By: Mitchell H. Levine, CISA
Audit Serve, Inc.
This is the second part of an article which discusses alternative approaches for establishing the scope of a Cyber Security Audit. When planning a Cyber Security Audit, the first question is whether the organization has established a Cyber Security Framework which defines the key controls that comprise its cyber security program. If this IT Governance initiative has not occurred, it should be escalated as an IT Governance issue, and the audit approach should then proceed with the auditor pre-defining the control areas to be included in the scope of the audit based on a Cyber Security Framework which has been established within the industry, such as NIST's: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
NIST does a good job of defining the functions within a Cyber Security Framework (Identify, Protect, Detect, Respond and Recover), which truly reflect the stages an organization needs to go through to protect itself and respond to a cyber security attack. The NIST Framework also uses a logical approach for grouping categories within these functions (e.g., the Asset Management, Risk Assessment and Governance categories within the “Identify” function).
However, the NIST-defined controls within these Categories/Functions in many cases include controls which are unrelated to identifying, preventing and responding to a cyber security attack. For instance, requiring that “a System Development Life Cycle to manage systems is implemented (PR.IP-2)”, which is listed under the NIST “Prevent” controls, does not seem to be a control which belongs in any phase of a cyber security program. When establishing the list of controls to include in the scope of the Cyber Security Audit, the auditor should perform a detailed review of all of the NIST controls and “cherry pick” the controls which truly represent controls that would identify, prevent and recover from a cyber security attack.
There are also cases where it would be unrealistic to cover certain NIST-specified controls because they would require testing across the entire organization. For example, “PR.DS-1: Data-at-rest is protected” would require a review of all of the production data across all production application systems, which is a type of audit that cannot be performed as a single audit.
One other critical item to consider when establishing the scope of the Cyber Security Audit is that some of the controls included within its scope may already have been tested in a prior audit, in which case credit can be taken for the testing already performed.
The overall end product of the Cyber Security Audit scope document is a list of NIST controls mapped to the NIST functions, which specifies, for each of the detailed audit procedures, whether it will be executed as part of the Cyber Security Audit or whether it will be linked to a past audit in which that audit procedure was previously executed.
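The scope matrix described above can be kept as a small, checkable data set rather than a spreadsheet. The following Python example is added here and is not part of the original article or of Audit Serve's methodology: it takes a constructed list of NIST CSF subcategories (the IDs PR.IP-2 and PR.DS-1 come from the article; the other IDs are real NIST CSF 1.1 subcategories, with descriptions paraphrased), assigns each one a disposition according to the three rules in the article (cherry-pick only attack-relevant controls, exclude controls that would need enterprise-wide testing, and take credit for prior audits), and groups the result by NIST function. The 365-day limit on how old a prior audit may be before credit is no longer taken is an assumption of the example, not a figure from the article.

```python
"""Cyber Security Audit scope matrix: NIST CSF controls mapped to functions,
each tagged with how the audit will cover it.  Added example, not article code."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

# The five NIST Cybersecurity Framework functions named in the article.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


class Disposition(Enum):
    TEST_NOW = "execute audit procedures in this audit"
    PRIOR_CREDIT = "link to prior audit (credit taken)"
    EXCLUDE_NOT_CYBER = "exclude: not an identify/prevent/respond/recover control"
    EXCLUDE_ENTERPRISE = "exclude: requires enterprise-wide testing"


@dataclass
class Control:
    control_id: str
    function: str
    category: str
    description: str
    cyber_relevant: bool = True        # auditor's cherry-pick decision
    enterprise_wide: bool = False      # cannot be tested in a single audit
    prior_audit: Optional[str] = None  # name of the audit that already tested it
    prior_audit_date: Optional[date] = None


def disposition(ctrl: Control, as_of: date, credit_window_days: int = 365) -> Disposition:
    """Apply the scoping rules in order; the first rule that matches decides."""
    if ctrl.function not in FUNCTIONS:
        raise ValueError(f"{ctrl.control_id}: unknown NIST function {ctrl.function!r}")
    if not ctrl.cyber_relevant:
        return Disposition.EXCLUDE_NOT_CYBER
    if ctrl.enterprise_wide:
        return Disposition.EXCLUDE_ENTERPRISE
    if ctrl.prior_audit and ctrl.prior_audit_date:
        age_days = (as_of - ctrl.prior_audit_date).days
        # Assumption: prior-audit credit is only taken for recent, non-future work.
        if 0 <= age_days <= credit_window_days:
            return Disposition.PRIOR_CREDIT
    return Disposition.TEST_NOW


def build_scope(controls: List[Control], as_of: date,
                credit_window_days: int = 365) -> Dict[str, List[dict]]:
    """Return {function: [row, ...]} with one row per control, in input order."""
    scope: Dict[str, List[dict]] = {f: [] for f in FUNCTIONS}
    for c in controls:
        d = disposition(c, as_of, credit_window_days)
        scope[c.function].append({
            "id": c.control_id,
            "category": c.category,
            "disposition": d,
            "linked_audit": c.prior_audit if d is Disposition.PRIOR_CREDIT else None,
        })
    return scope


def scope_entry(scope: Dict[str, List[dict]], control_id: str) -> dict:
    """Look up one control's row in a built scope matrix."""
    for rows in scope.values():
        for row in rows:
            if row["id"] == control_id:
                return row
    raise KeyError(control_id)


def render(scope: Dict[str, List[dict]]) -> str:
    """Plain-text scope document, grouped by NIST function."""
    lines = []
    for func in FUNCTIONS:
        lines.append(f"== {func} ==")
        for row in scope[func]:
            link = f" -> {row['linked_audit']}" if row["linked_audit"] else ""
            lines.append(f"  {row['id']:<8} {row['category']:<24} {row['disposition'].value}{link}")
    return "\n".join(lines)


# Constructed sample data: IDs are NIST CSF 1.1 subcategories, prior-audit
# names and dates are invented for the example.
SAMPLE_CONTROLS = [
    Control("ID.AM-1", "Identify", "Asset Management", "Physical devices are inventoried"),
    Control("PR.AC-1", "Protect", "Access Control", "Identities and credentials are managed",
            prior_audit="2024 Identity & Access Audit", prior_audit_date=date(2024, 1, 15)),
    Control("PR.IP-2", "Protect", "Information Protection", "An SDLC to manage systems is implemented",
            cyber_relevant=False),
    Control("PR.DS-1", "Protect", "Data Security", "Data-at-rest is protected", enterprise_wide=True),
    Control("DE.CM-1", "Detect", "Continuous Monitoring", "The network is monitored",
            prior_audit="2022 Network Audit", prior_audit_date=date(2022, 3, 1)),  # too old for credit
    Control("RS.RP-1", "Respond", "Response Planning", "Response plan is executed"),
    Control("RC.RP-1", "Recover", "Recovery Planning", "Recovery plan is executed"),
]

if __name__ == "__main__":
    print(render(build_scope(SAMPLE_CONTROLS, as_of=date(2024, 6, 30))))
```

The ordering of the rules matters: a control is first judged on whether it belongs in a cyber security program at all, then on whether it is testable in a single audit, and only then on whether prior work can be credited, so a stale prior audit (DE.CM-1 above) falls through to being tested now rather than silently carrying old credit.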
Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team have conducted several Cyber Security Audits and related audits over the past three years for the financial, utility and government sectors. Contact Mr. Levine at Levinemh@auditserve.com if you are looking to have a Cyber Security Audit performed within your organization. Audit Serve conducts these audits using an outsourced audit model or a co-sourcing model, working with audit departments in order to share our knowledge with our audit colleagues.