Internal audits’ cybersecurity role
Internal audits play a critical role in providing an independent perspective of your cybersecurity program during this period of change and adaptation. It’s clear that changes in IT and cybersecurity practices are here for the long term, so assessing and identifying gaps early in these new processes and controls is crucial.
Start by checking how well your risks are aligned with your cybersecurity program to drive consistent risk and compliance objectives. Evaluate emerging cybersecurity risks defined through the enterprise risk assessment and the factors driving the increase and acceleration of these risks. Then determine if changes in processes and controls are keeping pace. One option to expand the reach of internal audits is to facilitate risk and control self-assessments based on cybersecurity risk factors for selected business units. These self-assessments can then inform where you invest your internal audit resources for deeper-dive cybersecurity audits.
Next, review your operating model against regulatory mandates and frameworks. Understand if your cybersecurity practices are aligned with organizational priorities and applicable regulations. For example, if you are a health care company, is the Health Insurance Portability and Accountability Act adequately addressed in the new remote workforce model? If you are a bank, are your IT compliance practices adequate enough to meet the Federal Financial Institutions Examination Council IT Handbook and Cybersecurity Assessment Tool requirements? Do you have standardized controls around cybersecurity, and is ownership and accountability established through appropriately allocated roles and responsibilities? Is there enough independence across all three lines of defense?
With regulatory requirements and leading frameworks as your baseline, review your technology landscape to assess significant technology changes and the impact of these changes on your cybersecurity risk posture. As existing technologies are expanded or new tools are added (e.g., artificial intelligence efforts or cloud implementations), you should ensure that adequate controls are in place. Identify and prioritize risks associated with any outdated or legacy platforms.
Ensure effective reporting of cybersecurity issues to both management and your board by aligning reporting to a consistent framework based on a comprehensive review of your organization’s cybersecurity risks. Consider using regulatory and leading practice frameworks to baseline and show changes in your organization’s overall cybersecurity health.
Adapt cybersecurity efforts to unique COVID-19 challenges
COVID-19 has likely forced your organization to accelerate new technologies and adopt new processes to enable a remote work environment and otherwise adjust to doing business during a pandemic. Be sure to consider the following in your cybersecurity audits:
- The need for increased training on security awareness across your organization. This training should keep employees up to date on emerging cyberthreats by increasing awareness on phishing, remote access security and acceptable use policies. Executives and privileged users should receive training tailored to their unique risk profiles.
- Monitoring of increased web activity and the blurring of lines between personal and professional use of your networks and tools. Fraud and insider threat activity is generally on the rise during recessions. Given today’s fluid workplace, it is especially important to track irregular behavior.
- Limiting access within your systems to only those tools that staff need to perform assigned responsibilities. Monitor high levels of activity by privileged users and monitor violations of the principle of least privilege.
- Address the risks associated with increased use of web-based conferencing tools, such as Zoom and Microsoft Teams, as well as guidelines for the use of interconnected devices, such as Google Home, Alexa and others. Review policies and minimum-security configuration requirements for these tools to ensure they have been strengthened to respond to exponentially increased use.
- Manage your data protection and privacy regulation risks. If you are affected by relaxed regulations due to contact tracing requirements, be sure these are appropriately tied into your overall data privacy and data protection program. Additionally, monitor data sharing through cloud-based collaboration platforms.
Audit scope alternatives to consider now
Depending on your organization’s risk profile, you may want to consider alternative audits addressing cybersecurity exposure, including privacy concerns, remote workforce issues and overall cyber resiliency. Consider the following examples:
- Find out what you don’t know. The cyberthreat landscape has always been fluid, but during the COVID-19 crises, threats have been emerging at an incredible pace due to companies’ rapid adoption of new processes and technologies. Leverage defined cyber frameworks to re-evaluate your new cybersecurity landscape and learn about new risks and their impact on your organization.
- Secure your remote workforce. The unprecedented speed and scope with which most organizations have had to expand their remote workforces requires new monitoring resources to protect data and mitigate insider threats. Review your practices to make sure you are enforcing technology controls for website monitoring, user behavior analytics and insider threat identification. Enhance technological controls such as data loss prevention to stop unintended data leakage.
- Improve your cyber resiliency. Make sure your cyber resiliency plans have kept pace with the threat environment. A compromised system can quickly impact your entire corporate network. Your governance, risk and compliance controls must be ready to minimize the impact and speed the repair of any breach. Identify business-critical operations and crown-jewel services and be sure you have appropriate and effective resiliency plans in the event of an interruption.
As you consider changes to your audit scope, be sure to consider the value proposition as well. What benefits will the change provide? What costs might it reduce? Potential benefits include:
- Better visibility into your cyber and privacy risk landscapes through tailored assessments
- Rapid risk assessments to help you quickly and accurately identify high risk priorities
- Safeguarding against data leakage over insecure external networks through data protection solutions
- Improving cyber resiliency by increasing automation
Cost reductions are also part of the equation:
- Reducing potential audit expenses associated with noncompliance with security and privacy regulations
- Managing brand and reputational risk associated with insider threats and data loss
- Maximizing throughput through technology monitoring solutions
- Reducing the costs stemming from manual operations, duplicated efforts and inconsistent reporting
Rapid risk assessment
- By leveraging a defined cyber framework, such as those provided by the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) or the International Organization for Standardization (ISO), you can gain a holistic view of your organization’s risk and maturity posture and develop a strategic roadmap to address maturity gaps. Consider this example:
Phase one - Planning and initiation
- Confirm the cyber domains’ in-scope and assessment framework being leveraged (e.g., NIST CSF, ISO 27001/2, etc.,)
- Develop a project plan and prepare logistics for the assessment
- Conduct kick-off meeting and circulate document request list
- Audit plan and work papers based on assessment framework
- Kick-off deck and project plan
- Document and evidence request list
Phase two - Program assessment
- Interview management and operational stakeholders to understand the control posture
- Assess readiness against the framework requirements
- Define potential future state design and corresponding gap analysis
- Evaluate and measure cyber risk maturity levels based on the results of the current state assessment
- Define cybersecurity risks and related vulnerabilities
- Current and desired future state captured in the framework assessment
- Ranked cybersecurity risks/vulnerabilities
- Current and targeted maturity model
Phase three - Reporting
- Evaluate and prioritize remediation plans with key stakeholders based on the risk priorities
- Develop a detailed cybersecurity assessment report highlighting gaps, risks, and remediation recommendations
- Develop an executive report
- Socialize deliverables with key stakeholders and finalize deliverables
- Cyber risk and maturity assessment
- Strategic roadmap
- Executive and board-level reporting
Of course, the right model will be based on your organization’s specific risks and circumstances. In the end, you must match your audit approach and maturity criteria with your organization’s strategic and operational objectives, risk intelligence and capabilities, as well as your industry regulatory requirements and leading practices. By adapting your internal audit scope, approach and testing methodology in a time when cybersecurity threats are changing and accelerating, your internal audit team can help ensure you’re both protecting and enhancing your organization’s value.