Doug Murray, Principal and Chief Information Security Officer at Hyundai/Kia Motor America, described the value of Audit to Information Security and how to create synergy between the two.
Audit can be a powerful ally of Information Security because of the authority it has with the business, announced Murray at the outset of his keynote presentation at the 2016 Chief Information Security Officer Leadership Forum held in Los Angeles on May 10. “However, we often don’t see eye to eye with internal auditors,” he pointed out. “It’s frequently a confrontational and complex relationship, because Audit and Information Security have two different agendas. The key is creating synergy between the two. Synergy can be built by the CISO making a good impression on the Audit peer, embedding each organization into one another’s processes, and developing an audit protocol with SLAs and guidelines.”
The protocol that Murray uses at Hyundai/Kia to involve Audit in Information Security is the following:
• Embed Audit into the IT risk life cycle.
• Ask Audit to embed Information Security into the IT audit planning process.
• Embed Audit into the secure SDLC process to work alongside Information Security to provide assurance to the business, board, and Audit Committee that appropriate controls are in place (which eliminates pre/post-implementation reviews by Audit).
• Ensure identified project risks are mitigated in a timely manner.
Audit is embedded into the following four phases of the IT risk life cycle: risk identification, risk analysis and assessment, risk treatment, and risk monitoring/review and control compliance.
Jones noted that Information Security meets with the business monthly to do the following:
• Identify emerging risk.
• Discuss current risk and mitigation efforts.
• Discuss current state of security, etc.
• Ensure transparency, which makes it clear to business how value is being added.
Although Audit conducts similar meetings with the business, Murray advised that Information Security’s perspective should come into play during the Audit planning process. “For example, Audit’s perceived emerging risks should align with Information Security’s perception of emerging risks.” In addition, when the business denies the resources needed to put in controls that address a material risk, that denial should be communicated to Audit and included in the audit plan for validation. With the authority of the Audit Committee behind them, these gaps get remediated.
Developing an Audit protocol with SLAs and guidelines facilitates clarity and consistency in the interactions between the two organizations during the audit process. This protocol involves:
• Planning, to ensure that scheduled audits contain sufficient person-hours for independent substantive testing (e.g., control effectiveness and detailed design).
• Notification, fact find, and terms of reference to assure that Audit and Information Security collaborate during the fact-find process to identify those material risks pertinent to the audit.
• Execution, which focuses on performing risk-based rather than control-based auditing and ensures that auditors don’t rely on assessments to rediscover issues that Information Security has already identified and is remediating. Audit requests for evidence carry a five-day SLA; requests that require more than 10 man-hours carry a 10-day SLA to minimize the impact on IT operations.
• Reporting, which includes providing sufficient time for management to respond to report drafts (at least 10 working days).
A goal going forward, said Murray, is for Information Security to provide a status of the action on a monthly basis for the open issues in its Risk Register to ensure timely remediation and keep them “on-track” for closure.
“In summary,” said Murray, “we, in Information Security, are tasked with putting in the controls necessary to minimize the risk to the business, and often the business balks at investing in this if Information Security asks for it. Audit has a lot of authority, so if they make the request, it will happen.”
ABOUT DOUG MURRAY:
With over two decades of information security and technology experience, Doug Murray joined Hyundai AutoEver America (HAEA) in February 2015 to lead and mature the information security program. As the Chief Information Security Officer and Principal at HAEA, he is responsible for Hyundai and Kia Motor America, as well as twenty-one other Hyundai and Kia affiliates in the Americas region. Doug’s information technology career spans multiple industries, including aerospace, automotive, financial/banking, insurance, healthcare, real estate, and telecommunications/electric utilities.
Besides his extensive experience in information security, his background also includes IT governance, risk, and compliance; information systems audit; systems development; network administration/engineering; IT operations; and IT infrastructure.
Doug has a Bachelor of Science degree in Business/Management Information Systems from Pepperdine University and holds the following designations: CISSP, CISA, CISM, CRISC, and PCIP.