Page 311 - ITGC_Audit Guides
The organization may also employ a chief security officer (CSO), a chief information security officer (CISO), or a similar role responsible for IT security. The CSO or CISO, as a cornerstone in identifying and understanding cyber threats, generates and deploys the cybersecurity strategy and enforces security policy and procedures. The role often leads the development of oversight programs to validate that the organization's assets and stakeholder data are properly protected.

A chief information officer (CIO) may be accountable for driving competitive advantage and strategic change throughout the organization. The CIO may also be responsible for developing the information cybersecurity program and policy and implementing an enterprisewide cybersecurity training program.

The CTO, CSO, CISO, and CIO collaborate with the CEO and other members of senior management in the fight against cybercrime and related cyberattacks. If entities within the organization have assumed responsibility for their own technology, these entities take responsibility to design and implement appropriate controls that coordinate with other risk management activity to secure their technology and data.

Table 2: Common First Line Activities
- Administer security procedures, training, and testing.
- Maintain secure device configurations, up-to-date software, and security patches.
- Deploy intrusion detection systems and conduct penetration testing.
- Securely configure the network to adequately manage and protect network traffic flow.
- Inventory information assets, technology devices, and related software.
- Deploy data protection and loss prevention programs with related monitoring.
- Restrict least-privilege access roles.
- Encrypt data where feasible.
- Implement vulnerability management with internal and external scans.
- Recruit and retain certified IT, IT risk, and information security talent.
When organizations do not have the scale to support the positions described above, a
common approach is to assemble a council of business and IT managers who have a stake in
responding to cybersecurity risk. The aforementioned responsibilities may be covered by
individuals in first line roles who have the appropriate authority to address the corresponding
risk.
www.theiia.org Assessing Cybersecurity Risk 7