In this issue, we offer a package of articles on the important topic of cybersecurity. As recent incidents such as Colonial Pipeline, JBS, and Kaseya demonstrate, cyberattacks aren’t slowing down. They are becoming more sophisticated and costly — and many organizations are poorly prepared to protect themselves.
The IIA recently released two Global Technology Audit Guides (GTAGs) that address internal audit’s role in helping protect their companies. Assessing Cybersecurity Risk: The Three Lines Model, released in late 2020, says auditors should assess:
- Who has access to the organization’s most valuable information?
- Which assets are most likely to be attacked?
- Which systems, if compromised, would cause the most significant disruption?
- Which data, if obtained in an attack, would cause financial or competitive loss, legal ramifications, or reputation damage?
The latest GTAG, Auditing Identity and Access Management (IAM), 2nd edition, digs deeper into information access management. “[IAM] controls are so fundamental to IT governance and the achievement of the organization’s IT-IS strategies and objectives, that the internal audit activity must examine how organizations control access…” the GTAG states.
Shawn Chaput, a consultant at Privity, a cybersecurity management company, says companies’ increasing reliance on IAM programs has become the most important risk since cloud computing came to prominence. Unfortunately, those measures often fall short, he tells Internal Auditor in “Reining in Cyber Risk.”
“Internal auditors should be able to evaluate their organizations’ implementation controls over the establishment of — and accountability for — IDs in every significant system,” writes David Petrisky, IIA professional practices director, in his recent InternalAuditor.org blog post, “Identity and Authentication.” Those systems include applications, databases, servers, network management solutions, and other computing and communications infrastructure, he says.
As technologies continue to evolve and introduce more threats and opportunities, Charlie Wright says internal auditors need to keep up with the pace of change and be ready to address what’s next. Readers can meet the new chairman of The IIA’s Global Board and learn more about his thoughts on technological transformation in “The Future-ready Internal Auditor.”