Page 402 - ITGC_Audit Guides

Appendix C. Insider Threat Assessment Using NIST Cybersecurity Framework


In accordance with Standard 2240.A1, "Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement." As a starting point for building a work program, internal auditors may use an existing risk and control framework. The chart below uses NIST's Cybersecurity Framework as the criteria against which an insider threat program may be compared. Internal auditors may adapt this chart to suit their organization and specific engagement. Based on the chart, auditors may develop a risk and control matrix and risk assessment, which may then be expanded into a work program.

[Figure: NIST Cybersecurity Framework diagram. Image credit: N. Hanacek/NIST]

NIST's Cybersecurity Framework was created to provide a common language to understand, manage, and express cybersecurity risk both internally and externally. The framework helps users identify and prioritize actions for reducing cybersecurity risk; because insider threats are one such risk, those actions translate readily into actions for reducing insider threat risk.

The framework is organized into functions (identify, protect, detect, respond, and recover), categories, and subcategories. Categories are used in this work program to represent control objectives, and the subcategories are used to represent control activities. Internal auditors may use the last column to document the controls that exist in their organizations. (Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.)


Function: Identify

Risk Area: Asset Management

Control Objective: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

Control Activities (the Assessment column is left blank for the auditor to document existing controls):

  1. Physical devices and systems within the organization are inventoried.
     Assessment: ____________

  2. Software platforms and applications within the organization are inventoried.
     Assessment: ____________

  3. Organizational communication and data flows are mapped.
     Assessment: ____________

  4. External information systems are cataloged.
     Assessment: ____________

  5. Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value.
     Assessment: ____________

  6. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, and partners) are established.
     Assessment: ____________


www.theiia.org    Auditing Insider Threat Programs   34