Page 353 - ITGC_Audit Guides

  o  Types (e.g., transactional, IT configuration, unstructured)
  o  Classification (enables standardization and prioritization)
  o  Environments (e.g., data warehouses, key databases)
- Infrastructure repository of technology assets
  o  Servers
  o  Network devices
  o  Storage
  o  End-user devices (e.g., laptops, mobile devices)
- Applications
- External relationships
  o  Third-party hosted environments
  o  Sharing of data files with external organizations (e.g., vendors, regulatory bodies, governments)


The capability to identify which software and devices are interacting on the network is fundamental to defending against cyber threats: the organization cannot defend against network attacks involving devices and software it does not know about. Organizations that allow employees to bring their own devices experience a larger volume and variety of devices and software accessing data via the corporate network, so controlling employee-owned devices and their connectivity to the network should be a key focus of management. Increasingly, employees are required to have access to organizational information around the clock. The ability to detect, authenticate, and inventory unknown devices allows the organization to track, monitor, and measure changes in those devices and so confirm that the overall cybersecurity strategy is effective.


Component 3: Standard Security Configurations

Centralized, automated configuration management software can be used to establish and maintain baselines for devices, operating systems, and application software. Using such software is more effective than managing systems manually or in a nonstandard fashion. Information security and the internal audit activity should review the baselines to ensure that environments can be assessed accurately on the basis of risk (e.g., externally facing web environments may require additional protection). Processes to apply necessary patches, as well as software and hardware updates, are also needed so that secure configurations remain current as new threat information becomes available in the industry.
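As an added illustration of the baseline comparison this component describes (example code, not part of the IIA guide), the following Python checks observed device settings against a base baseline plus the additional requirements a risk assessment assigns to externally facing web environments, and reports each deviation as an audit finding; all host names, settings and version numbers are constructed.

```python
# Added example, not from the IIA guide: an audit-style check of observed device
# configurations against a risk-tiered security baseline (Component 3).
# Hostnames, settings and version numbers are constructed sample data.
BASE_BASELINE = {            # applies to every device, whatever its exposure
    "ssh_password_auth": "no",
    "remote_root_login": "no",
    "audit_logging": "enabled",
    "openssl_version": (3, 0, 0),   # minimum patched version that must be present
}
EXTERNAL_WEB_EXTRA = {       # additional protection for externally facing web hosts
    "tls_min_version": "1.2",
    "waf_enabled": "yes",
}
VERSION_KEYS = {"openssl_version"}   # compared as "observed >= required"

def baseline_for(profile):
    """Effective baseline for a risk profile: 'internal' or 'external_web'."""
    baseline = dict(BASE_BASELINE)
    if profile == "external_web":
        baseline.update(EXTERNAL_WEB_EXTRA)
    return baseline

def check_host(host, profile, observed):
    """Return one finding string per baseline item the observed config violates."""
    findings = []
    for key, required in baseline_for(profile).items():
        actual = observed.get(key)          # None when the setting is absent
        if key in VERSION_KEYS:
            if actual is None or tuple(actual) < required:
                findings.append(f"{host}: {key} below minimum {required}, found {actual}")
        elif actual != required:
            findings.append(f"{host}: {key} must be {required!r}, found {actual!r}")
    return findings

# Constructed sample of what a configuration management tool might report.
SAMPLE_HOSTS = {
    "app-int-01": ("internal", {"ssh_password_auth": "no", "remote_root_login": "no",
                                "audit_logging": "enabled", "openssl_version": (3, 0, 2)}),
    "web-ext-01": ("external_web", {"ssh_password_auth": "yes", "remote_root_login": "no",
                                    "audit_logging": "enabled", "openssl_version": (1, 1, 1),
                                    "tls_min_version": "1.2"}),   # waf_enabled missing
}

def run_audit(hosts=SAMPLE_HOSTS):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    return {h: f for h, (p, o) in hosts.items() if (f := check_host(h, p, o))}

if __name__ == "__main__":
    for findings in run_audit().values():
        print("\n".join(findings))
```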

Component 4: Information Access Management

Management should consider implementing preventive controls such as a process to approve and grant access to users based on job roles. Additionally, a process to detect when employees move within the organization would help to ensure that user access is adjusted and





www.theiia.org    Assessing Cybersecurity Risk    18