Auditing Business Processes
Advancing ISECOM's project list and certifying more people are crucial steps toward Herzog's goal for ISECOM: pushing security beyond a checklist of useful things to do, such as BS7799, to an actual audit of business processes.
To that end, another ongoing project is the Business Integrity Testing Methodology Manual (BIT), which tests business processes together with the integrity and security controls of the systems that support them. The manual examines business processes large and small, and the interrelationships among them, to discern security weaknesses, including potential points for corruption, embezzlement, and other types of theft or fraud. The manual currently includes examples for testing areas such as accounting, human resources, and inventory control, and for testing financial securities firms.
Take, for example, the auditing of ATM transactions. "[I]t's a complex system—not just the box. How do they interact with the reporting mechanism? How does the service come in and put in more cash? And so on," says Herzog.
Why is this important? Take the example of one telecommunications company that contacted ISECOM after a consultant failed it in a security test. Having just used a consultancy to achieve BS7799 compliance, the firm wanted to know why it had then failed the BIT, which the consultant applied after being trained by Herzog. "According to the BIT, they failed the test miserably because all the people responsible for business processes and integrity knew nothing about how the actual processes worked," Herzog reports. The difference lies in what each test accepts as evidence: BS7799 asks a company whether it uses antivirus software, and the existence of the control satisfies the question, whereas the BIT requires the managers who own the antivirus policy and process to know every party that touches the process and to understand how it works end to end. Technical depth is not necessarily required, but at least a basic understanding is essential.
"If you look on a process-by-process level, one of the processes might have had to do with mobile phone towers," says Herzog. Whenever someone uses a mobile phone tower, that information needs to be turned over to billing. Yet how is the process secured? "If there could be a mistake, if someone could change or circumvent the process, how would that affect the billing? These managers at the company knew nothing about billing except that a report comes, and that was enough for BS7799. In the BIT, that's not enough."