Cybersecurity Questions for Internal Auditors

Cybersecurity Risk

Cybersecurity is big news these days and deservedly so, as cybersecurity risks are at an all-time high. Any mention of cyberattacks, cyberthreats, cybersecurity, cyberbreach, cyber-this, or cyber-that, gets immediate headlines. If you think that your company has not been a target of a cyberattack, it likely has, you’re just not aware of it.

As an Internal Auditor, you do not need to know everything about cybersecurity, you simply need to make sure your company has taken the appropriate steps to properly oversee cybersecurity risks. Don’t know where to begin? Here are a few questions to get you started.

Who is ultimately responsible for cybersecurity?

The “buck” stops somewhere and the person responsible has to be clearly identified within the organization. The person must be in a Senior Leadership position with clear responsibility for cybersecurity preparedness with the support from the CEO and Board.

Does the company understand the cyber risks it faces, such as malware, nation states, cyber criminals, insiders, or hackers?

Cyber risks should be itemized and categorized with emphasis placed on the exploitation strategies that would impact the unique environment of your company. It is critical for the people responsible for cybersecurity to understand where data resides and who has access to it. Your conversation with management should include potential exposure / weakness within the network infrastructure, and potential vulnerabilities created through business partners, acquisitions, vendors, and other third-party service providers.

How has the cybersecurity risk assessment changed over time to stay current?

There are plenty of nefarious people who want your company’s data, and these “bad guys” are always innovating, seeking opportunities and techniques to bypass traditional protection mechanisms. Relying on the traditional best practices will not be sufficient, instead the risk assessment must continually evolve to incorporate cutting edge practices. Make sure the people responsible for cybersecurity can articulate and demonstrate the risk assessment process and how it has evolved.

Is there a comprehensive data privacy and cybersecurity program in place?

The company should have a policy on data collection, retention, and destruction. The policy should include instructions to prevent the collection and storage of non-essential customer data. The policy should also include additional safeguards for securing sensitive data, specifically restricting employee access to only the data that is required as part of their job duties. You should also validate that effective mechanisms are in place to prevent sensitive data from being transferred to outside sources.

The cybersecurity program must be reviewed and tested regularly (at least annually) to evaluate its effectiveness and any vulnerabilities must be formally mitigated. Management should be able to provide evidence of this for you.

How does management deal with a cybersecurity breach?

There must be a comprehensive breach response plan in place to include an understanding of what defines an actionable incident, what triggers the response plan, the steps required to resolve the incident, and the people involved in the response. At a minimum, the response team should include key individuals from IT, Legal, Corporate Communications, and as necessary, outside advisors (legal, forensic, law enforcement, public relations, and regulators). There must be an identified team leader who has ultimate responsibility for implementing the plan.

Is there a cybersecurity training program tailored to the workforce and customized for the current threats?

The training program should explain the company’s cybersecurity and data privacy protocol, emphasizing the importance of employees adhering to the protocol, and explaining the ramifications and consequences of non-compliance. The training must be designed to address the risks associated with different segments of the workforce and the potential exploitation strategies. If done well, the training should help create a culture of compliance with the cybersecurity policies, procedures, and protocols.

Do third-party providers comply with your company’s cybersecurity policies?

Third-parties pose a significant risk to cybersecurity and management should carefully control third-party access to sensitive information. Vendors and service providers who have access to sensitive data, should be aware of the company’s cybersecurity policies and adhere to the requirements.

Has the company invested in cyber liability insurance?

Management should be able to demonstrate that they reviewed the need for cyber liability insurance. If there is a policy, it should be reviewed to make sure the coverage is sufficient given the company’s specific circumstances. If there is not a policy, management should be able to provide valid reasons for not obtaining coverage.

This short list is designed to get you started and is in no way meant to be exhaustive. As always, internal auditors should be prepared to ask “why” to every answer they are provided. Management should be able to demonstrate the methods employed to manage, mitigate, and control cybersecurity risks. Your goal should be to create an ongoing dialog on the cybersecurity risks facing your company so that you can report on the effectiveness of cybersecurity risk management. Auditing the cybersecurity program will ensure that your company’s management team is preventing, detecting, deterring, and responding to data breaches and incidents in the most timely and effective manner possible.

There are many other questions that should be asked to determine the effectiveness of cybersecurity risk management. You are encouraged to add additional questions in the comment section.

This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services; a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research; the President of the Oz Park Baseball Association, a not-for-profit organization dedicated to providing fundamental based baseball in a safe environment in the city of Chicago; and an Advisory Board Member of the Chicago Youth Baseball Initiative, a University of Illinois at Chicago community group dedicated to providing Chicago youth with the opportunity to play baseball in a fun and safe environment, while offering educational experiences on a world-class college campus. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.