Audit Tips

March 16, 2021

10 Key Cybersecurity Risk Areas to Audit

Audit Tips

Cybersecurity refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Cybersecurity may also be referred to as information technology security¹.

Information technologies are ubiquitous in the 21^st century. Smart phones, tablets, and various other connected devices have, in only a few years, become fully integrated in our daily lives. While all these new technologies have brought citizens of all nations important benefits and opportunities, they have also introduced new risks that need to be carefully managed. Computer viruses, ransomware, phishing, hacking, and identity theft are all examples of cybersecurity threats that can have disastrous and costly consequences.

All connected assets are at risk of being hacked. And, as the number and types of connected devices increases with time, so does the number of hackers and their skills at finding weaknesses in IT systems.

In this environment, public sector organizations must remain hyper-vigilant. They must implement the latest good practices in IT risk management to protect their IT assets from unauthorized access and to prevent the use, disclosure, disruption, modification, review, and destruction of the information they contain.

Internal and legislative auditors can support public sector organizations by providing independent assurance about whether cybersecurity risks are well managed and by making recommendations for improvements where needed.

The list below presents 10 key cybersecurity risk areas that should be considered for audit (the areas appear in alphabetical order). The importance of each area is briefly explained and some specific elements to inquire about are mentioned.

	Application whitelisting Application whitelisting is a control that protects against unauthorized applications on a system. Whitelisting can be an effective mechanism to prevent IT systems from being compromised by the execution of malicious code. To be effective, whitelisting requires (1) a policy that defines what types of application users are allowed to run on their devices as part of their duties, (2) a detailed list of approved applications, and (3) technical implementation that meets the policy’s intent.
	Business continuity Cyber attacks and data breaches can significantly disrupt an organization and even prevent it from providing key services to the public. A cyber attack can result in lost data, compromised personal or financial information, unplanned downtime, and other challenges. To mitigate the consequences of a cyber attack, organizations should integrate IT security measures in their business continuity plan. This plan should include, among other things, information on data backup and recovery processes.
	Governance IT security governance refers to the systems and practices by which an organization directs and controls IT security. It is essentially about: defining roles and responsibilities, establishing policies, providing strategic directions, ensuring that risks are well managed, reviewing performance, and monitoring compliance with policies and regulations.
	Logical access Public sector organizations often maintain IT systems and databases that include sensitive personal information about large numbers of citizens. In the wrong hands, this data can be used for malicious purposes. Therefore, strict controls should ensure that only authorized personnel can access this data. Logical access safeguards (such as defined access rights and authority levels, user identification, and passwords) should be in place to prevent the unauthorized access to IT systems and databases by outsiders seeking to exploit Internet weaknesses, or by insiders seeking to misuse their trusted status.
	Networks Workers in government organizations are connected to computer networks through which they can exchange and store sensitive information. If not adequately protected, these networks can be breached and the information they contained accessed by unauthorized users. To prevent such breaches, proper network configurations should be maintained on all wired and wireless devices that can access the network. This includes, among other measures, using encryption software, installing and updating anti-virus software, and properly configuring firewalls, routers, and printers.
	Malware Malware (malicious software) is a harmful computer program that can steal information from a user (such as usernames and passwords, credit card numbers, or files and documents) or enable an attacker to remotely take control of a computer and access any connected network. A computer can be infected by malware by a user downloading an infected file, opening an attachment in a phishing message, or using an infected USB key. Effective protection against malware includes up-to-date anti-virus software and operating systems, adequate monitoring of IT systems, and awareness training for public servants.
	Patches Hackers are constantly trying to find flaws in software and IT systems that will allow them to gain unauthorized access to sensitive data. As a result, IT specialists are constantly developing solutions, or patches, to identified problems in software and IT systems. Organizations that do not implement these patches on a timely basis expose their IT systems to cyber attacks. To ensure that all required patches are implemented on a timely basis, organizations should have documented policies and processes about identifying and implementing patching requirements for workstations and servers. They should also regularly assess compliance levels with patching requirements.
	Security awareness An organization with good IT systems and a good team of IT specialists will still be at risk if its employees, who use a variety of applications each day, are not aware of internal IT policies and cannot identify behaviours that create IT risks for the organization. For this reason, providing IT security awareness training to all staff who use IT equipment should be a key element of an effective IT security strategy.
	Vulnerability assessments By having a process for ongoing detection, classification, and prioritization of vulnerabilities in its IT systems, complemented with swift actions to address priority issues, an organization can reduce the vulnerability of its IT systems and the likelihood of a successful cyber attack. Various tools and methodologies exist to conduct assessments of networks, applications, and databases. Some of these tools are automated and can help organizations to conduct regular standardized assessments.
	Web applications Web applications are computer programs that are built into websites, and that help websites work. Public sector organizations often design Web applications that allow citizens to access specific government services. When not properly designed, Web applications can display weaknesses that can be exploited by cyber pirates to access sensitive information (such as birthdates or credit card numbers) while it is being processed by the application or being stored on a network. To protect against such breaches, organizations should be using a multi-layered security approach that can still provide protection even if one layer is compromised. Firewalls, secure coding protocols, and logical access controls are some of the measures that can be put in place to secure Web applications.