IT Audit Controls that Matter
IT professionals talk about lots of different types of controls. Can this be simplified? Let's consider just three that really matter.
Recently an interesting discussion erupted on the GIAC Advisory Board list concerning the fundamental controls that we use in the IT world. For the last ten years or so I’ve been standing up in front of hundreds to thousands of auditors each year discussing controls and in that time I’ve figured some things out.
One of the first things that I realized is that while there are generally accepted definitions for “Controls” and “Objectives”, how any particular auditor or organization uses those terms varies greatly in the specifics. I’ve also arrived at another understanding about the nature of controls, and my discussions with classes over the past six years have led me to the admittedly anecdotal conclusion that this understanding is at least mostly correct.
Many frameworks and standards try to break controls into different disciplines or arenas, terming them “Security Controls”, “Access Controls”, “IA Controls” and the like. In my opinion, the effort to distinguish controls in these ways has been a contributing factor to the overall state of confusion when administrators, auditors and management get together and try to have a conversation!
As an alternative, consider the following common framework for the definition of controls. After spending years discussing this with management and auditors I’ve come to the conclusion that any control that can be defined can be expressed within this single, simple, common framework. The concept is simple: every control can be defined in terms of one of three primary categories.
- Protective/Preventative – Protective or Preventative controls serve to proactively define and possibly enforce acceptable behaviors.
- Detective – Detective controls are often thought of as “Audit Controls”, though we do not need to restrict them to that. Any control that performs a monitoring activity can likely be defined as a Detective control.
- Reactive – Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition.
Financial reporting illustrates all three. A set of common accounting rules is defined and must be followed by any publicly traded company. Each quarter any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. This should sound really familiar to anyone who deals with Sarbanes-Oxley. These accounting rules and the SEC requirements serve as Protective or Preventative controls.
Is it possible that mistakes, either intentional or unintentional, were made? Absolutely. Therefore, an additional Protective control is that these companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control! If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency, which indicates that some control somewhere has failed.
Finally, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way they are acting as a Corrective or Reactive control.
Needless to say, the same can be said of any set of cooperating controls in an Information Technology or Information Assurance framework. In fact, what experience has shown is that when organizations suffer some loss, compromise or other security breach, the most common problem is that they are missing a control. Which control? That can’t be answered in a general way, but we can say that generally they are lacking either a Preventative, Detective or Reactive control.
Going one step further we can state that if you have a Preventative or Proactive control but lack Detective and/or Reactive controls to supplement it, you have a material weakness. Protective controls are valueless without the ability to detect and react. Similarly, having detective controls is good, but without a reactive capability or a preventative control (policy, procedure, standard, etc.) with which to enforce some compliance they become worthless. In a very large way we can say that this defines a fundamental problem with log monitoring today!
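As an added illustration (my own code, not the author's), here is the three-category framework applied to the log-monitoring case: a preventative standard, a detective check over constructed log lines, a reactive step, and a gap check that implements the material-weakness rule above. The failed-login threshold, the syslog-style line format and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample syslog-style lines (not real data).
SAMPLE_LOG = """\
Mar 10 09:01:02 host1 sshd[211]: Failed password for alice from 10.0.0.5 port 5001 ssh2
Mar 10 09:01:05 host1 sshd[211]: Failed password for alice from 10.0.0.5 port 5002 ssh2
Mar 10 09:01:09 host1 sshd[211]: Failed password for alice from 10.0.0.5 port 5003 ssh2
Mar 10 09:01:12 host1 sshd[211]: Failed password for alice from 10.0.0.5 port 5004 ssh2
Mar 10 09:02:00 host1 sshd[212]: Accepted password for bob from 10.0.0.7 port 5010 ssh2
Mar 10 09:02:30 host1 sshd[213]: Failed password for bob from 10.0.0.7 port 5011 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

# Preventative control: the standard that defines acceptable behaviour.
# The threshold is an assumed value for this example, not from the post.
MAX_FAILED_LOGINS = 3


def detect(log_text, threshold=MAX_FAILED_LOGINS):
    """Detective control: monitor the log and return the accounts whose
    failed-login count exceeds the standard (sorted for stable output)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return sorted(user for user, n in counts.items() if n > threshold)
    # detect(SAMPLE_LOG) -> ['alice']


def react(violators, lockouts=None):
    """Reactive control: correct the unacceptable condition. Here the
    response is recorded in a lockout set; a real deployment would
    disable the account or page an operator."""
    lockouts = set() if lockouts is None else lockouts
    lockouts.update(violators)
    return lockouts


def control_gaps(controls):
    """Audit check for the post's rule: a control set lacking any of the
    three categories has a material weakness. `controls` maps a control
    name to its category, e.g. {"failed-login monitor": "detective"}."""
    required = {"preventative", "detective", "reactive"}
    present = {category.lower() for category in controls.values()}
    return sorted(required - present)
```

Running `control_gaps` over a set that has only the standard and the monitor returns `['reactive']`, which is the log-monitoring weakness the paragraph above describes.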