The Risk Based Audit

We have a meeting every Monday morning to do a status update on each of the 40 financial institutions we serve as their virtual Information Security Officers. It’s an opportunity to solve unique problems as a group, identify areas where some additional expertise is needed, and spot trends in our industry.

It’s one of the most important meetings of the week and anytime I hear a recurring theme, my ears perk up as potential blog material.

Lately, I’ve been hearing the need for an evolution of how IT audits are being scoped and performed.

The typical bank network has changed in the past 5-10 years.

• The advent of the cloud has made the perimeter more ambiguous and created data sprawl.
• Services like O365 are no longer just about email or Sharepoint, but they now manage key controls that are integrated throughout the bank environment.
• Roles and responsibilities are now shared across internal staff and external partnerships, so swim lanes can be confusing.

The crazy thing is, not all IT audits are keeping up.

• They are still spending time looking for double spaces in a policy (true story).
• They are not testing key controls in new assets that carry high inherent risk.
• They use the same scope, the same checklist that they’ve used for years—for every bank.

It’s time for the entire banking industry to adopt a risk-based approach to IT audits.

Where is your greater risk—a typo in policy or in a BEC attack caused by a misconfiguration?

How do we do this?

• Be proactive. Stop treating audits as the function that forces you to update your program (Policies, BCP, Risk Assessment). Your ISO or your “virtual ISO” should be updating all components of your ISP at least annually without fail—and those changes should reflect the environment and be appropriate to the size and complexity of the bank. (BTW I’ve had auditors personally tell me that when they have confidence that this is done properly, they can spend their time on other, more critical controls)
  
• Find an auditor that can flex their audit scope based on risk. The good ones want to have this conversation because they want you to get the most value from their services. You will likely pay more for this, but it’s worth it.
  
• Have a scoping call upfront. Make sure you review the risk assessment and any other major changes AHEAD OF TIME, not the day they show up—it’s too late then. This should be a detailed asset-based risk assessment. A threat-based risk assessment is too vague. (Ex. where does an auditor even start when you tell them that “ransomware” is a high risk? It’s much easier when you can tell them that your CRM is high inherent risk because it has all your customer data, but you are worried that “MFA” is the only key control. Now they can design an audit around testing that.)

Finally, all of this hinges on having a qualified CISO or ISO that knows your environment, understands risk, and can clearly communicate with the auditor. If your bank has found it hard to attract and retain expertise in that role, we have solutions that can help. Just contact us at support@bedelsecurity.com.