
The Influence of Internal Audit on Information Security Effectiveness

The Influence of Internal Audit on Information Security Effectiveness. October 5, 2013. Perceptions of Internal Auditors. Graham Gal, with Paul Steinbart, Robyn Raschke, and Bill Dilla. Outline: Previous Work; Method and Hypothesis; Results; Implications. Previous Work.


Presentation Transcript


  1. The Influence of Internal Audit on Information Security Effectiveness
     October 5, 2013
     Perceptions of Internal Auditors
     Graham Gal, with Paul Steinbart, Robyn Raschke, and Bill Dilla

  2. Outline
     • Previous Work
     • Method and Hypothesis
     • Results
     • Implications

  3. Previous Work
     • Impact of monitoring on information security
     • Monitoring of controls reduces risk (R & M 2009)
     • Monitoring as an enabling process (ITGI 2012)
     • Relationship between INFOSEC and IA
     • Compliance with SOX (Wallace et al. 2011)
     • Infosec perceptions of effectiveness (Steinbart et al. 2013)
     • Frequency of interaction
     • Knowledge of domain
     • Incidents
     • Findings

  4. Method and Hypothesis Tested
     • Data Collection
     • Web Based Survey
     • Subjects - 42
     • Certifications (98%)
     • Work Experience (74% > 10 years)
     • Type of firm
     • For profit 82%
     • Across industries: 42% financial services, 26% Health/Education/Professional Services

  5. Hypothesis Tested
     • H1: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be positively related to the number of audit findings related to information security.
     • H2: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be negatively related to the frequency of security incidents.
     • H3: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions.
     • H4: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with the number of audit findings related to information security.
     • H5: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be negatively associated with the number and severity of security incidents.

  6. Relationship Quality
     Quality of Relationship between information security and internal audit:
     • Members of information security and internal audit work together to assure information systems are secure and reliable
     • There is little friction between internal audit and information security
     • The relationship between internal audit and information security staff is close and personal
     • There is a good working relationship between internal audit and information security

  7. [Path model diagram] Nodes: Frequency of Internal Audit Review of Info Security; Quality of Relationship between IA and Infosec; Outcomes (Findings and Security Incidents); Top Management Support ***. Path labels: H3***, H1 & H2, H4 & H5.

  8. Frequency of the Review
     Internal Audit Reviews of Information Security Topics:
     • Business Continuity and Disaster Recovery
     • Identity and Access Management
     • Logging and System Monitoring
     • Firewalls and Other Network Access Devices
     • Encryption policies (including key management)
     • Backup Procedures
     • Change Management Controls
     • Security Policies

  9. [Path model diagram] Nodes: Frequency of Internal Audit Review, Financial Items; Frequency of Internal Audit Review, Technical Items; Quality of Relationship between IA and Infosec; Outcomes (Findings); Top Management Support ***. Path labels: H3a***, H4a***, H1 & H2, H5a***.

  10. [Path model diagram] Nodes: Frequency of Internal Audit Review, Financial Items; Frequency of Internal Audit Review, Technical Items; Quality of Relationship between IA and Infosec; Outcomes (Incidents); Top Management Support ***. Path labels: H3b***, H4b, H1 & H2, H5b.

  11. Implications
     • Frequency improved perceptions of quality of relationship
     • Similar to our previous work
     • IA mean of overall frequency implies could be more involved
     • Impact on outcomes
     • Relationship is improved by frequency
     • No mediated impact on outcomes (findings or incidents)
     • Decomposed types of reviews
     • “Softer People Oriented” and “Technical” reviews impact findings
     • “Softer People Oriented” and “Technical” reviews do not impact incidents
