Essentials for an Effective Cybersecurity Audit

Author: Elastos Chimwanda, CISA, CIA, CISSP
Date Published: 8 April 2022

Cybersecurity has become a pressing issue worldwide, thereby necessitating robust auditing procedures to provide assurance to senior management and boards of directors (BoDs). A cybersecurity audit can be considered simply an evaluation of the systems and controls in place to ensure safe cyberactivities. The goal is to evaluate current technology, policies, and procedures at a deeper level to determine if all applicable standards and regulations are being met effectively and efficiently. There are several best practices that organizations can apply during audits to measure the efficiency and effectiveness of cybersecurity systems, processes and controls.

Reasons for Conducting a Cybersecurity Audit

A cybersecurity auditor’s purpose is to verify whether an organization is operating according to various cybersecurity standards, regulations and guidelines. A cybersecurity audit gauges an organization’s current reality in terms of compliance and benchmarks it against a specific industry standard. A gap analysis is then undertaken to ensure that all control gaps are identified and remediated at the earliest opportunity through targeted recommendations.

There are several reasons why an auditor should conduct regular cybersecurity audits, including:

  • To regularly monitor the organization’s IT infrastructures, systems and controls to detect any potential risk or defects
  • To confirm the systems in place meet minimum compliance requirements and mitigate expected risk
  • To evaluate the efficiency and effectiveness of cybersecurity operational systems and processes
  • To inspect information systems, security controls and management procedures put in place with the aim of mitigating risk
  • To provide input on the crafting of contingency plans to counter emergency cyberattacks or other vulnerabilities

The essential aspects of any cybersecurity audit include the review of cybersecurity policies, development of an integrated approach to cybersecurity, analysis of the cybercompetence of personnel and the facilitation of risk-based auditing initiatives in the organization.

Reviewing Cybersecurity Policies

Information security policies are pivotal to cybersecurity auditors as knowledge of the policies enables auditors to classify an organization’s data and determine which levels of security are needed to protect them. When reviewing any pertinent cybersecurity policy, the cybersecurity auditor should strive to compare it to the ideal version or global standard. Determining whether an enterprise’s cybersecurity policy meets both industry and global standards is essential. It is also important to know which compliance regulations are relevant and applicable to the organization before this step is conducted.

Some of the global barometers to which cybersecurity programs and policies should be compared include:

  • The Payment Card Industry Data Security Standard (PCI-DSS)
  • System and Organization Controls (SOC)
  • The US Sarbanes-Oxley Act of 2002 (SOX)
  • The International Organization for Standardization (ISO)
  • The EU General Data Protection Regulation (GDPR)
  • The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
  • The Center for Internet Security (CIS) Controls, formerly known as the Critical Security Controls

Organizations may be required to comply with one or more standards depending on their respective sectors and/or jurisdictions. For example, financial institutions typically must adhere to PCI-DSS due to their widespread use of credit and debit cards, while publicly traded entities (especially multinationals) require compliance with SOX. Cybersecurity auditors should also consider jurisdictions; for example, GDPR mostly affects organizations domiciled in or undertaking business in the European Union. However, some standards apply universally across sectors and jurisdictions (e.g., CCM, ISO standards).

Developing an Integrated Approach to Cybersecurity Auditing

It is critical to centralize cybersecurity, risk management and compliance policies into a single consolidated working document to help cybersecurity auditors gain a more complete understanding of the organization’s cybersecurity pulse. In turn, this makes it easier for the auditor to identify gaps concurrently because there is always a relationship between cybersecurity, risk management and compliance.

Cybersecurity auditors should review relevant compliance standards and requirements well before the audit commences. If an organization has a compliance function, it should share relevant information with the audit team. Sharing compliance information enables cybersecurity auditors to stay up to date with changes in legislation and regulations and to align particular audits with the pressing needs of the organization. To that end, it is important that the internal audit function and the audit committee meet with the chief information officer (CIO) and the chief information security officer (CISO) regularly to discuss important cybersecurity issues and share perspectives on emerging threats, vulnerabilities, cybersecurity laws and regulations.

It may be useful to utilize automated tools (e.g., dashboards) that help teams communicate seamlessly and coordinate audit activities efficiently. A centralized data repository where internal audit, compliance and IT teams can easily maintain, access and share pertinent data can be set up in the cloud for easy access by each team. This centralized repository allows audit teams to map security risk to auditable entities, IT assets, controls, regulations and other key factors in a cybersecurity audit. A seamlessly integrated data flow allows internal audit to determine at a glance how cybersecurity risk or an ineffective and inefficient control could impact the entire organization. Accordingly, the internal auditor will then be able to offer targeted recommendations proactively to resolve the identified issues.

Analyzing the Cybercompetence of Personnel

Globally, it has become exceedingly difficult to find adequate personnel to address the cybersecurity skills shortage. Organizations should create a list of information security personnel and their responsibilities as an essential step in dealing with cybersecurity issues on a continuous basis. Employee interviews are an important part of cybersecurity audits, as they seek to determine whether the organization has in its employ competent cybersecurity personnel to assist in defending against cyberrisk. Cybersecurity auditors will often interview various IT and information security personnel to gain a better understanding of an organization’s security architecture and threat landscape. They should also interview board members to gauge their understanding of cybersecurity risk. Cybersecurity auditors can then verify whether all organizational employees, including leadership, are educated enough to contend with constantly evolving cyberrisk.

It should be noted that in addition to evaluating IT infrastructure on the technological side, cybersecurity audits also include reviewing and interviewing individuals responsible for security, data protection and IT infrastructure. Therefore, the cybersecurity auditor should have well-developed soft skills to be able to successfully interact with stakeholders at all levels.

Facilitating a Risk-Based Audit Approach

Cybersecurity risk is pervasive across enterprises and therefore extends beyond what any single cybersecurity audit can cover; the scope of an effective audit can be vast and overwhelming. Cybersecurity audit teams should know where to begin their assessments, especially when resources are limited. This is where a risk-based approach to cybersecurity auditing adds value. Risk-based auditing enables audit teams to prioritize their activities and resources based on the areas of highest risk in the organization. Cybersecurity auditors must develop intelligence for risk-based auditing through interventions such as effective risk assessments, continuous risk monitoring and scenario analysis. The resulting data assist them in developing a systematic, risk-based audit plan with well-defined objectives and achievable goals. An aligned scope can then be devised to prioritize areas of greater risk. Technology can be utilized to streamline risk assessments and deliver real-time visibility into enterprisewide cyberrisk. For example, cybersecurity auditors should understand where the organization’s critical data reside. They should also understand the organization’s entire governance framework in use and assist by bringing in the right third-party resources where necessary.

Conclusion

While the field of cybersecurity auditing is fairly new, the value of undertaking such audit assignments must be more commonly recognized. There is need for continuous improvement in the undertaking of cybersecurity audits, which are inherently highly specialized. Taking a disciplined, systematic approach to the audit process is essential for enterprises to gain the most from the process. This will ensure the delivery of audit results that enable organizations to address the challenges encountered in the ever-evolving cyber landscape.

Elastos Chimwanda, CISA, CIA, CISSP

Is an auditor with more than 10 years of experience in internal auditing, information systems auditing, cybersecurity auditing and cloud security auditing. He also serves as an independent adviser to boards and audit committees. Chimwanda is a member of the ISACA® IT Audit and Assurance Advisory Group and The Institute of Internal Auditors’ Public Sector Knowledge Group (PSKG).