The US House Committee on Oversight and Government Reform released the results of its investigation into the Equifax breach, calling it "entirely preventable." The report highlighted multiple problems, but two issues stand out: general incompetence by Equifax's IT security staff, and a reliance on "legacy" systems literally from the 1970s.
What has not been discussed, however, is the fact that since 2011 Equifax held third-party certification to ISO 27001, the international standard for information security management systems. Companies typically pursue this certification in order to demonstrate the quality of their cybersecurity systems, and with such a certificate in hand, companies can gain the right to bid on government and commercial contracts. More and more, Federal agencies require ISO 27001 certification as a minimum qualifier.
It does not seem possible that Equifax could have achieved ISO 27001 certification, given that it requires annual third-party audits of not only their documented procedures, but also their hardware and facilities. It's not clear how auditors could have missed equipment from the 1970s and, as the House report indicated, procedures that were grossly inadequate.
It begins to make sense, however, when one examines the entire ISO certification scheme and the actors involved. Companies like Equifax pay a "certification body" (CB) to audit them annually against the given standard, in this case ISO 27001. The CB is permitted to conduct this activity on the basis of its own accreditation, granted by an "Accreditation Body" (AB). The ABs audit the CBs annually against another ISO standard, ISO 17021. The ABs get their authority through membership in the International Accreditation Forum (IAF), through which they are audited under a different standard, ISO 17011. This network of auditing bodies and standards exists to ensure the results are valid, and not corrupted by conflicts of interest.
The problem is that the scheme itself is built upon a conflict of interest: each party pays its auditor, so there's little incentive for any auditor to actually find problems. If a CB de-certifies a client, it loses that client. If an AB de-accredits a CB, it loses that CB. And so on. Those at the top have the most to lose financially, and so have the least incentive to do their job. As a result, failing an audit is very, very rare.
In the case of Equifax, the arrangement was even more conflicted. Equifax's ISO 27001 certification body was CertifyPoint, a division of Ernst & Young. According to CertifyPoint's public records, they issued Equifax its ISO 27001 certificate in 2011; it now lists the certificate as expired. According to Annual Reports published by Equifax, its ISO 27001 certificate was suspended in 2017, only after the data breach. This means that from 2011 until the breach, CertifyPoint was conducting annual IT security audits of Equifax, and awarding it a certificate every year. The certificate was only pulled after the breach was reported by news outlets.
But it gets worse. According to reporting by Marketwatch, Equifax was using accounting auditors from the financial division of Ernst & Young. That article quoted Bentley University professor Dr. Rani Hoitash, who explained that while financial accountants would not directly audit IT systems, "Auditors, however, are required to look at policies and practices related to financial reporting-related information technology systems and data early in the annual audit process."
This, then, raises serious concerns about Equifax's external auditors. EY financial auditors would be disincentivized to raise findings regarding the company's IT security systems, because that would reflect poorly on EY's CertifyPoint auditors, who had otherwise blessed them. The conflict extends in the other direction as well: CertifyPoint auditors would be hesitant to raise any issues that might reflect poorly on EY's financial auditing staff.
Ironically, Equifax hired EY after its prior auditing firm, Arthur Andersen, was indicted and ultimately shut down due to auditor-related conflicts of interest discovered during the Enron scandal. That incident resulted in the Sarbanes-Oxley Act, which provides legislation to control conflicts between financial auditors and financial consultants. There are currently no laws governing conflicts of interest in the ISO certification scheme, however.
So far, representatives of CertifyPoint and its accreditation body, Raad voor Accreditatie (RvA), are not answering questions about why none of them raised any concerns regarding Equifax's poor controls and systems, which are now a matter of public record. Also silent is the IAF, which oversees the entire scheme.
It's likely, therefore, that more such incidents will occur despite companies holding ISO certificates that claim their systems are fully compliant with international standards. Until regulators start paying attention, or until the IAF is called before Congress to testify on just what is happening on its watch, these problems will only worsen.
About the Author: Christopher Paris is an aerospace quality management consultant, author and industry watchdog. His company, Oxebridge Quality Resources, provides independent reporting on the ISO certification scheme and its conflicts of interest.

Copyright 2010 Respective Author at Infosec Island