Carrying Out Information Security Audits In BFSI

March 24, 2015

In a world where investments, hedge funds, arbitrage pricing theory and the uptick rule are part of the daily vocabulary, and where the enhancement and sophistication of technology is gaining speed, financial institutions have ended up being data rich but information poor.

Auditors in the financial sector must comply with the minimum requirements and also go beyond the call of duty to adequately, completely and effectively secure information systems for their institutions. To audit the completeness and effectiveness of the current security measures, we must first understand what the company wants the controls to be. This is usually stated in its information security strategy, which includes the definition of control objectives and a corresponding implementation plan. Most financial institutions lack such a strategy. As IS auditors, we must make sure that the company has a well-documented IS strategy. If it does not, this is the first gap to be closed. The strategy should mainly cover prevention, response and detection mechanisms; multiple control points between the company's assets and threats, established through layered controls; and finally the standards and policies that help employees implement effective security practices. Implementing minimum permissions and minimum privileges for every entity distinguishes your IS security strategy from others. This helps you achieve functionality while simultaneously limiting possible harmful actions.

Challenge everything, don’t take yes for an answer

Galileo once said, and I quote, “Question Everything, Accept Nothing”. This holds true for auditors even today. An auditor should not accept anything only because it has been accepted in the past and that is the way it is supposed to be. Audit has no room for legacy solely on the basis of legacy. The only way forward is to dig deeper until you have enough artifacts to support your assessment. To achieve this, we need to be skeptical and yet empathetic. Look for faults in every corner, no doubt, but also test your assessment by taking the point of view of the assessee and/or the business process. Most experienced auditors deftly leverage the draft assessment submission meeting to use the auditee as a sounding board for their assessment. This generally leads to a more accurate and prudent risk impact analysis for our organization.

Know thy partners!

Zurich Insurance Plc unfortunately had to pay a £2.275 million charge only because one of its South African subcontractors lost an unencrypted backup disk with personal information for 46,000+ customers. The moral: our data is being accessed, used and managed by entities beyond the scope of our organization. These entities, such as our partners, vendors and even customers, may lack knowledge of security controls and/or may not have the skills to apply them. Extending assurance to them may seem daunting at first from both an effort and a cost perspective, but when one digs deeper, one realizes that the cost of not doing so is much higher. One of the first steps required is to enhance the adequacy and comprehensiveness of the Business Associate Agreement (BAA). The next is to make sure that basic hygiene and minimum corporate governance are followed and maintained by our partners through appropriate and mutually acceptable control measures and reviews. A best practice in this field is to advise partners and associates of the minimum and mandatory skill and certification requirements.

A hands-on approach

As per a recent survey by the Department of Financial Services, New York, 70% of companies reported that their biggest barriers to implementing an effective security program are the constant enhancement of technology and the sophistication of threats. In such a scenario, it would be wise to ask for help from our own IT team, who can enlighten us on the functionality and the limitations of the system. In the real world, the process owner has more knowledge about his business process than the auditors; it is his forte. It is easy to drown with him in the gripping daily operations. However, we need to look beyond the security dashboards and the process limitations that the systems are used to in order to adequately find the exact process or design gaps. An important tool for achieving this is leveraging walkthrough meetings and informal encounters to understand the process. You will be surprised at the insightful findings you discover.

Balance of payments

An auditor reports directly to the senior management or the board members. With such great responsibilities, we always want to give the best solutions to curb IS security risks. More often than not, auditors will find themselves in an interesting quandary. We want to give solutions that make our systems resilient and resistant, and we would not want to give a second-best solution. However, we need to keep in mind that “The cost of securing our assets can never be more than the cost of the asset itself.” One also needs to maintain balance amongst the three pillars of information security: Confidentiality, Availability and Integrity. We may aim for the best of all three, but in practice we cannot have an asset so confidential that it is not available when required. Even if your job description as an IS auditor may not have formally taken a new shape, the expectations of the customer and the business, whether internal or external, have definitely scaled to levels that are no longer satisfied by conventional roles. A tightrope walk on business and budgets, a disciplined focus, a hands-on techy geek, all rolled into one, is how the financial world wants to see an IS auditor!
