Fundamentals of Cybersecurity Auditing

Who will benefit from this course?

This course intends to provide a comprehensive overview of key cybersecurity concepts, along with practical applications, that can be used to facilitate audit efforts within your organization. This course is designed for internal auditors who are looking for a fundamental understanding of cybersecurity and common exploits. It is recommended for internal auditors that are involved in operational audit activities and need to know how to assess the strength of controls that influence the impact of cybersecurity events on organizational risks.

Course Objectives

• Define cybersecurity from an internal audit perspective.
• Describe the scope, purpose, and limitations of cybersecurity.
• Recognize how to measure effectiveness within the cybersecurity program.
• Express the importance of information security governance with the cybersecurity program.
• Examine the importance of cybersecurity and vendor risk assessments.
• Explore basic auditing considerations for cybersecurity-related compliance.
• Recognize typical cybersecurity-related preventive, directive, detective, mitigating, redundant, compensating, and corrective controls.
• Identify simple internal audit activities to assess cyber resiliency within existing operational audit programs.

Course Topics

Overview of Cybersecurity

• An overview of cybersecurity, including its history and impact on organizations.
• The breach process, and the motivations and tactics of a bad actor.
• Control types to protect against or minimize cyberattacks.
• An overview of defense in depth, layered security, and the Open System Interconnection (OSI) model.

Information Security – Governance, Risk, and Control

• An overview of cybersecurity governance and the associated standards.
• An overview of cybersecurity risk management and the associated standards.
• The development of a cybersecurity risk management program, including the utilization of cybersecurity risk management frameworks and cybersecurity maturity models.
• Cybersecurity control areas and program development.
• Assurance on cybersecurity governance, risk, and controls, and auditing cybersecurity.

Control Primer

• The characteristics of the various controls – by function – that should be present in an organization’s internal control environment to achieve and maintain a robust cybersecurity program, including:
  • Control design and maintenance.
  • Types of controls.
  • Control levels.
  • Control classifications.
  • Controls by function.
  • Asset and control inventory.
  • Controls and the Standards.

Directive Controls

• An overview of directive controls and their importance in cybersecurity.
• An exploration of common threats to directive controls.
• Utilizing cybersecurity frameworks, standards, and guidelines to establish directive controls.
• The importance of cybersecurity training as a directive control.
• Building directive controls to support incentive programs.

Preventive Controls

• An overview of preventive controls and their importance in cybersecurity.
• An exploration of the use of preventive controls regarding the anatomy of a breach, including:
  • Infiltration.
  • Propagation.
  • Aggregation.
  • Exfiltration.
• An introduction to techniques for monitoring and reporting.

Detective Controls

• An overview of detective controls and their importance in cybersecurity.
• The cybersecurity triad (CIA Triad).
• Detective controls for detecting cyber incidents.
• The Security Operations Center (SOC) in response to a cybersecurity breach.
• Containing any breaches in security and determining resulting data exposure and exfiltration.
• Audit logging and security information and event management (SIEM) for continuous monitoring.
• Considerations for auditing detective controls.
• Data classification, ownership, and detective controls.

Corrective Controls

• An overview of corrective controls and their importance in cybersecurity.
• An exploration of common types of corrective controls:
  • Backup and restoration.
  • Business continuity.
  • Disaster recovery.
  • Incident response.
• Potential threats to the functionality of the common types of corrective controls.
• Essential auditing concepts for assessing cybersecurity corrective controls.

Mitigating Controls

• An overview of mitigating controls and their importance in cybersecurity.
• Potential threats to the functionality of the common types of mitigating controls.
• The cybersecurity risk management process and mitigating controls.
• An exploration of common types of mitigating controls.
• Essential auditing approaches for assessing cybersecurity-related mitigating controls.

Compensating and Redundant Controls

• An overview of compensating and redundant controls and their importance in cybersecurity.
• An exploration of common types of compensating and redundant controls.
• Potential threats to the functionality of the common types of compensating and redundant controls.
• Audit approaches for assessing cybersecurity-related compensating and redundant controls.

Assessing Cybersecurity in Operational Audit Programs

• An overview of the Global Internal Audit Standards related to work programs that account for cyber-related risks.
• An overview of GTAGs and Practice Guides related to work programs that account for cyber-related risks.
• An overview of industry-recognized cybersecurity and cloud control frameworks.
• Suggestions for enhancing operational audit programs with cyber-related audit activities.