Internal Audit’s Contribution to the Effectiveness of Information Security Management in Bakirkoy Municipality


Technology has become a vital and integral part of every organization, from multinational corporations to public-sector organizations such as municipalities. Thanks to information technology, organizations work more efficiently and maximize productivity. With the help of computerized systems, our employees are free to work on other things while the computer runs their reports, creates queries, tracks projects…

Information technology also functions as an enabler of e-government; it makes delivering services to citizens easier. E-government (e-municipality) facilitates the sharing of information and ideas among all public agencies and departments to build one consolidated database. Getting government decisions and policies across to citizens is easy as well, since e-municipality gives every citizen access to information.

And thanks to technology we produce lots of information too. Our world is full of information, and the amount of information we store is growing at a tremendous rate. It has been said that in less than a decade, organizations will typically deal with 30 times more information than they do today. All of it needs to be stored, categorized, searched and sorted. And information is an asset which, like other important business assets, has value to an organization and consequently needs to be protected.

Information security is the protection of information from a wide range of threats in order to:

  • ensure business continuity,
  • minimize business risk,
  • and maximize return on investments and business opportunities.

This definition is important: it clearly shows that information security is a tool, not the aim. Security always costs you something; it is not free. A cost-benefit analysis will show how much security we need.

In reality, organizations have many things to do other than practice security. For example, businesses exist to make money and municipalities exist to offer some type of service. None of them exist specifically to deploy and maintain firewalls, intrusion detection systems, identity management technologies, guards, policies, and procedures.

But we need to secure our information. Currently, attackers aim directly at our information assets. Organizational secrets are commonly stolen by internal and external entities for economic espionage purposes. Systems are hijacked and used within botnets to attack other organizations or to spread spam.

We commonly hear the term CIA Triad when information security professionals talk about the three goals of confidentiality, integrity, and availability of information. If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects. For integrity to be maintained, objects must retain their veracity and be modified only intentionally and only by authorized subjects. The third principle of the CIA Triad is availability, which means authorized subjects are granted timely and uninterrupted access to objects.

Today we can manage our money privately online, we can withdraw cash from an ATM anytime, day or night, and we can quickly place an online order for just about anything. But without information security, none of these things would be possible. A complete security solution should adequately address each of these tenets. Security controls are typically evaluated on how well they address these core information security tenets. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles.

What if we fail to manage our information within these tenets? The results vary widely:

  • ruined reputation,
  • theft,
  • damaged intellectual property,
  • violations of legal and regulatory requirements,
  • financial loss.

How can we prevent these undesirable results? One effective answer is an information security management system (ISMS) that helps to create, control, store, find and access this information in a secure way.

There are several information security frameworks: ISO/IEC 27001:2013 (Information Security Management Systems), NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), The IIA’s GTAG 15: Information Security Governance (2010), and ISACA’s Cybersecurity Nexus. At Bakirkoy Municipality we use ISO/IEC 27001:2013.

An ISO/IEC 27001:2013 ISMS covers the whole organization and raises its level of information security. It helps organizations to:

  • protect clients’ and employees’ information,
  • manage information security risks effectively in a systematic, verifiable way,
  • achieve information security compliance,
  • achieve enhanced customer and trading partner confidence,
  • protect the organization’s brand image and reputation,
  • reduce the overall cost of delivering services to customers.

The Efforts of Bakirkoy Municipality

When our municipality gives services to citizens, it also collects data from them and produces a huge amount of information. Some of this information is shared with other public agencies or private organizations. So it needs mechanisms to keep all this information secure, whether at rest, in use or in transit. The efforts to develop and sustain these mechanisms can be gathered under three titles:

  • ISMS,
  • Sustainability Project,
  • Continuous vulnerability scanning.

Bakirkoy Municipality gained ISO/IEC 27001:2013 certification in 2014. To gain and to keep this certification, our organization conducts the following recurring activities:

  • Determining its own risks related to information systems.
  • Designing and implementing coherent and comprehensive controls.
  • Conducting internal audits at planned intervals (every three months).
  • An external audit once a year.
  • Awareness programs.

Sustainability reporting is the practice of measuring, disclosing, and being accountable to internal and external stakeholders for organizational performance towards the goal of sustainable development. Sustainability reporting activities have been going on since March 2017. During this period we have seen that digitalization, innovation, and change are the core driving forces of sustainability, and this project makes our organization reevaluate how it processes the information it owns to create value. The project aims to enable Bakirkoy Municipality to produce one combined financial, environmental and governance report that illustrates how it is creating value over time.

Through the ISO 27001 and sustainability reporting activities, our organization is becoming more aware of its use of information.

Here we see some applications our citizens and employees use. Through these applications, our citizens can:

  • buy a theatre ticket,
  • find the pharmacy on duty,
  • get information about road or park construction and maintenance works,
  • look up and pay their tax debts through their own PCs, mobile phones, and electronic devices positioned in crowded areas of Bakirkoy.


Vulnerability management tools include the ability to detect and identify assets in an IT infrastructure, detect vulnerabilities, provide descriptions of those vulnerabilities together with links to patches and other forms of remediation, and generate a host of reports. We have 24 directorates, 11 of which are stationed outside the main complex, and 26 police and health posts stationed to provide on-site services. They connect to the main network through their own network links. Our systems are continuously scanned for vulnerabilities; this gives us the ability to identify threats and monitor unexpected changes in our network before they turn into breaches.
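The continuous scanning described above is only useful if someone notices what changed between two scans: a host that was never in the inventory, a service that was not open last time, a finding that appeared or was remediated. The following Python is an added illustration, not code from the article or from the municipality's scanning tool; the two snapshots, their dictionary layout, the host addresses and the finding names are all constructed for the example, and the severity scale is an assumption.

```python
"""Added example: diff two vulnerability-scan snapshots to surface unexpected
changes between scheduled scans. Not part of the original article; the data
below is constructed, not real scan output from any organization."""

# Assumed severity scale (not from the article).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed snapshot layout:
#   host -> {"services": {port: service_name}, "findings": {finding_id: severity}}
PREVIOUS_SCAN = {
    "10.0.1.10": {"services": {22: "ssh", 443: "https"},
                  "findings": {"weak-tls-cipher": "medium"}},
    "10.0.1.11": {"services": {3306: "mysql"}, "findings": {}},
}
CURRENT_SCAN = {
    # finding remediated since the previous scan
    "10.0.1.10": {"services": {22: "ssh", 443: "https"}, "findings": {}},
    # a new service appeared on a known host, bringing a new finding with it
    "10.0.1.11": {"services": {3306: "mysql", 8080: "http"},
                  "findings": {"default-admin-page": "high"}},
    # a host that was not in the inventory at all last time
    "10.0.1.42": {"services": {23: "telnet"},
                  "findings": {"cleartext-protocol": "high"}},
}


def diff_scans(previous, current):
    """Return what changed between two snapshots, grouped by change type.

    Each entry is a tuple of (host, port_or_finding_id, name_or_severity) so
    the report is easy to sort, print or feed into a ticketing system."""
    report = {
        "new_hosts": sorted(set(current) - set(previous)),
        "missing_hosts": sorted(set(previous) - set(current)),
        "new_services": [],
        "closed_services": [],
        "new_findings": [],
        "resolved_findings": [],
    }
    # Hosts seen in both scans: compare their services and findings.
    for host in sorted(set(previous) & set(current)):
        prev_svc, curr_svc = previous[host]["services"], current[host]["services"]
        for port in sorted(set(curr_svc) - set(prev_svc)):
            report["new_services"].append((host, port, curr_svc[port]))
        for port in sorted(set(prev_svc) - set(curr_svc)):
            report["closed_services"].append((host, port, prev_svc[port]))
        prev_f, curr_f = previous[host]["findings"], current[host]["findings"]
        for fid in sorted(set(curr_f) - set(prev_f)):
            report["new_findings"].append((host, fid, curr_f[fid]))
        for fid in sorted(set(prev_f) - set(curr_f)):
            report["resolved_findings"].append((host, fid, prev_f[fid]))
    # Hosts that only exist in the current scan: everything on them is new.
    for host in report["new_hosts"]:
        for port, name in sorted(current[host]["services"].items()):
            report["new_services"].append((host, port, name))
        for fid, sev in sorted(current[host]["findings"].items()):
            report["new_findings"].append((host, fid, sev))
    return report


def escalations(report, min_severity="high"):
    """New findings at or above min_severity, i.e. the ones to raise
    with management before the next scheduled scan."""
    threshold = SEVERITY_RANK[min_severity]
    return [(h, f, s) for h, f, s in report["new_findings"]
            if SEVERITY_RANK[s] >= threshold]


def format_report(report):
    """Render the diff as plain lines suitable for an audit working paper."""
    lines = []
    for key in ("new_hosts", "missing_hosts", "new_services",
                "closed_services", "new_findings", "resolved_findings"):
        for entry in report[key]:
            lines.append(f"{key}: {entry}")
    return lines


if __name__ == "__main__":
    result = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("\n".join(format_report(result)))
    print("escalate:", escalations(result))
```

The point of splitting the output into categories is that an auditor reads them differently: a new host or a new service is an inventory question (was this change approved?), a new high-severity finding is a remediation question, and a resolved finding is evidence that the action plan for a previous nonconformity actually worked.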

The picture I drew shows the ideas and concerns of management in Bakirkoy Municipality. They are aware of the threats they face, and they try to manage them. But they need something more.

Internal Audit Department’s Role in Information Security

Our internal audit department works under our mayor and reports directly to him. Our training, quality assurance, and standards are ensured by the Internal Audit Coordination Board, which sits under the Ministry of Finance.

The overall objective of the internal audit activity is to provide an independent assessment of the quality of internal controls and administrative processes, and of the extent to which they assist the municipality in achieving its strategic objectives. In Turkey, public auditors must follow public internal audit standards that are identical to the IIA standards. And these standards tell us, as public auditors: update yourselves, update your risk evaluations, and join the battle your organizations are already fighting against information security risks.

It is important to regularly monitor and assess the effectiveness of controls. As we all know, the value of monitoring and assessment is enhanced when it is done by someone who was not responsible for designing, implementing, and performing the activities being reviewed. Like other controls, an organization’s information security activities need to be independently monitored and assessed.

And the internal audit function seems the right address for this demand. But the allocation of internal audit resources to information security reviews is an important decision.

We use multiple layers of administrative, technical and physical controls to protect organizational assets against risks. This makes our defense deep and strong. The Three Lines of Defense is a well-known model, and it embodies the fundamental tenet of risk management: “defense-in-depth”.

The Three Lines of Defense model is a good way to show who oversees the various aspects of information security risk and how those risks are to be governed by the organization. In this context, the internal audit function, as the third line of defense, independently reviews security measures and performance.

In Bakirkoy Municipality, internal audits used to be conducted mostly as compliance and financial engagements. I suppose these two areas are safe playgrounds for auditors. But at the end of 2015, we felt a need to change our audit focus after evaluating the current and future risks of our organization. We held meetings with senior management to learn their intentions, concerns, and vision. In the end, we saw that senior management was anxious about technology, its usage in the organization and securing information. The increase in cyber attacks and regulatory changes about the usage of personal data influenced this anxiety.

Yes, in the municipality there is an IT department that implements IT work and reports to senior management; these people also coordinate and conduct activities related to information security. But for us, it is problematic: they check their own work and report to management, and their technical language needs to be interpreted into a more business/operational language. Given all these facts, we saw the need for a change in the auditing concept. We needed an integrated approach that would consider information technology, financial and operational controls as mutually dependent for establishing an effective and efficient internal control environment.

As a result, we began our audit planning in the light of this concept. Our new audit universe includes IT processes, and in all audit engagements we try to plan tests for information technology and information security issues.

Commitment and support from senior management are important for the successful establishment and continuance of information security management. In our consulting role, our department makes presentations to senior management about their roles and responsibilities in information security. As an administrative and political body, the municipality’s managers have an intense agenda; daily hot issues take much of their time and energy. Our activities help keep information security concerns alive on their agenda.

Internal audit is a profession in which you cannot stop learning; you need to improve your skills because risks change constantly. These presentations and reports seem time-consuming and tiring, but they give us the chance to show the importance of the internal audit function and strengthen our reputation in the eyes of senior management. This brings financial support to improve our skills for conducting the integrated audit approach. We send our auditors to training, conferences and meetings on information technology risks, IT audit and related topics. They cost a lot, but we need to update our skills.

IT audit skills have special importance when giving assurance about information security. But generally, IT auditing is seen as a special area just for IT-oriented personnel. Unfortunately, this viewpoint discourages audit departments from engaging with information security topics. Actually, non-IT auditors have the capacity to test IT general controls and the governance of IT. This kind of engagement gives auditors the courage and experience to go deeper into IT auditing and also increases management’s confidence in our work.

In Bakirkoy, two audit engagements are currently going on: ‘Management of Enterprise Information Technology Sources’ and ‘Wired and Wireless Communication Process’. The first is almost completely IT auditing, but the second is a good example of the integrated audit approach. Two years ago the same topic was audited and resulted in a report focused mainly on financial issues. But this time it seems much more related to information security concerns.

All employees of an organization should receive appropriate training and regular updates to foster security awareness and compliance with written security policies and procedures. Training is a more detailed endeavor in which users learn much more than they actually need to know to perform their work tasks.

In the scope of consulting, our department has given facilitation support to the information security awareness programs of the Human Resources Directorate. These programs consist of information security training, security drills and simulated security incidents. In these programs we help by:

  • Instructing employees
  • Setting specific objectives and goals
  • Providing feedback to the group
  • Creating a positive environment where employees can work productively

I can easily tell that the involvement of internal auditors in such activities sends a good message to employees: this topic is important and you need to pay attention.

In Bakirkoy Municipality, 38 trained personnel have been conducting audits against the ISO/IEC 27001:2013 requirements at planned intervals. Our department monitors these audits by:

  • accompanying the auditors,
  • checking audit reports,
  • checking follow-ups on the action plans for nonconformities.

Furthermore, we attend the meetings held after audits and inform senior management about the process.

Our organization cooperates with consulting firms on the ISMS and Sustainability projects. And there is a coordination team consisting of IT, legal, financial and human resources personnel and an internal auditor. This team monitors the consulting firms’ activities. With our risk-oriented view, we check whether these activities are aligned with the organization’s strategic objectives and whether risks are managed properly within our risk appetite.

Public organizations face a general problem: they buy more than they need, or things they do not need at all. Our risk-oriented methodology helps management in this area. Maybe, judging by this presentation, you think that our department gives more importance than needed to consulting activities. But showing the flag of the internal audit function in all important areas helps us get management’s support in assurance engagements.

Bottom Line:

For effective information security, these should exist:

  • executive and senior management support,
  • visible and consistent actions,
  • employee education and awareness,
  • a culture for the protection of organizational value,
  • and independent review of security measures and performance by the internal audit function.


This article was delivered as a speech at the "3rd Annual Internal Audit Event" in Thessaloniki, Greece, on 19.05.2017.


It has been a very comprehensive, guiding study; I hope it serves as an example. Congratulations, Mr. Gökhan...

Mr. Gökhan, this has been a fine briefing, both in terms of the importance and scope of information security and the information security activities in your organization, and in terms of internal audit's contributions to management. That, as an internal audit team, you are able to provide both assurance and consulting activities, and that alongside standards compliance and financial audits you support management in the areas where it needs help, such as information security, cyber risks and the security of personal data, are efforts that add great value to management. These efforts are very valuable for internal audit in meeting its stakeholders' expectations and in having its contributions understood. Congratulations..
