Establishing the Scope for a Cyber-security Audit Part 1 of 2

By: Mitchell H. Levine, CISA
Audit Serve, Inc.

With the level of hacking into corporate networks increasing at an alarming rate over the last few months, audit departments are confronted with the requirement to include cyber-security audits within their Audit Universe.  In the past, companies relied on penetration tests performed by independent security firms to give the corporate "higher ups" peace of mind that their companies would not be embarrassed by a media release stating that they had been hacked or, even worse, that private customer data had been disclosed.  Paying an independent firm to perform a penetration test using the approach of an external hacker is not sufficient to validate the adequacy of the cyber-security controls which need to be built within an organization.  Since most penetration tests are designed to simulate only internet-based attacks, this type of test only partially addresses the external threats from the internet and does not address internal threats, which include employees, contractors, and business partner connections.

Just by analyzing the individual components of the definition of Cybersecurity, "the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access", an auditor can relate these components to existing IT Infrastructure audits that are typically listed as standalone audits within the Audit Universe.  The most common IT Infrastructure audits whose scope relates directly to what should be included within a Cyber-security audit are Data Privacy Audits, Vulnerability and Threat Management Audits, Network Security Audits, Data Access Audits, Mid-Tier Audits, Operating System Domain/Server Audits and certain aspects of an IT Governance Audit.

Over the past two years US Federal Government and Federal/State regulatory agencies have issued frameworks for improving cyber-security controls.  In addition, these agencies have mandated control initiatives to be established within government agencies and private sector companies and have also mandated that independent third-party cyber-security audits be performed on an annual basis.

For instance, to meet the State of New York Public Service Commission Order (CASE 13-M-0178 – In the Matter of Comprehensive Review of Security for the Protection of Personally Identifiable Customer Information), water and sewer companies were required to conduct third-party cyber-security audits of their New York operations.  The New York Public Service Commission Order was very specific about what it required to be included in the scope of the audits, which included verifying that:

  • Policies and standards relating to overall data security at the network, host, database and application levels have been established.
  • Policies, standards and procedures have been established regarding the handling and protection of PII (Personally Identifiable Information) data.
  • Data Loss Prevention (DLP) measures have been deployed.
  • Effective Network Access Controls have been implemented.
  • Intrusion Prevention/Detection (IPS/IDS) systems have been deployed.
  • Privacy training has been conducted.
  • Physical and logical security controls have been established at all sites containing PII data.
  • An effective incident response program has been implemented.
  • Customer PII data has been properly separated from corporate data.


The second part of this article will discuss the Cyber-security Framework to reduce cyber risks to critical infrastructure which was issued by the National Institute of Standards and Technology February 12, 2014 based on the Executive Order 13636 which was issued February 12, 2013.  This Framework introduces many areas which should be included in the scope of a Cyber-security Audit.


Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team have conducted several cyber-security audits and related audits over the past three years for the financial, utility and government sectors.  Contact Mr. Levine if you are looking to have a cyber-security audit performed within your organization.  Audit Serve conducts these audits using an outsourced audit model or a co-sourcing model, working with audit departments in order to share our knowledge with our audit colleagues.

Copyright © 2015. All Rights Reserved.