Cybersecurity and the role of internal audit An urgent call to action

Similar documents
Cybersecurity and the role of internal audit An urgent call to action

The value of visibility. Cybersecurity risk management examination

Standing Together for Financial Industry Resilience Quantum Dawn 3 After-Action Report. November 19, 2015

Risk Advisory Academy Training Brochure

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

The Deloitte-NASCIO Cybersecurity Study Insights from

Anticipating the wider business impact of a cyber breach in the health care industry

Cyber Risks in the Boardroom Conference

THE POWER OF TECH-SAVVY BOARDS:

INTELLIGENCE DRIVEN GRC FOR SECURITY

CYBER RESILIENCE & INCIDENT RESPONSE

Why you should adopt the NIST Cybersecurity Framework

Are we breached? Deloitte's Cyber Threat Hunting

Security and Privacy Governance Program Guidelines

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Cyber Security Incident Response Fighting Fire with Fire

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Keys to a more secure data environment

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Headline Verdana Bold

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Cybersecurity and the Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Building and Testing an Effective Incident Response Plan

Sage Data Security Services Directory

Cybersecurity, safety and resilience - Airline perspective

Standing Together for Financial Industry Resilience Quantum Dawn IV after-action report June 2018

SOC for cybersecurity

MITIGATE CYBER ATTACK RISK

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Effective Cyber Incident Response in Insurance Companies

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

State of South Carolina Interim Security Assessment

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cyber Security: Are digital doors still open?

GDPR: A QUICK OVERVIEW

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Business continuity management and cyber resiliency

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Achieving effective risk management and continuous compliance with Deloitte and SAP

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

locuz.com SOC Services

Vulnerability Management. June Risk Advisory

Protecting your data. EY s approach to data privacy and information security

CISO as Change Agent: Getting to Yes

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Emerging Technologies The risks they pose to your organisations

CYBER SOLUTIONS & THREAT INTELLIGENCE

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

People risk. Capital risk. Technology risk

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Cybersecurity. Securely enabling transformation and change

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

EU General Data Protection Regulation (GDPR) Achieving compliance

Continuous protection to reduce risk and maintain production availability

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

CFOs in a new global environment Sandy Cockrell, Deloitte

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Run the business. Not the risks.

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

CCISO Blueprint v1. EC-Council

NCSF Foundation Certification

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Cyber Risk and Networked Medical Devices

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Webcast title in Verdana Regular

Global Security Consulting Services, compliancy and risk asessment services

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Avanade s Approach to Client Data Protection

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Information Security Controls Policy

Cybersecurity for Health Care Providers

Technical Resilience Building the always-on enterprise with Deloitte Advisory and Amazon Web Services

Oracle Data Cloud ( ODC ) Inbound Security Policies

Cyber Security Technologies

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Cybersecurity in Higher Ed

Cybersecurity Protecting your crown jewels

Section One of the Order: The Cybersecurity of Federal Networks.

PA TechCon. Cyber Wargaming: You ve been breached: Now what? April 26, 2016

Transcription:

Cybersecurity and the role of internal audit An urgent call to action

The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could cost businesses over $2 trillion by 2019, nearly four times the estimated 2015 expense. 1 Many audit committees and boards have set an expectation for internal audit to understand and assess the organization's capabilities in managing the associated risks. Our experience shows that an effective first step for internal audit is to conduct a cyber risk assessment and distill the findings into a concise summary for the audit committee and board which will then drive a risk-based, multiyear cybersecurity internal audit plan. An ascending agenda item The forces driving business growth and efficiency contribute to a broad attack surface for cyber assaults (Figure 1). Internet, cloud, mobile, and social technologies, now mainstream, are platforms inherently oriented for sharing. Outsourcing, contracting, and remote workforces are shifting operational control. Data continues to expand along with requirements to protect it. And, attackers can range from hackers to nation states, all continuously innovating and subverting common controls, some beyond the reach of a country s law enforcement. Figure 1. Forces of cyber vulnerability Technology expansion Headline-making breaches, combined with growing government focus on cyber threats, have increased concern among corporate audit committees and boards of directors. Under US Securities and Exchange Commission (SEC) guidance, public companies are expected to address potentially material cybersecurity risks and cyber incidents in the Management s Discussion and Analysis of Financial Condition and Results of Operations (MD&A). 2 Amid ever-growing concerns about cyberattacks affecting the nation s critical infrastructure, President Obama s Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, has highlighted the role of businesses in improving the nation s cybersecurity framework and the need to adapt to rapidly changing regulatory agency expectations and oversight. 3 Three lines of defense Business units and the information technology (IT) function integrate cyber risk into day-to-day decision making and operations. This comprises an organization s first line of defense. The second line includes information and technology risk leaders who establish governance and oversight, monitor security operations, and take action as needed, often under the direction of the chief information security officer (CISO). Increasingly, many companies are recognizing the need for a third line of cyber defense independent review of security measures and performance by the internal audit function. Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. At the same time, internal audit has a duty to inform the audit committee and board of directors that the controls for which they are responsible are in place and functioning correctly, a growing concern across boardrooms as directors face potential legal and financial liabilities. The why and how of cyber-risk assessment and defense Exploring an organization s cyber risks begins with three key questions: Who might attack? Are the perpetrators criminals, competitors, third party vendors, disgruntled insiders, agenda-driven hackers, or someone else? What are they after, and what business risks need to be mitigated? Do they want money or intellectual property? Is their goal to disrupt the business or ruin our reputation? Could health and safety risks be created? What tactics might they use? Will they go phishing, test system vulnerabilities, use stolen credentials, or enter networks through a compromised third party? Data growth Cyber risk Evolving business models Motivated attackers 1

Deloitte Advisory has identified a threepronged approach to help clients address the threats identified through examining these questions: Secure. Most organizations have established controls such as perimeter defenses, identity, and data protection to guard against known and emerging threats. Risk-focused programs prioritize controls in areas that align with top business risks. Vigilant. Threat intelligence, security monitoring, and behavioral and risk analyses are used to detect malicious or unauthorized activity such as application configuration changes or unusual data movement, and help the organization respond to the shifting threat landscape. Resilient. Incident response protocols, forensics, and business continuity and disaster recovery plans are put into action to recover as quickly as possible and reduce impact. Cybersecurity assessment framework a comprehensive approach Many internal audit functions have performed procedures around evaluating components of the organization s cyber security readiness. These targeted audits, such as attack and penetration procedures, are valuable, but do not provide assurance across the spectrum of cyber security risks. For internal audit to provide a comprehensive view of cyber security, and avoid providing a false sense of security by only performing targeted audits, a broad approach should be employed. Figure 2 portrays a cybersecurity assessment framework built on our recommended Secure.Vigilant.Resilient. TM concept. As shown, multiple security domains support each of the three themes. In assessing cybersecurity readiness, internal audit can benefit from understanding the capabilities within each of the 12 domains, how they are addressed today, and gaps that may exist within the organization. Exploring the who, what, and how questions posed above in the context of a secure, vigilant, and resilient organization provides the foundation for a broad internal audit cybersecurity assessment framework that will be an integral component of the organization s cyber defense initiatives. As used in this document, Deloitte Advisory means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. 2

Figure 1. Forces of cyber vulnerability Resilient Vigilant Secure Cybersecurity risk and compliance Compliance monitoring Issue and corrective action planning Regulatory and exam Risk and compliance assessment and Integrated requirements and control framework Third-party Evaluation and selection Contrast and service initiation Ongoing monitoring Service termination Incident response and forensics Application security testing Threat modeling and intelligence Security event monitoring and logging Penetration testing Vulnerability Recover strategy, plans and procedures Testing and exercising Business impact analysis Business continuity planning Disaster recovery planning Secure development life cycle Secure build and testing Secure coding guidelines Application role design/access Security design/architecture Security/risk requirements Information and asset Information and asset classification and inventory Information records Physical and environment security controls Physical media handling Data classification and inventory Breach notification and Data loss prevention Data security strategy Data encryption and obfuscation Records and mobile device Change Configuration Network defense Security operations Security architecture Security direction and strategy Security budget and finance Policy and standards Exception Talent strategy Account provisioning Privileged user Access certification Threat and vulnerability Data and protection Risk analytics Crisis and resiliency Security operations Security program and talent Identity and access Access and governance Information gathering and analysis around: User, account, entity Events/incidents Fraud and anti-money laundering Operational loss Security awareness and training Security training Security awareness Third-party responsibilities SOX (financially relevant systems only) Penetration and vulnerability testing BCP/DRP testing 3

Notably, roles and responsibilities within the framework are not limited to the IT organization, but span the entire enterprise. For example, data and protection, elements of vigilance shown in Figure 2, are put in the hands of managers and employees across the business to define what their data is. This responsibility exists up and down the organization, with even CEOs tasked to assess the risk exposures in their memos and other communications. Other important considerations can include the limited scope of existing IT audits and the lack of internal audit review of certain capabilities. Color highlights in the framework indicate that Sarbanes-Oxley testing, penetration and vulnerability testing, and business continuity and disaster recovery testing each address certain elements of the Secure.Vigilant.Resilient. TM framework. However, numerous other risks may be missed in the IT function s general computer controls testing, for example, the non-highlighted vigilance functions of threat modeling and security event monitoring, and the resilience functions of recovery, testing and exercising. An internal audit cyber-risk assessment could identify these gaps, leading to war gaming scenarios and exercising to spotlight critical questions. Who should a threat recipient alert to the danger? How does the organization respond? If a ransom is demanded, should we pay it? Several factors are noteworthy as internal audit professionals consider and conduct a cybersecurity assessment. First, it is vital to involve people with the necessary experience and skills. Internal audit has the know-how to conduct assessments. However, understanding whether the IT department or the CISO is doing a robust job of threat modeling can require subject matter specialists who know effective questions to ask. A tech-oriented audit professional versed in the cyber world can be an indispensable resource. It s also important to evaluate the full cybersecurity framework, rather than cherry pick items. This evaluation involves understanding the current state against framework characteristics, where the organization is going, and the minimum expected cybersecurity practices across the industry or business sector. Finally, the initial assessment should be a broad evaluation. It is not intended to be an exhaustive analysis requiring extensive testing. Instead, the initial assessment should drive additional risk-based cybersecurity deep dive reviews. Cyber risk assessment an important starting point Maintaining and enhancing security capabilities can help mitigate cyber threats and move the organization toward its desired level of cybersecurity maturity. By performing a comprehensive cyber risk assessment, internal audit can present objective perspectives and findings to the audit committee and board members, and use those findings to develop a broad internal audit plan that addresses the areas of cyber risk for the organization over a single or multi-year audit period. Performing risk assessments may be one strategy for organizations, or some may elect to use the maturity analysis approach. The maturity analysis approach can provide additional value to and those tasked with corporate governance by providing a quick visual reference that gives clear cues about areas they should explore further. With the proper subject matter expertise and involvement, a cyber risk assessment can also be structured to generate a list of cybersecurity gaps and provide the organization with a road-map for short and long-term remediation activities. Figure 3 presents an analysis built around the secure, vigilant, and resilient themes and is mapped to the themes 12 cybersecurity domains. The five maturity stages Initial, Managed, Defined, Predictable and Optimized reflect the progress the organization has made in maintaining and enhancing security capabilities to help mitigate cyber threats and achieve its desired maturity level. The green dotted lines lead to the level of maturity an organization is targeting, potentially identified in a remediation roadmap. As changes are implemented, the results should map to the location of the green dots. The board should agree to the desired maturity level upon completion of the work, at which point internal audit would test once again and come back to the board to confirm the targeted level has been achieved. 4

Figure 3. Sample risk assessment maturity analysis Stage 1: Initial Stage 2: Managed Stage 3: Defined Stage 4: Predictable Stage 5: Optimized Recognized the issue Ad-hoc/case by case Partially achieved goals No training, communication, or standardization Process is managed Responsibility defined Defined procedures with deviations Process reviews Defined process Communicated procedures Performance data collected Integrated with other processes Compliance oversight Defined quantitative performance thresholds and control limits Constant improvement Automation and tools implemented Managed to business objectives Continuously improved Improvement objectives defined Integrated with IT Automated workflow Improvements from new technology Maturity analysis Cybersecurity domain Initial Managed Defined Predictable Optimized Cybersecurity risk and compliance Third-party Secure Secure development life cycle Information and asset Security program and talent Identity and access Threat and vulnerability Vigilant Data and protection Risk analytics Crisis and resiliency Resilient Security operations Security awareness and training Current state CMMI maturity* Desired/Target state *The industry recognized Capability Maturity Model Integration (CMMI) can be used as the model for the assessment. Each domain consists of specific capabilities which are assessed and averaged to calculate an overall domain maturity. 5

A separate assessment scorecard should support the maturity evaluation, highlighting in detail the cyber risks surrounding people, process, and technology. Findings must be documented and recommendations made for closing identified gaps. Foundations of an internal audit plan for cybersecurity As noted earlier, the cyber-risk assessment underpins both the maturity analysis provided to the audit committee and board and the development of a riskbased, multiyear internal audit plan for cybersecurity. The multiyear plan can be developed through the results of the assessment, with some audits occurring at a higher frequency than others based upon urgency and consideration of other testing and assessment activities underway in the organization. The internal audit plan for cybersecurity is not set in stone. Adjustments can be made based on the emergence of new risks, changes in the relative intensity and importance of existing threats, and other organizational developments. Internal audit s role in strengthening cybersecurity Cyber risks continue to grow in frequency, variety, and the potential harm they can cause to companies, their trading partners, and their customers. Most businesses take these risks seriously, but more can be done, both to combat the dangers and to keep company leaders apprised of cybersecurity preparedness. Internal audit has a critical role in helping organizations in the ongoing battle of managing cyber threats, both by providing an independent assessment of existing and needed controls, and helping the audit committee and board understand and address the diverse risks of the digital world. 6

Contacts Contact us to further discuss internal audit s role in cybersecurity and how Deloitte Advisory is helping organization meet the expectations of boards and audit committees today. Sandy Pundmann Deloitte Advisory Managing Partner Internal Audit Deloitte & Touche LLP +1 312 486 3790 spundmann@deloitte.com Michael Juergens Deloitte Advisory Principal IT Internal Audit Deloitte & Touche LLP +1 213 688 5338 michaelj@deloitte.com Geoffrey Kovesdy Deloitte Advisory Senior Manager IT Internal Audit Deloitte & Touche LLP +1 212 436 5149 gkovesdy@deloitte.com Glenn Wilson Deloitte Advisory Senior Manager IT Internal Audit Deloitte & Touche LLP +1 213 688 6976 glennwilson@deloitte.com Clay Young Deloitte Advisory Partner IT Internal Audit Deloitte & Touche LLP +1 408 704 2772 clyoung@deloitte.com 7

Endnotes 1. Cybercrime will Cost Businesses Over $2 Trillion by 2019, Juniper Research, May 12, 2015, http://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion. 2. CF Disclosure Guidance: Topic No. 2, US Securities and Exchange Commission, October 13, 2011, https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 3. Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD)-21 Critical Infrastructure Security and Resilience, US Department of Homeland Security, [undated], http://www.dhs.gov/publication/fact-sheet-eo-13636-improving-critical-infrastructure-cybersecurity-and-ppd- 21-critical. 4. The framework in Figure 2 aligns with industry standards including National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Committee of Sponsoring Organizations (COSO) and Information Technology Infrastructure Library (ITIL). 8

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Copyright 2017 Deloitte Development LLC. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback