In the aftermath of the SolarWinds cyberattack, the federal government is still working through its vulnerabilities, and the Department of Homeland Security’s cybersecurity agency does not know how many federal civilian agencies segment and isolate their internal networks from unwanted outside traffic.
In a June 3 letter obtained earlier this month, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told Democratic Senator Ron Wyden of Oregon that CISA could not say how many agencies were doing so.
Meanwhile, President Joe Biden’s cybersecurity executive order, issued on May 12 in response to the incident, requires agencies to implement multifactor authentication and encryption for data at rest and in transit by mid-November, two basic cyber hygiene best practices. Agencies must report their progress on these measures to CISA, the director of the Office of Management and Budget, and the national security adviser.
According to the order, “such agencies shall provide such reports every 60 days following the date of this order until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption.”
Agencies can and should perform regular cybersecurity audits to determine how effective their security measures are. An audit is distinct from a cybersecurity risk assessment, which examines an agency’s IT security defenses and its ability to remediate problems. Audits, by contrast, according to SecurityScorecard, “function as a checklist that enterprises may use to assess their security policies and procedures.”
What Is the Purpose of a Cybersecurity Audit?
The primary goal of a cybersecurity audit is compliance. According to SecurityScorecard, agencies that undertake a cybersecurity audit will be able to “evaluate whether or not they have the right security procedures in place while also ensuring they are in compliance with relevant rules.”
Cybersecurity audits enable companies to take “a proactive approach when creating cybersecurity rules, resulting in more dynamic threat management,” according to the firm.
Cybersecurity audits are usually conducted by third-party vendors to eliminate any potential conflicts of interest, according to SecurityScorecard. “They can also be administered by an in-house team if they act independently of their parent organization,” the company says.
The cybersecurity audit universe includes “all control sets, management practices, and governance, risk, and compliance (GRC) rules in force at the enterprise level.” According to ISACA, an IT governance and certification association, “the extended audit universe may include third parties bound by a contract incorporating audit rights in some situations.”
“With the growing number of cyberthreats, it is becoming increasingly important for every organization’s audit plan to include cybersecurity,” says ISACA. “As a result, auditors are increasingly being called upon to examine cybersecurity processes, policies, and tools in order to ensure that their company has enough controls in place.” “Cybersecurity flaws can put the entire organization at risk, so IT auditors who are familiar with cybersecurity audits are more important than ever.”
Cybersecurity Auditing Best Practices
There are a few best practices that agencies should follow before and during a cybersecurity audit, especially one conducted by an outside third party.
SecurityScorecard lists several of them on its website. The first is to review the agency’s data security policy. “Make sure you examine this policy with regard to data confidentiality, integrity, and availability before the audit begins,” the company advises.
According to SecurityScorecard, having well-defined information security standards helps auditors in “classifying data and determining which degrees of protection are required to secure it.”
Another best practice is to compile all cybersecurity and compliance policies into a single list or document, which gives auditors a better grasp of the agency’s IT security procedures and makes it easier for them to identify deficiencies. Network access control, disaster recovery and business continuity, remote work, and acceptable use are among the policies SecurityScorecard suggests documenting.
According to SecurityScorecard, agencies should also provide auditors with their network structure. “One of the objectives of cybersecurity audits is to assist in the identification of potential security gaps on company networks. Providing your auditor with a network diagram allows them to acquire a thorough understanding of your IT infrastructure, which speeds up the evaluation process,” according to the firm. “To make a network diagram, lay out your network assets and explain how they interact. Auditors can more quickly spot potential flaws and edges with a top-down view of your network.”
Before the audit begins, an agency’s IT and cybersecurity officials should review the compliance standards and requirements that apply to them and share them with the audit team, so that the audit can be tailored to the agency’s needs.
Finally, SecurityScorecard suggests that agencies compile a list of security employees and their responsibilities. “Interviewing employees is a vital part of a cybersecurity audit. In order to obtain a better knowledge of an organization’s security architecture, auditors frequently interview multiple security personnel,” the company says.
Agencies can speed up the process by supplying a list of IT security personnel to the auditing team.
How Often Should Agencies Conduct Cybersecurity Audits?
A cybersecurity audit is more formal than an assessment, according to cybersecurity ratings business BitSight, and it’s supposed to “serve as a ‘checklist’ that validates the policies a cybersecurity team said are actually in place, and that there are control mechanisms in place to enforce them.”
“What is termed a cybersecurity audit, on the other hand, just shows a snapshot of your network health,” BitSight adds. “While an audit can provide you a detailed look at your cyber-health at a single point in time, it can’t give you any insight into your ongoing cyber management.”
Cybersecurity audits should be performed at least once a year, according to security experts. “Software vulnerabilities are discovered on a daily basis,” writes Carole Fennelly, an independent IT security analyst, in TechTarget. “To verify that security rules are followed, a yearly security evaluation by an objective third party is required.”
Other experts advocate more frequent audits, although a number of factors influence how often an agency should audit its cybersecurity, including budget, recent system or software upgrades, and how stringent the applicable compliance requirements are.
Cybersecurity Audit Recommendations
Before beginning an audit, ISACA recommends that cybersecurity auditors establish the audit’s subject and purpose. According to the organization, boundaries and constraints to consider for cybersecurity audits include the enterprise versus the private sphere of control, as well as whether non-agency devices and applications should be evaluated. Another factor that may limit the scope of the audit is whether it will focus on internal or external IT infrastructure.
“In most cases, IT use extends beyond the internal organizational network, such as in travelling, home-use settings, or cloud adoption,” according to ISACA. “While this may increase cybersecurity risk, it is now standard practice in most businesses.” This is especially true given the large number of federal employees who continue to work from home.
“It is advisable to adopt a risk-based view and establish the objectives accordingly,” ISACA advises auditors. “Audit objectives should be limited to a reasonable scope and should also match the cybersecurity and protection goals as established by the company,” according to ISACA.