January 2, 2019
Top 7 IT Audit Findings for 2018
The human factor remains one of the weakest links in maintaining proper cyber hygiene in an enterprise. Unfortunately, addressing the risks posed by people through training and retraining is often sacrificed on the altar of acquiring fancy security tools. Don't get me wrong: there is nothing wrong with acquiring security tools, except that they cannot by themselves atone for the information security risk a business is exposed to if it fails to train and retrain its personnel.
So I took a survey among IT Risk/Audit practitioners with the objective of identifying 7 common IT Audit findings from 2018 that will shape perspectives in 2019.
See what the exercise revealed…
1. Weak Logical Access Control Management
It takes different forms: excessive privileges granted to users, privileges not revoked from users who no longer require such access, use of weak or convenient passwords, the prevalent use of generic accounts (which impairs user accountability), password sharing, etc.
Aside from having policies or procedural documents around access control, institutions must move to ensure that these policies are actually enforced. Enforcing the principles of "need to know" and "least privilege" will go a long way in addressing this risk.
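The three access-control failures above (unrevoked leaver access, privileges beyond the role, and untraceable generic accounts) are exactly what a periodic user access review reconciles. The script below is an added example, not the article's own material: it compares a constructed extract of live accounts against a constructed HR roster and a constructed role-to-entitlement matrix, and reports each class of exception. The account names, employee ids, roles and entitlement strings are all invented for illustration.

```python
"""Added example: a user access review that reconciles live account entitlements
against the HR roster and a role-to-entitlement matrix. All data below is
constructed for illustration; it is not from the article."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    owner_id: Optional[str]          # HR employee id; None = no identifiable owner
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


# Constructed HR roster: employee id -> (status, role)
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "E001": ("active", "teller"),
    "E002": ("active", "dba"),
    "E003": ("terminated", "teller"),
}

# Constructed role matrix: the entitlements each role needs ("need to know")
ROLE_MATRIX: Dict[str, Set[str]] = {
    "teller": {"core_banking:read", "core_banking:post_txn"},
    "dba": {"db:admin", "core_banking:read"},
}

# Constructed extract of live accounts from the identity store
ACCOUNTS: List[Account] = [
    Account("jdoe", "E001", True, {"core_banking:read", "core_banking:post_txn", "db:admin"}),
    Account("asmith", "E002", True, {"db:admin", "core_banking:read"}),
    Account("bjones", "E003", True, {"core_banking:read"}),
    Account("svc_reports", None, True, {"core_banking:read"}),
]


def find_unrevoked(accounts: List[Account], roster: Dict[str, Tuple[str, str]]) -> List[str]:
    """Enabled accounts whose owner is no longer active in HR (leaver not de-provisioned)."""
    return sorted(
        a.username for a in accounts
        if a.enabled and a.owner_id in roster and roster[a.owner_id][0] != "active"
    )


def find_excess_privileges(accounts: List[Account], roster: Dict[str, Tuple[str, str]],
                           matrix: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Entitlements held beyond what the owner's role allows (least-privilege violations)."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        if a.owner_id not in roster:
            continue
        role = roster[a.owner_id][1]
        extra = a.entitlements - matrix.get(role, set())
        if extra:
            findings[a.username] = sorted(extra)
    return findings


def find_generic_accounts(accounts: List[Account]) -> List[str]:
    """Enabled accounts that cannot be traced to an individual, which impairs accountability."""
    return sorted(a.username for a in accounts if a.enabled and a.owner_id is None)


def access_review(accounts=ACCOUNTS, roster=HR_ROSTER, matrix=ROLE_MATRIX) -> Dict[str, object]:
    """Run all three checks; a clean review has every result empty."""
    return {
        "unrevoked": find_unrevoked(accounts, roster),
        "excess_privileges": find_excess_privileges(accounts, roster, matrix),
        "generic_accounts": find_generic_accounts(accounts),
    }


if __name__ == "__main__":
    for check, result in access_review().items():
        print(f"{check}: {result}")
```

On the constructed data the review flags bjones (terminated in HR but still enabled), jdoe (a teller holding db:admin) and svc_reports (no owner). In practice the roster and account extract would come from the HR system and the directory or application user table; the point of the exercise is that the policy in the procedural document becomes a repeatable check rather than a statement of intent.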
2. Poor Management of Third-Party Risks
Enterprises continue to ignore the impact a breach at a third-party service provider could have on the enterprise. It is as dangerous now as it was in 2013 during the Target hack.
Aside from implementing Service Level Agreements with third parties, interfaces extended to third parties should be developed in a manner that ensures they can only access the services they need and nothing more. Nor can we overemphasize the need to monitor these vendors' activities for out-of-order signals. Monitoring ensures that services are delivered as agreed and that third-party service providers do not exploit the relationship to offer services outside the confines of the agreement.
3. Weak Configuration Management
This has been traced to the absence of documented configuration baseline standards; where such a baseline exists, its contents are flouted, either wilfully or ignorantly, because of the convenience that non-adherence may offer. Either way, such actions leave the IT infrastructure vulnerable.
When it comes to cybersecurity, "ignorance is not bliss"; management should therefore commit to effective configuration management.
4. Non-Compliance with Regulatory Requirements
Regulators from time to time come up with policies and regulations governing either digital products or cybersecurity, based on the peculiarities of the local environment in which enterprises operate.
Most regulatory requirements are poorly implemented due to a minimal understanding of the intent of the regulation. Institutions should seek clarification when in doubt, or seek deviations where compensating controls exist that address the intent of the regulation.
5. Inadequate Patch Management
Patch management remains a burning concern. The "WannaCry" ransomware attack of 2017 is a case in point; however, justifications like "if it's not broken, why fix it?" among IT practitioners imply that a lot of enlightenment still needs to be done in this area. The article in the link below helps to shed more light on this issue.
6. Inadequate Vulnerability Management Program
One of the major issues noted with vulnerability management is scoping: critical assets are often missed because a complete inventory of information systems assets is either not properly maintained or not maintained at all. As the saying goes, "you cannot protect what you do not know exists".
Then there are the delays in remediating identified vulnerabilities, either due to internal organizational bureaucracy or the absence of skilled manpower.
Management should demonstrate a commitment to the effectiveness of its Vulnerability management program.
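Both weaknesses in this finding, scope gaps against the asset inventory and slow remediation, can be measured rather than asserted. The script below is an added example, not part of the article: it takes a constructed asset inventory, a constructed scanner scope, a constructed severity-based remediation SLA and a few constructed findings, and reports which inventoried assets are never scanned and which open findings have exceeded their SLA. Asset names, finding ids, dates and the SLA figures are all invented for illustration.

```python
"""Added example: two vulnerability-management checks an auditor would run,
scan-scope coverage against the asset inventory and remediation ageing against
an SLA. Inventory, scope, SLA and findings are constructed sample data."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed asset inventory (what the business owns) and scanner scope (what gets scanned)
INVENTORY: Set[str] = {"web01", "db01", "hr-app", "core-banking"}
SCAN_SCOPE: Set[str] = {"web01", "db01"}

# Constructed remediation SLA in days, by severity
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90}

# Constructed scanner findings; "closed" is None while the finding is still open
FINDINGS: List[dict] = [
    {"id": "F1", "asset": "web01", "severity": "critical", "found": date(2018, 10, 1), "closed": None},
    {"id": "F2", "asset": "db01", "severity": "high", "found": date(2018, 12, 1), "closed": None},
    {"id": "F3", "asset": "web01", "severity": "medium", "found": date(2018, 6, 1), "closed": date(2018, 7, 1)},
]
AS_OF = date(2018, 12, 31)   # constructed reporting date


def unscanned_assets(inventory: Set[str], scope: Set[str]) -> List[str]:
    """Inventory assets outside the scanner's scope: any vulnerability there is invisible."""
    return sorted(inventory - scope)


def overdue_findings(findings: List[dict], sla: Dict[str, int], as_of: date) -> List[Tuple[str, int]]:
    """Open findings older than their severity SLA, as (finding id, days past SLA)."""
    overdue: List[Tuple[str, int]] = []
    for f in findings:
        if f["closed"] is not None:          # remediated findings are not aged
            continue
        age = (as_of - f["found"]).days
        limit = sla.get(f["severity"], 0)    # unknown severity: no grace period
        if age > limit:
            overdue.append((f["id"], age - limit))
    return overdue


def vulnerability_management_report(inventory=INVENTORY, scope=SCAN_SCOPE,
                                    findings=FINDINGS, sla=SLA_DAYS, as_of=AS_OF) -> Dict[str, object]:
    """Combine the scope check and the ageing check into one report."""
    return {
        "unscanned": unscanned_assets(inventory, scope),
        "overdue": overdue_findings(findings, sla, as_of),
    }


if __name__ == "__main__":
    report = vulnerability_management_report()
    print("Inventoried assets never scanned:", report["unscanned"])
    print("Open findings past SLA (id, days over):", report["overdue"])
```

On the constructed data the two unscanned systems are the ones an attacker would care about most (hr-app and core-banking), which is the scoping failure the finding describes, and F1 is a critical finding 76 days past its 15-day SLA while F2 is still within its window. Running the same two checks every cycle gives management the evidence of an effective program that the finding asks for.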
7. Inadequate Staff Training
Cyberspace is constantly evolving; to remain relevant you must be willing to learn and unlearn. Management must understand that not training staff is not a cost-cutting measure; it harms the institution.
“CFO: What happens if we train them and they leave?
CEO: What happens if we don’t and they stay?”
At the heart of all identified findings is the weakness in the human factor and not necessarily a failure in technology. These human issues stem from people not knowing the WHAT, HOW, WHY and WHEN certain activities should be performed.
If we are to make progress in enhancing cybersecurity, a lot of emphasis must be placed on strengthening the human factor.
Tony Ayaunor is an Information Systems Auditor and a Cyber Security enthusiast.