Page 369 - ITGC_Audit Guides
Executive Summary
In the digital era, organizations must treat data the same way they would treat cash: as an
organizational asset that must be protected from insiders and outsiders alike. Protecting the
organization’s digital assets from catastrophic data breaches should no longer be viewed as the
responsibility of information technology (IT) management only. Senior management and the board
are ultimately accountable for managing the organization’s risks to levels that enable the
organization to achieve its objectives.
Whether malicious or unintentional, insider threats often fail to receive the attention they
deserve, considering the significance of the risks to which they expose the organization. The key
risks associated with insider threats include sabotage, theft of organizational data, espionage,
fraud, and criminal acts. Additionally, research trends indicate that the insider threat landscape
is growing as organizations become more dependent on information systems (IS), automated
processes, web-based applications, digitally transmitted data, and cloud-based data storage.
Organizations are realizing that investments in technology are only part of the solution; it is equally
important to assess whether their governance and management controls (e.g., IS policies, training,
and awareness campaigns) are capable of addressing insider threats.
Internal auditors are well positioned to help senior management and the board recognize the
importance of implementing or strengthening an insider threat program and to help organizations
improve their governance, risk management, and control processes related to insider threats.
www.theiia.org Auditing Insider Threat Programs 2