Auditors Need To Know About Cyber Security

Uploaded on 2017-02-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial, TECHNOLOGY--Resilience

We live in an age when social media, mobile devices and the Internet of things (IoT) dictate how we access, manage and communicate information. 

This technology is constantly changing and relatively complex in nature. Thus, it is essential that enterprises have a fully functional and effective information security program.

 

The responsibility to ensure such a program is properly implemented resides with senior management.

These overall objectives should be supported by safeguards known as controls, which are put in place to mitigate the risks associated with the use of the technology. If the controls are operating effectively and efficiently, the potential for loss and harm to enterprises assets should be reduced to an acceptable level. The question is who and/or what makes the determination of the effectiveness and efficiency of the controls.

This is where Auditors Come In

Their role is to review and perform tests to ultimately provide a level of assurance to management and the board of directors that the controls in place are appropriate, are in fact operating and are meeting the intended objectives. In many cases, this job function is relatively straightforward.

However, many would argue that when it comes to cyber security technology, although the auditor’s role doesn’t change, the complexity of the audit does.

Auditors have an obligation to educate themselves on this powerful and evolving technology, and there is much to learn.

Below are 10 things an auditor needs to know about cyber security. This list is not all-encompassing, nor is it ranked in any order.

  1. Everything is connected to everything. The primary function and objective of any cyber device is connectivity. Devices are like climbers roped together on the side of a mountain, if one falls, it can bring down anything connected to it. The Target hack (through an HVAC supplier connection) clearly demonstrates the need for a holistic cyber security view. With the arrival of the Internet of Things, it’s imperative that auditors understand and address the bigger picture.
  2. All risks are subjective. To qualify as a “risk,” a threat needs to be associated with a vulnerability that, if exploited, could negatively impact an information asset. If it does not, it is not a threat. Too many auditors worry about threats and vulnerabilities that pose no actual risk to an asset, prioritising compliance over risk and wasting precious time and resources.
  3.  Users are (and will always be) the biggest security risk. Our industry is led by vendors, and we continue to seek security through products (firewalls, IDS/IPS, DLP, etc.). We invest in product before people while real and measurable results can be achieved by investing in information security awareness. To contribute tangible results, auditors should prioritise people over product. Cyber security education is the silver bullet.
  4. Leverage existing frameworks/guidelines. Auditors should consider mapping of the NIST “Framework for Improving Critical Infrastructure Cybersecurity” to ISO 27001:2013 controls and COBIT 5 to reduce the scope of the audit, making the audit more manageable.
  5. Consider forthcoming legislation. Auditors should study how forthcoming and existing legislation like General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI-DSS) could potentially be incorporated into cyber security programs. Also, auditors need to understand the global regulatory environment and the differences that can exist between different geographic regions.
  6. Basic information security controls still hold true. As part of overall security (including cyber security), these controls provide a valid baseline of security controls that help create in-depth security, such as physical and logical access controls and application of “principle of least privilege.”
  7. Utilize a cyber incident response policy and plan that is fully tested. Auditors need to assess whether a proper crisis management and communication plan is in place, clearly communicated and tested as appropriate. This should enable sufficient business continuity in the event of a cyber security breach. Crisis management should include incident response and forensics, where warranted. Proactive monitoring and detection (with automated tools) should be in place.
  8. Cyber security strategy needs to be agile, the landscape is “mutating.” Strategy needs to be adaptable and scalable to handle new attack methods, such as ransomware and cloud-related risks. Auditors need to be aware that this is an area that is constantly changing and must not assume that what currently keeps your IT environment secure will continue to remain secure indefinitely.
  9. Cyber security awareness depends on the right training. Employees need sufficient and timely education and training to help combat ever-changing cyber security threat. Security needs to be interwoven into the fabric on an organization.  One-off, box-checking exercises are not sufficient. For example:
  • Do employees understand the implications of a cyber security breach?
  • Has any thought been given to insider threats from a cyber security perspective?
  • Is there clear guidance on the use of social media/shadow IT solutions/BYOD/how to respond to a phishing or ransomware attack?
  • Are employees rewarded/praised for promoting security in an organisation? Are they incentivised?

​​10. Be aware of credential theft techniques. Auditors should have knowledge of credential theft attack techniques. Typically, the Pass-the-Hash (PtH) attack and other credential theft attacks utilize an iterative, two-stage process. First, an attacker captures account logon credentials on one computer, and then uses those captured credentials to authenticate to other computers over the network.

Information-Management:      Special Report: CEOs And IT Innovation (£)

Cybersecurity Due Diligence Is Critical:

 

« Action Fraud: Social Media Used to Steal Charity Donations
Italian Brother & Sister Cyber Spies Arrested »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Fuel Recruitment

Fuel Recruitment

Fuel Recruitment is a specialist recruitment company for the IT, Telecoms, Engineering, Consulting and Marketing industries.

National Security Agency (NSA)

National Security Agency (NSA)

NSA is a US intel agency responsible for the protection of government communications and information systems against penetration and network warfare.

Silverfort

Silverfort

Silverfort introduces the first security platform enabling adaptive authentication and identity theft prevention for sensitive user, device and resource throughout the entire organization.

CLDigital

CLDigital

CLDigital's no-code risk and resilience platform, CL360, provides leaders with risk and resilience data to make strategic and tactical continuity decisions.

Inky Technology Corp

Inky Technology Corp

Inky® Phish Fence is an email protection gateway that uses sophisticated AI, machine learning and computer vision algorithms to block deep sea phishing attacks that get through every other system.

CRYPTTECH

CRYPTTECH

CRYPTTECH specializes in Information Security and Intelligence, Risk Evaluation and Vulnerability Recognition against Cyber-Attacks and APTs.

Cycuity

Cycuity

Cycuity (formerly Tortuga Logic) is a cybersecurity company that is transforming the way we secure silicon with comprehensive hardware security assurance.

Dataships

Dataships

We help companies automate their privacy compliance while building healthy, transparent data relationships with their customers.

SafetyDetectives

SafetyDetectives

SafetyDetectives mission is to give our readers accurate and valuable information so they can make informed decisions about staying safe, secure and protected on the internet.

Celera Networks

Celera Networks

Celera Networks is a managed services provider specializing in cybersecurity, cloud and managed IT services.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Advent One

Advent One

Advent One are recognised for solving intricate dilemmas, not only making technology work but building foundations that customers can grow upon in an effective and secure way.

Buchanan Technologies

Buchanan Technologies

Buchanan Technologies is a leading IT consulting and outsourcing services firm. Our methodology transforms everyday technology investments into streamlined, secure and scalable solutions.

UM6P Ventures

UM6P Ventures

UM6P Ventures is an African based early-stage ventures firm operating two funds; a Digital Transformation fund and a Deeptech Ventures fund.

Focus Digitech

Focus Digitech

Focus Digitech helps you with your digital transformation journey with our main core offerings of Cloud, Cybersecurity, Analytics and DevOps.

Radix Technologies

Radix Technologies

Radix offer end-to-end device management solutions, consolidating all the organization devices, processes and stakeholders into one easy-to-use management platform.