External auditing and the human element

For the analysis of internet security, the subject can be broadly divided into three components: software, processes, and people.  Each depends on the others.  Like blocks in a wall, they need to function together.  This article is about people.  Internal and external audits begin and end with the human factor.

There is an adage that goes “extraordinary systems allow ordinary people to do extraordinary things.”  A corollary can be derived from this expression: “assume that your people are ordinary.”  Extraordinary systems boost them to higher levels.  Similarly, process improvement allows everyone to function with greater accountability.  To get extraordinary systems there needs to be regular internal and external auditing.

Most people are ordinary because that is the definition of ordinary: most, common.  It is not an insult; rather, the recognition is a starting point, one that businesses and organizations can only reach with careful internal system audits.  The condition of ordinary only makes sense in context.  So, for instance, you could take all the sprinters entered in the Olympic games and talk about an ordinary Olympic sprinter, even though all those people would be considered extraordinary in the context of the general population.  Top sprinters follow an intense training and coaching regimen to get their process right.

Likewise, the head of your IT department is undoubtedly unusually intelligent, well-educated, and experienced, yet is most likely an ordinary IT department head.  There may be a few extraordinary people sprinkled throughout your organization, but there cannot be very many; otherwise, they would not be extraordinary.

If you assume that your people are ordinary, then your systems need to be extraordinary.  Fortunately, it is easier to create extraordinary systems than it is to find extraordinary people.  This is because it is easier to improve systems than it is to improve people, and knowledge gained about systems can be used by many actors, whereas an extraordinary person can only be in one place at a time.

Large organizations recognize all of this, and so they devote a lot of resources to systems analysis and process improvement.  If a few extraordinary people (and there are only a few, remember) can design an extraordinary system and have it followed by many ordinary people, then the entire organization benefits from the extraordinary talents of a few.

GAO Report of October 2020

The federal government is a large organization with a lot of resources.  The largest federal agencies (other than Defense) are known as Chief Financial Officer (CFO) agencies and are subject to special rules regarding cybersecurity.  Among those rules are procedures they are required to implement in order to mitigate the risk presented by the use of software produced by third parties, known as Supply Chain Risk Management (SCRM).  These rules have been in place in their present form since 2015.

The Government Accounting Office (GAO) acts as the external auditor for the federal government.  In October 2020 it issued a report on CFO agencies’ compliance with seven standards for maintaining secure management of third-party software use.  Those standards are:

  1. establishing executive oversight of IT activities, including designating responsibility for leading agency-wide SCRM activities;
  2. developing an agency-wide IT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
  3. establishing an approach to identify and document agency IT supply chain(s);
  4. establishing a process to conduct agency-wide assessments of IT supply chain risks that identify, aggregate, and prioritize IT supply chain risks that are present across the organization;
  5. establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support IT products and services;
  6. developing organizational IT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with IT products and services; and
  7. developing organizational procedures to detect counterfeit and compromised IT products prior to their deployment.

Notice that these procedures are directed at agency management, outlining the steps agency heads should take to exercise proper oversight of SCRM.  What the GAO did was audit the behavior of the most senior people at these agencies to see whether they were complying with guidelines that had been in place for five years.

What the GAO found was appalling:

None of the 23 agencies fully implemented all the SCRM practices and 14 of the 23 agencies had not implemented any of the practices. The practice with the highest rate of implementation was implemented by only six agencies. Conversely, none of the other practices were implemented by more than three agencies.  Moreover, one practice had not been implemented by any of the agencies.  The findings of the GAO are even more shocking given the recent history of foreign governments’ intrusions into the computer systems of some of these same agencies.  The GAO rather blandly notes that “[f]or example, in September 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency reported that federal agencies faced approximately 180 different ICT supply chain-related threats.”

This incredible lack of compliance with basic IT security processes was committed by ordinary senior agency personnel who had extraordinary procedures at their disposal and failed to follow them.  The result was that their performance was ordinary, which in this context was frighteningly incompetent.  Their incompetence would have gone unnoticed without an external audit.  The external auditors developed specific protocols for senior management to follow but waited five years to audit compliance.  What protocols does your organization have in place to ensure that IT supply chain risk is properly managed?  Who wrote those protocols, and who is auditing compliance with them?