Conflicted External Auditors at Heart of Equifax Data Breach

The US House Committee on Government Oversight and Reform published the results of its investigation into the Equifax breach, calling it "entirely preventable." The report highlighted multiple problems, but two issues stand out: overall incompetence by Equifax's IT security staff, and a reliance on "legacy" systems literally from the 1970's.

What has not been discussed, however, is the fact that since 2011 Equifax held third party certification to ISO 27001, the international standard for information security management systems. Companies typically pursue this certification in order to prove the excellence of their cybersecurity systems, and with such a certificate in hand, companies can gain the right to bid on government and industry contracts. More and more, Federal agencies require ISO 27001 certification as a minimum qualifier.

It does not seem possible that Equifax could have achieved ISO 27001 certification, given that it requires annual third-party audits of not only their documented procedures, but also their hardware and facilities. It's not clear how auditors could have missed equipment from the 1970s and, as the House report indicated, procedures that were grossly inadequate.

It begins to make sense, however, when one examines the entire ISO certification scheme and the actors involved. Companies like Equifax pay a "certification body" (CB) to audit it every year against the given standard, in this case ISO 27001. The CB is authorized to conduct this activity on the basis of their own accreditation, granted by an "Accreditation Body" (AB). The ABs audit the CBs every year against another ISO standard, ISO 17021. The ABs get their authority through membership in the International Accreditation Forum (IAF), through which they are audited under a different standard, ISO 17011. This network of auditing bodies and standards exists to ensure the results are valid, and not corrupted by conflicts of interest.

The problem is that the scheme itself is built upon a conflict of interest: each party pays their auditor, so there's little incentive for any auditor to actually find problems. If a CB de-certifies a client, they lose that client. If an AB de-accredits a CB, they lose that CB. And so on. Those at the top have the most to lose financially, so have the least incentive to do their job. As a result, failing an audit is very, very rare.

In the case of Equifax, the arrangement was even more conflicted. Equifax's ISO 27001 certification body was CertifyPoint, a division of Ersnt & Young. According to CertifyPoint's public records, they issued Equifax its ISO 27001 certificate in 2011; it now lists the certificate as expired. According to Annual Reports published by Equifax, its ISO 27001 certificate was suspended in 2017, only after the data breach. This means that from 2011 through until the breach, CertifyPoint was conducting annual IT security audits on Equifax, and awarding them a certificate each year. The certificate was only pulled after the breach was reported by news outlets.

But it gets worse. According to reporting by Marketwatch, Equifax was using accounting auditors from the financial division of Ernst & Young. That article quoted Bentley University professor Dr. Rani Hoitash who explained that while financial accountants would not directly audit IT systems, "Auditors, however, are required to look at policies and practices related to financial reporting-related information technology systems and data early in the annual audit process."

This, then, raises serious concerns about Equifax's external auditors. EY financial auditors would be disincentivized to raise findings regarding the company's IT security systems because that would reflect poorly on EY's CertifyPoint auditors, who had otherwise blessed them. The conflict extends in the opposite direction as well, as CertifyPoint auditors would be hesitant to raise any issues that might impact poorly on EY's financial auditing team.

Ironically, Equifax hired EY after its prior auditing firm, Arthur Andersen, was indicted and eventually shut down because of auditor-related conflicts of interest discovered during the Enron scandal. That incident resulted in the Sarbanes-Oxley law, which provides legislation to control conflicts between financial auditors and financial consultants. There are currently no laws governing conflicts of interest in the ISO certification scheme, however.

To date, representatives of CertifyPoint and its accreditation body, Raad Voor Accreditatie (RvA), are not answering questions on why none of them raised any concerns regarding Equifax's poor controls and systems, which are now a matter of public record. Also silent is the IAF, which oversees the entire scheme.

It's likely, therefore, that more such incidents will occur despite companies holding ISO certificates that claim their systems are fully compliant to international standards. Until regulators start paying attention, or until the IAF is called before Congress to testify on just what is happening on its watch, these problems will only worsen. 

About the Author: Christopher Paris is an aerospace quality management consultant, author and industry watchdog. His company, Oxebridge Quality Resources, provides independent reporting on the ISO certification scheme and its conflicts of interest.

Copyright 2010 Respective Author at Infosec Island

via Infosec Island Latest Articles https://ift.tt/2GcOHD3
RSS Feed

If New feed item from http://www.infosecisland.com/rss.html, then send m


Unsubscribe from these notifications or sign in to manage your Email Applets.

IFTTT

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more