Better Information Security Audit? Focus on Assets, Not Controls
Posted on Mon, Jun 07, 2010 @ 08:46 AM
Authored by Mosi Platt, Sr. Audit Consultant, Pivot Point Security.
In this compliance-driven age of information security, regulatory requirements are inflating audit costs nearly as much as the auditors' fees themselves. But the value of an audit is driven by the assets it covers, not by the controls it checks. Let me explain why.
Controls have no intrinsic value. Their value is determined by the assets they were put in place to protect (e.g. people, processes & technology). If you accept that as true, then the value of a controls assessment is not dictated by the controls being assessed but by the value of the assets those controls protect. A controls assessment is therefore an evaluation of how well assets are protected from loss or damage, and its purpose is to identify how effectively an asset's value is being protected. If the process itself is fundamentally asset-based, how can the value of the assessment legitimately be based on anything else? A gap assessment is no different: it measures the gap between actual and desired asset protection.
So with that in mind, some of the advantages of an asset-based assessment are as follows:
1. Provides a measure of asset protection from the loss/damage of value.
An asset-based assessment evaluates the effect controls have on the risks that threaten an asset's value. An assessment focused solely on whether the controls' design complies with a standard doesn't evaluate asset protection from risk at all, because the only "risk" within the scope of that type of assessment is the risk of non-compliance. That approach works for a compliance assessment like the PCI DSS self-assessment questionnaire, but it doesn't work for ISO 27000-series assessments (ISO 27001 in particular, which defines the ISMS requirements), because there compliance only matters once the organization has already identified the controls necessary for effective asset protection and the purpose of the engagement is to support the standard's monitoring & review requirements. That type of engagement provides no value to an organization that doesn't already have an ISMS in place, because it has never been established that compliance equals effective asset protection.
2. More cost-effective use of client resources.
An asset-based assessment focuses only on the controls necessary for asset protection, whereas a compliance assessment consumes resources evaluating controls that may not be necessary for asset protection at all. The cost extends beyond the auditor's time: the client also spends resources reviewing the consultant's deliverables, which include analysis of compliance with control requirements that are irrelevant to its assets. A likely side effect of that approach is waning support for the assurance effort, as people begin to wonder why they're spending resources on analysis that doesn't affect actual security. Additionally, the work required for an asset-based assessment has to be done sooner or later, and it will probably be cheaper if it's done up front rather than after an unnecessary compliance assessment.
3. Focus on long-term value instead of short-term gains.
An asset-based assessment provides long-term value by establishing a picture of asset protection that is independent of changing standards. It may be a snapshot of a point in time, but it can still serve as a baseline. Where compliance isn't mandatory, the only possible value of a compliance assessment is that it provides an estimate of the work that may be required for asset protection. But even if that estimate turns out to be "very little work required," it isn't very trustworthy, because it was made outside the context of asset protection: "very little work required" to adequately protect one asset may be "a lot of work" to adequately protect another.