect it.
Just ask some of the people whose businesses ended up in the Chronology of Data Breaches. Here are some of the lapses that resulted in these data breaches:
- Personal information from more than 500 patients at a Wisconsin medical center was exposed when a nurse’s laptop was stolen. The laptop contained names, Social Security numbers, birthdates, home addresses, Medicare ID numbers and diagnostic information.
- Receipts, credit card numbers, addresses, phone numbers and other information were found in a dumpster that sat outside a closed Indianapolis fitness center. Owners of the fitness center may now face a fine of up to $305,000 for dumping the information.
- Information from students at an Orlando, Fla., college was exposed when an Excel spreadsheet with names, addresses, dates of birth and college IDs was listed online on a password-protected website. The password protection had expired, allowing anyone to access the information online.
- A printing error at a Pennsylvania company caused thousands of taxpayers to receive 1099-G forms from 2011 with the Social Security number and tax refund of another taxpayer. The mistake occurred because the company was trying to conserve paper: The forms were supposed to be cut below a certain point, but the bottom half remained attached.
These are just a few examples – from the past couple of weeks alone -- of what can happen when basic security measures are overlooked. Such vulnerabilities aren’t going to turn up in an audit. Some of these businesses no doubt “passed” recent IT audits and were compliant with several regulations. But neither audits nor compliance equal true information security.
The ideal scenario is to perform consistent technical security assessments and combine them with higher-level audits. This will create a checks-and-balances approach to information security, and ensure that all the right areas are getting the attention they deserve.
More compliance strategies
It’s important to remember traditional audits validate that controls exist. Technical security assessments validate that controls do not exist. You need to understand the difference. Looking at your in-depth technical issues can actually highlight some higher-level operational security issues that might not be uncovered otherwise, including areas such as patching, log monitoring and system hardening.
You can also take traditional information technology audits a few steps further by demonstrating what can actually happen during noncompliance. This provides much greater insight into the issues and how they affect your specific business. It’s important to know exactly what is at stake during noncompliance: High-level audit findings might not be given the appropriate priority if they’re not fully understood. It’s like a general physician finding a heart murmur or swollen lymph nodes in a patient and not sending him on to a specialist for further analysis and treatment. You have to ask yourself: What are we really trying to accomplish?
Never assume traditional audits are uncovering all the right security weaknesses. If you’re just looking at by-the-book controls and haven’t looked at your environment with a malicious eye using manual analysis and good security tools, you’re creating a false sense of security. There’s a saying that’s perfect for this situation: "Experience is something you don't get until just after you need it." Don’t get caught off guard.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Complianceand the Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheelsinformation security audiobooks and blog.