What a year 2020 was: climate change marked by wildfires across the globe and record counts of tropical storms; health welfare at center stage from a pandemic that changed people’s lives and attitudes; elections that called cybersecurity effectiveness into question; and pervasive social media content that made “fact check” the buzz word of the year. Not only were such dramatic events headline news, they touched everyone somehow and, in most cases, left individuals in turmoil, forcing change and adjustment. People got acclimated to virtual birthday parties, families managed with distance caregiving, and parents conducted do-it-yourself (DIY) kitchen table education. As we leave 2020 behind, people’s interactions at home and at work have been changed forever. The concept of risk and the promise of technology are irrefutably intertwined and have been impacted forever.
Welcome to the new normal.
As auditors and risk managers, the approach to governance and control effectiveness has also changed to fit the times. Prior to last year, technology risk was focused on examining history on a short horizon. But what happens when the workforce, and even generations of individuals have no personal experience to rely upon? Workforce is the risk that cuts across all critical business factors, and the role of technology to shape behavior cannot be underestimated. The new normal provides an unprecedented opportunity for risk assurance and audit professionals to anticipate the unexpected by considering our current state of affairs through a longer lens of history and applying what we know to the risk framework. It is important to look at the workforce and change, and how auditing of security management and access governance can anticipate and channel workforce behaviors into positive outcomes.
Security Management
If you are an information security officer (ISO), 2020 was a watershed year for security control management. You have always handled issues with remote workers; you have handled security incidents stemming from phishing and inappropriate access. You have probably worked jointly with the business continuity team to simulate secure disaster recovery. Last year, all your experience converged from one issue into another. At the onset, it was hard to know where to start. Within less than a week, the following security priorities took center stage:
- Country-by-country security requirements changed what the workforce could do. Plans to go remote and plans to deploy hardware changed from day to day, as did the rules for supporting the workforce.
- Individual worker requirements for devices, including bring your own device (BYOD), created an opportunity and a headache. Could personal devices relieve the burden of deploying laptops and corporate phones? Or would they add an even harder-to-manage dimension to the already uncertain times?
- Communications requirements increased. Your security teams needed new playbooks to handle projects you were required to mobilize, while you had to find subject matter experts to educate the workforce on the new security standards. You may have had ownership of managing the information flow to the leadership team that was making minute-by-minute decisions. Everyone had to be informed right away, but the information you needed to provide was different for every single audience.
- Core cybersecurity needed even more attention. Risk scenarios regarding ransomware increased; phishing campaigns triggered workforce anxiety with the words “COVID” and “pandemic.” Even the phrase “risk factor” was a hacker tool now, where anxious employees would click to see more, potentially giving access to cybercriminals. Hacker creativity increased, built upon taking advantage of the overtired and overworried. The following scenario may be a familiar one to you.
Helen sat at her third work desk of the day, going through the analytics that were just completed. Working from home had been a blessing and a curse for the clinical trial research associate. The flexibility to manage work and home commitments helped reduce the stress of what felt like impossible-to-meet deadlines. At the same time, Helen missed hanging out with colleagues just to talk and shake off the seriousness of her work. Not that Helen was a stranger to work from home (WFH). Research team members routinely worked remotely, unless specifically involved with lab work in the office. Helen’s work was focused on computer results from completed lab work, along with input from the research hospitals involved in the trials. Time in the office was a benefit, not a necessity, but working on the vaccine for COVID was stressful and, unlike other trials, the camaraderie of getting together at lunch or for coffee just could not be replaced by the virtual yoga classes or even the after-hours cooking webinars Helen could Zoom into at the company’s sponsorship.
It had been a long enough day, why not clean up some easy-to-handle emails and update the vacation plan? Helen thought. She popped through several emails. How did she get on so many external industry-related newsletters? She opened an email: finally, a follow-up from tech support on the issues she was having with the Microsoft Teams application. She was pleased to finally have a response that might work, and the message was short. It looked like a solution was available. A quick click to the site and…
Helen could not figure out what the help desk site was talking about. This did not seem to have anything to do with her problem. It was late, time to shut down, but first, one last look at the email, when Helen realized something was out of place. The email ID was slightly off from other messages she got regarding her technical issue. There was only the website where she clicked and it made no sense. Suddenly worried, especially with all her access to sensitive clinical research, she called the security office to get advice.
The question is how did successful ISO managers get through the turmoil? Their foundation was working against a risk framework and prioritizing the following:
- The team approach—Security management, business continuity planning (BCP), and technology services leaders were most successful when risk and compliance managers and human resources (HR) facilitated the game plan. Focused on each discipline’s priorities and leveraging subject matter expertise across the team, these managers structured an approach that minimized conflicting priorities while establishing much-needed shared responsibility. The team approach brought credibility with the workforce who saw a single approach, with a mission designed by the collective leadership. Consensus was palpable, even over conference calls and with the risk-based priorities clearly outlined in the attack plan.
- Dynamic change management—As conditions changed, workforce frustration was minimized by the availability of backup BCPs. Close review of risk and impacts required constant inspection and reevaluation. Effective teams leveraged knowledge from the risk and audit teams to examine status, kept data fresh on performance, and ensured that there was a spotlight on controls and their effectiveness.
- Communications and transparency—Workforce risk increases with anxiety and anxiety increases with misinformation. Trigger points of bad information were spread knowingly by hackers, nation-state loyalists, and out-for-profit individuals and enterprises. It is not surprising that savvy business leaders with risk-based plans garnered success by gaining workforce trust through frequent and honest communications. In response, an informed workforce followed through with higher than expected productivity fueled by knowledge and access to what management planned to do next and clear direction on what was expected.
- Control—Knowing what was going on and who was taking action was critical to promoting a sense of stability. If communications brought stability, controls and expectations kept people on track with work. The risk framework helped categorize and prioritize risk management, and controls set workforce boundaries. “Fake news” and misinformation lost strength when transparency to the workforce prevailed and what to do next was clear. Relevant and actionable controls targeted at appropriate workforce groups brought a sense of purpose that made workers feel engaged with the solution instead of burdened by an edict.
Access Management and the Workforce
The information technology team holds the keys to technology access for individuals. Parents gained peace of mind when given access to learning tools for their children, and caregivers felt a sense of hope when having healthcare and pandemic information available whenever they wanted to access it. The workforce saw technology access as the root of their control and stability. When the pandemic hit in the winter of 2020, information access became analogous to bank access a century ago at the crash of the US stock market and the global economy in 1929. Last year, when the mandate to send the workforce home was issued around the globe, the technology key-holders were faced with the conflict of keeping the enterprise running but avoiding access misuse, fraud or even cyberterrorism. Consider this story:
Jean looked through his team’s work list for the day. Access requests had been building up since COVID put everyone in a WFH mode. His manager team had been jumping into work queues to pitch in, and it looked like controls were in place and the backlog was going down. As he scanned through the night shift list, he saw a couple of unexpected names. He had not been in touch with his off-hours team in a day or so and, although he trusted his manager to run the show, he decided a check-in might make sense.
Damienne saw Jean’s call come in and smiled as she picked up the phone. Work was going smoothly and it was good to collaborate, especially during this time of pure command-and-control with limited downtime. After catching up on the weekend’s personal activities, Jean brought up the new names he saw on the activity log. They both screen-shared as they dug into the details. “Well,” Damienne noted, “As you know, everyone’s family here. We all know we can trust each other. I was jammed with troubleshooting an access request with a new manager, so I gave Claude admin rights to my queue.” Jean agreed, “People do not realize that we are tight-knit and have each other’s backs.” They continued chatting as they went through the logs, until they noticed a multiple-application access conflict. Better known as “toxic access,” where someone can take advantage of access in one system because of a special role in another system, toxic access can be a conduit for misuse that results in tampering, deception and even data or funds manipulation. Jean and Damienne realized they had a potential breach on their hands. Time was of the essence to minimize damage and figure out why the team trust fell apart.
The successful information access managers leveraged the same key criteria as the information security team as the following highlights:
- The team approach—Risk and auditing principles, combined with a view to human resource best practices, allowed technology access managers to work with security and business continuity teams. Plans to manage workforce access allowed people to do their jobs with appropriate access to systems and tools. That said, “trust, but verify” meant additional structure, and teams needed to understand that heightened risk could be lurking from within the enterprise given personal stress in such unusual times.
- Dynamic adoption of access role and entitlement changes—Managing remote access for all became a critical risk to handle. Increased security meant understanding the impact of change on the workforce and facilitating adoption that maximized access conformance. Small items such as access to printers had to be handled to avoid rogue workers taking care of their own needs in a hard-to-control remote environment. The risk-based framework allowed manageable change to occur and helped mitigate major breaches. The workforce felt enabled and could better focus on the tasks at hand, with access enabled as necessary, but without giving away the access keys.
- Communications and transparency—By setting expectations, the technology access team kept access requests properly managed, leveraging employee supervisor controls, minimizing workforce requests, which, in turn, reduced the need to have access to “fix it myself.”
- Control of access—Consistent administration kept structure in place and work on essential business intact. Focus on the key controls is a must:
- Ensure that modified access requests are appropriate for the job function. Engage supervisors when you are in doubt.
- Verify that access approvals are from appropriate individuals and at the proper level of management visibility.
- Confirm that prerequisites for access have been completed and return requests on a timely basis when they are not.
- Check to make sure that access IDs and emails allowed to have access follow business protocol, including no personal email IDs and other conditions established by the core access controls.
- Verify accuracy by reviewing access reports and gaining confirmation from management that provisioning has been completed correctly.
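As an added illustration (not code from the article), the key controls above and the “toxic access” conflict from Jean and Damienne’s story can be turned into an automated access review. The corporate mail domain, org chart, toxic role pairs and entitlement records below are all constructed sample data chosen to mirror the story.

```python
from collections import defaultdict

CORPORATE_DOMAINS = {"corp.example"}  # assumed corporate mail domain
MANAGER_OF = {"damienne": "jean", "claude": "jean", "helen": "jean"}  # assumed org chart

# Toxic combinations: holding both lets one person bypass a control in the other system.
TOXIC_PAIRS = [
    (("ticketing", "queue_admin"), ("iam", "provisioner")),  # grant access, then hide the ticket trail
    (("payments", "initiate"), ("payments", "approve")),     # initiate and approve the same transfer
]

# Constructed sample: one record per granted entitlement.
ENTITLEMENTS = [
    {"user": "damienne", "email": "damienne@corp.example", "system": "ticketing",
     "role": "queue_admin", "approver": "jean", "prereqs_done": True},
    {"user": "claude", "email": "claude@corp.example", "system": "ticketing",
     "role": "queue_admin", "approver": "damienne", "prereqs_done": True},
    {"user": "claude", "email": "claude@corp.example", "system": "iam",
     "role": "provisioner", "approver": "claude", "prereqs_done": False},
    {"user": "helen", "email": "helen@mail.example", "system": "trials",
     "role": "analyst", "approver": "jean", "prereqs_done": True},
]


def review_access(entitlements):
    """Return (user, check, detail) findings for the key access controls."""
    findings = []
    held = defaultdict(set)
    for e in entitlements:
        grant = f'{e["system"]}:{e["role"]}'
        held[e["user"]].add((e["system"], e["role"]))
        # Access IDs must follow business protocol: no personal email domains.
        if e["email"].rsplit("@", 1)[-1] not in CORPORATE_DOMAINS:
            findings.append((e["user"], "personal_email", e["email"]))
        # Approvals must come from the supervisor, never from the requester.
        if e["approver"] == e["user"]:
            findings.append((e["user"], "self_approval", grant))
        elif e["approver"] != MANAGER_OF.get(e["user"]):
            findings.append((e["user"], "approver_not_supervisor", f'{grant} approved by {e["approver"]}'))
        # Prerequisites (training, screening) must be complete before provisioning.
        if not e["prereqs_done"]:
            findings.append((e["user"], "prerequisites_incomplete", grant))
    # Cross-system conflicts are only visible once all of a user's roles are collected.
    for user, roles in held.items():
        for a, b in TOXIC_PAIRS:
            if a in roles and b in roles:
                findings.append((user, "toxic_access", f"{a[0]}:{a[1]} + {b[0]}:{b[1]}"))
    return findings


if __name__ == "__main__":
    for user, check, detail in review_access(ENTITLEMENTS):
        print(f"{user:10} {check:25} {detail}")
```

In the sample, Claude’s informally granted queue admin right is flagged both as approved outside the supervisor chain and as a toxic pairing with his IAM provisioner role, which is the conflict the story describes.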
Information System Auditing Impact
The opportunity to structure plans and provide stability is as critical in 2021 as it was in 2020. Information system auditing and risk assurance work is center stage to keep workforce impacts under control and to manage an effective governance model. Here is how you can be part of the new normal as a risk management or information systems audit professional:
- Remember that the traditional risks of information security breach and access compromise are underscored by behavior patterns. As your organization’s risk watchdog, evaluate areas where workforce uncertainty may be high and prioritize those areas to the top of the audit program list.
- Let your high-risk areas continue to be your focal point. Your business will have business impact analysis (BIA) work on record that risk rates what is important. Time is always short, but with BIA knowledge in hand, you can focus on the critical business areas and the most impactful functions within those areas.
- The traditional critical risk rating for information security and access management does not change but does intensify in the new normal. Use prior audit and risk assurance work as your foundation. Dig in from there to look for changes that enabled the workforce but may have introduced new uncontrolled risk areas that were necessary to keep business running.
- Consult with potential control owners. Just as leadership success in 2020 was earmarked by collaboration and transparency, a successfully updated audit plan relies upon a common understanding between you as the auditor and the business. As an auditor, you can uncover risk, then meet with the business to discuss and agree upon actionable controls and issue resolution. As a trusted advisor to the business, your due diligence on testing and conferring on results as early as possible will reduce issue propagation.
- Tackle the critical issues first. As you complete your audit, your results will impact the workforce. Consider the impact of your findings in terms of being actionable and relevant to your audience.
- Stay up to date. Yesterday’s events are history the moment they occur. The global IT environment was dynamic before 2020 and is even more so now. The saving grace is that workforce behavior is predictable in many ways. Uncertainty causes a desire for control, and awareness can channel that need. Anxiety breeds emotional responses that malicious actors prey upon, but workforce education safeguards against the hacker and intensifies the positive workforce attitude of weathering the storm together.
What we know helps avoid the pitfalls of the unknown. Success in channeling behavior depends on a plan that resonates with enterprise priorities and provides clear, understandable guidelines to the workforce. The transparency of what the risk and gaps are with the certainty of how to handle those risk areas keeps everyone engaged in a positive, productive environment.
Author’s Note
Suggested viewings and readings:
- Hacking Your Mind—This US State of Oregon Public Broadcasting (PBS) series overviews how people are influenced, oftentimes without realizing the impact a source has on what they do and how they act. The influence from various technologies, and social media in particular, is an especially interesting consideration addressed in this series. See: Byker, C.; Hacking Your Mind, PBS, USA, 2020, http://watch.opb.org/show/hacking-your-mind/
- The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age—Interesting read regarding how attackers have manipulated human behavior to achieve their goals. The book’s research underscores how security and access governance are critical control areas, applicable not just to nation-state attacks, but to the vulnerability of the workforce in the face of prolific cyberdisinformation. See: Sanger, D. E.; The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, Crown Publishing Group, USA, 2018
Cindy Baxter, CISA, ITIL Foundation, is an assistant vice president at State Street Corporation, Boston, Massachusetts, USA, and a member of its risk assurance team, where she works on the first line of defense for State Street’s Global Markets business unit. Prior to working at State Street, Baxter managed a global application development management (ADM) compliance team at AIG focused on software development life cycle (SDLC), identity and access management (IAM), and IT security screening for AIG’s commercial market segment. Her technical experience comes from her role as IT director of operations at Johnson & Johnson’s global command center and her work in technical sales and engineering at AT&T as a relationship director for several Fortune 100 clients. She is grateful to have learned technology from the ground up, and happy to have arrived at a career in audit and risk management, which allows her to leverage her experience across four industries.