
Does Your Audit Board Know How to Review Cyber Security Ops?

Pathlock
March 17, 2016


Cyber security is on everyone’s mind these days. Keeping abreast of the latest in cyber crime and how it affects your business is an increasingly difficult job, and your IT department cannot do it alone. It needs the board’s commitment to cyber security efforts through C-Suite level oversight, and it needs the board’s understanding that cyber security is critical to your company’s financial security and stability. Companies often hire outside auditors to review their cyber security policies and procedures and to help identify system weaknesses. Even if you are not ready to hire an independent auditor, you have probably created an audit board or audit committee to keep the C-Suite apprised of all things cyber crime related. To help in that critical undertaking, we’ve put together a list of the top things audit boards look for when reviewing cyber security operations.
  • Identify tangible and intangible business assets. Knowing your tangible assets is the easiest part of identifying corporate IT assets. IT can count smart phones, printers, computers, servers, hard-copy files, cameras, etc., and should spend considerable time making a detailed inventory of every component exposed to attack. When it comes to intangible assets, however, it is not possible to take everything into account. Therefore, the audit board needs to define the audit boundary: items inside the boundary are the ones the audit team will consider, and items outside it are the ones they will ignore. The goal is to define the smallest audit area that still allows you to protect your assets and control cyber security.
  • Develop a potential threat list. Every company’s threat list will consist of different components. A few common examples are: passwords, data backups, customer financial and personal information, emails, and data log-in information. It’s also important to prioritize those risks on the basis of how costly (in terms of dollars) and how devastating their potential impact would be.
  • Identify possible future threats. Protecting the company from future attacks is just as important as protecting it from the potential attacks of today. Having a system in place to log industry threats, competitors’ cyber security attacks, and your own company’s history with security issues will help you predict the potential for future attacks.
  • Network Access Controls. This term means setting user controls and permissions for employee access to certain resources. It can also mean file encryption, checking web page cookies, tracking user names, and verifying IP addresses.
  • Intrusion Prevention. This term encompasses setting up second-generation firewalls that not only assess the risk in content but also inspect web and traffic patterns.
  • Identity Controls. It is imperative that the company set up identity control systems that include manual or automatic identification and authentication to prevent employees’ unauthorized access to certain information or resources.
  • Backups. Don’t underestimate how often security breaches result from the accidental loss of information. To protect against such loss, your company should have backup systems that store data on-site, secondary backups of critical information at off-site facilities, and secure access to both. Automated backups are best, and they must be run frequently to be effective.
  • Email Protections. By now, most employees know not to open attachments they aren’t expecting, or any unusual mail for that matter. Some email systems no longer accept attachments at all. IT can also encrypt email to prevent hacking. And, of course, any email system should include spam filters.
  • Physical Break-ins. With all the talk about computer hacking, it’s easy to forget that you can experience physical break-ins as well. Video cameras and other intrusion detection and protection systems can help identify whether intruders have compromised your brick-and-mortar office. You can limit the impact of laptop theft with encrypted hard drives. If your employees use smart phones in their jobs, you can protect them with a service that requires authorization. If the authorization is not forthcoming, the phone emits a high-pitched scream and wipes all data from the phone. If the phone is recovered and the correct authorization given, the data is restored.
If you would like to discuss cyber security audits, or other cyber security issues, please contact us. We can help you protect your business’s cyber security.