GTAG: Auditing Insider Threat Programs

Er zijn aanvullende richtlijnen verschenen in de vorm van een Global Technology Audit Guide. Deze GTAG gaat over het auditen van ‘Insider Threats’ ofwel het risico dat eigen medewerkers bewust of onbewust informatiesystemen of data beschadigen.

In het huidige digitale tijdperk wordt de bescherming daarvan steeds belangrijker, zowel tegen externe als interne bedreigingen. De Global Technology Audit Guide: Auditing Insider Threat Programs is zodoende een zinvolle aanvulling op de vele publicaties op het gebied van cybersecurity.

De GTAG gaat uitgebreid in op de aard van de interne bedreigingen alsmede op de rol die internal audit daarbij kan en moet spelen, zowel in audits als in mogelijke adviesdiensten.

De guide geeft:
• Een overview van de risico’s en hun impact;
• Handvatten voor het opzetten van een audit, inclusief voorbeelden van te gebruiken control-frameworks;
• Tips om de resultaten te rapporteren.

Global Technology Audit Guide: Auditing Insider Threat Programs

Whether malicious or unintentional, insider threats often fail to receive the attention they deserve, considering the significance of the risks to which they expose the organization. The key risks associated with insider threats include sabotage, theft of organizational data, espionage, fraud, and criminal acts. Additionally, research trends indicate that the insider threat landscape is growing as organizations become more dependent on information systems (IS), automated processes, web-based applications, digitally transmitted data, and cloud-based data storage.

Organizations are realizing that investments in technology are only part of the solution; it is equally important to assess whether their governance and management controls (e.g., IS policies, training, and awareness campaigns) are capable of addressing insider threats.

Internal auditors are well positioned to help senior management and the board recognize the importance of implementing or strengthening an insider threat program and to help organizations improve their governance, risk management, and control processes related to insider threats.

This GTAG helps internal auditors understand insider threats and related risks by providing an overview of common dangers, key risks, and potential impacts. Additionally, the guide defines key terms in the insider threat universe, and presents security frameworks, techniques, considerations, and resources that can help during the planning and execution of audit engagements.

By becoming aware of insider threats and the associated risks and by learning about insider threat programs, internal auditors have a tremendous opportunity to add value by helping their organizations strengthen governance, risk management, and control processes.