Auditors - hmm... most of the time, nobody really likes them, right? Many people see them as a foe. As an Information Security professional, I see them more as a friend than a foe. We don't always see eye to eye, especially with the "dinosaur" type, but most of the time I would say we do have a common goal: to ensure that adequate security measures are in place and enforced.
This story is about how you can "make use" of an auditor to achieve your security goal. I hope it helps bring you a little closer to your "friendship" with the "foe" :)
Information Security lad: Mr. CEO, after various malware outbreaks within the company, we have come to the conclusion that we need to raise awareness among the employees. Here is the business case for our security awareness campaign. As you can see, we will work together with HR to include this proposed Computer Based Training (CBT) program in the induction training... blah blah blah... For this to happen, we will require a budget of EUR 20K to set up the CBT etc...
Mr. CEO: I like the idea of that CBT... however, as you may know, the budget is a bit tight right now with all these cost-cutting initiatives going on. We don't have extra budget for this...
Information Security lad: But Mr. CEO, we really need to do this. If another outbreak were to happen, it would cost us more resources to handle the situation. At the end of the day, it will cost more than this business case.
Mr. CEO: It may or may not be the case... Why don't you just do the awareness campaign via email? Think about it. Email is free anyway... Sorry, I have another meeting to attend. That's it. I have decided: your business case is not approved.
Information Security lad: <* speechless... *>
3 months later... a few colleagues from Internal Audit came down to perform an audit on general IT management, and they were reviewing HR processes.
Miss Internal Auditor: What can you tell us about induction training? What kind of induction training is given to a new joiner?
HR Manager sis: When a new employee joins, we provide them with a series of induction courses. For example, company background, employee rights, dos and don'ts etc... Here is the complete list of induction courses.
Miss Internal Auditor: It seems that Information Security is part of the course. That's good. Can you tell us in more detail what is covered there?
Information Security lad: <* Ah ha! I was waiting for this one. This is a chance for me to get that budget *> I'll take this one. The induction course for information security covers basic stuff like proper usage of PC and email, data classification, password protection etc... After those multiple devastating malware outbreaks, we were thinking of creating a CBT to raise awareness, especially regarding malware, but unfortunately the budget was not approved. Hence we could not proceed with it.
Miss Internal Auditor: Wait, you mentioned malware outbreaks... could you provide more details?
Information Security lad: <* Brilliant! The fish has bitten the bait :) *> Hmm... we had a total of 3 major outbreaks in the past year. Upon investigation and root cause analysis, we came to the conclusion that the malware infections were due to the "human" factor. We believe we need to educate the users more about malware and how to prevent infection. Hence, we mooted the idea of a CBT... but as I said, it was shot down by the CEO.
Miss Internal Auditor: I see. Could you send me the malware incident reports, the root cause analysis and the business case for the CBT?
2 weeks later... the audit closing meeting was held, and guess what? There was a finding: "Information Security awareness on malware needs improvement". Since it was raised in a formal audit report, it had to be addressed by management. Need I say more? The budget for the CBT was approved immediately :)
2. Be creative on how to get your budget.
Ain't security fun? ;)
Acknowledgement: Photo taken from http://www.flickr.com/photos/dborman2/3258378233/