Existing frameworks that reduce cyberrisk
Perimeter-oriented and compliance-based security strategies are increasingly failing to keep up with information security risk. Skilled intruders can get into and out of these systems leaving little evidence of their presence beyond the damage they have done. We must therefore examine the tactics a firm can use to prevent such intrusions.
In September 2013, the professional services firm PricewaterhouseCoopers (PwC) published its Global State of Information Security Survey, which reported that information security risk factors had grown substantially in both number and complexity. The PwC survey supports the view that firms must define a security strategy that identifies, among other things, their adversaries, their assets, and the threats to those assets.
Two information security standards have been published and may be appropriate for your firm. The first is ISO 27001, Information security management systems, which sets out independently certifiable specifications that organizations can use to manage information security. Its companion, ISO 27002, Information technology—Security techniques—Code of practice for information security controls, encapsulates 39 control objectives; these classify information assets by availability, confidentiality, and integrity. The control objectives are then translated into specific controls, the choice of which is left to the organization’s discretion.
Another resource is the US National Institute of Standards and Technology’s (NIST) Recommended Security Controls for Federal Information Systems and Organizations, SP 800-53, a document that delineates 198 security controls, categorized into three classes and eighteen families and mapped to ISO 27001. SP 800-53 also describes three security baselines, for low-, moderate-, and high-impact Information Technology (IT) systems, which provide risk-based security standards for whatever asset categorizations have been generated.
In February 2013, to protect the capacity of crucial US infrastructure with national and economic security in mind, President Barack Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The order charged NIST with coordinating with stakeholders to construct a framework of standards, guidelines, and best practices for reducing cyberrisk, to be adopted voluntarily by organizations.
NIST’s initial framework was published on February 12, 2014 and proved to be flexible, repeatable, prioritized, and cost-effective for owners and operators seeking to reduce their cyberrisk.
Internal vs. External auditing
Certified public accountants (CPAs) audit financial statements and, in particular instances, must be granted access through security channels to do so; these audits usually do not assess network security and risk. Internal IT audits, on the other hand, do make those assessments. A Certified Information Systems Auditor (CISA) takes internal security into account in their work, administering ISACA’s IS Auditing Procedure P8, Security Assessment—Penetration Testing and Vulnerability Analysis (P8).
Internal audits provide independent assessments of the controls that are in place and those that are still needed, equipping audit boards and committees with the information they need to direct security practices against the digital and human threats that plague the cyberverse.
These threats are not only many and ever-present; they are ever-adapting. An organization’s capabilities must likewise be repeatedly re-evaluated by its audit boards and committees. Risk assessment and strategy formation need to take a key role in internal auditing. To begin, a cyberrisk assessment must be administered; it provides a succinct layout of risk-oriented analyses, which an audit board and/or committee then uses to construct a multiyear internal audit plan.
Cyber-defense in a business can be viewed as a multi-tier system of staff. In the first tier, IT units are the day-to-day agents and executors of security practices, review, and detection; they have the most hands-on experience with network security. The second tier, higher management, determines network security policy and has the greater breadth of control and oversight over security operations, which allows it to provide vital recommendations to the third tier, the audit board.
This approach has taken a growing role in company cyber-defense. As executive boards face increasing financial and legal scrutiny, internal audit has played an equally increasing role in keeping business honest, efficient, and profitable for stakeholders. The auditors must assure themselves that their company functions properly and report their findings to the responsible parties.
Cybersecurity assessment procedure for internal auditors
Internal audit professionals will need to keep in mind three concepts when constructing and administering their assessments of network security:
- Choose your teams wisely. Not all professionals have the depth or variety of skills and experience to tackle cybersecurity. Risk-oriented, technically-oriented, and tactically-oriented minds must align to form the super-soldiers in your war on cyber-threats.
- Don’t limit your approach. Take into account the larger frameworks, take a broad overview, and build a fuller understanding of your current security layout. Evaluate the characteristics, upper and lower limits, and advancement pathways of practices in your industry sector.
- Evaluate and re-evaluate. Your work is only finished when your organization is finished, so let each assessment dictate the next. Some situations require more attention than others, and some avenues will go undiscovered without careful analysis. Deep-dive reviews are your friend; they make sure no base goes uncovered.