Question Tag: Cyber Security


Recently one of your clients in the financial services sector has had its ICT system hacked and large sums of depositors’ funds stolen. He called and informed you about what happened. You intimated to him that his company needs a cyber security policy and a cyber security audit. He requested a briefing on the issue.

Required:

i) Outline the purposes of a cyber security policy.

(5 marks)

ii) Explain cyber security audit and what it is intended to achieve.

(5 marks)

i) Purposes of Cyber Security Policy

  1. Information Protection Obligations
    Organisations using electronic systems for the conduct of business need to have a cyber security policy and strategy. By their design, cyber security policies serve many purposes, including informing organisation users and third parties of their obligations to protect the organisation’s digital assets.
  2. Asset Protection and Threat Awareness
    The policy describes what must be protected and outlines the possible threats to those assets. Cyber security policies also set out what counts as acceptable usage; for example, a policy may state that employees may not use the organisation’s internet outside office hours or for private work.
  3. Classification of Digital Assets
    Another element of a cyber security policy is the classification of digital assets, where system files, data, and equipment can be classified either as confidential or non-confidential.
  4. Mitigating Employee Risks
    A good cyber security policy recognises the fact that employees are the biggest security threat to an organisation because their wilful action or inaction can cause damage.
  5. Access Control and Monitoring
    The policy provides mitigations such as limited access to qualified persons only, logging the usage of the system, and making it mandatory for employees to change their passwords periodically.

(5 points for 5 marks)
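The controls named under points 2 and 5 (acceptable-usage hours, access limited to qualified persons, logging of system usage, periodic password change) only have teeth if someone checks them against the records the systems actually keep. The script below is an added illustration, not part of the model answer, of what such a check looks like: it reads a constructed account register and a few constructed access-log lines and reports each breach of a hypothetical policy. The policy values (90-day password age, 08:00 to 18:00 office hours, the `admin`/`dba` privileged roles, the `export_ledger` privileged action) are assumptions chosen for the example; the answer itself sets no figures.

```python
"""Added example (not part of the original answer): a small policy-compliance
check covering access limits, usage logging and periodic password change.
Every account record, log line and policy value below is constructed."""
from datetime import datetime, timedelta

# Hypothetical policy values, chosen for illustration only.
POLICY = {
    "max_password_age_days": 90,
    "office_hours": (8, 18),              # 08:00 inclusive to 18:00 exclusive
    "privileged_roles": {"admin", "dba"},
}

# Which logged actions require a privileged role (assumption for the example).
PRIVILEGED_ACTIONS = {"export_ledger"}

# Constructed account register: role and date of last password change.
ACCOUNTS = {
    "akua":   {"role": "teller", "pw_changed": "2024-01-05"},
    "kofi":   {"role": "admin",  "pw_changed": "2023-09-12"},
    "intern": {"role": "intern", "pw_changed": "2024-02-20"},
}

# Constructed access-log lines: timestamp, user, action.
LOG_LINES = """\
2024-03-01T09:15:00 akua   view_account
2024-03-01T22:40:00 akua   view_account
2024-03-02T10:05:00 intern export_ledger
2024-03-02T11:00:00 kofi   export_ledger
2024-03-02T11:30:00 ghost  view_account
"""


def stale_passwords(accounts, as_of_iso, max_age_days):
    """Return the users whose password is older than the policy allows."""
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=max_age_days)
    return sorted(user for user, acct in accounts.items()
                  if datetime.fromisoformat(acct["pw_changed"]) < cutoff)


def review_log(log_text, accounts, policy):
    """Flag log entries that breach the policy: accounts not in the register,
    privileged actions by unprivileged roles, and usage outside office hours.
    Returns a list of (user, reason) tuples in log order."""
    findings = []
    start, end = policy["office_hours"]
    for line in log_text.splitlines():
        ts, user, action = line.split()
        when = datetime.fromisoformat(ts)
        if user not in accounts:
            # Access by an account nobody authorised: the register is the
            # "qualified persons only" list, so anything else is a finding.
            findings.append((user, "unknown account"))
            continue
        role = accounts[user]["role"]
        if action in PRIVILEGED_ACTIONS and role not in policy["privileged_roles"]:
            findings.append((user, f"{action} not permitted for role {role}"))
        if not (start <= when.hour < end):
            findings.append((user, f"usage outside office hours at {ts}"))
    return findings


if __name__ == "__main__":
    print("stale passwords:",
          stale_passwords(ACCOUNTS, "2024-03-03", POLICY["max_password_age_days"]))
    for user, reason in review_log(LOG_LINES, ACCOUNTS, POLICY):
        print(f"finding: {user}: {reason}")
```

Run against the constructed data, the check reports one stale password (kofi), one after-hours session (akua), one privileged export by an unprivileged role (intern) and one login by an account absent from the register (ghost). The point for the briefing is that each sentence of the policy maps to a record that can be inspected; a control the organisation cannot check in this way is one it cannot show an auditor it is enforcing.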

ii) Cyber Security Audit and What It Is Intended to Achieve

A cyber security audit is a formal process of carrying out a cyber security assessment. It is an assessment carried out by a certified third party, an independent organisation, or a consultant. Cyber security audits usually involve an external assessment to ascertain the level of cyber risks an organisation is exposed to.

(2 marks)

What It Is Intended to Achieve:

  1. Risk Identification
    When done properly, a cyber security audit helps the organisation understand what risks to its information systems and software exist in its environment.
  2. Prioritisation of Risks
    The audit can help prioritise these risks and align the organisation’s information protection with the requirements of the relevant central authority, such as the Data Commission, the Communication Authority, or even the Central Bank, and with external security frameworks such as the National Institute of Standards and Technology (NIST) cyber security framework of the USA, the European Network and Information Security Agency (ENISA), and the ISO/IEC 27000 family of standards on information security management systems.
  3. Gap Analysis
    Once the audit and assessment are completed, the reviewer will provide a detailed report articulating gaps or vulnerabilities in the organisation’s security profile.
  4. Roadmap for Improvement
    The tangible outcome of a cyber security audit is a clear-cut roadmap, which is expected not only to improve cyber security readiness but also to ensure long-term compliance and a robust system of risk management.

(3 points for 3 marks)