Internal auditors need to provide assurance over eight categories of resiliency.
Organizations continue to implement cybersecurity defenses to prevent an attack from occurring. Cyber resiliency shifts the paradigm away from defense and toward withstanding a hack and returning to business operations. To achieve these goals, IT functions must identify the aspects of cybersecurity that focus on resiliency, and internal auditors must determine the areas in which they can provide assurance and consulting value.
U.S. Presidential Policy Directive 21 (Homeland Security) defines cyber resiliency as "the ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents." The assumption of cyber resiliency is that an organization will be attacked and a breach will occur, so organizations need to focus on how to detect and recover from incidents.
A 2013 publication from The MITRE Corp. notes that there are about 860 controls and enhancements in the U.S. National Institute of Standards and Technology's (NIST's) Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. The MITRE publication, Cyber Resiliency and NIST Special Publication 800-53 Rev.4 Controls, points out that most of the controls are focused on achieving the security goals of confidentiality, integrity, and availability. Depending on how they are categorized, approximately 17 percent of the controls focus on cyber resiliency, according to the MITRE publication.
Cyber resiliency controls can be grouped into several categories, such as governance, user permission strategy, segmentation, active response, data integrity assurance, monitoring, recovery solutions, and coordinated defense.
Cyber resiliency should permeate the governance process through the organization's enterprise risk management (ERM) process, overall security strategy, organizational policies and procedures, communication and awareness strategies, and use of standard frameworks and maturity level assessments. Indeed, cyber resiliency is one part of a far broader picture of cybersecurity within these categories. A cyber resiliency emphasis should include policies and procedures surrounding data and system classifications. The organization's security strategy should focus on critical data and systems to ensure they are the least affected by an intruder and become the most resilient areas. When a hack occurs, the organization should be decisive with its communications strategy and ensure that its employees are aware of the latest cyber threats. Additionally, the current cyber resiliency maturity level should be evaluated against a cyber resiliency framework.
User Access Permissions
User access should follow the principle of least privilege to ensure access is granted based on the minimum access needed to perform one's job function. This principle is the primary focus of resiliency within the four tiers of information security: authentication, authorization, access, and monitoring. For higher privilege users, organizations should implement enhanced authentication mechanisms such as two-factor authentication. Authorization for these users may require more than one approval level. Monitoring should be directed primarily toward active review and evaluation of employees with higher privileges. The extent of access can be changed if the threat level changes.
Cyber resiliency primarily focuses on a segmented architecture approach for the network, using a defense-in-depth strategy. This approach should include isolation of critical data and systems as denoted by the organization's data and system policies and procedures. A multilayered network approach should encompass both logical and physical networks and incorporate limited trust relationships. Key internal network segments and external network connections should include a set of boundary protections, such as firewalls, that use policies and procedures to restrict access to each segment. Other key assumptions include prohibiting direct connections to the internet and allowing incoming communications only from trusted sources.
Resiliency through active response can ensure timely follow-up and resolution of detected alerts. Although this should include timely manual response, the emphasis is on automated responses. Firewalls and other network appliances should adapt to deny access to certain portions of the network and limit access based on the current threat level. Intrusion detection and response processes should be in active mode, and potentially shut down portions of the network or internet access for the entire organization in the event of an incident. A downside of active automated responses is that unintended consequences can occur that may interrupt key business processes. Therefore, a combination of some network appliances placed in limited active mode and timely manual active response may be a better alternative than allowing fully automated responses.
Data Integrity Assurance
Cyber resiliency can limit the impact of an incident on a system or data corruption. Organizations can use a combination of physical and logical restrictions to ensure data integrity is maintained, including:
- Limiting the flow of data between network boundaries or segments based on the threat level.
- Manually disabling write access on devices, or installing operating system and other executables on read-only disks.
- Implementing a secure system development life cycle.
- Performing supplier and vendor due diligence to ensure hardware and software is acquired from reputable sources.
- Establishing white lists to ensure data is received only from trusted sources, or ensuring that malware cannot be injected into the organization's web pages.
- Ensuring tainted data can be recovered in a timely manner.
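As an added example (not part of the article), the following Python sketch models the limited-active-mode compromise described under active response together with the threat-level-based flow restriction in the list above: a segment-to-segment flow is cut automatically only when its business impact is low; otherwise it is escalated for a timely manual decision. Segment names, impact scores, and thresholds are constructed assumptions.

```python
"""Threat-level-driven segment access policy (added example, not from the article).
Automated responses act only where business impact is low; higher-impact
restrictions are escalated for a timely manual decision. All names, impact
scores and thresholds are constructed assumptions.
"""
from dataclasses import dataclass

THREAT_LEVELS = {"low": 0, "elevated": 1, "high": 2, "severe": 3}

@dataclass(frozen=True)
class Flow:
    src: str                  # source segment
    dst: str                  # destination segment
    block_at: str             # threat level at or above which this flow is cut
    business_impact: int      # 1 (negligible) .. 5 (stops a key business process)

# Constructed segment map; "critical" holds the data and systems the
# organization's classification policy marks as critical.
FLOWS = [
    Flow("internet", "dmz", "severe", 4),
    Flow("dmz", "corporate", "high", 3),
    Flow("corporate", "critical", "elevated", 5),
    Flow("guest", "corporate", "elevated", 1),
    Flow("corporate", "internet", "severe", 5),
]

# Appliances in "limited active mode" may only act on flows below this impact.
AUTO_IMPACT_LIMIT = 3

def evaluate(threat, flows=FLOWS, auto_limit=AUTO_IMPACT_LIMIT):
    """Split flows into (auto_blocked, manual_review, allowed) for a threat level.

    A flow whose block threshold is reached is denied automatically only when
    its business impact is below auto_limit; otherwise it is escalated so a
    person can weigh the disruption before the boundary is closed.
    """
    level = THREAT_LEVELS[threat]
    auto_blocked, manual_review, allowed = [], [], []
    for f in flows:
        if level < THREAT_LEVELS[f.block_at]:
            allowed.append((f.src, f.dst))
        elif f.business_impact < auto_limit:
            auto_blocked.append((f.src, f.dst))
        else:
            manual_review.append((f.src, f.dst))
    return auto_blocked, manual_review, allowed
```

Raising the threat level moves flows from the allowed list toward the automated or manual lists, and only the low-impact guest flow is ever closed without a person in the loop.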
To be cyber resilient, monitoring should be engaged at a higher level of activity overall so that the standard response processes become the minimum acceptable level. Tracking, logging, and alerting should occur timely and promote an active response. Vulnerability and penetration tests should be performed on a scheduled and unscheduled basis. Incident response plans should be continuously updated and user awareness training should be conducted based on current threats.
Resiliency recovery is based on the standard recovery processes of backup, disaster recovery, and continuity planning. However, the level of overall engagement and response may be more active or diversified. Backup resiliency aspects include storing data on-site and off-site in secure locations that can facilitate faster recovery, as well as using redundant systems, locations, power, and environmental systems. Disaster recovery and business continuity should include more diversified locations for planning, with additional testing and plans updated more frequently based on current cyber threats.
Coordinated defense is the most important category for cyber resiliency. A coordinated defense should include aspects of all the previous categories combined into a comprehensive architecture and strategy. Additionally, this should include purchasing appropriate cyber insurance and hiring external specialists to ensure sufficient competent resources are available in the event of a breach. Cyber insurance can provide both financial coverage and additional specialists, if contained within the policy. Therefore, the overall coordination should ensure there is no duplication between the specialists the organization hires and those provided for under the insurance policy.
Overall, coordination is necessary to manage all the moving parts during a cyber crisis, including forensic investigation, public relations, and breach notifications. Integral to this coordinated defense is having a crisis management plan. Moreover, the organization will need to perform many activities that require both technical and nontechnical resources. Using external specialists to supplement existing resources within a coordinated, unified approach can greatly enhance the organization's overall cyber response.
Go Forth and Audit Resiliency
While it may take some level of IT competency, there are many assessing and consulting aspects of cyber resiliency that internal auditors with just a basic understanding of IT general controls can perform. For more IT-intensive resiliency aspects, the internal audit department could either have staffing that includes auditors with a higher level of IT competency or outsource certain reviews that require such skills. The CAE could evaluate the current staff's skills and then create formal plans to enhance its IT competency. Several IIA training courses are available that provide basic IT and cybersecurity training. The focus should be to provide all staff members with a degree of IT skills to enable them to assess cyber resiliency in all audits.
Once internal audit understands what cyber resiliency is and has trained its staff in fundamental IT general controls, it should develop an assessment and consulting plan. This plan could include incorporating cyber resiliency assessments into areas that the internal audit team currently reviews (see "Cyber Resiliency Activities" below). Equipped with the IT competency skills and plan, internal audit can be at the forefront of assessing and consulting on its organization's cyber resiliency strategies.
Cyber Resiliency Activities
Internal auditors can perform assessment and consulting activities for each category of cyber resilience.
- Ensure that the chief audit executive and chief information officer jointly communicate the need for resiliency to executive management and the audit committee.
- Review cyber resiliency using a recognized framework. This could include working with the organization's security function to evaluate resiliency controls.
- Review user awareness and training programs, and those metrics management uses to measure whether current training levels are successful.
- Review alignment of policies and procedures that denote which systems and data are critical to the current security architecture and strategies.
- Review privileged access capability by confirming which users have domain admin capability and ensuring their activity is monitored.
- Perform access management audits on various systems on a rotational basis.
- Review user account activation and deactivation processes, ensuring correct access is assigned for new users and terminated users' accounts are disabled in a timely manner. Also determine whether appropriate authorization for access occurs and minimal access is assigned.
- Work with the IT staff to evaluate each system's roles to validate that they meet the least privilege principle.
- Assist in training application owners to ensure users' access is reviewed periodically.
- Assess the strategy used to place network appliances in active response mode and evaluate whether business impacts are incorporated into the strategy.
- Review testing of incident response plans and ensure plans are updated as threat levels change.
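The privileged-access, access-management, and account-deactivation reviews listed above can be partly automated over HR and directory extracts. The following Python check is an added example, not from the article or The IIA; all records, role baselines, and the grace period are constructed assumptions.

```python
"""Access-review audit tests (added example, not from the article).
Three of the article's user-access assurance checks run over constructed HR
and directory extracts: terminated users still enabled past a grace period,
domain admins whose activity is outside monitoring scope, and users holding
groups beyond their role's least-privilege baseline. All records, baselines
and thresholds are constructed assumptions.
"""
from datetime import date

GRACE_DAYS = 2  # assumed policy: disable accounts within 2 days of termination
ROLE_BASELINE = {  # assumed minimum group set for each job role
    "accounts_payable": {"ap_users", "erp_read"},
    "helpdesk": {"helpdesk", "password_reset"},
    "sysadmin": {"domain admins", "server_ops"},
}
HR = [  # constructed HR extract: (user, role, termination date or None)
    ("alice", "accounts_payable", None),
    ("bob", "helpdesk", date(2024, 3, 1)),
    ("carol", "sysadmin", None),
    ("dave", "accounts_payable", date(2024, 3, 10)),
    ("erin", "sysadmin", None),
]
DIRECTORY = {  # constructed directory extract: user -> (enabled, groups)
    "alice": (True, {"ap_users", "erp_read", "erp_admin"}),
    "bob": (True, {"helpdesk", "password_reset"}),
    "carol": (True, {"domain admins", "server_ops"}),
    "dave": (False, {"ap_users"}),
    "erin": (True, {"domain admins", "server_ops"}),
}
MONITORED_PRIVILEGED = {"carol"}  # admins whose activity the SOC actively reviews

def audit_access(hr=HR, directory=DIRECTORY, monitored=MONITORED_PRIVILEGED,
                 today=date(2024, 3, 12), grace_days=GRACE_DAYS):
    """Return sorted (check, user, detail) findings for the auditor's workpaper."""
    findings = []
    for user, role, term_date in hr:
        enabled, groups = directory[user]
        # 1. terminated users must be disabled within the grace period
        if term_date and enabled and (today - term_date).days > grace_days:
            findings.append(("stale_terminated_account", user,
                             f"enabled {(today - term_date).days} days after termination"))
        # 2. least privilege: any group beyond the role baseline is a finding
        excess = groups - ROLE_BASELINE[role]
        if excess:
            findings.append(("excess_privilege", user, ",".join(sorted(excess))))
        # 3. privileged users must be inside the activity-monitoring scope
        if "domain admins" in groups and user not in monitored:
            findings.append(("unmonitored_domain_admin", user, "not in SOC review scope"))
    return sorted(findings)
```

On real extracts the same three loops run unchanged; only the baselines and the monitoring scope need to come from the organization's own policy and SOC configuration.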
Data Integrity Assurance
- Participate in system and development projects to ensure security is discussed during the entire process.
- Evaluate vendor and supplier management processes to ensure the organization is contracting with reputable vendors.
- Review how data flows between physical and logical networks or network segments, and ensure confidential data is not moving into less secure areas.
- Work with the security function to develop or assess metrics showing that alert messages are communicated and resolved in a timely manner.
- Employ a third-party expert to perform a penetration test — with only minimal IT participation — to validate the adequacy of IT detection and mitigation strategies.
- Ensure vulnerability scans are performed periodically and results are remediated in a timely manner.
- Test the effectiveness of threat-awareness programs.
- Conduct a walk-through of the off-site storage facility to ensure adequate security procedures are in place.
- Test whether regular backups of all systems occur.
- Participate in the IT department's regular recovery testing procedures by randomly selecting backup tapes from off-site storage and observing recovery procedures.
- Review redundancy of power and cabling.
- Participate in disaster recovery and continuity exercises.
- Review the adequacy of the network segmentation strategy to protect critical data and systems. Additionally, review whether network boundaries that segment critical data and systems are protected with a network appliance (i.e., firewall).
- Review cybersecurity policies and procedures, and suggest enhancements.
- Review cyber insurance coverage and requirements, and ensure there is no duplication of services between cyber insurance-provided expertise and contracted specialists.