Last Updated on October 13, 2010
On June 22nd, Computerworld posted a story that immediately grabbed my attention as an information security auditor. What was the headline? “Trustwave buys application firewall maker.”
When Auditor Independence Becomes Co-Dependence
At Pivot Point Security, we use Certified Information Systems Auditors (CISAs) to perform security audits for clients, and the second standard for CISAs is independence. As one of the largest organizations of Qualified Security Assessors (QSAs), Trustwave has, I believe, put the independence of its QSAs at risk with the acquisition of Breach Security (a web application firewall vendor) and other security products. The Information Systems Audit and Control Association (ISACA) provides the following standards and guidelines for the independence of information systems auditors:
Standard S2 Independence
In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance.
The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment.
Guideline G12 Organizational Relationship and Independence
IS auditors should not participate in an audit if their independence is impaired. For example, independence is impaired if IS auditors have some expectation of financial gain or other personal advantage due to their influence on the results of the audit.
According to the report posted on Computerworld.com, Trustwave plans to sell Breach Security’s web application firewall and other security technologies it purchased, including data-loss prevention, encryption and SIEM solutions from Vericept, BitArmor and Intellitactics. As both a seller and auditor of PCI compliance solutions, how can Trustwave’s PCI compliance customers trust that the findings and recommendations by their QSA weren’t driven by the sales team or vice versa? How can clients trust their auditors when the relationship shifts from independence to co-dependence? For example, if the client is found to be compliant with requirement 6.6 for securing public-facing web applications, how does the client know the QSA didn’t find them compliant simply because they were running a Trustwave web application firewall? How does the client know whether they were found non-compliant with requirement 6.6 because they aren’t using the Trustwave web application firewall or their web application firewall just wasn’t tuned correctly? These are the potential holes that Trustwave may have poked in the credibility of its QSAs.
Tools for Prevention and Treatment of Auditor Co-Dependence
I would assume that Trustwave is aware of the risks posed by its acquisitions and has tools in place to prevent the independence of its QSAs from being compromised, but after searching their website for “conflict of interest” and “independence”, the only information I found was a report from GroceryHeadquarters.com that placed responsibility for avoiding co-dependent auditor relationships on the client. The PCI Security Standards Council (PCI SSC) does provide requirements for QSA independence in section 2.2.1 of the Validation Requirements For Qualified Security Assessors, v1.2:
The QSA must fully disclose in the Report on Compliance if they assess customers who use any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights, or that the QSA has configured or manages, including the following:
• Application or Network Firewalls
• Intrusion Detection/Prevention Systems
• Database or other Encryption Solutions
• Security Audit Log Solutions
• File Integrity Monitoring Solutions
• Anti-virus solutions
The QSA agrees that when the QSA recommends remediation actions that include one of its own solutions or products, the QSA will also recommend other market options that exist.
Any QSA that does not meet the validation requirements can be placed into “remediation” in the PCI SSC quality assurance program. QSAs placed in the QA program’s remediation are not prevented from conducting audits, but failure to remediate or additional non-compliance can result in revocation of their QSA qualification. Obviously, the best way to prevent your security assurance from being compromised by a co-dependent auditor relationship is to avoid it in the first place, by selecting only auditors that do not audit the same security solutions they sell. If you find yourself in a co-dependent audit relationship that negatively impacts your security assurance, report the auditor to a certifying body or industry association. The PCI SSC provides a feedback form for QSAs that enables clients to report bad relationships with their auditors. Complaints about CISAs should be submitted to the ISACA Director of Standards. At Pivot Point, we take auditor independence seriously and take steps to ensure we don’t place our auditors in co-dependent relationships. Hopefully, Trustwave and other audit firms will do the same to protect their clients and auditors; if not, then hopefully this post will help clients protect themselves.