Cybersecurity environment in malaysia and the function of internal auditor
1. Cybersecurity Environment in Malaysia
and The Function of Internal Auditor
1Kolej Universiti Islam Antarabangsa Selangor Khalizan Halid
2. Cybersecurity Environment in Malaysia and The Function of Internal AuditorWRITE YOUR SUBTITLE HERE
What Is Cybersecurity?
Why IsCybersecurity Important?
Examples of GlobalInitiatives
TheRole of Internal Auditors in
Cybersecurity
Vulnerabilities And Defences
TheRole of Governments
Cybersecurity in Malaysia
Careers in CyberSecurity
01.
03.
05.
07.
02.
04.
06.
08.
3. What Is
Cybersecurity?
“The protection of computer systems
and networks from the theft of or
damage to their hardware, software,
or electronic data, as well as from
the disruption or misdirection of the
services they provide.”
Source IEEE
4. Vulnerabilities
• What Are Vulnerabilities?
Weakness in design, implementation, operation
or internal control of computing resources
• What Are Exploits?
A piece of software, a chunk of data, or a
sequence of commands that takes advantage
of a bug or vulnerability to cause unintended
or unanticipated behavior to occur on
computer software, hardware, or something
electronic (usually computerized).
• Types of Exploits
https://www.exploit-db.com/
Check the Exploit Database
4
Source TechTarget
The OpenSSL vulnerability, which
was introduced to the open source
encryption library's code more than
two years ago, is the result of a
missing bounds check in the
handling of the TLS heartbeat
extension,
6. Defences (1/2)
• Application Security
• Secure Coding
• Secure by Default
• Security by Design
• Security by Architecture
• Secure Operating Systems
• Computer Access Controls
• Antivirus
• Authentication
• Multi-Factor Authentication
6
7. Defences(2/2)
• Capabilities and Access Control Lists
• Data-Centric Security
• Encryption
• Firewall
• Intrusion Detection System
• Mobile Secure Gateway
• Runtime Application Self Protection
7
8. Countermeasures
• Vulnerability Management
• Vulnerability Reduction
• Hardware Protection
• Training
• Cybersecurity Awareness
• Digital Hygene
• Responses to Breaches
Source: Comtact
9. Why is Cybersecurity Important?
• Pervasiveness of networks
• Growth in data-driven application
• Reliance on Artificial Intelligence
• Increase in reliance on computers
• Increased complexity of computing resources
• Increase in inter-depemdency of computer systems
• Increased capability of computing resources for launching of
attacks
9
10. Impacts of Threats
• Cyberwarfare and Cyberterrorism
“In the future, wars will not just be fought by soldiers with guns or with
planes that drop bombs. They will also be fought with the click of
mouse half a world away that unleashes carefully weaponized
computer programs that disrupt or destroy critical industries like
utilities, transportation, communications, and energy. Such attacks
could also disable military networks that control the movement of
troops, the path of jet fighters, the command and control of warships.”
10
12. Challenges:
Global Legal and Regulatory Matters
• No Common Base for Rules to define cyber
criminals, judge and punish them.
• Lack of law for prosecution
• Cross-Border Legalities
• Non-Human Attackers
12
13. Role Of Governments
• To formulate effective cyber criminal laws
• To formulate laws that impose responsibilities on
data/system custodians to implement cybersecurity
measures
• To liase and interact with other governments
• To implement and enforce these laws
13
14. Examples of National Intiatives
• Canada
• Canadian Cyber Security Strategy
Counterpart document to the National Strategy and Action Plan for Critical Infrastructure (computing resources are identified as critical national infrastructures.
• Securing Goverment Systems
• Securing vital private systems
• Helping Canadians to stay safe online
• Cyber Incident Managment Framework
How to respond to incidents in a coordinated manner.
• Canadian Cyber Incident Response Centre (CCIRC)
• Mitigate Cyber Threats
• Technical support on how to respond and recover from cyber attacks
• Publishes informative online cybersecurity bulletins
• Cyber Security Cooperation Program
• Running the Get CyberSafe portal for Canadian Citizens
• Running Cyber Security Awareness Campaigns
14
15. Examples of National Initiatives
• Germany
• National Cyber Defence Initiative
• National Center for Cyber Defence, working with
• Federal Office for Information Security
• Federal Police Organisation
• Federal Intelligence Service
• Military Intelligence Service
• Other agencies
• To detect and prevent attacks against national infrastructure
• The European Center for Research in Security and Privacy
15
16. Examples of National Initiatives
• China
• China Central Leading Group for Internet Security And Informatization
• Leading Small Group of the Communist Party of China
• Headed by General Secretary Xi Pinking
• To overcome incoherent policies and overlapping responsibilities amongst cyberspace decision-making
mechanisms
• Oversees policy-making in the economic, political, cultural, social and military fields relating to network
security and IT strategy
• Coordinates major policy initiatives in the international arena that promote norms and standards favored
by China
• Emphasize the principle of national soverignty in cyberspace
16
18. Examples of National Initiatives
•United States
• Legislations
• Computer Fraud and Abuse Act
• Executive Order 13636 Improving Critical Infrastructure Cybersecurity
• NIST Cybersecurity Framework
• Standardized Tests
• General Services Administration Standardized Penetration Tests
• Highly Adaptive Cybersecurity Services
to rapidly address potential vulnerabilities, and stop adversaries before they impact US federal, state and local governments.
18
19. Examples of National Initiatives
• United States
• Agencies
• Department of Homeland Security
• National Cyber Security Division
Response system, risk management program and requirements for cybersecurity in the United States
• US-CERT operations
• National Cyber Alert System
• National Cybersecurity and Communications Integration Center
• Federal Bureau of Investigation (FBI) 3rd Order
• To protect the United States against cyber-based attacks and high-technology crimes
• National White Collar Crime Center
• Bureau of Justice Assistance
• Internet Crime Complaint Center
• United States Department of Justice (Criminal Division)
• Computer Crime and Intellectual Property Section
Investigating computer crime and intellectual property crime and is specialized in the search and seizure of digital evidence in computers and networks.
• Framework for a Vulnerability Disclosure Program for Online Systems
describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act
• Department of Defence
• United States Cyber Command (USCYBERCOM)
Defense of specified Department of Defense information networks and ensures "the security, integrity, and governance of government and military IT infrastructure and assets.
19
20. Examples of National Initiatives
•United States
• Computer Emergency Readiness Expert Teams
• US-CERT
• Under Department of Homeland Security
• CERT/CC
• Under Defense Advanced Research Projects Agency
20
21. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
Vision
Our vision is to be a globally recognised National Cyber Security Reference and Specialist Centre by 2020.
Mission
Our mission is to create and sustain a safer cyberspace to promote National Sustainability, Social Well-Being and
Wealth Creation.
21
22. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
Creation
The Cabinet Meeting on 28 September 2005, through the Joint Cabinet Notes by the Ministry of Finance (MOF)
and Ministry of Science, Technology and Innovation (MOSTI) No. H609/2005 agreed to establish the National
ICT Security and Emergency Response Centre (now known as CyberSecurity Malaysia) as a National Body to
monitor the National e-Security aspect, spin-off from MIMOS to become a separate agency and incorporated as
a Company Limited-by- Guarantee, under the supervision of the Ministry of Science, Technology and Innovation
(MOSTI)
Pursuant to Articles 43 and 43A of the Federal Constitution, according to Section 2, Functions of the Minister 1969,
the Federal Government Ministerial Order 2019, YB Minister of Communications and Multimedia Malaysia, with
effect from 21 May 2018, CyberSecurity Malaysia is under the supervision of the Ministry of Communications
and Multimedia Malaysia (KKMM) on cyber security matters.
22
23. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
Activities
In essence, CyberSecurity Malaysia is committed to provide a broad range of cybersecurity innovation-led services, programmes and
initiatives to help reduce the vulnerability of digital systems, and at the same time strengthen Malaysia’s self-reliance in cyberspace.
CyberSecurity Malaysia provides specialised cyber security services, as follows:
• Cyber Security Responsive Services
• Cyber Security Proactive Services
• Outreach and Capacity Building
• Strategic Study and Engagement
• Industry and Research Development
23
24. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Malaysian Computer Emergency Response Team (MyCert)
Performs 24x7 computer security incident response services to any user, company, government agency or organisation.
• Cyber999
Provides response and management of cyber security incidents for all types of internet users.
• MyCSC
Discover cyber security consulting and support services as well as learn what you need to know to protect your digital devices.
• CyberSAFE
Cybersecurity Awareness For Everyone
Increases awareness of online safety and security issues among Malaysians while harnessing the benefits of cyberspace.
• CyberGuru
Comprehensive, robust, and cost-effective information security programmes for your ongoing professional development.
• Malaysian Trustmark
Clearly establishing your credibility and professionalism while dramatically increasing the appeal of your online services.
24
25. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Malware Research Center
• e-Security Bulletins
25
26. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Guidelines
• Cybersecurity Guideline for Industrial Control
Purpose:
This guideline is developed as a reference for holistic implementation of security controls in ICS development.
Target Audience:
This guideline provides practical security guide intended to benefit the key players of ICS industry.
The following audience are identified but not limited to:
Engineers or individuals authorized to design, implement, administer, patch, assess or secure ICS
Researchers of ICS security practical implementation
Vendors in charge, offer, supply and maintain ICS
26
27. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Guidelines
• Cyber Security Guideline for Secure Software Development Life Cycle (SSDLC)
Purpose:
This guideline is developed as a reference for holistic implementation of security controls in SSDLC development.
Target Audience:
This guideline provides practical security guide intended to benefit the key players of SSDLC industry.
The following audience are identified but not limited to:
Engineers or individuals authorized to design, implement, administer, patch, assess or SSDLC
Managers responsible for SSDLC
Researchers of SSDLC practical implementation
Vendors in charge, offer, supply and maintain SSDLC
27
28. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Guidelines
• Cyber Security Guideline for Internet of Things (IoT)
Purpose:
This guideline is developed as a reference for holistic implementation of security controls in IoT development.
Target Audience:
This guideline provides practical security guide intended to benefit the key players of IoT industry.
The following audience are identified but not limited to:
Engineers or individuals authorized to design, implement, administer, patch, assess or secure IoT
Managers responsible for IoT
Researchers of IoT practical implementation
Vendors in charge, offer, supply and maintain IoT28
29. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Guidelines
• Cloud Security Implementation for Cloud Service Subscriber (CSS) Guideline
Purpose:
This document is prepared for Cloud Service Subscriber (CSS) to understand public cloud subscription that focuses on IT
security perspective covering three (3) stages: 1) pre-subscription, 2) during subscription and 3) post-subscription of the
cloud services.
Target Audience:
The intended audience for this document is the public Cloud Service Subscriber (CSS) that refers to the following crowds,
as stated below:
Public Sectors; and
Private Sectors (e.g. individual for personal usage, the organisation for business and operational use managed by relevant
person-in-charge such as
IT Technician, Chief Information Security Officer (CISO) and IT Administrator).
29
30. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Guidelines
• Guideline for Securing MyKAD EBA Ecosystem
Purpose:
This document serves as a guidance that provides best practices in deploying a secure operational environment in MyKAD
EBA Ecosystem with security controls that need to be incorporated or addressed.
Target Audience:
This document provides guidance to the relevant stakeholders on the deployment of MyKAD EBA Reader within its
ecosystem including:
Public Sectors (e.g. Government Agencies)
Private Sectors (e.g. Financial Institution and Industries)
Kindly submit your comments or review, by email to the following email address: smartcard@cybersecurity.my by 7th April
2020
30
31. The State of Cybersecurity In Malaysia
CyberSecurity Malaysia
• Knowledge Bank
• https://www.cybersecurity.my/en/knowledge_banks/principles_guidelines/main/detail/2339/index.html
• Common Criteria Collaboration Programme
• General Information Security Best Practices
• General Information Safety Guidelines
• Articles
• Journals and Conference Proceedings
• AGCSM Slide Presentations
• Careers
Opportunities now exist for you to join our organisation as we advertise existing vacancies right here on our website. If you could not find a suitable
position and would like to send in a general application, please email your application to career@cybersecurity.my.
31
32. The State of Cybersecurity In Malaysia
National Cyber Security Agency (NACSA)
The National Cyber Security Agency (NACSA) was officially established in February 2017 as the national lead agency for cyber security
matters, with the objectives of securing and strengthening Malaysia's resilience in facing the threats of cyber attacks, by co-ordinating
and consolidating the nation's best experts and resources in the field of cyber security.
NACSA is also committed to developing and implementing national-level cyber security policies and strategies, protecting Critical National
Information Infrastructures (CNII), undertaking strategic measures in countering cyber threats, spearheading cyber security awareness,
acculturation and capacity-building programmes, formulating strategic approach towards combatting cyber crimes, advising on
organizational cyber risk management, developing and optimizing shared resources among agencies, and fostering constructive regional
and global networks among entities with shared interests in cyber security.
VISION
Establishing a stable, safe and resilient cyber environment to meet the economic and social needs of Malaysia.
32
33. The State of Cybersecurity In Malaysia
National Cyber Security Agency (NACSA)
MISSION
We are committed towards the implementation of the national cyber security policy and management in an integrated and
coordinated manner.
• Report Incidences
• https://www.nacsa.gov.my/incident_report.php
33
34. The State of Cybersecurity In Malaysia
National Cyber Security Agency (NACSA)
Alerts (Example)
• Alert On Whatsapp VOIP Vulnerability
INTRODUCTION
On May 14, 2019, WhatsApp has announced a vulnerability that could be used to target selected WhatsApp users. The National Cyber Coordination and Command Centre (NC4) would like to
advise all Malaysian WhatsApp users to update their WhatsApp application to the latest version as recommended by WhatsApp to mitigate this issue.
IMPACT
Information leakage.
DESCRIPTION
WhatsApp has recently released a statement of a security flaw found in their mobile application, which allows attackers to inject spyware into targets' smartphones through a WhatsApp phone call
to the target's number.
It does not require the target to pick up the phone call for it to be infected.
A successful attacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and
other information on a device and could potentially further compromise the target's device.
Call logs can also be altered to hide the method of infection.
The vulnerability, which has been classified as CVE-2019-3568, is a buffer overflow vulnerability in WhatsApp VOIP stack allows remote code execution via specially crafted series of SRTCP
packets sent to a target phone number.
WhatsApp has released the latest update of the mobile applications on May 14, 2019 to fix this vulnerability.
34
35. The State of Cybersecurity In Malaysia
National Cyber Security Agency (NACSA)
Alerts (Example)
• Alert On Whatsapp VOIP Vulnerability
Affected Products
iOS and Android platform and affecting the following version of WhatsApp:
WhatsApp for Android prior to v2.19.134;
WhatsApp Business for Android prior to v2.19.44;
WhatsApp for iOS prior to v2.19.51;
WhatsApp Business for iOS prior to v2.19.51;
WhatsApp for Windows Phone prior to v2.18.348; and
WhatsApp for Tizen prior to v2.18.15.
Recommendation
NC4 advises everyone who uses the WhatsApp to take the following ACTIONS:
Update your mobile applications with the latest security patches and updates immediately;
Update the operating system of the mobile devices (iOS, Android, Tizen) with the latest security patches and updates immediately;
Switch on automatic updates on your mobile devices to get the latest updates;
For Android users, please visit the Play Store, click on menu and choose 'My apps and Games'. Tap update next to the WhatsApp messenger.35
36. The State of Cybersecurity In Malaysia
National Cyber Security Agency (NACSA)
Alerts (Example)
• Alert On Whatsapp VOIP Vulnerability
For iOS users, please visit the App Store and select Updates. Select WhatsApp to update; and
For Windows 10 users, please visit the Microsoft store and click on 'Menu'. Select 'My Library' and tap 'Update' next to WhatsApp.
Reference
CVE-2019-3568
https://www.facebook.com/security/advisories/cve-2019-3568
https://nvd.nist.gov/vuln/detail/CVE-2019-3568
It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware
https://www.theregister.co.uk/2019/05/14/whatsapp_zero_day/
36
37. The State of Cybersecurity In Malaysia
National Cyber Security Agency (NACSA)
• Cyber Security Awareness In Malaysia
• Intelligence Sharing Amongst Relevant Industries
• State of The Industry
37
38. The Role Of Internal Auditors In CyberSecurity
Differences Between External Auditors And Internal Auditors
38
Institute of Internal Auditors UK
The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.
• Responsibility
• External
Auditors
None, however there is a duty to report
problems.
• Internal Auditors
Improvement is fundamental to the
purpose of internal auditing. But it is
done by advising, coaching and
facilitating in order to not undermine
the responsibility of management.
• Scope
• External
Auditors
Financial reports, financial
reporting risks.
• Internal
Auditors
All categories of risk, their
management, including
reporting on them.
• Objectives
• External
Auditors
Add credibility and reliability to financial
reports from the organisation to its
stakeholders by giving opinion on the report
• Internal Auditors
Evaluate and improve the effectiveness of
governance, risk management and control
processes. This provides members of the
boards and senior management with
assurance that helps them fulfil their duties to
the organisation and its stakeholders.
39. The Role Of Internal Auditors In CyberSecurity
• Risk Management
The profession of internal audit is fundamentally concerned with evaluating an organisation’s management of risk. All organisations face risks.
For example, risks to the organisation’s reputation if it treats customers incorrectly, health and safety risks, risks of supplier failure, risks
associated with market failure, cyber security and financial risks to name some key areas. The key to an organisation’s success is to
manage those risks effectively - more effectively than competitors and as effectively as stakeholders demand.
To evaluate how well risks are being managed the internal auditor will assess the quality of risk management processes, systems of internal
control and corporate governance processes, across all parts of an organisation and report this directly and independently to the most senior
level of executive management and to the board’s audit committee.
• Evaluating Risks
It is management’s job to identify the risks facing the organisation and to understand how they will impact the delivery of objectives if they
are not managed effectively. Managers need to understand how much risk the organisation is willing to live with and implement controls
and other safeguards to ensure these limits are not exceeded. Some organisations will have a higher appetite for risk arising from
changing trends and business/economic conditions. The techniques of internal auditing have therefore changed from a reactive and
control based form to a more proactive and risk based approach. This enables the internal auditor to anticipate possible future concerns
and opportunities providing assurance, advice and insight where it is most needed.
Institute of Internal Auditors UK
The role of internal audit is to provide independent assurance that an organisation's risk
management, governance and internal control processes are operating effectively.
40. The Role Of Internal Auditors In CyberSecurity
• Risk Management
41. The Role Of Internal Auditors In CyberSecurity
• Internal Controls
An internal auditor’s knowledge of the management of risk also enables him or her to act as a consultant providing advice and acting as a
catalyst for improvement in an organisation’s practices.
So, for example if a line manager is concerned about a particular area of responsibility, working with the internal auditor could help to identify
improvements. Or perhaps a major new project is being undertaken – the internal auditor can help to ensure that project risks are clearly
identified and assessed with action taken to manage them.
• Evaluating Controls
Internal audit’s role in evaluating the management of risk is wide ranging because everyone from the mailroom to the boardroom is involved
in internal control. The internal auditor’s work includes assessing the tone and risk management culture of the organisation at one level
through to evaluating and reporting on the effectiveness of the implementation of management policies at another.
• Analysing Operations
Achieving objectives and managing valuable organisational resources requires systems, processes and people. Internal auditors work
closely with line managers to review operations then report their findings. The internal auditor must be well versed in the strategic
objectives of their organisation and the sector in which it operates in, so that they have a clear understanding of how the operations of
any given part of the organisation fit into the bigger picture.
Institute of Internal Auditors UK
The role of internal audit is to provide independent assurance that an organisation's risk
management, governance and internal control processes are operating effectively.
42. The Role Of Internal Auditors In CyberSecurity
• Reporting
By reporting to executive management that important risks have been evaluated and highlighting where improvements are
necessary, the internal auditor helps executive management and boards to demonstrate that they are managing the
organisation effectively on behalf of their stakeholders. This is summarised in the mission statement of internal audit
which says that internal audit’s role is 'to enhance and protect organisational value by providing risk-based and objective
assurance, advice and insight'.
Hence, internal auditors, along with executive management, non-executive management and the external auditors are a
critical part of the top level governance of any organisation.
Institute of Internal Auditors UK
The role of internal audit is to provide independent assurance that an organisation's risk
management, governance and internal control processes are operating effectively.
43. Providing assurance to executive management and
the board’s audit committee that risks are being
managed effectively is not the exclusive domain of
internal audit. There are likely to be other assurance
providers who perform a similar role. This can include
risk management professionals, compliance officers,
fraud investigators, quality managers and security
experts to name just a few.
The difference between these assurance sources and
internal auditors is that internal audit are independent
from management operations and are able to give
objective and unbiased opinions about the way risk
are reported and managed. Internal audit’s
independence of executive managements is achieved
through its functional reporting line to the chair of the
audit committee and an administrative reporting line
to the chief executive, as the most senior executive.
The Role Of Internal Auditors In CyberSecurity
Institute of Internal Auditors UK
The role of internal audit is to provide independent assurance that an organisation's risk
management, governance and internal control processes are operating effectively.
But like all professions, internal audit has
its own skills and its own qualifications,
technical standards and codes of practice.
These are all provided through the internal
audit professional body – the Chartered
Institute of Internal Auditors. As an affiliate
member of the global Institute of Internal
Auditors, the Chartered Institute of Internal
Auditors promotes the International
Professional Practices Framework (IPPF) in
the UK and Ireland, so that internal
auditors here around the world work
towards a globally agreed set of core
principles and standards.
The interesting aspect within this structure is that
internal auditors can work constructively with other
assurance providers to make sure the board’s audit
committee receives all the assurance they need to
form an opinion about how well the organisation is
managing its risks. It also means that the available
assurance resources are optimised by avoiding
duplication and gaps in the provision of assurance.
Teamwork and developing effective working
relationships is a key feature of internal auditing.
Whilst the financial skills of accountants are very
useful, to do their job effectively, internal auditors
must possess a high level of technical internal
auditing skills and knowledge. They must also be
effective communicators, good project managers,
analytically strong and good negotiators.
Working With Other Assurance Providers
44. The Role Of Internal Auditors In CyberSecurity
Internal Audit Best Practices for Cybersecurity (PwC)
• https://www.pwc.com/us/en/services/risk-assurance/library/it-audit-risk-technology-sector.html
Effective IT Oversight and The Role of Internal Auditors
• https://www.pwc.com/us/en/risk-assurance/publications/assets/itas-perspectives-directors-and-it-
confidence-gap.pdf
Enterprise Wide Technology Assessment
Internal audit should perform a technology risk assessment—or evaluate an organization’s existing one—
so as to identify cyber-threats, privacy risks, third-party risk, cloud exposures, and other emerging hazards
and to determine the likelihood of the occurrence of such risks and their impacts on the organization.
This kind of risk assessment is typically performed annually, and structured to be a repeatable process
- Alignment between IT and the business
– Business dependency on technology
– The nature and extent of technology in use
– The nature and extent ofexternally facing systems
44
45. The Role Of Internal Auditors In CyberSecurity
Internal Audit Best Practices for Cybersecurity (PwC)
Quality Assurance Review of Second Line of
Defence
Internal audit can perform a quality assurance review of programs and
processes designed to manage risks—some of which are IT risks—
involving secondline-of-defense functions such as an enterprise risk
management program, a compliance program, and a security
program.
• Quality Assurance Over The IT Internal Audit Function
Quality assurance reviews of an organization’s IT internal audit
function and IT internal audit capabilities can provide the board and
senior management with further insights into any staffing, resource, or
knowledge gaps that require filling to sustain a mature IT internal audit
function.
45
46. The Role Of Internal Auditors In CyberSecurity
Internal Audit Best Practices for Cybersecurity (PwC)
• Technical Audits
Internal audit can perform an assessment of or evaluate management’s existing processes and controls related to the
following current and emerging technology focus areas.
– Business continuity and disaster recovery planning
– Pre- and post-implementation audits and project assurance
– Security maturity assessment
– IT general controls, including user access management
– Social media
– Mobile Computing/Bring Your Own Device (BYOD)
– Threat and Vulnerability Management including Attack and Penetration
- Third-party risk management and vendor management
– Security incident management and response
46
47. The Role Of Internal Auditors In CyberSecurity
Internal Audit Best Practices for Cybersecurity (PwC)
• Data Analytics
Internal audit can evaluate management’s existing cyber metrics that include information and statistics about
the organization’s IT systems and data. Metrics can include:
– Outcomes of the scanning of a company’s systems, including detection and remediation of spyware and
malware
– The results of unplanned downtime caused by security incidents and IT outages
– Number of security access violations by third parties
– Number of authorized and unauthorized mobile devices that are accessing IT systems
47
48. The Role Of Internal Auditors In CyberSecurity
The Role Of Internal Audit In Cyber Security Readiness
(KPMG)
• https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2019/cyber-data-breach-brochure.pdf
Impact of Changes
• Technology Changes
• Business Changes
• Regulatory Changes
• Third Party Risks
48
49. The Role Of Internal Auditors In CyberSecurity
The Role Of Internal Audit In Cyber Security Readiness
(KPMG)
• Internal Audit Involvement In Cyber Security Readiness
• Business Goals and Strategies
• Framework Alignment
• Emerging Risks and Threats
• Talent and Staffing
49
50. The Role Of Internal Auditors In CyberSecurity
The Role Of Internal Audit In Cyber Security Readiness (KPMG)
• Cyber Maturity Assessment
• Leadership and Governance
Demonstration of due dilligence, ownership, and effective risk management
• Human Factors
Security culture within the organization
• Management of Information Risk
Comprehensiveness and effectiveness of information risk managment throughout the organization and supply
partners.
• Business Continuity and Crisis Management
Ability to prevent and preparation for the occurrence of security breach events
• Operations and Technology
Mapping of identified risks to control measures and their operations
• Legal and Compliance
Regulatory and standard compliances50
51. The Role Of Internal Auditors In CyberSecurity
Cyber Risk and Internal Audit (Deloitte)
https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-cyber-ia-urgent-call-to-action.pdf
The threat from cyberattacks is significant and continuously evolving. Many audit committees and boards have set
an expectation for internal audit to understand and assess the organization’s capabilities in managing the
associated risks. Our experience shows that an effective first step for internal audit is to conduct a cyber risk
assessment and distill the findings into a concise summary for the audit committee and board which will then drive
a risk-based, multiyear cybersecurity internal audit plan.
• 1st Line of Defence
Business units and the information technology (IT) function integrate cyber risk management into day-to-day
decision making and operations and comprise an organization’s first line of defense.
• 2nd Line of Defence
The second line includes information and technology risk management leaders who establish governance and
oversight, monitor security operations, and take action as needed.
• 3rd Line of Defence
Increasingly, many companies are recognizing the need for a third line of cyber defense–independent review of
security measures and performance by the internal audit function. Internal audit should play an integral role in
assessing and identifying opportunities to strengthen enterprise security. At the same time, internal audit has a
duty to inform the audit committee and board of directors that the controls for which they are responsible are in
place and functioning correctly, a growing concern across boardrooms as directors face potential legal and
financial liabilities.51
52. Careers
• Security Analyst
Analyzes and assesses vulnerabilities in the infrastructure
(software, hardware, networks),
investigates using available tools and countermeasures to
remedy the detected vulnerabilities, and recommends
solutions and best practices.
Analyzes and assesses damage to the data/infrastructure
as a result of security incidents, examines available
recovery tools and processes, and recommends
solutions.
Tests for compliance with security policies and procedures.
May assist in the creation, implementation, or management
of security solutions.
• Security Engineer
Performs security monitoring, security and data/logs
analysis, and forensic analysis, to detect security
incidents, and mounts the incident response.
Investigates and utilizes new technologies and processes
to enhance security capabilities and implement
improvements.
May also review code or perform other security
engineering methodologies.
• Security Architect
Designs a security system or major components of a
security system, and may head a security design team
building a new security system.
• Security Administrator
Installs and manages organization-wide security systems.
This position may also include taking on some of the
tasks of a security analyst in smaller organizations.
53. Careers
• Chief Information Security Officer
A high-level management position responsible for the entire information security division/staff. The position may include hands-on
technical work.
• Information Security Consultant/ Specialist/ Intelligence
Broad titles that encompass any one or all of the other roles or titles tasked with protecting computers, networks, software, data or
information systems against viruses, worms, spyware, malware, intrusion detection, unauthorized access, denial-of-service
attacks, and an ever increasing list of attacks by hackers acting as individuals or as part of organized crime or foreign
governments.
53
54. Careers
• Study The Subject Further And Improve Your Job
Prospects
• UK Cyber Security Forum
https://www.ukcybersecurityforum.com/
Supported by the Government's cyber security strategy in order to encourage start-ups and innovation and to address the skills
gap identified by the U.K Government.
It is a social enterprise spanning the United Kingdom, representing small and medium-sized enterprises (SMEs) in the UK cyber
sector. It is divided up into 20 regional cyber clusters which provide free membership and events for their members. It forms
part of the UK cyber security community.
54
55. Conclusions
Internal Audit has an important role to play as an independent party reporting
directly to top management on the state of cybersecurity in their
organizations.
Cybersecurity has grown into a complex area and Internal Auditors need to
enhance their skills sets to address cybersecurity issues adequately.
There are many emerging job opportunities in Internal Audit to address
cybersecurity issues if organizations embrace the importance of Internal
Audit's role in cybersecurity.
55