
Information Security & IT General Controls Guide

Security
1. Information Security
An understanding of information security includes familiarity with IT general controls,
identity and access management, information security controls, data privacy, emerging
technology, and cybersecurity risks.
IT General Controls and Physical Security
User Authentication and Authorization Controls
Information Security Controls
Data Privacy and Security
Emerging Technology
Cybersecurity Risks
Cybersecurity Policies
1.1. IT General Controls and Physical Security
This topic introduces information security and then addresses IT general controls up
front, since they apply to so many areas of information security. It next covers physical
security, which is one category of IT general controls. The topic concludes with a
discussion of common types of physical security controls, for example, cards, keys, or
biometrics.
In addition to reviewing the contents of this topic, students can review the following IIA
materials:

Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and
Controls,” 2nd Edition

Global Technology Audit Guide (GTAG) 15, “Information Security Governance”
Information Security
Information security relates to protecting
confidentiality, integrity, and availability.
IT General Controls
Information security needs to be a
holistic endeavor, and the way to
accomplish this is through a strong set
of IT general controls (ITGCs).
Physical Security and Physical
Security Controls
Physical security controls include
physical access controls, asset controls,
environmental hazard controls, and fire
and flood protection.
IT Operational Controls
IT operational controls are part of IT
general controls and include IT
organizational structure, segregation of
IT duties, financial and budgetary IT
controls, operational change
management, operational data security
controls, and security level
management.
(1) Information Security
Information security is the set of policies, processes, and procedures used to protect
the organization’s intellectual property by ensuring the confidentiality, integrity, and
availability of the organization’s data and information in any format (electronic, print, or
other media).

Confidentiality is enabling only authorized persons to access or view the
information.

Integrity is assurance that the data has not been improperly altered, is correct,
and is reliable.

Availability is ensuring that authorized roles and individuals have access to the
information and information systems required to perform their duties without
unreasonable outages.
In addition to establishing preventive and detective controls, information security
involves continuously monitoring and responding to security threats. Information
security extends to the data in storage, processing, and transit.
Information Security Risk Management Practices
It is not possible to mitigate all information security risks. A risk management process is
needed to manage exposure to potential information losses.
Information security risk management encompasses the processes an organization
puts into place so that security controls and expenditures are appropriate and effective
at mitigating risk exposures. The security risk management process should be
appropriate for the organization and its security objectives and can follow a typical
enterprise risk management format such as is described in Part 1 of these materials.
The internal audit activity may assess information security risks using the following
techniques and tools:

Analysis of reported incidents. Records can provide valuable information
about potential and actual losses.

Review of exposure statistics. Statistics from insurance carriers, industry
associations, and regulatory agencies can provide guidance about potential risk
exposures.

Mapping key processes. Developing process maps and identifying potential
risk points provide helpful insights.

Periodic inspections. Health and safety inspections can surface compliance
lapses and also uncover opportunities to decrease risks.

Periodic process and product audits. Such internal audits can incorporate
specific questions to identify potential risks.

Assessments of management system effectiveness. Beyond internal audits
conducted to verify conformance to one or more standards or to assess
continual improvement, this technique can identify gaps in management
systems that expose the organization to potential losses.

Scenario analysis. Tools such as brainstorming and mind mapping are effective
to identify all the consequences that could occur in a worst-case scenario.
This list could go on. The point is to do whatever is necessary to identify and prioritize
risks.
Special Information Security Considerations
While the primary monitoring role over information security (and other areas) is with
management rather than internal audit, internal audit’s role is to periodically monitor the
effectiveness of information security management. This includes assessing the
organization’s information confidentiality, integrity, and availability practices and
recommending, as appropriate, enhancements to, or implementation of, new controls
and safeguards.
Such assessments can be either conducted as separate stand-alone engagements or
integrated into other audits or engagements conducted as part of the annual audit plan.
The nature of the engagement will determine the most appropriate process for
reporting to senior management and the board.
Assessments of information security should start with an overall assessment of the
control environment and any control frameworks in use. Implementation Guide 2130
notes that:
[The CAE] should first consider the risk appetite, risk tolerance, and risk culture of the
organization. It is important for internal auditors to understand the critical risks that
could inhibit the organization’s ability to achieve its objectives, and the controls that
have been implemented to mitigate risks to an acceptable level.
The CAE determines whether the internal audit activity possesses or has access to
competent audit resources to evaluate information security and associated risk
exposures. This includes both internal and external risk exposures and exposures
relating to the organization’s relationships with outside entities. If specialized
knowledge and skills are required, the organization may need to secure external
service providers.
Guidance recommended by The IIA includes specific responsibilities for the internal
audit activity. As Implementation Guide 2130 further states:
It is important for internal auditors to obtain a thorough understanding of the control
framework(s) adopted either formally or informally by the organization and to become
familiar with globally recognized, comprehensive control frameworks.
To fulfill this standard, the CAE determines whether information integrity breaches and
conditions that might represent a threat to the organization will promptly be made
known to senior management, the board, and the internal audit activity.
Internal auditors assess the effectiveness of preventive, detective, and mitigation
measures against past attacks, as appropriate, and future attempts or incidents
deemed likely to occur. They determine whether the board has been appropriately
informed of threats, incidents, vulnerabilities exploited, and corrective measures.
Determine Disposition of Security Violations
It is reasonable to expect that the internal audit activity will monitor whether and how
well information security violations are corrected when they are discovered (similar to
corrective action plans in response to internal audits). In doing so, the focus of the
internal auditor should be to ensure that the root causes of the security violations are
addressed.
Report on Compliance
The internal audit activity can report to management and the board on the level of
compliance with security rules, significant violations, and their disposition.
With regard to information security, high-level compliance can be achieved through the
implementation of codes of practice for information security compliance. An example is
ISO/IEC 27002:2013, which:

Focuses on information security controls and establishes guidelines and general
principles for initiating, implementing, maintaining, and improving information
security management in an organization.

Contains best practices for control objectives and controls that can be applied
by any organization, regardless of size or industry.
Organizations adopt ISO/IEC 27002 to develop organizational security standards and
effective security management practices, address legal and regulatory concerns, and
better manage compliance.
(2) IT General Controls
In addition to the application-specific controls discussed later in these materials,
information security relies on having a comprehensive set of IT general controls.
IT general controls (ITGC) are those IT controls that form the basis of the IT control
environment (a framework for ensuring comprehensive information security) and apply
to all systems, components, processes, and data for a given organization or systems
environment. The other broad category of IT controls is application controls, which
relate to a specific application and so are not general. Some ITGCs are business-related, such as segregation of duties, and others are technical and relate to the
underlying IT infrastructure.
Information security needs to be a holistic endeavor so that a strong protection in one
area is not simply bypassed in some other way, such as:

An outside person bypassing external access security by accessing the network
through someone’s computer with weak protections (or stealing a laptop with
sensitive data).

An unscrupulous programmer adding a backdoor into a computer system during
systems development or a system update.
To help internal auditors understand the context for ITGCs, Exhibit 3-31 shows how IT
general controls as well as application controls exist to support overall business
functions. Note how ITGCs relate to both applications and the IT infrastructure services
while application controls relate only to applications.
Exhibit 3-31: Understanding the IT Environment in a Business Context
The effectiveness of ITGCs is measured by the number of:

Incidents that damage the enterprise’s public reputation.

Systems that do not meet security criteria.

Violations in segregation of duties.
ITGCs are classified in the Global Technology Audit Guide (GTAG) 1, “Information
Technology Risk and Controls,” 2nd Edition, as follows:
Many of these categories are of such importance that they are addressed in more
detail later in these materials, in topics devoted specifically to each.
(3) Physical Security and Physical Security Controls
Physical security involves the physical and procedural measures used to protect an
organization’s buildings, the occupants, and the building contents. The goal in
workplace security is to eliminate or reduce the risk of harm to facility occupants first,
followed by risk of loss of organizational assets—tangible and intangible—from human
and natural disasters.
There are many sources of physical security vulnerabilities. Examples include:

Unauthorized access to facilities, systems, etc.

Natural disasters (e.g., fires, floods, hurricanes, tornadoes, earthquakes).

Service disruptions (e.g., telecommunications, network, Internet access,
electrical power, equipment, supply chain).

Human error.

Theft and vandalism.

Terrorism or sabotage.
A general physical security control is physical security awareness training for
personnel. Pre-employment background reference checks, post-employment security
clearances, and separation of job duties are additional general measures that can help
mitigate physical security risks (e.g., theft).
Ideally, physical security begins with workspace design. A few obvious examples are:

Smoke alarms.

Adequate lighting throughout a facility.

Installation of an electronic security system for building entry.

A reception area with staff or a security guard, sign-in sheets, and visitor
badges.

Restricted areas, such as the data center.
Physical security controls include physical access controls, asset controls,
environmental hazard controls, and fire and flood protection.
Physical Access Controls
Physical access controls are the real-world (tangible) means of providing and limiting
access to buildings, data centers, record rooms, inventory areas, and key operational
areas to only authorized persons (and denying access to unauthorized persons). Note
that many of these same types of access controls can be used to provide or deny
access to computer systems or other devices. Access controls could include:

Keys or keycards.

Some type of code or password.

A biometric scan.
Higher levels of security may be provided by increasing the complexity of one of these
levels (also called factors). For example:

Preventing access to an asset could use a lock and a physical key, but there
would be no audit trail of who accessed that door (except perhaps for security
camera footage).

Keycard systems identify a particular user badge. A security computer checks
the badge against a list for access, and an access log indicates which badge
was used and when.

Biometric devices check a user’s identity through fingerprints, palm scans, iris
photos, face recognition, and/or other unique physical identifiers. The scan is
compared to a copy in a security database, so there is also an audit trail here.

Even greater security could require two-level identification (or even three-level
identification): a keycard and a password, a keycard and a biometric scan, etc.
Note that audit trails are an IT operational control and so are discussed in another
topic.
Some facilities should have security guards and/or checkpoints such as with metal
detectors. There may be a process to grant access to facilities such as log books and
monitoring of all entry points. Visitor escorts may be required. All persons may be
required to have visible identification badges with area-specific access rights.
In addition to authentication for access, all areas of a building should be covered by a
general security system, including motion sensors and cameras in key areas as well as
devices to detect break-ins. There may need to be perimeter restrictions such as
fences. Physical security can also be role-based, with certain areas more secure than
others, even to IT staff.
Data centers (or safes) should not be located along an exterior wall but should be in an
inconspicuous location with as few doors as fire codes allow. If the data is extremely
sensitive, sturdy walls may need to extend all the way to the permanent ceiling above.
Asset Controls
Hardware not in a data center, such as laptops or PCs, can be physically secured with
locks and have their own small uninterruptible power supplies (UPSs) and surge
suppressors. Exposed wiring should be minimized using wiring closets or patch panels.
Environmental Hazard Controls
Certain facilities may need protections from specific environmental hazards such as
earthquakes or hurricanes, either as part of the design or as a retrofit. The building
envelope needs to be maintained properly to keep out the elements in any facility.
Heating, ventilation, and air conditioning (HVAC) are vital for all facilities but especially
in climates with extreme temperatures. HVAC systems need to be kept maintained and
free from pathogens. Building occupant satisfaction may also be an objective. Backup
power supplies or systems may be needed.
For server rooms:

HVAC is particularly important. Servers function better in cool, low-humidity
rooms. The air must be clean and free from smoke and particles, especially
metallic particles, which can ruin tapes or CPUs.

UPSs and surge suppression should be employed.

Devices need to be grounded and the floor covered with static takeoff.

Electromagnetic interference from outside devices can be minimized by proper
shielding.
Maintenance and housekeeping schedules for dust removal should be set and adhered
to as per manufacturer recommendations. Logs of hardware cleaning and malfunctions
should be kept. Internal auditors can check to see if actual maintenance patterns
match suggested patterns; they can also check on the lag between when issues are
reported and when they are fixed.
Fire and Flood Protection
Fire and flood protection systems need to be in place per local building codes, and
testing and maintenance schedules need to be validated and tests or maintenance
observed. Media storage should be fire-rated, and backup and disaster contingency
measures should be in place. Fire alarms and moisture detectors should be used.
Sprinkler systems may be required.
(4) IT Operational Controls
IT operational controls are part of ITGCs and include:

IT organizational structure.

Segregation of IT duties.

Financial and budgetary IT controls.

Operational change management.

Operational data security controls.

Security level management.
IT Organizational Structure
Examples of controls that can be built into IT organizational structure include:

Minimizing the number of users with administrative privileges.

Using software tools and direct observation by supervisors to monitor the
activities of users with administrative privileges.

Setting policy guidelines for all employees to take a certain minimum number of
consecutive days off at least annually, with special emphasis and/or required job
rotations for persons with sensitive roles or access privileges such as systems
controllers.
Segregation of IT Duties
Segregation of IT duties can occur at the ITGC level or the application level.
Segregation of duties at the ITGC level relates primarily to restrictions to the roles of
individuals, while application-level segregations are primarily automated controls within
systems. Segregation of duties at the ITGC level includes:

Following the identity and access management (IAM) principle of allowing
access only if the job function requires it.

Ensuring that initiation, authorization, input, processing, and validation of data
are all done by different individuals and possibly by different departments.

Ensuring that employees with physical custody of assets do not have access to
the related computer records or have any other related authorization rights or
privileges.

Separating systems development and operations:

Programming and change deployment should be organizationally and
physically separate from users with access to production systems, and
neither should be able to do the others’ tasks.

Neither should have access to file libraries (a function of a system
librarian) or input/output controls (a function of the systems controller).
Other segregations include systems analysis and data entry.
Smaller organizations may not have the luxury of this level of segregation of duties. If
this is the case, combined roles require greater scrutiny. Inadequate segregation of
duties could heighten the potential for fraud, including misappropriation of assets and
fraudulent financial reporting or statements. It could also result in data tampering and
loss of data privacy.
Financial and Budgetary IT Controls
Management needs to ensure that the sizable investments in IT development and
support are effective in helping meet organizational objectives and are efficient from a
cost-benefit perspective. Related controls include:

Ensuring that there is a process to justify and approve software projects or
ongoing operations using measurable metrics such as projected return on
investment or savings.

Monitoring and controlling software projects and operations against baselines.

Evaluating completed software projects or operational results against their
projected results or baselines to determine the accuracy of those projections,
and reporting on results.
Operational Change Management
While program change management controls are discussed in a different topic, some
IT organization-level change management controls are discussed here. Change
management controls at the operations level include:

Reviewing exception reporting and transaction logs.

Separating testing and production environments by formal data migration
processes.

Ensuring that adequate audit trails exist.
Audit trails log the functions performed and the changes made in a system, including
who made the change and when, for example:

An audit log could show repeated incorrect password entries to investigate.

Comparisons of users to their activities can highlight unusual activities.

Use of sensitive or powerful command codes can be reviewed.
The audit trail is either kept in a separate file or sent to the system activity log file.
Access to it must be restricted to as few users as possible, and those access
restrictions should themselves be reviewed.
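The three review uses of an audit trail listed above (repeated incorrect password entries, comparing users to their activities, and use of sensitive or powerful command codes) can be carried out automatically over a log. The following is an added example, not code from the guide or from The IIA: it parses a constructed sample log in a hypothetical key=value format, flags any user with five or more failed logins inside a five-minute sliding window, lists every use of a command from a hypothetical sensitive-command set (marking users outside a hypothetical privileged-user list for review), and builds a per-user activity profile. The log lines, user names, command names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, not from any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice event=LOGIN_FAIL src=10.0.0.5
2024-03-01T08:00:09Z user=alice event=LOGIN_FAIL src=10.0.0.5
2024-03-01T08:00:15Z user=alice event=LOGIN_FAIL src=10.0.0.5
2024-03-01T08:00:22Z user=alice event=LOGIN_FAIL src=10.0.0.5
2024-03-01T08:00:30Z user=alice event=LOGIN_FAIL src=10.0.0.5
2024-03-01T08:01:00Z user=alice event=LOGIN_OK src=10.0.0.5
2024-03-01T08:05:00Z user=bob event=LOGIN_FAIL src=10.0.0.9
2024-03-01T09:05:00Z user=bob event=LOGIN_OK src=10.0.0.9
2024-03-01T09:06:10Z user=bob event=CMD cmd=DROP_TABLE target=payroll
2024-03-01T09:07:00Z user=dba01 event=CMD cmd=DROP_TABLE target=staging
"""

# Assumed lists: which commands count as "powerful" and which accounts may use them.
SENSITIVE_CMDS = {"DROP_TABLE", "GRANT", "USERADD"}
PRIVILEGED_USERS = {"dba01"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def repeated_failures(events, threshold: int = 5, window=timedelta(minutes=5)):
    """Users with at least `threshold` LOGIN_FAIL events inside one sliding window.

    Returns {user: largest number of failures seen in any window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "LOGIN_FAIL":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def sensitive_command_use(events):
    """Every use of a powerful command as (user, command, needs_review).

    needs_review is True when the user is not on the privileged-user list.
    """
    return [
        (e["user"], e["cmd"], e["user"] not in PRIVILEGED_USERS)
        for e in events
        if e.get("event") == "CMD" and e.get("cmd") in SENSITIVE_CMDS
    ]


def activity_profile(events):
    """Per-user counts of each event type: the 'compare users to their activities' view."""
    profile = defaultdict(lambda: defaultdict(int))
    for e in events:
        profile[e["user"]][e["event"]] += 1
    return {user: dict(counts) for user, counts in profile.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("repeated failures:", repeated_failures(evts))
    print("sensitive commands:", sensitive_command_use(evts))
    print("activity profile:", activity_profile(evts))
```

The sliding window matters: five failures spread over a working day are ordinary, five within half a minute are worth investigating, so the check is on density rather than a daily total. Marking rather than blocking command use keeps the review decision with a person, as the text's "can be reviewed" implies.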
Preventive maintenance should be performed on hardware and software systems and
on their controls, because doing so is almost always less expensive than dealing with
problems arising from poor maintenance. An operations control group should also be
formed to monitor the results of production, including record keeping and balances of
input and output.
Operational Data Security Controls
In addition to controls for the backup of data, organizations need controls over data as
it is being used. In general, data security must be maintained:
Data policies are enforced through data standards, which define how things need to be
done to meet policy objectives. Enforced standards keep systems functioning efficiently
and smoothly. Standards should be set for systems development processes, software
configuration, application controls, data structures, and documentation.
Some controls over data security have already been mentioned. The following are a
few others:

End-user training in the proper use of email and the Internet is important.

Logical controls should prevent end users from installing new software.

Applications should be safeguarded by keeping them in computer program
libraries, which should be restricted by physical and logical access controls.

There should be a secure process for removing old IT hardware, because sensitive
data may remain on the drives. This means ensuring that deleted files are really
deleted, by using special file deletion software or by physical electromagnetic wiping,
before hard drives or backup tapes are resold or discarded.
Security Level Management
Not every system needs the highest level of security. The cost of the security measures
should be commensurate with the level of risk mitigation required, so this requires
customization for the organization.
To determine appropriate network security levels, the organization assesses its data
repositories and physical security requirements and assigns security risk levels:

The highest-security physical area or data in a database defines the area’s
security level, for example, key projects such as R&D data would have elevated
security.

The availability, integrity, and confidentiality requirements for each area are
assessed.
Once the security level is known, a multi-tiered security system can be designed,
including provisions for physical, software, program library, and application security.
1.2. User Authentication and Authorization Controls
This topic differentiates among the various forms of user authentication and
authorization controls, for example, two-level authentication (e.g., passwords and
biometrics). The topic also discusses identity and access management, including
related risks.
In addition to reviewing the contents of this topic, students can review the following IIA
materials:

Global Technology Audit Guide (GTAG) 9, “Identity and Access Management”
Levels of Authentication
Levels of authentication can include
factors such as something a person
has, something a person knows, and/or
something a person is.
Identity and Access Management
(IAM)
Various policies, procedures, activities,
and technologies are used to identify
authorized users.
User Authentication and
Authorization Control Risks
Internal auditors must be aware of the
risks of failing to properly authenticate
users or systems or to provide proper
authorization controls.
(1) Levels of Authentication
User authentication and authorization controls for applications are sometimes called
application authentication. With application authentication, a software application is
able to grant access only to authorized users or systems and prevent unauthorized
access. Application authentication also depends on implementing logical access
controls, which are basically a framework for allocating appropriate access.
As with physical access authentication, user authentication can require up to three
levels. The three basic levels, or factors, for authenticating an individual to provide
physical access, access to a device, or access to an application are:

Something the person has, such as a key, a keycard/badge, a credit card, a
cryptographic key, or a registered mobile device.

Something the person knows, such as a user name and alphanumeric password
or a numeric code.

Something unique to the individual, in other words, a biometric trait (e.g.,
fingerprint).
One form of application authentication, possible in Microsoft Windows, for example, is
the creation of role-delimited accounts for authorized users with required identification
(something the person knows). Web applications can also authenticate users, who may
be assigned to roles, such as customer, user, manager, etc., and assigned a log-in
code, which is sent to the web server for verification. This verification process creates
an audit trail.
Greater security may be provided by increasing the complexity of one of these levels or
by requiring multi-factor authentication. Two-level (or two-factor) authentication is
usually “adequate to meet the highest security requirements,” according to NIST
Special Publication 800-63-3, “Digital Identity Guidelines.” (NIST is a U.S. national
standards-setting body.) A common example of two-level identification for some types
of access is a person entering a password (something he or she knows) but also
receiving an access code on a mobile device (something that is registered to him or
her). Many mobile devices and laptops also now have built-in fingerprint or facial
recognition as an alternate level of authentication.
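The two-factor example in the paragraph above, a password (something the person knows) combined with a time-based code generated on a registered device (something the person has), can be implemented as follows. This is an added illustration, not code from the guide or from NIST: the password is checked against a salted PBKDF2 hash, the device code is a standard 6-digit TOTP (RFC 6238, HMAC-SHA1 over a 30-second counter), and every attempt is appended to an in-memory audit trail. The user record layout, the `make_user`/`authenticate` names and the in-memory store are assumptions; a real deployment keeps the hashes in a directory or identity provider.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the platform

# Constructed in-memory audit trail: one entry per authentication attempt.
AUDIT_LOG = []


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Create a user record holding a salted password hash and the device secret."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,   # shared with the registered device at enrolment
    }


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second counter, dynamic truncation, mod 10^digits."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_password(user: dict, password: str) -> bool:
    """Factor 1, something the person knows; constant-time comparison of hashes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(user: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2, something the person has; accept +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user: dict, password: str, code: str, unix_time=None) -> bool:
    """Grant access only when both factors verify; record the attempt either way."""
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = verify_password(user, password)
    code_ok = verify_totp(user, code, now)   # evaluated even if the password failed
    granted = password_ok and code_ok
    AUDIT_LOG.append({
        "user": user["username"],
        "time": now,
        "password_ok": password_ok,
        "code_ok": code_ok,
        "granted": granted,
    })
    return granted


if __name__ == "__main__":
    # Constructed demo secret; the RFC 6238 test vector secret, so the code is checkable.
    u = make_user("alice", "correct horse battery staple", b"12345678901234567890")
    device_code = totp(u["totp_secret"], int(time.time()))  # what the phone app shows
    print("granted:", authenticate(u, "correct horse battery staple", device_code))
    print("last audit entry:", AUDIT_LOG[-1])
```

Both factors are always evaluated and the audit entry records which one failed, so a reviewer can distinguish a guessed password from a lost or cloned device, which matches the text's point that a valid password alone does not prove who the user is.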
(2) Identity and Access Management (IAM)
Logical access controls are the ways computer program logic can identify authorized
users—a challenging task in a large and complex enterprise in which many groups
must have access to data. The various policies, procedures, activities, and
technologies used to identify authorized users comprise a process called identity and
access management (IAM). The Global Technology Audit Guide (GTAG) 9, “Identity
and Access Management” poses three fundamental questions:

Who has access to what information?

Is the access appropriate for the job being performed?

Are the access and activity monitored, logged, and reported appropriately?
The answers to these questions should inform access decisions and management.
The IAM process is designed to allocate identities and provide appropriate access.
An identity is defined as a unique descriptor (or combination of descriptors) of a
person or machine—for example, a name, a password, an ID number, or a biometric
identifier. Proper identity provides access to information systems and
data. Access may be defined as the right to perform certain transactions (e.g., copying
or transferring data). These access rights are termed the user’s “entitlements.”
Exhibit 3-32 illustrates the way in which the IAM process manages identity and access.
Exhibit 3-32: IAM Process
Global Technology Audit Guide (GTAG) 9, “Identity and Access Management.”
Three processes are involved in an IAM system:

Provisioning. The most visible aspect of IAM is provisioning—the creation,
changing, termination, validation, approval, propagation, and communication of
an identity. The IT department is responsible for developing and universally
applying a policy statement on provisioning using input from business units. One
role of the internal audit activity is to determine if there is proper segregation of
duties for the approval of provisioning to an identity.

Identity management. Identity management refers to the establishment,
communication, and management of IAM strategies, policies, and processes. It
entails monitoring, auditing and reconciling, and reporting system performance.

Enforcement. Enforcement occurs automatically, through processes or
mechanisms, as identities are authenticated and authorized and activity is
logged. This forms an audit trail.
Access Controls
A primary logical access control is password authentication. Authentication includes:

Digitally enforced use of alphanumeric passwords.

Enforced password changes.

Password management such as deleting unused passwords and user accounts
(provisioning) or detecting user accounts that have no password or use a default
password.
Note that use of a valid password doesn’t prove the authenticity of a user.
Authentication can be reinforced by a physical device such as an access card or by
software designed to recognize a user’s keystrokes. Also, password protection can be
bypassed if there are other access points, such as a logical/software backdoor created
by a flaw in design or on purpose.
End-user security training can make a huge difference to application authentication
security. Password and log-on methodology training teaches users to avoid common
mistakes. Users will be trained to avoid storing their password near their computer or
using easily deduced passwords such as their child’s name or the word “password.”
Other logical access controls include:

Automatic log-off procedures.

Monitoring and controlling access to computers with remote control privileges
(e.g., help desk).

Access logs (application and Internet logs).

Single-use access codes or codes with defined start and end dates for
contractors.

Digital signatures. (These can be used for user authentication of electronically
stored or transmitted documents, such as contracts.)
Under the concept of least privilege, users and/or departments are assigned roles or
profiles granting them access only to areas where there is a genuine business need.
Access rights are based on a role name set in a hierarchy, which should be audited to
see if roles are too broad and some users have unnecessary rights. Roles can be used
to enforce laws and regulations, such as allowing only authorized roles to create
prescriptions. They can also be segregation-of-duties controls, such as preventing a
cash manager from creating journal entries. Roles can allow for some users to have
read-only access (no modifications). Privileged accounts require additional controls, as
addressed next.
Granting Access Rights to Privileged Accounts
A privileged account is an identity that has administrative access to an organization’s
information systems, enabling the role to make high-level and sometimes (improperly)
undocumented changes to the IT environment, possibly including the establishment
and provisioning of other identities. To prevent unnecessary or inappropriate access to
these accounts, the organization should include a section in its IAM policy on
provisioning, administration, and enforcement of privileged accounts.
IT management needs to periodically review the list of users with privileged access and, wherever possible, the activities of those accounts, including their online activity, since a privileged account can be used to transmit data inappropriately or to introduce unapproved applications. In addition, as part of segregation of duties, privileged and IT account identities should be reviewed by an appropriate manager or system owner rather than by the administrators who hold them.
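The role-hierarchy, segregation-of-duties, and privileged-account reviews described above can be scripted against an export of the organization's own roles and assignments. The Python below is an added example written for this guide, not IIA material or any product's code: the roles, permissions, users, conflict pairs, approved-administrator list, and access log are all constructed to illustrate the checks.

```python
"""Least-privilege review: effective rights, SoD conflicts, privileged
recertification, and granted-but-unused rights.  All data is constructed."""
from collections import defaultdict

# Role hierarchy: a role inherits every permission of its parent (assumption:
# single inheritance, which is how most RBAC products model it).
ROLE_PARENT = {
    "ap_clerk": "employee",
    "cash_manager": "employee",
    "gl_accountant": "employee",
    "sysadmin": "employee",
}

ROLE_PERMS = {
    "employee": {"timesheet:write"},
    "ap_clerk": {"vendor:create", "invoice:approve"},   # deliberately too broad
    "cash_manager": {"payment:release"},
    "gl_accountant": {"journal:create", "journal:post"},
    "sysadmin": {"user:provision", "system:config"},
}

# Permission pairs that one identity must never hold together.
SOD_CONFLICTS = [
    ("payment:release", "journal:create"),   # cash manager posting entries
    ("vendor:create", "invoice:approve"),    # create a vendor, then pay it
    ("user:provision", "payment:release"),   # provision an identity, then move money
]

PRIVILEGED_PERMS = {"user:provision", "system:config"}

USER_ROLES = {
    "alice": ["cash_manager", "gl_accountant"],
    "bob":   ["ap_clerk"],
    "carol": ["gl_accountant"],
    "dave":  ["sysadmin"],
    "eve":   ["sysadmin", "cash_manager"],
}

# Privileged holders signed off by the system owner (constructed).
APPROVED_PRIVILEGED = {"dave"}

# Constructed 90-day access log: (user, permission actually exercised).
ACCESS_LOG = [
    ("alice", "journal:create"), ("alice", "payment:release"),
    ("carol", "journal:create"), ("dave", "system:config"),
    ("eve", "user:provision"),
]


def effective_permissions(roles, role_perms=ROLE_PERMS, parents=ROLE_PARENT):
    """Union of the permissions of each assigned role and all of its ancestors."""
    perms = set()
    for role in roles:
        seen = set()
        while role is not None and role not in seen:   # guards a cyclic hierarchy
            seen.add(role)
            perms |= role_perms.get(role, set())
            role = parents.get(role)
    return perms


def overbroad_roles():
    """Roles whose own (inherited) permissions already violate a SoD pair."""
    return sorted(
        role for role in ROLE_PERMS
        if any({a, b} <= effective_permissions([role]) for a, b in SOD_CONFLICTS)
    )


def sod_violations(user_roles=USER_ROLES):
    """{user: [(perm_a, perm_b), ...]} for users whose combined roles conflict."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = [pair for pair in SOD_CONFLICTS if set(pair) <= perms]
        if hits:
            findings[user] = hits
    return findings


def privileged_review(user_roles=USER_ROLES, approved=APPROVED_PRIVILEGED):
    """Holders of privileged rights who are not on the owner-approved list."""
    holders = {u for u, r in user_roles.items()
               if effective_permissions(r) & PRIVILEGED_PERMS}
    return sorted(holders - approved)


def unused_permissions(user_roles=USER_ROLES, log=ACCESS_LOG):
    """Granted rights never exercised in the log: removal candidates.  Base
    'employee' rights are excluded so the report focuses on role grants."""
    used = defaultdict(set)
    for user, perm in log:
        used[user].add(perm)
    base = ROLE_PERMS["employee"]
    report = {}
    for user, roles in user_roles.items():
        unused = effective_permissions(roles) - used[user] - base
        if unused:
            report[user] = sorted(unused)
    return report


if __name__ == "__main__":
    print("over-broad roles:", overbroad_roles())
    print("SoD violations:", sod_violations())
    print("unapproved privileged users:", privileged_review())
    print("unused grants:", unused_permissions())
```

Run against real exports, the four reports map directly onto the review questions in this topic: roles that are too broad, users whose role combinations conflict, privileged holders nobody approved, and rights that can be removed because they are never used.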
(3) User Authentication and Authorization Control Risks
The risks of failing to properly authenticate users or systems or to provide proper authorization controls include but are not limited to the following:
• Inappropriate employee or contractor access to confidential information (e.g., payroll)
• External access allowing:
  - Theft of proprietary information (e.g., patented formularies for drugs at a pharmaceutical company)
  - Modification, corruption, or encryption of data (e.g., ransomware)
  - Installation of malware or spyware
  - Access to other systems (lateral movement)
  - Deletion of information
• Compliance risk such as material breach of privacy
• Loss of customer trust (reputation risk) and loss of market share (market risk)
1.3. Information Security Controls
This topic explains the purpose and use of various information security controls,
including encryption, firewalls, and antivirus software.
Information Security Controls: Information security is a management responsibility, but internal audit can help ensure that the function is robust and well designed.
Firewalls: A firewall is a hardware/software combination through which all communications to or from the outside world are routed.
Encryption: Encryption is an information security control that uses a mathematical algorithm to scramble data.
Antivirus Software: Antivirus software is a type of preventive control.
(1) Information Security Controls
An organization’s data can be one of its most important assets. As such, information
security is critical.
Information security is a management responsibility. This responsibility includes all the
important information of the organization, regardless of how the information is stored.
The internal audit activity should ensure that:
• Management recognizes this responsibility.
• The information security function is adequate and resistant to being breached.
• Management is aware of any faulty security provisions.
• Corrective measures are taken to resolve all information security problems.
• Risk-based and cost-benefit-based preventive, detective, and corrective controls are in place to ensure information security.
IT general controls and application controls such as passwords and privileges are the basis for information security. Information security needs to focus on both data and infrastructure.
• Data security should ensure that only authorized users can access a system, that their access is restricted by user role, that unauthorized access is denied, and that all changes to computer systems are logged to provide an audit trail.
• Security infrastructure can be part of end-user applications, and/or it can be integral to servers and mainframes, called security software.
  - When the focus on security is primarily at the application level, such as for small environments, user and role-based access controls are generally strong, but controls over expert programmers (who can change the application itself) often tend to be weak.
  - Security software resides at the server, client, or mainframe level and provides enhanced security for key applications, such as wire transfer software.
Errors introduced into a computer system can be just as costly as malicious attacks.
One key control that will help is setting a clear policy on the use of hardware and
software and training personnel to address the most common errors. The policy should
also address ethics, such as computers being used for personal activities or illegal
acts.
(2) Encryption
Encryption uses a mathematical algorithm to scramble data so that it cannot be read without the corresponding key. There are two basic models:
• Symmetric encryption uses a single secret key that both encrypts and decrypts. It is fast and is the usual choice for bulk data, but every party that needs to read the data must hold the same secret, so the key has to be distributed and protected.
• Asymmetric (public-key) encryption uses a mathematically linked pair of keys. The public key can be freely distributed and is used to encrypt a message (or to verify a signature); only the matching private key can decrypt that message (or create the signature). Public keys add a layer of security because the private key never needs to be distributed; in practice a public key is often used only to exchange a symmetric key, which then protects the data itself.
Encryption is used on stored data, physically transmitted data (e.g., on a flash drive), and electronically transmitted data, including wireless traffic, so that intercepted data is not compromised. Passwords should not be stored in reversible encrypted form at all: a password file should hold salted one-way hashes produced by a deliberately slow algorithm (PBKDF2, bcrypt, or scrypt, for example) so that even technical staff who can read the file cannot recover the passwords.
While there are various forms and levels of encryption, the key point is that organizations wishing to maintain good encryption may need to avoid the "easy" routes (home-grown algorithms, deprecated ciphers, hard-coded keys) and commit to a level of investment and effort sufficient for the targeted level of security.
Within a given algorithm, the relative security of a key is determined by its bit length; bit lengths are not comparable across algorithms (a 128-bit symmetric key is far stronger than a 1024-bit RSA key, for instance). When passwords are used to derive keys, effective password creation rules must be applied, because the password rather than the derived key's length then sets the effective strength. External aids include cryptographic module testing (CMT) labs and validation programs for cryptographic modules and their algorithms.
Digital signatures verify that a message was signed by the holder of a particular private key (providing non-repudiation, since only that holder could have produced the signature) and that the message has not been altered since it was signed. A server certificate binds a public key to a site's identity and so can establish the authenticity of a site.
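To make the key roles concrete, the Python below is an added example written for this guide, not IIA material and not a production library. It builds a textbook RSA key pair from two well-known Mersenne primes, which keeps the arithmetic readable but is completely insecure, to show that the public key encrypts and verifies while the private key decrypts and signs; it then shows how a password file should store salted, slow one-way hashes rather than recoverable passwords. The prime choices, messages, and iteration count are assumptions made for illustration.

```python
"""Which key does what (toy RSA) and how a password file should be kept.
Toy parameters only: never use RSA with these primes, or without OAEP/PSS
padding, outside a classroom."""
import hashlib
import hmac
import secrets
from math import gcd

# Well-known Mersenne primes (assumption: chosen so the example is readable).
# Being public makes the "private" key trivially recoverable; a real key uses
# two secret random primes of 1024+ bits each.
P = 2**31 - 1
Q = 2**61 - 1


def rsa_keygen(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_as_int(message: bytes, n: int) -> int:
    # Sign a hash of the message, not the message itself, reduced below n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key, message: bytes) -> int:
    """Only the private-key holder can produce this value (non-repudiation)."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone can check it with the public key; any change to the message fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


# ---- password storage: one-way, salted, deliberately slow -----------------
PBKDF2_ITERATIONS = 200_000      # assumption: raise as hardware gets faster


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store this string; the password itself cannot be recovered from it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    secret = int.from_bytes(b"wire#4471", "big")        # 9 bytes, below n
    assert rsa_decrypt(priv, rsa_encrypt(pub, secret)) == secret
    sig = rsa_sign(priv, b"pay 100 to acct 12")
    print("valid signature:", rsa_verify(pub, b"pay 100 to acct 12", sig))
    print("tampered message:", rsa_verify(pub, b"pay 900 to acct 12", sig))
    record = hash_password("correct horse battery")
    print(record[:40] + "...", verify_password(record, "correct horse battery"))
```

Two points worth noticing when reading it: the signature covers a hash of the message, so changing a single byte of "pay 100" to "pay 900" makes verification fail, and the password record contains no secret at all, only a salt and a slow hash, which is exactly what an auditor should expect to find in a password file.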
Auditing Issues
Evaluating encryption includes evaluating physical controls over computers that hold private keys or the passwords used to derive keys, testing whether encryption policies are actually being followed, and implementing and monitoring logical controls. Protection of private keys from disclosure to outside parties is paramount. Each security domain should be able to share its local identity and security data with other domains without compromising its internal directories.
(3) Firewalls
Perpetually available broadband connections need constant monitoring. A firewall is a hardware/software combination through which all communications to or from the outside world are routed. The firewall compares access rules (controlled by network administrators) against the source and destination IP addresses, ports, and protocols of traffic, and in some products the host names, files, and applications involved, and blocks unauthorized traffic. Rules are normally evaluated in order with the first match winning and a final rule denying everything else, so rule order matters as much as rule content. Firewalls can:
• Improve security by blocking access from certain servers or applications.
• Reduce vulnerability to external attacks (e.g., through viruses) and ensure IT system efficiency by limiting user access to certain sites.
• Provide a means of monitoring communication and detecting external intrusions (through intrusion detection systems, described below) and internal sabotage.
• Provide encryption (e.g., VPN tunnels) between enterprise sites and for remote users.
Corporate firewalls are often multi-tiered:
• A firewall is placed before the web server and any other public access servers.
• A firewall is placed between the public access servers and the private network areas.
• Additional firewalls can be used to protect sensitive data such as payroll.
An organization's firewalls should be installed on dedicated hardware that has no unnecessary software. Internal auditors verify that firewalls are located in front of critical systems and are configured to restrict workstation connections to only those authorized.
The placement of firewalls can create a DMZ. DMZs (from the military term "demilitarized zone") are portions of a network that belong to neither the Internet nor the internal network, for example the segment between the Internet access router and the public-facing hosts. If the access router enforces an access control list, it creates a DMZ that allows only recognized traffic to reach those hosts; the inner firewall, in turn, limits what a compromised DMZ host can reach on the internal network.
Auditors need to determine if firewalls can be bypassed or the controls overridden by alternative transactions. Personal firewalls that prompt the user to allow or deny each communication can be the riskiest configuration, because users tend to approve whatever lets them continue working. Auditors should work with the network administrator to determine the efficacy of a firewall, how specific its rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up-to-date, such as by promptly removing rules for terminated employees and expired contractors. Because a firewall is a chokepoint, its logs can be used to audit controls or trace the source of an incoming attack. Firewall logs could be used as legal audit evidence if the data was collected, processed, and retained properly.
A firewall has limitations, for example:
• Data can still be stolen via USB flash drive or use of a personal modem on a voice line.
• Employees or visitors could have a conflict of interest (industrial espionage), or they could simply be gullible and "help" someone by providing access.
• Firewalls can be configured incorrectly.
Auditors should assume that firewalls are always being probed for weaknesses and that they cannot prevent all attacks.
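The rule-set questions above (how specific the rules are, whether stale entries are removed, whether ordering lets one rule silently negate another) can be answered mechanically from an exported rule set. The Python below is an added example written for this guide, not IIA material or any vendor's firewall code; the rule set, addresses, expiry dates, and first-match semantics are assumptions constructed to illustrate the checks.

```python
"""Evaluate and audit a first-match firewall rule set.  Constructed data."""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp", or "any"
    port: Optional[int]             # None means any destination port

    def matches(self, src_ip, dst_ip, proto, port) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` would match also matches self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))


# Constructed edge rule set, evaluated top to bottom; first match wins.
RULES = [
    Rule("web-in",         "allow", ANY,                    net("203.0.113.10/32"), "tcp", 443),
    Rule("dns-out",        "allow", net("10.0.0.0/8"),      ANY,                    "udp", 53),
    Rule("contractor-rdp", "allow", net("198.51.100.7/32"), net("10.0.5.20/32"),    "tcp", 3389),
    Rule("mgmt-any",       "allow", net("10.0.0.0/8"),      net("10.0.5.0/24"),     "any", None),
    Rule("db-admin",       "allow", net("10.0.1.0/24"),     net("10.0.5.30/32"),    "tcp", 1433),
    Rule("default-deny",   "deny",  ANY,                    ANY,                    "any", None),
]

# Constructed: rules tied to a time-boxed principal, matching the "codes with
# defined start and end dates for contractors" control earlier in the topic.
RULE_EXPIRY = {"contractor-rdp": "2024-06-30"}      # ISO dates


def evaluate(rules, src, dst, proto, port):
    """Return (action, rule_name); no match means deny (fail closed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, port):
            return rule.action, rule.name
    return "deny", "<implicit>"


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule covers all their traffic.
    A shadowed restriction is a silent misconfiguration, not a working control."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings.append((rule.name, earlier.name))
                break
    return findings


def overly_permissive(rules):
    """Allow rules with no port restriction ("any service"), which defeat the
    purpose of placing a firewall in front of the segment."""
    return [r.name for r in rules if r.action == "allow" and r.port is None]


def expired_rules(rules, today: str, expiry=RULE_EXPIRY):
    """Rules whose principal's end date has passed but which are still present."""
    cutoff = date.fromisoformat(today)
    return [r.name for r in rules
            if r.name in expiry and date.fromisoformat(expiry[r.name]) < cutoff]


if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.99", "203.0.113.10", "tcp", 443))
    print("shadowed:", shadowed_rules(RULES))
    print("too broad:", overly_permissive(RULES))
    print("expired:", expired_rules(RULES, date.today().isoformat()))
```

Note what the shadowing check finds: the narrow `db-admin` rule looks like a control limiting database access to one subnet and one port, but the broader `mgmt-any` rule above it already allows the same traffic, so the restriction is never enforced. That is the kind of finding a rule-by-rule read rarely surfaces.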
Intrusion Detection/Prevention Systems
Firewalls decide mainly on addresses, ports, and protocols and generally do not inspect the content of the traffic they allow through, so a firewall alone may not be sufficient. Intrusion detection/prevention systems monitor network traffic and host activity for signs of attack, using known attack signatures, anomaly detection against a baseline of normal behavior, or both. Types of these systems include the following:
• An intrusion detection system (IDS) observes traffic or host activity and raises alerts; an IDS placed inline so that it can also block the traffic it flags is called an intrusion prevention system (IPS).
• Host IPS (HIPS) software runs on an individual server or workstation and can detect and block abnormal application behavior before it executes, on the assumption that abnormal behavior is an unknown form of attack.
• Network IPS (NIPS) are hardware and software systems on a network that analyze incoming packet content, dropping malicious packets.
These systems provide more detailed reports than firewalls. Because an IPS can block legitimate traffic on a false positive, its blocking rules are usually tuned conservatively, and many organizations run new signatures in detect-only mode before enabling prevention.
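The two detection styles above, signature matching on packet content and anomaly detection against normal behavior, fit in a few dozen lines. The Python below is an added example written for this guide, not IIA material or any IDS product's code; the connection records, signatures, window size, and threshold are all constructed assumptions.

```python
"""Signature and anomaly detection over constructed connection records."""
import re
from collections import defaultdict

# (timestamp_seconds, src_ip, dst_ip, dst_port, payload_snippet) -- constructed.
RECORDS = [
    (0, "198.51.100.9", "203.0.113.10", 443, "GET /index.html HTTP/1.1"),
    (1, "198.51.100.9", "203.0.113.10", 443, "GET /search?q=' OR 1=1-- HTTP/1.1"),
    (2, "198.51.100.9", "203.0.113.10", 443, "GET /cgi-bin/../../../../etc/passwd HTTP/1.1"),
    (40, "198.51.100.20", "203.0.113.10", 443, "POST /login HTTP/1.1"),
] + [
    # one host touching 25 different ports in three seconds: a port sweep
    (5 + i // 10, "192.0.2.44", "203.0.113.10", 20 + i, "") for i in range(25)
]

# Signatures: known-bad content.  A match is high confidence but catches only
# what is already known.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./\.\./")),
    ("shellshock", re.compile(r"\(\)\s*\{\s*:;\s*\}")),
]


def signature_alerts(records, signatures=SIGNATURES):
    """(timestamp, src_ip, signature_name) for every payload that matches."""
    return [(ts, src, name)
            for ts, src, _dst, _port, payload in records
            for name, rx in signatures if rx.search(payload)]


def port_scan_alerts(records, window=10, threshold=15):
    """Anomaly rule: a source contacting >= threshold distinct ports within
    `window` seconds.  Needs no signature, so it also catches new tools, but
    the threshold must be tuned to avoid flagging legitimate scanners."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _payload in sorted(records):
        by_src[src].append((ts, port))
    alerts = []
    for src, events in by_src.items():
        start = 0
        for i, (ts, _port) in enumerate(events):
            while events[start][0] < ts - window:   # slide the window forward
                start += 1
            distinct = {p for _, p in events[start:i + 1]}
            if len(distinct) >= threshold:
                alerts.append((src, ts, len(distinct)))
                break                       # one alert per source
    return alerts


def run(records=RECORDS):
    return {"signature": signature_alerts(records),
            "port_scan": port_scan_alerts(records)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind, alerts)
```

The signature rules fire on the injection and traversal attempts and stay silent on everything else, while the port-scan rule fires on the sweeping host without any signature at all; raising the threshold (the last assertion-style check in the test) shows the tuning trade-off the text describes.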
(4) Antivirus Software
Antivirus software exists to block known cybersecurity threats. This type of preventive control is effective only if it is regularly updated to address emerging threats, and because it relies largely on signatures of known malware, it should be supplemented by the behavior-based controls described above rather than relied on alone.
1.4. Data Privacy and Security
This topic helps internal auditors recognize the potential impact of data privacy laws on
data security policies, practices, and controls. The topic also addresses auditing
privacy risks.
In addition to reviewing the contents of this topic, students can review the following IIA materials:
• Practice Guide, "Auditing Privacy Risks," 2nd Edition
Data Privacy: Data privacy is the individual's right to have a voice in how his or her personally identifiable information is collected, handled, and used.
Data Privacy Controls: Data privacy controls can mitigate the risks of potential misuse, leaks, or loss of personally identifiable information.
Data Privacy Laws and Frameworks: Privacy laws are based in part on fair information practices. The General Data Protection Regulation of the EU is an example of a specific data privacy law.
Data Security Practices: Sustaining privacy practices can be challenging.
Auditing Data Privacy: When auditing data privacy, internal auditors consider who is at risk, evaluate the organization's data privacy framework, and assess data privacy risks.
(1) Data Privacy
Privacy is essentially the right to be left alone and to be free from surveillance by
individuals, organizations, or the government. Data privacy is the individual’s right to
have a voice in how his or her personally identifiable information is collected, handled,
and used, to control who has access to that information, and to amend, change, or
delete the information. The “Auditing Smart Devices” Global Technology Audit Guide
cites the following U.S. Department of Labor definition of personally identifiable
information (PII):
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information:
• (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or
• (ii) by which an agency intends to identify specific individuals in conjunction with other data elements (e.g., indirect information). These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors. Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic, or other media.
Photographs and biometric identifiers are other examples of PII, as is behavioral information, for example, in a customer relationship management system.
Adherence to data privacy laws and regulations requires having robust data security policies and practices, because such laws specify the need to properly secure all end-user and customer data. Also, many laws and regulations have specific provisions related to "sensitive information," and they may define what is meant by this term in different ways. Exhibit 3-33 shows examples of various types of sensitive information. (These are just examples; a review of applicable regulations is needed to determine what each given regulation considers sensitive.)
Exhibit 3-33: Sensitive Information
Sensitive health information:
• Medical records
• Health plan beneficiary information
• Physical or mental health information
• Provided health services or information collected during visits
Sensitive financial information:
• Account numbers (e.g., bank accounts, credit card numbers)
• Financial history
• Salary information
Other sensitive information:
• Racial or ethnic origin
• Religious or philosophical beliefs
• Political opinions
• Trade union membership
• Legal proceedings and civil actions
• Combinations of certain information
IT can make invasions of privacy easy and inexpensive. Any transaction entered into
an information system, from simple purchases to medical records, can be stored
indefinitely and potentially used for marketing or crime fighting as well as for illegal
activities such as blackmail.
Privacy is an issue for corporate data, employees, and customers. Corporate data
must be safeguarded for a business to stay viable. Employees and their employers are
in conflict on privacy, because organizations want to both protect their interests and
guard against improper activity, while employees want to feel that they have a measure
of privacy at work. Software can log websites visited and track every keystroke a user
makes.
Higher levels of monitoring can provide control but at the possible price of lower
morale. Clear communication of the privacy policy will help with morale. The policy
should inform employees what is and isn’t monitored as well as what is expected of
them, such as using the Internet only for specific activities. Logical controls over
possible sites that can be visited can reduce the need to monitor employee activities.
(2) Data Privacy Laws and Frameworks
The privacy laws in Europe and in the United States, Canada, and other countries are based in part on fair information practices (FIPs). FIPs acknowledge that the parties in a transaction have obligations to each other. Individuals have rights to privacy but need to prove their identity; organizations have responsibilities over the collection and use of information. FIPs include:
• Notice. Prior to collecting data, websites must disclose who is collecting the data, its uses, other recipients, what is voluntary, and what will be done to protect the data.
• Choice. Consumers should be able to choose how the information is used outside of support for the current transaction.
• Access. Consumers should be able to access and modify their personal information without great expense or hardship.
• Security. Data collectors must ensure that they have adequate data controls.
• Enforcement. FIPs must be enforced via self-regulation, legislation giving recourse rights to consumers, and other laws.
A number of laws exist to protect privacy against government intrusion, such as the Canadian Privacy Act, which sets rules for the government's ability to collect and use information about its citizens. Fewer regulations apply to the private sector, and self-regulation is the general tendency. Because many nations have privacy laws that may differ considerably, the Organisation for Economic Co-operation and Development (OECD) and similar organizations are working to create consistency in privacy laws and laws on the transborder flow of information.
While many countries (and even some regions, such as California in the United States)
have privacy laws or regulations, the best way to study for the exam is to learn the
principles behind these laws since they share many principles.
In the European Union (EU), the General Data Protection Regulation (GDPR) is a binding regulation. The GDPR obliges EU member states to protect the fundamental rights and freedoms of persons, in particular their right to personal data privacy. Much like the FIPs described above, the GDPR gives individuals the right to:
• Be informed of how organizations are using their personal data (i.e., a privacy policy).
• Access their personal data.
• Rectify incorrect information.
• Be forgotten. (Individuals can request deletion of their personal information.)
• Have data portability. (Individuals can request a copy of their personal information in a machine-readable form.)
• Object or opt out of future data collection at any time.
While this is an EU regulation, any organization in any part of the world that collects or holds the personal data of persons residing in the EU will need to have policies, procedures, and IT systems in place as appropriate. Many organizations that do business globally have welcomed the GDPR as a gold standard for privacy that may prevent needing to instead comply with a patchwork of national regulations. Organizations should seek advice from legal counsel when developing or adopting a privacy framework.
Organizations with a global footprint often use the most stringent data privacy
regulation as a base standard for their operations in all countries to limit risk. Many
organizations use the GDPR as this standard because noncompliance could put them
out of business.
There may be nuances to data privacy depending on the organization's business sector.
• Public sector. Governments collect PII in a vast number of areas, for example, real estate, voter registration, taxation, welfare, and law enforcement. Compliance requirements may be specific to different levels of public entities. The risk of files being misused, lost, or stolen is high. There may be rules or laws that prevent (or permit, given an approval process) one agency from comparing PII with others, called data matching (e.g., law enforcement reviewing driver databases).
• Social services. Government agencies are subject to specific compliance requirements, but other institutions such as churches may be exempt from general legal frameworks, which could lead to lax privacy controls.
• Financial services. Many regulations and active supervisory bodies exist due to the sensitivity of PII such as credit history.
• Marketing, retail, and social media. PII includes address lists, consumer profiles, financial information, purchase history, personal preferences, and so on. Such information may be bought or sold. Sector associations offer codes of conduct.
• Utilities, transportation, and travel. PII is collected at tollways and parking areas and in traffic systems.
• Health care and research. Sensitive patient information is highly regulated. One example of a private-sector law is the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the disclosure of medical records. It applies to health plans (including employer-sponsored group health plans), health-care clearinghouses, and health-care providers, and through them to the business associates that handle protected health information on their behalf.
• International business. Many laws and regulations require that PII not leave the regulated zone of a country. These rules address the concern of loss of control when PII is transferred to another jurisdiction (which may not respect other nations' laws).
(3) Data Privacy Controls
Data privacy controls can mitigate the risks of potential misuse, leaks, or loss of PII. Benefits of good data privacy controls include:
• Public image and brand protection.
• Customer, employee, donor, and business partner PII protection.
• Credibility, confidence, and goodwill leading to competitive advantage.
• Compliance.
Fundamental controls for data security include ensuring adequate governance and oversight by the board and management. Another general control example is benchmarking the organization's privacy compliance and data-handling practices and weaknesses against international policies, laws, regulations, and best practices. Here are some additional elements of an effective privacy program:
• Clear roles and responsibilities
• Privacy statement/notice
• Written policies and procedures for the collection, use, disclosure, retention, and disposal of PII
• Information security practices, incident response plans, and corrective action plans
• Training and education of employees
• Privacy risk assessments and maturity models
• Monitoring, auditing, and compliance with privacy laws and regulations
• Inventory of the types and uses of PII
• Controls over service providers (outsourcing)
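An inventory of the types and uses of PII is usually the first control to fail, simply because nobody knows where the data is. The Python below is an added example written for this guide, not IIA material or any DLP product's code: it scans constructed records from three hypothetical systems, classifies each field into the Exhibit 3-33 categories, and produces the data map to which retention, access, and disposal controls can then be attached. The field names, patterns, and sample values are assumptions and not a complete PII taxonomy.

```python
"""Build a PII inventory from constructed records."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Value-based detectors: (label, category, regex, extra validation or None).
DETECTORS = [
    ("email", "direct identifier",
     re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    ("us_ssn", "direct identifier",
     re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("card_number", "sensitive financial",
     re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda s: luhn_ok(re.sub(r"\D", "", s))),
]

# Field-name-based classification for data whose values have no telltale shape.
FIELD_CATEGORIES = {
    "diagnosis": "sensitive health", "icd10": "sensitive health",
    "salary": "sensitive financial",
    "religion": "other sensitive", "union_member": "other sensitive",
    "ethnicity": "other sensitive",
}

# Constructed records from three hypothetical systems.
SYSTEMS = {
    "hr_db": [
        {"employee_id": "E100", "email": "a.lee@example.com",
         "ssn": "123-45-6789", "salary": "88000", "union_member": "yes"},
    ],
    "crm": [
        {"customer": "Acme", "contact": "j.doe@example.org",
         "card": "4111 1111 1111 1111", "notes": "prefers email"},
        {"customer": "Bolt", "contact": "n/a",
         "card": "4111 1111 1111 1112",          # fails Luhn: not a real PAN
         "notes": "ref 1234567890123"},          # 13 digits, fails Luhn too
    ],
    "clinic": [
        {"patient": "P7", "diagnosis": "E11.9", "phone": "555-0100"},
    ],
}


def scan_record(record):
    """(field, detector_label, category) for every hit in one record."""
    hits = []
    for field, value in record.items():
        if field in FIELD_CATEGORIES:
            hits.append((field, "field-name", FIELD_CATEGORIES[field]))
        for label, category, rx, check in DETECTORS:
            m = rx.search(str(value))
            if m and (check is None or check(m.group())):
                hits.append((field, label, category))
    return hits


def inventory(systems=SYSTEMS):
    """{system: {category: [fields]}}: the data map a privacy program needs."""
    result = {}
    for system, records in systems.items():
        by_category = {}
        for record in records:
            for field, _label, category in scan_record(record):
                by_category.setdefault(category, set()).add(field)
        result[system] = {c: sorted(f) for c, f in by_category.items()}
    return result


if __name__ == "__main__":
    for system, categories in inventory().items():
        print(system, categories)
```

The Luhn check is what keeps the inventory credible: without it every 13- to 16-digit reference number would be reported as a card number, and the data map would overstate where sensitive financial data lives.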
Ethics in Data Storage
Data storage can become an ethical issue. Data needs to be safeguarded per data
privacy policies, regulations, etc. However, it may also need to be protected from
deletion for audits or evidence of compliance. Electronic data such as emails are
considered legal evidence (in the United States, this is covered under the Federal
Rules of Evidence), and some companies have received large fines for denying access
to or deleting such evidence. Internal auditors need to develop an awareness of these
and other ethical implications when providing assurance or consulting on data storage
or deletion policies.
(4) Data Security Practices
Sustaining privacy practices can be challenging. IT advancements and outsourcing trends are making it difficult to determine where data is stored, how it is protected, who has access to it, and whether it is disposed of securely. This evolution has outpaced legal frameworks and industry standards. Such inconsistency and uncertainty creates assurance risk. CAEs can ask questions such as the following related to data security practices:
• Does a board committee exist to consider risk appetite related to privacy risk?
• What is management's privacy risk appetite?
• What are the current or likely forthcoming applicable privacy laws and regulations?
• What PII does the organization collect, who defines what is private, and are the definitions consistent or appropriate?
• Does the organization have privacy procedures and programs with defined responsibilities and accountabilities and sufficient resources to be effective?
• Does the organization know where all personal information is stored and who has access?
• How is PII protected at the database, network, system platform, application, and business process layers?
• Is any PII disclosed to or processed by third parties?
• Do employees receive privacy awareness training specific to their responsibilities?
• Does management periodically assess program effectiveness and the need to meet new requirements?
(5) Auditing Data Privacy
Data privacy audits can help with compliance, including measuring and improving
compliance with the organization’s data protection system. Audits can also identify
potential inconsistencies between policies and actual practices, which can help provide
assurance over reputation risks or help ensure that privacy response procedures are
effective. An audit can be used as a tool to raise the level of data protection awareness
among management and staff.
Internal auditors look for data privacy risks in three basic categories, as shown
in Exhibit 3-34.
Exhibit 3-34: Threats to Organizations, Stakeholders, and Individuals
Threats to organizations. Privacy breaches can get significant attention from the press, supervisory authorities, and privacy watchdogs. An organization could fail to achieve its objectives and could experience operational disruptions, inefficiency, or reputation damage, with severe financial impacts. Specific control weaknesses when processing PII include:
• Excessive collection.
• Incomplete or outdated information.
• Damaged data.
• Inadequate access controls.
• Excessive sharing.
• Incorrect processing.
• Inadequate use.
• Undue disclosure.
• Undue retention.
Threats to stakeholders. While excessive privacy practices can hinder efficiency and thus investor returns, risks of damaged reputation and litigation usually outweigh this consideration.
Threats to individuals. Individuals may be victims of identity theft, bear extra cost, experience discrimination, or have limited control over their PII. For example, data submitted for a job application could be used for intrusive, unfair, unreliable, or adverse purposes.
Evaluating the Organization’s Data Privacy Framework
Internal audit determines whether a data privacy framework exists and evaluates the framework to ensure that the board has set a risk appetite related to privacy risks and that the framework is effective in identifying and addressing significant risks. Internal auditors may need to work with other parties to understand the context of security policies and guidelines, both those for internal use and those communicated to customers, including:
• Legal counsel, to identify other steps that should be performed.
• Privacy professionals, to help internal auditors develop an understanding of data privacy framework maturity.
• IT specialists, to help create a process map of information flows, system controls, and the PII life cycle, including incident response programs.
Internal auditors also need to determine how the framework and related policies
classify organizational data and evaluate whether the levels of classification and
related controls are appropriate. Classifications are usually based on the level of harm
a data breach or misuse could cause and/or the regulatory penalties for
noncompliance. Another area of review is whether the framework has a privacy
incident response plan and related templates.
Assessing Risk
Categories of privacy risk include the following:
• Legal and organizational risk. Internal auditors ensure that relevant privacy laws and other regulations are communicated to clearly designated responsible parties.
  - Personnel are told what is expected of them and what the individual and organizational penalties are for noncompliance.
  - Auditors assess personnel competency levels and whether they have a process to keep current with new laws, regulations, and technologies (e.g., cloud computing).
  - Proof of compliance is required, not just compliance, so documentation must be addressed.
  - Auditors determine if management is spending too much on privacy controls (e.g., expensive encryption for routine data).
• Infrastructure risk. PII processing steps may include paper or online forms, data entry, or fully automated steps. Each time PII moves and changes format, new vulnerabilities to confidentiality, integrity, and availability of data occur. Internal auditors should trace PII in operations as well as in backup storage, such as by reviewing encryption in storage and in transit. Controls include:
  - Paper shredders, locked files, or other physical controls.
  - IT general controls and application controls.
  Each platform or technology should have a data map and inventory of all PII, including transfers to third parties.
• Application risk. Evaluating software involves reviewing privacy risk assessments and whether there is "privacy by design," such as use of data classification standards, defaulting user access to least privilege, or external interface authorization limits.
• Business process risk. PII must be used for its legitimate business purposes, and so it will inevitably be exposed in use, for example in printed form on people's desks. Discretion should be used in areas open to the public, and basic controls should exist, such as clean desks or timed locking of computers not in use.
1.5. Emerging Technology
This topic helps internal auditors recognize emerging technology practices and their
impact on security. Such practices include bring your own device (BYOD), smart
devices, and the Internet of things (IoT).
In addition to reviewing the contents of this topic, students can review the following IIA materials:
• Global Technology Audit Guide (GTAG), "Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices"
Emerging Technology: Emerging technology includes the Internet of things (IoT), hardware authentication, user-behavior analytics, data loss prevention, machine learning, and cloud computing.
Smart Devices: Smart devices enable working in a truly mobile way. Examples include cell phones, tablets, wearable devices, and specialized devices such as for warehouse picking.
(1) Emerging Technology
Technology is constantly advancing, as is the rate and variety of malicious attacks.
How to keep up with new technology and get ahead of threats? A good place to start is
to provide assurance regarding IT general controls including physical security, logical
access controls, and operational controls.
But what other practices can be used?
• The Internet of things (IoT) refers to a system of interrelated physical devices around the world connected to the Internet, collecting and sharing data. It allows for the transfer of data over a network without human action. IoT has emerged to allow machine-generated data to be analyzed for insights to drive improvements.
  The benefits of IoT to businesses are that it allows more access to data about an organization's products and internal systems and a greater ability to make changes as a result, such as pushing out new security updates. However, this raises new concerns about data privacy and security. The increase in connected devices gives cybercriminals more entry points and leaves sensitive information vulnerable. Establishing a standardized security protocol to address the scope and diversity of devices is a central challenge.
• Hardware authentication ties authentication to something the user physically possesses, such as a mobile phone, a smart card, or a dedicated token. An end user may be required to enter a one-time code that is generated on, or sent to, their mobile device in addition to a password. This can be combined with other forms of authentication (biometrics, for instance).
• User-behavior analytics operates on the premise that by identifying activity that does not fit within the normal routine of an employee, IT can identify a malicious attacker posing as an employee (or an insider misusing their own access).
• Data loss prevention (DLP) aims to ensure that end users do not send sensitive or critical data outside the corporate network. DLP tools inspect content as it leaves (email, web uploads, removable media) and block or quarantine it according to policy; encryption and tokenization complement this by making data that does leave unreadable, and can provide protection down to a subfield level.
• Machine learning and artificial intelligence can be used to automate certain protocols or detect trends in big data. Rather than looking at the end user only, these systems can also distinguish between good and bad software and provide an advanced threat detection and elimination solution.
• Cloud computing security refers to controls, technologies, and policies in place to protect data, applications, and the infrastructure of cloud computing. Cloud security architecture can use numerous controls, such as deterrent, preventive, detective, and corrective controls, to safeguard potential system weaknesses. In addition, cloud access security brokers (CASBs) provide software that sits between end users and cloud applications to monitor activity and enforce security policies. ISO/IEC 27017 gives information security controls for cloud services.
(2) Smart Devices
Smart devices enable working in a truly mobile way. Examples include cell phones,
tablets, wearable devices (e.g., watches, glasses), and specialized devices such as for
warehouse picking. Smart devices have operating systems, data storage, and security
mechanisms, and they connect to cellular and/or Wi-Fi networks for data, voice, and/or
video. They may include GPS or specialized sensors such as for radio frequency
identification (RFID).
Internal auditors may need to audit the security impact of smart devices as well as
related systems that may be under the control of third parties. Understanding the
business context will help internal auditors determine the real business needs for smart
devices, which could highlight opportunities for business advantage or a lack of real
need (i.e., too much risk, too little reward). A risk assessment will help determine the
engagement’s objectives and scope and required resources as well as the relevant risk
and controls that the internal audit activity should recommend.
A key issue around the security impact of smart devices is a bring-your-own-device
(BYOD) policy. A BYOD policy relates to whether or not an employee or contractor can
(or is required to) bring their own laptop or mobile device to the workplace and use it
for work purposes. Note that prohibitions on laptops or tablets might be enforceable so
long as a suitable device is provided to the employee or contractor, but prohibitions on
mobile phones would be feasible only in very high security environments.
Smart Device Risks
Smart devices face risks in a number of categories.

• Compliance risks. The variety and number of smart devices creates a risk of
organizational devices not being updated as policies and procedures require. BYOD
update risks are higher still, since the organization may not control updates; for
example, a user could defer updates because of performance concerns.

• Privacy risks. Personally identifiable information (PII) is stored on smart devices.
The organization could also use smart devices to monitor its employees. BYOD
practices and the devices of vendors, guests, or visitors increase the risk of PII
compromise.

• Physical security risks. Small devices are at risk of loss, breakage, or theft.

• Information security risks. Data on smart devices can be read if it is left
unencrypted. Backups may not be performed. Controls built into the operating system
(OS) can be bypassed to install prohibited software that may contain malware; this is
called "jailbreaking" on Apple iOS and "rooting" on Android. Either practice
undermines the OS security model, including controls such as remote wipe that
mobile device management relies on. Users of organizational or BYOD devices could
join untrusted networks, where their traffic can be intercepted or their devices
compromised. Location data (GPS) could be used to track the user.
Smart Device Controls
A general smart device control is an acceptable use policy with a clear indication of
penalties for noncompliance. This can include a mandate for all organizational and
BYOD devices to have up-to-date anti-malware software installed, to keep the OS
updated, to use only official app stores, and to not do jailbreaking/rooting. End users
need to be educated on weak versus strong passwords or other forms of
authentication. Basic security training for organizational or BYOD devices can be
provided, such as promptly reporting thefts or ensuring that user devices have user
authentication turned on in case the device is stolen.
BYOD policies should require an employee signature and may include:

• What devices are allowed and the individual's maintenance responsibilities.

• Policies on downloading, use, and transmission of organizational data, with
specific prohibitions for sensitive data.

• Minimum security requirements (e.g., supported OS version, screen lock,
encryption).

• Backup policies, including whether home backups are allowed. (Home backups could
be prohibited to maintain U.S. HIPAA compliance.)

• Enabling remote wiping (for lost or stolen devices) or possibly mobile device
management (MDM) for remote software updating, monitoring, etc.

• Policy on selling, discarding, or sending a device in for maintenance (e.g., proper
wiping of memory).

• Requirements to use a virtual private network (VPN) for access to organizational
resources and not to connect over untrusted (e.g., public) Wi-Fi networks without it.
Controls also exist at the hardware and software levels. Authentication controls need to
be in place. Devices that support full-device (at-rest) encryption, with the key
protected by hardware such as a secure element or trusted execution environment, can
be selected; encryption of stored data is a must, but it only protects the data while the
device is locked. Data in transit should be encrypted as well, using TLS for
applications and a VPN on untrusted networks.
1.6. Cybersecurity Risks
This topic helps internal auditors recognize existing and emerging cybersecurity risks,
including hacking, piracy, tampering, ransomware attacks, phishing attacks, and more.
In addition to reviewing the contents of this topic, students can review the following IIA
materials:

• Global Technology Audit Guide (GTAG), “Assessing Cybersecurity Risk: Roles
of the Three Lines of Defense”

• Global Technology Audit Guide, “Auditing Insider Threat Programs”

• Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and
Controls,” 2nd Edition
Cybersecurity Risks
Piracy and Device Tampering
Cybersecurity is the protection of
computers, networks, programs, and
data from attack, unauthorized access,
damage, change, or destruction.
Software piracy is the illegal copying of
software or distribution of software
access to more users than is allowed in
the organization’s contract. Device
tampering includes jailbreaking/rooting
of smart devices or other hardware
manipulations.
Malware
Types of malware include viruses,
worms, Trojan horses, and ransomware;
phishing is a social engineering attack
often used to deliver them.
Insider Threat Programs
Programs to monitor and control insider
threats may be part of the risk universe
for internal auditors.
(1) Cybersecurity Risks
Cybersecurity, also referred to as computer or IT security, is the protection of
computers, networks, programs, and data from attack, unauthorized access, damage,
change, or destruction. Cyber risks (or cyber threats) involve persons or entities that
seek unauthorized access to a system, network, or device, either remotely or via inside
access. A hacker is a person who accesses systems and information, often illegally
and without authorization. Unethical organizations employ hackers to perform industrial
espionage. Hackers could harm the organization’s employees, contractors, customers,
and other stakeholders and its competitive advantage. They could cause direct
monetary loss as well as reputation damage if certain information were made public.
Cybercrime is a growing area of organized crime. Profit is the motive. Organized crime
organizations may have large-scale operations in certain nations that suffer from poor
enforcement or graft and corruption.
There are generally three main types of computer crime:

• Those where the computer is the target of a crime

• Those where the computer is used as an instrument of a crime

• Those where the computer is not necessary to commit the crime, but it is used
to make committing the crime faster, to process more information, or make the
crime more difficult to identify and trace
Two other sources of cybersecurity risks are insiders and service providers, especially
service providers who develop substandard offerings that have security vulnerabilities
or who do not promptly patch known vulnerabilities. Aside from negligence, insiders
and service providers could use their inside knowledge and access to take advantage
of inside information to perpetrate or conceal fraud.
(2) Malware
Malware is malicious software designed to gain access to a computer system without
the owner's permission in order to control or damage the system or steal data. Attack
types that are increasing include ransomware (see below), attacks that gain
unrestricted access to user systems and data, and attacks that harvest network
passwords and financial data. Zero-day attacks exploit a vulnerability for which no
patch is yet available, typically delivering malware that anti-malware vendors have not
yet seen, so signature-based defenses have nothing to match.
The number and frequency of network attacks is increasing, sometimes with several
variants of the same malware appearing in one day. Antivirus vendors have resorted to
hourly signature updates. The antivirus industry's rapid response system is challenged
by criminals who have their own structure to develop new threats and to scan for and
infect vulnerable systems.
Types of malware include the following:

• VirWare. VirWare is a collective term for viruses, worms, and ransomware.

    - A virus attaches itself to executable files, documents, or the boot sector of
    storage media and spreads when the infected files are shared with others. One
    type is a macro virus, which uses the macro function of software such as
    Microsoft Word® to create executable code. In response, Microsoft introduced
    file extensions that distinguish macro-free from macro-enabled files (e.g., .xlsx
    for no macros, .xlsm for macros allowed), so macro-enabled files can be blocked
    or flagged at the gateway.

    - Worms are self-replicating malware that can disrupt networks or computers.
    Unlike a virus, a worm does not attach itself to an existing program or file; it
    spreads by sending copies of itself across a network, usually by exploiting a
    vulnerability in a network service. Worms may open holes in network security
    or trigger a denial-of-service attack (see below).

    - With ransomware, software encrypts files on a computer or across a network
    and the criminal demands payment, usually in cryptocurrency, before the
    decryption key is released. Many variants also steal data first and threaten to
    publish it. Paying does not guarantee recovery, so tested, offline backups are
    the primary control. Avenues of attack include links or attachments in
    unsolicited emails as well as malvertising, or malicious advertising on websites
    that can direct users to criminal servers even if the user never clicks on an ad.
    Ad-blocking software is a partial defense.
Instant message (IM) worms, worms for mobile devices, and net-worms have been
increasing because they don’t need to rely on users opening email. Email worms have
been decreasing, partly due to the rapid response system and improved antivirus
software. Cybercriminals have shifted to using more Trojan horses.

• Trojan horses. Trojan horses are malicious programs disguised, with the help of
social engineering, as something innocuous or useful. Social engineering is the use
of deception to manipulate a person into taking an action, such as opening an
attachment or revealing a credential; it is initiated through deceptive emails, instant
messages, or phone contact. A key control is to educate users to initiate all contact
themselves (i.e., don't click on an email link; go to the site directly). Once installed,
Trojan horses can install more harmful software, such as spyware. Spyware is
malware installed without the user's knowledge to surreptitiously transmit data to an
unauthorized third party. Trojan horses are smaller, easier to transmit, and cheaper
to develop than worms because they do not need to be capable of self-delivery.
Trojan horses include the following.

    - Trojan-clickers silently generate requests to websites from the infected
    computer (e.g., for click fraud or to redirect the browser); they are commonly
    delivered through a link the user is tricked into clicking.

    - Banker programs steal online banking credentials and account data.

    - Rootkits run with root (administrator) privileges and conceal the presence of
    the attacker's files, processes, and network connections from the OS and from
    security tools.

    - Trojan-proxies use an infected computer as a proxy for the attacker's traffic.
• Other malware.

    - Adware is software intended to deliver undesired marketing and advertising,
    including pop-ups and banners on a user's screen.

    - A key logger records keystrokes to steal passwords and other typed data.

    - A dialer (on a dial-up modem) automatically dials a 900 number (a premium-rate
    line) to run up large charges.
• Other external threats.

    - Phishing is luring an organization's users, through social engineering (typically
    a fraudulent email or message), to a website that appears identical to the
    organization's site in order to capture IDs, passwords, government IDs, etc.
    Spear phishing targets specific individuals with personalized messages.

    - An evil twin is a Wi-Fi access point operated by a cybercriminal that mirrors a
    legitimate network's name so that users connect to it and their traffic can be
    intercepted.

    - Identity theft is the illegal use of sensitive information to impersonate an
    individual over computer networks in order to defraud the person or commit a
    crime without the perpetrator's true identity being known. The human-to-browser
    phase of transactions is where most identity theft occurs, not in the space
    between browser and web server. Most of the problem is due to poor password
    controls and social engineering.

    - Piggybacking is either physically following someone through a secure door
    (tailgating) or using someone's legitimate credentials to access a network.

    - A denial-of-service attack is designed to consume so much of a shared resource
    (bandwidth, connections, CPU) that none is left for legitimate users; a distributed
    denial-of-service (DDoS) attack does this from many compromised machines at
    once.
• Internal threats: illegal program alterations. Hackers, or more likely malicious
insiders with programming privileges, can alter the code of programs, usually to
perpetrate fraud or theft. The following are examples of such data manipulation
techniques:

    - Asynchronous attacks exploit the gap between an initial system action and a
    subsequent system reaction. For example, after a system has been shut down
    and before it restarts automatically, changes may be made to the restart
    parameters to weaken security.

    - Data diddling is intentionally manipulating data in a system, typically before
    or as it is entered.

    - Data hiding is manipulating file names or extensions, or using other tricks, to
    hide a file so that it can be manipulated (e.g., hiding an audit log).

    - Backdoors bypass normal authentication and can be installed by direct code
    manipulation (or by Trojan horses).
• Server/mainframe malware. Attacks on mainframes are rare because of the
specific knowledge needed for a particular mainframe. Nevertheless, publicly
available servers connected to the web are assumed to be under a constant barrage
of attacks.
Server attacks typically start by gaining low-privilege access and then attempting to
escalate privileges. Once inside, attackers cover their tracks, steal data, and break or
take control of the system.
Vendors such as Microsoft regularly publish and patch server vulnerabilities, and
attackers exploit systems that are not updated promptly. In addition to system-level
attacks, publicly available servers can be attacked through their applications. For
example, an intranet server might run a web application that lets employees look up
customer data; attackers look for flaws in such applications (e.g., injection or broken
authentication).
Exhibit 3-35 provides a summary of the types of malware just discussed.
Exhibit 3-35: Malware Summary
• VirWare: viruses, worms, ransomware
• Trojan horses: Trojan-clickers, banker programs, rootkits, Trojan-proxies
• Other malware: adware, key loggers, dialers
• Other external threats: phishing, evil twins, identity theft, piggybacking,
denial-of-service attacks
• Internal threats (illegal program alterations): asynchronous attacks, data diddling,
data hiding, backdoors
• Server/mainframe malware
Protecting Systems from Malicious Software and Computer Crime
All operating systems contain bugs that create vulnerabilities and affect overall system
performance. A homogeneous operating system estate allows wide-scale exploitation
of a single bug. Controls include:

• Frequent updates and patches to operating systems and applications.

• Running day-to-day work under an account without administrative privileges, so
that malware executed by the user does not inherit those rights.

• Operating systems that restrict the rights given to code, such as running it in a
virtual area or sandbox, which addresses the security flaw of over-privileged code
(when any code executed on a system receives all the rights of the user running it).
Antivirus software maintains signatures of known malware and prevents it from being
installed, or helps recover a computer once the malware has been removed. Such
software scans both incoming and outgoing data. Automatic signature updates and
regularly scheduled scans are important controls to keep such systems current. Some
antivirus programs also use heuristic or behavior-based detection that looks for
unusual code or activity and can catch previously unseen malware, at the cost of more
false positives. Policies can also help, such as allowing downloads only from reputable
sources. Other tools include blockers for spyware, spam, macros, and pop-ups.
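The following Python script is an added example (not code from the guide or from any antivirus product) that combines three of the checks described above over a directory tree: a signature match on file hashes (the "list of known viruses"), a policy flag on macro-enabled Office files, and a "data hiding" check that compares a file's magic bytes with its extension so a renamed executable is caught. The sample files, the hash list, and the file-type tables are constructed for the demonstration and cover only a handful of formats.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Magic bytes that identify a file type regardless of the name it was given.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip-container",   # docx/xlsx/xlsm/jar are all zip containers
    b"%PDF": "pdf",
}
# Extensions that legitimately carry each type; anything else is a mismatch.
EXPECTED_EXT = {
    "pe-executable": {".exe", ".dll", ".sys", ".scr"},
    "elf-executable": {"", ".so", ".bin"},
    "zip-container": {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"},
    "pdf": {".pdf"},
}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def sniff(header: bytes) -> str | None:
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def scan_file(path: Path, bad_hashes: set[str]) -> list[str]:
    """Return the findings for one file (an empty list means nothing flagged)."""
    data = path.read_bytes()
    findings: list[str] = []
    if hashlib.sha256(data).hexdigest() in bad_hashes:      # signature match
        findings.append("known-malware-signature")
    ext = path.suffix.lower()
    if ext in MACRO_ENABLED:                                # policy: macros need review
        findings.append("macro-enabled-document")
    kind = sniff(data[:8])
    if kind is not None and ext not in EXPECTED_EXT[kind]:  # renamed file (data hiding)
        findings.append(f"extension-mismatch:{kind}")
    return findings


def scan_tree(root: Path, bad_hashes: set[str]) -> dict[str, list[str]]:
    results: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            found = scan_file(p, bad_hashes)
            if found:
                results[p.relative_to(root).as_posix()] = found
    return results


def build_sample_tree(root: Path) -> set[str]:
    """Write constructed sample files and return the constructed 'known bad' hash set."""
    evil = b"MZ\x90\x00 constructed stand-in for a known malicious executable"
    (root / "report.pdf").write_bytes(b"%PDF-1.4 harmless document")
    (root / "notes.txt").write_bytes(b"plain text, nothing to see")
    (root / "invoice.xlsm").write_bytes(b"PK\x03\x04 macro-enabled workbook")
    (root / "update.txt").write_bytes(b"MZ\x90\x00 executable hidden behind a .txt name")
    (root / "tools").mkdir()
    (root / "tools" / "evil.exe").write_bytes(evil)
    return {hashlib.sha256(evil).hexdigest()}


def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        return scan_tree(root, build_sample_tree(root))


if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        print(f"{name}: {', '.join(findings)}")
```

The hash check only catches byte-identical copies of known samples, which is exactly the weakness the text describes when several variants appear in one day; the magic-byte and macro checks are cheap heuristics that do not depend on having seen the file before.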
One method of self-protection from malware in general is to follow a minimum set of
agreed-upon controls, called baseline controls. One example is the VISA ® Cardholder
Information Security Program (CISP), which has made a set of security guidance rules
available to credit card network users. This advice, called the “Digital Dozen,” can be
found in the Global Technology Audit Guide (GTAG) 1, “Information Technology Risk
and Controls,” 2nd Edition.
Other controls include taking sensitive information offline and performing background
checks on new employees and users with security clearance. Browsers contain
phishing filters that check visited URLs against lists of known malicious sites (which
may involve sending URL data to the browser vendor for validation).
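Block lists cannot cover a phishing site that was registered an hour ago, so the following Python function is an added example (not from the guide) of the complementary check: deciding whether a hostname is a look-alike of one of the organization's own domains. It decodes punycode (xn--) labels, folds a small set of confusable characters into a "skeleton," and then tests for homoglyph matches, one-edit typosquats, and the brand name buried as a subdomain of another domain. The TRUSTED allowlist is constructed, the confusables table is a small subset of the Unicode one, and the registrable-domain logic is deliberately naive (it takes the last two labels).

```python
from __future__ import annotations

import unicodedata

# Constructed allowlist of the organization's own registrable domains.
TRUSTED = {"example.com", "examplebank.com"}

# Small subset of visually confusable characters (Unicode TR39 has the full
# table); each maps to the Latin character it imitates.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic look-alikes
    "0": "o", "1": "l", "\u0131": "i",
}
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}


def to_unicode_host(host: str) -> str:
    """Lowercase, strip a trailing dot, and decode punycode (xn--) labels."""
    host = host.strip().lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host          # already Unicode (or undecodable): compare as-is


def skeleton(s: str) -> str:
    """Fold accents and confusables so look-alikes collapse to one string."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI_CHAR.items():
        s = s.replace(seq, rep)
    return s


def registrable(host: str) -> str:
    """Naive: last two labels. Production code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, trusted: set[str] = TRUSTED) -> str:
    h = to_unicode_host(host)
    reg = registrable(h)
    if reg in trusted:
        return "trusted"
    for t in sorted(trusted):
        if h.startswith(t + ".") or ("." + t + ".") in h:
            return f"lookalike-subdomain:{t}"      # brand name buried in a hostname
        if skeleton(reg) == skeleton(t):
            return f"lookalike-confusable:{t}"     # homoglyph / IDN attack
        if levenshtein(skeleton(reg), skeleton(t)) <= 1:
            return f"lookalike-typo:{t}"           # typosquat, one edit away
    return "unknown"
```

A result of "unknown" is not a verdict: it only means the host is not trusted and not a look-alike of a trusted name, so it should still go through the usual reputation and block-list checks.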
Controls associated with proper user identification and authentication of identity are
critical. Authentication mechanisms must be secured and assessed. Users must be
aware of the dangers of sharing or not securing passwords or creating weak
passwords.
Externally Stored Data and Third-Party Cybersecurity Risk
When data is stored external to the organization, such as in a third-party cloud, it is
vital for the organization to ensure that vendors are properly managing relevant risks.
Critical steps for management to take include due diligence and strong contracts that
require:

• Service organization control (SOC) reports (e.g., a SOC 2 Type II report covering
security, availability, and confidentiality).

• Right-to-audit clauses, including use of cybersecurity engagements.

• Service level agreements (SLAs), including reporting requirements related to
information security protections and breach notification.
Oversight and data and information security governance include monitoring the
vendors and the key metrics they report to ensure conformance with the SLAs.
Remedies for deficiencies include asking for timely resolution of concerns, enforcing
penalties, and enforcing the right to audit. Vendors who do not remediate issues in a
timely manner may need to be replaced.
(3) Piracy and Device Tampering
Software piracy is the illegal copying of software or distribution of software access to
more users than is allowed in the organization’s contract. Software organizations may
be able to detect illegal use of software remotely or have their own right-to-audit
clauses with the purchasing or leasing organization. Financial penalties for
noncompliance can be severe. A policy prohibiting piracy is an important control.
Risk-based internal audits may be needed to provide assurance that software is not
being pirated.
Device tampering includes jailbreaking/rooting of smart devices or other hardware
manipulations. It may enable piracy or installation of apps that contain malware. Device
tampering is dangerous and should also be prohibited by policy.
(4) Insider Threat Programs
The primary purpose of an insider threat program is to protect critical assets, which
include valuable data, people, facilities, and systems. Insider threats cannot be
completely eliminated, and trying to do so can be prohibitively expensive.
Programs to monitor and control insider threats may be part of the risk universe for
internal auditors. Given a risk assessment, the internal audit activity may plan
assurance engagements to assess the effectiveness of these programs or consulting
engagements to assess insider risks. An important step is to assess the control
environment, since poor authentication controls and so on can create a pervasive
impact on opportunities for insider threats. Usually audits will focus on a specific subset
of insider threats, such as hiring practices or management’s methods to monitor the
external and internal environment, rather than having a full scope.
The steps related to understanding the engagement context, gathering information,
performing a risk assessment, and communicating results to the board are discussed
next. These steps will be used to establish the scope, allocate resources (the CAE
needs to obtain competent assistance and advice per Standard 1210.A1), and plan the
engagement.
Understanding the Engagement Context and Gathering Information
Understanding the engagement context and purpose may involve determining if
changes in the operating environment, such as mergers or acquisitions, have
introduced new risks to the environment. Information gathering can include discovery
about past fraud allegations, occurrences, and investigations involving insiders. It is
also important to review related regulatory compliance requirements. Internal auditors
may need to prepare by studying established security frameworks, programs, and
recommendations. This culminates in a risk assessment.
An insider threat program should have a process map that can be reviewed.
Components of the program to review include:

• Stakeholders involved and their requirements.

• Senior management and board buy-in and oversight, including governance
structure and policy.

• Management's insider threat planning process.

• Management's insider threat risk management process:
    - How it identifies critical assets.
    - How it identifies threats.
    - How it assesses vulnerabilities.

• Management's insider threat operations:
    - Communications, training, and awareness programs (which should be
    improved using feedback loops from issue resolutions).
    - Preventive and detective controls.
    - Data and tool requirements.

• Analysis and incident management:
    - Initial and internal investigations.
    - Referrals and reporting.
    - External criminal investigation decisions.

• Final actions, management reporting, and feedback and lessons learned.
Subprocesses may also be reviewed, such as the employee application, screening,
hiring, onboarding, reaccreditation (changing access privileges when employees shift
to new positions), and termination process for employees. Each step in such a process
will have its own risks and a potential set of controls. For example, the employee
application process has a risk of hiring employees who are secretly working for major
competitors. Employment history evaluation and additional screening for sensitive
positions are potential controls.
Risk Assessment
Exhibit 3-36 reviews common insider threats that are generally based on the use of IT
to commit the crimes.
Exhibit 3-36: Insider Threats
• Fraud. Risk: identity theft or illegal use of data for personal gain. Potential impact:
financial misstatements or reputation damage.
• IT sabotage. Risk: use of IT to harm the organization or a specific individual.
Potential impact: denial of service or productivity loss.
• Theft of intellectual property. Risk: industrial espionage involving insiders.
Potential impact: loss of competitive advantage or revenue.
• Theft or disclosure of sensitive data. Risk: theft of confidential, proprietary, or
private data for financial gain. Potential impact: restitution payments to customers or
loss of customer trust.
• Theft of personal data. Risk: theft or disclosure of personally identifiable
information. Potential impact: legal expenses, restitution, or loss of trust; data privacy
noncompliance penalties.
• Illegal activities. Risk: use of digital assets to send spam, gamble, or do other
prohibited activities. Potential impact: financial losses and reputation damage.
Insider Threat Reports and Recommendations
To effectively communicate the risks related to insider threats to the board, internal
auditors must translate audit findings into terms of financial loss, reputation damage,
operational disruption, and other organizational performance indicators. Best practices
include referring to existing industry reports and educating the board that only
reasonable assurance of security is possible.
The Global Technology Audit Guide, “Auditing Insider Threat Programs” cites the
CERT® Insider Threat Center’s “Common Sense Guide to Mitigating Insider Threats,
Fifth Edition,” for a set of best practices or control objectives. Internal audit activity
recommendations may include one or more of these best practices, as reproduced
below, depending on the results of the engagement:

• Know and protect your critical assets.
• Develop a formalized insider threat program.
• Clearly document and consistently enforce policies and controls.
• Starting at the hiring process, monitor and respond to suspicious or disruptive
behavior.
• Anticipate and manage negative issues in the work environment.
• Consider threats from insiders and business partners in enterprise-wide risk
assessments.
• Be especially vigilant regarding social media.
• Structure management and tasks to minimize unintentional insider stress and
mistakes.
• Incorporate malicious and unintentional insider threat awareness into periodic
security training for all employees.
• Implement strict password and account management policies and practices.
• Institute stringent access controls and monitoring policies for privileged users.
• Deploy solutions for monitoring employee actions and correlating information
from multiple data sources.
• Monitor and control remote access from all end points, including mobile devices.
• Establish a baseline of normal behavior for both networks and employees.
• Enforce separation of duties and least privilege.
• Define explicit security agreements for any cloud servers, especially access
restrictions and monitoring capabilities.
• Institutionalize system change controls.
• Implement security backup and recovery processes.
• Close the doors to unauthorized data exfiltration.
• Develop a comprehensive employee termination procedure.
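Three of the practices above (monitoring employee actions, establishing a baseline of normal behavior, and a termination procedure that actually removes access) can be checked mechanically from an access log. The following Python script is an added example, not from the GTAG or the CERT guide, that runs such checks over a constructed file-download log: it flags off-hours access, compares each user's daily download volume against that user's own robust baseline (median plus a multiple of the median absolute deviation, so one huge day cannot mask itself by raising the average), and flags any access after a user's recorded last working day. The log rows, the HR termination feed, the 07:00 to 19:00 business-hours window, and the threshold multiplier are all assumptions for the demonstration.

```python
from __future__ import annotations

import csv
import io
import statistics
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample file-access log (not real data); one row per download.
SAMPLE_LOG = """\
timestamp,user,action,bytes
2024-03-04T09:12:00,alice,download,1200
2024-03-04T14:40:00,alice,download,800
2024-03-05T09:30:00,alice,download,1500
2024-03-06T11:05:00,alice,download,1800
2024-03-07T16:20:00,alice,download,2200
2024-03-08T02:10:00,alice,download,500000
2024-03-04T09:00:00,bob,download,3000
2024-03-05T10:00:00,bob,download,2500
2024-03-07T11:00:00,bob,download,2800
2024-03-04T13:00:00,carol,download,900
2024-03-05T13:30:00,carol,download,1100
2024-03-06T12:45:00,carol,download,1000
"""

# Constructed HR feed: last working day per terminated user. Any access after
# this date means the termination procedure failed to remove access.
TERMINATED = {"bob": date(2024, 3, 6)}

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed local hours


def parse_log(text: str) -> list[dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(r["timestamp"]),
                     "user": r["user"], "action": r["action"], "bytes": int(r["bytes"])})
    return rows


def off_hours(ts: datetime) -> bool:
    """Outside Monday to Friday business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def volume_anomalies(rows: list[dict], k: float = 5.0) -> list[tuple[str, str, str]]:
    """Flag days whose download volume is far above the user's own baseline.

    Baseline = median of the user's daily totals; spread = median absolute
    deviation (MAD). Both are robust, so a single exfiltration day does not
    inflate the threshold it is being compared against.
    """
    daily: dict[str, dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for r in rows:
        daily[r["user"]][r["ts"].date()] += r["bytes"]
    findings = []
    for user, per_day in daily.items():
        totals = list(per_day.values())
        if len(totals) < 3:                     # too little history for a baseline
            continue
        med = statistics.median(totals)
        mad = statistics.median(abs(t - med) for t in totals) or 1.0
        for day, total in per_day.items():
            if total > med + k * mad:
                findings.append((user, day.isoformat(), "volume-anomaly"))
    return findings


def analyze(log_text: str, terminated: dict[str, date] = TERMINATED) -> list[tuple[str, str, str]]:
    rows = parse_log(log_text)
    findings = []
    for r in rows:
        if off_hours(r["ts"]):
            findings.append((r["user"], r["ts"].isoformat(), "off-hours-access"))
        last_day = terminated.get(r["user"])
        if last_day is not None and r["ts"].date() > last_day:
            findings.append((r["user"], r["ts"].isoformat(), "access-after-termination"))
    findings.extend(volume_anomalies(rows))
    return sorted(findings)


if __name__ == "__main__":
    for user, when, kind in analyze(SAMPLE_LOG):
        print(f"{user:6} {when:20} {kind}")
```

In the sample, alice's 500000-byte download at 02:10 is flagged twice (off hours and volume), while bob's access the day after his last working day is the termination-procedure failure; carol's activity stays within her baseline. Each finding is a lead for the insider threat team's initial investigation, not proof of wrongdoing.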
1.7. Cybersecurity Policies
This topic describes organizational policies related to cybersecurity, information
security, and information security governance.
In addition to reviewing the contents of this topic, students can review the following IIA
materials:

• Global Technology Audit Guide (GTAG), “Assessing Cybersecurity Risk: Roles
of the Three Lines of Defense”
Cybersecurity Policies
The NIST Cybersecurity Framework is a
possible basis for cybersecurity policies.
Information Security Policies
Information security policies guide
management, users, and system
designers in making information
security decisions.
Role of the Three Lines Model in
Cybersecurity
The IIA’s Three Lines Model describes
organizational roles in regard to
cybersecurity.
(1) Cybersecurity Policies
Cybersecurity policies and related training and testing are designed by IT risk
management and IT compliance functions (second line roles) and administered by IT
operations management roles (first line roles). Internal audit (third line roles) provides
independent ongoing evaluations of cybersecurity policy effectiveness. Since many
cybersecurity policies are based on cybersecurity frameworks, a common
cybersecurity framework is presented next.
NIST Cybersecurity Framework
The U.S. National Institute of Standards and Technology (NIST) Cybersecurity
Framework, or CSF, provides a risk-based, iterative approach to adopting a vigilant
cybersecurity stance for public and private organizations. It also includes guidance on
self-assessment. The NIST CSF Framework Core, shown in Exhibit 3-37, includes
cybersecurity activities, desired outcomes, and informative references from industry
standards, guidelines, and practices. In CSF Version 1.1 the Framework Core has five
functions, which are further divided into 23 categories. (NIST CSF 2.0, published in
2024, adds a sixth function, Govern, covering organizational context, risk
management strategy, and policy.)
Exhibit 3-37: NIST CSF Framework Core

Identify
  Description: Identify and communicate cybersecurity objectives and goals. Develop
  organizational understanding to manage cybersecurity risk to systems, assets, data,
  and capabilities.
  Categories: Asset management; Business environment; Governance; Risk
  assessment; Risk management strategy; Supply chain risk management.

Protect
  Description: Develop and implement the appropriate safeguards to ensure delivery of
  critical infrastructure services.
  Categories: Identity management and access control; Awareness and training; Data
  security; Information protection processes and procedures; Maintenance; Protective
  technology.

Detect
  Description: Develop and implement the appropriate activities to identify the
  occurrence of a cybersecurity event.
  Categories: Anomalies and events; Security continuous monitoring; Detection
  processes.

Respond
  Description: Develop and implement the appropriate activities to take action
  regarding a detected cybersecurity event.
  Categories: Response planning; Communications; Analysis; Mitigation;
  Improvements.

Recover
  Description: Develop and implement the appropriate activities to maintain plans for
  resilience and to restore any capabilities or services that were impaired due to a
  cybersecurity event.
  Categories: Recovery planning; Improvements; Communications.

Source: “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0.
NIST (National Institute of Standards and Technology), 2014. The categories listed
reflect Version 1.1 (2018), which added Supply chain risk management and renamed
Access control to Identity management and access control.
(2) Information Security Policies
An effective information security policy should provide guidelines for preventive and
detective controls to address a variety of information risks. Such risks can include
unauthorized access, disclosure, duplication, modification, misappropriation,
destruction, loss, misuse, and denial of use. Information security policies guide
management, users, and system designers in making information security decisions.
The International Organization for Standardization (ISO), the world's largest developer
of international standards, has together with the IEC established guidelines and
general principles for initiating, implementing, maintaining, and improving information
security management within organizations. The ISO/IEC 27000 family of standards
supports the development of organizational security standards and effective security
management practices and helps build confidence in interorganizational activities.
ISO/IEC 27001 specifies the requirements for an information security management
system (ISMS); certification against it means that the organization will be able to:

• Improve enterprise security.

• Plan and manage security effectively.

• Secure partnerships and e-commerce.

• Enhance customer confidence.

• Perform accurate and reliable security audits.

• Reduce liability.
For internal auditors, a key resource is The IIA’s Global Technology Audit Guide
(GTAG), “Assessing Cybersecurity Risk: Roles of the Three Lines of Defense.”
To design an information security policy, the organization should assess its security
needs to gain an understanding of its business needs and security objectives.
Common questions that this assessment should ask include:

• What information is considered business-critical?

• Who creates that critical information?

• Who uses that information?

• What would happen if the critical data were to be lost, stolen, or corrupted?

• How long can our business operate without access to this critical data?
As information crosses multiple lines in an organization, so too does information
security. Therefore, an information security policy should be coordinated with multiple
departments—including systems development, change control, disaster recovery,
compliance, and human resources—to ensure consistency. Additionally, an information
security policy should state Internet and email ethics and access limitations and define
the confidentiality policy. Good policies also need to provide precise instructions on
how to handle security events and escalation procedures (e.g., how to escalate
situations where a risk is likely exceeding the organization’s risk appetite). One
essential information security policy is to ensure that the organization’s Three Lines
roles also cover information security roles and responsibilities, as is discussed more
next.
Information Security Objectives
Auditors not only need to understand information security principles and controls in
general; they should also understand the security needs of the particular facet of the
business where the controls and information security systems reside. Both are needed
to gain a full appreciation of information security risks and controls.
The overall goal of information security is to maintain the integrity of information assets
and processing and mitigate and remediate vulnerabilities. COBIT, formerly known as
Control Objectives for Information and Related Technology, is an internationally
accepted framework created by ISACA that helps enterprises to achieve their
objectives for the governance and management of information technology. COBIT
systems security objectives reflect the breadth and complexity of the systems security
environment:

• Manage IT security, as aligned with business requirements.

• Implement an IT security plan that balances organizational goals and risks and
compliance requirements with the organization's IT infrastructure and security
culture.

• Implement identity management processes to ensure that all users are identified
and have appropriate access rights.

• Manage user accounts through appropriate policies and processes for
establishing, modifying, and closing them.

• Ensure security testing, surveillance, and monitoring to achieve a baseline level
of system security and to prevent, identify, and report unusual activity.

• Provide sufficient security incident definition to allow problems to be classified
and treated.

• Protect security technology by preventing tampering and ensuring the
confidential nature of security system documentation.

• Manage cryptographic keys to ensure their protection against modification and
unauthorized disclosure.

• Prevent, detect, and correct malicious software across the organization in both
information systems and technology.

• Implement network security to ensure authorized access and flow of information
into and from the enterprise.

• Ensure that sensitive data is exchanged only over trusted paths or through
reliable media with adequate controls to ensure authenticity of content, proof of
submission, proof of receipt, and proof of nonrepudiation of origin.
Systems security is made up of controls general to the organization and specific to IT
and physical security systems. Because a system is only as strong as its weakest link,
systems security must start with use of a control framework such as COSO’s Internal
Control—Integrated Framework. Other controls such as proper segregation of duties
are a prerequisite for IT systems security.
A deficiency in general or application controls should be reported in context, explaining
to management the risk exposure the deficiency creates. The auditor should recommend
the control that best addresses the deficiency given the particulars of the organization.
Controls remain effective only if they are monitored continually. For example, a review
of a software application's controls should include its security administration
procedures, password controls, and user role provisioning methods.
When auditing for computer-related fraud, auditors trained in computer controls should
try to think like a thief or a hacker in determining areas of greatest vulnerability. While
this is not an easy task, it is important to determine what fraud would “look like” in the
particular area under review so as to design the audit for maximum impact. This
involves considering:

How a system could be exploited.

How the audit trail might be covered up.

What level of authority would be needed to enact the cover-up.

What explanations could be used if the issue were detected.
(3) Role of the Three Lines Model in Cybersecurity
In the Three Lines Model, the first and second line roles for an organization are
management (including its support functions) and the third is the internal audit activity.
First line management roles deliver products and services to customers and are
responsible for managing risk. Second line roles provide complementary expertise,
support, monitoring, and challenge to first line roles. Proper board governance is also
vital to the model and forms two of its six principles:

Governance

Governing body roles

Management and first and second line roles

Third line roles

Third line independence

Creating and protecting value
In terms of cybersecurity, management is accountable for developing, funding,
monitoring, and controlling data administration, data processes, data risk management,
and data controls. They usually delegate to qualified systems administrators who
recruit and train certified and qualified staff. Systems administrators need to:

Implement cybersecurity procedures, including training and testing of these
procedures.

Keep all systems up to date and securely configured, including restriction to
least-privilege access roles (i.e., not overprivileged).

Use intrusion detection systems.

Conduct penetration testing (authorized simulated attacks; denial-of-service
scenarios only when explicitly in scope, since they can disrupt production) and
internal and external vulnerability scans as part of vulnerability management.

Manage and protect network traffic and flow.

Employ data loss prevention (DLP) programs, including encrypting data when
feasible.
The first and second line roles that include risk, control, and compliance functions help
assess whether the controls are functioning adequately and whether they are
complete. First and second line roles need qualified, talented, and certified individuals
who can conduct cyber risk assessments and gather intelligence on cyber threats. The
roles need adequate policies, including for ongoing training. They may be involved in
helping to:

Design roles to have least-privilege access.

Assess external business relationships.

Plan and test business continuity and disaster recovery.
Internal audit maintains its independence and objectivity in part so that it can properly
function as the third line role. In the event that the first two lines fail to provide
adequate protection, have an incomplete strategy, or fail to implement recommended
remediation, internal auditors will be in a position to make these observations to senior
management and/or the board. This might entail evaluating:

Cybersecurity preventive and detective controls for adequacy and
completeness.

The IT assets of privileged users to ensure that they have standard security
configurations and are free from malware.

External business relationships by conducting cyber risk assessments.
The following cybersecurity risk assessment framework can help the internal audit
activity ensure that the board and management are fulfilling their roles with regard to
cybersecurity.
Cybersecurity Risk Assessment Framework
The “Assessing Cybersecurity Risk” Practice Guide presents a cybersecurity risk
assessment framework, as shown in Exhibit 3-38. The framework's components are
interdependent: each depends on the effectiveness of the others for the organization
to be fully prepared to address cybersecurity. Each component is discussed below.
Exhibit 3-38: Cybersecurity Risk Assessment Framework
Cybersecurity Governance
Cybersecurity governance is evidenced by clearly defined policies, relevant tools,
sufficient staffing, and insightful training. Red flags of lack of governance include
fragmented governance structures, incomplete strategy, unnecessary delays, budget
cuts, attrition, or lack of accountability enforcement.
A cybersecurity governance committee with representatives from the board,
management, and internal audit can be formed to help:

Establish a culture of cybersecurity risk awareness.

Set a related risk appetite.

Develop cybersecurity business continuity and disaster recovery plans.

Collect cybersecurity risk intelligence.

Collaborate and share expertise.
Such a committee would also oversee prompt management responses to security
breaches, including root cause analysis. It can help avoid a common management
pitfall: failing to consider emerging threats and vulnerabilities proactively. The
committee enlists the right types of expertise, does ongoing research, creates metrics,
and reviews security defense tests.
Inventory of Information Assets
Management is responsible for creating an inventory of information assets, technology
devices, and related software. This priority-ranked list of information assets can help
determine where to apply stronger controls and where IT general controls and periodic
evaluations should suffice. The most valuable assets will need preventive and detective
controls that are continually monitored for ongoing effectiveness.
This inventory will be enhanced if a process map is used or created to show how the
information assets interact. A key benefit of having an inventory is that it will enable
detection when unknown devices have accessed a network. If these are the
employees’ own devices (used under a bring-your-own-device policy), they can be
authenticated and inventoried.
An inventory will consider data by type (e.g., transactional, unstructured), classification
(e.g., health data), and storage environment. A comprehensive inventory will include:

A physical inventory of servers and network, storage, and end-user devices.

A comprehensive list of all applications.

All third-party-hosted environments and data shared with external organizations,
including regulatory agencies and vendors.
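One way to realize the detection benefit described above, as an added example that is not code from the study guide or the IIA materials: the script below parses constructed DHCP-lease-style log lines (a simplified DHCPACK format made up for this example), looks each MAC address up first in the asset inventory and then in a register of authenticated BYOD devices, and reports any device that appears in neither. The inventory entries, the BYOD register and the log lines are all constructed sample data.

```python
"""Detect devices seen on the network that are absent from the asset inventory.

Added example, not from the study guide. The inventory, the BYOD register and
the log lines are constructed sample data, and the lease-log format is a
simplified DHCPACK style made up for this example.
"""
import re
from dataclasses import dataclass

# Constructed inventory: MAC address -> (asset tag, description)
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("SRV-0001", "file server"),
    "00:1a:2b:3c:4d:02": ("WS-0117", "finance workstation"),
    "00:1a:2b:3c:4d:03": ("PRN-0009", "network printer"),
}

# Constructed BYOD register: personal devices that completed device
# authentication (e.g. MDM enrolment) under the bring-your-own-device policy.
BYOD_REGISTER = {
    "a4:5e:60:aa:bb:10": "j.doe, enrolled 2024-03-01",
}

# Constructed lease log. Only DHCPACK lines represent an address actually
# handed out; DHCPDISCOVER lines are requests and are ignored.
SAMPLE_LOG = """\
2024-05-06T08:01:12Z DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:02 (ws-0117) via eth0
2024-05-06T08:01:40Z DHCPACK on 10.0.5.22 to a4:5e:60:aa:bb:10 (iPhone) via eth0
2024-05-06T08:02:05Z DHCPACK on 10.0.5.23 to de:ad:be:ef:00:01 (raspberrypi) via eth0
2024-05-06T08:02:09Z DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
2024-05-06T08:03:31Z DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:02 (ws-0117) via eth0
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Sighting:
    mac: str
    ip: str
    host: str
    first_seen: str
    status: str  # "inventoried", "byod" or "unknown"


def classify(mac):
    """Look a (lower-cased) MAC up in the inventory first, then the BYOD register."""
    if mac in INVENTORY:
        return "inventoried"
    if mac in BYOD_REGISTER:
        return "byod"
    return "unknown"


def parse_leases(log_text):
    """Return one Sighting per MAC address (the first lease seen wins)."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if mac not in seen:
            seen[mac] = Sighting(mac, m["ip"], m["host"] or "", m["ts"], classify(mac))
    return list(seen.values())


def unknown_devices(log_text):
    """Sightings that match neither the inventory nor the BYOD register."""
    return [s for s in parse_leases(log_text) if s.status == "unknown"]


if __name__ == "__main__":
    for s in parse_leases(SAMPLE_LOG):
        print(f"{s.first_seen} {s.mac} {s.ip:<12} {s.host:<12} {s.status}")
```

In practice the inventory would come from the CMDB and the sightings from DHCP, NAC or switch forwarding tables rather than a text file; the comparison is only as reliable as the inventory is complete, which is why the list above asks for physical devices, applications and third-party-hosted environments to all be recorded.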
Standard Security Configurations
Centralized, automated configuration management software can establish baselines for
devices, operating systems, and software. Standardized configurations are more
effective and easier to update globally than a patchwork of one-off configurations. Risk assessments can
determine where higher-security configurations are needed.
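As an added illustration that is not code from the study guide, the following checks an OpenSSH sshd_config-style file against a standard baseline, and against a stricter overlay for hosts that a risk assessment has placed in a high-risk tier. The baseline values, the tiering and the sample file are this example's own assumptions rather than a vendor or CIS benchmark; only the setting names follow sshd_config conventions.

```python
"""Check an sshd_config-style file against a standard security baseline.

Added example, not from the study guide. The baseline values, the high-risk
overlay and the sample file are constructed assumptions for this example,
not a vendor or CIS benchmark; only the setting names follow OpenSSH
sshd_config conventions.
"""

# Standard baseline applied to every server (assumed values).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Stricter settings the risk assessment requires for hosts in the high-risk
# tier (assumed tiering for this example).
HIGH_RISK_OVERLAY = {
    "MaxAuthTries": "3",
    "AllowTcpForwarding": "no",
}

# Constructed sample file with two deviations from the standard baseline.
SAMPLE_SSHD_CONFIG = """\
# constructed sample /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
LogLevel INFO
"""


def parse_config(text):
    """Parse 'Keyword argument' lines. Blank lines and lines starting with '#'
    are comments. Keywords are case-insensitive and, as in sshd, the first
    occurrence of a keyword is the one that takes effect."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, argument = parts
        settings.setdefault(keyword.lower(), argument.strip())
    return settings


def effective_baseline(risk_tier="standard"):
    """Standard baseline, with the stricter overlay layered on for high-risk hosts."""
    baseline = dict(BASELINE)
    if risk_tier == "high":
        baseline.update(HIGH_RISK_OVERLAY)
    return baseline


def drift(config_text, risk_tier="standard"):
    """Return {setting: (expected, actual)} for each deviation from the baseline.

    A setting absent from the file is reported with actual=None: sshd then
    falls back to its compiled-in default, which the baseline review cannot
    vouch for, so silence is treated as a deviation rather than as compliance.
    """
    observed = parse_config(config_text)
    deviations = {}
    for keyword, expected in effective_baseline(risk_tier).items():
        actual = observed.get(keyword.lower())
        if actual is None or actual.lower() != expected.lower():
            deviations[keyword] = (expected, actual)
    return deviations


if __name__ == "__main__":
    for tier in ("standard", "high"):
        print(f"[{tier} tier]")
        for keyword, (expected, actual) in drift(SAMPLE_SSHD_CONFIG, tier).items():
            print(f"  {keyword}: expected {expected!r}, found {actual!r}")
```

The same host passes more checks in the standard tier than in the high-risk tier; that difference is the point of letting the risk assessment decide where the higher-security configuration applies, while the standard baseline and the parser stay shared.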
Information Access Management
An internal audit activity review of user access can determine if preventive controls,
such as review and approval of privileges based on a new or transferred job role, are
appropriate and working. An emphasis is placed on preventive controls for privileged
administrative access because this is a leading indicator of cybersecurity program
effectiveness.
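An added example of the user access review described above, not code from the study guide: each account's entitlements are compared with the profile approved for its current job role; entitlements that linger from a previous role after a transfer are called out separately from entitlements no role grants; privileged entitlements are checked against an approval register; and one segregation-of-duties rule is applied. Role profiles, the account extract, the approvals and the rule are all constructed sample data.

```python
"""Review account entitlements against approved job-role profiles.

Added example, not from the study guide. Role profiles, the account extract,
the approval register and the segregation-of-duties rule are constructed
sample data; a real review would draw them from the IAM system, the HR feed
and the access-request workflow.
"""

# Constructed role profiles: the entitlements approved for each job role.
ROLE_PROFILES = {
    "ap_clerk":   {"erp.ap.enter_invoice", "erp.ap.view"},
    "ap_manager": {"erp.ap.view", "erp.ap.approve_payment"},
    "sysadmin":   {"os.local_admin", "erp.admin"},
}

# Entitlements treated as privileged administrative access.
PRIVILEGED = {"os.local_admin", "erp.admin", "erp.ap.approve_payment"}

# Constructed segregation-of-duties rule: nobody may both enter and approve.
TOXIC_COMBINATIONS = [frozenset({"erp.ap.enter_invoice", "erp.ap.approve_payment"})]

# Constructed account extract: (user, current role, previous role, entitlements held).
# bob transferred from ap_manager to ap_clerk; dave holds local admin no AP role grants.
ACCOUNTS = [
    ("alice", "ap_clerk",   None,         {"erp.ap.enter_invoice", "erp.ap.view"}),
    ("bob",   "ap_clerk",   "ap_manager", {"erp.ap.enter_invoice", "erp.ap.view",
                                           "erp.ap.approve_payment"}),
    ("carol", "sysadmin",   None,         {"os.local_admin", "erp.admin"}),
    ("dave",  "ap_manager", None,         {"erp.ap.view", "erp.ap.approve_payment",
                                           "os.local_admin"}),
]

# Constructed approval register: (user, entitlement) pairs with a recorded approval.
APPROVALS = {("carol", "os.local_admin"), ("dave", "erp.ap.approve_payment")}


def review(accounts=ACCOUNTS, role_profiles=ROLE_PROFILES, approvals=APPROVALS):
    """Return (user, entitlement, finding) tuples for everything the reviewer
    would raise: access outside the role profile, access retained after a
    transfer, privileged access without an approval, and SoD conflicts."""
    findings = []
    for user, role, previous_role, held in accounts:
        current = role_profiles.get(role, set())
        previous = role_profiles.get(previous_role, set()) if previous_role else set()
        for ent in sorted(held):
            if ent not in current:
                if ent in previous:
                    findings.append((user, ent, f"retained from previous role {previous_role}"))
                else:
                    findings.append((user, ent, "not granted by current or previous role"))
            elif ent in PRIVILEGED and (user, ent) not in approvals:
                findings.append((user, ent, "privileged, no approval on record"))
        for combo in TOXIC_COMBINATIONS:
            if combo <= held:
                findings.append((user, " + ".join(sorted(combo)),
                                 "segregation-of-duties conflict"))
    return findings


if __name__ == "__main__":
    for user, ent, finding in review():
        print(f"{user:<6} {ent:<45} {finding}")
```

Distinguishing "retained from previous role" from "not granted by any role" matters for the preventive control the text names: the first points at a transfer process that grants new access without removing the old, the second at an approval path that bypassed the role profile altogether.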
Prompt Response and Remediation
Mature programs continuously shorten the time to management response. The second
line roles communicate important risks to management, enact remediation, track issues
to resolution, and create trend reports on resolutions.
Ongoing Monitoring
The second line role is expected to implement a monitoring strategy designed to
generate behavioral change. Successful behavior change can include the following
results.

Users who perform critical processes or access sensitive data are monitored at the
access level.

A systematic process to find and remediate IT vulnerabilities is in place, including
regular scanning of systems.

For external-facing systems, first and second line roles help define and agree on
service level agreements (SLAs), service organization control (SOC) reports, and
other risk assessment and oversight programs such as technical architecture
evaluations and compliance monitoring.

The second line roles conduct announced and unannounced penetration testing.

A method of ongoing monitoring and remote updating of smart devices for
malware security should be in place.