Creating a Cloud Risk Framework with Internal Audit Support

As organizations increasingly migrate to cloud computing, they could be putting their data at significant risk. Positioning the internal audit (IA) function at the forefront of cloud implementation and engaging IA to create a cloud risk framework tool can give organizations a view on the pervasive, evolving and interconnected nature of the risks associated with cloud computing. Engaging IA in discussions with the business and IT units early on is also critical to addressing potential risks.

Not Every Cloud Has a Silver Lining

“Cloud computing is changing the technology landscape, and the changes are only likely to intensify,” says Khalid Wasti, a director at Deloitte & Touche LLP. “For many organizations, the question is not whether the cloud should be part of their technology strategy, but when and how.” Under pressure to provide solutions, organizations may be tempted to leverage cloud services quickly, without weighing the associated risks, such as:


Data breaches—Particularly in multi-tenant cloud service databases. A flaw in one client’s application could give an attacker entrance to other clients’ data as well. Breaches could expose email databases, putting email accounts of thousands of end customers at risk of increased spam and phishing scams. Worse yet, data breaches could also reveal customers’ passwords, and even personal and financial information, to hackers.

Data loss—Malicious hackers, natural disasters or lapses in provider services could result in a loss of customer data. For example, bugs in web-based email services could lead to the disappearance of users’ messages, folders, inboxes or entire email accounts. Data loss could be particularly detrimental to organizations that are required to store information in compliance with industry regulations, such as healthcare organizations that must comply with the Health Insurance Portability and Accountability Act.

Downed reservations systems and websites—Whether due to denial of service attacks, severe storms or technical glitches, outages could result in thousands of inconvenienced customers (for example, airline travelers) and the disruption of traffic (and commerce) at client websites.

When a company opts for the speed and convenience of moving to the cloud, it also may relinquish control not only of its own data, but that of its customers.

Internal Audit and the Cloud Risk Framework

“Cloud computing presents a new frontier for many organizations, and IA can help provide the context and risk framework an organization should consider when moving to the cloud,” says Michael Juergens, principal, Deloitte & Touche LLP. “For internal auditors, meeting the challenges of cloud computing may mean stretching beyond their traditional audit roles, adding greater value as they assist the organization in building the required control environment,” he adds.

As an initial step, an organization should work with IA to create a cloud risk framework tool. “The tool can help the organization get to the heart of risks by providing a view on the pervasive, evolving and interconnected nature of risks associated with cloud computing,” adds Mr. Wasti. These include governance, risk management and compliance; delivery strategy and architecture; infrastructure security; identity and access management; data management; business resiliency and availability; and IT operations. Such a tool can also improve efficiency in compliance and risk management efforts and be used to develop risk event scenarios that require integrated responses.

To be more effective, the framework tool should be customized to include regulatory, geographic, industry and other specific issues that impact the organization. As IA modifies its organizational risk framework and guides the risk conversation with IT and the business, the following issues pertaining to infrastructure security, identity and access management and data management should be taken into account:

Infrastructure Security—Companies should verify that cloud providers have acceptable procedures in areas such as key generation, exchange, storage and safeguarding, as flawed security could result in the exposure of infrastructure or data.

Identity and Access Management—Organizations should consider how their authorization and access models will integrate with new cloud services and assess whether they are using appropriate identity and authorization schemes.

Data Management—Because organizations may have to relinquish control over their data to cloud providers, it is crucial that they fully understand how data will be handled in the cloud environment.

Moving Forward

Implementing a cloud strategy changes the risk landscape in profound ways. As some risks are minimized, others spring up in their place. “Recognizing and responding to this shifting organizational risk profile is IA’s purview,” says Charlie Willis, a senior manager at Deloitte & Touche LLP. “Because internal auditors understand the interplay between business processes and risk, they can help business leaders to articulate their appetite for risk and help develop strategies for mitigating it,” he adds. As the organization adopts technology initiatives that involve cloud computing, IA should consider taking proactive steps, including the following:

Engage stakeholders—Encourage IT and business executives to have an informed conversation about the move to the cloud. Help stakeholders understand the potential for rogue IT environments. Explore which applications and data are candidates for transfer to a cloud environment and be prepared to discuss the risk implications of the move.

Review the organizational risk framework—Revise the company’s risk framework, minimizing risks that are no longer a concern. This framework tool should measure the organization’s cloud capability state across the different cloud risk domains.

Evaluate potential cloud vendors—IT will be most familiar with the range of vendors, and the business leaders will be able to articulate the objectives of a move to the cloud. “IA should also be engaged in risk discussions,” notes Mr. Willis, “along with the organization’s security, risk and compliance groups, and help the organization develop an assessment profile for vendors.”



As Cyberthreats Mount, Internal Audit Can Help Play Defense

Bolstered by technology expansion, a surge in data growth, evolving business models and motivated attackers, the threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could cost businesses more than $2 trillion by 2019, nearly four times the estimated 2015 expense.* In response to the increasing threat, many audit committees and boards have set an expectation for internal audit to perform an independent and objective assessment of the organization’s capabilities for managing the associated risks. A first step in meeting this expectation is for internal audit to conduct a cyber risk assessment and distill the findings into a concise report for the audit committee and board, which can provide the basis for a risk-based, multiyear internal audit plan to help manage cyber risks.

“The forces driving business growth and efficiency are also opening pathways to cyber assaults,” says Michael Juergens, an Advisory managing principal at Deloitte & Touche LLP. “Internet, cloud, mobile and social technologies—now mainstream—are platforms inherently oriented for sharing. At the same time, outsourcing, contracting and remote workforces are shifting operational control,” he adds.

Many organizations are addressing cyberthreats with multiple lines of defense. For example, business units and the information technology (IT) function at many organizations integrate cyber risk management into day-to-day decision-making and operations, which comprises an organization’s first line of defense. Making up a second line of defense are information and technology risk management leaders who develop governance and oversight protocols, monitor security operations and take action as needed, often under the direction of the chief information security officer (CISO).

“Increasingly, many companies are recognizing the compelling need for a third line of cyber defense—independent review of security measures and performance by the internal audit function,” says Sandy Pundmann, an Advisory managing partner at Deloitte & Touche LLP. “Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. Advising stakeholders on trends and leading practices in cyber and other areas is a growing expectation for internal audit leaders,” she adds.

At the same time, internal audit has a duty to inform the audit committee and board that the controls for which they are responsible are in place and functioning correctly—a growing concern across boardrooms as directors face potential legal and financial liabilities. Since many organizations have cyber readiness initiatives still in flight, some internal audit departments have elected to defer audit procedures until these projects are completed. While this may allow for a deeper level review, deferring cyber assurance procedures may not be the right answer.

Cyber Risk Assessment Framework

Many internal audit functions have developed and tested procedures for evaluating components of the organization’s preparedness for cyberthreats. These targeted audits, such as attack and penetration procedures, are valuable, but do not provide assurance across the spectrum of cyber risks. To provide a comprehensive view of an organization’s ability to be secure, vigilant and resilient in the face of cyber risks, internal audit should consider taking a broad programmatic approach to cyber assurance and not perform only targeted audits, which could provide a false sense of security.


In assessing cyber readiness, internal audit can benefit from understanding the capabilities across a number of domains, how they are addressed today and gaps that may exist within the organization. Several factors are noteworthy as internal audit professionals conduct a cyber readiness assessment:

—It is vital to involve people with the necessary experience and skills. Internal audit has the know-how to conduct assessments. However, understanding whether the IT department or the CISO is doing an effective job of threat modeling can require subject matter specialists who ask effective questions to help evaluate the strength of modeling exercises. A technology-oriented audit professional versed in the cyber world can be an indispensable resource.

—It is important to evaluate the full cyber readiness framework, rather than cherry pick items. This evaluation involves understanding multiple plan components, including the current state of readiness against framework characteristics, where the organization is moving with respect to improving its cyber preparedness plan, and the minimum expected practices across the industry or business sector.

—The initial assessment should be a broad evaluation. The first assessment is not intended to be an exhaustive analysis requiring extensive testing. Instead, it should drive additional risk-based, deep-dive reviews of the organization’s preparedness against cyberattack.

Maturity Analysis

Some organizations may prefer to use a maturity analysis approach, rather than a risk assessment strategy. “A maturity analysis can provide additional value to management and boards by providing a quick visual reference that provides clear cues about areas they may want to explore further,” says Mr. Juergens.

The five maturity stages—initial, managed, defined, predictable and optimized—reflect the progress the organization has made in maintaining security capabilities to help mitigate cyberthreats and achieve its desired maturity level. In a visual representation of these stages, dotted lines indicate the level of maturity an organization is targeting, potentially identified in a remediation roadmap.

“In practice, the board would agree on the desired maturity level upon completion of the remediation work, at which point internal audit would test once again and come back to the board to confirm the targeted level has been achieved,” notes Ms. Pundmann.

In addition, a separate assessment scorecard would support the maturity evaluation, highlighting in detail the cyber risks surrounding people, process and technology. For the analysis to be effective, findings should be documented and recommendations made for closing identified gaps.

In some cases, a cyber risk assessment can also be structured to generate a list of gaps and provide the organization with a roadmap for short- and long-term remediation activities.

Building the Foundation for Ongoing Assessment

The cyber-risk assessment underpins both the maturity analysis provided to the audit committee and board, and the development of a risk-based, multiyear internal audit plan for cybersecurity. The multiyear plan can be developed through the results of the assessment, with some audits occurring at a higher frequency than others based upon urgency and consideration of other testing and assessment activities underway in the organization.

It is important to remember that the internal audit approach to cyber assurance is not set in stone. Adjustments can be made based on the emergence of new risks, changes in the relative intensity and importance of existing threats, and other organizational developments.

“Internal audit has a critical role in helping organizations in the ongoing battle of managing cyberthreats, both by providing an independent assessment of existing and needed controls, and by helping the audit committee and board address the diverse risks of a technology-driven world,” says Mr. Juergens.
