New NIST-Based Audit/Assurance Program Validates Cyber Controls

We live and work in a high-tech, interconnected world that is seeing increases in the volume and sophistication of cyberattacks. In order to function safely in this technology-driven, digital world, we must have strong cybersecurity controls. But how do we know if we have the right controls or if our controls are functioning as planned?

Because of the need for audit and assurance programs and processes around cybersecurity, ISACA has developed a new IS audit/assurance program, Cybersecurity: Based on the NIST Cybersecurity Framework. The goal of this program is to provide organizations with a formal, repeatable way to validate cybersecurity controls.

The program follows the NIST Cybersecurity Framework and is organised around its five core Functions. The process sub-areas listed under each Function are the Framework's Categories; the subcategories beneath them are what the program actually tests:

  1. Identify – Determine whether the systems, assets, data and capabilities critical to cybersecurity have been identified and are understood by the organization. Process sub-areas include asset management, business environment, governance, risk assessment and risk management strategy.
  2. Protect – Review the cybersecurity safeguards designed to limit the impact of potential events. Process sub-areas include access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
  3. Detect – Assess the activities designed to identify the occurrence of cybersecurity events. Process sub-areas include anomalies and events, security continuous monitoring and detection processes.
  4. Respond – Evaluate the action plans to be carried out once a security event is known. Process sub-areas include response planning, communications, analysis, mitigation and improvements.
  5. Recover – Analyze the plans for resilience and for the timely restoration of capabilities and services impaired by an event. Process sub-areas include recovery planning, improvements and communications.

The program is delivered as a Microsoft Excel workbook with columns in which users define the controls to be tested, record the test frequency and results, and add references and comments. Testing steps are provided for each NIST Cybersecurity Framework subcategory; these subcategories are labelled “Controls” in the program.

In addition, each control is cross-referenced to COBIT 5 and ISO/IEC 27001:2013, making it easier for professionals to integrate the program into existing frameworks and audit programs.

Editor’s note: To download the Cybersecurity: Based on the NIST Cybersecurity Framework audit/assurance program, visit: www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cybersecurity-Based-on-the-NIST-Cybersecurity-Framework.aspx.

ISACA also is offering a one-day workshop entitled “Cybersecurity for Auditors” immediately following the 2017 North America CACS conference in Las Vegas, Nevada. For more information and to register, visit: www.isaca.org/Education/Conferences/Pages/North-America-CACS-Presentations-and-Descriptions.aspx#ws7.

Russell Horn, CISA, CRISC, CISSP, President, CoNetrix

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in the ICT/cybersecurity industry across various sectors and positions.
