The scope of a cyber security audit includes:
- • Data security policies relating to the network, database and applications in place;
- • Data loss prevention measures deployed;
- • Effective network access controls implemented;
- • Detection/prevention systems deployed;
- • Security controls established (physical and logical);
- • Incident response program implemented.
There are many approaches available for specifying cyber security control environments, such as NIST Special Publication (SP)800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. SP 800-53 provides guidelines for selecting and specifying security controls for information systems supporting executive agencies of the federal government. It is prescriptive in nature, contains detailed definitions, and may help organizations develop their own overarching cyber security process(es).
An Audit in Three Parts The cyber security audit and review process contribute to cyber security audit success. Internal auditors and risk management professionals have key roles to play, as does enterprise management.
a) Management — Management ultimately owns the risk decisions made for the organization. Therefore, it has a vested interest in ensuring that cyber security controls exist and are operating effectively. Decisions are typically made based on guidance received during the risk management processes, on the appropriate direction to take.
b) Risk Management — Risk assessments are typically made based on guidance by the security officer at an organization and enterprise management make decisions, employing risk management processes. The objective in any risk assessment is twofold. First, it is critical to communicate the state of the risk so that it is easy to understand and be clear on the level of risk involved.
Secondly, and just as significantly the ways in which to address that risk must be identified as well. This provides both problem and solution, and mitigates the negative impact of that risk to an enterprise.
The risk landscape is ever-changing. It is important to have defined processes, trained and competent cyber security resources, and a governance framework to ensure that appropriate actions are carried out by enterprise leadership and managed effectively to address current and emerging threats.
c) Internal Audit — Auditing is a security measure. It is critical to protecting an enterprise in today’s global digital economy. The internal audit department plays a vital role in cyber security auditing in many organizations, and often has a dotted-line reporting relationship to the audit committee to ensure an independent view is being communicated at the board level of the enterprise. Audit helps enterprises with the challenges of managing cyber threats, by providing an objective evaluation of the controls and making recommendations to improve them as well as assisting the senior management and the board of directors understand and respond to cyber risks. Organizations, especially within the public sector, also contract for the services of external auditors to provide independent assurance of the financial and operational controls primarily to ensure the controls design is effective and the needs of the organization are being met.
Services Provided by our Company under cyber security:
- • Formation of Cyber Security Policies
- • Formation of Cyber Security Procedures
- • Formation of Crisis Management Plan (CCMP)
- • Compliance to Regulatory Guidance for Cyber security.
