The internal audit team, A.K.A. red-headed step-children
- IT TOPICS: Management, Security
Many big companies (and some SMBs) have an internal audit team that makes sure the company's policies and procedures are being followed. But too often these teams are treated like internal affairs in cop movies. They are seen as the bad guys trying to catch someone screwing up and basically keeping people from getting their jobs done. This perception is wrong, and people need to realize that these folks are important to the company's security posture.
But in order to make this case, we need to come at it from a "separation of duties" perspective, specifically concerning separation of InfoSec and IT. Let's look at how Anton describes it over at the InfoSec Blog:
- InfoSec says what it should be
- IT “makes it so”
- Audit makes sure that they did.
In other words, Information Security folks set the policies. The IT folks actually do the dirty work to make the policy reality. Auditors make sure it is done. Now, as an ex-IT person, I understand the reluctance of having someone looking over your shoulder to make sure you are doing what you were told to do. And I can see the idea that people have of InfoSec and Audit colluding and even being two different heads of the same serpent. But in big companies (and even medium and small companies if resources make it possible), this power separation is completely necessary.
Anton makes this great analogy:
What I am suggesting in this separation of duties between InfoSec, IT and Audit is no different from a doctor writing a prescription and the patient taking it to an apothecary to be filled. The apothecary isn't doing the diagnosis or needs analysis, but he still plays an essential role.
The argument comes down to basic common sense, and potential abuse is the key to it. Though I think Anton is coming at this from the angle of separating duties for the sake of efficiency, his analogy stands up well. The doctor can't prescribe AND hand out drugs because of the potential for abuse (I know they hand out samples, but work with me here). In my analogy in the first paragraph, if the police department didn't have an internal affairs group, the potential for abuse would be high. The same is true with the Audit group and IT. If the IT staff were responsible for auditing itself, the potential for abuse of policies would be high. If the person who sets the web surfing policy is the same person who checks to make sure no one is surfing porn, what is to keep him from surfing porn?
So the Audit group is necessary (not a necessary evil) to help companies get and stay secure. Don't treat them cruelly or look at them like they are trying to catch you playing computer games. They have an important job to do, and they don't need our contempt as they try to do it.