SlideShare a Scribd company logo

Cybersecurity-Audit-A-Case-Study-for-SME.pdf

Thilak Pathirage -Senior IT Gov and Risk Consultant
Thilak Pathirage -Senior IT Gov and Risk Consultant

Cybersecurity Audit Case study

Business
1 of 5
Download to read offline
Cyber security audit - A Case Study for SME Page 1 CYBERSECURITY AUDIT – A CASE STUDY FOR SME Author : Pascale Dominique, CISA, CRISC, CPA-CA, V-P Certification & Training ISACA – Montreal Chapter. We need to be flexible in the definition of a Cybersecurity Audit, especially when the mandate is for a “Small and Medium-sized Enterprise” (SME)! Our multidisciplinary team has been involved in security and information technology for more than 25 years. We advise our clients to take advantage of new technologies to maintain their strategic positioning. Our cybersecurity audit mandate with a SME aims at evaluating and proposing recommendations on the state of the network and cybersecurity; guide and advise our client on industry best-practices; and to propose a plan of action to correct weaknesses and vulnerabilities identified and thus reduce the risks related to cybersecurity. Being a member of the ISACA (Information Systems Audit and Control Association) - Montreal Chapter, I seek to provide leverage and added value by presenting a coherent report to the client with technical recommendations supported by standards of good practice. This will help the SMB business leaders understand the action plan, which is not always easy! When such is the case, we will use best practice guides developed by ISACA to address the particulars of SME’s in conjunction with the National Institute of Standards and Technology (NIST)1 Cybersecurity programs which promote the development and application of innovative and practical technologies and methodologies for security and improvement of critical cyber security infrastructures. FIRST PART – USE OF CYBERSECURITY GUIDES The cybersecurity guides for SMEs2 proposed by ISACA are essential resources. Aligned with the COBIT5 standard, these guides address the needs of the SME whose technical resources and budgets are often limited. The "Cybersecurity Guidance for Small and Medium-sized Entreprises" guide first defines the different categories of SMEs and then proposes 8 principles and 55 guidance clauses (requirements / controls). Each clause receives a "Critical" "Severe" or "Important" audit rating, identifying a cybersecurity risk level for an SME, see Table 1. 1 NIST, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity V1.1, USA 2017 2 ISACA, Cybersecurity Guidance for Small and Medium-sized Enterprises, USA, 2015 ISACA, Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises, USA 2015 ISACA, Transforming Cybersecurity, USA, 2013
Cyber security audit - A Case Study for SME Page 2 Audit Rating Explanation Audit Rating Explanation Critical Major impact or risk to the enterprise, potentially endangering the existence of the enterprise. Impacts and risk may be financial, operational, reputational, legal or of any other kind. Significant Significant impact or risk to the enterprise, with potentially wide-ranging consequences within the business year. Important Impact or risk to the enterprise that goes beyond the tolerated levels of impact and risk, as defined by senior management Table 1- Audit Rating Explanation Each requirement is assigned with one of the audit rating. Table 2 presents an example of some of the requirements that emerged while in assignment. Auditable Cybersecurity Requirements Cybersecurity Guidance Clause (CGC) Requirements/Controls Audit Rating 1 Documented cybersecurity governance rules Critical 4 Documented cybersecurity strategy Significant 11 Documented procedures and management practices for cybersecurity Important 21 Documented information asset classification, cybersecurity risk and threats Significant Table 2 - Auditable Cybersecurity Requirements Once our tests and analyzes are completed, we develop recommendations for the identified gaps, weaknesses, or vulnerabilities and prioritize them from 1 to 3. By matching each of our recommendations to one or more of the guide's clauses - see some examples at Table 3 - Mapping of the requirements and the recommendations, we add consistency to the report. C.G.C. Requirements/Controls Audit Rating Recommendations Priority 1 Documented cybersecurity governance rules Critical R1 2 34 Secure configuration of logical points of entry Critical R5-R6-R9 1 37 Malware defense mechanisms Critical R7 3 38 Boundary defense mechanisms Critical R3-R4-R5-R6-R9 1 44 “Need to know” and “Least privilege” principles documented and in evidence Critical R8 3 4 Documented cybersecurity strategy Significant R1 1 21 Documented information asset inventory/ Documented information asset classification, cybersecurity risk and threats Significant R2 1 23 Identified critical IT services and applications, critical IT infrastructures and third party products and services Significant R2 2 24 Adequate extent and detail of cybersecurity architecture, size and complexity Important R3 2 25 Adequate skills and competencies of cybersecurity staff Significant R2 1 Table 3 - Mapping of the requirements and the recommendations
Cyber security audit - A Case Study for SME Page 3 Finally, we will map the proposed recommendations and controls-oriented clauses, which are the minimum requirement criteria for SMEs. Table 4 – Summary of recommendations by priority and rating, is an example of the result obtained. Priority Audit Rating No recommendations Recommendations Requirements/Controls C.G.C. 1 Critical R5 Refresh and review the routers configuration Secure configuration of logical points of entry 34 R6 Firewalls R9 Protect against malware softwares R3 Complexity of network Boundary defense mechanisms 38 R4 Wi-Fi Network R5-R6-R9 Refresh and review the routers configuration /firewalls / Protect against malware softwares 2 Critical R5-R6-R9 Secure configuration mechanisms for hardware/ applications and software 31 2 Significant R4-R5-R6-R9 Secure configuration mechanisms for network devices including third party devices 33 2 Significant R4-R5-R6-R7-R9 Identified vulnerabilities 35 1 Significant R1 No formal documentation regarding security policies and principles Documented cybersecurity strategy 4 2 Critical Documented cybersecurity governance rules 1 2 Important Documented procedures and management practices for cybersecurity 11 Table 4 – Summary of recommendations by priority and rating Table 4 serves as a basis for facilitating discussion and decision-making on the action plan for implementation of proposed recommendations and corrective actions to be taken to internal controls.
Cyber security audit - A Case Study for SME Page 4 PART TWO – IMPLEMENTATION OF RECOMMENDATIONS AND MAINTENANCE OF CRITICAL CYBERSECURITY INFRASTRUCTURES The proposed action plan will maintain the confidentiality, integrity and availability of the systems, considering three major axes: 1- good governance, by aligning IT objectives with business goals, 2- risk management deemed acceptable in the achievement of established objectives and 3- the proper use of company resources. To achieve this, our methodology will build on the NIST model for improving critical infrastructure of cybersecurity. This model is adaptive and integrates with the COBIT 5 framework for its implementation. As a Risk-based approach, it is used with a wide range of processes that integrate day-to-day operations by grouping them into 5 major functions as illustrated in Figure 1- Functions of the NIST CSF Framework Core. Figure 1- Functions of the NIST CSF Framework Core At a high level, these functions allow:  Identification of critical assets of the company;  Protection of the data they hold;  Detecting anomalies and incidents in systems;  The response to ongoing actions, monitoring and improvements to systems and processes when threats or vulnerabilities have been identified;  Recovery and restore any capabilities or services impaired during a cybersecurity event, follow-ups and actions to be taken for improvement and feedback.
Cyber security audit - A Case Study for SME Page 5 In light of this, the preferred strategy for securing information systems will include measures to protect critical assets at a reasonable cost for the company. This methodology, which incorporates practices widely used in the industry, is the essence of our professional practice because it allows us to better serve our customers and to enhance the security level of their critical cyber infrastructure. For more information regarding the cybersecurity audit, visit our website at https://www.connectalk.com/en/it-infrastructure-security/

Recommended

Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC BreakdownIgnyte Assurance Platform
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity OverviewBrian Matteson, CISSP CISA
 
The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.FitCEO, Inc. (FCI)
 
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15FitCEO, Inc. (FCI)
 
cybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxcybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxMuhammadAbdullah311866
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Criterios Minimos de Seguridad CTPAT 2019 conference
Criterios Minimos de Seguridad CTPAT 2019 conferenceCriterios Minimos de Seguridad CTPAT 2019 conference
Criterios Minimos de Seguridad CTPAT 2019 conferenceJoe Garza
 

Recommended

Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC BreakdownIgnyte Assurance Platform
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity OverviewBrian Matteson, CISSP CISA
 
The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.FitCEO, Inc. (FCI)
 
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15FitCEO, Inc. (FCI)
 
cybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxcybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxMuhammadAbdullah311866
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Criterios Minimos de Seguridad CTPAT 2019 conference
Criterios Minimos de Seguridad CTPAT 2019 conferenceCriterios Minimos de Seguridad CTPAT 2019 conference
Criterios Minimos de Seguridad CTPAT 2019 conferenceJoe Garza
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementContinuity and Resilience
 
Reliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic InsightsReliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic InsightsArrelic
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...CompTIA
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Cyber-Security Certifications
Cyber-Security CertificationsCyber-Security Certifications
Cyber-Security CertificationsNithin Sai
 
The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+Илья Лившиц
 
Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityMike Lemire
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
IT GRC with Symantec
IT GRC with SymantecIT GRC with Symantec
IT GRC with SymantecArrow ECS UK
 
Security Readiness Profile
Security Readiness ProfileSecurity Readiness Profile
Security Readiness Profilepds2k.com
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 Erick Kish, U.S. Commercial Service
 
Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023Cyber Security Partners
 
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk AssessmentHow Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment360factors
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb finalChristophe Monnier
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRobert Kloots
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentationjamesholler
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdfISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdfThilak Pathirage -Senior IT Gov and Risk Consultant
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseThilak Pathirage -Senior IT Gov and Risk Consultant
 

More Related Content

Similar to Cybersecurity-Audit-A-Case-Study-for-SME.pdf

Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 
Reliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic InsightsReliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic InsightsArrelic
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...CompTIA
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Cyber-Security Certifications
Cyber-Security CertificationsCyber-Security Certifications
Cyber-Security CertificationsNithin Sai
 
The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+Илья Лившиц
 
Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityMike Lemire
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
IT GRC with Symantec
IT GRC with SymantecIT GRC with Symantec
IT GRC with SymantecArrow ECS UK
 
Security Readiness Profile
Security Readiness ProfileSecurity Readiness Profile
Security Readiness Profilepds2k.com
 
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk AssessmentHow Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment360factors
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb finalChristophe Monnier
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRobert Kloots
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentationjamesholler
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 

Similar to Cybersecurity-Audit-A-Case-Study-for-SME.pdf (20)

Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quantico
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
Reliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic InsightsReliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic Insights
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 
Cyber-Security Certifications
Cyber-Security CertificationsCyber-Security Certifications
Cyber-Security Certifications
 
The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+
 
Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on security
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
IT GRC with Symantec
IT GRC with SymantecIT GRC with Symantec
IT GRC with Symantec
 
Security Readiness Profile
Security Readiness ProfileSecurity Readiness Profile
Security Readiness Profile
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023
 
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk AssessmentHow Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb final
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcm
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentation
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 

More from Thilak Pathirage -Senior IT Gov and Risk Consultant

More from Thilak Pathirage -Senior IT Gov and Risk Consultant (12)

ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdfISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
Capability_Assessment_of_IT_Governance_Using_the_2.pdfCapability_Assessment_of_IT_Governance_Using_the_2.pdf
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
 
cobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publicationcobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publication
 
Introduction to ISACA COBIT-2019 Framwork.pdf
Introduction to ISACA COBIT-2019 Framwork.pdfIntroduction to ISACA COBIT-2019 Framwork.pdf
Introduction to ISACA COBIT-2019 Framwork.pdf
 
Social media-assessment
Social media-assessmentSocial media-assessment
Social media-assessment
 
Sql securitytesting
Sql securitytestingSql securitytesting
Sql securitytesting
 
Cissp nda
Cissp ndaCissp nda
Cissp nda
 
Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12
 
314
314314
314
 
Composite indicators
Composite indicatorsComposite indicators
Composite indicators
 

Recently uploaded

Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...Paul Menig
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Tina Ji
 
Non Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptxNon Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptxAbhayThakur200703
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 

Recently uploaded (20)

Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...
 
Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 
Non Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptxNon Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptx
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 

Cybersecurity-Audit-A-Case-Study-for-SME.pdf

  • 1. Cyber security audit - A Case Study for SME Page 1 CYBERSECURITY AUDIT – A CASE STUDY FOR SME Author : Pascale Dominique, CISA, CRISC, CPA-CA, V-P Certification & Training ISACA – Montreal Chapter. We need to be flexible in the definition of a Cybersecurity Audit, especially when the mandate is for a “Small and Medium-sized Enterprise” (SME)! Our multidisciplinary team has been involved in security and information technology for more than 25 years. We advise our clients to take advantage of new technologies to maintain their strategic positioning. Our cybersecurity audit mandate with a SME aims at evaluating and proposing recommendations on the state of the network and cybersecurity; guide and advise our client on industry best-practices; and to propose a plan of action to correct weaknesses and vulnerabilities identified and thus reduce the risks related to cybersecurity. Being a member of the ISACA (Information Systems Audit and Control Association) - Montreal Chapter, I seek to provide leverage and added value by presenting a coherent report to the client with technical recommendations supported by standards of good practice. This will help the SMB business leaders understand the action plan, which is not always easy! When such is the case, we will use best practice guides developed by ISACA to address the particulars of SME’s in conjunction with the National Institute of Standards and Technology (NIST)1 Cybersecurity programs which promote the development and application of innovative and practical technologies and methodologies for security and improvement of critical cyber security infrastructures. FIRST PART – USE OF CYBERSECURITY GUIDES The cybersecurity guides for SMEs2 proposed by ISACA are essential resources. Aligned with the COBIT5 standard, these guides address the needs of the SME whose technical resources and budgets are often limited. The "Cybersecurity Guidance for Small and Medium-sized Entreprises" guide first defines the different categories of SMEs and then proposes 8 principles and 55 guidance clauses (requirements / controls). Each clause receives a "Critical" "Severe" or "Important" audit rating, identifying a cybersecurity risk level for an SME, see Table 1. 1 NIST, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity V1.1, USA 2017 2 ISACA, Cybersecurity Guidance for Small and Medium-sized Enterprises, USA, 2015 ISACA, Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises, USA 2015 ISACA, Transforming Cybersecurity, USA, 2013
  • 2. Cyber security audit - A Case Study for SME Page 2 Audit Rating Explanation Audit Rating Explanation Critical Major impact or risk to the enterprise, potentially endangering the existence of the enterprise. Impacts and risk may be financial, operational, reputational, legal or of any other kind. Significant Significant impact or risk to the enterprise, with potentially wide-ranging consequences within the business year. Important Impact or risk to the enterprise that goes beyond the tolerated levels of impact and risk, as defined by senior management Table 1- Audit Rating Explanation Each requirement is assigned with one of the audit rating. Table 2 presents an example of some of the requirements that emerged while in assignment. Auditable Cybersecurity Requirements Cybersecurity Guidance Clause (CGC) Requirements/Controls Audit Rating 1 Documented cybersecurity governance rules Critical 4 Documented cybersecurity strategy Significant 11 Documented procedures and management practices for cybersecurity Important 21 Documented information asset classification, cybersecurity risk and threats Significant Table 2 - Auditable Cybersecurity Requirements Once our tests and analyzes are completed, we develop recommendations for the identified gaps, weaknesses, or vulnerabilities and prioritize them from 1 to 3. By matching each of our recommendations to one or more of the guide's clauses - see some examples at Table 3 - Mapping of the requirements and the recommendations, we add consistency to the report. C.G.C. Requirements/Controls Audit Rating Recommendations Priority 1 Documented cybersecurity governance rules Critical R1 2 34 Secure configuration of logical points of entry Critical R5-R6-R9 1 37 Malware defense mechanisms Critical R7 3 38 Boundary defense mechanisms Critical R3-R4-R5-R6-R9 1 44 “Need to know” and “Least privilege” principles documented and in evidence Critical R8 3 4 Documented cybersecurity strategy Significant R1 1 21 Documented information asset inventory/ Documented information asset classification, cybersecurity risk and threats Significant R2 1 23 Identified critical IT services and applications, critical IT infrastructures and third party products and services Significant R2 2 24 Adequate extent and detail of cybersecurity architecture, size and complexity Important R3 2 25 Adequate skills and competencies of cybersecurity staff Significant R2 1 Table 3 - Mapping of the requirements and the recommendations
  • 3. Cyber security audit - A Case Study for SME Page 3 Finally, we will map the proposed recommendations and controls-oriented clauses, which are the minimum requirement criteria for SMEs. Table 4 – Summary of recommendations by priority and rating, is an example of the result obtained. Priority Audit Rating No recommendations Recommendations Requirements/Controls C.G.C. 1 Critical R5 Refresh and review the routers configuration Secure configuration of logical points of entry 34 R6 Firewalls R9 Protect against malware softwares R3 Complexity of network Boundary defense mechanisms 38 R4 Wi-Fi Network R5-R6-R9 Refresh and review the routers configuration /firewalls / Protect against malware softwares 2 Critical R5-R6-R9 Secure configuration mechanisms for hardware/ applications and software 31 2 Significant R4-R5-R6-R9 Secure configuration mechanisms for network devices including third party devices 33 2 Significant R4-R5-R6-R7-R9 Identified vulnerabilities 35 1 Significant R1 No formal documentation regarding security policies and principles Documented cybersecurity strategy 4 2 Critical Documented cybersecurity governance rules 1 2 Important Documented procedures and management practices for cybersecurity 11 Table 4 – Summary of recommendations by priority and rating Table 4 serves as a basis for facilitating discussion and decision-making on the action plan for implementation of proposed recommendations and corrective actions to be taken to internal controls.
  • 4. Cyber security audit - A Case Study for SME Page 4 PART TWO – IMPLEMENTATION OF RECOMMENDATIONS AND MAINTENANCE OF CRITICAL CYBERSECURITY INFRASTRUCTURES The proposed action plan will maintain the confidentiality, integrity and availability of the systems, considering three major axes: 1- good governance, by aligning IT objectives with business goals, 2- risk management deemed acceptable in the achievement of established objectives and 3- the proper use of company resources. To achieve this, our methodology will build on the NIST model for improving critical infrastructure of cybersecurity. This model is adaptive and integrates with the COBIT 5 framework for its implementation. As a Risk-based approach, it is used with a wide range of processes that integrate day-to-day operations by grouping them into 5 major functions as illustrated in Figure 1- Functions of the NIST CSF Framework Core. Figure 1- Functions of the NIST CSF Framework Core At a high level, these functions allow:  Identification of critical assets of the company;  Protection of the data they hold;  Detecting anomalies and incidents in systems;  The response to ongoing actions, monitoring and improvements to systems and processes when threats or vulnerabilities have been identified;  Recovery and restore any capabilities or services impaired during a cybersecurity event, follow-ups and actions to be taken for improvement and feedback.
  • 5. Cyber security audit - A Case Study for SME Page 5 In light of this, the preferred strategy for securing information systems will include measures to protect critical assets at a reasonable cost for the company. This methodology, which incorporates practices widely used in the industry, is the essence of our professional practice because it allows us to better serve our customers and to enhance the security level of their critical cyber infrastructure. For more information regarding the cybersecurity audit, visit our website at https://www.connectalk.com/en/it-infrastructure-security/