As the business benefits from technology grow rapidly, so do related risks.
The ability to communicate and interact with remote stakeholders seamlessly requires points of entry into the enterprises network that would otherwise not be present. Such entries could result in vulnerabilities for organizations that should be identified and assessed. In like manner, the identification and assessment of threats that could potentially exploit such vulnerabilities is also necessary. Once there has been sufficient analysis of the potential risks, the enterprise must decide how to respond to them.
Business leaders have a heightened awareness of the existence of cyber risks due to frequent news reports of attacks affecting all sectors, including the government. Thus, we are starting to see significant investments in countermeasures designed to respond and mitigate risks to protect the assets of the enterprise.
The real question is, are the investments appropriate. Studies show most boards of directors and senior management are not educated enough in cyber security to make sound business decisions in this area. However, in most organizations, these are the individuals with the authority to make decisions when it comes to a significant investment in resources. A main goal of most enterprises is to make money and reduce costs. Therefore, the natural question is what will be the return on investment. This is where the audit professional comes in, which includes the audit committee of the board of directors. It is the role of audit to educate those responsible for the protection of the company’s assets on the need for effective and efficient cybersecurity controls.
It is important to note it is management that bears the responsibility of implementing controls to protect the assets of the enterprise. Audit is responsible for determining if controls are in place and whether the controls’ design will be effective in mitigating the risks associated with the asset. Of course, the ultimate goal is to prevent an attack or breach from occurring. Common controls implemented in an effort to prevent this includes authentication techniques such as passwords or biometric technology.
An auditor evaluating such controls usually determines if a password management policy exists and if there is required password syntax in place, as well as periodic password changes and automatic account lockouts after a pre-determined number of failed login attempts. Firewalls also are common. The existence, type and placement of a firewall in a corporate network is important when evaluating these controls. The auditor will also spend some time with the firewall administrator to understand the firewall rules and if they are based on an overall firewall policy. These are just two of many possible controls that may be in place to prevent attacks.
However, controls, as we know, can be circumvented, which is why there are preventative, detective and corrective controls. The hope is management has done a good job in implementing effective and efficient controls in each of these areas.
Ultimately, the audit professional produces a report reflecting its opinion of the effectiveness of the control environment based on the objective and scope of the audit. It is also common for the auditor to provide recommendations regarding how to improve the controls to better protect assets. It is important for auditors to also be proficient in articulating the potential consequences of ineffective controls and the impact it has on the assets of the organization.
Editor’s note: ISACA has produced a new white paper on auditing cyber security.
ISACA also created a cyber security audit program based on the NIST Cybersecurity Framework that contains detailed controls and testing steps.
Paul Phillips, Technical Research Manager, ISACA
[ISACA Now Blog]