Crossing the Security Chasm – Beyond IT Control Assessments

As it has been well publicized in the media, there have been increased instances of security breaches and hacking activities at large retailers including Target, Neiman Marcus, Sony and many others.

What are you doing to manage cyber-security risks in the role of internal audit?  As businesses are increasingly dependent on emerging technologies, borderless infrastructures and use of third parties, they must assume there will be a high risk of breach instances occurring. Unfortunately it’s not a question of if, but when. Here’s a must-read summary to help you manage cyber-security risks beyond IT Control.

What’s at risk?

• Intellectual property (R&D, product design, emerging tech; military)
• Personally identifiable info (PIN – payment cards; health records – PHI)
• Reputation and revenue
• Civil and potential criminal liabilities

What’s the cost?

The economic impact can be staggering. The cost metrics cited in McAfee 2013 study “Economic Impact of Cybercrime and Cyber Espionage” and Ponemon Institute’s 2013 U.S. Cost of Data Breach a follows:

• estimated annual business losses $150B
• average cost of data breach in excess of $5M
• estimated $3M in lost business per incident

What is the response of regulators and how will it impact you?

• Expected increase in regulatory compliance and enforcement
• Expected increase of Board, Audit Committee and exec management responsibility and accountability (e.g., “Are we doing everything we can?”)
• Future legislation may reference and monitor adoption of frameworks to manage cyber-security risks i.e. NIST Cyber-security Framework (Executive Order 13636)

What are the regulators saying?

• SEC guidance instructs, but does not yet mandate, companies to disclose material breaches and risks; regulators now routinely review annual report disclosures; most disclosures “boilerplate” language thus far for fear of potential litigation if reveal intrusions
• SEC Commissioner called for the agency to establish a cyber-security task force in a March roundtable; market disruptions and investor harm are top of mind
• Future legislation may reference and monitor adoption of frameworks to manage risks (e.g., NIST Cyber-security Framework)
• AICPA Center for Audit Quality released an alert to audit firms outlining duties with respect to cyber-security – understand the use of IT on financial statements, including IT general controls, reliability of data and reports, and focus on access and system changes affecting internal control over financial reporting
• Changes in Federal Acquisition Regulations (FAR) applicable for businesses with government contracts

How are companies addressing cyber-security threats?

There are multiple considerations and investments in people, process and technology.

• Increased training and awareness of risks, including the ‘known’ and ‘unknown’
  • Required training, mandated through ‘tone from the top’, for new employees during on-boarding and routinely for existing employees
  • Firewall logs monitoring
  • Malware monitoring
  • More collaboration across functions (Operations, IT, Finance, IA) to avoid silos
  • Human factor – cell phones/mobile devices management
  • Awareness of phishing schemes, emails, phone calls (pretending to be internal IT help desk to obtain credentials) – this is happening!
  • Lock down of administrative rights
  • Network segmentation
  • Brainstorm the ‘unknown’ risks
• Formalize security strategy and program
• Develop or refresh security standards/policies – align with applicable frameworks (NIST, ISO, COBIT 5)
• Data classification and data management initiatives
• Identify and address control gaps to mitigate and manage risks
• Expect increase in IT budgets
• Implement breach instance management protocols with formalized response team (similar to Disaster Recovery)
• Increase focus on third party relationship management
• Cyber insurance coverage

What is Internal Audit’s role?

Internal Audit should be a strategic partner in cyber-security risk management. There is a need to go beyond SOX, PCI and/or other compliance activities performed in the past.

• Collaborate with and advise the business and IT on risk assessment/management and monitoring activities
• Refer to aforementioned items for how companies are addressing risks
• Educate management and staff on regulatory changes
• Include coverage in IA plans – communicate risk and understand ‘line of defense’ role
  • Monitor and communicate non-compliance to security team in timely manner
  • Vulnerability assessments – through an outsourced provider if need be for second opinion
  • Third-party assessments and monitoring – through an outsourced provider if need be for second opinion
  • Budget constraints continue to be a challenge

What are some ongoing initiatives to consider?

Security monitoring and improvement initiatives:

• Red Flag Policy
• Defined software and hardware update policies
• Internal staff and external traffic monitoring
• Network, OS Vulnerability scanning (goal of early detection through scanning tools)
• Firewall, IDS/IPS log review
• Independent testing – regular intervals and impromptu
• Partner with IT – create a common security vision

This summary of information was compiled by David Roe, Director of Risk Service. For more information, you may contact him at droe@bridgepointconsulting.com.

Bridgepoint Consulting has a multi-discipline team with broad industry and regulatory expertise in all facets of risk management, internal audit, SOX compliance and IT security.