
Wednesday, March 19, 2014

The Importance of Independent Auditing

There are some simple concepts that we encounter regularly within information security - conflict of interest, least privilege, and separation of duties, to name a few. These simple concepts are what make independent auditing so important. Independence is a requirement for getting an honest, true-to-life review. An accurate audit matters because it can identify weaknesses and/or flaws in processes. If those weaknesses are not handled properly before someone exploits them, the result can be public embarrassment, loss of trust, or even legal implications in some cases.

Conflict of Interest - A conflict of interest exists when someone has a vested interest in the thing he or she is reviewing. Take for example an employee who manages email and is reviewing the email server for security compliance. This person isn't likely to report findings to management, or at least not too many of them. That would certainly taint his/her performance in management's eyes, right? The dangerous part of this situation lies in both objectivity and subjectivity. Because the employee has a vested interest, the review may not be objective, even if the person takes a step back and attempts to be objective. Let's face it! Many of us are bull-headed when it comes to our own designs. What makes the review subjective is that the person doing the review may decide to "fix it later" and report as closed findings that are not. Then, inevitably, this person forgets to implement the fix/mitigation, or becomes an over-utilized resource in someone's project management scheme and never gets the opportunity to address the issue. In either case the flaw stays in the system, and the audit that reported it as closed is tainted.

Least Privilege - In organizations that exercise good security practices, this concept will be enforced. Let's look again at our email administrator. This person should not have the permissions or roles needed to access the auditing logs on his/her own systems, and therefore should not be the one auditing them. This follows largely from what we just talked about: conflict of interest, which could lead to an understated audit. It also creates a risk. If an admin has total control of everything on the system, then he/she could act maliciously and cover up traces of evidence, making the perfect transition to...

Separation of Duties - At first glance this concept may seem exactly like the other two. It is, however, different. I like to think of separation of duties as the control that thwarts conflict of interest and enforces least privilege. Looking once again at our email administrator, separation of duties means that he/she should not be put into a position that creates a conflict of interest, and he/she should not be put into a position of holding higher permissions than the job requires. This concept ensures that auditors are auditors and admins are admins. At no time during an audit should plans be made for re-designs or for tackling fix actions; that is exactly what administrators acting as auditors are likely to attempt.

In summary, independent auditing increases the likelihood of accurate assessments. Accurate assessments are crucial to any business since they identify weaknesses, some of which the business is legally obligated to address. Auditing doesn't have to be expensive for the organization conducting it. This is a function that can be outsourced or contracted, or it can be conducted internally by persons whose department or role is strictly auditing. As always, there are exceptions to the rule, especially within small organizations. While it is certainly better to avoid mixing auditing with any other function, there may be times when that is the only way to obtain an assessment. The rule of thumb here is to be intelligent about how your governance (policy) handles this. Perhaps you build in a control where the individual has to obtain written management approval before assigning themselves auditing rights. Maybe a technical line manager could audit for the employees and have them prove their cases where necessary, which may also double as an up/down training experience for younger staff and management alike. These are just a few suggestions; many other methods may be applied. Whatever you choose, it has to be documented in policy or stated in the audit charter.