Essentials for an Effective Cybersecurity Audit

Author: Chimwanda, CISA, CIA, CISSP
Date published: 8 April 2022

Cybersecurity has become a pressing issue worldwide, and robust audit processes are therefore needed to provide assurance to senior management and the board. A cybersecurity audit can be thought of simply as an evaluation of the systems and controls that ensure the security of cyber activities. The objective is to evaluate the current technology, policies and, at a deeper level, procedures to determine whether all applicable standards and regulations are being met effectively and efficiently. During the audit, the organization can apply a number of best practices to measure the efficiency and effectiveness of its cybersecurity systems, processes and controls.

Reasons for Conducting a Cybersecurity Audit

The purpose of a cybersecurity auditor is to verify that the organization is operating in accordance with the various cybersecurity standards, regulations and guidelines. A cybersecurity audit measures the organization's current reality from a compliance standpoint and benchmarks it against specific industry standards. A gap analysis is then performed to ensure that all control gaps are identified early and remediated through targeted recommendations.

There are several reasons why an auditor should conduct regular cybersecurity audits, including:

  • To regularly monitor the organization's IT infrastructures, systems and controls to detect any potential risk or defects
  • To confirm the systems in place meet minimum compliance requirements and mitigate expected risk
  • To evaluate the efficiency and effectiveness of cybersecurity operational systems and processes
  • To examine the information systems, security controls and management procedures put in place with the aim of mitigating risk
  • To provide advice on developing contingency plans for responding to emergency cyberattacks or other vulnerabilities

The essential aspects of any cybersecurity audit include the review of cybersecurity policies, development of an integrated approach to cybersecurity, analysis of personnel cyber capabilities and the promotion of risk-based audit initiatives in the organization.


Reviewing Cybersecurity Policies

Information security policies are essential to the cybersecurity auditor, because knowledge of the policies enables the auditor to classify the organization's data and determine which level of security is needed to protect it. When reviewing any pertinent cybersecurity policy, the cybersecurity auditor should strive to compare it to the ideal version or global standard. Determining whether an enterprise's cybersecurity policy meets both industry and global standards is essential. Before performing this step, it is also important to understand which compliance regulations are relevant and applicable to the organization.

Some of the global barometers to which cybersecurity programs and policies should be compared include:

  • The Payment Card Industry Data Security Standard (PCI-DSS)
  • System and Organization Controls (SOC)
  • The US Sarbanes-Oxley Act of 2002 (SOX)
  • The International Organization for Standardization (ISO)
  • The EU General Data Protection Regulation (GDPR)
  • The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
  • The Center for Internet Security (CIS) Controls, formerly known as the Critical Security Controls

An organization may need to comply with one or more of these standards depending on its sector and/or jurisdiction. For example, financial institutions typically must adhere to PCI-DSS due to their widespread use of credit and debit cards, while publicly traded entities (especially multinationals) require compliance with SOX. Cybersecurity auditors should also consider jurisdictions, for example, how GDPR affects mostly companies domiciled in or undertaking business in the European Union. However, some standards apply universally across sectors and jurisdictions (e.g., CCM, ISO standards).

Developing an Integrated Approach to Cybersecurity Auditing

Centralizing cybersecurity is essential: integrating risk management and compliance policies into a single unified working document helps the cybersecurity auditor gain a more complete picture of the organization's cybersecurity pulse. In turn, this makes it easier for the auditor to identify gaps across all three at once, because there is always a relationship between cybersecurity, risk management and compliance.


Before the audit begins, the cybersecurity auditor should review the relevant compliance standards and requirements. If an organization has a compliance function, it should share relevant information with the audit team. Sharing compliance information enables cybersecurity auditors to stay abreast of changes in laws and regulations and to adjust specific audits to the organization's pressing needs. To this end, it is important that the internal audit function and the audit committee meet regularly with the chief information officer (CIO) and the chief information security officer (CISO) to discuss important cybersecurity issues and share views on emerging threats, vulnerabilities, and cybersecurity laws and regulations.

Use automated tools (e.g., dashboards) that help teams communicate seamlessly and coordinate audit activities efficiently. A centralized data repository where internal audit, compliance and IT teams can easily maintain, access and share pertinent data can be set up in the cloud for easy access by each team. This centralized repository allows audit teams to map security risk to auditable entities, IT assets, controls, regulations and other key factors in a cybersecurity audit. A seamlessly integrated data flow enables internal audit to determine at a glance how a cybersecurity risk or an ineffective and inefficient control affects the entire organization. Accordingly, internal auditors will then be able to proactively offer targeted recommendations to address the issues identified.

Analyzing Personnel Cyber Capabilities

Globally, it has become exceedingly difficult to find adequate personnel to fill the cybersecurity skills shortage. Organizations should create an inventory of information security personnel and their responsibilities as a basic step toward addressing cybersecurity on a continuous basis. Employee interviews are an important part of a cybersecurity audit, because they seek to determine whether the organization has hired qualified cybersecurity personnel to assist in defending against cyberrisk. Cybersecurity auditors usually interview various IT and information security personnel to gain a better understanding of the organization's security architecture and threat landscape. They should also interview board members to gauge their understanding of cybersecurity risk. Cybersecurity auditors can then verify whether all organizational employees, including leadership, are educated enough to contend with constantly evolving cyberrisk.

It should be noted that in addition to evaluating IT infrastructure on the technological side, cybersecurity audits also include reviewing and interviewing the individuals responsible for security, data protection and IT infrastructure. Therefore, cybersecurity auditors should possess good soft skills so that they can interact successfully with stakeholders at all levels.

Promoting a Risk-Based Audit Approach

Cybersecurity risk is pervasive across enterprises and, therefore, beyond the scope of an effective cybersecurity audit, which can be vast and overwhelming. Cybersecurity audit teams should know where to begin their assessments, especially when resources are limited. This is where a risk-based approach to cybersecurity auditing adds value. Risk-based auditing enables the audit team to prioritize its activities and resources according to the highest-risk areas in the organization. Cybersecurity auditors must develop intelligence for risk-based auditing through interventions such as effective risk assessments, continuous risk monitoring and scenario analysis. The resulting data help them develop a systematic, risk-based audit plan with clear objectives and achievable goals. An aligning scope can then be devised to prioritize areas of greater risk. Technology can be used to streamline risk assessments and provide real-time visibility of cyberrisk across the enterprise. For example, cybersecurity auditors should understand where the organization's critical data reside. They should also understand the organization's entire governance framework in use and assist by bringing in the right third-party resources where necessary.

Conclusion

While the field of cybersecurity auditing is fairly new, the value of undertaking such audit assignments must be more commonly recognized. There is a need for continuous improvement in the undertaking of cybersecurity audits, which are inherently highly specialized. Taking a disciplined, systematic approach to the audit process is essential for enterprises to gain the most from the process. This will ensure the delivery of audit results that enable the organization to address the challenges encountered in an ever-changing cyberenvironment.

Chimwanda, CISA, CIA, CISSP

Is an auditor with more than 10 years of experience in internal auditing, information systems auditing, cybersecurity auditing and cloud security auditing. He also serves as an independent adviser to boards and audit committees. He is a member of the ISACA® IT Audit and Assurance Advisory Group and the UK Institute of Internal Auditors Public Sector Knowledge Group.