Page 306 - ITGC_Audit Guides
P. 306

Table of Contents


            Executive Summary ................................................................................................................... 3
            Introduction and Business Significance ..................................................................................... 4

            Key Risks and Threats Related to Cybersecurity ...................................................................... 5
            The Three Lines Model: Roles and Responsibilities .................................................................. 5
              Owners and Key Activities of First Line Roles ........................................................................ 6

                 Common Cyber Threat Controls ......................................................................................... 8
              Owners and Key Activities of Second Line Roles .................................................................. 9

                 Pitfalls of the First and Second Line Roles ....................................................................... 10
              The Internal Audit Activity as the Third Line Role ................................................................ 11
                 Internal Audit Scope and Collaboration ............................................................................ 15
            An Approach for Assessing Cybersecurity Risks and Controls ................................................ 16

              Cybersecurity Risk Assessment Framework ........................................................................ 16
                 Component 1: Cybersecurity Governance ........................................................................ 17

                 Component 2: Inventory of Information Assets ................................................................. 17
                 Component 3: Standard Security Configurations ............................................................. 18
                 Component 4: Information Access Management .............................................................. 18

                 Component 5: Prompt Response and Remediation ......................................................... 19
                 Component 6: Ongoing Monitoring ................................................................................... 19
            Role of CAE in Reporting Assurance to the Board and Other Governing Bodies .................... 21

            Appendix A. Key IIA Standards ............................................................................................... 23
            Appendix B. Related IIA Guidance .......................................................................................... 24
            Appendix C. Definition of Key Concepts .................................................................................. 25

            Appendix D. Internal Audit Considerations for Cybersecurity Risk .......................................... 26
            Authors/Contributors ................................................................................................................ 29














                      www.theiia.org                                             Assessing Cybersecurity Risk    2
   301   302   303   304   305   306   307   308   309   310   311