By Shawna Flanders
February 7, 2017
Is it historic or historical? Mass or weight? Mean or average? Coke or Pepsi?
The items in these pairs are similar to each other and certainly related, but have important distinctions that make them different in how they are defined and applied (or in that last case, enjoyed). The same can be said about information security and cybersecurity. These topics are related and can easily be confused. They are different, however, and understanding these differences may help internal auditors decide what to audit, how much assistance they will need during the audit, and how they provide assurance to the board of directors and executive management teams.
Did you know the origin of information security dates back to ancient times? Ever since humans have needed to protect information from others, say in times of war, some form of information security has existed. When we think of modern information security, however, and its relationship to the CIA triad (confidentiality, integrity, and availability), the discussion generally starts around World War II and connected mainframes. This period is also the advent of cybersecurity.
Most experts agree that the characteristic that separates information security from cybersecurity is that information security includes all forms of data (electronic and physical), while cybersecurity, also referred to by some as "information technology security," focuses on protecting data and information assets that are stored or transmitted via interconnected devices and networks.
Anthony Redlinger, senior manager of internal audit at IHS Markit, a data and analytics firm, agrees that cybersecurity is a subset of information security. "Cybersecurity is the protection of interconnected (i.e. networked) devices and data that is focused primarily, but not exclusively, on external threats," he says. "Information security encompasses cybersecurity and broadens it to include a greater level of diligence regarding internal threats as well as the compromise of sensitive information through non-technical means, such as eavesdropping on sensitive conversations being held in public locations and improper disposal of sensitive documents."
Put one more way: Information security is the protection of information, such as data, content, or analysis, that can be shared over a network, the internet, on paper, verbally, or chiseled into stone. Cybersecurity is the protection of information provided through controls on networks and on the internet. Information security has a broader scope than cybersecurity and can include physical security controls and controls of a third party securing organizational information.
No matter the intent of the engagement, whether it is labeled information security, IT security, or cybersecurity, the main objectives of these audit projects are to validate that the organization’s sensitive data is kept confidential, has its integrity maintained, and is available when needed. However, there are advantages for internal auditors in thinking about these engagements differently.
More Clearly Defined Scope
The first advantage is the ability to more clearly scope each engagement. While there are many controls that may provide assurance over an organization’s data on its network, using a framework such as the CIS Top 20 Critical Cyber Security controls is a good place to start. These controls are prioritized in order of importance, and are used to protect data on an organization’s network from external threats, such as hackers from foreign states, as well as internal threats, such as employees or contractors with bad intentions.
An auditor performing an information security internal audit project, on the other hand, could leverage controls in the National Institute of Standards and Technology Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations, or NIST 800-53. While written for a federal audience, it can be used by all industries to help scope information security projects.
Clearly defining the scope of these projects will also help the internal audit team determine the types of resources needed to provide assurance over them. With an audit of cybersecurity, for example, assessing the technical aspects of firewalls, the vulnerability management process, the management of wireless access, and the results of penetration tests is needed to provide assurance. If the internal audit department does not have that technical subject matter experience on its team, it will need to engage a consultant with that expertise, which can cost from $50,000 to $500,000, depending on the scope.
Leveraging Subject Matter Expertise
It is still important for internal auditors to leverage subject matter expertise for all audit projects; however, there are information security audit projects that can be completed without that deep level of subject matter expertise.
For example, to protect organizational data, the organization first should understand, or have clearly defined, what type of data it considers key, where this data resides (on the network or in a physical location), who has access to it, and what controls are in place to protect it.
And speaking of physical locations, another information security internal audit engagement could include assessing the design and effectiveness of the physical security controls either protecting physical data stored by the company or an engaged third party, or evaluating controls in place that prevent individuals from accessing hardware that would grant access to the organization’s network.
These types of engagements can be outsourced or co-sourced with an internal audit consulting firm, but they can also be performed by drawing on the guidance provided by the NIST 800-53 framework and other related thought leadership. A proficient internal or IT auditor should be able to evaluate these controls and their related processes.
The fact that an internal audit project has found an organization’s cybersecurity controls to be well designed and operating effectively does not necessarily mean that the company’s data is secure. And because the scope of information security is so broad, a satisfactory-rated audit in this area could provide false assurance to the audit committee or executive management team that the company has adequate processes in place to secure and protect data on its network.
Only when the internal audit department and chief audit executive appreciate the differences between cybersecurity and information security can they provide better assurance to their stakeholders about how well the processes protecting their data are controlled.
Shawna Flanders is Director of Instructional Technology and Innovations and Senior Trainer at MISTI. She can be reached at firstname.lastname@example.org.