IS Audit Basics: Lessons From History

So, in case you have been living in a cave somewhere, ISACA is 50—a significant historical milestone. History, we are taught, can often be better understood through artifacts, “An object made by a human being, typically one of cultural or historical interest.”¹ One of the most significant artifacts to have been created in ISACA’s history is, undoubtedly, COBIT. To me, it represents a large part of the collective knowledge of ISACA volunteers—knowledge that was acquired both before and after its first release in 1996.

Of course, history is important because we can learn from it. Certainly, that humans do not learn very much from the lessons of history is the most important of all the lessons that history has to teach.² In the world of IT audit, we learn from history in the form of case studies such as data breaches. In fact, in December 2018, the US House of Representatives Committee on Oversight and Government Reform produced a report on the Equifax data breach.³ The report contains a section titled, “Specific Points of Failure,” from which I believe learning can be found. Could COBIT have helped identify any of these issues?

Equifax IT Management Structure Lacked Accountability and Coordination

In 2005, as working relationships between senior executives became strained, Equifax reorganized its IT organization structure (figure 1) so that the chief security officer (CSO), who was responsible for IT security, reported to the chief legal officer (CLO) rather than the chief information officer (CIO). The company did not revert the IT organizational structure back to its original form (where the CSO reported to the CIO) following new appointees despite there being multiple discussions to do so.

The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap. At the time of the breach, the organizational structure did not facilitate a strong CIO and CSO partnership.⁴

Depending on the organizational reporting structure an organization adopts, the CSO and CIO roles can be conflicting or complementary. At Equifax, the IT and security organizations were siloed, meaning information rarely flowed from one group to the other. Collaboration between IT and security mostly occurred when required, such as when security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective.

One example of the lack of IT-security coordination was that multiple and incomplete software inventory lists were kept independently by each group. Both IT and security rely on accurate inventory lists to operate, patch and monitor the organization’s IT systems. In a more collaborative environment, these lists would be merged into a single master document with both teams working together to complete the inventory.⁵

In addition, the organization did not prioritize cybersecurity. Quarterly senior leadership team meetings were held where IT security was just one of the many topics discussed. Further, the CSO did not regularly attend these meetings because the CSO was not considered part of the senior leadership team. As a result of this, the chief executive officer (CEO) was not receiving timely information on Equifax’s security posture. The information he did receive was presented by the chief legal officer (CLO), who did not have any background in IT or security. 

Clearly this was not a tenable situation, but how could COBIT have helped? COBIT has defined the mandate, operating principles, span of control and authority level of the chief information security officer (CISO) (figure 2).⁶ COBIT does indicate that, depending on a variety factors within the enterprise, the CISO may report to the CEO, chief operating officer (COO), CIO, chief risk officer (CRO) or other senior executive management,⁷ however, it also specifies the CISO as the liaison between executive management and the information security program.⁸ This, in my opinion, can be done through the CIO, however, ideally, the CISO should report to the CEO.⁹ In February 2018, Equifax announced a revised reporting structure elevating the (now renamed) CISO to directly report to the CEO.¹⁰

Equifax Had Serious Gaps Between IT Policy Development and Execution

At the time of the breach, Equifax’s internal IT management process failed to establish clear lines of accountability for developing IT security policies and executing these policies.¹¹

The disconnect between policy development and execution was especially pronounced with respect to the patch management policy. This policy defined roles and responsibilities, and established guidelines for the patching process. The policy designated two employees to lead implementation—a policy manager and a senior leadership team owner. The responsibility of the policy manager was to ensure that all of the work they needed to do was tracked, while the senior leadership team owner’s role was to ensure that the organization conformed to the policy.

The patch management policy also identified the roles and responsibilities for various individuals within their portfolios. The business owner was informed of the need to patch and was responsible for approving downtime so the patch could be applied. The system owner was responsible for applying the patch, and the application owner was then responsible for ensuring the patch was applied correctly. While roles and responsibilities were defined in the policy, there were no official designees for these roles. Again, this was not an acceptable situation.

COBIT 2019 process Deliver, Service and Support (DSS) includes the management practice DSS05.01 Protect against malicious software, which requires an organization to implement and maintain preventive detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malicious software (e.g., ransomware, malware, viruses, worms, spyware, spam).¹²

In addition, COBIT 2019 defines who is responsible and accountable (figure 3) for each of its key management practices. Clearly, the message here is that these roles should be mapped to named individuals in each of our enterprises.

Also noteworthy was the fact that internal audit had reported issues with the patching process. These included the failure to patch or remediate vulnerabilities in a timely manner. The lesson here is clearly to follow up on audit recommendations through to their implementation.¹³

Equifax Ran Business-Critical Systems on Legacy IT With Documented Security Risks

Equifax faced increased security risk due, in part, to its complex legacy IT environment. Legacy technology is both a security issue and a hindrance to innovation, and legacy systems are tough to secure because they are often extremely difficult to patch, monitor or upgrade. Equifax ran a number of its business-critical systems on legacy infrastructure, including the system compromised by attackers during the 2017 data breach.¹⁴

The use of legacy technologies and applications resulted in a dwindling number of employees with knowledge of how to operate and maintain the aging system. For example, Equifax did not have a comprehensive picture of the software used within the application. This was a key issue, as the patch management policy relied on its employees knowing the source and version of all software running on a certain application in order to manually initiate the patching process. 

Equifax recognized the risk posed by continued operation of its legacy IT systems, had documented some security risk factors and even planned an upgrade, however, it failed to move quickly enough, resulting in the breach of the system.

Again, COBIT has documented these risk scenarios. Build, Acquire and Implement (BAI) BAI03.10 Maintain solutions requires an enterprise to develop and execute on a plan for the maintenance of solution and infrastructure components, and to include periodic reviews against business needs and operational requirements. Organizations should also develop and execute on a plan for the maintenance of solution components that includes periodic reviews against business needs and operational requirements such as patch management, upgrade strategies, risk, vulnerabilities assessment and security requirements (figure 4).

Conclusion

It has not been my intention to single out Equifax and point fingers. Certainly, let he or she who is without security vulnerabilities cast the first aspersion. However, in this historical year for ISACA, I do believe that it is important that we learn from what is an excellent report from the US House of Representatives. ISACA’s artifacts, especially COBIT, can aid us in doing so and ensure that, in turn, history is kind to us. "Those who cannot remember the past are condemned to repeat it."¹⁵

Endnotes

¹ Oxford Dictionary, “Artifact,” https://en.oxforddictionaries.com/definition/artefact
² Huxley, A.; Collected Essays, Harper and Brothers, USA, 1958
³ US House of Representatives Committee on Oversight and Government Reform, The Equifax Data Breach, Majority Staff Report, 115^th Congress, December 2018, https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
⁴ Ibid., p. 58
⁵ Ibid., p. 61
⁶ ISACA, COBIT 5, USA, 2012, www.isaca.org/resources/cobit
⁷ Ibid.
⁸ Ibid.
⁹ Putrus, R.; “The Role of the CISO and the Digital Security Landscape,” ISACA Journal, vol. 2, 2019, https://www.isaca.org/resources/isaca-journal/issues
¹⁰ Op cit The Equifax Data Breach, p. 60
¹¹ Ibid., p. 61
¹² ISACA, COBIT 2019 Framework: Governance and Management Objectives, USA, 2018
¹³ Cooke, I.; “Enhancing the Audit Follow-up Process Using COBIT 5,” ISACA Journal, vol. 6, 2016, https://www.isaca.org/resources/isaca-journal/issues
¹⁴ Op cit The Equifax Data Breach, p. 71
¹⁵ Santayana, G.; The Life of Reason: Reason in Common Sense, Scribner’s, USA, 1905, https://www.iep.utm.edu/santayan/