Auditing
Cyber Security:
Evaluating Risk and Auditing Controls
ABSTRACT
Cyber security has become a prevalent issue today facing most organizations, one that is recognized
by companies to be an enterprisewide issue requiring thoughtful attention. Investments in controls are
necessary to protect organizations from increasingly sophisticated and widely available attack methods.
Intentional attacks, breaches and incidents can have damaging consequences. This white paper highlights
the need for these controls implemented as part of an overall framework and strategy, and focuses on the
subsequent assurance that is needed through management review, risk assessments and audits of the
cyber security controls.
, Auditing Cyber Security: Evaluating Risk and Auditing Controls 2
INTRODUCTION This white paper will provide some guidance on evaluating
the risk and auditing the cyber security controls for an
Cyber security is receiving increased attention from the boards organization. These concepts apply to organizations large and
of many organizations today in large part due to the bad small, even though the investment dollars and approaches will
publicity generated from recent large data breaches. Senior be focused differently and of a different scale.
members of management and corporate boards have lost
their positions, and organizations have had to spend valuable
resources in post-breach cleanup and to make their clients and
customers “whole.” Infrastructure spending has increased as
CYBER SECURITY
organizations attempt to prevent the breaches from occurring,
and security technology investments in incident detection and
CONTROL SPECIFICATION
Each organization should design controls specific to the risk
response mechanisms are climbing to limit the damage and
posture of the organization and ensure that processes and
liability should the event occur.
people are in place to continuously manage the controls.
These activities to enhance the infrastructure and Control issues typically are not due to the failure of the
defense mechanisms are welcomed investments to technology, but more often are the result of individuals not
those charged with protecting from and responding executing the process or using a process that is poorly
to the attacks, but they represent only one necessary defined. Administrative, technical and operational controls
component of any cyber security program. The fundamental can be sourced from many places, such as COBIT® 5 for
questions that need to be asked are those such as: Information Security1 as a baseline.
• Where is the best place to invest the next security dollar? One of the primary goals of any cyber security program
should be to limit the attractiveness for the attacker.
• Is the right amount being invested?
Hacking has moved well beyond the script kiddie
• Are there areas of risk that are not being addressed? threat stage, and the more time it takes an attacker
to penetrate a system, the less desirable that target
• Is the current infrastructure sufficient?
becomes. If an attacker wants to break into a car at a
• Are the dollars invested that we have today being used shopping mall during the holidays, it would be easier to jiggle
wisely? all the car door handles to find the one whose owner did not
• How are competitors approaching this and what are they lock it vs. breaking into the first car the attacker sees with a
spending on information asset protection? crowbar, potentially setting off the alarms. Control investments
are made across the organization through technical,
The answers to these questions are best answered by: administrative and operational investments in people, process,
1) evaluating the current and emerging risk to the organization, technology and growing a security-oriented culture. These
and 2) auditing the security controls that are current or investments may include:
planned to be in place to protect the information assets.
• Awareness investment
Without executing formal processes to determine the risk,
identify controls to mitigate the risk and subsequently audit the • Policy investment
controls, company assurance that information assets are being
• Intrusion detection systems
adequately protected would be subject to chance. Without
formal processes, there is the risk that inappropriate tools • Event logging
would be purchased without understanding where the tool fits • Incident response
into the architecture. Did this tool replace another tool? Will this
tool improve the cyber security capabilities sufficiently beyond • Vulnerability scanning
the current tool set to warrant the additional cost? Based upon • Information asset classification
the risk that the organization currently has, could the money
have been spent better somewhere else? Are the current tools • Forward intelligence
implemented and being attended to, or were they purchased • Architecture and technology hardening
and are now shelfware?
• Systems hardening
1 ISACA, COBIT 5 for Information Security, USA, 2012, www.isaca.org/COBIT/Pages/info-sec.aspx
© 2017 ISACA. All rights reserved.
Cyber Security:
Evaluating Risk and Auditing Controls
ABSTRACT
Cyber security has become a prevalent issue today facing most organizations, one that is recognized
by companies to be an enterprisewide issue requiring thoughtful attention. Investments in controls are
necessary to protect organizations from increasingly sophisticated and widely available attack methods.
Intentional attacks, breaches and incidents can have damaging consequences. This white paper highlights
the need for these controls implemented as part of an overall framework and strategy, and focuses on the
subsequent assurance that is needed through management review, risk assessments and audits of the
cyber security controls.
, Auditing Cyber Security: Evaluating Risk and Auditing Controls 2
INTRODUCTION This white paper will provide some guidance on evaluating
the risk and auditing the cyber security controls for an
Cyber security is receiving increased attention from the boards organization. These concepts apply to organizations large and
of many organizations today in large part due to the bad small, even though the investment dollars and approaches will
publicity generated from recent large data breaches. Senior be focused differently and of a different scale.
members of management and corporate boards have lost
their positions, and organizations have had to spend valuable
resources in post-breach cleanup and to make their clients and
customers “whole.” Infrastructure spending has increased as
CYBER SECURITY
organizations attempt to prevent the breaches from occurring,
and security technology investments in incident detection and
CONTROL SPECIFICATION
Each organization should design controls specific to the risk
response mechanisms are climbing to limit the damage and
posture of the organization and ensure that processes and
liability should the event occur.
people are in place to continuously manage the controls.
These activities to enhance the infrastructure and Control issues typically are not due to the failure of the
defense mechanisms are welcomed investments to technology, but more often are the result of individuals not
those charged with protecting from and responding executing the process or using a process that is poorly
to the attacks, but they represent only one necessary defined. Administrative, technical and operational controls
component of any cyber security program. The fundamental can be sourced from many places, such as COBIT® 5 for
questions that need to be asked are those such as: Information Security1 as a baseline.
• Where is the best place to invest the next security dollar? One of the primary goals of any cyber security program
should be to limit the attractiveness for the attacker.
• Is the right amount being invested?
Hacking has moved well beyond the script kiddie
• Are there areas of risk that are not being addressed? threat stage, and the more time it takes an attacker
to penetrate a system, the less desirable that target
• Is the current infrastructure sufficient?
becomes. If an attacker wants to break into a car at a
• Are the dollars invested that we have today being used shopping mall during the holidays, it would be easier to jiggle
wisely? all the car door handles to find the one whose owner did not
• How are competitors approaching this and what are they lock it vs. breaking into the first car the attacker sees with a
spending on information asset protection? crowbar, potentially setting off the alarms. Control investments
are made across the organization through technical,
The answers to these questions are best answered by: administrative and operational investments in people, process,
1) evaluating the current and emerging risk to the organization, technology and growing a security-oriented culture. These
and 2) auditing the security controls that are current or investments may include:
planned to be in place to protect the information assets.
• Awareness investment
Without executing formal processes to determine the risk,
identify controls to mitigate the risk and subsequently audit the • Policy investment
controls, company assurance that information assets are being
• Intrusion detection systems
adequately protected would be subject to chance. Without
formal processes, there is the risk that inappropriate tools • Event logging
would be purchased without understanding where the tool fits • Incident response
into the architecture. Did this tool replace another tool? Will this
tool improve the cyber security capabilities sufficiently beyond • Vulnerability scanning
the current tool set to warrant the additional cost? Based upon • Information asset classification
the risk that the organization currently has, could the money
have been spent better somewhere else? Are the current tools • Forward intelligence
implemented and being attended to, or were they purchased • Architecture and technology hardening
and are now shelfware?
• Systems hardening
1 ISACA, COBIT 5 for Information Security, USA, 2012, www.isaca.org/COBIT/Pages/info-sec.aspx
© 2017 ISACA. All rights reserved.
