Page 321 - ITGC_Audit Guides
Component 1: Cybersecurity Governance


The internal audit activity should understand the organization’s cybersecurity governance. IIA Standard 2100 – Nature of Work requires the internal audit activity to evaluate and contribute to the improvement of governance, risk management, and control processes. Governance may include clarifying roles and responsibilities, establishing accountability, adopting a multiyear strategy, and prioritizing action plans to include strategic collaboration with multiple stakeholders.

Strong cybersecurity governance depends on:

• Collaborating and collecting cybersecurity risk intelligence and expertise based on threats that could affect the organization.
• Setting risk appetite and tolerance.
• Planning for business continuity and disaster recovery in the event of an interruption.
• Responding promptly to security breaches.
• Establishing a culture of awareness of cybersecurity risks and threats.

Effective governance is evidenced in clearly defined policies, relevant tools, sufficient staffing, and insightful training.

Multiple stakeholders with varied perspectives strengthen the quality of governance. A cybersecurity governance committee usually includes senior management and representatives from first, second, and third line roles, including technology and process owners, and potentially key external stakeholders, such as suppliers, customers, service providers, and peer groups.

Incident response teams regularly report to management and the board the types of breaches encountered to provide additional insight into previously unknown gaps. Management can then track the identified issues through remediation.

Component 2: Inventory of Information Assets

The IT department should keep a current inventory of all information assets and prioritize those that are most essential to advancing the organization’s objectives and sustaining operations. To meet strategic organizational goals and initiatives, these assets require more than traditional IT general controls and periodic evaluations. Preventive and detective controls designed to protect the most valuable assets need to be continuously monitored to ensure ongoing effectiveness.

When evaluating the organization’s information assets, the following should be considered:

• Data

www.theiia.org    Assessing Cybersecurity Risk    17