Page 386 - ITGC_Audit Guides
Mapping the Process or Subprocesses Flow
One way to identify risks and controls is to develop a high-level process map that depicts inputs,
outputs, interfaces, and controls. Mapping an entire insider threat management program may be
difficult, but internal auditors can focus the mapping exercise on high-risk processes. To gain an
understanding of key risks and controls, for instance, internal auditors may map processes for
employee management; vendor management; mergers and acquisitions; identity management
and access control; and asset classification and prioritization. Figure 8 provides an example of a
high-level process map.
Figure 8: Example of a High-level Process Map: Employee Management
[Figure: six subprocesses drawn as a sequence, each annotated with its risk (R) and control (C) from the table that follows:
Employee application (R1, C1) -> Screening (R2, C2) -> Hiring (R3, C3) -> Onboarding (R4, C4) -> Reaccreditation (R5, C5) -> Termination (R6, C6)]
Subprocess / Risk / Control

Employee application
R1: Employees from major competitors are hired, increasing the likelihood of IP theft and loss of competitive advantage.
C1: Employment history is evaluated as part of the employment application process, and additional screening is conducted to determine whether the applicant may pose a threat.

Screening
R2: Employees with criminal backgrounds are hired, increasing the likelihood of fraud.
C2: Criminal and financial background checks are conducted as allowed by privacy laws.

Hiring
R3: Employees with stakes in major competing organizations are hired for positions that handle critical data.
C3: Employees must declare conflicts of interest during the hiring process and every 12 months thereafter.

Onboarding
R4: The onboarding process does not include awareness training about insider threats and protocols to address potential IT incidents.
C4: Every employee must complete awareness training as part of the onboarding process. Access to the network should be granted only when the employee can prove completion of the compulsory training.

Reaccreditation
R5: Employees are not reaccredited after changing jobs within the organization, resulting in unnecessary access to systems.
C5: Employee access is reviewed at least every six months and any time the employee changes jobs. Access is automatically revoked if the employee is not properly reaccredited.

Termination
R6: During employment termination, the organization does not revoke network access immediately.
C6: HR notifies the help desk immediately after an employee resigns or is terminated. Help desk staff trigger a workflow to remove access from all applicable systems.
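Controls C5 (reaccreditation) and C6 (termination revocation) are the two in the table that an auditor can test directly from data: an HR extract (job changes, termination dates) reconciled against an identity-management extract (per-system accounts, last review date, disable date). The script below is an added example of such a control test; it is not code from the IIA guide or from any product. The record layout, the reading of "at least every six months" as 183 days, the zero-day tolerance for termination revocation, and the sample employees and accounts are all assumptions constructed for the example.

```python
"""Constructed audit test for controls C5 and C6 of the employee-management
process map. Everything here (field names, intervals, sample records) is
an assumption made for illustration, not taken from the IIA guide."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: "at least every six months" is read as 183 calendar days.
REVIEW_INTERVAL = timedelta(days=183)

Finding = Tuple[str, str, str]  # (employee id, system, reason)


@dataclass
class Employee:
    emp_id: str
    job_changes: List[date]          # dates of internal transfers
    terminated_on: Optional[date]    # None while still employed


@dataclass
class Account:
    emp_id: str
    system: str
    last_reaccredited: Optional[date]  # None: never reviewed
    disabled_on: Optional[date]        # None: still active


def reaccreditation_exceptions(employees: Dict[str, Employee],
                               accounts: List[Account],
                               as_of: date) -> List[Finding]:
    """C5: every active account of a current employee must have been
    reviewed within REVIEW_INTERVAL and after the latest job change."""
    findings: List[Finding] = []
    for acct in accounts:
        if acct.disabled_on is not None:
            continue  # revoked access is outside the scope of C5
        emp = employees.get(acct.emp_id)
        if emp is None:
            findings.append((acct.emp_id, acct.system, "active account with no HR record"))
            continue
        if emp.terminated_on is not None:
            continue  # leavers are tested under C6 instead
        last = acct.last_reaccredited
        if last is None:
            findings.append((acct.emp_id, acct.system, "never reaccredited"))
            continue
        if as_of - last > REVIEW_INTERVAL:
            findings.append((acct.emp_id, acct.system,
                             f"last review {last} is older than six months"))
        latest_move = max(emp.job_changes, default=None)
        if latest_move is not None and last < latest_move:
            findings.append((acct.emp_id, acct.system,
                             f"not reaccredited since job change on {latest_move}"))
    return findings


def termination_exceptions(employees: Dict[str, Employee],
                           accounts: List[Account],
                           max_lag_days: int = 0) -> List[Finding]:
    """C6: after termination every account must be disabled no later than
    the termination date plus max_lag_days (tolerance is an assumption)."""
    findings: List[Finding] = []
    for acct in accounts:
        emp = employees.get(acct.emp_id)
        if emp is None or emp.terminated_on is None:
            continue
        deadline = emp.terminated_on + timedelta(days=max_lag_days)
        if acct.disabled_on is None:
            findings.append((acct.emp_id, acct.system,
                             f"still active after termination on {emp.terminated_on}"))
        elif acct.disabled_on > deadline:
            lag = (acct.disabled_on - emp.terminated_on).days
            findings.append((acct.emp_id, acct.system,
                             f"disabled {lag} day(s) after termination on {emp.terminated_on}"))
    return findings


# Constructed sample extracts (not real data).
AS_OF = date(2024, 6, 30)
EMPLOYEES = {
    "E100": Employee("E100", [], None),                    # no transfers
    "E200": Employee("E200", [date(2024, 3, 1)], None),    # moved roles 1 Mar
    "E300": Employee("E300", [], date(2024, 5, 15)),       # left 15 May
    "E400": Employee("E400", [], None),
}
ACCOUNTS = [
    Account("E100", "erp", date(2024, 2, 1), None),             # compliant
    Account("E200", "erp", date(2024, 1, 10), None),            # reviewed before job change
    Account("E200", "crm", date(2024, 3, 20), None),            # reviewed after job change
    Account("E300", "erp", date(2024, 4, 1), None),             # still active after leaving
    Account("E300", "vpn", date(2024, 4, 1), date(2024, 5, 20)),  # disabled 5 days late
    Account("E400", "erp", None, None),                         # never reviewed
    Account("E400", "crm", date(2023, 11, 1), None),            # stale review
    Account("E999", "erp", date(2024, 5, 1), None),             # orphan: no HR record
]

if __name__ == "__main__":
    for f in reaccreditation_exceptions(EMPLOYEES, ACCOUNTS, AS_OF):
        print("C5 exception:", *f)
    for f in termination_exceptions(EMPLOYEES, ACCOUNTS):
        print("C6 exception:", *f)
```

Run against the sample extracts, the C5 test flags four accounts (one reviewed before a job change, one never reviewed, one with a stale review, one with no HR record) and the C6 test flags the leaver's two accounts; raising max_lag_days to the organization's agreed service level (for example the help-desk workflow's turnaround) drops the late-but-disabled account while the still-active one remains an exception.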
www.theiia.org Auditing Insider Threat Programs 18