Convenience Vs Security

Photo credits: www.dreamstime.com

Can you imagine entering a store like the Apple Store, but instead of seeing the nicely dressed Apple employees, you see bouncers, bodyguards, and military officers with guns? You try to walk away, but one of them tells you to stop so he can make sure you did not steal anything from the store. You are about to leave after a thorough body search when you hear one of the gunmen say: “please come back again”. I believe you would most likely not return to that store. Their security might be at its best, but the customer’s shopping experience was obviously at its worst.

I remember my grandma telling me about a time when someone could leave a store unattended; a customer might come in to make a purchase while you were away, and the customer would leave the money there for you. The funny thing is there was no closed-circuit television (CCTV) at that time; people were trustworthy and would not steal from you. Good news: those days are coming back. I mean you might be able to leave your store open without the need for a cashier, and the customers could make their purchases without your presence while you would still get paid. I saw an ad about a prototype of this system. The company had invested so much in artificial intelligence and adopted a lot of other security measures to allow customers the luxury of a cashless system. With the use of an app on the customer’s phone, the customer could make purchases without the need for any cashier or attendant. This is a great combination of security and convenience. Aside from the fact that some customers like physical interaction, most customers may love this kind of system for the convenience it offers.

As auditors, we are concerned with the security of information systems and data, and our job description clearly states that we are responsible for ensuring that the controls around our organization’s systems are designed appropriately and operating effectively. How can we ensure that the stakeholders enjoy some level of convenience while we work to maintain the security of our organization’s assets? The question is, “how can we add value to our organization through our projects without appearing to be policing the stakeholders?”

Here are some tips to help foster convenience around IT audit processes while we achieve our audit goals: 

  • Determine your stakeholders: It is easy to know who your stakeholders are. Who do you interact with during the audit process? Who do you report the findings to? On an external audit, you may work with different clients at different times, depending on your organization’s structure and how your audits are laid out. It is important to list the stakeholders that will be involved in your audit during the audit planning phase. Aside from your direct contact person, you should learn about the other people who will affect your work during the project. The list could span from the IT team or process owner you are auditing to the management you report to. The audit team should have a training session on how to build a good working relationship with these stakeholders. The audit planning phase should also include an email to the identified stakeholders informing them of the audit scope and the part each of them plays. It is very important to communicate with the stakeholders directly and not just send the engagement letter to management while ignoring the other important stakeholders; remember that during the project you will most likely deal with these stakeholders even more than with management.
  • Design the audit process to be convenient for the stakeholders as well: While it is important to follow your regular audit plan for the year, remember that the stakeholders have their own plans for the year as well. They would appreciate being able to spend more time on their core duties rather than spending hours answering your questions and pulling documents for you. For example, if you are auditing privileged access, you could make the system administrator’s work more convenient by first reviewing the company’s IT security policy covering privileged access. After your review, email your questions to the system administrator before the walkthrough meeting in which you discuss the controls in scope. Since most people don’t like surprises, seeing the questions ahead of the meeting gives him/her time to prepare, and a written response might even reduce the time you need to spend together in the walkthrough. The focus of your audit process should be to assess the controls, but do it in a way that avoids adding stress to the stakeholders’ normal workload.
  • The PBC list (prepared/provided by client): This list includes the items, such as documentation and evidence, that the auditor needs from the client to perform the audit. It is best practice to send the PBC request at least 3 weeks ahead of the audit, but the timing should also be based on the audit team’s experience with the client. If, based on past experience, the client was not able to provide the necessary documentation when needed, it is better to send the PBC request list much earlier. This helps you keep to your audit timeline while allowing the client ample time to gather all the requested documents at their own pace.
  • The executive status tracker: This tracker is used to communicate the status of the audit to the client. It lists the scheduled meetings between the audit team and the client. These could be weekly status meetings to discuss progress, delays and other needs, or meetings to validate issues and potential audit findings. Just as it helps to send the PBC request list earlier when the client has had trouble providing documents in the past, it also helps to send the executive status tracker to the client as early as necessary and to update it as the need arises.
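As an added example of the kind of test that sits behind the privileged-access walkthrough described above (illustrative code written for this page, not code from the original post or from any organization’s audit program): reconcile an export of a privileged group’s members against the approved-access register, so the exceptions can be sent to the system administrator together with the questions before the meeting. The CSV layout, the column names, the sample accounts and the 90-day “stale logon” threshold are all assumptions made for the example.

```python
"""Reconcile privileged-group membership against an approved-access register.

Added illustration for a privileged-access audit test; not code from the
original post. The CSV exports, their column names and the 90-day stale-logon
threshold are assumptions for the example.
"""
import csv
import io
from datetime import date

# Constructed sample evidence (not real data): a membership export of an
# administrative group and the approval register the auditor was given.
GROUP_EXPORT = """\
account,group,last_logon
alice,Domain Admins,2021-03-01
bob,Domain Admins,2020-06-15
svc_backup,Domain Admins,2021-03-02
carol,Domain Admins,2021-02-28
"""

APPROVED_REGISTER = """\
account,approved_by,approval_date,review_due
alice,CIO,2020-01-10,2021-06-30
carol,CIO,2020-01-10,2020-12-31
dave,CIO,2020-01-10,2021-06-30
"""

# "As of" date for the sample run (the audit fieldwork date in this example).
SAMPLE_AS_OF = date(2021, 3, 8)


def parse_csv(text):
    """Parse a CSV export into a dict keyed by account name."""
    return {row["account"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(group_export, approved_register, as_of, stale_days=90):
    """Return the exceptions an auditor would raise from the two exports.

    unapproved          member of the privileged group with no approval on file
    approved_not_member approval on file but the account is not in the group
                        (register is out of date, or access was removed)
    review_overdue      approval exists but the periodic access review is overdue
    stale_logon         privileged account not used for more than stale_days
    """
    members = parse_csv(group_export)
    approvals = parse_csv(approved_register)

    def days_since(iso):
        return (as_of - date.fromisoformat(iso)).days

    return {
        "unapproved": sorted(a for a in members if a not in approvals),
        "approved_not_member": sorted(a for a in approvals if a not in members),
        "review_overdue": sorted(
            a for a in members
            if a in approvals and date.fromisoformat(approvals[a]["review_due"]) < as_of
        ),
        "stale_logon": sorted(
            a for a in members if days_since(members[a]["last_logon"]) > stale_days
        ),
    }


def sample_findings():
    """Run the reconciliation over the constructed sample evidence."""
    return reconcile(GROUP_EXPORT, APPROVED_REGISTER, SAMPLE_AS_OF)


def format_report(findings):
    """Render the findings as plain text for the walkthrough meeting."""
    lines = []
    for category, accounts in findings.items():
        lines.append(f"{category}: {', '.join(accounts) if accounts else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(sample_findings()))
```

On the sample data the script flags bob and svc_backup as unapproved members, dave as approved but no longer a member, carol as overdue for review, and bob as a privileged account unused for more than 90 days. Each line is a question for the administrator rather than a finding yet: a service account in a human-administrator group, for instance, may be legitimate but should have its own approval. Reconciling the same export against the HR leaver list is the natural next test and is not shown here.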

These modifications to the audit process help the stakeholders adjust their schedules as needed, making it more convenient for them to work with you while you still achieve your audit goals. Clients and stakeholders will most likely be happier when they know that you are not just adding value to the organization through your audit, but that you also respect their time and other responsibilities, shown by how you make the process convenient for them while enhancing security.

Thanks to the Women in Information Technology.

Photo credits: www.mccinternalmedicine.org

Today, March 8, is International Women’s Day, and the month of March is celebrated as Women’s History Month. What does that mean to you? It is an opportunity to think about the contributions of women around the world as well as the challenges they face. Many women have influenced our lives in many ways; without them, the world of information technology, as well as information security, would not be what it is today. A big thanks to the organizations that are challenging the biases and gender inequalities affecting women in information technology as well as other areas.

I would like to mention a few of the women who have influenced information technology and laid the foundation on which many of today’s technological advancements are built.

Ada Lovelace: the first programmer

Ada was born in London and lived from 1815 to 1852. She became an English mathematician and writer because her mother, who homeschooled her, insisted that Ada be taught science and mathematics.

It is documented that Ada was the first programmer who ever lived. She wrote notes explaining how a specific engine (Charles Babbage’s Analytical Engine) could move from calculation to computation. The second Tuesday in October is known as Ada Lovelace Day to celebrate the achievements of women in STEM careers.

A woman who designed the very first compiler: Grace Hopper

She was born in New York City and lived from 1906 to 1992. Grace attended Yale University, receiving a PhD in mathematics, and in 1943 she joined the Naval Reserve, retiring in 1966. It was during her service in the Naval Reserve that Grace joined the Eckert-Mauchly Computer Corporation in 1949, where she designed a compiler that translated programmers’ instructions into machine code. In 1957, Grace’s division developed the first English-language data processing compiler.

A woman whose code led to the development of the battery used in hybrid cars: Annie Easley

She was an African American woman who was born in Birmingham, Alabama and lived from 1933 to 2011. She attended Xavier University, where she majored in pharmacy for about 2 years. Shortly after leaving the university, she met her husband and they moved to Cleveland. There was, however, no pharmacy school nearby, so Annie applied for a job at the National Advisory Committee for Aeronautics (NACA), where she was one of four African Americans on staff. In this role, she developed and implemented code that led to the development of the battery used in hybrid cars. Annie encouraged many women and people of color to study and enter STEM fields.

A woman who helped develop the first personal computer: Mary Wilkes

She was born in 1937 in Chicago, Illinois, and graduated from Wellesley College in 1959 with a degree in philosophy.

Mary programmed computers such as the IBM 709 and IBM 704. In 1961 she joined the Digital Computer Group and contributed to the development of the LINC (early LINC work was done on the laboratory’s TX-2 computer). She designed and wrote the operator’s manual for the final LINC console design, and she is known for helping to develop the first personal computer and as the first person to have a PC in her home.

She inspired the graphical interface of Apple’s computers: Adele Goldberg

She was born in 1945 in Cleveland, Ohio, received a bachelor’s degree in mathematics from the University of Michigan, and earned a PhD in information science from the University of Chicago in 1973.

In the 1970s, Adele was a researcher at the Xerox Palo Alto Research Center (PARC) and was the only woman among the group of men who built Smalltalk-80. She presented the Smalltalk system to Steve Jobs, who implemented many of its ideas in Apple products. As a result, Adele Goldberg is known as one of the famous women in technology who inspired the graphical interface of Apple’s Lisa and Macintosh computers. The Apple desktop environment might not look the way it does today without Adele’s work.

A Roman Catholic sister and advocate for women in computer science: Mary Keller

She lived from 1913 to 1985. Mary (Sister Mary Kenneth Keller) was an American Roman Catholic sister. In 1958 she started at the National Science Foundation workshop in the computer science department at Dartmouth College, which at the time was an all-male school. Working with two other scientists, she helped develop the BASIC programming language. In 1965, Mary earned her PhD in computer science from the University of Wisconsin–Madison, which made her the first woman, and one of the first two people, in the United States to receive a PhD in computer science. She went on to found the computer science department at Clarke College, a Catholic college for women. For 20 years she chaired the department, where she advocated for women in computer science and supported working mothers by encouraging them to bring their babies to class with them.

These are just a few of the women who have helped shape the world of information technology over the years, and there are many more. Their contributions and the contributions of many women around the world should encourage every one of us to keep challenging the biases and gender inequalities affecting women in information technology as well as other areas of life. If you are a woman subjected to some form of bias or gender inequality, please be encouraged by the great work of the women who have helped shape our world and keep your head up, because you have a lot to offer; you bring both beauty and brains to our world.

Happy International Women’s Day and a lovely Women’s History Month.

Bio source:

www.womenintech.co.uk

en.wikipedia.org

Your Cybersecurity audit.

photo credit: www.me.me

While Mr. Bean would most definitely not send you a malicious e-mail, someone else might. What will you do? Most likely you’d not even open it, right? I once opened such an e-mail. I received an e-mail saying that I was being given a performance-based award from the company. I was excited and decided to thank my manager; I just assumed she must have recommended me for the award. I should have seen a red flag in the fact that the award was not associated with any specific project. I was, however, excited because this kind of award usually comes with some dollar amount in gift cards, fifty or a hundred dollars sometimes. I sent a thank-you e-mail to my manager and then called her almost immediately. My manager started laughing on the phone as she told me it was just a test from the compliance team. They were trying to see how many employees would fall for a phishing e-mail that appears to come from the company. Well, I technically passed the test, as I had not yet clicked on the link; but I was planning to. I only wanted to say thank you to my manager before clicking on the link to claim my Amazon gift card or something like that. I believe your company might also send out such e-mails to you as part of your organization’s cybersecurity awareness and training program.

I read a blog post from Neil Lappage on baselining cybersecurity skills for all IT professionals, and it made me think of cybersecurity audit. When it comes to cybersecurity, most organizations are either trying to be as protected as possible or have given up worrying about the cyber threats that could affect them or their enterprise. I believe it’s better to learn from other companies’ experience and secure your organization’s information systems as much as possible. According to ZDNet, some of the data and information system breaches in 2020 are listed below:

  • It was reported that about 30 million records of Wawa Inc. (a chain of convenience stores and gas stations) containing customers’ details were made available for sale online.
  • A Texas school district (Manor Independent School District) lost $2.3 million in a phishing scam.
  • A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.
  • Clearview AI’s entire client list was stolen due to a software vulnerability.
  • GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures at supplier Canon Business Process Services.
  • Virgin Media reported that 900,000 users’ data was exposed through an open marketing database.
  • NutriBullet became the victim of a data skimming (Magecart) attack, with payment card skimming code infecting the firm’s e-commerce store.
  • Marriott disclosed a new data breach impacting 5.2 million hotel guests.

These are just a few of the cybersecurity breaches reported in 2020. Auditing your cybersecurity program might be something you do on a yearly basis, but for organizations that want some direction on how to go about it, here are some steps to take:

1.     Know the purpose, size, and scope of your organization’s cybersecurity program.

  • Since different organizations have different goals, the form and structure of their cybersecurity programs also vary. A business entity’s cybersecurity program depends on several factors, among which the kind of assets that need to be protected and the revenue size are the most important.
  • Another factor that might determine the size of an organization’s cybersecurity program is the organization’s perceived threats and vulnerabilities, based on a comprehensive risk assessment or threat modelling.
  • Sometimes the size of an organization’s cybersecurity program is determined by the amount of senior management support for IT projects, or by management’s perception of the potential and actual threats and vulnerabilities that affect the organization (this is the control environment as described by the COSO internal control framework). So, your audit team has the responsibility to help your management form an accurate perception of the cyber threats affecting your organization.

There are also industry-specific requirements that can determine the size of a company’s cybersecurity program. Examples include:

  • PCI DSS (Payment Card Industry Data Security Standard) requirements for retail companies, or for any company that processes customers’ credit card information beyond a specified threshold.
  • Companies with operations in Europe are required to comply with the European Union General Data Protection Regulation (GDPR), and this regulation affects the budget as well as the personnel the company invests in its cybersecurity program.

To sum it up, the overall risk exposure of an organization and these other factors must be determined and documented in order to know the scope, size, and purpose of the organization’s cybersecurity program.

2.     Have a well-documented audit program or steps to cover different areas of the program. 

The audit program should be developed based on the first step mentioned above and should be focused on the scope of the cybersecurity audit. If your organization has a team of cybersecurity auditors who specialize in auditing the different areas in scope, then the IT audit team might review their most recent audit reports.

  • Determine the people involved in the organization’s cybersecurity program (e.g., the CIO) and identify the process owner so that he/she can walk you through the processes involved in the program. This is to obtain the necessary understanding of the control processes and to gather relevant evidence such as documentation (e.g., the IT security policy covering the cybersecurity program, proof of its enforcement, and the disaster recovery or incident response plan for the program). The IT security policy should cover the essential processes and systems needed to meet the security needs of the assets. The focus should be on the confidentiality, integrity, and availability of data as well as on the processes that secure the information system assets. It is important to verify how adequately the policy covers your organization’s IT environment.
  • Performing your audit should also involve mapping the security attributes of the assets in scope (which could be processes or systems) to the controls associated with those attributes. Just three attributes are mentioned above, but the list could be longer if the SABSA (Sherwood Applied Business Security Architecture) attributes are adopted.

3.     Another important step in the cybersecurity audit is to examine the cybersecurity awareness training program and the cybersecurity information communication process of your organization.

It is also important to evaluate the process for ensuring that the IT security employees have the knowledge and skills required to secure the assets in scope. While it would be challenging to evaluate such criteria across the entire organization, sending out e-mails like the company-generated test phishing e-mail I mentioned earlier helps in training employees and in assessing the risk from incoming threats.