Maintaining Auditors' Independence
Shaping the Relationship Between Agency and Auditor
Would determining ahead of time which controls should be examined in an information security audit help the federal government - or for that matter, any organization - better identify vulnerabilities across the enterprise?
Last month, I interviewed Karen Evans, formerly the highest ranking IT executive in the federal government, about a paper she co-authored that calls on the Federal Chief Information Officers Council to help implement new federal cybersecurity requirements such as cloud services and mobility (see Agency Security Audits: A Better Way?).
The paper, issued by the not-for-profit SafeGov.org, says evaluations conducted by inspectors general under the Federal Information Security Management Act - the law that governs federal government IT security - should use the recommended standards and plans produced by the CIO Council panel in coordination with the IGs. Evans says that would be better than the IGs selecting their own monitoring plans based on National Institute of Standards and Technology guidance that fails to consider agency implementation plans.
The Office of Management and Budget uses those audits as fodder for its annual report to Congress on the information security programs of the government's 24 largest agencies. Evans says IGs and agency information security officials should have an agreed-upon baseline to measure progress - or lack thereof - in securing digital assets. Designating specific controls to assess when evaluating IT security could help the government compare how different agencies secure their technology.
"That will allow you to have that picture across the board on what is the federal government risk posture," Evans says. "Right now, you can't really make a comparison across the board because IGs measure differently in each and every department."
A Perspective from a GAO Auditor
I was chatting the other day with Gregory Wilshusen, who oversees information security audits for the Government Accountability Office, and asked him whether auditors and the agencies being audited - which the CIO Council members represent - should identify which controls should be examined ahead of time. Actually, I asked him: Should auditors be adversaries or collaborators with those they examine? His answer: Neither.
"Auditors need to be independent in providing a fair and objective assessment of information security controls," Wilshusen says.
He says agency officials, because of their roles and responsibilities, might have their own, narrower view than auditors of what constitutes best IT security practice. Having auditors guided by OMB directives and FISMA standards helps provide a measure of accountability for how those officials address IT security, the GAO auditor says.
But Wilshusen doesn't have a problem with agencies and auditors agreeing on the metrics to be established by OMB. "There needs to be coordination and communications between the auditor and the agency but certainly the auditor, in accordance with audit standards, maintains its independence and objectivity. That does not preclude an IG or an auditor from communicating and coordinating the work that would be done under an audit."
Still, Wilshusen contends, agreed-upon metrics shouldn't prevent auditors from probing more deeply into the security of agencies' IT systems. Auditors draw on a wide range of sources to test and measure the effectiveness of IT security programs, including Federal Information Processing Standards, commonly known as FIPS; NIST Special Publications; agencies' own guidelines; and vendors' recommendations on how to configure and use their products.
"The metrics that OMB and DHS have identified - those are what OMB would like to report to the Congress," Wilshusen says. "We think they should be enhanced to address more clearly the effectiveness of agencies' procedures and practices and measure how effective agencies are implementing the security controls."
It's OK - from an auditor's perspective - for agencies and auditors to collaborate on the metrics reported to Congress, so lawmakers can compare how one agency implements its IT security program against another. Yet that doesn't - and shouldn't - mean auditors are restricted to those specific metrics when determining whether an agency's IT security program performs as it should.