SlideShare a Scribd company logo

Managing-Data-Protection-and-Cybersecurity-Audit-s-Role_joa_Eng_0116

M
Mohammed J. Khan
1 of 3
Download to read offline
Feature 1ISACA JOURNAL VOLUME 1, 2016 Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca. org/journal), find the article and choose the Comments tab to share your thoughts. Go directly to the article: Data protection and cybersecurity go hand-in- hand due to the nature of the risk involved. The underlying assumption is that all data, whether they are stationary or in motion, are threatened to be compromised. A prime example of this can be seen in the medical device industry. Due to the explosion of medical device innovation, resulting in both economic and consumer/patient health advancement, the industry has seen a growing number of threats from a cybersecurity risk landscape. The US is the largest medical device market in the world with a market size of approximately US $110 billion, and it is expected to reach US $133 billion by 2016.1 The industry has seen a rise in innovation since the early 2000s, primarily due to the advent of technological advancement and the demand from consumers and health care practitioners to further the quality of the patient care provided. A few of the relevant, more commonly known medical devices are pacemakers, infusion pumps, operating room monitors, dialysis machines—all of which retain and potentially transmit vital patient and equipment data to medical professionals and other sources gathering data. Security experts say cybercriminals are increasingly targeting the US $3 trillion US health care industry, in which many companies remain reliant on aging computer systems that do not use the latest security features.2 As a result, the percentage of health care organizations that have reported a criminal cyberattack rose to 40 percent in 2013 from 20 percent in 2009, according to an annual survey by the Ponemon Institute think tank on data protection policy. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a breach to a company was US $3.5 million dollars, 15 percent more than what it cost the previous year.3 The role of IT security professionals, especially in the audit function, is to be the front line in identifying and helping to address the risk that enterprises face in the growing threat landscape operating at a global level. As a result, every audit function should consider spending time on identifying opportunities to perform a review around data protection and cybersecurity within its respective enterprise to help identify gaps and work with key departments in the enterprise to help reduce and/or eliminate the gaps as best as possible. RISK ASSESSMENT To begin, enterprises should consider performing a risk assessment of the threat landscape; making this happen starts with the tone at the top. The risk assessment normally should be owned by the enterprise-level functions, and it can be a joint effort between the audit function and the business functions in an effort to ensure that there is synergy between the two. Risk assessments are meant to help identify and address the gaps that may be exacerbated in the event of a cyberrisk due to a lack of key controls. One of the primary resources for creating an internal risk assessment analysis of an organization is the framework provided by the American Institute of Certified Public Accountants (AICPA).4 The AICPA has drafted a white paper that attempts to simplify the practitioner’s understanding of the risk assessment standards and process by focusing on the end game and how that objective can be achieved in an effective, yet efficient, manner.5 An effective way to simplify the risk assessment is by dividing the areas of the assessment into the following categories (figure 1): • Understand the business. It is vital to include the fundamentals of the organization from the top. This includes knowing who the customers are and what the key products are that drive the very engine of the enterprise. One of the best resources for US companies to utilize to further the organizational knowledge is to review Form 10-K, an annual report required by the US Securities and Exchange Mohammed J. Khan, CISA, CRISC, CIPM, is a global audit, security and privacy manager serving the teams of the chief information security officer, chief privacy officer and chief audit executive at Baxter International. He has spearheaded multinational global audits in several areas, including enterprise resource planning systems, global data centers, third-party reviews, process reengineering and improvement, global privacy assessments (EMEA,APAC, UCAN), and cybersecurity readiness in several major countries over the past five years. Khan has worked previously as a senior assurance and advisory consultant for Ernst & Young and as a business systems analyst for Motorola. Managing Data Protection and Cybersecurity—Audit’s Role
2 ISACA JOURNAL VOLUME 1, 2016 Commission (SEC). This gives a comprehensive summary of a company’s financial performance. It can help further an understanding of the enterprise based on the knowledge already amassed and enable a view of the risk from a business and financial perspective. • Know the organization’s internal control environment. Elements of a strong internal control environment include the right combination of IT and transactional-level controls that are backed by a process to manage the reporting of any breakdown of controls and actionable plans stemming from such a breakdown. The DNA of the internal controls of an organization is composed of the philosophy, adaptation, integrity and stance of the organization’s resources toward the control environment. • Collaborate among departments. The audit function has one of the best positions in the company when it comes to bringing together various departments to collaborate on all aspects of key business, financial and regulatory risk—both internal and external. Collaboration among the chief privacy officer (CPO), chief information security officer (CISO), chief audit executive (CAE) and chief risk officer (CRO) is vital to have a robust risk assessment program in place.6 • Summarize and communicate the risk assessment. Risk communication is commonly defined as the “process of exchanging information among interested parties about the nature, magnitude, significance, or control of a risk.”7 It is important to include all the key stakeholders of the organization as part of the risk assessment summary of recipients, which should be ideally communicated for each key business and function, as well as at the enterprisewide level. This helps with the delivery and the overall execution of the proposed audits that are planned for the year and in paving the way for having a robust audit plan clearly defining the audit and the risk that correlates to why the audit is being conducted. DATA PROTECTION AND CYBERSECURITY AUDIT SCOPE To have a meaningful scope for an audit around data protection and cybersecurity, one must consider all relevant areas of the organization that require inclusion in the scope of the audit. The functional entities that ought to be considered in scope should include customer operations, finance, human resources (HR), IT systems and applications, legal, pharmacovigilance, purchasing, regulatory affairs, Figure 1—Steps Required to Perform a Robust Risk Assessment Source: Mohammed J. Khan. Reprinted with permission. environmental/physical security, and all applicable vendors or third parties in any of these areas. Specifically, for each of the areas, the auditor should consider the following areas as part of the audit: • Key IT systems and applications located in the local data centers: – Verification of the security management of the systems and applications, including the logging and monitoring of systems containing sensitive data • HR (full-time and temporary labor): – Recruitment and vetting of candidates for key roles within the organization that have access to highly confidential data – Management of the on-boarding process and proper training and compliance monitoring as needed for specific roles, while paying attention to company and country laws around employee rights and privacy – Off-boarding process of employees and agreements of noncompete and confidentiality of organizational and product intellectual property • Internal collaboration tools management: – Enterprise content and document management (ECDM) system usage and data handling: Collaborate Among Departments Risk Assessment Understand the Business Summarize and Communicate the Risk Assessment Know the Organization’s Internal Control Environment
3ISACA JOURNAL VOLUME 1, 2016 . Verification of the overall management of data within the organization that are shared among peers on collaboration tools and platforms – File share management: . File management and permissions on massive file shares utilized by the organization’s departments, the protection of the file shares via proper system administrative authorities, and monitoring of key file shares • Third-party interaction and data sharing: – Contract management end-to-end life cycle, including standard language of key vendors that would have access to highly confidential data, including patient health information and intellectual property • Personal computer device physical protection and encryption: – Internal and external technological controls necessary to deter flight of data from employees and/or contractors • Records storage and management: – Onsite and off-site physical security of confidential paper data, including electronic tapes if off-site storage is utilized for backup purposes • Incident response and handling: – Electronic asset management of key devices, including laptops, desktops, servers and mobile devices: . End-to-end life cycle of asset loss and disposal process CONCLUSION Data protection and cybersecurity management is a key area that all organizations have to manage well. A CIO Network event held by The Wall Street Journal included a panel of CIOs who prioritized a set of recommendations to drive business and policy in the coming years. Cybersecurity was one of the key themes that came out of the event and corresponding special report. A primary responsibility for a CIO or CISO when talking to the chief executive officer (CEO) or board of directors (BoD) is to articulate how cybersecurity translates into revenue. Putting monetary value on security events and tying security to real-life business cases can show senior executives the potential impact of a cyberevent in terms that make sense to them.8 The role of audit is to embrace the function it plays as a key member of the organization that has to independently assess the organization’s management of risk around data loss and prevention by performing robust risk assessments at the organization level and delivering meaningful data protection and cybersecurity-related audits. This will help further the chance of an organization’s maturity level to increase when it comes to fighting the ever-growing threat of cyberespionage and internal malicious data loss through organizational employee resources and temporary labor workforces. ENDNOTES 1 SelectUSA, “The Medical Device Industry in the USA,” http://selectusa.commerce.gov/industry-snapshots/medical- device-industry-united-states 2 Humer, C.; J. Finkle; “Your Medical Record Is Worth More to Hackers Than Your Credit Card,” Reuters, 24 September 2014, www.reuters.com/article/2014/09/24/us- cybersecurity-hospitals-idUSKCN0HJ21I20140924 3 Ponemon Institute, 2014 Cost of Data Breach: Global Analysis, www.ponemon.org/blog/ponemon-institute- releases-2014-cost-of-data-breach-global-analysis 4 While the AICPA framework is generally used for financial statements, it has proven to be a valuable framework for the general management and creation of guidance that embodies a generic model for other risk assessments—those that are not necessarily related to financial statements. 5 American Institute of Certified Public Accountants, “Risk Assessment,” USA, www.aicpa.org/InterestAreas/FRC/ AuditAttest/Pages/RiskAssessment.aspx 6 Tsikoudakis, M.; “Collaboration Between Risk Management, Internal Audit Valuable: Report,” Business Insurance, 11 April 2012, www.businessinsurance.com/article/20120411/ NEWS06/120419970 7 Covello, V. T.; “Risk Communication: An Emerging Area of Health Communication Research,” Communication Yearbook 15, Sage, USA, 1992, p. 359-373 8 Norton, S.; “CIOs Name Their Top 5 Strategic Priorities,” The Wall Street Journal CIO Journal, 3 February 2015, http://blogs.wsj.com/cio/2015/02/03/cios-name-their-top-5- strategic-priorities/ • Learn more about, discuss and collaborate on privacy/data protection and cybersecurity in the Knowledge Center. www.isaca.org/knowledgecenter

Recommended

Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016jennyhollingworth
 
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONQUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
 
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONQUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
 
2015 IA survey - Protiviti
2015 IA survey - Protiviti2015 IA survey - Protiviti
2015 IA survey - ProtivitiSimone Luca Giargia
 
2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot SpotsRon Steinkamp
 
Risk & Compliance Outlook 2011
Risk & Compliance Outlook 2011Risk & Compliance Outlook 2011
Risk & Compliance Outlook 2011Hiten Sethi
 
Cyber ANPR Regulatory Alert - October 2016
Cyber ANPR Regulatory Alert - October 2016Cyber ANPR Regulatory Alert - October 2016
Cyber ANPR Regulatory Alert - October 2016Ben-Ari Boukai
 
ISSC471_Final_Project_Paper_John_Intindolo
ISSC471_Final_Project_Paper_John_IntindoloISSC471_Final_Project_Paper_John_Intindolo
ISSC471_Final_Project_Paper_John_IntindoloJohn Intindolo
 

Recommended

Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016jennyhollingworth
 
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONQUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
 
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONQUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONIJNSA Journal
 
2015 IA survey - Protiviti
2015 IA survey - Protiviti2015 IA survey - Protiviti
2015 IA survey - ProtivitiSimone Luca Giargia
 
2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot SpotsRon Steinkamp
 
Risk & Compliance Outlook 2011
Risk & Compliance Outlook 2011Risk & Compliance Outlook 2011
Risk & Compliance Outlook 2011Hiten Sethi
 
Cyber ANPR Regulatory Alert - October 2016
Cyber ANPR Regulatory Alert - October 2016Cyber ANPR Regulatory Alert - October 2016
Cyber ANPR Regulatory Alert - October 2016Ben-Ari Boukai
 
ISSC471_Final_Project_Paper_John_Intindolo
ISSC471_Final_Project_Paper_John_IntindoloISSC471_Final_Project_Paper_John_Intindolo
ISSC471_Final_Project_Paper_John_IntindoloJohn Intindolo
 
Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and controlYulias Sihombing, Ak, MAk, CIA
 
Ffiec cat may_2017
Ffiec cat may_2017Ffiec cat may_2017
Ffiec cat may_2017Josef Sulca Cueva
 
Preparing & Responding to an OCR HIPAA Audit
Preparing & Responding to an OCR HIPAA AuditPreparing & Responding to an OCR HIPAA Audit
Preparing & Responding to an OCR HIPAA AuditPYA, P.C.
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment.AIR UNIVERSITY ISLAMABAD
 
Insider Threat_BAH_Turner
Insider Threat_BAH_TurnerInsider Threat_BAH_Turner
Insider Threat_BAH_TurnerBob Turner
 
Information technology risks
Information technology risksInformation technology risks
Information technology riskssalman butt
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIvonne Yeste
 
My slides
My slidesMy slides
My slidesveronikako
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...IJNSA Journal
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information Systemarif prasetyo
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessmentHappiest Minds Technologies
 
2013 cost of data breach study - France
2013 cost of data breach study - France2013 cost of data breach study - France
2013 cost of data breach study - FranceBee_Ware
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 
La mystérieuse afrique
La mystérieuse afriqueLa mystérieuse afrique
La mystérieuse afriqueUma Nova Visão do Graal
 
A Game-play Architecture for Performance
A Game-play Architecture for PerformanceA Game-play Architecture for Performance
A Game-play Architecture for Performancetektor
 
5a) Magazine Fall 2012 (4 articles)
5a) Magazine Fall 2012 (4 articles)5a) Magazine Fall 2012 (4 articles)
5a) Magazine Fall 2012 (4 articles)Samar Al-Sayed
 
gabby_cv(1)
gabby_cv(1)gabby_cv(1)
gabby_cv(1)Gabby Dizon
 

More Related Content

What's hot

Preparing & Responding to an OCR HIPAA Audit
Preparing & Responding to an OCR HIPAA AuditPreparing & Responding to an OCR HIPAA Audit
Preparing & Responding to an OCR HIPAA AuditPYA, P.C.
 
Insider Threat_BAH_Turner
Insider Threat_BAH_TurnerInsider Threat_BAH_Turner
Insider Threat_BAH_TurnerBob Turner
 
Information technology risks
Information technology risksInformation technology risks
Information technology riskssalman butt
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIvonne Yeste
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...IJNSA Journal
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information Systemarif prasetyo
 
2013 cost of data breach study - France
2013 cost of data breach study - France2013 cost of data breach study - France
2013 cost of data breach study - FranceBee_Ware
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 

What's hot (18)

Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and control
 
Ffiec cat may_2017
Ffiec cat may_2017Ffiec cat may_2017
Ffiec cat may_2017
 
Preparing & Responding to an OCR HIPAA Audit
Preparing & Responding to an OCR HIPAA AuditPreparing & Responding to an OCR HIPAA Audit
Preparing & Responding to an OCR HIPAA Audit
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Insider Threat_BAH_Turner
Insider Threat_BAH_TurnerInsider Threat_BAH_Turner
Insider Threat_BAH_Turner
 
Information technology risks
Information technology risksInformation technology risks
Information technology risks
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk management
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - Final
 
My slides
My slidesMy slides
My slides
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information System
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 
2013 cost of data breach study - France
2013 cost of data breach study - France2013 cost of data breach study - France
2013 cost of data breach study - France
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
 

Viewers also liked

A Game-play Architecture for Performance
A Game-play Architecture for PerformanceA Game-play Architecture for Performance
A Game-play Architecture for Performancetektor
 
5a) Magazine Fall 2012 (4 articles)
5a) Magazine Fall 2012 (4 articles)5a) Magazine Fall 2012 (4 articles)
5a) Magazine Fall 2012 (4 articles)Samar Al-Sayed
 
Bài luyện thi anh văn đại học 2016 (lesson 21)
Bài luyện thi anh văn đại học 2016 (lesson 21)Bài luyện thi anh văn đại học 2016 (lesson 21)
Bài luyện thi anh văn đại học 2016 (lesson 21)Ôn Thi Đại Học
 
ELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyber
ELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyberELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyber
ELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyberUma Luz além do Mundo
 
Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...
Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...
Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...schoolantoreecom
 
Прогулки по Мурманску. Виртуальная книжная выставка
Прогулки по Мурманску. Виртуальная книжная выставкаПрогулки по Мурманску. Виртуальная книжная выставка
Прогулки по Мурманску. Виртуальная книжная выставкаAndrey210680
 
30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...
30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...
30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...Andrey210680
 
Unidad III Línea de Vida/Autobiografía
Unidad III Línea de Vida/AutobiografíaUnidad III Línea de Vida/Autobiografía
Unidad III Línea de Vida/AutobiografíaCarlos Macallums
 
FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN)
FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN) FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN)
FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN) Dentsu_Aegis_Network_Russia
 

Viewers also liked (16)

La mystérieuse afrique
La mystérieuse afriqueLa mystérieuse afrique
La mystérieuse afrique
 
A Game-play Architecture for Performance
A Game-play Architecture for PerformanceA Game-play Architecture for Performance
A Game-play Architecture for Performance
 
5a) Magazine Fall 2012 (4 articles)
5a) Magazine Fall 2012 (4 articles)5a) Magazine Fall 2012 (4 articles)
5a) Magazine Fall 2012 (4 articles)
 
gabby_cv(1)
gabby_cv(1)gabby_cv(1)
gabby_cv(1)
 
Comunicato papa
Comunicato papaComunicato papa
Comunicato papa
 
Bài luyện thi anh văn đại học 2016 (lesson 21)
Bài luyện thi anh văn đại học 2016 (lesson 21)Bài luyện thi anh văn đại học 2016 (lesson 21)
Bài luyện thi anh văn đại học 2016 (lesson 21)
 
Iden fratag fritsch-dernieres-paroles
Iden fratag fritsch-dernieres-parolesIden fratag fritsch-dernieres-paroles
Iden fratag fritsch-dernieres-paroles
 
Урок профориентации для 1-4-х классов
Урок профориентации для 1-4-х классовУрок профориентации для 1-4-х классов
Урок профориентации для 1-4-х классов
 
ELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyber
ELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyberELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyber
ELES TAMBÉM SÃO NOSSOS IRMÃOS - manfred kyber
 
O mestre universal - kurt Iling
O mestre universal - kurt IlingO mestre universal - kurt Iling
O mestre universal - kurt Iling
 
Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...
Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...
Đề thi thử THPT Quốc gia môn Hóa học Trường THPT Thanh Oai A – Hà Nội lần 1 n...
 
Прогулки по Мурманску. Виртуальная книжная выставка
Прогулки по Мурманску. Виртуальная книжная выставкаПрогулки по Мурманску. Виртуальная книжная выставка
Прогулки по Мурманску. Виртуальная книжная выставка
 
30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...
30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...
30 ноября. момент истины.виртуальная книжная выствка ко дню памяти жертв поли...
 
Unidad III Línea de Vida/Autobiografía
Unidad III Línea de Vida/AutobiografíaUnidad III Línea de Vida/Autobiografía
Unidad III Línea de Vida/Autobiografía
 
FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN)
FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN) FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN)
FMCG в digital: Андрей Молев (AMNET), Михаил Шкляев (DAN)
 
Galaxia
GalaxiaGalaxia
Galaxia
 

Similar to Managing-Data-Protection-and-Cybersecurity-Audit-s-Role_joa_Eng_0116

The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentBradley Susser
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the BoardroomMarko Suswanto
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Please read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxPlease read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxLeilaniPoolsy
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperrickkaun
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee StudyHiten Sethi
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxtoltonkendal
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)ishan parikh production
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedJames Blake
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Role of AI Safety Institutes in Trustworthy AI.pdf
Role of AI Safety Institutes in Trustworthy AI.pdfRole of AI Safety Institutes in Trustworthy AI.pdf
Role of AI Safety Institutes in Trustworthy AI.pdfBob Marcus
 
Determine Maintenance strateg.docx
Determine Maintenance strateg.docxDetermine Maintenance strateg.docx
Determine Maintenance strateg.docxDarkKnight367793
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldnooralmousa
 
Cyber Security Risk Management
Cyber Security Risk ManagementCyber Security Risk Management
Cyber Security Risk ManagementShaun Sloan
 
COURSE PROJECT2Operating System and Application Security Str.docx
COURSE PROJECT2Operating System and Application Security Str.docxCOURSE PROJECT2Operating System and Application Security Str.docx
COURSE PROJECT2Operating System and Application Security Str.docxmarilucorr
 
Enterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation AgeEnterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation AgeCareer Communications Group
 

Similar to Managing-Data-Protection-and-Cybersecurity-Audit-s-Role_joa_Eng_0116 (20)

The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
AICPA Introduces the SOC Report for Cybersecurity
AICPA Introduces the SOC Report for CybersecurityAICPA Introduces the SOC Report for Cybersecurity
AICPA Introduces the SOC Report for Cybersecurity
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
Please read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxPlease read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docx
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaper
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee Study
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - Published
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Role of AI Safety Institutes in Trustworthy AI.pdf
Role of AI Safety Institutes in Trustworthy AI.pdfRole of AI Safety Institutes in Trustworthy AI.pdf
Role of AI Safety Institutes in Trustworthy AI.pdf
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
Determine Maintenance strateg.docx
Determine Maintenance strateg.docxDetermine Maintenance strateg.docx
Determine Maintenance strateg.docx
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
 
Cyber Security Risk Management
Cyber Security Risk ManagementCyber Security Risk Management
Cyber Security Risk Management
 
COURSE PROJECT2Operating System and Application Security Str.docx
COURSE PROJECT2Operating System and Application Security Str.docxCOURSE PROJECT2Operating System and Application Security Str.docx
COURSE PROJECT2Operating System and Application Security Str.docx
 
Enterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation AgeEnterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation Age
 

Managing-Data-Protection-and-Cybersecurity-Audit-s-Role_joa_Eng_0116

  • 1. Feature 1ISACA JOURNAL VOLUME 1, 2016 Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca. org/journal), find the article and choose the Comments tab to share your thoughts. Go directly to the article: Data protection and cybersecurity go hand-in- hand due to the nature of the risk involved. The underlying assumption is that all data, whether they are stationary or in motion, are threatened to be compromised. A prime example of this can be seen in the medical device industry. Due to the explosion of medical device innovation, resulting in both economic and consumer/patient health advancement, the industry has seen a growing number of threats from a cybersecurity risk landscape. The US is the largest medical device market in the world with a market size of approximately US $110 billion, and it is expected to reach US $133 billion by 2016.1 The industry has seen a rise in innovation since the early 2000s, primarily due to the advent of technological advancement and the demand from consumers and health care practitioners to further the quality of the patient care provided. A few of the relevant, more commonly known medical devices are pacemakers, infusion pumps, operating room monitors, dialysis machines—all of which retain and potentially transmit vital patient and equipment data to medical professionals and other sources gathering data. Security experts say cybercriminals are increasingly targeting the US $3 trillion US health care industry, in which many companies remain reliant on aging computer systems that do not use the latest security features.2 As a result, the percentage of health care organizations that have reported a criminal cyberattack rose to 40 percent in 2013 from 20 percent in 2009, according to an annual survey by the Ponemon Institute think tank on data protection policy. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a breach to a company was US $3.5 million dollars, 15 percent more than what it cost the previous year.3 The role of IT security professionals, especially in the audit function, is to be the front line in identifying and helping to address the risk that enterprises face in the growing threat landscape operating at a global level. As a result, every audit function should consider spending time on identifying opportunities to perform a review around data protection and cybersecurity within its respective enterprise to help identify gaps and work with key departments in the enterprise to help reduce and/or eliminate the gaps as best as possible. RISK ASSESSMENT To begin, enterprises should consider performing a risk assessment of the threat landscape; making this happen starts with the tone at the top. The risk assessment normally should be owned by the enterprise-level functions, and it can be a joint effort between the audit function and the business functions in an effort to ensure that there is synergy between the two. Risk assessments are meant to help identify and address the gaps that may be exacerbated in the event of a cyberrisk due to a lack of key controls. One of the primary resources for creating an internal risk assessment analysis of an organization is the framework provided by the American Institute of Certified Public Accountants (AICPA).4 The AICPA has drafted a white paper that attempts to simplify the practitioner’s understanding of the risk assessment standards and process by focusing on the end game and how that objective can be achieved in an effective, yet efficient, manner.5 An effective way to simplify the risk assessment is by dividing the areas of the assessment into the following categories (figure 1): • Understand the business. It is vital to include the fundamentals of the organization from the top. This includes knowing who the customers are and what the key products are that drive the very engine of the enterprise. One of the best resources for US companies to utilize to further the organizational knowledge is to review Form 10-K, an annual report required by the US Securities and Exchange Mohammed J. Khan, CISA, CRISC, CIPM, is a global audit, security and privacy manager serving the teams of the chief information security officer, chief privacy officer and chief audit executive at Baxter International. He has spearheaded multinational global audits in several areas, including enterprise resource planning systems, global data centers, third-party reviews, process reengineering and improvement, global privacy assessments (EMEA,APAC, UCAN), and cybersecurity readiness in several major countries over the past five years. Khan has worked previously as a senior assurance and advisory consultant for Ernst & Young and as a business systems analyst for Motorola. Managing Data Protection and Cybersecurity—Audit’s Role
  • 2. 2 ISACA JOURNAL VOLUME 1, 2016 Commission (SEC). This gives a comprehensive summary of a company’s financial performance. It can help further an understanding of the enterprise based on the knowledge already amassed and enable a view of the risk from a business and financial perspective. • Know the organization’s internal control environment. Elements of a strong internal control environment include the right combination of IT and transactional-level controls that are backed by a process to manage the reporting of any breakdown of controls and actionable plans stemming from such a breakdown. The DNA of the internal controls of an organization is composed of the philosophy, adaptation, integrity and stance of the organization’s resources toward the control environment. • Collaborate among departments. The audit function has one of the best positions in the company when it comes to bringing together various departments to collaborate on all aspects of key business, financial and regulatory risk—both internal and external. Collaboration among the chief privacy officer (CPO), chief information security officer (CISO), chief audit executive (CAE) and chief risk officer (CRO) is vital to have a robust risk assessment program in place.6 • Summarize and communicate the risk assessment. Risk communication is commonly defined as the “process of exchanging information among interested parties about the nature, magnitude, significance, or control of a risk.”7 It is important to include all the key stakeholders of the organization as part of the risk assessment summary of recipients, which should be ideally communicated for each key business and function, as well as at the enterprisewide level. This helps with the delivery and the overall execution of the proposed audits that are planned for the year and in paving the way for having a robust audit plan clearly defining the audit and the risk that correlates to why the audit is being conducted. DATA PROTECTION AND CYBERSECURITY AUDIT SCOPE To have a meaningful scope for an audit around data protection and cybersecurity, one must consider all relevant areas of the organization that require inclusion in the scope of the audit. The functional entities that ought to be considered in scope should include customer operations, finance, human resources (HR), IT systems and applications, legal, pharmacovigilance, purchasing, regulatory affairs, Figure 1—Steps Required to Perform a Robust Risk Assessment Source: Mohammed J. Khan. Reprinted with permission. environmental/physical security, and all applicable vendors or third parties in any of these areas. Specifically, for each of the areas, the auditor should consider the following areas as part of the audit: • Key IT systems and applications located in the local data centers: – Verification of the security management of the systems and applications, including the logging and monitoring of systems containing sensitive data • HR (full-time and temporary labor): – Recruitment and vetting of candidates for key roles within the organization that have access to highly confidential data – Management of the on-boarding process and proper training and compliance monitoring as needed for specific roles, while paying attention to company and country laws around employee rights and privacy – Off-boarding process of employees and agreements of noncompete and confidentiality of organizational and product intellectual property • Internal collaboration tools management: – Enterprise content and document management (ECDM) system usage and data handling: Collaborate Among Departments Risk Assessment Understand the Business Summarize and Communicate the Risk Assessment Know the Organization’s Internal Control Environment
  • 3. 3ISACA JOURNAL VOLUME 1, 2016 . Verification of the overall management of data within the organization that are shared among peers on collaboration tools and platforms – File share management: . File management and permissions on massive file shares utilized by the organization’s departments, the protection of the file shares via proper system administrative authorities, and monitoring of key file shares • Third-party interaction and data sharing: – Contract management end-to-end life cycle, including standard language of key vendors that would have access to highly confidential data, including patient health information and intellectual property • Personal computer device physical protection and encryption: – Internal and external technological controls necessary to deter flight of data from employees and/or contractors • Records storage and management: – Onsite and off-site physical security of confidential paper data, including electronic tapes if off-site storage is utilized for backup purposes • Incident response and handling: – Electronic asset management of key devices, including laptops, desktops, servers and mobile devices: . End-to-end life cycle of asset loss and disposal process CONCLUSION Data protection and cybersecurity management is a key area that all organizations have to manage well. A CIO Network event held by The Wall Street Journal included a panel of CIOs who prioritized a set of recommendations to drive business and policy in the coming years. Cybersecurity was one of the key themes that came out of the event and corresponding special report. A primary responsibility for a CIO or CISO when talking to the chief executive officer (CEO) or board of directors (BoD) is to articulate how cybersecurity translates into revenue. Putting monetary value on security events and tying security to real-life business cases can show senior executives the potential impact of a cyberevent in terms that make sense to them.8 The role of audit is to embrace the function it plays as a key member of the organization that has to independently assess the organization’s management of risk around data loss and prevention by performing robust risk assessments at the organization level and delivering meaningful data protection and cybersecurity-related audits. This will help further the chance of an organization’s maturity level to increase when it comes to fighting the ever-growing threat of cyberespionage and internal malicious data loss through organizational employee resources and temporary labor workforces. ENDNOTES 1 SelectUSA, “The Medical Device Industry in the USA,” http://selectusa.commerce.gov/industry-snapshots/medical- device-industry-united-states 2 Humer, C.; J. Finkle; “Your Medical Record Is Worth More to Hackers Than Your Credit Card,” Reuters, 24 September 2014, www.reuters.com/article/2014/09/24/us- cybersecurity-hospitals-idUSKCN0HJ21I20140924 3 Ponemon Institute, 2014 Cost of Data Breach: Global Analysis, www.ponemon.org/blog/ponemon-institute- releases-2014-cost-of-data-breach-global-analysis 4 While the AICPA framework is generally used for financial statements, it has proven to be a valuable framework for the general management and creation of guidance that embodies a generic model for other risk assessments—those that are not necessarily related to financial statements. 5 American Institute of Certified Public Accountants, “Risk Assessment,” USA, www.aicpa.org/InterestAreas/FRC/ AuditAttest/Pages/RiskAssessment.aspx 6 Tsikoudakis, M.; “Collaboration Between Risk Management, Internal Audit Valuable: Report,” Business Insurance, 11 April 2012, www.businessinsurance.com/article/20120411/ NEWS06/120419970 7 Covello, V. T.; “Risk Communication: An Emerging Area of Health Communication Research,” Communication Yearbook 15, Sage, USA, 1992, p. 359-373 8 Norton, S.; “CIOs Name Their Top 5 Strategic Priorities,” The Wall Street Journal CIO Journal, 3 February 2015, http://blogs.wsj.com/cio/2015/02/03/cios-name-their-top-5- strategic-priorities/ • Learn more about, discuss and collaborate on privacy/data protection and cybersecurity in the Knowledge Center. www.isaca.org/knowledgecenter