CYBER AUDIT

Problem Statement:

Organisations, their business functions, their systems of systems are increasingly dependent on cyberspace and attacks in cyberspace are no longer limited to simple discrete events such as the spread of a virus or a worm, or a denial-of-service attack on an organization. As we see in the many newsfeeds that hit our desktop every day, campaigns are being waged by advanced persistent threats and involve persistent and sophisticated attacks aimed at establishing a foothold in an organization to deliver a set of resources and controls that an adversary may hold and execute at a time of their choosing.

They will then infiltrate organisational sensitive information for the purpose of working with other cyber criminals on the dark web to get the biggest bang for their buck. Ransomware attacks are common-place, recent examples such as the Colonial Pipeline hack and the JBS foods paid $14m to ransomware attackers in early 2021. Yet despite this, some organisations choose to take a light touch when it comes to Governance, Risk and Compliance (GRC) activities because it means a continuous commitment to invest in assurance activities and this is a new expense that hits the organisation’s bottom line with no clear payback outside of not being offline and/or inconvenience.

Those assurance activities include the policies, procedures, and processes to manage and monitor an organisation’s regulatory, legal, risk, environmental, and operational requirements which help inform the leadership team of the cyber security risk and the posture of the organization. Its so much more than just ticking a box. It will serve as a helpful tool when providing evidence on a Financial Statements audit.

A cyber security audit is designed to be a comprehensive review and analysis of your business IT infrastructure, the people who use the infrastructure and services, the processes, and the policies for use, the audit is as much about understanding the culture of an organisation as it is understanding the decisions made by its executives with respect to risk. Ultimately the outcome of an audit is to learn about the weaknesses in your environment and implement controls to mitigate the risks by embedding repeatable processes that continue to build a resilient capability. An audit should be viewed as a tool to help mitigate the risks and help your executive understand if their organisation has embedded the correct controls to protect their organisation if they have been effective and serve as a recognised baseline of maturity for your organization’s level of cyber resilience.

Service Description:

AUSCSEC will work with your team to discuss what is in scope in accordance with your organisation’s business objectives. What your leadership team have agreed as their optimal acceptable cyber security posture and when you have agreed to accept an exemption and when you rule them out of scope, AUSCSEC will provide you with an audit trail to keep track of your business decisions.

The audit should identify any threats, vulnerabilities, and risks. “You cannot secure what you cannot see”, AUSCSEC makes it possible to see the forest for the trees and speaks to you in your language about how to improve your security posture.

Aside from basic cyber awareness training and understanding the security culture of your organization, an audit will determine the state of your asset management system to help understand the age of your fleet, the version levels of the software, hardware, and firmware as a baseline.

Audit information helps to inform your organisation’s resilience requirements and whether they are appropriate to enable and support the delivery of critical services to your customers. What you have in place may not be effective enough to ensure the resilience of your organization. AUSCSEC will work in co-design with your team to help you understand any vulnerabilities in your environment and show you how you can implement controls to mitigate the risks by embedding repeatable processes that continue to build a resilient capability.

Benefits:

Building these standards, guidelines and practices enables organisations to identify and describe their current cyber security posture and describe their target state for cyber security. Additionally, AUSCSEC can help identify and prioritise opportunities for improvement within the context of building continuous and repeatable processes. Ideally, this also enables clear communications among internal and external stakeholders about your acceptable cyber security risk and defines a clear roadmap to maximize cyber security resilience at a cost that suits your budget and timeframe but doesn’t compromise your business outcomes.

Real Life Example:

Many business leaders now understand that building cyber security is a real challenge to them, and that it’s not a matter of if, but when, they will come under attack. In fact, it’s no longer considered an individualized problem as we have seen in recent events protection of your patch is not good enough you also have to understand your end-to-end supply chains and your third-party application interactions. Everything is inherently connected by default, the cyber security vulnerabilities of anyone you interact with for your business, can now also leave you vulnerable and at high risk.

You don’t have to go far to see the extent to which cyber criminals will go in threatening our way of life, our economy and our national security. The Ransomware attacks on JBS Foods and Nine Entertainment alone during early 2021 are a reminder that, if successful, these criminals have the potential to bring a nations critical infrastructure to its knees and demand a ransom to bring it back online, and if you are lucky, they won’t sell your information to the highest bidder when you pay the ransom. Nine Entertainment warns that ransomware recovery ‘will take time’.

This is particularly crucial if you are working with providers supporting critical infrastructure assets or other government agencies. The table below demonstrates the likelihood of a risk happening and the consequences that risk has without remediation. This table also defines the roles and responsibility of the business owners in the presence of a final risk outcome, what ongoing management of that risk will be required and who can review it.