Audit and Assurance


Cyber/digital resilience

  • 1.  Cyber/digital resilience

    Posted 13 Sep, 2019 10:12
    Hi,

    Has anybody ever carried out a review of digital /cyber resilience at an organisation, or public body? Or can you point me in the direction of any examples?

    Many thanks,
    Gareth

    ------------------------------
    Gareth Lewis
    IM&T Auditor
    ------------------------------


  • 2.  RE: Cyber/digital resilience

    Online Forum Topic Leader
    Posted 26 days ago
    @Gareth Lewis,

    See https://www.isaca.org/Journal/archives/2019/Volume-2/Pages/auditing-cybersecurity.aspx

    Have members any other thoughts on this one?

    Best Regards,

    Ian

    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------



  • 3.  RE: Cyber/digital resilience

    Posted 25 days ago
    Many thanks for your response Ian.

    ------------------------------
    Gareth Lewis
    IM&T Auditor
    ------------------------------



  • 4.  RE: Cyber/digital resilience

    Posted 25 days ago
    Ian, great reference and information, and I say that not just because you're the author.
    Gareth, my only add to this would be that enterprise or organizational resiliency assessments gain value by really looking at the organizational security culture and the employee understanding and adoption of this culture. We follow the NIST CSF and cybersecurity goals and objectives; we then cross-walk employee response, skills, and training. I will continue to look for examples or reference materials for you.

    Thank you,
    Brian

    ------------------------------
    Brian Moore
    President, EWA - Government Systems, Inc.
    ------------------------------



  • 5.  RE: Cyber/digital resilience

    Posted 24 days ago
    Thanks Brian, this is also useful.

    I'm also considering looking at it from the perspective of how, and whether, appropriate cyber arrangements are in place to allow for/adequately support any digital transformation plans that an organisation might have. So there is an element of planning for the future in it too...

    ------------------------------
    Gareth Lewis
    IM&T Auditor
    ------------------------------



  • 6.  RE: Cyber/digital resilience

    Online Forum Topic Leader
    Posted 24 days ago
    Edited by Niel Harper 24 days ago
    Hello Gareth,

    I am a Cybersecurity Expert on the European Union's roster of consultants, and I have carried out country-specific cybersecurity assessments in the past.

    The scope of work usually includes the following areas (this is an extract of the table of contents from my reports):

    CYBERSECURITY POLICY & STRATEGY
    1. National Cybersecurity Strategy
    2. Incident Response
    3. Critical Infrastructure Protection
    4. Crisis Management

    CYBERSECURITY CULTURE & SOCIETY
    5. Cybersecurity Mind-set
    6. Trust and Confidence on the Internet
    7. Understanding of Personal Information Protection Online
    8. Traditional Media, Social Media & Reporting Mechanisms

    CYBERSECURITY EDUCATION, TRAINING & SKILLS
    9. Awareness Raising
    10. Executive Awareness Raising
    11. Framework for Education
    12. Framework for Professional Training

    LEGAL & REGULATORY FRAMEWORKS
    13. Legal Frameworks
    14. Criminal Justice System
    15. Formal and Informal Cooperation Frameworks

    STANDARDS, ORGANIZATIONS & TECHNOLOGIES
    16. Adherence to Standards & National Infrastructure Resilience

    SECURITY OPERATIONS
    17. Identity and Access Management
    18. Secure Configuration Management
    19. Remote Access & Mobile Device Management
    20. Endpoint Protection
    21. Network Security
    22. Physical Security
    23. Business Continuity Management

    The resources I based my assessments on are the Cyber Security Capability Maturity Model (CMM) as prescribed by the Global Cyber Security Capacity Centre (Oxford University), the NIST Cybersecurity Framework, ISO 27001, and a couple of others.

    Hope that this is helpful.

    Regards,

    ------------------------------
    Niel Harper, CISA, CRISC, CISSP
    Online Forum Topic Leader
    Emerging Technology
    ------------------------------



  • 7.  RE: Cyber/digital resilience

    Posted 24 days ago
    Thanks Niel, again, very helpful.

    I'll have a proper look through your scope; at a glance, it looks interesting, particularly the bit about culture and society etc.

    Gareth

    ------------------------------
    Gareth Lewis
    IM&T Auditor
    ------------------------------