Cybersecurity is a hot topic from the boardroom to the back room. Why? Because it affects not only operations but also how well a company performs. Cyber breaches do serious damage to organizational reputations and can cost millions to remediate. Hackers do not discriminate between public and private organizations; all organizations are fair game. According to Robert Mueller III, former director of the FBI, "There are two types of companies: those that have been hacked and those that will be." That was in 2012. Three years later the current director of the FBI, James Comey, says his organization has created a new five-point strategy to combat the cyber threat in the United States. This issue is not going away; it is only getting worse.
So what can internal audit functions do to help their organizations improve cybersecurity? In addition, do auditors need specialized skills to perform cybersecurity audits?
Cybersecurity is high profile, but is it high risk? Auditors need to understand their organization's exposure to a cybersecurity breach. Does the organization collect personal or financial information on clients? Is the organization a government entity that is frequently targeted, or has it recently become a target? In most organizations, cybersecurity will rank high on a risk assessment even if it was audited in recent years. Why? Because anything that touches your network expands the attack surface, and the set of things touching the network changes constantly.
There are an estimated 12.5 billion devices connected to the Internet now, a number expected to grow to 25 billion by 2020, according to a report published in 2013 by Heller Information Services, Inc. According to TechTarget, the Internet of Things (IoT) is an environment in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. What does that mean in practice? It means phones, tablets, fitness trackers, and other personal devices are using the network, often without employees or IT staff knowing it.
How should audit departments build scope around these audits, and do auditors need specialized skills to perform them? What should auditors consider when developing the scope of a cybersecurity engagement? How big is the network? Who and what can access it? Does the organization have any policies and procedures concerning cybersecurity and breach response? The sheer volume of possibilities can be overwhelming.
Keep your cybersecurity audits simple and straightforward. There are four general areas to cover: 1) policies and procedures, 2) IT infrastructure, 3) updates and 4) user access. The matrix below is a sample scope sufficient to identify organizational risk. Beware of scope creep on these engagements: this is fascinating material, so it is easy to fall into the habit of exploring every rabbit hole.
| Policies and procedures | IT infrastructure | Updates | User access* |
|---|---|---|---|
| Written | Physical security | Any outstanding patches or updates | Terminated employee access |
| Who is responsible | Access points | Frequency of updates | Current employee access reasonable (i.e., no internal control deficiencies) |
| What activities should happen | Can IoT devices connect to the network automatically? | Updates automatic or manual | Documented approval process for employee access |
| When should the activities happen | Is there a change management protocol in place? (include network, servers, cloud, laptops, desktops and other IoT devices) | Responsible party identified (by position, not name) in policy/procedures document | Documented removal process for terminated employees and employees who change positions |
| Where are these activities happening (i.e., servers, cloud, network, vendors) | Proactive scans for vulnerabilities | | |
* Great area to use data analytics to reduce costs and level of effort.
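As an added illustration of the data-analytics test the footnote points to (this is example code written for this page, not the author's own procedure or any particular tool), the script below reconciles an HR separations extract against a directory export and flags the user-access exceptions listed in the matrix: accounts still enabled after termination, accounts disabled late, logons after the termination date, and orphan accounts with no HR record. The column names, the one-day grace period, and the two CSV extracts are all constructed assumptions; a real engagement would substitute the organization's own HR and directory exports.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample extracts (hypothetical data, not from the article).
# HR separations report: employee_id, name, termination_date (blank = still employed)
HR_EXTRACT = """employee_id,name,termination_date
1001,Alice Adams,
1002,Bob Brown,2015-03-01
1003,Carol Chen,2015-04-10
1004,Dan Diaz,
"""

# Directory export: account, employee_id, enabled, disabled_date, last_logon
DIRECTORY_EXTRACT = """account,employee_id,enabled,disabled_date,last_logon
aadams,1001,true,,2015-05-01
bbrown,1002,true,,2015-04-20
cchen,1003,false,2015-04-30,2015-04-12
ddiaz,1004,true,,2015-05-02
svc_backup,,true,,2015-05-02
"""


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    # Blank cells in the extracts mean "no date"; anything else is ISO yyyy-mm-dd.
    return date.fromisoformat(value) if value else None


def review_access(hr_rows, dir_rows, as_of, grace_days=1):
    """Reconcile an HR separations list against a directory export.

    Issues raised:
      terminated-enabled  account still enabled after the termination date
      late-disable        account disabled more than grace_days after termination
      terminated-logon    a logon recorded after the termination date
      orphan              account with no HR record (service/shared account whose
                          owner and approval must be documented)
    """
    hr_by_id = {row["employee_id"]: row for row in hr_rows}
    findings = []
    for acct in dir_rows:
        emp = hr_by_id.get(acct["employee_id"])
        if emp is None:
            findings.append(Finding(acct["account"], "orphan",
                                    "no HR record; confirm owner and documented approval"))
            continue
        term = parse_date(emp["termination_date"])
        if term is None or term > as_of:
            continue  # current employee; covered by the approval-process review instead
        enabled = acct["enabled"].strip().lower() == "true"
        disabled_on = parse_date(acct["disabled_date"])
        last_logon = parse_date(acct["last_logon"])
        if enabled:
            findings.append(Finding(acct["account"], "terminated-enabled",
                                    f"terminated {term}, still enabled {(as_of - term).days} days later"))
        elif disabled_on is not None and (disabled_on - term).days > grace_days:
            findings.append(Finding(acct["account"], "late-disable",
                                    f"disabled {(disabled_on - term).days} days after termination"))
        if last_logon is not None and last_logon > term:
            findings.append(Finding(acct["account"], "terminated-logon",
                                    f"logon on {last_logon} after termination on {term}"))
    return findings


def sample_findings():
    # Run the review over the constructed extracts as of a fixed date.
    return review_access(parse_csv(HR_EXTRACT), parse_csv(DIRECTORY_EXTRACT), date(2015, 5, 4))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.account:12} {f.issue:20} {f.detail}")
```

Matching on employee ID rather than name avoids false negatives from name changes and duplicates; every account the directory cannot tie to an HR record is reported rather than silently skipped, because unowned accounts are exactly the ones a removal process never reaches.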
While these areas do not cover every risk or vulnerability, they will help the organization gauge its level of risk and the efficiency and effectiveness of its ongoing operations.
About the Author
Mara Ash, CIA, CGAP, CGFM, CMRA, is a federal compliance specialist whose career has spanned federal, state, and local governments as well as private industry. Her goal is to help organizations improve service delivery, ensure compliance, and enhance transparency.
She is an active member of The IIA and the Association of Government Accountants, where she has held various leadership positions.