While Mr. Bean would most definitely not send you a malicious e-mail, someone else might. What will you do? Most likely you'd not even open it, right? I once opened such an e-mail. I received an e-mail saying I was being given a performance-based award from the company. I was excited and decided to thank my manager; I just assumed she must have recommended me for the award. I should have seen a red flag in the fact that the award was not associated with any specific project. I was excited, however, because this kind of award usually comes with some dollar amount in gift cards, fifty or a hundred dollars sometimes. I sent a thank-you e-mail to my manager and then called her almost immediately. My manager started laughing on the phone while she told me it was just a test from the compliance team. They were trying to see how many employees would fall for a phishing e-mail that appears to come from the company. Well, I technically passed the test, as I had not yet clicked on the link; but I was planning to. I only wanted to say thank you to my manager before clicking on the link to claim my Amazon gift card or something like that. I believe your company might also send out such e-mails to you as part of your organization's cybersecurity awareness and training program.
I read a blog post from Neil Lappage on baselining cybersecurity skills for all IT professionals and it made me think of cybersecurity audit. When it comes to cybersecurity, most organizations are either trying to be as protected as possible or they have given up on worrying about the cyber threats that could affect them or their enterprise. I believe it's better to learn from other companies' experience and secure your organization's information systems as much as possible. According to ZDNet, some of the data and information-system breaches reported in 2020 were:
- About 30 million records from Wawa Inc. (a chain of convenience stores and gas stations), containing customers' details, were put up for sale online.
- A Texas school district (Manor Independent School District) lost $2.3 million in a phishing scam.
- A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.
- Clearview AI’s entire client list was stolen due to a software vulnerability.
- GE warned workers that an unauthorized individual had accessed information belonging to them, due to security failures at supplier Canon Business Process Services.
- Virgin Media reported that the data of 900,000 users was exposed through an open marketing database.
- NutriBullet became the victim of a Magecart (payment card skimming) attack, with skimming code infecting the firm's e-commerce store.
- Marriott disclosed a new data breach impacting 5.2 million hotel guests.
These are just a few of the cybersecurity breaches reported in 2020. Auditing your cybersecurity program might be something you do yearly, but for organizations that want some direction on how to go about it, here are some steps to take:
1. Know the purpose, size, and scope of your organization’s cybersecurity program.
- Since different organizations have different goals, the form and structure of their cybersecurity programs also vary. A business entity's cybersecurity program depends on several factors, the most important being the kind of assets that need to be protected and the size of the revenue those assets support.
- Another factor that determines the size of an organization's cybersecurity program is its perceived threats and vulnerabilities, as established by a comprehensive risk assessment or threat modelling exercise.
- Sometimes the size of the cybersecurity program is determined by the amount of senior management support for IT projects, or by management's perception of the potential and actual threats and vulnerabilities that affect the organization (this is the control environment as described by the COSO internal control framework). So your audit team has a responsibility to help management form an accurate picture of the cyber threats affecting your organization.
There are also industry-specific requirements that can determine the size of a company's cybersecurity program. Examples include:
- PCI DSS (Payment Card Industry Data Security Standard) requirements for retailers and any other company that stores, processes, or transmits customers' payment card data. The standard applies regardless of volume; what scales with the annual transaction count is the validation requirement, from a self-assessment questionnaire at the low end to an on-site assessment by a Qualified Security Assessor at the high end.
- Companies that process the personal data of people in the European Union, whether or not the company itself has operations in Europe, must comply with the EU General Data Protection Regulation (GDPR); this affects both the budget and the personnel the organization invests in its cybersecurity program.
To sum up, the organization's overall risk exposure and these other factors must be determined and documented in order to establish the scope, size, and purpose of its cybersecurity program.
2. Have a well-documented audit program or steps to cover different areas of the program.
The audit program should be developed from the first step above and focused on the scope of the cybersecurity audit. If your organization already has a team of cybersecurity auditors who specialize in the different areas in scope, the IT audit team should review their most recent audit reports before starting.
- Identify the people involved in the organization's cybersecurity program (e.g., the CIO), find the process owner, and have them walk you through the processes involved. This gives you the necessary understanding of the control processes and the relevant evidence, such as documentation (e.g., the IT security policy covering the cybersecurity program, proof of its enforcement, and the disaster recovery or incident response plan). The IT security policy should cover the essential processes and systems needed to meet the security needs of the assets. The focus should be on the confidentiality, integrity, and availability of data, as well as the processes that secure the information system assets. It is important to verify how adequate the policy is in terms of coverage of your organization's IT environment.
- Performing the audit should also involve mapping the security attributes of the assets in scope (which could be processes or systems) to the controls that deliver those attributes, so that any attribute with no control behind it shows up as a finding. Only three attributes are mentioned above (confidentiality, integrity, and availability), but the list could be longer if the SABSA attributes (from the Sherwood Applied Business Security Architecture) are adopted.
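The attribute-to-control mapping above is easiest to audit when it is written down as data rather than prose. The following is an added example (not from the original post) of that mapping as a small Python script: each in-scope asset lists the attributes it requires, each control lists the attributes it delivers, the assets it covers, and the date operating evidence was last obtained, and the script reports two kinds of finding, attributes with no control behind them and controls with no evidence inside the audit period. The asset names, control names, dates and the SABSA-style attribute list are all constructed for illustration.

```python
"""Attribute-to-control coverage check for a cybersecurity audit.

Added example, not part of the original post. The assets, controls,
evidence dates and attribute list below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# The first three attributes are the CIA triad named in the post; the rest
# are examples of the longer SABSA-style list it mentions (assumed names).
ATTRIBUTES = ("confidentiality", "integrity", "availability",
              "accountability", "auditability", "recoverability")


@dataclass
class Asset:
    name: str
    required: FrozenSet[str]        # attributes the asset must have


@dataclass
class Control:
    name: str
    provides: FrozenSet[str]        # attributes the control delivers
    covers: FrozenSet[str]          # assets the control applies to
    last_tested: Optional[date]     # when operating evidence was last obtained


ASSETS = [
    Asset("payments-db", frozenset({"confidentiality", "integrity",
                                    "availability", "auditability"})),
    Asset("hr-portal", frozenset({"confidentiality", "integrity",
                                  "availability", "auditability"})),
    Asset("public-website", frozenset({"integrity", "availability"})),
]

CONTROLS = [
    Control("disk-encryption", frozenset({"confidentiality"}),
            frozenset({"payments-db", "hr-portal"}), date(2020, 3, 15)),
    Control("db-audit-logging", frozenset({"auditability", "accountability"}),
            frozenset({"payments-db"}), date(2019, 11, 2)),
    Control("nightly-backups", frozenset({"availability", "recoverability"}),
            frozenset({"payments-db", "hr-portal"}), date(2020, 5, 1)),
    Control("waf", frozenset({"integrity", "availability"}),
            frozenset({"public-website"}), None),
    Control("change-management", frozenset({"integrity"}),
            frozenset({"payments-db"}), date(2020, 4, 20)),
]

PERIOD_START = date(2020, 1, 1)   # start of the audit period


def coverage_matrix(assets, controls):
    """For each asset and required attribute, the controls delivering it."""
    matrix = {}
    for asset in assets:
        matrix[asset.name] = {
            attr: sorted(c.name for c in controls
                         if attr in c.provides and asset.name in c.covers)
            for attr in sorted(asset.required)
        }
    return matrix


def coverage_gaps(assets, controls):
    """(asset, attribute) pairs that no control delivers: design findings."""
    return [(asset, attr)
            for asset, row in coverage_matrix(assets, controls).items()
            for attr, names in row.items() if not names]


def stale_evidence(controls, period_start):
    """Controls with no test evidence in the audit period: operating findings.
    A control that exists on paper but was never tested counts as stale."""
    return sorted(c.name for c in controls
                  if c.last_tested is None or c.last_tested < period_start)


def findings(assets, controls, period_start):
    """Human-readable findings list for the audit report."""
    out = [f"No control delivers {attr} for {asset}"
           for asset, attr in coverage_gaps(assets, controls)]
    out += [f"No evidence of {name} operating since {period_start.isoformat()}"
            for name in stale_evidence(controls, period_start)]
    return out


if __name__ == "__main__":
    for line in findings(ASSETS, CONTROLS, PERIOD_START):
        print(line)
```

The two finding types are deliberately separate: a coverage gap is a design problem (the policy never addressed the attribute), while stale evidence is an operating problem (the control exists but nobody can show it worked during the period). Both end up in the report, but they go to different owners.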
3. Examine the cybersecurity awareness training program and the process by which cybersecurity information is communicated within your organization.
It is also important to evaluate the process for ensuring that the IT security employees have the knowledge and skills required to secure the assets in scope. While it would be challenging to evaluate such criteria across the entire organization, sending out e-mails like the company-generated test phishing e-mail I mentioned earlier would be helpful in training employees and assessing the risk of incoming threats.
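An auditor reviewing a simulated phishing campaign will want more than the headline click rate. The following is an added example (not from the original post, and not the output of any particular phishing platform) that scores a campaign from an event log: it works out each recipient's worst outcome, the click, credential-submission and report rates per department, how long the first reports took to arrive, and which people clicked but still reported, which is a training success worth counting on its own. The log lines and the event names (delivered, opened, clicked, submitted, reported) are constructed for the example.

```python
"""Scoring a simulated phishing campaign from an event log.

Added example, not part of the original post. The log lines below are
constructed, and the event vocabulary is an assumption about what a
phishing simulation tool records.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log: ISO timestamp, user, department, event.
LOG = """\
2020-06-01T09:00:00 alice finance delivered
2020-06-01T09:00:00 bob finance delivered
2020-06-01T09:00:00 carol engineering delivered
2020-06-01T09:00:00 dave engineering delivered
2020-06-01T09:00:00 erin sales delivered
2020-06-01T09:03:10 alice finance opened
2020-06-01T09:04:05 alice finance clicked
2020-06-01T09:05:30 alice finance submitted
2020-06-01T09:07:00 bob finance opened
2020-06-01T09:08:00 bob finance reported
2020-06-01T09:10:00 carol engineering opened
2020-06-01T09:11:00 carol engineering clicked
2020-06-01T09:12:30 carol engineering reported
2020-06-01T09:20:00 erin sales opened
"""

# Ordering of outcomes from harmless to worst; "reported" is tracked separately
# because it can happen before or after any of these.
SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}


def parse(log):
    """Parse log lines into (timestamp, user, department, event) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, dept, event = line.split()
        events.append((datetime.fromisoformat(ts), user, dept, event))
    return events


def per_user(events):
    """Worst outcome per recipient, plus delivery time and first report time."""
    users = {}
    for ts, user, dept, event in sorted(events):
        u = users.setdefault(user, {"dept": dept, "worst": "delivered",
                                    "delivered_at": ts, "reported_at": None})
        if event == "delivered":
            u["delivered_at"] = ts
        elif event == "reported":
            u["reported_at"] = u["reported_at"] or ts   # keep the first report
        elif SEVERITY[event] > SEVERITY[u["worst"]]:
            u["worst"] = event
    return users


def department_summary(users):
    """Click, credential-submission and report rates per department."""
    by_dept = defaultdict(list)
    for u in users.values():
        by_dept[u["dept"]].append(u)
    summary = {}
    for dept, members in by_dept.items():
        n = len(members)
        summary[dept] = {
            "users": n,
            "click_rate": sum(SEVERITY[m["worst"]] >= 2 for m in members) / n,
            "submit_rate": sum(m["worst"] == "submitted" for m in members) / n,
            "report_rate": sum(m["reported_at"] is not None for m in members) / n,
        }
    return summary


def minutes_to_report(users):
    """Median minutes from delivery to first report; the first report is what
    gives the security team its chance to pull the message from other inboxes."""
    deltas = [(u["reported_at"] - u["delivered_at"]).total_seconds() / 60
              for u in users.values() if u["reported_at"]]
    return median(deltas) if deltas else None


def clicked_then_reported(users):
    """Recipients who took the bait but still reported it."""
    return sorted(name for name, u in users.items()
                  if SEVERITY[u["worst"]] >= 2 and u["reported_at"])


if __name__ == "__main__":
    users = per_user(parse(LOG))
    for dept, row in department_summary(users).items():
        print(dept, row)
    print("median minutes to report:", minutes_to_report(users))
    print("clicked but reported:", clicked_then_reported(users))
```

When reviewing a campaign, ask for the report rate and time-to-report alongside the click rate: a department where half the people clicked but the first report arrived within ten minutes is in better shape than one where nobody clicked and nobody reported either, because only the former gives the security team something to act on in a real attack.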