Internal Audit and Cyber Security: Guidelines and a Checklist

With data becoming an organization’s most valuable asset, it has also become its most vulnerable. Cyber criminals are continually targeting potential weaknesses in your security stance. Cyber attacks can culminate in an organization suffering costly or irreparable operational, financial and reputational damage.

Just recently we saw a large consumer financial information business suffer a major data breach which impacted over 143 million people and resulted in both its CEO and CISO resigning. Pending results of ongoing investigations, there could be legal, legislative, financial and operational implications for financial institutions and other organizations alike. It is becoming extremely apparent risk management professionals and internal auditors will need to help face the challenge of managing cyber risks.

Here are four key areas that the “third line of defense,” i.e. internal auditors, can focus on to make in impact.

1: Independent and Unbiased

Increasingly, organizations are recognizing the need for an independent review of security measures and performances.

“Internal audit is one of the few voices that is purposely positioned to go across the entire organization, and it is able to look at how the different parts work with each other and make sure the right information is getting to the right people.” ¹

Internal audit activity can provide senior management with independent and objective assurance on governance, risk management and controls pertaining to cyber security. This includes assessing the overall effectiveness of the activities performed by the first and second lines of defence (management and information security, respectively) in managing and mitigating cyber security risks.

Focus areas for internal audit should include the relationship between cyber security and operational risk, prioritizing responses and control activities and performing audits for cyber security risk mitigation across the organization.

Internal audit can help improve the organization’s security posture by looking to:

• Be aware of management and the board of director’s approach to cyber security policy.
• Identify and act on opportunities to improve the organization’s ability to identify, assess and mitigate cyber security risk to an acceptable level.
• Ensure cyber security risk is integrated into the organization’s internal audit plan.
• Evaluate the organization’s cyber security program against an industry-acknowledged framework.

2: Security Framework Options 

In a recent webinar presented to members of the Institute of Internal Auditors in Canada, MNP cyber security consultants Jared Weber and Jason Murray, suggested that when it comes to selecting a cyber security control framework, companies don’t need reinvent the wheel. Organizations should select a framework that works for them; possibly amalgamating a few as one might not meet all your needs. This is because organizations have differing levels of maturity within their information security program. It is important to adopt a framework which allows an organization to meet some standards but also have room for growth.

Frameworks involving international regulations such as the North American Electric Reliability Corporation (NERC), ISO 27001 and payment card industry data security standards (PCI DSS) are required to be met in full for an organization to market itself as being compliant. It is often difficult to accomplish this across an entire enterprise network and many security frameworks are not generalized enough to apply to all organizations.

An example of a flexible framework is The Centre for Internet Security’s 20 Critical Security Controls. This framework was originally intended to provide a roadmap for organizations to help protect against cyber-attacks. The framework uses 20 different categories each of which provide increasing levels of controls from foundational safeguards to advanced security controls and processes. This allows organizations to adopt a framework to a degree which matches their risk appetite.

3: Key Questions Internal Audit Should Ask

The following are key questions which internal audit should try to answer to gain an understanding of an organizations current security posture, risk appetite and its ability to manage and mitigate any potential cyber threats:

• Who has access to the organizations most valuable information?
• Which assets are most likely to be targeted?
• Which systems would cause the most significant impact to the organization should they be compromised?
• Which data, if stolen, would cause financial or competitive advantage, legal ramifications and / or reputational damage?
• Is management prepared to react in a timely manner should a cyber security incident occur?
• Are senior management aware of risks relating to cyber security?
• Are cyber security policies and procedures in place, understood and followed?
• Has management performed risk assessments to quantify their risk exposure?

4: IIA Canada Webinar Poll Results – Benchmark your Internal Audit Cyber Approach