Internet Security Audits for Government: An Overview of the Lessons Learned in the Netherlands

Internet Security Audits
Author: Jeroen van Lewe, CISA, CEH, CIA, ECSA
Date Published: 22 April 2016

The number of attacks on government web sites continues to increase. In June 2015, Canadian government web sites were hit by a large-scale cyberattack.1 In the Netherlands, large-scale cyberattacks on government web sites began in 2011. In 2012, the Dutch government decided to use IT audits as one of the remedies for this issue. This decision, and the compulsory approach for audit in the Netherlands, had a major impact on the IT audit profession. At the end of 2014, members of parliament raised questions regarding the value of the IT audits on government web sites when media outlets reported on vulnerabilities in web sites of municipalities.2

In countries where politicians and citizens are considering deploying IT audits on a large scale to diminish the chance of a cyberattack on government web sites, it is useful to see the lessons learned and the challenges experienced in the Netherlands as a result of mandatory IT audits. The insights from the Netherlands may be useful around the world.

What is the DigiD Assessment?

Dutch citizens have access to hundreds of Dutch government web sites and nongovernment web sites by using their personal DigiD logins. In 2014, Dutch citizens authenticated 158 million times with DigiD.3 There are 12 million DigiD users among almost 17 million inhabitants.4 The basic version of the DigiD login in the Netherlands consists of a username and a password of the user's choice.

In recent years, Dutch DigiD web sites have been the victims of large-scale distributed denial-of-service (DDoS) attacks. Dutch government organizations sent out reassuring press releases and made promises for improvements, such as providing a new and improved version of DigiD, eID.5 In 2011, a private company responsible for the security of Dutch government web sites was hacked. As a consequence, the Dutch government advised its citizens not to use government web sites for a few days. As a direct result of the hack, the minister of the interior and kingdom relations announced in early 2012 that all organizations using DigiD must meet a selection of standards for information security.6 Since 2013, all Dutch government organizations using DigiD on their web sites have had to file a mandatory assurance report annually regarding their level of security.7 The full name for the assurance audit is DigiD Information and Communications Technology (ICT) Security Assessments.

The security of DigiD is the responsibility of the Dutch Ministry of the Interior and Kingdom Relations. The ministry assigned the role of supervisor to the public authority organization Logius. Logius communicated more detailed information on the approach, scope and reporting templates related to DigiD audits.8 Logius can also disconnect insecure organizations from the DigiD infrastructure. Logius and the Ministry of the Interior, based on the report, determine “whether or not there is a risk to information security or DigiD.”9 Logius issued the following mandatory requirements for DigiD audits:

  • The review (IT audit) is conducted and signed off by an IT auditor certified as a Registered Electronic Data Processing Auditor (RE) in the Netherlands.
  • The audit covers 28 prescribed and mandatory controls.
  • Each control receives a single conclusion of “satisfies” or “does not satisfy.”
  • The report contains a summary of the audit method for each control.
  • The controls of the DigiD assessment are tested for both design and existence.
  • A penetration test of the web site with access through DigiD is a major and important part of the audit.
  • The outcomes of the penetration test are included in the assurance report.

In 2012, a small number of government organizations (including the national Dutch tax office) that made heavy use of DigiD filed assurance reports. In 2013, almost 600 organizations that used DigiD were required to file a report, including all municipalities.10

After filing the 2013 assurance reports, Logius conducted a follow-up audit for each control with a “does not satisfy” outcome. The follow-up occurred within the first half of 2014. After that, the minister of interior announced that the next 2014 assurance report of the DigiD assessment had to be filed before 1 May 2015. When this article was written, organizations using DigiD were working on addressing the deficiencies detailed in the most recent filing. IT auditors are, again, required to review the outcome of the follow-up activities and report each control separately to Logius.

Lessons Learned in DigiD Assessments

For many Dutch government organizations, DigiD assessments proved to be innovative and intensive ventures. After three years of experience working with the controls, methods and results, there are interesting lessons to be learned from the situation in the Netherlands.

Lesson 1: Surprising Risk-related Complexity
The audits for the DigiD assessment teach a lesson about the complex relationship between humans and the technology behind the DigiD web site. Even parts that seem to have no technical or organizational connection with the DigiD web site carry some relevant security risk. An example is the control that requires older web sites or old web pages of the organization to be removed. The audit of this control shows the information security risk associated with these older sites or information. Strong security on the web site with the DigiD login page can no longer be considered sufficient for preventing risk, because older, less secure web sites can be used to intercept valid DigiD login credentials. These stolen login credentials can then be used to log in on the real, highly secure DigiD web site. Identity theft and reputational risk are involved. These insights make management recognize that interconnected relationships on the Internet present risk for Dutch government organizations. This insight also applies to any country where government organizations offer a growing service portfolio through the Internet.

Lesson 2: Combination Adds Value
A second important lesson in the DigiD assessment audit is the added value of a combined audit. Before the DigiD assessments existed, there was often a separation between a penetration test of the Internet environment and other IT audits. Infrastructure and internal organizational processes were the subjects of separate audits conducted at different times. Moreover, in these separate audits, the specific DigiD Internet environment was not investigated in most cases. The result was that there was no clear picture of the security risk specific to DigiD.

All of these audit areas are brought together and analyzed in relation to each other in the DigiD assessment. The framework of controls for the DigiD assessment requires this comparison. An audit of processes and internal technical infrastructure and a penetration test of software and infrastructure are now conducted together in one audit. This broad approach, the depth of the audit and conducting a single audit are new for many organizations and auditors.

The combined audit approach provides a much more complete picture of the security risk factors related to DigiD.

Lesson 3: A New View on Processes and Responsibilities
The DigiD assessment provides the specific scope and approach for responsibilities and tasks within the organization. The scope for DigiD assessment is defined from Logius’ point of view. This perspective of the DigiD audit is new to the DigiD-using organizations and their service providers. For the first time, the DigiD Internet environment is the start of an audit. It provides a different and interesting look at the underlying processes and parties. The audit clarifies the picture of who is involved in the security of the local DigiD application. Through this approach, the responsibilities and tasks become further clarified with respect to the local DigiD Internet environment and infrastructure.

This lesson and the previous lesson can be valuable for any IT auditor who is designing an audit plan or approach for any Internet environment.

Lesson 4: Mandatory Controls
For IT auditors in the Netherlands, the DigiD assessment has been a training in auditing with a mandatory control framework. In the Netherlands, most IT auditors are familiar with control frameworks that are tested periodically. In most cases, these control frameworks are selected by the auditee or auditor. IT auditors in the Netherlands were relatively unfamiliar with government regulation that prescribes the control wording. IT auditors involved in the audits benefit from a high-quality control framework for an efficient and effective audit. In the case of the DigiD audit, Logius made a selection from the control framework for web application security published by the National Cyber Security Centre (NCSC) in the Netherlands.11 This mandatory control framework saves the time that would otherwise be needed to look for an appropriate framework, but it limits the IT auditor’s scope. A further advantage of the NCSC framework is that every control comes with background information that helps in the interpretation of the short description of the control. The mandatory control framework contributes to standardization and comparability. IT auditors around the world may already be familiar with the efficiency gained through the use of one limited control framework for multiple audits.

Lesson 5: Rule-based Auditing
IT auditors in the Netherlands are used to performing audits using a principle-based approach and primarily consider whether risk is adequately covered. In this approach, an IT auditor uses the control wording as an instrument for analysis and for locating mitigating controls for insufficiently managed risk. In a rule-based approach, the wording of the control is the primary focus. The DigiD assessment approach is mainly a rule-based approach, so for IT auditors with no specific experience in rule-based auditing, the DigiD assessment is an exercise in that approach.

During an informational meeting in mid-2013, Logius indicated that the wording of the control had to be considered the basis for the opinion.12 Moreover, the mandatory report template for reporting the outcome of a DigiD assessment contains only the control wording with a “satisfies” or “does not satisfy” outcome.13

If the auditor does not find what is literally required by the control wording, then the control will be considered “does not satisfy.” Mitigating controls do not count. Also, the wording of the controls in the framework fits a rule-based approach. For a view on the actual risk, however, a rule-based approach is less suitable.

The supervisor has also imposed a strict assessment policy for the auditors involved. A “does not satisfy” for design combined with a “satisfies” in existence results in a “does not satisfy” for the control. This rule-based approach and the strict assessment system may cause a blurred view on the actual risk based on the contents of the assessment report. The IT auditor is required to report on the controls through a compulsory report template.

The lesson applies to IT auditors used to working with a risk-based audit approach and to auditors used to a more rule-based approach.

Challenges for the DigiD Assessment

Both IT auditors and government organizations have a role in overcoming the challenges related to the DigiD assessment.

Challenge 1: More Resources Are Needed
Logius has already announced that there will be a gradual extension of the number of mandatory controls from the NCSC framework that must be audited annually. This means that organizations that use DigiD and their service providers not only have to put effort into improving the “does not satisfy” outcomes, but also have to work on implementing new mandatory controls annually. The auditor has to audit the newly implemented controls annually, which demands more time and money. All parties face these further investments. Stakeholders in other countries with plans to implement compulsory IT audits would do well to consider the impact on the available IT audit resources before any adjustments are made.

Challenge 2: Continuous Improvement Standards
When no improvements are made in the wording of controls, the gradual extension of the number of mandatory controls will have a significant impact on audit resources. This challenge concerns the improvement of individual control wording.

In the process of providing a judgment and working with a rule-based approach, there may be duplications and ambiguities in the control wording. These ambiguities cost time and money due to the extra coordination effort required between the auditor and auditee. The challenge for the parties involved is the reduction of duplications and ambiguities in the current control wording. Logius already collected feedback for improvements on control wording. Logius will send the NCSC the anonymous assurance reports. The NCSC can reassess and enhance control wordings with the information from the reports,14 and the NCSC released a new, improved control framework.15 The provision to collect feedback and use the feedback for fast improvements is an important condition for an efficient implementation in any public sector around the world.

Challenge 3: Standardization
The search for the correct and feasible interpretation of standards is an activity that will require extra time in the first few years after the introduction of a control framework. When the interpretation is chosen, made applicable to the organization under audit, and aligned with the organization and the audit team, this work can be reused in subsequent years. The audit team has the task of documenting this information to facilitate this process. For example, the auditor should keep an underlying file, which also preserves the understanding of the relationships between controls. This leads to deeper insight into the audit object. This insight can be used to audit more efficiently and effectively year after year.

Organizations using DigiD and their service providers work on the efficient preparation and distribution of the necessary evidence for each standard. The traceable implementation of improvements following a “does not satisfy” outcome is also incorporated in the annual effort of the organization using DigiD. In cases where IT auditors face a heavy yearly workload with a recurrent control framework, it can be rewarding to invest in a reusable audit file. This saves time and money in the coming years.

Challenge 4: Knowledge Exchange
The current reporting form, with audit reports printed on paper, prevents essential knowledge exchange. This causes a delay in sharing knowledge with DigiD-using organizations. Moreover, the information in the current mandatory reporting template is limited, which further reduces the possibility of exchanging useful knowledge.

As a first step toward improved knowledge exchange, the public authority organization could start collecting audit information through a web site. A representative of the DigiD-using organization, for example, can select the control rating of “satisfies” or “does not satisfy” on a secure web site and provide general data, such as the service provider, the total number of DigiD authentications in the last year or the audit costs this year. Logius can then have a quick overview of the deficiencies from different points of view. It is then possible to provide the DigiD-using organization with benchmark information on its position relative to other DigiD-using organizations. The benefits for all organizations involved increase with smart use of the available information. Of course, it is important to present every DigiD-using organization with benchmark information that cannot be related back to another organization. In a situation with a lack of resources and a limited control framework, knowledge exchange is important regardless of the audit subject involved.
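The strict scoring rule from Lesson 5 (a control satisfies only when both design and existence satisfy, with no credit for mitigating controls) and the benchmark described here can be made concrete in a few lines. The following is an added example, not Logius' or NCSC's code; the control ids, the sample filings and the minimum comparison-group size used to keep a benchmark figure from being traced back to a single other organization are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SATISFIES = "satisfies"
DOES_NOT_SATISFY = "does not satisfy"


@dataclass(frozen=True)
class ControlResult:
    """Outcome of one mandatory control, tested for design and for existence."""
    control_id: str
    design: bool
    existence: bool

    def outcome(self) -> str:
        # Strict assessment policy: the control "satisfies" only when both
        # design and existence satisfy. Mitigating controls are not considered.
        return SATISFIES if self.design and self.existence else DOES_NOT_SATISFY


def report_lines(results):
    """The report template: one single outcome per control id."""
    return {r.control_id: r.outcome() for r in results}


def follow_up_list(results):
    """Controls the supervisor would follow up on: every 'does not satisfy'."""
    return sorted(r.control_id for r in results if r.outcome() == DOES_NOT_SATISFY)


def benchmark(reports, org, min_peers=5):
    """Position of `org` relative to the other filing organizations, per control.

    `reports` maps organization name -> list of ControlResult. For each control
    the result is (share of *other* organizations that satisfy it, whether `org`
    satisfies it). A control reported by fewer than `min_peers` other
    organizations is suppressed (None) so the figure cannot be related back to
    a single organization. `min_peers` is an assumed small-cell threshold.
    """
    own = report_lines(reports[org])
    peers_ok, peers_total = defaultdict(int), defaultdict(int)
    for name, results in reports.items():
        if name == org:
            continue
        for control_id, outcome in report_lines(results).items():
            peers_total[control_id] += 1
            if outcome == SATISFIES:
                peers_ok[control_id] += 1
    position = {}
    for control_id, outcome in own.items():
        n = peers_total[control_id]
        if n < min_peers:
            position[control_id] = None
        else:
            position[control_id] = (round(peers_ok[control_id] / n, 2), outcome == SATISFIES)
    return position


def _results(*triples):
    return [ControlResult(cid, d, e) for cid, d, e in triples]


# Constructed sample filing: six organizations and three placeholder control ids
# (not the real NCSC numbering). org-A is the organization being benchmarked.
SAMPLE_REPORTS = {
    "org-A": _results(("C-1", True, True), ("C-2", False, True), ("C-3", True, True)),
    "org-B": _results(("C-1", True, True), ("C-2", True, True), ("C-3", True, True)),
    "org-C": _results(("C-1", True, True), ("C-2", True, False), ("C-3", False, True)),
    "org-D": _results(("C-1", True, False), ("C-2", False, False), ("C-3", True, True)),
    "org-E": _results(("C-1", True, True), ("C-2", True, True)),
    "org-F": _results(("C-1", True, True), ("C-2", True, True)),
}

if __name__ == "__main__":
    print("follow-up for org-A:", follow_up_list(SAMPLE_REPORTS["org-A"]))
    print("benchmark for org-A:", benchmark(SAMPLE_REPORTS, "org-A"))
```

Note that org-A's C-2, which satisfies in existence but not in design, still lands on the follow-up list, and that C-3 is suppressed because only three other organizations reported it.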

Challenge 5: Yearly Planning
Many IT auditors are already accustomed to working within the cycle of the financial audit. This financial audit involves roughly the same activities in the same periods of the year. DigiD reporting should take place every year before 1 May, but the audit can be conducted earlier in the year and the report can be submitted between 1 January and 1 May. An earlier delivery to Logius means organizations can begin making improvements sooner. This additional possibility, in comparison to financial audits, provides the opportunity to spread audit work over the year. Thus, it is possible to use the IT audit capability more efficiently. To utilize this advantage, the organization should, at the beginning of the year, make agreements about what activities should take place during the audit period. Without proper planning, the IT auditor may have too much work at the end of the year.

Yearly planning is a challenge every IT auditor knows. The availability of resources and the timing of compulsory filing is an issue that stakeholders in other countries have to take into account.

Challenge 6: Risk-based Measures to Implement
As pointed out earlier, the audit approach for the DigiD assessment is characterized by a rule-based approach. This approach has its advantages, but also has the disadvantage of paying less attention to relevant risk factors. When risk is the starting point for analysis, it is easier to implement efficient and effective security measures. Unfortunately, this opportunity is not utilized within the approach for DigiD audits. This applies not only at the level of the individual organization, but also at the parent-sector level.

Citizens face the risk of theft of their digital identity, and DigiD-using organizations face a reputational risk when identity theft happens on a large scale. There are security controls for DigiD that effectively reduce the risk for citizens and organizations. An example is the stricter requirements for DigiD passwords, which were introduced in 2014.16 A further possibility is to encourage the use of mid-level security for DigiD logins. This is a higher security level compared to the level of “basic.” In addition to the username and password required for the basic level, mid-level security requires a verification code. This verification code is sent via Short Message Service (SMS) to the mobile number associated with a citizen’s DigiD account.17 This additional security requires extra effort from the citizen and the DigiD-using organization. Citizens should be encouraged to provide their mobile phone number and indicate a desire to use SMS verification codes in their personal DigiD settings. The DigiD-using organization will have to encourage citizens to log on with the use of an SMS verification code. The risk-managing possibilities of this additional security are not part of the controls in the current framework for the DigiD assessment. However, this higher security level is important in reducing the risk mentioned previously. If DigiD-using organizations ask citizens to log in with this mid-level security, the organization reduces the risk of identity fraud. Attackers who have captured DigiD usernames and passwords cannot do much without the single-transaction verification code on the mobile phone of the DigiD user. For government organizations, this additional step means a reduced risk of reputational damage. This line of reasoning, based on the security resources currently available, supports the need to take more action based on sector-wide risk analysis. The inclusion of a risk-based approach at the sector level is an important step to implement for an efficient and effective approach in fighting cyberattacks on government web sites.

Key Takeaways From Lessons Learned in the Netherlands

New developments in the Netherlands, such as the DigiD security audit, are a rich ground for new experiences from which the IT audit profession advances forward. Useful knowledge can be applied elsewhere in similar initiatives around the world. The general insights from the Netherlands experience are:

  • The auditor and auditee were surprised about the interconnected relationships of DigiD web sites. No one individual who had designed this intentionally could be identified. This interconnectivity grew as a result of internal and external influences.
  • When different perspectives are combined in one IT audit and performed at the same time, this can result in a lot of work. However, it provides auditors and management an innovative overview of real security risk.
  • A set of mandatory controls and a rule-based audit approach add to standardization, but do not forget that the quality of the control framework must be high. Moreover, it is very efficient to design a feedback process for the control framework from the start.
  • A risk-based approach may not seem like the most efficient approach, but be aware of the built-in blind spot when risk is left out of the picture.
  • Local audit teams have to allocate enough resources to find an acceptable interpretation of a control and to build a highly reusable audit file.
  • A local audit effort for a DigiD web site of an individual organization must be based on a sector-wide risk analysis. This is a smart move to use for other local audits to be sure that across every level of the sector, people work on the most efficient and effective security measures.
  • A sector-wide audit undertaking has a broad impact on the available IT audit resources in general. Before implementing these mandatory IT audits, start a sector-wide training program to have sufficient IT audit resources available on time.
  • The demand for IT audit resources does not have to collide with the yearly cycle of the financial audit. The supervisor and stakeholders must indicate a reasonable time period to file reports and set a deadline.

Editor’s Note

This article is an updated and revised version of an article that was previously published in the Dutch magazine IT Auditor on 21 August 2014, http://www.deitauditor.nl/informatiebeveiliging/lessen-en-verbeteringen-rond-het-digid-assessment/.

Endnotes

1 “Canadian Government Websites Go Dark After ‘Cyber Attack,’” BBC News, 17 June 2015, http://www.bbc.com/news/world-us-canada-33170534
2 House of Representatives of the Netherlands, Parliamentary year 2014–15, 26 643, no. 340, Netherlands, 19 December 2014, http://zoek.officielebekendmakingen.nl/kst-26643-340.html
3 The Minister of the Interior and Kingdom Relations, Letter 2015-0000103908 to the House of Representatives of the Netherlands, 24 February 2015
4 Rijksoverheid, “DigiD verbreekt meerdere records tijdens digistorm” (DigiD Breaks Multiple Records During Digistorm), press release, 4 April 2015
5 House of Representatives of the Netherlands, Parliamentary year 2013–14, 26 643, no. 299, 19 December 2013, http://zoek.officielebekendmakingen.nl/kst-26643-299.html
6 The Minister of the Interior and Kingdom Relations, Letter 2012-0000057362 to the House of Representatives of the Netherlands, 2 February 2012
7 The Minister of the Interior and Kingdom Relations, Letter 2012-2014-0000350206 to the House of Representatives of the Netherlands, 9 July 2014
8 “ICT-beveiligingsassessments” (ICT Security Assessments), Logius web site
9 Answer to the question “Wat moet Logius ontvangen ICT-beveiligingsassessments,” Logius
10 House of Representatives of the Netherlands, Parliamentary year 2014–15, 26 643, no. 323, Netherlands, http://zoek.officielebekendmakingen.nl/kst-26643-323.html
11 Nationaal Cyber Security Centrum, ICT-Beveiligingsrichtlijnen voor Webapplicaties, 1 February 2012, www.ncsc.nl/actueel/whitepapers/ict-beveiligingsrichtlijnen-voor-webapplicaties.html
12 Norea, “Bijeenkomst IT Auditors Over DigiD-assessments” (Meeting IT-auditors on DigiD Assessments), De beroepsorganisatie van IT-auditors in Nederland, 19 April 2013, www.norea.nl/Norea/Actueel/Nieuws/Bijeenkomst+DigiD.aspx
13 Template available at www.logius.nl
14 Op cit, Norea
15 Op cit, Nationaal Cyber Security Centrum
16 “Strengere eisen voor DigiD-wachtwoord,” NU, 20 May 2014, www.nu.nl/tech/3780183/strengere-eisen-digid-wachtwoord.html
17 “Detailinformatie” (Detailed Information), Logius, www.logius.nl/diensten/digid/detailinformatie/

Jeroen van Lewe, CISA, CEH, CIA, ECSA, has almost two decades of experience in IT. He started his career in the Netherlands as a software quality consultant for a major IT company. He has more than 10 years of experience in IT audit and eight years of experience in penetration testing and the review of penetration testing reports. He worked at a global financial services provider before starting his current job with the Dutch national government. He worked on several DigiD audits for various organizations over the last three years. He wrote this article in a personal capacity. He can be reached at j_van_lewe@hotmail.com.