Security Review, Assessment, Audit: What's the Difference?
Football vs. football. They’re two different sports that share the same name (at least, in some places). They also have some skills and attributes that overlap, such as controlling the ball, teamwork, quick footwork and running, scoring points and so on. But, at the end of the day, American football and European football (or futból), are distinctly unique in their own ways.
The same is true of security reviews, assessments and audits. Since the financial industry is heavily regulated, and especially so in terms of cybersecurity, it’s easy to get caught up in the idea that a review, an assessment and an audit are essentially one in the same. But don’t fall into the trap that many do, as these security tools are certainly not interchangeable, and they each serve their own purpose in determining your credit union’s overall compliance and risk posture.
So, what are the differences between them? Let’s take a look at each one a little more closely.
Review
By definition, a review is an inspection or examination by viewing. It’s a high-level, “at a glance” survey of what industry regulations dictate compared to what security controls you have in place at your credit union. A review, by nature, offers a very limited scope of your security infrastructure to help you determine (at a very minimal level) whether your credit union is in compliance with regulations.
For example, the NCUA requires that credit unions implement some sort of encryption system to protect sensitive member information as stated in the following verbiage from their information security guidelines: “Encryption of electronic member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.”
If you are reviewing your credit union’s email controls, you may find that you have an email encryption system that is used when sending sensitive information. Documenting that system control exists is sufficient in a review, as it indicates compliance. Keep in mind, though, that compliance does not necessarily equal security, which may lead to discrepancies in an assessment and/or audit.
Assessment
Security assessments are a little more in-depth than a review. They, too, offer a review of your credit union’s security controls – such as policies, password parameters, user acceptance, etc. – but then dig deeper to compare them to an established security framework, such as the CIS Critical Controls, FFIEC guidance or the NIST Cybersecurity Framework. These frameworks offer best practices and a look at the current and foreseeable threats to financial institutions, which are part of the requirements of an assessment.
This extra “digging” is done through question and answer. Unlike a review, assessments ask questions beyond “do you have such-and-such security controls”? This allows them to uncover any gaps between your controls and the guidance laid out in the security frameworks we talked about above.
If we once again take a look at the example of email encryption, an assessment would entail a description of the type of system and how it is implemented, which is a step further than just stating that there is one in place. Let’s say you have a well-rated encryption system in place, but each employee has to manually turn on encryption within your email platform. That may be a gap.
Those gaps are critical in an assessment because they can then be prioritized by the level of severity and impact they have on your security controls. All findings – including gaps ranked from highest risk to lowest risk – are then submitted to the credit union via a report. Some vendors that perform assessments even offer generalized mitigation strategies to help credit unions address those gaps and decrease risk. Your credit union can then choose to accept those gaps as active risks or correct them as you see fit.
Please keep in mind that while an assessment provides a closer view of security controls than a review, it operates under the assumption that the controls work as the credit union has described them. There is no testing of controls until an audit.
Audit
A security audit or an NCUA exam is more invasive than both a review and an assessment. There are two reasons for that. First, an audit is all-encompassing of your entire security infrastructure, from your physical workstations and login procedures to your incident response plans. This is different from a review or an assessment, which can be segmented into smaller pieces. For example, an assessment may review just your password parameters, whereas those parameters are only a single item out of many that make up an audit. Second, an audit not only looks at the controls you have in place and any gaps that are present, but it also tests those controls. An audit requires actual proof that your credit union’s security controls are working properly and safeguarding against security risks.
Similar to assessments, audits and exams provide a written report of all findings. Those findings are then rated based on their level of risk exposure to your credit union. Regardless of their rating, these findings will be corrected in a specific timeframe agreed upon by management and the auditor/examiner. Here, the difference between an audit and an exam is that the NCUA examiner has authority and oversight to enforce these corrections.
Let’s go back to our email encryption example. We know that the encryption system is a good system, but it requires each individual employee to manually change their settings to encrypt outgoing emails. In an audit, this may be considered a major finding since it deals with members’ personal identifiable information (PII). Upon completion of the audit, your examiner may give you two months to put in place a program that automatically encrypts all emails sent from your credit union, and you must comply.
Other Factors
In addition to the fundamental differences between the three, there are other elements that separate a review, an assessment and an audit.
Who is performing the task?
This answer could vary depending on your credit union’s size and resources, but often times, a review is performed internally, while an assessment is handled through a third party and an audit is completed as part of your NCUA exam.
Who are the results reportable to?
In the case of a review, any findings may be escalated only to an immediate supervisor. Assessment results generally hold a bit more weight, so they may go as far as the credit union’s executive team. An audit, however, includes official findings that are reportable to all the credit union’s decisionmakers, including the board of directors, as well as regulating bodies.
Is it required?
Reviews are not necessarily required but recommended to keep track of your security controls. On the other hand, the NCUA does require annual security assessments, as stated in Regulation 748 Part A Section III:
B. Assess Risk. Each credit union should:
1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of member information or member information systems;
2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of member information; and
3. Assess the sufficiency of policies, procedures, member information systems and other arrangements in place to control risks.
In addition, the NCUA sends examiners to perform routine security audits for all credit unions every 12 to 18 months. Due to an exponential increase in cyberattacks and breaches over the past several years, the NCUA has increased their enforcement of cybersecurity regulations and elevated them to high priority items during exams, making security audits that much more important. For more information on the NCUA’s security assessments, audits and regulations, visit www.ncua.gov.
Difference Matters
While it’s true that all of these tools are meant to provide a look inside your security program by identifying gaps and vulnerabilities, ensuring regulatory compliance, indicating additional security measures and, ultimately, protecting sensitive information, the three are truly separate endeavors. Much like football and futból are very different, so are reviews, assessments and audits. It’s like comparing a soccer ball to a pigskin.
The key for credit unions is understanding the variations, as well as the weight, each one carries. It means the difference between satisfying internal parties or answering to regulators. More importantly, it means the difference between ensuring compliance with security standards and actually being secure.
John Cuneo is the VP of information security at Vizo Financial. With over 10 years of information technology experience, Mr. Cuneo is well-versed in conducting information system risk assessments, providing security awareness training and analyzing security controls and reports.