Independent review and examination of an organization's cybersecurity to improve its safeguards and reduce cyber risk.
Organizations are under increasing pressure to demonstrate the effectiveness of their cyber security. Investors, regulatory bodies or customers may want to see cyber security assessment reports, while internally there is a need to prove due diligence in proactively mitigating risks.
Cyber(security) audits may be performed by national regulators and their partners, such as certified accountants, the governmental cybersecurity agency, or the governmental data privacy agency.
Corporate internal auditors are increasingly involved in cybersecurity matters, verifying the implementation and effectiveness of technical, physical and governance security controls. They are sometimes replaced or complemented by external auditors, who generally have more technical skill but less understanding of the corporate culture and its particularities.
External consultants nonetheless remain the most in demand for the day-to-day audits commissioned by the CIO or CISO.
What is a Cyber Security Audit?
A cyber security audit is used to assess and evaluate a company’s IT ecosystem. It discloses dangers and vulnerabilities, pointing out weaknesses and high-risk procedures. If a company is non-compliant with EU GDPR (General Data Protection Regulation) or Asian PDPA (Personal Data Protection Act) privacy regulations, for example, the penalties for a data breach may be severe. An organisation may be able to reduce the repercussions of a data breach by performing a cyber security audit, which demonstrates that it has taken the necessary precautions to safeguard customer and company information.
The security audit process can be outlined by looking at the various aspects of information security. External and internal experts at an institution maintain and inspect information security in order to keep it adequate and effective. The institution has various security controls to maintain and enforce. The unspoken philosophy behind a security audit is that hardware damage is replaceable and software damage is fixable, but data damage is permanent. Alongside health and safety, data security is therefore emphasized during an IT-focused examination.
To maintain data security, an organisation should install and maintain security measures that prevent unauthorized external access. There are two primary concepts in data security: application security and segregation of duties. In many ways, segregation of duties and application security are connected and have the same goal: to protect the integrity of a company’s data and prevent fraud. It is important to prevent unauthorized access to hardware and software through both physical and electronic security measures. For segregation of duties, the key is to physically inspect individuals’ access to systems and procedures and to ensure that every individual has the proper security clearance.
For organisations that have not yet documented their internal and external risks, vulnerabilities, and threat exposure, cyber security audits are a valuable tool. It is also applicable to businesses that have expanded and implemented various security controls, but are overwhelmed by the volume of data being processed in daily communications as a result.
What are the different types of audit?
According to Richard A. Goodman and Michael W. Lawless, authors of the reference paper “Technology and Strategy: Conceptual Models and Diagnostics” (Oxford Press), a technological audit can be performed using three specific systematic approaches:
- Technological innovation process audit: The audit evaluates the firm’s experience in its preferred technologies and the industries in which it operates, the structure of each project, and the organisation and structure of the section of the industry that addresses this product or service, in order to determine the company’s risk profile.
- Innovative comparison audit: The audit is an examination of the firm’s innovation capacity in relation to its rivals. In addition to assessing the firm’s R&D facilities and its record of introducing new products, this assessment looks at whether the firm remains capable of introducing new products.
- Technological position audit: The technology audit reviews the technologies that the business currently has and those that it requires. It categorizes technologies as “base”, “key”, “pacing”, and “emerging”.
Information security audits can also be differentiated by the scope they review: systems and applications, information processing, systems development, management of IT and enterprise architecture, computer networks and web infrastructures. The scoping approach is more process-centric, whereas the systematic approach is more strategy-focused.
Cyber Audit, Vulnerability Assessment and Penetration Testing
Beyond security audits and vulnerability assessments, penetration testing attempts to breach your system just like an intruder. A security expert will attempt to replicate the same methods employed by malicious actors to see if a particular scope of the IT infrastructure can withstand a similar attack.
Red teaming is more complex than penetration testing, takes longer, and thoroughly tests the organization’s response capabilities and security measures. Because they are objective-oriented, red team assessments tend to be more thorough than penetration tests that focus on a particular application or network segment.
An audit is a measurement of how well an organization is meeting a set of external standards, whereas an assessment is an internal check. A security assessment is an internal check that takes place prior to, and in preparation for, a security audit.
How to Master Cyber Audit
A cybersecurity audit lets an organization understand how well its technologies, policies, and people work together to reduce risks from cyberattacks. It is the only way to know that an organization can meet the challenge of the modern cyber threat landscape.
#1 - Routinely run trial audits
The Risk Officer, Compliance Officer or Cybersecurity Officer can run routine audits, independently or together, to prepare proactively for the real one. They assess the company’s current technological maturity level, focusing on the minimum security requirements: organizational and personnel security, cyber asset management, physical and environmental security, governance and compliance, IT systems development and maintenance, IT security incident management, disaster recovery and business continuity management, and anticipation and management of risks.
#2 - Be data-centric
An auditor should use the information gathered during previous audits or during audit preparation to determine the best strategy. Planning a company’s audit in advance helps the auditor gather the necessary and appropriate evidence for each situation. This data-centric approach helps the auditor predict audit costs, assign the appropriate manpower and timeline, and avoid client problems.
Before conducting a data-centric assessment, an auditor should be well versed in the company and its critical business activities. The objective is then to align activity metrics with the goals of the business, identify gaps, and recommend improvements in the security and integrity of critical information and processes.
Typical activities needed to kickstart an audit are: meet with cyber management to determine possible blind spots, review the IT organization chart, review job descriptions of IT-related employees, research all technologies and equipment operating within the organization, review IT policies and procedures, evaluate the company’s current IT and cybersecurity spending, and review the disaster recovery plan.
#3 - Start with an objective
In order to determine an organization’s operating environment risks, auditors first perform a data-centric review of the company. Then they consider multiple factors relating to cyber procedures and activities that may indicate risks, and evaluate the controls in place to mitigate them. After conducting thorough testing and analysis, they can accurately assess whether the organization has the proper controls and is operating efficiently and effectively. The auditors can then match findings against a list of objectives that may trigger recommendations in diverse areas: personnel procedures and responsibilities, change management processes, appropriate backup and recovery procedures, physical security controls, and environmental controls against flood and fire.
#4 - Hunt for the gaps
The collection of evidence must focus on identifying strongholds and dangerous gaps. The audit can’t afford to be exhaustive. It involves interviews and document reviews, but more importantly, wandering around the organization to observe from a distance how it runs. When having a coffee in the lobby, do people discuss sensitive matters, do many outsiders bypass security, or are badges not worn? When reviewing equipment, look early at disposal and understand why the equipment is there, how it is stored, and with what procedures it leaves the organization. The same applies to employees: focus on departure procedures to understand what access they had and what they are left with after leaving the company.
#5 - Iterate the final report
The first formal meeting to present the audit report to the appropriate stakeholders should never be the last. It should be an opportunity for the auditor to make executive and senior management talk and react to the raw findings. The auditor may not have the proper context or cultural understanding to assess the findings and offer compelling recommendations.
They should choose carefully what they present in that preliminary final meeting in order to generate reactions and collect more information. That information is then integrated into the final report. If during the first meeting they spot a new grey area, they should not hesitate to go back to evidence collection to back up or dismiss an argument they gathered.
Cybersecurity assessment for Internal Audit
The way forward for Internal Audit to fulfil its growing cyber responsibilities must be realistic, technical, and comprehensive: audit leaders can move beyond simply checking compliance boxes to assessing effectiveness. An internal audit should focus on whether cyber risk assessments are adequate and whether key risks are identified, as well as whether the organization has a sense of the threat landscape internally and externally. These key risks should be included in the annual audit plan for review.
An internal audit team should at least develop a framework for performing effective cybersecurity audits based on international standards on cybersecurity such as NIST CSF and ISO 27001 and 27002. Then the hunt for gaps should be practical and evidence-based. Penetration testing can be conducted on crown jewels to evaluate their robustness against real-world attack techniques.
The organization’s risk assessment can be stress-tested against one very common blind spot: the relevance of the identified threats. A deep review of the organization’s ecosystem and a threat intelligence investigation enable internal audit to perform accurate threat modeling and challenge the current risk scenarios.
Red teaming is the perfect combination of evaluation and real-world stress-testing. Based on Internal Audit’s threat modeling and understanding of the organization’s gaps, they can conduct, or request from a specialized team, an emulation of a relevant adversary’s behavior to prove or dismiss an audit objective. The final report can then benchmark the red team’s successes and the organization’s successes against international cybersecurity standards, challenging in a structured manner the organization’s high-level perception of its own security.
A clear roadmap should be delivered indicating proven risk-based IT and cybersecurity initiatives and investments in the short, medium, and long term, based on the organization’s business goals and its current weaknesses.
To gain more insight on how XRATOR can help Internal Audit initiatives, contact our expert offensive security team.