Ever since the internet started being used for commercial purposes, cyber security audits have become a routine requirement.  Considering that this change is fairly recent, these audits too are quite new. Audits, however, have been in existence in the finance world since time immemorial. These financial audits are fairly standard and have a set process both in terms of form and delivery. However, in case of cyber security, audits scenario is quite different.  Let’s look at the process, persons and institutional framework under which these cyber audits are currently being conducted.

In common parlance, there are at least two types of audits which are prevalent. One is ‘black hat audit’, which tests systems from outside using the internet. The other is ‘white hat audit’, in which all details are shared with the audit team and they audit having full access to systems. There is an in-between system too, which is a mix of ‘black hat’ and ‘white hat’ and is called ‘grey hat’. These audits check weaknesses that may exists and also check non-compliances against standards like ISO 27001. These audits could cover the entire organisation or could be limited to specific areas like network, applications or websites.

These audits, in order to get initiated, require information about digital assets of the organisation. Information shared generally includes the makes of systems, network equipment, communication links etc. The entire network diagram is also sometimes shared. All documents of standards followed and operating procedures are handed over to the auditing teams.

To ensure confidentiality there are non-disclosure agreements. But the possibility of misuse starts from the time this information is shared. This is even more so, when these auditors are allowed inside as white hat auditors or certification auditors for granting certificates for compliance to standards like ISO 27001 etc.

One may argue that this is exactly the same in case of physical audits performed by erstwhile financial auditors. Well if one considers the output of these audits it is generally the same. Both produce audit reports and disclose of non compliances. Comparison, however, ends here.

When one considers misuse and manipulation of information in case of physical audits it is fairly limited. But the misuse of digital information in case of cyber audits is fairly widespread. It is no wonder that 74% of the corporates worldwide are exposed to insider threats and this includes these white hat auditors besides regular employees. [https://techreport.com/statistics/insider-threat-statistics/#:~:text=1.-,74%25%20of%20Companies%20Feel%20Moderately%20or%20Extremely%20Vulnerable%20to%20Consistent,in%202023%20is%20%2415.38%20million] This indeed raises a serious concern about confidentiality of these cyber audits.

Beside the issue of confidentiality, these audits can at best generate a report of compliance or non-compliance at a given time. Immediately after the audit, technically all parameters can be changed in a digital world. So these audit reports are of not much use beyond the date and time when these audits are conducted. This poses a huge question mark on the reliability of these audit reports, if they are used to certify a system. At best this could be a certificate for the compliance of the systems and processes at a given date and time. And nothing beyond that.

Still, these cyber security audits have been mandated as necessary compliance by regulators. Most common are vulnerability assessment and penetration testing audits required for IT infrastructure, applications and web sites. This is a requirement to be able to host website on an approved infrastructure. And surprising part is that many times these applications are not even on internet. Still it appears that compliance requires these to be audited and certificate obtained.

Besides vulnerability assessment and penetration testing audits, there are certification audits. Certification for ISO 27001 compliance has become an accepted norm. The process here is similar to normal cyber security audits but here all documentation which includes policies and processes are handed over for evaluation. This has its own pitfalls in terms of maintenance of confidentiality.

Ironically, in normal day-to-day life, when it comes to issues which need to be safe guarded, these kinds of certificates are not required. Valuables either in houses or in offices get stored in a safe place.  And these are kept outside the view of even insiders who are not considered part of inner circle. Now compare this with certification audit.

Complete outsiders come and look at all confidential systems and are made aware of all internal policies and procedures. This is done in the name of compliance to the standard. Even if one wants to avoid these, there is no escape. These cyber security audits and in some cases even certifications are required as a compliance measure by regulating organisations.

Needless to say, this exposure leads to possibility of compromise. In hindsight, it may be a good idea to assess whether one needs to get these audits and certifications at all. Even while mandating these audits, regulators may exclude sites and applications if they do not pose any risk. And in cases where there is a risk and assurance is required, it will be better that the same is done in house in a controlled environment.

Besides the process which leads to lack of confidentiality, let’s look at the persons carrying out these cyber security audits. Ever since these audits became common place, almost every one with some knowledge of operating computers has become or is trying to become a cyber security auditor. Qualifications are hardly ever specified. A few which are being asked for are also not controlled by any regulating body in India. For example, certification like CISA, CISSP, CEH etc which get advertised as requirement for security auditors are not controlled by any local body in India.

In stark contrast to this, chartered accountants who audit financial accounts have an institutional base in terms of ICAI (Institute of Chartered Accountants in India: https://www.icai.org/), cyber security auditors have none. They also have certification like DISA (Diploma in Information System Audits: https://www.iibf.org.in/DISACertificate.asp) which are locally administered and controlled by the Indian Institute of Banking and Finance.

CERT-in certifies organisations as capable of security auditing but beyond that has no control on the auditors either on their conduct or the qualifications. This is also because there is no certification body in India which certifies these individual security auditors on same lines as financial auditors.

Basically, this lack of controls on the process and persons along with absence of any institution to control and mandate the cyber security auditors, at least in current scenario, might lead to insecurity rather than security.

In order to address this situation, as a first, it is required that the qualification levels of cyber security auditors are fixed. This has to be coupled with tests of their competence by having local certification examinations. This can be on lines of DISA as it exists in financial world. Mere computer knowledge and having certifications from international agencies may not be the correct method of assessing and selecting the auditors.  

Besides individual certification, audit process itself needs a proper framework. This has to start with the audit reports. As of now there is neither a standard process nor a format of the report. Every auditing organisation and auditor produces his own version of the audit report and has its own process of conducting these audits. Even non disclosure agreements are not standard. Cyber security audit reports and non-disclosure agreements have to have a standard format which should be applied across organisations. Documents and information to be shared also needs to be standardised. With these standardisations, it will help not only in facilitating these audits but also evaluating security readiness of organisations across sectors.

All this, in the end, requires a regulating body which certifies cyber auditors and also binds them under a code of conduct. Failing which, these audits which are currently used for passing some compliance requirements may lead to phenomenal insecurities.

In the interim, for maintaining and assuring cyber security, it may be better to have in-house teams to look at these situations. Besides having internal teams, it is also important to consider the risk that the organisation is exposed to. If there is no risk then nothing needs to be done. For example, a website which has only information and no transaction-oriented processes is well left unaudited. Some basic security can be handled by the in-house team or those who develop the site. This would at least reduce the disclosure of confidential information, which may later be misused by persons who were knowingly welcomed inside in the name of cyber security auditors!

Pandey, a former Indian Police Service officer, has a BTech in Computer Science from IIT Kanpur and is a Certified Information System Security Professional (CISSP), apart from holding LLB from Bombay University and MPA from Harvard University.