In celebration of Cyber Security Awareness Month this October I would like to share some practical tips on auditing cyber security.
Tip #1: Clarification on Cyber Security Domain
Audit should bring clarity to the situation being audited. For this to happen, one should have a strong foundation in the terms used when auditing cyber security. Google the definition of cyber security and look at the results. Did you find that the top results come from authoritative sources on what cyber security is and what it is not?
So I propose you start by reading ISO 27032 (you can find a cheaper version by looking at national sales of the standard; for example, for the Lithuanian one, write to the staff here).
Relevant definitions from ISO 27032:
4.20 Cybersecurity (a.k.a. Cyberspace security) - preservation of confidentiality, integrity and availability of information in the Cyberspace
NOTE 1 In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
NOTE 2 Adapted from the definition for information security in ISO/IEC 27000:2009.
4.21 the Cyberspace - complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form.
Additionally, the same standard provides an understanding of the relationship between cyber security and other security domains (figure 1 below):
The figure below explains security concepts and relationships:
The ISO 27032 standard provides explanations of other sources and interrelationships of the terms. By starting with this standard and accepting the terms used there, or modifying to your own use, you will have a strong foundation for defining the scope of a cyber security audit.
As a side effect, it might turn out that cyber security is too narrow a scope for you, and that you should include the full network security domain (not only Internet-related threats, but also local inside threats). In reality, businesses do not care how they were hacked (cyberspace or local network); they care about the impact.
Tip #2: The Auditing Process and Cybersecurity
ISACA has published a very good and short visual guiding document on audit program structure - Information Systems Auditing: Tools and Techniques—Creating Audit Programs. I especially like figure 2:
This figure helps to structure where cyber security comes into the picture. For example, cyber security will probably not be an audit subject (first step), but could be reflected in the second or third stage; this, however, is a topic for another post.
Tip #3: CIS’s Critical Security Controls
When auditing cyber security, it is relevant to use frameworks that are designed specifically for the cyber security domain (for example, ISO 27001/2 are designed for generic information security, so they set no boundaries for cyber security). The most respected and practical one, in my opinion, is the Center for Internet Security’s Critical Security Controls (CIS CSC).
The value comes from the principles of the methodology:
- Offense informs defense
- Continuous diagnostics and mitigation
Other methodologies, skills and tools align to the CIS CSC methodology, assisting in validating your own thinking and designs on cyber security auditing.
Tip #4: Auditing Cyber Security Skills
The success of cyber security relies on policy, the skills of staff and technology. Due to the threat model of cyber security, there is more of an emphasis on the skills of people. Thus it becomes relevant to audit skills and competences in cyber security.
Below is the figure from a presentation on skills auditing at EuroCACS 2016:
A skills audit offers the following value to:
- HR: Re-organization preparation. What skillsets do we need to plan for? What skillsets should we hire?
- CISO office: Information security should be handled better. What skills are missing?
- Personal career planning: What should I focus on for my cyber security career?
Performing a skills audit can start with a simple question (What skills are we missing to reach the goals?) or an inventory of skills via self-questionnaires or professional tests.
The outcome of a skills audit can be represented as a list of current competences versus what is needed, and could include required levels of skills, or even a detailed professional skills assessment, depending on available resources and size of the audit.
This short post tries to bring some practical and actionable tips on how to make sense of, plan and run cyber security audits, which, due to the big cyber security hype, require some thinking and good grounding points for knowledge. For more information, please attend my ISACA webinar titled Tips for Auditing Cyber Security, which I will present live on Tuesday, 18 October, from 11AM (CDT) to 12 noon.
Editor’s note: ISACA is a 2016 Champion sponsor organization of the National Cyber Security Alliance’s (NCSA) National Cyber Security Awareness Month. NCSA builds strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cyber security. The ISACA Now blog will celebrate National Cyber Security Awareness Month throughout October.