Tuesday, July 9, 2019

SDLC, Agile, and Auditors

SDLC is a tried and true process for systems development, however as the speed of business has increased, so has the demand for development frameworks that can keep up. Many takes on this concept have come and gone, but one that has increased in adoption and earned high regard in the process is the Agile Development Process. It has been adapted to many industries and many types of systems. I’ll talk a little about what Agile is, and what it should mean for the audit process.

First things first, I’ll take a moment to describe the Systems Development Life Cycle (SDLC). This is important because a true understanding of Agile requires an understanding of SDLC for context. The SDLC is a process that is defined by five key steps in the development of an application or system. The steps are:

Planning

Analysis

Design

Implementation

Maintenance

Each step is meant to begin once the previous one is completed, which is why the SDLC is often referred to as “Waterfall Project Management.” It has a very structured flow. It is best suited for larger projects that will not change much over the course of their lifecycle. As mentioned earlier, as the speed of business increased, the need for project development to adapt on the fly as situations changed began to raise real questions about the suitability of SDLC for modern project development.

Where SDLC is a process, Agile is considered more of a methodology. Agile was developed because the waterfall style of project management that defines SDLC does not meet the needs of systems development in an environment of constant change. The “Agile Manifesto” was written in 2001, and this led to the formalization of Agile as a process.

Scrums and Sprints are key concepts in Agile. Agile is known for constant collaborative meetings that bring together stakeholders, multiple cross-functional teams from across the development staff, and clients to discuss the work that was done and the work that needs to be done. This allows changes to be implemented relatively quickly, as opposed to waiting until it is impractical or impossible. Scrums are the meetings that precede Sprint periods. Sprints are predetermined periods of time during which development work is done. Changes are generally not allowed during a sprint period. This is mitigated by the fact that sprints tend to be relatively short, and changes can be discussed and applied between them as needed. Agile provides for accountability, as development team members are required to brief their progress frequently between sprints, and their work is drawn into the big picture with all stakeholders present.

As this all pertains to the audit process, development of systems with SDLC is unquestionably friendlier to auditors. Requirements are clearly defined from the very beginning and, if all goes right, the work follows that predetermined plan. Audit requirements should be baked into the system from the very beginning, and audit processes can be designed, tested, and performed on the system throughout its lifecycle.

Agile certainly complicates matters. As requirements change for a system, the audit environment can change significantly. To minimize the effect of this complication, the audit team must be an active participant in the Agile process. During scrums, auditors must be present as changes are discussed and must be engaged in raising their concerns. System audits are a key component of a system and must be part of the development process. A slower-moving development process is much easier for the audit process; a faster-moving one simply requires more active engagement and a faster-moving audit team that is well versed in the terminology and concepts of the Agile framework.

A Look at Operating Systems

Selecting the Operating System (OS) for a corporate entity is no small endeavor. A company’s chosen operating system is not only responsible for being the “program that runs the programs”, but the company’s operating system can in many ways define some aspects of the company’s identity. A company that runs on Windows can be seen as practical and professional. A company that runs on Apple MacOS can be seen as modern and progressive. A company that runs on Linux can be seen as technologically savvy and perhaps a little edgy.

Besides the perceptions of what the chosen operating system implies about the company, there are very real implications from the company’s choice of OS. The company’s OS not only defines the company’s external perception, the company’s OS defines the way the company operates. It defines the way the company designs and procures software, hardware, and support equipment. It defines how the company communicates both internally and externally. It is a critical component to how the company does its day to day business and how it makes strategic decisions.

A company is requesting a recommendation for an operating system to be installed on 50 corporate computers. Several assumptions will be made so that the three candidate operating systems can be evaluated against one another as objectively as possible. The first assumption is that the industry of this particular company does not specifically require any features from one operating system that would give it a meaningful advantage over the others. The second assumption is that the company does not require any software that would make one OS advantageous over the others. The third is simply derivative of the first two: any of the three operating systems would be equally sufficient in meeting the company’s needs.

Whenever desktop computer operating systems are compared to one another, it often comes down to a choice between three general players, choosing an OS from Microsoft, Apple or Linux. OS fragmentation, a situation where a particular operating system has multiple versions “in the wild”, is not as significant a problem as it was in the past. There are still cases where an enterprise will have devices with operating systems that are no longer supported for one reason or another, but the larger players have become better at keeping their user bases up to date with OS installs.

The three Operating Systems that will be evaluated against one another are:

Apple MacOS 10.14.5 Mojave

Microsoft Windows 10

Red Hat Enterprise Linux 8

Windows

Released in the summer of 2015, Microsoft Windows 10 was the follow-up to the previous version, Windows 8/8.1. Windows 10 has a stated ten-year lifespan of extended support from Microsoft. Windows 10 is designed to function equally as well on desktop computers as well as mobile “tablet” devices. Microsoft has a substantial corporate sales and support capability and the client list is impressive. Microsoft offers a large catalog of software available in numerous formats for corporate licensing and use, and third-party software that runs on Windows is generally the norm.

MacOS

Apple MacOS 10.14.5 Mojave was released in 2018 in the type of extravagant media event that Apple has become known for. Apple products are best known for hardware and software that are engineered for synergy in their operation, as both are designed by the same company specifically to work with one another. Most modern Mac computers use the same “Intel” architecture that “PCs” use, which can be advantageous for certain applications. MacOS is specifically a desktop computer OS, as Apple has a separate mobile operating system, iOS, for mobile devices such as Apple’s iPad tablets. Apple has a substantial catalog of first-party software that has varying levels of compatibility with industry-standard file types. The catalog of third-party software has become more substantial in recent years, particularly after Apple adopted Intel CPUs in Mac computers, but generally it is up to software publishers to choose to create software that runs on MacOS. This could be problematic in the case of more niche types of software, but given the assumptions mentioned earlier, this will not factor into my recommendation. One last significant point: MacOS may only run on Apple Mac computers. There are virtualization and dual-boot options that allow other operating systems to run on Mac hardware, but the MacOS license requires that it only be run on Apple Mac hardware.

Linux

Linux is an open source “kernel” that serves as the foundation for a huge assortment of “distributions” of the operating system collectively known as Linux. Linux is very scalable and adaptable to a wide variety of applications. A distribution is a unique interpretation of Linux that is distinct from other “distros.” Many different distros exist that are intended for different audiences. Arch Linux is constantly updated with new features and functionality and is intended for power users. Ubuntu and Linux Mint are intended to be general use operating systems with large software catalogs, and are praised for being excellent “introductions” to Linux for users that are used to other operating systems. Red Hat is the corporate/enterprise distro of choice because of its support structure and standardization mechanisms. Linux is recognized for being very efficient in terms of hardware requirements and for being secure.

[Comparison table: Windows, MacOS, and Linux evaluated on Hardware, Price, Virtualization, Software, and Support; cell contents not preserved]

Hardware


Windows 10 has many advantages in a head-to-head comparison for corporate use. While Windows 10 has distinct hardware requirements that can reasonably be described as excessive in some cases, the fact is that Windows 10 can be installed on a large variety of devices. Computers can be purchased with Windows preinstalled, or they can be custom built to run Windows. Microsoft as well as a number of third-party manufacturers build desktop PCs and tablet PCs that run the same version of Windows with no gap in functionality, which can be very advantageous in certain applications. Microsoft has a world-class support infrastructure that is unmatched in size or scope, and a long and distinguished track record of ensuring that its customers can use Microsoft products to accomplish their corporate objectives. With this comes a price, however. That being said, if money is no object, Microsoft can provide hardware (to a certain extent), software, and enterprise services to go with its operating system.

Apple is often regarded as a niche product in the corporate world. The reason is that, regardless of the generally unquestioned level of quality Apple products are known for, they do not scale well in a corporate environment. Apple computers are notorious for the inability to perform routine maintenance or to upgrade components. While there is a lot of software available for MacOS, software publishers must acknowledge the proportion of corporate users that do not use Apple computers and consider that when deciding whether to invest resources in making Mac-compatible software. While virtualization can smooth over many compatibility issues, the complexity of configuring and supporting this functionality must be taken into consideration. Apple peripherals are very expensive. Apple Mac computers are very expensive. While MacOS tends to be designed to run well on older hardware, a capability unique to Apple, the simple fact remains that some software requires powerful, up-to-date hardware components. This becomes problematic when the solution is constant replacement of entire computers that are not only still fully functional, but were expensive to begin with.

Red Hat Enterprise Linux is a strong candidate for use in a corporate setting. The software is secure, it is fast, and the support is very good. There are a number of caveats, though. In an industry where software is customized or is otherwise capable of running on a Linux platform, Linux is great. Linux runs on as large an assortment of hardware as Windows, or larger, given that it is known for requiring less computing overhead than Windows. Linux being open source, the pricing structure tends to revolve around the support an organization requires as opposed to outright licensing. The negatives revolve around software support and the relatively small amount of support available for Linux installs compared to that available for Windows, or even Mac for that matter. While the assumptions mentioned above address some of these concerns, I must still take them into account when evaluating the three OSes against one another.

That being said, my recommendation for a corporate client for an operating system to install on 50 computers is Windows 10. Windows being the most common operating system in use around the world allows for some significant advantages for its users. Off-the-shelf software is often sufficient for most companies’ needs, and it is generally not too difficult to develop custom software when needed. Microsoft provides cloud services and a huge assortment of first-party software that will run on Windows reliably. Windows allows for a wide variety of hardware configurations, which means that computers can be upgraded and replaced without concern for operating system incompatibilities in most cases. Windows has numerous update structures that are designed around corporate users. Windows 10 runs on desktop computers as well as tablet computers, which enables mobility to a degree that neither of the other two can match. Windows 10 is the clear choice.

Monday, July 8, 2019

Risk Management and Theranos

Theranos was a private company that was founded in 2003 by a 19-year-old Stanford University undergraduate Chemical Engineering student. Theranos garnered a massive amount of hype and attention for its claims that it had developed technology for performing blood tests that required much smaller amounts of blood and were drastically less expensive than the types of tests in use at the time. The company raised substantial amounts of money from venture capitalists and private investors.

Unfortunately, the company was never able to deliver on what it claimed it would be able to do. The company’s two founders were charged with “massive fraud” in which they “exaggerated or made false statements about the company’s technology, business, and financial performance” to continue to raise investment capital, ultimately resulting in the company being valued as high as 9 Billion USD. One of the company’s cofounders, the CEO, agreed to surrender her stake in the company and was ordered to be ineligible to be an officer in a public company for a period of ten years. The other cofounder, also its COO, had charges brought against him in Federal Court.

The company was universally hailed at the time as a breakthrough technology company that would be wildly successful as an industry disruptor. Over time, however, the company doubled down on its failures to deliver on its incredible claims by deceiving its many business partners and by using other companies’ technologies while claiming they were its own. The company was exposed by these business partners and eventually by the press.

The company was backed financially and otherwise by many prominent individuals, including Henry Kissinger, James Mattis, and Rupert Murdoch.

Risk management is a key concept anytime investment is concerned. To a very large degree, investing is a calculated gamble that the investment will pay off and result in profit for the investor. In the simplest terms, the risk in investing is that the investment will not be successful and the investor will not make any money. Therefore it is up to the investor to ensure that she is as well informed as possible before committing capital to any endeavor.

The investors and venture capitalists who supported the formation and growth of Theranos were badly burned by the company’s cofounders. Some of the company’s early investors made significantly large investments upwards of 100 Million USD, many under false pretenses of what the company’s technology was allegedly capable of doing, or even worse, what it was successfully doing when that simply was not the case. Ultimately, the asset that was compromised was the investors’ money.

The vulnerability was the tremendous hype that was generated by the company. The company’s founder was a charismatic and extremely intelligent young woman who had dropped out of the Stanford University College of Engineering to found the company on the back of extravagant claims of what the company’s technology would do, revolutionizing the healthcare industry in the process.

The threat was the reality that the technology that the company was promising was something that they simply were incapable of delivering. The company was rife with ambition and great ideas, but they were simply incapable of bringing them to reality. For instance, the company had applied for patents for a blood analyzer machine that would perform 200 specific tests. The company’s two founders were fully aware that the machine was only capable of performing 12 of those tests, but continued to lie to investors about it.

What should have been a simple case of another failed Silicon Valley tech startup became something far more sinister. The company was very much defined by the hype that it created for itself. Unfortunately, that also meant that the company carried a tremendously visible public profile. Everything that happened with the company as the wheels started to come off was big news in the technology press, the business press, and ultimately the mainstream media. The world watched the company fall apart and its cofounders’ reputations permanently sullied.

This was such an interesting case because Theranos became a train that, once it gathered the incredible momentum that it did, was nearly impossible to stop. The only real control that could have prevented the company from becoming the scandal that it did would have been for one of the company’s two top executives to face reality and be honest with the company’s investors and the SEC. Had the executives been lied to by the company’s employees, perhaps my perspective might be a little different. But there was every indication that the cofounders were fully aware of the company’s shortcomings and very willingly deceived everybody necessary to keep the train rolling. Their deceit caught up with them and they paid the price. Unfortunately, so did their investors.

A proper risk management process would have done wonders to prevent much of what went wrong with Theranos. The investors could have been a little more skeptical about the company’s extravagant claims. The company’s employees could have been a little more aware of what was going on around them and a little more compelled to blow the whistle to authorities if they were uncomfortable going to their own management. Ultimately, it was many of the company’s business partners that began to question what the company was promising, initiated inquiries, and lodged complaints with regulatory bodies, which eventually led to the company’s downfall.

Monday, May 20, 2019

The COSO Framework and Our Organization

The COSO Framework is used to guide the audit processes for this company for some very important reasons. The risks that face any company operating today are as numerous as they are dynamic. The COSO Framework was created and developed to adapt to the risk environment that has evolved with time and the modernization of the business world. Originally published in 1992 and continually refined to its most recent iteration in 2013, the COSO Framework has strived to embrace evolving technologies and their effect on business practices. It has also endeavored to remain mindful of the realities of the cyber-enabled business world operating in the information age, in an environment created for sharing information, not protecting it, where the protection of all data is not possible despite the grandest efforts and the most extravagant expenditures. As organizations change the way they operate, they broaden their attack surfaces, whether knowingly or not. The COSO Framework aims to remain faithful to the development of internal controls for the management of risk, as opposed to becoming foolishly beholden to the fantasy that all risk can be prevented or avoided.

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are five components to the framework (Galligan & Rau, 2015):

Control Environment: Does the board of directors understand the organization’s cyber risk profile and are they informed of how the organization is managing the evolving cyber risks management faces?

Risk Assessment: Has the organization and its critical stakeholders evaluated its operations, reporting, and compliance objectives and gathered information to understand how cyber risk could impact such objectives?

Control Activities: Has the entity developed control activities, including general control activities over technology, that enable the organization to manage cyber risk within the level of tolerance acceptable to the organization? Have such control activities been deployed through formalized policies and procedures?

Information and Communication: Has the organization identified information requirements to manage internal control over cyber risk? Has the organization defined internal and external communication channels and protocols that support the functioning of internal control? How will the organization respond to, manage, and communicate a cyber risk event?

Monitoring Activities: How will the organization select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks? When deficiencies are identified how are these deficiencies communicated and prioritized for corrective action? What is the organization doing to monitor their cyber risk profile?

Figure 1: The COSO Cube

Proper implementation of the COSO Framework requires commitment from the senior management of any organization. Our organization understands this. The COSO Framework states that “The control environment is the set of standards, processes, and structures that provide the basis for carrying out the internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.” (Galligan & Rau, 2015). Our organization’s senior management from the Board of Directors down to the functional management embrace this point of view and prioritize the protection of our data and understand what that means in terms of the allocation of resources and the attitudes within the organization toward the protection of its data.

Risk Assessment 

From the most recent COSO Framework document: “Because the cyber risk assessment informs management’s decisions about control activities deployed against information systems that support an entity’s objectives, it is important that senior management and other critical stakeholders drive the risk assessment process to identify what must be protected in alignment with the entity’s objectives. Many organizations do not spend enough time gaining an understanding of what information systems are truly critical to the organization; they also may have difficulty understanding where and how the information is stored. This can lead to attempts to protect everything, which leads to overprotecting certain information systems and under protecting others” (Galligan & Rau, 2015).

Our organization is fully committed to combating the external and internal risks it constantly faces. Utilizing a multidimensional threat matrix informed by divisions throughout the organization and refined by external cyber risk assessment subject matter experts, decisions are made with clear visibility of the likelihood of the potential occurrence of specific risks and their impact to the organization’s operations. This enables well-informed decision making that enables a cyber posture that is ready for anything.

In accordance with the COSO Framework, our organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. This clarity is essential to provide the direction and context for what we do with our risk assessment processes. Resources are not unlimited, so well-informed decision-making is essential to prevent, detect, and manage the cyber risks that the organization faces.

Our organization begins by identifying the information systems that are the most valuable by measuring the impact of their potential loss. Quantifying these values is possible because of the excellent communication by stakeholders across our organization. Like any organization, we cannot act on every risk, given our limited time, budget, and resources, so management determines the levels of risk tolerance acceptable to the organization in order to focus its efforts on protecting the information systems most critical to the organization.

Our risk assessment processes are successful because our decision makers understand which information systems are valuable to perpetrators of cyberattacks, and they understand how attacks are likely to occur. The costliest attacks tend to be targeted at an organization for specific reasons. Our organization understands its cyber threat profile.

Successful organizations incorporate their cyber threat profile into their overall risk assessment process in order to understand where controls should be placed to keep those assets secure. Our organization has successfully established threat awareness throughout the organization and developed the capacity to detect patterns of behavior that indicate and predict compromise of our critical assets.

“It is also important to apply an industry lens to cyber risks versus just looking broadly at cyber risks. The perpetrators of cyberattacks have unique objectives that differ between industry sectors. For example, in the retail sector, organized criminals are the most likely attackers, focused primarily on exploiting vulnerabilities in systems that contain information that can be used for profit (e.g., credit card data or Personally Identifiable Information (PII)). Alternatively, the oil and gas industry might be targeted by nation states with a motive to steal strategic data about future exploration sites. Chemical companies may find themselves targeted by hacktivists because of perceived environmental issues around their products. Regardless of their motives, cyber attackers are relentless, sophisticated, and patient. They will stage attacks over time by gathering information that will expose weaknesses within the organization’s information systems and internal controls. Through careful evaluation of the motives and likely attack methods and the techniques, tools, and processes (TTPs) the attackers may use, the organization can better anticipate what might occur and be in a position to design controls that are highly effective in minimizing the disruption of potential cyberattacks and keeping highly valued assets secure.” (Galligan & Rau, 2015).

Every organization should anticipate change while performing cyber risk assessments. As our organization has evolved over time, we have made changes to our objectives, people, processes, and technologies. As our cyber landscape changes, new perpetrators of cyberattacks along with new methods of exploitation emerge. While cyber risk assessments generally reflect the current state of the organization, processes must be dynamic and iterative and must consider changes to the internal and external threat landscapes that could lead to changes in the management of cyber risks. We have been successful with this.

“Business and technology innovations are adopted by organizations in their quest for growth, innovation, and cost optimization. However, such innovations also create exposure to new cyber risks. For example, the continued adoption of Web, mobile, cloud, and social media technologies has increased the opportunity for exploitation by the perpetrators of cyberattacks. Similarly, outsourcing, offshoring, and third-party contracting have exposed organizations to potential cyber vulnerabilities that are ultimately outside of the organization’s control. These trends have resulted in the development of cyber ecosystems that provide a broad attack surface for the perpetrators to exploit. The assessment of changes that could have an impact on the system of internal control should include considerations regarding changes in personnel. Turnover of personnel at operational levels of the organization can have a significant impact on the organization’s ability to effectively perform their control responsibilities that are designed to minimize the potential impacts of cyberattacks. Risk assessments should be updated on a continuous basis to reflect changes that could impact an organization’s deployment of cyber controls to protect its most critical information systems. As information is generated from the vigilant monitoring of the changing threat landscape and the risk assessment process, senior executives and other stakeholders must share and discuss this information to make informed decisions on how to best protect the organization against exposure to cyber risks” (Galligan & Rau, 2015).

Identifying and Implementing Control Activities that Address Cyber Risks

“Control activities are the actions performed by individuals within the organization that help to ensure management’s directives are followed in order to mitigate risks to the achievement of the objectives. Such control activities should be documented in policies to help ensure that control activities are carried out consistently across the organization” (Galligan & Rau, 2015).

As mentioned earlier, cyber risks cannot be avoided, but they can be managed with the implementation of appropriately designed controls. When an organization considers the likely attack methods and routes of exploitation (through the risk assessment process), it is better positioned to minimize the potential impact that cyber breaches may have on its objectives. Once an organization accepts the reality that cyber breaches are inevitable and has performed an appropriate cyber risk assessment, control structures should be deployed in a layered approach that prevents intruders from freely roaming the information systems after the initial layers of defense are compromised.

Adherence to the COSO Framework enables our organization to conduct its business in a way that is adaptable in how it faces its cyber risks. It allows for effective audit processes that provide visibility and accountability across the organization.