Gokhan Polat ☀️

Summary

The article discusses the importance of cybersecurity audits in ensuring information security maturity and managing risks.

Abstract

The article emphasizes the significance of cybersecurity audits in managing information security risks. It highlights the increasing number of cyberthreats and the need for organizations to invest in security measures. The article introduces the concept of the "CIA Triad" and its principles of confidentiality, integrity, and availability. It also discusses the potential consequences of failing to manage information assets, such as loss of reputation, financial loss, and legal obligations. The article suggests that a robust information security management system is essential for achieving a sound information security maturity level. It also mentions the ISO/IEC 27001:2013 Information Security Management System as a standard adopted by organizations to maintain optimal information security maturity. The article concludes by discussing the role of internal audit functions in evaluating cybersecurity measures and the need for senior management to direct internal audit resources towards cybersecurity.

Cybersecurity Audit — 1

With the increasing number of cyberthreats, it is becoming critical for audit plans to include cybersecurity…

Technology has a vital place in all areas of business life. Thanks to the blessings of technology, while computers produce reports and make necessary queries, our employees can perform different tasks, increase the efficiency and variety of services offered to stakeholders, and share data quickly.

Again, thanks to technology, we produce a lot of data. Our world is full of data. The size of the data we store is enormous. In less than ten years, organizations will have to deal with 30 times more data than they process today. This data should be stored, categorized, and classified appropriately. And of course, it should be protected very carefully.

Information security helps protect information from a wide range of threats to ensure business continuity, minimize related risks, and obtain maximum benefit from investments and opportunities. This definition is essential; it clearly shows us that information security is a tool, not a goal. Security always has a cost, and you have to pay it. In this respect, a cost-benefit analysis will show us how much security we need.

No organization on earth exists solely to provide information security. Basically, organizations exist to create value from which they can gain profit in return. None of them came to life specifically to have firewalls, IDSs, identification technologies, guards, policies, and procedures. However, today the scale and intensity of attacks on information assets seem to make us forget what is done for what purpose.

Legal obligations and reputational concerns force organizations to make huge security investments. So how much security will be enough? It is tough to answer this question. It is not possible to make a definite judgment as to what the limit should be. With each passing day, there are reports of serious data leaks occurring in trusted companies due to a new type of attack or the abuse of a minor vulnerability in expensive systems.

You will hear information security experts talk about the “CIA Triad” concept in their speeches. The primary purpose of information security is to continuously provide the confidentiality, integrity, and availability of the existing data.

  • Confidentiality: if a security mechanism provides confidentiality, it should be understood that there is a high level of assurance that your data and information system resources will not be accessible to unauthorized persons.
  • Integrity: from the concept of integrity, it should be understood that the accuracy of objects is preserved and that they can only be changed by authorized persons within their authority.
  • Availability: as the third principle of the “CIA Triad,” availability means that authorized persons have the opportunity to access data on time and without interruption.

Security controls and vulnerabilities are evaluated according to the extent to which these basic security principles are met or violated. What can happen when we fail to manage our information assets?

We can face some harmful consequences, such as:

  • Loss of reputation,
  • Financial loss,
  • Intellectual property damage,
  • Violation of legal and regulatory obligations.

Suppose we desire to prevent any of these harmful situations. In that case, it is necessary to keep the organization’s information security maturity at a level that meets the legislative requirements, sectoral expectations, and risk portfolio. What is the optimum maturity level for an organization? Determining this level requires reasonable and realistic analysis for each organization, and it is not possible to say anything in advance.

But I can say the essential condition for achieving a sound information security maturity level:

A robust information security management system provides a strong control environment and allows data to be securely created, controlled, stored, and accessed.


Today, the first thing that comes to mind when information security management systems are mentioned is the “ISO/IEC 27001:2013 Information Security Management System,” which is adopted by organizations that want to keep their information security maturity at an optimum level. The approach stipulated by ISO 27001 covers all organizational activities, and by increasing the level of information security in these activities it:

  • Contributes to the protection of stakeholder information,
  • Manages information security risks effectively and systematically,
  • Ensures legal compliance regarding information security,
  • Increases stakeholder confidence,
  • Protects the brand value and reputation of the institution,
  • And reduces the cost of services offered to customers.

As we all know, it is essential to monitor and assess the controls of the business processes regularly. Assessment of controls by someone other than those responsible for designing, implementing, and performing them improves the evaluation quality. The control measures of organizations regarding information security in general and cybersecurity, in particular, should also be observed and evaluated with an independent and competent understanding.

And the internal audit functions seem to be the right place for this task. However, directing internal audit resources to examine cybersecurity is a crucial decision that must be taken by senior management.

We use a multi-layered structure consisting of administrative, technical, and physical controls to protect organizational information assets against risks. This approach makes our defenses firm and robust. The three lines of defense model, known and accepted worldwide, embodies the basic risk management principle of “defense-in-depth.”

The three lines of defense model can beautifully depict the different aspects of information security risks and how they will be managed within the organization. Internal audit functions, which are in the third line of this defense model, should independently review security measures and performance.

The risks faced by organizations determine the types of audits to be performed and which areas will be given priority in the audit universe.

Generally, internal auditors focus on financial and compliance audits. These are seen as safe areas for internal auditors (due to their strong financial control knowledge), while cybersecurity audits are conducted by external auditors or experts with deep IT audit skills. However, research and surveys show us that the demand for cybersecurity audits is increasing. The IIA’s OnRisk 2021 survey shows that more members of management see cybersecurity as highly relevant to their organizations than any other key risk.

Directing internal audit resources to cybersecurity is an important decision that should be made by senior management. Only after understanding top management’s goals, concerns, expectations, and vision regarding technological change, the use of technology, and data protection should internal audit functions determine the areas to focus on.

I will continue my next article with suggestions on what kind of competencies are needed in terms of cybersecurity auditing and describing a path for auditors to follow to improve their skills in cybersecurity audit.

Follow us, and keep updated!
