Cyber security audits: A case for institutional support

A regulating body is needed to certify cyber auditors and also bind them under a code of conduct


Sanjay Pandey | February 8, 2024

#cyber security   #business   #Technology  
(Illustration: Ashish Asthana)

Ever since the internet started being used for commercial purposes, cyber security audits have become a routine requirement. Since that change is fairly recent, these audits too are quite new. Audits, however, have existed in the finance world since time immemorial. Financial audits are fairly standard and follow a set process, both in form and in delivery. In cyber security, the audit scenario is quite different. Let’s look at the process, the persons and the institutional framework under which cyber audits are currently being conducted.

In common parlance, at least two types of audit are prevalent. One is the ‘black box audit’ (often loosely called ‘black hat’), which tests systems from outside over the internet, with no inside information. The other is the ‘white box audit’ (‘white hat’), in which all details are shared with the audit team and they audit with full access to the systems. There is an in-between approach too, a mix of the two, called ‘grey box’. These audits check for weaknesses that may exist and also check non-compliance against standards like ISO 27001. They may cover the entire organisation or be limited to specific areas like the network, applications or websites.

To be initiated, these audits require information about the organisation’s digital assets. The information shared generally includes the makes of systems, network equipment, communication links and so on. Sometimes the entire network diagram is shared. All documents describing the standards followed and the operating procedures are handed over to the auditing teams.

Non-disclosure agreements are signed to ensure confidentiality. But the possibility of misuse starts from the moment this information is shared. This is even more so when auditors are allowed inside as white box auditors, or as certification auditors granting certificates of compliance with standards like ISO 27001.

One may argue that this is exactly the same for the physical audits performed by traditional financial auditors. If one considers the output of these audits, it is generally the same: both produce audit reports and disclose non-compliances. The comparison, however, ends there.

The scope for misuse and manipulation of information in physical audits is fairly limited. The scope for misuse of digital information in cyber audits is far wider. It is no wonder that, in one survey, 74% of companies worldwide reported feeling moderately or extremely vulnerable to insider threats; the insiders in question include white box auditors besides regular employees. This indeed raises a serious concern about the confidentiality of cyber audits.

Besides the issue of confidentiality, these audits can at best generate a report of compliance or non-compliance at a given point in time. Immediately after the audit, technically every parameter of a digital system can be changed. So these reports are of little use beyond the date and time at which the audit was conducted. This poses a huge question mark over the reliability of such reports if they are used to certify a system. At best they certify the compliance of systems and processes at a given date and time, and nothing beyond that.
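The point-in-time nature of an audit certificate is easy to demonstrate. The following is an added example, not code from the article or from any auditing body: at sign-off, the in-house team records a keyed hash manifest of the audited configuration under a secret the external auditor never sees; a later run reports what has drifted since the certificate date, and refuses a manifest that has itself been altered. The file paths, contents, key and audit date are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: configuration as it stood when the audit was signed off.
AUDITED_CONFIG = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/nginx/nginx.conf": "ssl_protocols TLSv1.2 TLSv1.3;\n",
    "/etc/sudoers": "%admin ALL=(ALL) ALL\n",
}

# Hypothetical secret held by the in-house team only. The external auditor
# never sees it, so a baseline cannot be forged or "updated" from outside.
BASELINE_KEY = b"in-house-baseline-key-example"


def digest(content: str) -> str:
    """SHA-256 of a file's content, hex encoded."""
    return hashlib.sha256(content.encode()).hexdigest()


def sign_baseline(config: dict, key: bytes, audited_at: str) -> dict:
    """Build the manifest of hashes for the audited state and MAC it."""
    files = {path: digest(body) for path, body in sorted(config.items())}
    payload = json.dumps({"audited_at": audited_at, "files": files}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def baseline_is_authentic(baseline: dict, key: bytes) -> bool:
    """True only if the manifest carries a valid MAC under our key."""
    expected = hmac.new(key, baseline["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["tag"])


def check_drift(baseline: dict, key: bytes, current: dict) -> dict:
    """Compare the live configuration against the signed baseline.

    Returns the paths that changed, disappeared or appeared since the audit
    date, so the certificate is read as "true as of audited_at", not "true today".
    """
    if not baseline_is_authentic(baseline, key):
        raise ValueError("baseline manifest failed integrity check")
    files = json.loads(baseline["payload"])["files"]
    changed, missing = [], []
    for path, expected_hash in files.items():
        if path not in current:
            missing.append(path)
        elif digest(current[path]) != expected_hash:
            changed.append(path)
    added = sorted(set(current) - set(files))
    return {"changed": changed, "missing": missing, "added": added}


def demo() -> dict:
    """Sign the audited state, then simulate changes made after the audit."""
    baseline = sign_baseline(AUDITED_CONFIG, BASELINE_KEY, "2024-02-08")
    # The day after the certificate is issued, root login is re-enabled and a
    # new cron job appears: the audit report is already out of date.
    later = dict(AUDITED_CONFIG)
    later["/etc/ssh/sshd_config"] = "PermitRootLogin yes\nPasswordAuthentication no\n"
    later["/etc/cron.d/new-job"] = "0 2 * * * root /usr/local/bin/nightly\n"
    return check_drift(baseline, BASELINE_KEY, later)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is keyed rather than merely hashed so that anyone who was handed the audited state (including the auditor) cannot produce a replacement baseline; a real deployment would read the files from disk on a schedule and alert on any non-empty result.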

Still, cyber security audits have been mandated as necessary compliance by regulators. Most common are the vulnerability assessment and penetration testing (VAPT) audits required for IT infrastructure, applications and websites. This is a requirement to be able to host a website on approved infrastructure. The surprising part is that many of these applications are not even on the internet. Still, it appears that compliance requires them to be audited and a certificate obtained.

Besides vulnerability assessment and penetration testing audits, there are certification audits. Certification for ISO 27001 compliance has become an accepted norm. The process here is similar to a normal cyber security audit, but all documentation, including policies and processes, is handed over for evaluation. This has its own pitfalls in terms of maintaining confidentiality.

Ironically, in normal day-to-day life, when it comes to things that need to be safeguarded, such certificates are not required. Valuables, whether at home or in offices, are stored in a safe place, out of the view even of insiders who are not considered part of the inner circle. Now compare this with a certification audit.

Complete outsiders come and look at all confidential systems and are made aware of all internal policies and procedures, in the name of compliance with the standard. Even if one wants to avoid this, there is no escape: cyber security audits, and in some cases certifications, are required as a compliance measure by regulating organisations.

Needless to say, this exposure creates the possibility of compromise. In hindsight, it may be worth assessing whether one needs these audits and certifications at all. Even while mandating audits, regulators could exclude sites and applications that pose no risk. And where there is a risk and assurance is required, it is better that the assessment is done in house, in a controlled environment.

Besides the process, which leads to a lack of confidentiality, let’s look at the persons carrying out these audits. Ever since audits became commonplace, almost everyone with some knowledge of operating computers has become, or is trying to become, a cyber security auditor. Qualifications are hardly ever specified. The few that are asked for are not controlled by any regulating body in India. For example, certifications like CISA, CISSP and CEH, which get advertised as requirements for security auditors, are not controlled by any local body in India.

In stark contrast, chartered accountants who audit financial accounts have an institutional base in the ICAI (Institute of Chartered Accountants of India); cyber security auditors have none. Chartered accountants also have a qualification like DISA (Diploma in Information Systems Audit), which is locally administered and controlled by the ICAI itself.

CERT-In empanels organisations as capable of security auditing but beyond that has no control over the auditors, either their conduct or their qualifications. This is also because there is no certification body in India which certifies individual security auditors on the same lines as financial auditors.

Basically, this lack of controls on the process and the persons, along with the absence of any institution to regulate cyber security auditors, might in the current scenario lead to insecurity rather than security.

To address this, it is first required that qualification levels for cyber security auditors be fixed. This has to be coupled with tests of their competence through local certification examinations, on the lines of DISA in the financial world. Mere computer knowledge and certifications from international agencies may not be the correct method of assessing and selecting auditors.

Besides individual certification, the audit process itself needs a proper framework, starting with the audit report. As of now there is neither a standard process nor a standard report format. Every auditing organisation and auditor produces their own version of the report and follows their own process. Even non-disclosure agreements are not standard. Audit reports and non-disclosure agreements need a standard format applied across organisations. The documents and information to be shared also need to be standardised. This standardisation will help not only in facilitating audits but also in evaluating the security readiness of organisations across sectors.

All this, in the end, requires a regulating body which certifies cyber auditors and binds them under a code of conduct. Failing that, audits which are currently used to pass compliance requirements may lead to phenomenal insecurity.

In the interim, for maintaining and assuring cyber security, it may be better to have in-house teams look at these situations. Besides having internal teams, it is also important to consider the risk the organisation is exposed to. If there is no risk, nothing needs to be done. For example, a website that carries only information and no transaction-oriented processes is well left unaudited. Basic security can be handled by the in-house team or by those who develop the site. This would at least reduce the disclosure of confidential information, which may later be misused by persons who were knowingly welcomed inside in the name of cyber security auditing!

Pandey, a former Indian Police Service officer, has a BTech in Computer Science from IIT Kanpur and is a Certified Information Systems Security Professional (CISSP), apart from holding an LLB from Bombay University and an MPA from Harvard University.


