
CYBER SECURITY – INTERNAL AUDIT FRAMEWORK

Mahendra S. Joshi
Vertical Head – Systems Audit
Internal Audit
• Three Lines of Defense
• Audit Committee of the Board – Requirements, Responsibilities, Factors to consider
• Audit – Life Cycle
• IS Audit – Scope and Responsibilities
• Cyber Security Incident
• Risk-based Internal Audit (RBIA)
• RBI – Cyber Security Framework

Cyber Risk Management across Three Lines of Defense

• Business/Operations
o Direct accountability for owning, understanding and managing cyber risks
o “Business best knows its own data flows and business processes.”
o Cyber risks need to be woven into the fabric of the first line’s risk and control self-assessment and into fraud, crisis management and resiliency processes
• Control Groups
o Independent authority to effectively challenge the first line’s approach to cyber risks
o Cyber risk should be embedded into the broader second-line risk management framework.
o Compare cyber risks to other risks using the same financial and probability benchmarks, to justify investment in cyber risk prevention and remediation.
o Develop a comprehensive picture of cyber exposures, vulnerabilities, and risks. Generate metrics to inform decision-making and to establish the risk/return trade-offs involved with investments in cybersecurity.
• Internal Audit
o Evaluation of the design and operating effectiveness of cyber risk management across the first and second lines of defence
o Perform assessments / validate applications and connections / evaluate third-party risk / conduct independent penetration tests and vulnerability assessments / enhance regular audit procedures with cyber risk considerations / stay abreast of threat intelligence

Internal Audit

Definition – Institute of Internal Auditors (IIA)

“Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

Audit Committee of the Board – Requirement

• Adequately skilled Audit Committee composition to manage the complexity of the IS Audit oversight
• Designated member in the Audit Committee with:
o Knowledge of Information Systems, related controls and audit issues
o Competencies to understand the ultimate impact of deficiencies identified in the IT internal control framework by the IS Audit

Source: Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds – Implementation of recommendations, RBI/2010-11/494 – DBS.CO.ITC.BC.No. 6/31.02.008/2010-11

Audit Committee of the Board – Responsibilities

• Bank’s compliance with legal and regulatory requirements
• Appointment of the IS Audit Head
• Review critical issues highlighted and provide appropriate guidance to the Bank’s management


Audit Committee of the Board – Responsibilities (Contd.)

• Devote appropriate time to IS audit findings
• Performance of IS Audit
• Evaluation of significant IS Audit issues
• A Board or its Audit Committee members should seek training to fill any gaps in the knowledge related to IT risks and controls


Audit Committee of the Board – Key Focus Areas

• Independence of the audit function
• Competency of the personnel
• External entities conducting audit
• Quality assurance process


NACD Principles for the Board

• Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
• Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
• Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
• Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
• Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

IS Audit – Scope and Responsibilities

• Determining effectiveness of planning and oversight of IT activities
• Evaluating adequacy of operating processes and internal controls
• Determining adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures
• Identifying areas with deficient internal controls, recommending corrective action to address deficiencies, and following up to ensure that management effectively implements the required actions


Cyber Security Incident

• IS Audit:
o Review the sufficiency of the anti-malware solution and security controls
o Review the configuration of infrastructure, network and security devices (servers, desktops, routers, firewalls etc.)
o Review the security operations center
o Review the incident management plan

Cyber Security Incident

• Board of Directors:
o Pursue the Root Cause Analysis (RCA) for critical incidents
o Time taken to detect, respond and act upon the incident
o Deficiency due to which the incident occurred
o Steps taken to improve the current processes and security posture

Risk-based Internal Audit (RBIA)

• Risk Identification
• Prioritization
• Allocation of resources
• Testing

Source: Guidance note on risk-based internal audit – https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=1021

What is expected of C-Suite

Board/Senior Management support is the key pillar in strengthening an organization’s security posture.

Collaboration:
• Is cyber resilience part of the board charter?
• Which assets require protection?
• How is the cybersecurity practice in line with industry-leading standards?
• Which vulnerabilities should be focused upon?
• Are the investments in the area of cyber security assessed?
• Is there a vigorous incident response in place?

RBI – Cyber Security Framework

Supported by the Gopalakrishna Committee Report

BASELINE CONTROLS
1) Inventory Management of Business IT Assets
2) Preventing execution of unauthorized software
3) Environmental Controls
4) Network Management and Security
5) Secure Configuration
6) Application Security Life Cycle (ASLC)
7) Patch/Vulnerability & Change Management
8) User Access Control / Management
9) Authentication Framework for Customers
10) Secure mail and messaging systems
11) Vendor Risk Management
12) Removable Media
13) Advanced Real-time Threat Management
14) Anti-Phishing
15) Data Leak prevention strategy
16) Maintenance, Monitoring, and Analysis of Audit Logs
17) Audit Log settings
18) Vulnerability assessment and Penetration Test and Red Team Exercises
19) Incident Response & Management
20) Risk based transaction monitoring
21) Metrics
22) Forensics
23) User / Employee / Management Awareness
24) Customer Education and Awareness

Security Operations Centre (SOC)

Available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10435

To which Board Committee will the Systems Audit report be placed as an agenda item?

A. Risk Management Committee
B. Audit Committee
C. IT Strategy Committee

Who is accountable for owning, understanding and managing cyber risks?

A. Internal Audit Dept.
B. Information Security Dept.
C. Business/Operations

Audit Committee of the Board – Key Focus Areas

A. Independence of the audit function
B. Outsourcing of audit work
C. Quality assurance process
D. All of the above

Thank You
