In recent days, various technological advancement takes place in several organizations to uplift their performance. In this context, technology has also resulted in some illegal practices such as data breaches and many more. Due to lack of awareness towards the handling of technological usage, cybercrime rises rapidly. As per Zengy et al., (2022), cybercrime is placed among the top five business risks nowadays. Here the requirement of cyber security audit gains the increasing shed of light.
Concept of Cyber Security Audits
The role of cyber security audit is to monitor all the IT infrastructure of any business on a continuous process. From the view of a Chief Executive officer (CAE), it is again understood that, cyber security audits also have contributed to the detection of vulnerabilities and threats of any cyber crime issue. As per Yamin & Katt, (2019), this audit is developed for evaluating any risk of illegal practices or to assess a company or a product against any particular standard validation.
Role of Cyber Security Audits
Cyber security addresses not only the IT security but it also works on the security provision for the crucial information and data protection. All the processes, procedures and people are linked with each other for hacking and cyber security audits place security aspects on the noticing field of any risks or threats. As per Lois et al., (2021), cyber security audit in that case provides data and network security as well as the system and physical security. For data security all, the transmission is adhered to the review of the network control and any use of encrypted data. On the other hand, it offers security for the network through a review and control SOC and anti-virus configuration.
It also enhances the monitoring capabilities for the security measurement. Again, through patching process and account management system security also is done. As per the CAE, cyber security audit helps to figure out the threats and deliver an in detailed analysis of the internal and external security holding. Lois, Karagiorgos & Tsikalakis, (2020) have also opined that by noticing the defense gap by a company this audit provides an assurance to the employees, business partners and customers and through this the reputational value of the company rises. Thus CAE thinks that some effective ways to incorporate this new practice should be included and those are discussed further.
Effective ways for performance of cyber security audit:
It is the first required area that the process is to address the particular goals or objectives for an organization for which the audit performance should be included. CAE in the board meetings also can place a question which type of audit goals needs to be performed. It can be digital infrastructure or can be business operation or anything else but the specification must be added (Kahyaoglu & Caliyurt, 2018).
After the specification of the goals, the next effective way is to collect the information required for planning an audit (Haqaf & Koyuncu, 2018). For the internal audit control, team members have to share responsibilities for collecting information. CAE also suggested some required information such as system or network management related data or any security architecture and many more. Moreover, it is the responsibility of team member to maintain confidentiality regarding organization data. In this context, a link between the auditor and the subject matter expert is also made for smoothing the audit process and it saves a lot of time as well.
After imposing a compliance regulation to standardize an audit, disclosing the security gap is important. In this step, provision of the detailed network structure of that company to the auditor is important. As per Khan & Parkinson, (2018), a wide overview of the IT infrastructure of a company improves the effectiveness of the audit to start the vulnerability assessment to identify the security gap.
The completion of the detection and recording of those technological vulnerabilities is important. As per Valinejad & Rahmani, (2018), after the identification of a complete chain of risk, the performance credibility needs to be addressed. The evaluation of the performance regarding the defense power against cyber crime is also proceeding in this step for effective audit control management. It is not only to update the security provision through vulnerability scanning or the monitor of the network. Hence as per Amali et al., (2020), also the workforce needs to be upgraded by following the current method. An effective cyber security audit can be functioned with more emphasis on the internal value creation or by enhancing the internal preferences.
The final way to incorporate cyber security audits in an organization. In this step, security risk is grouped according to priority value and it reduces the risk engaged to an organization that causes damage to their functionality. Here possible response to the threats or risks can be made through some best suitable method for the industry or any specific business organization. A weighting system can be followed to address the risks that create more damage on the business level (Chergui & Chakir, 2020). Thus, the continuous monitoring through the cyber security audit on monthly, quarterly or yearly basis can reduce the disruption in workflow.
The cyber risk management procedure helps an organization to detect risk and fight against the assessed risk throughout. As per Stafford, Deitz & Li, (2018), the intensity of the potential risks is also addressed in the management process. Through this management, penetration of the required Cybersecurity testing helps an organization to refine procedures of the digital attributes related to the business infrastructure. Then the cyber security audit determines the framework for the by identifying risk types and also the different types of threats related to that organization. Cyber securities audits then follow up on the following area for wider protection and the link between these two are raised here in this context.
Threat of Malware:
A technological infrastructure is designed to engage any disruption to a computer system. On the other hand, unauthorized access is also made to the computer system and many of the hackers use this type of malware to decrease the quality of the data protection of a company and weaken their security system (Zheng et al., 2019). Cyber security audits reduce the risk of this type of malware by assessing the security gap that prevailed in that business organization.
Threat of Phishing:
This is another type of cyber security attack while sharing any password or OTP to the trusted entity or to a person. By clicking any malicious link or malicious file, downloading can open up all the important information that can be personal or in the industrial level. As per Kahyaoglu & Caliyurt, 2018), this is a kind of social engineering that tries to take an attempt for any manipulation to the computer users. In that context, cyber security audits add detection procedures for checking the blacklisted contacts or software.
Form Jacking:
This is a tremendously risky process of cyber crime where hackers try to catch a complete signal or loophole of a company. Khan & Parkinson, (2018) have discussed that in this process, hackers use JavaScript coding to generate an access to all the information of a company. Hence, through the checking procedure of the vulnerabilities there are clear opportunities for the security manager to control and manage this type of data breaching risk and add value to the working procedure of the company.
The opportunity of the multiple vulnerability scanning through the 360-degree cyber security holding an advanced security tool is developed for an in-depth analysis. Important data of business and customer are all safeguarded by the combined work of security audit and security management as well. Irrespective of the previously mentioned factors, the role of cyber security is also linked with the management department for other various means. Firstly, a security audit helps to measure the existing program of security management that is beyond the industry standard (Valinejad & Rahmani, 2018). This approach makes the security manager acquire some new strategies. Again, the appropriate policy and procedures enabled by the audit securities makes the managers in track to take feasible steps regarding cyber crime for the business upliftment.
Both the provision of internal and external scanning of vulnerability helps to address the risk from a little early stage and the protection regarding the service can be obtained easily. Vulnerability checking linked both the management and audit team for better protectionary measurement. There is no false assurance made from the security audit that can make the management team in the wrong direction as well. Lastly, through the audit process, the management team can perform numerous scans that ensure the correct risk detection.
COBIT framework is a necessary area required to link up the business with the IT operations inclusion. Their function is to restrain integrity approaches towards the business opportunities. As per Amali et al., (2020), COBIT framework includes two main parameters such as “scope” and “operation” to control over the IT procedures. These procedures include the practice of existing organizational structure and their policies. By connection with this, COBIT generally gives a brief structure of the IT governance suitable for a business organization. Their elementary holding helps to maintain the security for achieving the business objectives. To ensure this security COBIT includes five components and those are as follows:
COBIT Framework:
This framework is dedicated to meet the demand for an organization of being organized. As per Febriyani, Alhari & Kusumasari, (2022), the framework study helps to make a list and categorize all the objectives of their concerns with specific governance related to IT context. They have also added in their discussion that this framework makes a company to follow a good holding as per the field of IT domain. Thus, an integration process as a whole can be achieved as per the business requirements.
Description of the Process:
This component makes that company choose a common language for the entire departmental area holding. Blanco & Piattini, (2020) have opined that this not only helps organizations to get a processed model throughout, useful for the enterprise.
Guideline regarding Management:
This management area focuses on the assignment of the roles and responsibilities in the department of IT governance. Through the guideline, a uniform structure is established and as result, teamwork can be achieved (Moudoubah, Mansouri & Qbadou, 2021). This not only enhances the brand value of a company but also achieves business objectives in a great manner.
Maturity Model:
This model helps the COBIT framework to address any gap that prevailed in the process and work. As per Chergui & Chakir, (2020), capability of each process of IT governance are also addressed and maturity level of this procedure is been checked.
Control over Objectives:
It offers a company their certain requirements for affectivity holding and their reliable approach is being addressed in the control of their IT processes.
The US government has made the ideology of NIST Cybersecurity framework and it was published in 2014. It sets out a number of recommended standards which organizations in the public and private sector can follow to reinforce their Cybersecurity profile. As per Blanco & Piattini, (2020), the key elements of the NIST framework are constructed with five factors. the first one is to the identification, then data protection, detection of risks and the last two factors are respond and recover.
Figure 1: NIST Framework
(Source: Blanco & Piattini, 2020)
The goal of this framework is to reach the “targeted people” those are dependent on the particular organization for various role performances. Here the main area is to record the compliances of the software and workers for data protection security measurement. Cyber attacks have been widely noticeable risk in certain years of digitalization. This will not be much of a surprise, given how often data breaches and hacks make the news today, but the sophistication of wide-scale social engineering attacks on SMBs and their propensity to cause enormous issues with smaller companies is proving to be a massive threat to modern businesses.
Before analyzing the contribution of these frameworks, the process of internal audit function needs to be understood.
The Procedure of an Internal Audit
An internal audit is carried out to determine whether a corporation adheres to its own set of norms, regulations, and standards in the appropriate manner. Every company is required to adhere to a predetermined set of guidelines. As a result, the businesses have an auditor who is working toward obtaining certification in internal auditing so that they can guarantee that their workers and senior officials comply with all of the regulations for the sake of maintaining legal and operational efficiency. The management of a company may better determine whether or not there are problems with the business by carrying out internal audits. It is determined, by an analysis of the companies’ financial reports and data gathering procedures, whether or not the companies are objective in their use of a variety of strategies to accomplish their business objectives.
Figure 2: Internal Audit Function
(Source: Yamin & Katt, 2019)
There are various kinds of internal audits such as compliance audits, IT audit, performance and operational audits and many more. Hence, in this question the framework for COBIT is made then the IT audit is the mandatory area to focus on.
Audits of IT systems can include analyzing and grading the underlying hardware and software. To determine whether or not requests are being processed and whether or not the software and hardware are functioning correctly, the auditor conducts tests. The cyber concerns that may need rapid care are inspected in this audit. The expert also looks at things like backup and recovery procedures, system functionality, and broader IT governance (Moudoubah, Mansouri & Qbadou, 2021). In the further section, COBIT audit is further discussed in the following section assessing their role for IT.
Successful IT governance and management is based on the COBIT framework, which was created, developed, and is constantly updated by the “Information Systems Audit and Control Association (ISACA)”. It is a comprehensive set of guidelines designed to help businesses establish IT governance and control structure that works for them. The entire name of the COBIT framework is Control Objectives for Information and Related Technology; however, following the 5th iteration, it was agreed to simply use the acronym.
Chicago, Illinois is home to the headquarters of the “Information Systems Audit and Control Association, Inc. (ISACA)”, a non-profit organization. ISACA’s primary goal ever since its inception has been to make available practical resources and effective answers to the challenges faced by organizations of all kinds that rely on IT. “International Society of Auditing, Control, and Assurance Professionals (ISACA)” serves those in the business of auditing, controlling, and assurance all around the world (Yamin & Katt, 2019). The organization offers a variety of certifications in addition to COBIT, which is one of the most widely used frameworks for auditing IT infrastructure. Some examples of credentials that belong here include the “Certified Information Systems Auditor (CISA)”, the “Certified Information Systems Manager (CISM), the Certified in the Governance of Enterprise Information Technology (CGEIT), and the Certified in Risk and Information Systems Control (CRISC)”.
COBIT was developed so that IT managers, business leaders, and compliance auditors could all speak the same language when discussing IT governance, strategy, and results. When an organization is audited without a shared language, auditors may need to be briefed on the “when, where, and why” of certain IT controls. In-depth guidelines like those provided by COBIT make full implementation challenging for small and medium-sized businesses. This is due to the comprehensive nature of the COBIT framework. Despite being comprehensive and providing clear principles for IT governance, putting it into practice is a time-consuming ordeal. In today’s information technology-driven business climate, COBIT is a valuable tool for assessing internal controls. As a result of its complexity, COBIT implementation is best handled with the help of experienced experts.
Decisions on COBIT implementation should not be made hastily. Discussion with upper-level management and, if available, the internal audit group is suggested before making a final decision. The aid of specialized audit specialists is crucial for SMEs to achieve a successful COBIT implementation (Yudiantoro, WA & Wibowo, 2021). The organization should first teach its key audit team members on COBIT before using the framework in its internal audits. The next internal audit that is being planned, executed, and recorded should serve as an opportunity for the organization to try out COBIT for evaluating internal controls. It is also important to remember that following COBIT standards is only one part of performing an internal audit. Although there is much more to a successful system audit than just adopting COBIT, this is a good first step.
The five stages of the NIST framework again provide data security and protection to the information through different subcategories. By “PR.DS-1” and 2 all the rest and transit data is protected (Krumay, Bernroider & Walser, 2018). The CAE officer confirms ePHI data that are encrypted. Network managers should maintain the responsibility to restrict all the external data transmissions from being unencrypted. Again, through PR.DS-5, the Cybersecurity team protects all the data that has the risk of being leaked. The Cybersecurity team of NIST rapidly monitors the DLP alerts and cultivates the potential loss of any ePHI. In that context, PR-DS-6 incorporated an integrity checking for the verification of any newly engaged software and firmware. Again, for the information protection, through the subcategory of PR.IP-1 and 2, a baseline is created to configure the information technology to the industrial level. It also implemented a “system development life cycle”. On the other hand, PR.IP-3 and 4 introduce new ways to change the control process used in configuration and limited though effective backup of the information can also be conducted and continued testing properly.
Amali, L. N., Katili, M. R., Suhada, S., & Hadjaratie, L. (2020). The measurement of maturity level of information technology service based on COBIT 5 framework. TELKOMNIKA (Telecommunication Computing Electronics and Control), 18(1), 133-139. http://telkomnika.uad.ac.id/index.php/TELKOMNIKA/article/view/10582
Blanco, M. A., & Piattini, M. (2020, September). Adapting COBIT for Quantum Computing Governance. In International Conference on the Quality of Information and Communications Technology (pp. 274-283). Springer, Cham. https://link.springer.com/chapter/10.1007/978-3-030-58793-2_22
Chergui, M., & Chakir, A. (2020). IT GRC smart adviser: Process driven architecture applying an integrated framework. Advances in Science, Technology and Engineering Systems, 5(6), 247-255.
Febriyani, W., Alhari, M. I., & Kusumasari, T. F. (2022, July). Design of IT Governance based on Cobit 2019: A Case Study of XYZ Education Foundation. In 2022 1st International Conference on Information System & Information Technology (ICISIT) (pp. 289-294). IEEE. https://ieeexplore.ieee.org/abstract/document/9872888/
Haqaf, H., & Koyuncu, M. (2018). Understanding key skills for information security managers. International Journal of Information Management, 43, 165-172. https://www.sciencedirect.com/science/article/pii/S0268401218302251
Kahyaoglu, S. B., & Caliyurt, K. (2018). Cyber security assurance process from the internal audit perspective. Managerial Auditing Journal. https://www.emerald.com/insight/content/doi/10.1108/MAJ-02-2018-1804/full/html
Khan, S., & Parkinson, S. (2018). Review into state of the art of vulnerability assessment using artificial intelligence. Guide to Vulnerability Analysis for Computer Networks and Systems, 3-32. https://link.springer.com/chapter/10.1007/978-3-319-92624-7_1
Krumay, B., Bernroider, E. W., & Walser, R. (2018, November). Evaluation of cybersecurity management controls and metrics of critical infrastructures: A literature review considering the NIST cybersecurity framework. In Nordic Conference on Secure IT Systems (pp. 369-384). Springer, Cham. https://link.springer.com/chapter/10.1007/978-3-030-03638-6_23
Lois, P., Drogalas, G., Karagiorgos, A., & Tsikalakis, K. (2020). Internal audits in the digital era: opportunities risks and challenges. EuroMed Journal of Business. https://www.emerald.com/insight/content/doi/10.1108/EMJB-07-2019-0097/full/html
Lois, P., Drogalas, G., Karagiorgos, A., Thrassou, A., & Vrontis, D. (2021). Internal auditing and cyber security: audit role and procedural contribution. International Journal of Managerial and Financial Accounting, 13(1), 25-47.
Moudoubah, L., Mansouri, K., & Qbadou, M. (2021, November). COBIT 5 Concepts: Towards the Development of an Ontology Model. In The International Conference on Information, Communication & Cybersecurity (pp. 247-256). Springer, Cham. https://link.springer.com/chapter/10.1007/978-3-030-91738-8_24
Stafford, T., Deitz, G., & Li, Y. (2018). The role of internal audit and user training in information security policy compliance. Managerial Auditing Journal. https://www.emerald.com/insight/content/doi/10.1108/MAJ-07-2017-1596/full/html
Valinejad, F., & Rahmani, D. (2018). Sustainability risk management in the supply chain of telecommunication companies: A case study. Journal of Cleaner Production, 203, 53-67. https://www.sciencedirect.com/science/article/pii/S0959652618325174
Yamin, M. M., & Katt, B. (2019, August). Cyber security skill set analysis for common curricula development. In Proceedings of the 14th International Conference on Availability, Reliability and Security (pp. 1-8). https://dl.acm.org/doi/abs/10.1145/3339252.3340527
Yudiantoro, D. C., WA, B. S., & Wibowo, F. W. (2021). Internal Performance Evaluation of PT. Kimia Farma to Maintain Human Resources Skills and Motivation. Journal of Information Technology, 1(1), 37-42. https://journal.shantibhuana.ac.id/index.php/jifotech/article/download/236/113
Zengy, J., Wang, X., Liu, J., Chen, Y., Liang, Z., Chua, T. S., & Chua, Z. L. (2022, May). Shadewatcher: Recommendation-guided cyber threat analysis using system audit records. In 2022 IEEE Symposium on Security and Privacy (SP) (pp. 489-506). IEEE. https://ieeexplore.ieee.org/abstract/document/9833669/
Zheng, R., Jiang, J., Hao, X., Ren, W., Xiong, F., & Ren, Y. (2019). bcBIM: A blockchain-based big data model for BIM modification audit and provenance in mobile cloud. Mathematical Problems in Engineering, 2019. https://www.hindawi.com/journals/mpe/2019/5349538/