Organizations today are facing increased compliance pressures in a complex regulatory environment that continues to expand. As the internal audit leader at one of the top research universities in the United States, my organization is no different — our operations span many different industries: higher education, agriculture, veterinary research, medical research, utilities, real estate, food safety, healthcare, entertainment/performing arts, and venue operations.
This diversity of activity means IT risk is not always centrally managed — and siloed risk management efforts can be further exacerbated by the rapid digital transformation and development many organizations experienced during and after the global pandemic. As an organization’s security footprint increases, many teams struggle to manage the risks that increase along with it.
In such an environment, utilizing an IT framework can make all the difference by providing a guiding structure and support. In this article, I share lessons that I and my team of 12 auditors learned on our journey in assisting our institution into better IT risk management.
Getting Familiar With Frameworks
The Oxford English Dictionary Online defines a framework as “a basic structure underlying a system, concept, or text.” When it comes to IT risk management, a security framework provides context for activities to be performed in a meaningful way through:
- A series of documented processes that define policies and procedures around IT security controls.
- Defining and prioritizing the tasks required to manage security enterprise-wide.
- Providing assistance for complying with industry standards and other regulations.
In addition to providing a foundation for risk management, frameworks can offer additional potential benefits to organizations with large and/or decentralized IT security environments by providing a starting point for the establishment of robust administrative activities. Two added benefits of utilizing a strong framework is that it can A) be customized to your organization’s specific needs or problems and B) help demonstrate compliance with overlapping regulatory requirements through effective crosswalks. Based on my experiences, the following are some tips for using a framework to guide your IT risk management program.
Tips for Using a Framework to Guide an IT Security Review
1. Pick a robust IT framework and perform a control self-assessment.
Lean on your auditors and compliance professionals when undertaking this process to optimize interdepartmental communication and understanding. Some IT security frameworks that are commonly used across a wide variety of industries include:
- International Organization for Standardization (ISO) 27000 series
- National Institute of Standards and Technology (NIST)
- NIST 800-53: An InfoSec benchmark for U.S. Government agencies that is widely used in the private sector.
- NIST 800-171: More popular, based on the U.S. Dept. of Defense requirements on contractors.
- Control Objectives for Information and Related Technologies (COBIT)
- Center for Internet Security (CIS) Critical Security Controls: User-friendly, accessible for free, does not require you to be an IT auditor to understand.
- Committee of Sponsoring Organizations (COSO)
2. Leverage framework mapping and crosswalks for efficiency and effectiveness.
There are many resources that are widely available; for example, my team utilized the ones available at the CIS Critical Security Controls website. Our team used the controls outlined in the CIS framework safeguard descriptions to help guide the creation of our audit program. Some benefits we experienced when using the CIS Critical Security Controls included:
- Simplicity: They are written in easy-to-understand terms with sufficient definitions.
- Easy crosswalking: They easily map to NIST, COBIT, ISO, and other common frameworks.
- Commonality: CIS controls are widely known and understood, this lowers the “acceptance” threshold.
3. Prioritize relationships.
Like so many things in life, the key is to start by building strong relationships. As head of internal audit at my institution, I prioritized and built a productive working relationship with central IT and our other distributed partners. This is not only prudent from a CAE perspective, but for the staff auditors as well. Everyone needs to prioritize building such relationships because it is these working relationships that directly impact the efficiency and effectiveness of your audit activities throughout the year.
4. Do your homework.
While it is not mandatory that you sit down and read all hundred pages of your security framework — I did. When educating yourself about your framework, ask yourself questions about what it means for your organization.
In addition, make an effort to understand the governance structure of your organization, from how decisions are made to who the influencers are — whether the CEO or the CISO — and what their priorities are. This is important because you will need to interface with these decision-makers when, for example, you find a significant deficiency or a risk that is being overlooked. This information will allow you to strategically advocate for the changes you need to deploy your resources in the most effective way.
5. Consider the most effective testing approach that makes sense for your organization and its specific use cases.
Because my particular institution is large and disbursed, we must tailor our approach to the overall objective in the review. Often, we will review a single process across the institution. For instance, if we are looking at Windows server security, we will determine the university-wide controls and then select a sample of servers from across the decentralized units to assess the level of overall compliance or security. In doing so, we are seeking to understand the central controls and decentralized compliance. We also will take a single unit look at more broad topics. This is most often the case if we are reviewing IT security within a single department or unit.
6. If you don’t know where to start, begin with inventory and the risk assessment.
Inventory is an easy place to begin if you are just beginning to build out your IT risk program. Backup and Patching are also excellent places to set your initial targets for action. Start by asking yourself questions as you approach each area, for example:
Inventory
- How do we protect what we don’t know about?
- Since we can’t protect everything, how do we determine what we must protect?
Backup
- How are we backing up our systems?
- How are we backing up remote systems?
- How do we know the backups are effective?
Patching/Encryption/Malware
- How are we monitoring patching on high-risk systems?
- How are we enforcing encryption?
- How are we ensuring up-to-date malware protection?
7. Leverage technology that can help you organize your organization-wide controls data.
A connected risk platform will not only organize your controls, but will pull in your framework(s) of choice to help you gain a comprehensive view of the status of your risk environment. An integrated technology solution, such as AuditBoard, can help you gain an overview of your issues status and know what areas require attention, as well as provide a comprehensive picture of compliance across your framework of choice.
Making an Impact With IT Risk Management
While internal audit is one among many groups responsible for IT risk management at my organization, this does not mean our role is insignificant. In fact, my team found that we could make a significant impact on improving risk management practices at our institution by leveraging a framework to efficiently and effectively address our compliance needs. Ultimately, taking these steps enormously benefitted the audit, risk, and compliance teams at my institution — all it took was a little creative thinking, great working relationships, and a good bit of patience.
For a deeper dive into the topic, watch the full presentation on-demand.
Justin Noble, CIA, is the Chief Audit Executive, Office of Audit, Risk, and Compliance for Virginia Tech, where he provides management direction in planning all risk-based compliance, IT, investigative, and advisory reviews. Justin brings 20 years experience as an internal auditor with over 15 years in higher education, having previously held roles at Texas Tech University System, University of Texas Southwestern Medical Center at Dallas, and Southwest Airlines. Connect with Justin on LinkedIn.