The US House Committee on Oversight and Government Reform published the results of its investigation into the Equifax breach, calling it “entirely preventable.” The report highlighted multiple problems, but two issues stand out: overall incompetence on the part of Equifax’s IT security staff, and a reliance on “legacy” systems dating literally from the 1970s.
What has not been discussed, however, is the fact that since 2011 Equifax held third party certification to ISO 27001, the international standard for information security management systems. Companies typically pursue this certification in order to prove the excellence of their cybersecurity systems, and with such a certificate in hand, companies can gain the right to bid on government and industry contracts. More and more, Federal agencies require ISO 27001 certification as a minimum qualifier.
It seems impossible that Equifax could have achieved ISO 27001 certification, given that the standard requires annual third-party audits not only of documented procedures, but also of hardware and facilities. It is not clear how auditors could have missed equipment from the 1970s and, as the House report indicated, procedures that were grossly inadequate.
It begins to make sense, however, when one examines the entire ISO certification scheme and the actors involved. Companies like Equifax pay a “certification body” (CB) to audit them every year against the given standard, in this case ISO 27001. The CB is authorized to conduct this activity on the basis of its own accreditation, granted by an “accreditation body” (AB). The ABs audit the CBs every year against another ISO standard, ISO 17021. The ABs get their authority through membership in the International Accreditation Forum (IAF), through which they are in turn audited under yet another standard, ISO 17011. This network of auditing bodies and standards exists to ensure that the results are valid and not corrupted by conflicts of interest.
The problem is that the scheme itself is built upon a conflict of interest: each party pays its own auditor, so there is little incentive for any auditor to actually find problems. If a CB de-certifies a client, it loses that client. If an AB de-accredits a CB, it loses that CB. And so on. Those at the top have the most to lose financially, and therefore the least incentive to do their job. As a result, failing an audit is very, very rare.
In the case of Equifax, the arrangement was even more conflicted. Equifax’s ISO 27001 certification body was CertifyPoint, a division of Ernst & Young (EY). According to CertifyPoint’s public records, it issued Equifax its ISO 27001 certificate in 2011; it now lists the certificate as expired. According to annual reports published by Equifax, its ISO 27001 certificate was suspended in 2017, only after the data breach. This means that from 2011 until the breach, CertifyPoint was conducting annual IT security audits of Equifax and awarding it a certificate each year. The certificate was pulled only after the breach was reported by news outlets.
But it gets worse. According to reporting by MarketWatch, Equifax was using accounting auditors from the financial division of Ernst & Young. That article quoted Bentley University professor Dr. Rani Hoitash, who explained that while financial accountants would not directly audit IT systems, “Auditors, however, are required to look at policies and practices related to financial reporting-related information technology systems and data early in the annual audit process.”
This, then, raises serious concerns about Equifax’s external auditors. EY’s financial auditors would have had a disincentive to raise findings about the company’s IT security systems, because doing so would reflect poorly on EY’s CertifyPoint auditors, who had already blessed those systems. The conflict runs in the opposite direction as well: CertifyPoint auditors would be hesitant to raise any issues that might reflect poorly on EY’s financial auditing team.
Ironically, Equifax hired EY after its prior auditing firm, Arthur Andersen, was indicted and eventually shut down because of auditor-related conflicts of interest uncovered during the Enron scandal. That scandal led to the Sarbanes-Oxley Act, which regulates conflicts between financial auditors and financial consultants. There are currently no laws governing conflicts of interest in the ISO certification scheme, however.
To date, representatives of CertifyPoint and its accreditation body, the Raad voor Accreditatie (RvA), are not answering questions about why none of them raised any concerns regarding Equifax’s poor controls and systems, which are now a matter of public record. Also silent is the IAF, which oversees the entire scheme.
It is likely, therefore, that more such incidents will occur despite companies holding ISO certificates that claim their systems are fully compliant with international standards. Until regulators start paying attention, or until the IAF is called before Congress to testify on just what is happening on its watch, these problems will only worsen.
About the Author: Christopher Paris is an aerospace quality management consultant, author and industry watchdog. His company, Oxebridge Quality Resources, provides independent reporting on the ISO certification scheme and its conflicts of interest.
Source: Infosec Island