Internal audit questions the quality of antimalware
In one major financial institution there is an internal audit department, completely independent of the information security team, which audits - in addition to purchasing, human resources and other departments - this technical department as well.
Independence is a good thing, as is the fact that the auditors report directly to top management, while the information security department reports only to the head of IT, who in turn reports to another member of top management.
In one of the internal audit department's reports there was criticism of the antivirus solution, going something like, "the deployed solution is not among the best..." And the justification? "We have read some reviews in PC Magazine and they wrote that the best product is XY".
How would you, as a person responsible for cybersecurity, defend your position about the specific antimalware product?
This is a classic — and delicate — situation where independence is correct, but competence boundaries are crossed.
As the person responsible for cybersecurity, I would not attack the auditors, and I would not defend the product emotionally. I would defend the decision-making process.
That distinction is everything.
What to say
I'd start by saying "I appreciate your concern and your input is always valuable".
But: "the justification - reading a popular magazine - is not a sufficient or appropriate audit criterion for a security control in our context." A magazine review scores products against a generic sample set on a reviewer's test machine; it says nothing about our endpoints, our threat model, or how the product is configured, managed and monitored here.
The pivotal audit question
Auditors should understand how to frame a risk. So the relevant audit question is not "is this the best antivirus on the market?" The question the auditors should be asking is:
"Does the deployed solution adequately mitigate the identified malware risks for this organization, given our environment, constraints, and threat model?"
Presenting our decision framework
If cybersecurity products are selected in a formal way, based on agreed criteria, then it is easy to show that our antimalware solution was selected by applying the following:
- a documented risk assessment,
- functional and technical evaluation,
- proof-of-concept testing,
- alignment with our endpoint security architecture,
- approval through IT governance.
This is hard to refute, since auditors (should) respect a defensible process more than brand names. If the auditors still want an external benchmark, point them to independent test-lab reports with a published methodology rather than a magazine review; even those only complement the internal evaluation, they do not replace it.
