Who Sets The Audit Standards? Part 2 of 3

Did you miss Part 1 of John Madelin's Who Sets the Audit Standards?

C. The Perfect Storm -- IT Conditions Conspire To Create a State of Readiness
We can see similar environmental factors conspiring together today to reinforce the need for professionalism in the fabric of trust supported through "good security" in its broadest sense. The major environmental factors coalescing to create a perfect storm (in the context of profound commercial, social, cultural and economic impact) -- and reinforcing the need for a "professional body" -- might reasonably be considered as follows:

Booz Allen Hamilton Graphic (from a Booz Allen Hamilton report commissioned by the Alliance for Enterprise Security Risk Management.)

We can argue that this list is not exhaustive. For example, on the apparently simple question of Device Proliferation (another facet directly associated with questions of security and accountability) the normally restrained investment bank Jefferies Broadview is quoted as follows:

    "We believe we are poised for a wealth creation opportunity that is as powerful as the Internet and an order of magnitude more pervasive. Untethering and distributing the Internet to the myriad mobile devices from phones to iPods to Blackberries is an even more powerful wave than the internetworking of the computing world in the 90's."
That is rather uncharacteristic hyperbole from an investment banker, but quite appropriate to the sheer scale and importance of device proliferation and its impact on all of us. Other examples of similar importance and magnitude might include high capacity network availability, mobile working and a whole list of other "mega trends" all of which have a direct correlation with risk, trust, control and accountability. Finally, and not to labour the point too heavily, all of these elements seem to be occurring simultaneously and coalescing in a form, strength, and combination that characterises our epoch as one of great change.

The analogy between the birth of the accounting and audit profession and the birth of security as a profession seems to have substance, in that we now see a security profession evolving and emerging, albeit in an ad hoc and piecemeal fashion. I can list the following "security bodies" just off the top of my head; I am sure a quick trawl of Google would unearth many more:

Furthermore, as demand for security specialists increases we see a growing community of self-trained individuals specialising in one or other particular facet of security and with no real accreditation. The CISSP qualification is being somewhat devalued, because rather than reinforcing years of experience with the stamp of "letters after your name", there is a growing breed of aspiring security specialists cramming to pass the exam with little or no real experience. An old colleague of mine, Yves Le Roux (representing both (ISC)2 and ISACA), tells me that the Institute of Information Security Professionals was discussed in both the (ISC)2 European Advisory Board and the ISACA/ITGI Security Management Advisory Committee recently. In common with others among the professional bodies listed above, many of whom were actively involved in the long process of establishing the IISP, these two important bodies recognise the good foundations, the synergy, the quality and weight of key players sponsoring the initiative, and that ISACA and (ISC)2 should continue to be involved with the IISP since many ISACA and (ISC)2 members were involved with the formation of the group. It was also recommended that members should individually join the IISP.

Conclusion
The world has changed so comprehensively, thanks to the conditions outlined, that complexity, control, accountability, responsibility, trust and risk have become much more challenging and fluid concepts. IT, and in particular Information Security, is now more significant in establishing a fabric of trust than almost any other discipline, including accounting and law. To quote Alun Michael, the UK Minister of State for Industry:

    "The department has long recognised the critical importance of information security as a discipline that underlines trust in the information age."

D. What Constitutes a "Professional Body"?
The dual themes -- "many bodies, each with a perspective", and an immediate acknowledgement that the training and professionalism of security specialists is paramount -- lead us to consider the whole question of what other specific components could be included to constitute a "professional body". Some of the bodies referred to are technical; some are educational; some are government departments publishing on security issues and recognising such issues to be of public importance; some of them are communities for information sharing. Of all of these various points, which are the most important ingredients of a body that could be described as "professional"?

This is a subject nicely covered in the IISP Blueprint, introducing the following basic elements common to most professions and between them constituting the main ingredients of our trust in lawyers and accountants:

  • a community of practitioners and theoreticians
  • a formal education process
  • an intellectual domain/common body of knowledge
  • a tradition
  • a communications network for the members
  • entry requirements and concomitant barriers to entry
  • a recognition of public responsibility amongst the members
  • a willingness to act with restraint for the common good by the members
  • adoption of a code of good conduct
  • legal charter/recognition

In other words, a profession must be consistent, responsibly-behaved, current, and have "teeth".

Many of the bodies outlined have a number of the elements suggested, but none have everything.

...It's Technical, Isn't It?
Most people in our industry immediately associate security professionalism with good technical capability, either in the development process itself, or in the architectures and solutions.

A quick straw poll of random people in the few weeks running up to the RSA Conference, when asked what I meant by "professional body", concluded that NIST already provides for such standards. I was encouraged, chatting with Mathew Scholl from NIST immediately before the panel, to hear him emphatically acknowledge both the need for professionalism and the fact that -- in its broadest sense -- it wasn't something he associated with NIST. Mathew was quite clear that NIST has a responsibility for doing one piece (the technical piece) very well, but that this doesn't incorporate the broader knowledge capital, charter, training and other "people, process, strategy" facets outside the realm of the technical.

I can't emphasise this point enough: most people instantly associate "audit standards" (in relation to information security) with technical standards alone. Security is so much more: with most threats acknowledged as coming from the inside; with a growing recognition that social engineering is the weakest link; with "brand" and "trust" blending in so many consumer-facing models; and with complexity translating to more human error of greater impact on our lives -- to name but a few.

Can't We Just Hand the Problem to the Auditors to Deal With?
Another common suggestion I had was that audit firms could simply broaden the scope of their audit.

Well, I can certainly talk from the perspective of a solid understanding of the scope here, since I am a qualified auditor with years of hands-on experience in the early stage of my career.

Accounting is an extensive, arcane and important subject that affects every one of us both directly and indirectly. It took me four-and-a-half years to qualify, during which time I was completing my formally accredited "on the job experience"; and a further two years to upgrade from an "ACCA" (meaning that I passed the exams) to an "FCCA" (a "professional" accountant/auditor), during which time I was expected to continue to demonstrate growth and "relevant" experience. To maintain the audit certificate one must continue to earn professional points through an ongoing process of accredited professional education.

There are whole ecosystems of subject material in the qualification, incorporating taxation, financing and leveraging, stock valuation, intangibles such as brand, work in progress, manufacturing, and so on. Each of these elements reflects a broad and intellectually challenging area in its own right, even at the purely mechanical level. Beyond the mechanics of how each component works, we extend to the auditability and judgement of any one of these issues individually; more importantly, combining them together in a living and breathing business ecosystem requires great depth and professionalism.

To think that one might conveniently add "security" to the curriculum is at best unrealistic. I have spent 10 years in the security industry, and as members of the Jericho Forum sometimes remind me -- I am a relative beginner. How appropriate is it to conveniently append a huge and highly specialised additional industry to the existing remit of "accounting-based audit" -- thereby risking the dilution in effectiveness of both sides of the equation?

Stay tuned for Part 3 of John Madelin's Who Sets The Audit Standards?
