Practical - Cybersec Audit - PAF - Tauffik - Segara - Purba


TAUFIK SN PURBA, CISA, CIA
JAKARTA, DECEMBER 2019


MISSION OF INTERNAL AUDIT
"To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight."
The Mission of Internal Audit articulates what internal audit aspires to accomplish within an organization. Its place in the New IPPF is deliberate, demonstrating how practitioners should leverage the entire framework to facilitate their ability to achieve the Mission.
• Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. - NIST Glossary (https://csrc.nist.gov/glossary/term/cybersecurity)
• The protection of information assets by addressing threats to information processed, stored, and transported by inter-networked information systems – ISACA Glossary (http://www.isaca.org/Knowledge-Center/Documents/Glossary/glossary.pdf)
• The first known use of cybersecurity was in 1989 – Merriam Webster dictionary
Source: GTAG Assessing Cybersecurity Risk, IIA 2016
PRACTICAL APPROACH
Planning (2200 series): [Cybersecurity] Objectives, Risk Assessment, Scope, Criteria, Audit Program
Performing & Supervising (2300 series): Testing, Evaluating, Documenting
Communicating (2400 series)
NIST Cybersecurity Framework structure: Function / Category
Source: Framework for Improving Critical Infrastructure Cybersecurity, NIST 2018


Internal Audit Considerations for Cybersecurity Risk*
• Clear, strategic purpose with accountable stakeholders and defined roles and responsibilities.
• Reporting line to enable suitable authority and objectivity.
• Expertise to deploy security tools and enforce policy.
• Elements of practice
• Ongoing communication, metrics, reporting, and action tracking.
• Incident management.
• Planning business continuity related to cyberattack scenarios.
• Senior management and board visibility and involvement
• Continuous improvement of the cybersecurity program from raising recommendations and taking timely action to completion.
• Assess vulnerabilities, analyse threat intelligence, and identify gaps.
• Measure performance and compare to industry benchmarks and peer organizations.
• Identify specific knowledge, skills, and abilities needed to support program

• Inventory of data
• Inventory of authorized and unauthorized devices
• Inventory of authorized and unauthorized software
• Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
• Secure configurations for network devices such as firewalls, routers, and switches
• Malware defences
• Limitation and control of network ports, protocols, and services
• Application software security
• Wireless access control
• Boundary defence
• Penetration tests, phishing tests, and red team exercises
• Maintenance, monitoring, and analysis of change events
• Data protection/data loss prevention
• Controlled use of administrative privileges
• Account monitoring and control
• Controlled access based on the need to know
• Population of users

* Source: GTAG Assessing Cybersecurity Risk, IIA


- Organization: Policy, Function, Culture
- Social Engineering
- Knowledge-skill
- Awareness
- 3rd parties/vendor

Assets: Tangible or intangible value that is worth protecting, including people, information, infrastructure, finances & reputation.
• People
• Data/Information
• Application
• Storage
• Computing
• Network

Threat: Any natural or man-made circumstance that could have an adverse impact on an organizational asset.
• Malware
• Phishing
• Denial of Services
• Spam
• Data breach
• Web based attacks
• Botnets
• Identity thefts - social engineering
• APT

Vulnerabilities: The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur, or likely to occur more frequently.
• Lack of awareness
• Lack of policy
• Failure to monitor logs
• Inadequate passwords
• Open network ports
• Coding errors
• Interoperability errors

Confidentiality, Integrity, Availability
Source: Transforming Cybersecurity, ISACA
NIST Cybersecurity Framework core columns: Category | Subcategory | Informative Reference
Source: Framework for Improving Critical Infrastructure Cybersecurity, NIST 2018

ISACA audit/assurance program columns: Sub-Process | Control Objectives | Controls | Control Type | Control Classification | Control Frequency | Testing Step | NIST Ref. to COBIT 5 | Additional Ref. to COBIT 5 | Ref. Framework/Standard | Ref. Workpaper | Pass/Fail | Comments
Source: IS Audit/Assurance Program Cybersecurity: Based on the NIST Cybersecurity Framework, ISACA
Column Name: Description
Process Sub-area: An activity within an overall process influenced by the enterprise's policies and procedures that takes inputs from a number of sources, manipulates the inputs and produces outputs
Ref. Risk: Specifies the risk this control is intended to address
Control Objectives: A statement of the desired result or purpose that must be in place to address the inherent risk in the review areas within scope
Controls: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature
Control Type: Controls can be automated (technical), manual (administrative) or physical. Automated/technical controls are things managed or performed by computer systems. Manual/administrative controls are usually things that employees can or cannot do. Physical controls include locks, fences, mantraps and even geographic specific controls.
Control Classification: Another way to classify controls is by the way they address a risk exposure. Preventive controls should stop an event from happening. Detective controls should identify an event when it is happening and generate an alert that prompts a corrective control to act. Corrective controls should limit the impact of an event and help resume normal operations within a reasonable time frame. Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible when the originally designed controls cannot be used due to limitations of the environment.
Control Frequency: Control activities can occur in real-time, daily, weekly, monthly, annually, etc.
Testing Step: Identifies the steps being tested to evaluate the effectiveness of the control under review
NIST Ref. to COBIT 5: Identifies the COBIT 5 processes related to the control objective or control activities as defined by the NIST Cybersecurity Framework
Additional Ref. COBIT 5: Identifies additional COBIT 5 processes related to the control objective or control activities
Ref. Framework/Standards: Specifies frameworks and/or standards that relate to the control under review (e.g., NIST, HIPAA, SOX, ISO)
Ref. Workpaper: The evidence column usually contains a reference to other documents that contain the evidence supporting the pass/fail mark for the audit step.
Pass/Fail: Document preliminary conclusions regarding the effectiveness of controls.
Comments: Free format field
Source: IS Audit/Assurance Program Cybersecurity: Based on the NIST Cybersecurity Framework, ISACA
• Auditor(s) need to be equipped with relevant knowledge, skills & tools, and recent trends/research (IIA Standard 1200 - proficiency & due professional care)
• Leverage available best practices, guidelines, frameworks and standards, including those of technology vendors relevant to the organization
• Audit/assurance programs should be considered a starting point and adjusted based upon risk and criteria that are relevant to the organization being audited
• Identify and categorize audit areas where reliance on the work of others makes sense (SSAE 16/SOC Report)
• Acknowledge that "one cannot plan against everything and prevent it", and address exactly those (probable or improbable) attacks and breaches that require targeted response and investigative activities.
ABOUT CYBERSECURITY
• LEVERAGE EXISTING FRAMEWORKS/GUIDELINES
• NEED A CYBER INCIDENT RESPONSE POLICY AND PLAN THAT IS FULLY TESTED
• CYBER SECURITY STRATEGY NEEDS TO BE AGILE – LANDSCAPE IS "MUTATING"
• CONSIDER FORTHCOMING LEGISLATION
• ALL RISKS ARE SUBJECTIVE
• CYBER SECURITY AWARENESS DEPENDS ON THE RIGHT TRAINING
• USERS ARE (AND WILL ALWAYS BE) THE BIGGEST SECURITY RISK
• EVERYTHING IS CONNECTED TO EVERYTHING
• BASIC INFORMATION SECURITY CONTROLS STILL HOLD TRUE
• BE AWARE OF CREDENTIAL THEFT TECHNIQUES
Source: ISACA 2016 https://m.isaca.org/Knowledge-Center/Research/Documents/Auditing-Cyber-Security-Infographic_ifg_eng_0217.pdf




[email protected]
0811224093
www.linkedin.com/in/taufiksnpurba
