We live in a world full of risk, and nowhere is risk more prevalent than in technology.
The Center for Internet Security (CIS) has recommended 20 critical security controls to respond to threats and vulnerabilities associated with the internet. The premise is that proper implementation of these controls will mitigate the risks of damage, unauthorized alteration or theft of information and technology assets. However, when it comes to risk mitigation, how much is enough? How much reduction of risk is required? In other words, what is the risk appetite of the enterprise?
This varies from company to company depending on multiple factors, such as the industry in which it operates, the type of service or product provided, the current economic climate and the company's financial position. Risk appetite also depends on the overall risk landscape. As evidenced by a continual wave of news reports, the cyber arena is full of threats designed to steal, destroy, alter or simply gain unauthorized access to information assets.
In this digital world, it stands to reason that management is increasingly cognizant of cyber threats that endanger its assets. Managing these risks could benefit immensely from a cybersecurity audit. While the CIS Controls Audit/Assurance Program is not designed to provide assurance beyond the security program of an enterprise, the controls are presented in a prioritized fashion to assist the enterprise in leveraging its potentially limited resources to protect key assets and realize the most benefit.
The purpose of an audit is to assess the efficiency and effectiveness of current controls and provide a level of assurance that assets are adequately protected and accessible to authorized users when needed.
To ensure proper safeguards are in place, management should not rely solely on the CIS Controls IS Audit/Assurance Program. Audits of other pertinent operational processes should take place. A holistic approach is necessary and requires a strategic partnership between the board of directors, senior management, IT and functional business units, and audit. While the board of directors provides guidance and direction, management is responsible for executing based on those directives. This holistic approach can result in the creation and implementation of policies and processes that are designed for business value, as well as the security of all company assets.