The three pillars of IT auditing: importance, timeliness, efficiency

IT auditing is a relatively new concept. Checking the security status and efficiency of the information system became a necessity for most medium and large businesses only 5-7 years ago. All the more valuable, then, is the fact that the Kyrgyz market has a company that can perform this type of audit at the highest level.


Vlad Tkachev, director of IT audit at Baker Tilly, discusses the details and nuances.


Vlad, tell me, what is an IT audit?

— This is an independent verification and validation of the effectiveness of existing information technology and information security management processes. Everything is checked: the organizational and administrative documentation and the processes actually executed under it, the information processing and storage rooms, the personnel involved, the data transmission networks and corresponding data storage systems, computing and network equipment. The world has gone digital; it is an irreversible process. Data operations in every sense are becoming the center of business operations. And with them come problems that we didn’t even know we had 20 years ago. External well-being alone is not enough for everything to function efficiently and correctly. IT auditing stands on three pillars: importance, timeliness, efficiency.


Who needs an IT audit, and what happens during the procedure?

Ideally, any business with more than three computers. As for financial and banking institutions in our country, they not only need it; for them it is mandatory. Our financial regulator, the National Bank of the Kyrgyz Republic, issued a regulation five years ago under which all commercial banks and financial institutions must undergo an IT audit at least once every two years. It is due to this that the financial and credit system of the Kyrgyz Republic differs from its closest neighbors, as it seems to me, in a better — more secure — way.

We analyze risks related to the security of information systems and assess their current level of security. We localize the so-called “bottlenecks”: problems in the management, protection and operation of information security. We check the manageability of processes; this is very important. In addition, we assess the compliance of information systems with existing operational and information security requirements. And, of course, we prepare detailed recommendations for business management in this area.


Is it necessary to shut down the information system for the duration of the IT audit?

— No, of course not. Work continues as usual. Our interference in the work of the audited organization is minimal. We coordinate all audit procedures that may affect the operation of systems. For example, the duration of an interview with an employee cannot exceed the standard of 1 hour.


What results does the company receive from an IT audit?

First of all, we present the results of the audit, showing in detail what results we have obtained, and attach the methodology used to obtain them. This is done to ensure that any subsequent auditor, internal or external, can reproduce the sequence of our actions and get a similar result. In this way, we provide a guarantee of the quality of our IT audit.

The company’s management receives a list of information security management processes in which there is a high risk of losing control itself, or a threat of damage to the organization. Damage to the organization can result from the actions of employees or from external forces: natural disasters, a cyber-attack or the dismissal of a key IT specialist. Continuity of operations depends on many factors, not only on the availability of equipment in the data center and core information systems, but also on the availability of the local area network and employee workstations. For example, the accounting process can be halted, disrupted or damaged by a fire in the server room, a failure of the 1C system, a broken cable on the floor, a broken switch or the chief accountant’s computer freezing, but also by interference from third parties, virus or hacker attacks, sabotage by employees or their absence from the workplace.

Here we point to each problematic place: the risk of fire as a result of safety violations, the risk of losing access to information as a result of problems with the local network or equipment, the risk of a breach of confidentiality if information becomes freely accessible at some point, the risk to the integrity of information or the loss of backups, when backups should be made daily but in fact were last made a year ago. Any abnormal situation in such a case may ruin the company completely and take it out of the market forever. Thus, the result of our work keeps the company’s locomotive from going off these digital rails, so that the company feels confident for many years. We analyze each IT service in detail for likely points of failure and make recommendations on how to avoid damage. Note that we do not tell you how to fix this or that flaw — any qualified IT specialist can do that without us — we help the company’s management identify the risk in time and prevent damage.

In other words, our task is to identify broken or missing information security management processes that allow vulnerabilities to form, which in turn increase the risk of damage to the audited organization.


What is the state of information systems of your clients in Kyrgyzstan?

— In general, if we talk about the financial and banking sector in the Kyrgyz Republic, we see positive shifts. They have emerged over the last five years. Many commercial banks are developing very well in terms of compliance with information security standards. We are now witnessing changes that cannot but please us. Information security departments have been created, NBKR requirements are being complied with, server rooms are in a normal state, and processes are beginning to be managed. All of this is happening thanks to our recommendations.


Tell us about the IT audit department in your company.

— Our department as a whole is young; the practice of IT auditing appeared in our company relatively recently, in 2014. But it should be noted that the information security industry as we know it now is also very young and was finally formed at the end of the 2010s. I have been working at the company since 2017 and head this department. Despite the fact that I am a director, I am directly involved in IT audits. This is our approach: heads of departments are actively involved in operational work. Baker Tilly’s international team of experts has many years of experience in practical information security and information technology management. We provide a comprehensive approach to the independent assessment of IT efficiency and security. IT audit and information security services are provided across the whole of Central Asia: Kyrgyz Republic (Bishkek), Kazakhstan (Almaty), Uzbekistan (Tashkent), Tajikistan (Dushanbe) and Turkmenistan (Ashkhabad).


What are the most interesting cases from your practice?

— Usually these are stories for the initiated; they are not very understandable for a wide audience. Many people’s eyes immediately become sad when they hear such incomprehensible terms as “exploit”, “payload”, “pentest” or “zero-day vulnerability”, but okay, I’ll try! While examining the local area network of one of the organizations we audit for open ports and network connections, we found, completely by accident, an open machine with some shared folders on it. We were not particularly interested in them, because this is normal practice in a corporate network: people share information on common projects, exchange files, pass them to each other to print, consolidate or send common reports. But one of the folders caught our eye because of its name — it was similar to the name of the main information system on which the company worked. We went there and saw a file called Password. In a nutshell, a computer available to almost every employee contained a file that gave access to all — generally all — new passwords used by employees of this organization. Including access to the very classified information the company was trying to protect. Including the passwords of the CEO and the chief accountant.

There were other entertaining stories as well. When we do our due diligence, we pay enormous attention to many factors. The condition of the server room is an important criterion. We measure air speed in the aisles, humidity, temperature — not only of the air, but also of the walls, system units, power supplies, and more. This is necessary to have a holistic picture. One of the points is to measure the amount of dust. A special device is used that records the number of particles as small as 2.5 microns and 10 microns. The data center is a hermetically sealed room; there should be no air inflow from the outside. The dust that collects there circulates all the time. If people come in, bring boxes and other objects in and out, the amount of dust will increase. Without wet cleaning — exponentially. And sooner or later it can lead to a situation when this dust suspension, which consists of a lot of small particles and has a high specific surface area, at low air speeds and in the presence of a heat source from the server equipment, is able to self-heat as a result of oxidation reactions. Do you understand what this means? It’s a risk of spontaneous combustion. So, during one of the audits, it turned out that the room was one step away from combustion: a fire in the server room was inevitable.


That is, the IT audit literally saved the business?

— It turns out that it did. Therefore, regular IT audits by a professional team that specializes in them are a vital necessity.