Projects of external audit of IT and security in tch PCI DSS and SUIB

The main rendered services of IT audit:

• from testing for penetration (penetration testing, pentest)
• before complex security audits
• services in management of compliance to requirements of Payment Card Industry (PCI) of Security Council — a series of the standards relating to security issues of payment cards and affecting both banks, and other organizations accepting and processing payments using plastic cards. Includes services in scanning of network perimeter (PCI DSS ASV), audit on compliance to the standard (PCI DSS QSA), internal and external testing for penetration, to the analysis of source codes of payment applications within the PA-DSS standard.

2017: Research of "Institute of internal auditors"

For the last 2 years of the company uses of information technologies began to carry out efficiency evaluation much more often. Such result was shown by a research of a status and trends of development of the internal audit in Russia booked by Institute of Internal Auditors Non-profit partnership together with KPMG company. So, IT audits stand in plans for the next 12 months at 53% of respondents, 47% are occupied by them at the moment. According to a similar research of 2015, IT audits were modern only for 34% of the companies. Efficiency evaluation of use of information technologies in plans at 42% of respondents, 45% carry out it at the moment against 26% in 2015.

According to Maxim Kozlov, the head of department of IT audits Blok of internal control and audit, PJSC MTS, growth of interest of the companies in carrying out IT audits, as well as from interest in efficiency evaluation of use of IT, is connected with several factors:

First, now the IT is one of "hot" subjects for business. Business even more often realizes that receiving new points of growth in the traditional industries requires attraction of IT and the systems of advanced analytics which allow to obtain the most complete information about a behavioral model of the clients to get competitive advantage in the market. Traditional tools it is harder and harder to achieve such goals therefore the companies, even far from IT begin to involve and develop in the structures the new directions with involvement of the corresponding specialists in the field of advanced analytics of data (Big Data). Transformation of traditional approach to business aside IT global trend: now an era of information revolution and transition on digital-Wednesday. The companies are realized that the main thing in this process not to miss the moment and in time to begin digital transformation which will allow to receive the additional driver of development in the short term.

Secondly, development of the new digital directions in the companies means considerable investments into the equipment, the software (S), highly qualified specialists. Respectively, business process integration of the company with IT requires carrying out a complex of the actions directed to receiving by management of the company of independent opinion on how the company can successfully be transformed and develop in the conditions of business digitalization. For control of compliance the companies and its IT strategy are more whole and also the expediency of investments into IT is required attraction of function of IT audit.

Thirdly, separate specifics in terms of IT risks – increase in sanctions pressure from the western equipment manufacturers and software both on the separate Russian companies, and on the whole industries of the Russian economy. Adequate and timely response to new type of risks requires involvement of function of IT audit for assessment of feasible measures of reaction from management of IT.

IT solutions for automation of work of services of internal audit enter practice of work of SVA more and more. Now specialized software is set at a half of the services of internal audit which participated in a research (in 2015 this digit made 23%). Among those who do not use specialized software for internal audit 39% of respondents are going it to set within the next two years.

Leonid Dushatin, the director of the department of internal audit, PJSC Aeroflot, says that it demonstrates that with active development of digital technologies understanding of need of implementation of automation systems of processes of internal audit and monitoring of recommendations of SVA also grows in core business of the companies respondents at heads of services of internal audit; and the SVA organization should be adequate to the level of development of core business of the company.

As showed results of a research of Institute of internal auditors, the absolute majority of the companies (92%) involve external specialists in the field of information systems and technologies when carrying out IT audits (against 67% in 2015, 37% in 2013). At the same time, in 40% of the companies respondents there are regular auditors of information technologies (IT auditors).

As practice shows, with IT of a component it is necessary for carrying out IT audits and audits that in staff of the company there were specialists having the necessary level of IT competences. According to Maxim Kozlov, IT auditors with experience in the field of IT and/or information security (especially in the field of practical information security) should be PJSC MTS, ideally, such people. Without presence of the corresponding specialists of carrying out qualitative projects of IT audit by forces only of the staff of division of audit who does not have (or having only superficial ideas of specifics of IT) the required level of knowledge and experience, it is impossible. It is good when the employee who is already working as the IT auditor, at the same time having work experience in IT / cybersecurity comes to function. At the same time the person having the sufficient level of examination in a certain technical area but at the same time having also broad outlook in IT and cybersecurity areas which vividly is interested in the modern directions of development of technologies can be the good applicant.

The international certification on IT audit – one of certificates that the IT auditor has the necessary level of competences and experience in different technical areas (management of IT, processes of operational maintenance of IT, software development, information security, processes of audit of information systems).

Maxim Kozlov notes that for the IT auditor it is necessary to know bases of architecture of creation of information systems and mechanisms of their deployment, mechanisms of ensuring fault tolerance, key processes of operating activities of IT departments and their metrics (for example, incident analysis, work-related an information system, can provide information what it is necessary to pay attention during audit to or the analysis of magazines of information security systems / virus activity can identify the potential malefactor among the staff of the company), the best practices of creation of IT (ITIL, Cobit) which can be used as methodology of assessment of a maturity of the IT key functions and be used for further improvement and optimization of IT. Bases of information security and also the main technicians of the attack and methods of protection against them are also extremely important in work. For the IT auditor desire something is extremely important to make personal growth and learn new in technologies.

Involvement of third-party specialists to carrying out IT audits is caused by growth of amount of the used new technologies and complexity of the operated and implemented information systems in the companies. Also carrying out highly specialized projects of internal audit (for example, audit of development processes of software which can include including the analysis of the source code of the developed information system on existence of problems in terms of information security (malicious inclusion of different "tabs" by software developers) and the analysis of quality of writing of the code (the analysis of use of non-optimal constructions, outdated libraries, etc.) or the project on audit of cyber security of the company which can include testing of information systems and services of the company for resistance to the external attacks - "testing for penetration") requires existence in division of IT audit of the highly specialized specialists having a necessary set of technical skills and practical experience. Also It should be noted that there are requirements of different regulators for carrying out audits from an IT component (testing of ITGC) with participation of external auditors.

2011: Policy of control and measurement of system effectiveness of Information security management (SUIB)

The politician of performance monitoring of SUIB who the Information technology installs an instrumentation system and measures of measurements for control and efficiency evaluation of mechanisms of control of information security on the basis of provisions of ISO/IEC GOST P standard 27004-2011. Methods and security protections. Information security management. Measurements.

The purposes of Policy of performance monitoring of SUIB are providing information to the management of the organization for decision making for improvement of mechanisms of control of cybersecurity for the purpose of risk minimization the most effective and economically reasonable method and also providing reliable information to concerned parties about the existing risks of cybersecurity and also to a status of SUIB used for management of these risks.

Act as subjects to measurements:

• SUIB in general
• subsystems of SUIB, including the Management system for Information Risks, the Incident management system, the Management system for Business continuity and other subsystems
• the separate mechanisms and the fields of control in a scope of SUIB defined according to provisions of the international standard ISO/IEC 27001:2005 (Appendix A)
• security policies and the other organizational and administrative documents regulating questions of providing Information Security
• processes and procedures of providing Information Security
• program technical means and complexes of means of ensuring of cybersecurity

Process of measurements of efficiency of SUIB is implemented in the form of the Program of measurements. The program of measurements defines the sequence of actions for assessment of mechanisms of control of SUIB (and other subjects to measurements) by measurement of their efficiency.

The purposes of assessment of mechanisms of control of SUIB are:

• Identifications of the inefficient mechanisms of control which are not conforming to the requirements and criteria of efficiency set in the organization
• Estimates of return of investments into SUIB
• Determination of methods of increase in efficiency of SUIB and improvement of mechanisms of control

The main criterion for evaluation of mechanisms of control of SUIB is the return of investments provided with these mechanisms of control defined as reduction of the predicted annual average losses of the organization as a result of cybersecurity incidents. The technique of measurement of cost efficiency of SUIB is based on the risks assessment which is a starting point for the choice and assessment of mechanisms of control, and results of measurements, in turn, are used for risks assessment.

The program of measurements which is effectively implemented in compliance will allow to strengthen trust of concerned parties (clients, partners, partners, regulating authorities, shareholders, etc.) to results of measurements and assessment of the existing risks of cybersecurity and also to provide implementation of process of continual improvement of SUIB and to monitor progress in achievement of goals of information security on the basis of the saved-up results of measurements.

See Also

• Standard of the Bank of Russia of service station of BR IBBS
• ISO 9001:2008 (ISO 9001:2011)
• ISO 20022
• ISO 15926-1:2004
• ISO 9000
• ISO 21500, ISO 21504, ISO 21502 Project, Programme and Portfolio Management
• ISO 20000
• ISO 55001 Management of assets. Systems of management. Requirements
• ISO 15408 Common Criteria for Information Technology Security Evaluation