Posted in Articles on Friday, February 15, 2019
by Richard Vester - Group Executive for EOH Cloud Division
Cyber security audits play a critical role in helping organisations manage cyber threats on an ongoing basis, both by providing an independent assessment of existing and needed controls, and by helping the audit committee and board understand and address the diverse risks of the digital world.
How an organisation conducts an audit will depend on the company, its resources and, in some instances, its size. Larger organisations may have the internal resources and IT expertise to perform internal audits, while organisations whose budgets cannot afford the internal personnel look to specialist service providers for assistance.
In every business, the business units and IT integrate cyber risk management into day-to-day decision making and operations, forming an organisation’s first line of defence. The second line consists of information and technology risk management leaders who establish governance and oversight, monitor security operations, and take action as needed.
Increasingly, as more companies move to the cloud, they are recognising the need for a third line of cyber defence – an independent review of security measures and performance of their cloud service provider. As a result, many cloud providers are investing in their own internal audits in order to assess and identify opportunities to strengthen their security posture.
The purpose of a cyber security audit is to act as a ‘checklist’ that validates that what a company has said in a policy is actually happening, and that there is a control mechanism in place to enforce it. While a cyber security audit is used to verify the presence of controls, auditors rarely test the effectiveness of those controls, and the fact that a control exists does not necessarily mean that it is effective in mitigating cyber risk. It is for this reason that cyber security assessments are often conducted in addition to audits.
For an audit to be successful, a number of factors must be taken into consideration. It is critical to involve audit professionals with the appropriate depth of technical skills and knowledge of the current risk environment. The full cyber security framework must be evaluated, rather than a selection of cherry-picked items. This evaluation involves understanding the current state against the framework’s characteristics, where the organisation is going, and the minimum expected cyber security practices.
The initial assessment should inform further, more in-depth reviews. It is not intended to be an exhaustive analysis requiring extensive testing. Rather, the initial assessment should drive additional risk-based cyber security deep dive reviews, and will form the foundation of the audit.
With cyber security becoming increasingly important to companies in every sector and industry – whether they run an on-premises environment, operate in the cloud, or use a hybrid of the two – security audits are becoming an essential component of the overall security posture. These audits are especially useful for companies evaluating cloud providers, providing a guarantee and a framework for effective security.