INTRODUCTION
Cyber security is receiving increased attention from the boards of many organizations today, in large part because of the bad publicity generated by recent large data breaches. Senior members of management and corporate boards have lost their positions, and organizations have had to spend valuable resources on post-breach cleanup and on making their clients and customers "whole." Infrastructure spending has increased as organizations attempt to prevent breaches from occurring, and security technology investments in incident detection and response mechanisms are climbing to limit the damage and liability should an event occur.
These activities to enhance the infrastructure and defense mechanisms are welcome investments for those charged with protecting against and responding to attacks, but they represent only one necessary component of any cyber security program. The fundamental questions that need to be asked include:
• Where is the best place to invest the next security dollar?
• Is the right amount being invested?
• Are there areas of risk that are not being addressed?
• Is the current infrastructure sufficient?
• Are the dollars invested today being used wisely?
• How are competitors approaching this, and what are they spending on information asset protection?
These questions are best answered by: 1) evaluating the current and emerging risk to the organization, and 2) auditing the security controls that are currently in place, or planned to be in place, to protect the information assets.
Without formal processes to determine the risk, identify controls to mitigate the risk and subsequently audit those controls, the organization's assurance that its information assets are adequately protected is left to chance. Without formal processes, there is also the risk that inappropriate tools are purchased without an understanding of where each tool fits into the architecture. Did this tool replace another tool? Will this tool improve the cyber security capabilities sufficiently beyond the current tool set to warrant the additional cost? Given the risk the organization currently faces, could the money have been spent better somewhere else? Are the current tools implemented and being attended to, or were they purchased and are now shelfware?
This white paper provides guidance on evaluating the risk and auditing the cyber security controls of an organization. These concepts apply to organizations large and small, even though the investment dollars and approaches will differ in focus and scale.
CYBER SECURITY CONTROL SPECIFICATION
Each organization should design controls specific to its own risk posture and ensure that processes and people are in place to manage the controls continuously. Control issues are typically not caused by a failure of the technology; more often they result from individuals not executing the process, or from a process that is poorly defined. Administrative, technical and operational controls can be sourced from many places, using, for example, COBIT® 5 for Information Security1 as a baseline.
One of the primary goals of any cyber security program should be to limit the organization's attractiveness to an attacker. Hacking has moved well beyond the script kiddie threat stage, and the more time it takes an attacker to penetrate a system, the less desirable that target becomes. If an attacker wants to break into a car at a shopping mall during the holidays, it is easier to jiggle all the car door handles and find the one whose owner did not lock it than to break into the first car seen with a crowbar and potentially set off the alarm. Control investments are made across the organization through technical, administrative and operational investments in people, process and technology, and by growing a security-oriented culture. These investments may include:
• Awareness investment
• Policy investment
• Intrusion detection systems
• Event logging
• Incident response
• Vulnerability scanning
• Information asset classification
• Forward intelligence
• Architecture and technology hardening
• Systems hardening
1 ISACA, COBIT 5 for Information Security, USA, 2012, www.isaca.org/COBIT/Pages/info-sec.aspx
Auditing Cyber Security: Evaluating Risk and Auditing Controls
© 2017 ISACA. All rights reserved.
The attractiveness decreases as investments are made in the cyber security controls in the preceding list (see figure 1).
Leveraging Different Cyber Security Control Frameworks
There are many approaches available for specifying cyber security control environments, such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.2 The purpose of SP 800-53 is to provide guidelines for selecting and specifying security controls for information systems supporting executive agencies of the US federal government. The NIST model, in contrast to the COBIT® 5 model, is very prescriptive in nature and may be overwhelming to many organizations. SP 800-53 contains very detailed control definitions and may be best used to complement and help develop the organization-specific detailed activities that perform the COBIT 5 practices, which in turn, as indicated in the previous section, support the overarching cyber security process.