Audits are a regular part of corporate life, especially in the information technology field. Considering the importance of IT resources for business continuity, audits ensure that those resources are performing as they should. Among the audit metrics used for measuring IT performance are the Control Objectives for Information and Related Technologies framework (developed by the Information Systems Audit and Control Association), the National Institute for Standards and Technology SP 800-34 Contingency Planning Guide for Information Technology Systems and the Information Technology Infrastructure Library standards and practices for IT service management.
As numerous systems, applications, utilities and networks comprise a typical IT infrastructure, so too are there numerous audit attributes to address. However, before embarking on a detailed integrated audit -- e.g., auditing servers or cybersecurity -- an IT General Controls (ITGC) audit is usually a good start, as it provides a baseline measurement of IT infrastructure operations.
Audits are often performed with a focus on risk. Specifically, identifying potential risks, threats and vulnerabilities to IT operations is often a key objective of an ITGC audit. Whether performed by an internal IT audit department or external audit firm, IT audit procedures are specific in their design, execution and focus on risk. Most of the controls listed in the following sections can prevent situations that threaten data center operations and identify areas for improvement. Results of the ITGC audit, whether performed internally or by an external auditor, provide a useful risk assessment of the IT infrastructure.
There are six major controls to address in an ITGC audit:
Control 1: Physical and environmental security
Data centers, whether large freestanding buildings or small rooms, must be protected from unauthorized access and unplanned environmental events that could compromise their operations. Data center access is often controlled by proximity cards, keypad access or biometric access technologies. These approaches provide single-factor and -- in some cases -- two-factor authentication to minimize the likelihood of unauthorized personnel entering the data center. Closed-circuit television cameras, typically part of a company-wide physical security monitoring system, provide another layer of protection from unauthorized access.
Heating, ventilation and air-conditioning systems provide a suitable work environment for employees working in a data center. They prevent damage to electronic components by controlling the temperature and relative humidity in the data center. Any significant change in either of these two metrics should be identified and reported to data center managers. Fire control systems that detect smoke, excessive heat and fire can activate audible, visual and electronic alerts of the situation and activate fire suppression systems, such as FM200. Overhead sprinkler systems, typically using either dry-pipe or wet-pipe technologies, can also be activated by fire control systems.
Examples of additional data center controls include:
- A limited number of employees having card access to the server room;
- Raised floors and water detectors installed under the floors; and
- Server room fire extinguishers checked quarterly.
Control 2: Logical security
Access to IT systems and services is generally provided to all employees. However, the amount of access to these resources must be carefully controlled. Not all employees need access to all resources; as such, security mechanisms must be established to manage employee access. A typical metric is to provide access based on an employee's job responsibilities. This is usually coordinated by HR and IT, which together establish access levels. Access to system resources is granted using single-factor -- e.g., an employee ID -- or in most cases two-factor authentication -- e.g., an ID and unique password. Biometric authentication -- e.g., using a thumbprint reader -- is another effective way to authenticate users. Windows Active Directory is often used to authenticate users. Administrators can use techniques such as single sign-on to provide access to multiple applications and platforms with only one login.
Examples of additional logical security controls include:
- New employees are provided access to system resources after being approved by HR; an email noting that approval must be sent to IT;
- Terminated employees have their access credentials deleted within 15 minutes of notification by HR; and
- Passwords must be changed every 90 days.
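The three logical security controls listed above are the kind an auditor tests against evidence pulled from the directory service and the HR system rather than against a policy document. The following Python script is an added example, not code from the article: it runs those tests over constructed sample records. The 90-day password age, the 15-minute deprovisioning window and the HR-approval requirement come from the controls listed; the account names, timestamps and field names are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed evidence (not from the article): an export of user accounts
# from the directory service and the HR termination notices for the period.
AS_OF = datetime(2024, 6, 1, 9, 0)

USER_ACCOUNTS = [
    # hr_approval is the date of the HR approval email the control requires
    {"user": "alice", "password_last_set": datetime(2024, 4, 15),
     "hr_approval": datetime(2023, 1, 3)},
    {"user": "bob", "password_last_set": datetime(2024, 1, 20),
     "hr_approval": datetime(2022, 6, 1)},
    {"user": "carol", "password_last_set": datetime(2024, 5, 30),
     "hr_approval": None},  # account exists with no approval on file
]

TERMINATIONS = [
    {"user": "dave", "hr_notified": datetime(2024, 5, 2, 10, 0),
     "access_removed": datetime(2024, 5, 2, 10, 12)},
    {"user": "erin", "hr_notified": datetime(2024, 5, 9, 14, 0),
     "access_removed": datetime(2024, 5, 9, 16, 45)},
    {"user": "frank", "hr_notified": datetime(2024, 5, 20, 8, 30),
     "access_removed": None},  # still not removed at AS_OF
]


def stale_passwords(accounts, as_of=AS_OF, max_age_days=90):
    """Accounts whose password is older than the policy maximum."""
    limit = timedelta(days=max_age_days)
    return sorted(a["user"] for a in accounts
                  if as_of - a["password_last_set"] > limit)


def unapproved_accounts(accounts):
    """Accounts with no HR approval recorded: access granted outside the process."""
    return sorted(a["user"] for a in accounts if a["hr_approval"] is None)


def late_deprovisioning(terminations, as_of=AS_OF, sla_minutes=15):
    """Terminations where access outlived the SLA. Returns (user, minutes).
    An access_removed of None is measured up to as_of, so an open case keeps
    growing in the report instead of silently disappearing from it."""
    sla = timedelta(minutes=sla_minutes)
    findings = []
    for t in terminations:
        removed = t["access_removed"] or as_of
        elapsed = removed - t["hr_notified"]
        if elapsed > sla:
            findings.append((t["user"], int(elapsed.total_seconds() // 60)))
    return findings


def control_test_report(accounts=USER_ACCOUNTS, terminations=TERMINATIONS,
                        as_of=AS_OF):
    """One list of exceptions per control, suitable for the audit workpapers."""
    return {
        "password_age_exceeded": stale_passwords(accounts, as_of),
        "access_without_hr_approval": unapproved_accounts(accounts),
        "deprovisioning_sla_missed": late_deprovisioning(terminations, as_of),
    }


if __name__ == "__main__":
    for control, findings in control_test_report().items():
        print(f"{control}: {findings or 'no exceptions'}")
```

With the sample data the report flags one stale password, one account with no approval on file and two terminations that missed the 15-minute window, one of which is still open at the as-of date. Feeding the same functions a real directory export and HR ticket extract turns each bullet above into a repeatable, evidence-backed test rather than an interview question.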
Control 3: Change management
Having a well-structured change management function, which often includes a change review committee, is essential to ensure that all IT infrastructure changes are examined, tested, documented and approved before going into production. Lack of a change management function can mean deploying a system that damages the firm and potentially puts the entire organization at risk. This is especially true with patch management, which must be carefully controlled so that the patches perform as expected.
Examples of additional change management controls include:
- Test and production environments are segregated from each other, with the test environment used to validate changes and patches; and
- A change management committee reviews and approves/denies all change requests.
Control 4: Backup and recovery
Considering the amount of data that is created daily, backup and recovery have become increasingly important as they protect business processes, data, databases, applications and virtual machines. Options for backing up and recovering data are numerous and can be locally managed, remotely configured using managed -- e.g., cloud-based -- services or a combination of the two. Specialized technologies, such as data deduplication, ensure that vast quantities of data can be effectively stored. Backup and recovery are key components of technology disaster recovery plans, which are essential for business continuity management. Admins can use numerous audit controls for backup and recovery, such as type of data backed up, frequency of backups, speed of backups, recovery point objectives and speed of recovery in an emergency.
Examples of additional backup and recovery controls include:
- Data backup procedures are tested monthly to ensure proper operation;
- Recovery procedures are tested quarterly to ensure proper operation; and
- Disaster recovery plans are tested at least annually.
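The backup and recovery section names recovery point objectives and backup frequency as audit controls, and the bullets above set a quarterly cadence for recovery testing. The Python script below is an added example, not code from the article, showing how an auditor can test both against a backup job log: it parses a constructed log, finds datasets whose successful backups were ever further apart than the RPO, and lists datasets with no successful restore test inside the quarterly window. The log format, dataset names, the 24-hour RPO and the as-of date are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample backup-job log (not from the article). Each line is
# "<ISO timestamp> <job type> <dataset> <result>"; job types are "backup"
# and "restore-test", the latter standing in for the quarterly recovery test.
BACKUP_LOG = """\
2024-05-01T02:00:00 backup crm-db SUCCESS
2024-05-01T02:00:00 backup fileshare SUCCESS
2024-05-02T02:00:00 backup crm-db SUCCESS
2024-05-02T02:00:00 backup fileshare SUCCESS
2024-05-03T02:00:00 backup crm-db FAILED
2024-05-03T02:00:00 backup fileshare SUCCESS
2024-05-04T02:00:00 backup crm-db SUCCESS
2024-05-04T02:00:00 backup fileshare SUCCESS
2024-04-20T03:00:00 restore-test crm-db SUCCESS
"""

AS_OF = datetime(2024, 5, 4, 12, 0)  # assumed end of the audit period


def parse_backup_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than
    crashing the test, since evidence exports are rarely clean."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, job, dataset, result = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "job": job, "dataset": dataset,
                        "ok": result == "SUCCESS"})
    return records


def rpo_violations(records, rpo_hours=24.0, as_of=AS_OF):
    """Datasets whose successful backups are ever further apart than the
    RPO. The gap from the last good backup to as_of is included, so a job
    that has quietly stopped running is caught too. Returns
    {dataset: worst_gap_hours}; failed runs do not count as recovery points."""
    successes = defaultdict(list)
    for r in records:
        if r["job"] == "backup" and r["ok"]:
            successes[r["dataset"]].append(r["when"])
    findings = {}
    for dataset, times in successes.items():
        points = sorted(times) + [as_of]
        worst = max((b - a).total_seconds() / 3600
                    for a, b in zip(points, points[1:]))
        if worst > rpo_hours:
            findings[dataset] = worst
    return findings


def overdue_restore_tests(records, as_of=AS_OF, max_age_days=90):
    """Datasets that are backed up but have no successful restore test
    inside the quarterly window (a backup nobody has restored is untested)."""
    backed_up = {r["dataset"] for r in records if r["job"] == "backup"}
    last_test = {}
    for r in records:
        if r["job"] == "restore-test" and r["ok"]:
            prev = last_test.get(r["dataset"], r["when"])
            last_test[r["dataset"]] = max(prev, r["when"])
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(d for d in backed_up
                  if d not in last_test or last_test[d] < cutoff)


if __name__ == "__main__":
    recs = parse_backup_log(BACKUP_LOG)
    print("RPO exceeded:", rpo_violations(recs))
    print("Restore test overdue:", overdue_restore_tests(recs))
```

In the sample log the failed crm-db run on 3 May leaves a 48-hour gap between recovery points, twice the assumed RPO, while the fileshare dataset has never had a restore test recorded. Both are the kind of finding the monthly and quarterly test bullets above are meant to surface before a real recovery depends on them.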
Control 5: Incident management
Rarely does a day go by without an event that affects IT operations. Whenever such events occur, a process must identify the event, assess it and make decisions as to its resolution. Incident response procedures are especially important with the growing threat from cybersecurity events. Regardless of the type of event -- environmental, such as a fire; physical security, such as unauthorized access; or cybersecurity, such as a ransomware attack -- incident response procedures must be documented and regularly exercised so that any incidents can be quickly addressed and remediated.
Examples of additional incident management controls include:
- An incident management team provides the first response to an incident;
- The team receives regular incident response training; and
- Daily incident activity reports are generated for review by IT management.
Control 6: Information security
Information security is perhaps the most important ITGC control, because there are so many ways that security can be breached. The media regularly reports on significant cybersecurity events, particularly involving theft of individual data records or ransomware attacks that block access to systems. The challenge is that as new security remedies appear on the market, the threat actors introduce yet more powerful attack vectors. Among the control areas most often addressed are an organization's network perimeter, desktop systems and non-technology security issues such as social engineering. Cybersecurity events typically turn into business continuity events, with the attacked firm fighting to protect its customers, business operations and its reputation.
Examples of additional information security controls include:
- Intrusion detection and intrusion prevention systems protect the network perimeter;
- Firewall rules are regularly reviewed and updated;
- Antivirus software is deployed on all desktop devices and company laptops;
- Penetration testing is performed twice annually to check for vulnerabilities; and
- Use of personal laptop devices, unless suitably modified by IT, is prohibited.
Performing the ITGC audit
ITGC audits follow typical audit procedures:
- Assembling an audit team;
- Preparing an audit plan;
- Identifying the controls to be audited;
- Obtaining evidence for examination, such as policies, procedures and screen shots of specific activities;
- Identifying interview candidates, then scheduling and conducting interviews;
- Scheduling and conducting physical, onsite examinations of IT activities, such as a data center walkabout;
- Preparing and conducting tests of the controls; and
- Analyzing the evidence and documenting the audit findings and recommendations.
Prepare an audit schedule and have it reviewed and approved by company management. Conduct a kickoff meeting to establish the audit ground rules, identify the audit team and review the audit schedule of activities. Access to key subject matter experts is often the biggest challenge in any audit, so be sure to discuss that issue with senior management when reviewing the audit plan and schedule.
Schedule periodic checkpoints with the audit sponsors to brief them on the audit's progress and identify issues that might be hampering the audit's progress. Carefully document all audit findings from interviews, physical examinations and review of evidence. Report any unusual and potentially damaging findings to the sponsors as soon as possible.
Auditors should have a specific work area for conducting interviews, examining evidence and writing their reports. Guest access to internet services and a telephone should be made available to the audit team.
Most reports have a list of recommended actions to address audit findings with timeframes for remediation. Once the draft audit report is complete, have it reviewed by the organization being audited, if possible.
Careful planning and good project management will ensure that the audit is completed on time and within budget.