ISACA: Auditing Cyber Security: Evaluating Risk and Auditing Controls

INTRODUCTION Cyber security is receiving increased attention from the boards of many organizations today in large part due to the bad publicity generated from recent large data breaches. Senior members of management ...

INTRODUCTION Cyber security is receiving increased attention from the boards of many organizations today in large part due to the bad publicity generated from recent large data breaches. Senior members of management and corporate boards have lost their positions, and organizations have had to spend valuable resources in post-breach cleanup and to make their clients and customers “whole.” Infrastructure spending has increased as organizations attempt to prevent the breaches from occurring, and security technology investments in incident detection and response mechanisms are climbing to limit the damage and liability should the event occur. These activities to enhance the infrastructure and defense mechanisms are welcomed investments to those charged with protecting from and responding to the attacks, but they represent only one necessary component of any cyber security program. The fundamental questions that need to be asked are those such as: • Where is the best place to invest the next security dollar? • Is the right amount being invested? • Are there areas of risk that are not being addressed? • Is the current infrastructure sufficient? • Are the dollars invested that we have today being used wisely? • How are competitors approaching this and what are they spending on information asset protection? The answers to these questions are best answered by: 1) evaluating the current and emerging risk to the organization, and 2) auditing the security controls that are current or planned to be in place to protect the information assets. Without executing formal processes to determine the risk, identify controls to mitigate the risk and subsequently audit the controls, company assurance that information assets are being adequately protected would be subject to chance. Without formal processes, there is the risk that inappropriate tools would be purchased without understanding where the tool fits into the architecture. Did this tool replace another tool? Will this tool improve the cyber security capabilities sufficiently beyond the current tool set to warrant the additional cost? Based upon the risk that the organization currently has, could the money have been spent better somewhere else? Are the current tools implemented and being attended to, or were they purchased and are now shelfware? This white paper will provide some guidance on evaluating the risk and auditing the cyber security controls for an organization. These concepts apply to organizations large and small, even though the investment dollars and approaches will be focused differently and of a different scale. CYBER SECURITY CONTROL SPECIFICATION Each organization should design controls specific to the risk posture of the organization and ensure that processes and people are in place to continuously manage the controls. Control issues typically are not due to the failure of the technology, but more often are the result of individuals not executing the process or using a process that is poorly defined. Administrative, technical and operational controls can be sourced from many places, such as COBIT® 5 for Information Security1 as a baseline. One of the primary goals of any cyber security program should be to limit the attractiveness for the attacker. Hacking has moved well beyond the script kiddie threat stage, and the more time it takes an attacker to penetrate a system, the less desirable that target becomes. If an attacker wants to break into a car at a shopping mall during the holidays, it would be easier to jiggle all the car door handles to find the one whose owner did not lock it vs. breaking into the first car the attacker sees with a crowbar, potentially setting off the alarms. Control investments are made across the organization through technical, administrative and operational investments in people, process, technology and growing a security-oriented culture. These investments may include: • Awareness investment • Policy investment • Intrusion detection systems • Event logging • Incident response • Vulnerability scanning • Information asset classification • Forward intelligence • Architecture and technology hardening • Systems hardening 1 ISACA, COBIT 5 for Information Security, USA, 2012, www.isaca.org/COBIT/Pages/info-sec.aspx Auditing Cyber Security: Evaluating Risk and Auditing Controls © 2017 ISACA. All rights reserved. 3 The attractiveness decreases as investments are made in cyber security controls in the preceding list (see figure 1). Leveraging Different Cyber Security Control Frameworks There are many approaches available for specifying cyber security control environments, such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.2 The purpose of SP 800-53 is to provide guidelines for selecting and specifying security controls for information systems supporting executive agencies of the federal government. The NIST model, in contrast to the COBIT® 5 model, is very prescriptive in nature and may be overwhelming to many organizations. SP 800-53 contains very detailed definitions and may be best used to complement and help develop the organizationspecific detailed activities to perform the COBIT 5 practices, which, in turn, as indicated in the previous section, support the overarching cyber security process.