INFORMATION SECURITY AND INTERNAL AUDIT
Working Together
COPYRIGHT
 Copyright Paul Lepkowski 2011. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
SUMMARY
 There are many ways in which the Information Security and Internal Audit departments can work together. This session explores the successful model that Rochester Institute of Technology (RIT) has used to drive several IT security audits.
SESSION OUTCOMES
 At the end of the session, an audience member will be able to:
 Identify the steps needed to utilize both the audit and information security departments in an audit
 Design a plan for their next IT security audit
 Implement their next IT security audit in a more efficient manner
TOPICS
 Areas of discussion include:
 Using Infosec resources to complement audit resources
 Handling the politics of both groups working together
 Audit planning
 Technical interpretation and advisement
 Vulnerability and penetration testing
 Benefits of this relationship will be explored in-depth
ABOUT THE SPEAKER
 Paul Lepkowski
 Enterprise Information Security Lead Engineer
 Rochester Institute of Technology (RIT)
 Certifications: CISSP, GIAC-GPEN
 Experience:
 19 years in both network engineering and security
 Worked in both university and corporate environments
 Specializations
 Network and systems security
 Vulnerability assessment
 Penetration testing
 Private Information (PI) protection
 Professional Organizations
 ISSA
 Rochester Infragard – Vice President
 IEEE
 Audit Role
 Provide technical assistance regarding all aspects of IT audits to RIT Internal Audit
SPECIAL ACKNOWLEDGMENT
 Elisa Cockburn, CPA
 Senior Internal Auditor
 RIT’s Institute Audit, Compliance, and Advisement
 Specializes in accounting and information systems auditing
 MBA in MIS
 Member of the Association of College and University Auditors (ACUA), the Institute of Internal Auditors (IIA), and the Information Systems Audit and Control Association (ISACA)
ABOUT RIT
 Rochester Institute of Technology
 Founded in 1829
 Rochester, NY
 17,500 active students
 11th largest private university in the US
 3,600 faculty and staff
 Undergraduate and graduate level Information Security programs
ORGANIZATIONAL CONSIDERATIONS
 At RIT - separate and independent groups (organizational chart):
 Board of Directors – Audit Committee
 Chief Financial Officer
 Internal Audit
 Global Risk Management
 Information and Technology Services (ITS)
 Information Security Office (ISO)
THE PROBLEM
 Often the internal audit department does not have the time, technical expertise, or budget to properly handle IT security audits.
 Audit groups consist of a small group of people and some part-time auditors
 Audit needs to be as cost effective and efficient as possible
 Audit needs specialized technical expertise for IT security audits
THE PROBLEM (CON’T)
 Finding people with both audit and highly technical skill sets can be challenging
 Funding for external auditors is limited
 At a high-tech university, assistance is especially needed for:
 Planning
 Interviewing
 Gathering data
 Interpreting data
 Reporting
THE PROBLEM (CON’T)
 The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) requires the following:
 1100 – Independence and Objectivity – The internal audit activity must be independent, and internal auditors must be objective in performing their work.
 1210.A1 – Proficiency – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
A SOLUTION (FOR RIT ANYWAYS)
 The Information Security Office can provide assistance to fill in these gaps.
 Both departments can be used for a successful audit, given the close synergies between audit and security.
 External auditors may be used on a limited basis for cost efficiency.
 Joint work by ISO and Internal Audit complies with the international standards for the internal audit profession, provided that both remain independent organizations.
PLANNING THE AUDIT
 Risk assessments
 Where to audit?
 Previous incidents or high-risk areas with known issues
 ISO can provide valuable information, especially on types of incidents and knowledge of the environment and technology
 Politics
 Make sure the groups being audited understand that you have the best interests of the university in mind for the audit
 Audits can be used to help an IT group move forward with processes and with justification for projects and/or much-needed hardware/software
PLANNING THE AUDIT (CON’T)
 Setting expectations
 Scope
 Timelines
 Plan resource time (estimated number of hours for both audit and ISO personnel)
 Roles and responsibilities
 Internal Audit runs the audit
 ISO assists with all phases of the audit and acts in an advisory role
 ISO is a member of the audit team
 ISO is the technical resource (e.g., vulnerability scanning, pen testing)
PLANNING THE AUDIT (CON’T)
 Internal or external?
 Gaps in expertise or specialties needed?
 Workload and cost considerations
 RFPs for external assistance
 Non-disclosure
 In place between Internal Audit and ISO
 Include co-ops, student employees, and external auditors
 Handling work papers and sensitive documents
 Audit is the authoritative source for work papers
PLANNING THE AUDIT (CON’T)
 Audit format
 Define the audit steps
 Use frameworks such as COBIT, ISO 27001, and ITIL
 Use best-practice sources such as NIST publications, DISA STIGs, PCI DSS, and others
 Time estimates for all steps
 Define the procedures that will be done by each office
 Interviews – Internal Audit and ISO
 Vulnerability scans, pen testing – ISO
 Code reviews – external auditor
 Tools needed
FIELDWORK
 Interviewing
 Audit and ISO both take notes and compare
 Gather screenshots for supporting data
 Standards checklists (internal standards)
 Configuration review
 Gather configuration files
 Show me “xyz” settings
 Testing
 Vulnerability scanning
 Penetration testing
 Configuration scanning and reporting
ANALYSIS
 Benchmarking against other universities and the industry
 Prioritization
 Risk
 Impact
 Probability
 Ease of remediation
 Technical interpretation
 Consensus between ISO and Internal Audit
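As an added illustration of the fieldwork configuration review ("show me xyz settings", configuration scanning and reporting) and the analysis prioritization above, the following is example code written for this page; it is not code from the RIT presentation or from any tool named in it. It parses a constructed sshd_config as gathered from a host, compares each directive against a hypothetical internal standards checklist, scores every gap as impact times probability, orders the gaps with ease of remediation as the tie-breaker, and then splits them into findings (major issues) and discussion topics (low-risk issues) the way the presentation step does. The sample configuration, the checklist, the 1-to-5 ratings and the threshold of 12 are all constructed for illustration, not RIT's values.

```python
"""Configuration review against an internal standards checklist.

Added example for this page (not code from the RIT presentation): parse a
gathered sshd_config, compare each directive with a checklist entry, score
each gap as impact x probability, and rank the gaps with ease of remediation
as the tie-breaker. Sample config, checklist and ratings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of a configuration file gathered during fieldwork.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, hypothetical host)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
#MaxAuthTries 6
LogLevel INFO
"""


@dataclass(frozen=True)
class Check:
    key: str           # directive name as written in the standard
    expected: str      # value the internal standard requires
    impact: int        # 1 (negligible) .. 5 (severe)
    probability: int   # 1 (unlikely)   .. 5 (likely)
    ease: int          # 1 (trivial fix) .. 5 (major project)


# Hypothetical internal standard; ratings are illustrative, not RIT's.
CHECKLIST: List[Check] = [
    Check("PermitRootLogin", "no", impact=5, probability=4, ease=1),
    Check("PasswordAuthentication", "no", impact=4, probability=4, ease=3),
    Check("PermitEmptyPasswords", "no", impact=5, probability=2, ease=1),
    Check("X11Forwarding", "no", impact=2, probability=2, ease=1),
    Check("MaxAuthTries", "4", impact=3, probability=3, ease=1),
    Check("Protocol", "2", impact=5, probability=3, ease=2),
]


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: str        # "(not set)" when the directive is absent
    risk: int          # impact x probability
    ease: int


def parse_config(text: str) -> Dict[str, str]:
    """Return {directive: value} using sshd_config rules: a line whose first
    non-blank character is '#' is a comment, directive names are
    case-insensitive, and the first occurrence of a directive wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def review(text: str, checklist: List[Check] = CHECKLIST) -> List[Finding]:
    """Compare a config against the checklist and return the gaps, highest
    risk first; equal-risk gaps are ordered by ease (quick wins first)."""
    settings = parse_config(text)
    findings: List[Finding] = []
    for c in checklist:
        actual: Optional[str] = settings.get(c.key.lower())
        if actual is not None and actual.lower() == c.expected.lower():
            continue                       # compliant, nothing to report
        findings.append(Finding(
            key=c.key,
            expected=c.expected,
            actual="(not set)" if actual is None else actual,
            risk=c.impact * c.probability,
            ease=c.ease,
        ))
    findings.sort(key=lambda f: (-f.risk, f.ease, f.key))
    return findings


def classify(findings: List[Finding],
             threshold: int = 12) -> Tuple[List[Finding], List[Finding]]:
    """Split gaps into report 'findings' (major issues, risk >= threshold)
    and 'discussion topics' (low-risk issues). Threshold is illustrative."""
    major = [f for f in findings if f.risk >= threshold]
    minor = [f for f in findings if f.risk < threshold]
    return major, minor


def report(text: str) -> str:
    """Render the two sections used in the final presentation."""
    major, minor = classify(review(text))
    fmt = "  [risk {r:2d}, ease {e}] {k}: expected {x!r}, found {a!r}"
    lines = ["FINDINGS (major issues)"]
    lines += [fmt.format(r=f.risk, e=f.ease, k=f.key, x=f.expected, a=f.actual)
              for f in major]
    lines.append("DISCUSSION TOPICS (low-risk issues)")
    lines += [fmt.format(r=f.risk, e=f.ease, k=f.key, x=f.expected, a=f.actual)
              for f in minor]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SSHD_CONFIG))
```

Running the module on the constructed sample reports PermitRootLogin and PasswordAuthentication as findings and MaxAuthTries (commented out, so absent) and X11Forwarding as discussion topics. The parser follows sshd's first-occurrence-wins rule, which matters in a review: a hardened directive added at the end of a file that already sets it earlier has no effect, and a checker that took the last value would report the host as compliant when it is not. The same checklist structure can hold STIG or internal-standard items for other configuration files once a parser for that format is substituted.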
PRESENTATION
 Findings – major issues
 Discussion topics – low-risk issues
 Periodic status reports to the group being audited, so there are no surprises
 Both Internal Audit and ISO take part in the final presentation
IMPACT AND LESSONS LEARNED
 This effort has had a very positive impact on the university.
 It clearly shows the benefits that a teamwork-based approach has provided the university.
 Cost savings in both people time and external consulting time were substantial (estimated at $50,000+ per audit).
 It also builds trust among the groups.
 Achieved greater alignment between the Risk Management, ISO, and Internal Audit departments.
 Helps to “jump start” the audit process, since ISO is already familiar with the environment, and allows the audit to reach a greater depth quickly.
IMPACT AND LESSONS LEARNED (CON’T)
 Audits can help the IT groups obtain the funding and resources they need to fill gaps
 Acquired expertise stays in house
 Integration with external consultants can work well, especially with clearly defined tasks (e.g., code review)
 Allows easy follow-up on audit issues and audit responses
QUESTIONS?
