Several cybersecurity incidents have made front page news this year. The reality for businesses is that it is a perpetual source of risk. Eighty-seven percent of respondents to Deloitte's most recent Global Risk Management Survey say improving their ability to manage cybersecurity risk will be an extremely or very high priority over the next two years.
Cyber risk must be managed in a disciplined, systematic way, and cybersecurity frameworks are designed to enable that. Cyber risk management often is associated with the protocols and technology controls organizations have in place to detect and thwart threats, such as malware and phishing. However, internal auditors should understand that a cybersecurity framework consists of more than just tools companies use to guard data and IT. A robust framework lays the foundation for vital processes such as governance, risk identification and assessment, incident response, dissemination of information, and self-assessment and improvement.
Cybersecurity frameworks can be leveraged in various ways. For example, an organization may focus on strict adherence to a particular framework and its standards, and, thereby, be able to communicate to external parties that it is compliant, which promotes trust. It also may select elements of various frameworks that are most relevant to its business model and risk profile. Or it may hold up a framework, such as the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, as a model or an ideal state and then get as close as possible using available resources. In some cases, such as with the U.S. Health Insurance Portability and Accountability Act, strict adherence may be mandatory.
Regardless of the organizational approach, any viable cybersecurity framework will include several aspects: governance, risk identification and assessment, controls, response planning, communication, and continuous improvement.
Common Cybersecurity Frameworks
There are several well-known cybersecurity frameworks, including:
- Center for Internet Security (CIS) Critical Security Controls — A prioritized set of actions and best practices designed to mitigate the most prevalent cyberattacks.
- General Data Protection Regulation (GDPR) — An EU regulation rather than a voluntary framework; it applies to any organization, wherever it is located, that processes the personal data of individuals in the European Union.
- International Organization for Standardization (ISO)/IEC 27000 series — A family of standards for information security management systems (ISMS); ISO/IEC 27001 specifies the requirements an organization can be certified against, and ISO/IEC 27002 provides guidance on the supporting controls.
- NIST Cybersecurity Framework — A voluntary, risk-based framework developed by NIST with public- and private-sector input and commonly used by U.S. organizations; its core is organized around the functions Identify, Protect, Detect, Respond, and Recover, which map closely to the aspects of a framework described below.
- North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP) — A set of mandatory, enforceable reliability standards developed specifically to mitigate cyber risk to the bulk electric system in the utility/power sector.
- Service Organization Control 2 (SOC 2, now System and Organization Controls 2) — An attestation framework developed by the American Institute of Certified Public Accountants under which an independent auditor reports on a service organization's controls over security, availability, processing integrity, confidentiality, and privacy. A Type 1 report covers control design at a point in time; a Type 2 report covers operating effectiveness over a period. Customers use these reports to evaluate how vendors and partners manage their data.
- U.S. Health Insurance Portability and Accountability Act (HIPAA) — Mandatory for health-care covered entities and their business associates; its Privacy and Security Rules govern the confidentiality, integrity, and availability of protected health information, including electronic health records.
Governance
The role of governance is to promote and ensure accountability, responsibility, effective management, and responsiveness within an organization. From a cybersecurity standpoint, this includes setting a tone of responsibility around data and IT, defining the organization's risk appetite, providing resources and support, and organizing roles and lines of reporting to promote accountability and effective leadership.
Internal auditors, in turn, provide independent, objective assessments of the design and operating effectiveness of the organization's governance processes. It is vital that internal audit assess these processes as part of any cybersecurity-related audit.
Risk Identification and Assessment
A dynamic inventory of assets and business processes, along with related threats, vulnerabilities, existing controls, and consequences, is a critical component of the cybersecurity risk management strategy. This risk identification and assessment process should consider cybersecurity risk not just in terms of vulnerabilities to IT, but all cybersecurity-related risks companywide. These may include legal, regulatory, and reputational risk.
Many organizations are implementing data analytics and data mining to monitor risk and controls. These technologies can help ensure the completeness of risk inventories and serve as an early warning system for possible threats. At the same time, it is critical that key stakeholders communicate regularly about emerging risk and the effectiveness of controls.
Controls
This is the most obvious aspect of the framework, consisting of the array of tools and processes used to protect data and IT. It includes the technical tools and techniques, such as firewalls, authentication and password policies, software patching, logical and physical access controls, and intrusion detection, that are designed to achieve the desired level of security and control. Also included are the policies that define acceptable behaviors and requirements for employees and third parties.
Internal audit is a vital part of the control system. By identifying gaps and vulnerabilities, internal audit supports senior leadership in making informed decisions on what approach to take to mitigate threats.
Response Planning
It's extremely important for an organization to be able to recover as quickly as possible from a cyberattack, and robust incident response plans are a critical aspect of any cybersecurity framework. A plan should cover the full incident life cycle, from detection and containment through eradication, recovery, and post-incident review, not recovery alone. The scope of negative impacts to a company's finances and reputation is directly related to how quickly it is able to detect, contain, and recover from an incident.
Internal audit should keep management informed about business continuity plan implementation and emphasize that cyber incident response should be a top priority because of the inevitability of a security breach. Working closely with the business continuity leader, internal audit also should check to ensure that business continuity plans are up to date and that all critical business functions are covered.
Dissemination of information is an essential aspect of cybersecurity preparedness and response. In addition to restoring operations, incident response plans should include when and how to notify key internal decision-makers, authorities, customers, or the public, as well as communication of important information to employees.
Communication
Employee awareness is one of the most effective defenses against cyberattacks, and a formal communication plan is a vital component of the cybersecurity framework. Moreover, with today's quickly evolving threats, it's more important than ever for organizations to share information. For example, NIST SP 800-150, Guide to Cyber Threat Information Sharing, lays out multiple ways to share information internally and externally to help combat current and future cyber threats. This allows organizations to leverage communal knowledge, experiences, and capabilities based on threats they have been exposed to, and make better decisions while using improved defense and detection techniques and mitigation strategies.
Continuous Improvement
As cybersecurity incidents occur, they offer opportunities for the organization to improve its controls and supporting processes, provided there is a method in place for capturing lessons learned. Reviewing real-world incidents, as well as system test and internal audit results, provides valuable lessons that can be used to achieve better cybersecurity. It's essential that any cybersecurity framework provide for incident review, self-assessment, and continual improvement to stay on top of cyber threats. Internal audit should be a key piece of this function. Many audit teams use a continuous audit approach to look at a company's practices and controls to ensure that outdated processes are identified and mitigation practices stay relevant.
A Holistic Approach
Cybersecurity experts insist that while technological expertise is essential, effective cybersecurity is an enterprisewide endeavor that requires purposeful leadership, dynamic risk assessment, detailed response planning, employee awareness, and stakeholder engagement. Indeed, an organization must always be improving its strategies and processes to be better prepared for the next possible attack. This type of holistic approach cannot be carried out without a sound framework, and internal audit should remain attuned to whether these crucial aspects are present and functioning at their organizations.