So I have seen Rogue 1, the latest instalment of the Star Wars franchise. It’s really Star Wars episode 3.5 as it is the period immediately prior to the original 1977 Star Wars film. Of course, whilst enjoying the film, as any self-respecting CAE will report, the main concern is, if I was head of internal audit in this context, would I have done any better?
I have to say I think the Empire’s internal audit function did a lot better than the First Order’s Auditing a Galactic Empire *spoiler alert* So the story is about how the rebel alliance got hold of the DeathStar’s plans, that they used to such good effect in Star Wars.
The DeathStar’s data was not leaked by the disaffected DeathStar scientist Galen Erso. The best he was able to do was to find a single Empire freighter pilot to send a message that there was a weakness in the DeathStar’s plans and construction that could be exploited if the plans could be obtained. This suggests to me that, although the Empire knew Erso was an unwilling and untrustworthy employee (they had no choice to employ him as they needed his expertise), they did put good data controls in place. Remember this is in the future, there must be many ways to communicate data secretly. I am not sure why not controls and QA of the designs was not put in place though. Surely a fatal flaw would be something to check from a disgruntled employee? Perhaps it was too technical? Although it did not seem to need collusion from the other scientists – which seems to be their view (although they got shot anyway).
It also seems that the Empire was onto the disloyal and lost freighter pilot who had the message for his daughter and the rebel alliance. So I would be fairly comfortable that HR establishment controls were up to snuff. After all there must be millions of pilots and staff working in the Empire across the Galaxy.
So this is all good. Excellent internal control and a happy head of Empire internal audit. Then things seem to go wrong. First it’s not that difficult to identify where the secret plans were held. Everyone seems to know the Empire has a single archive (which appears to be a single point of failure itself, as no backup is mentioned). This archive is held on Scarif which has a reasonable set of protective and detective controls (a shield around the planet, controlled entry, lots of guns to protect it).
But once again it is lax implementation of operational control that allows the rebels in – a simple no recoding of entry codes on the Empire freighter the rebels stole. They seem to get landing rights and a very small welcoming party. How often as a CAE do we see that the weakness of business critical control is down in the weeds? Why was the freighter’s codes not invalidated automatically when they knew it was stolen? If they did not know it was stolen how can the refresh of the codes be so far apart and not more frequently and automatically updated?
Access controls also fall apart once in the building holding the archive. A single droid with access (again a stolen Empire asset without access removed) is able to identify the location of top secret data. How? Why? Where was the monitoring? Why did this not trigger a lockdown.
It seems that the Rebel’s plans were only picked up by very senior people (the Peter Cushing look alike) and Darth Vader. I have seen it said that the force is a the control, but as auditors we should not be Jedi auditors and rely on the force. If I can’t see it, taste it, smell it, hear it, or touch it, ‘it’ doesn’t exist.
The data was able to be simply removed on a card from the tower of server data. I would have though the data would be virtualised and not be in one physical part of the server. Also to have an ability to open the relevant data storage card seems odd too.
Finally the data was able to be transmitted using their main transmitter, despite the base being on lockdown! How? Why are external comms or removal of the data at that scale able to be done? – this was an archive surely?
So I can see a lessons learned exercise being conducted by me as a the Evil Empire’s CAE. I am not sure I would conclude that controls were inadequate, though a full review of the debacle of the then now destroyed Empire archive I think would be needed. So would I have done any better as the CAE? I think the data archive bit would have been better to be honest. So overall, a ‘generally conforms’ for me to the CAE of the Evil Empire, but not fully compliant!