
Cyber security audit (blockchain)

A cybersecurity audit is an examination of a company’s ability to protect its information assets. Boosty Labs is the largest smart contract audit agency and blockchain development outsourcing company in Europe. Our world-class fintech, cloud engineering and smart contract development team has a solid background of practice that combines consulting, strategy, design and engineering at scale. Our professionals can help with cyber security audits and with the development of related security software.


Stages of Conducting a Cybersecurity Audit

Interviewing key personnel

Interviews are conducted with the responsible employees of the company to gather initial data on the state of information security within the organization. They also serve to identify the people who own important processes and to collect their views on potential weaknesses in those processes.

Development of audit plan

Based on the results of the interviews, an audit plan is developed. The plan takes into account specific factors such as the needs of individual business units and elements of the company’s development strategy. Independent experts evaluate the quality of the information security measures implemented within the organization and assess how well its processes are documented.

Improvement or development of cybersecurity program

At this stage, experts, in collaboration with the client, determine whether the documents that will guide the rest of the audit and the organization’s overall cybersecurity management need to be created or revised. A risk management framework is developed as part of the program. The collected data is then verified against the actual state of network equipment, transmission channels, desktop and server platforms and application software, and compared with the configurations of security tools such as firewalls, antivirus software and virtualization platforms. This stage also tests the organization’s readiness against various types of cyber attacks through external and internal channels, identifying vulnerabilities that could be exploited by outside attackers or lead to internal breaches. On the basis of this data, a risk assessment and a threat analysis of cybersecurity events are carried out.

Expert conclusion and report formation

The final stage of the cybersecurity audit involves developing recommendations and an implementation roadmap for integrating a new or updated cybersecurity system into the organization’s operations. The “as-is” state is compared with the target state defined in the audit plan, which shows where the company needs to allocate resources. A report is compiled that documents the issues found and lists the recommendations needed to address them and to bring the organization to the target state and level of process maturity.

Situations in Which Cybersecurity Audit Is in Demand

  • Violation of confidentiality

    Leakage of confidential information (such as supplier and customer information, personal data of employees and clients, research and development results) to the public or competitors can lead to customer attrition or loss of competitive advantage.

  • Violation of Availability

    The unavailability of an information system (IS) can result in the suspension of business processes. It is important to determine the actual dependence on the IS, as key business processes of a company, such as customer service or product shipment, can operate for a certain period without automation, with all documents being manually processed on paper. This may cause temporary difficulties but will not completely halt the company’s operations. The information from paper records can be inputted into the IS later, once its functionality is restored.

  • Violation of Integrity

    An example of unauthorized changes to information is the alteration of counterparty details to redirect payments intended for that counterparty. However, companies usually have well-developed internal control systems for payment processes.

Cybersecurity audit is conducted to determine the maturity level of key information security processes and to obtain an overall picture of the company’s information security status, the effectiveness of its applied technical and organizational measures for protecting information, the identification of deficiencies in the processing of confidential information, and vulnerabilities that pose threats to intrusions into the company’s internal infrastructure.

A cybersecurity audit identifies weak points in the security system and IT infrastructure through which malicious actors can gain privileged access to steal, modify, encrypt, or perform other actions regarding the organization’s information assets. The obtained data can be used against both the organization itself and its clients. The audit allows the organization to identify groups of information assets, prioritize them, select an optimal set of solutions to protect them, and determine the sequence of implementation.

Conducting a cybersecurity audit involves a systematic approach to obtaining quantitative and qualitative information about the state of information security in a financial organization, its information resources (websites, web applications, mobile applications, software used, servers, routers), and the processes in which they are involved. The result of the audit is the creation of an audit report and a list of recommendations aimed at improving the maturity of information security processes and enhancing the effectiveness of the protective measures implemented by the organization.

A cybersecurity audit is fundamentally different from compliance assessment. The result of a compliance assessment is the preparation of a report document for submission to a regulatory body. Compliance assessment is conducted according to a strictly defined methodology developed by the regulatory body. On the other hand, an audit is more flexible in terms of work plan and methodology selection, taking into account the organization’s own vision and the consultant’s expertise. It allows for the identification of significant aspects for setting goals, tasks, and areas of development. The primary goal of compliance assessment is to determine the degree of compliance with the mandatory requirements for the organization, while the goals of an audit can be diverse and include obtaining an overall picture of information security status, determining process maturity, assessing the real impact of information security and IT on the business in terms of security risks, and identifying critical points in the security system where the organization needs to focus its resources.

Compliance assessment, as a type of audit, allows a financial organization to compare itself with the current organizational and technical requirements of the regulator and determine compliance or non-compliance with these requirements. In the process of conducting a compliance assessment, external penetration testing is also typically performed, simulating a hacker attack on the organization from public (external) information resources of the organization.

The topic of cybersecurity threats is highly relevant today. Almost every day, the media report that hackers have breached yet another system and leaked confidential information. This is driven by the continuous digitization of businesses and government institutions and by the growing number of threats from cybercriminals. Danger lurks for users at every step. Today a computer can be compromised simply by viewing or clicking a malicious advertisement on the official website of a well-known media outlet: the user is silently redirected to a page controlled by the attacker that hosts a so-called exploit kit, which fingerprints the browser and its plugins, picks an exploit for an unpatched vulnerability it finds, and uses it to install malware without any further action by the user.

Cybersecurity issues are being discussed more frequently in companies at all levels of management. The internal audit department, in turn, when formulating its annual plan, should primarily rely on risk assessment, taking into account the opinions of management and the board of directors.

When assessing risks in the field of cybersecurity, the following questions need to be addressed:

How closely is the company’s business linked to IT? If it is a bank, any attack or disruption of IT services will directly affect customer satisfaction and the bank’s reputation. If it is an agricultural company, a server breach is far less likely to stop fertilizer application or crop harvesting, although that changes as soon as machinery, irrigation or logistics are controlled by IT systems.

What information systems and resources are being used? How critical are they? It is necessary to understand the extent of the damage that would be caused to the company if one of the characteristics of information resources – confidentiality, availability, or integrity – is compromised.

Let’s assume that the cybersecurity risks are high enough that you have decided to conduct an audit. The next question is whether the internal audit department has the qualifications and resources to do it. If the department has an employee with experience in IT or IT audits, that may be sufficient for a cybersecurity audit. The employee will need additional training, but there is no need to send them to expensive classroom courses that run only at fixed times and are not always taught by experienced practitioners. It is far more convenient and effective to train online, using video lessons from instructors at leading universities and from top practitioners.

If the internal audit department does not have specialists in IT or information security, it is necessary to consider involving external experts.

After resource allocation, planning and preliminary examination begin. During these stages, it is necessary to determine which information systems/legal entities/physical sites will be included in the audit scope and which areas will be examined. Usually, compliance with legislation is not addressed in such projects as it is analyzed either in a separate compliance project or in an information security audit (which is a broader concept compared to cybersecurity). It is also important not to forget about other departments and external companies that conduct checks in this area. For example, external auditors, as part of the financial statement audit, assess the effectiveness of IT control systems that generate financial statements. The boundaries of these projects may partially overlap.

After the preliminary examination, the stage of detailed testing begins. Here are some tips for this stage:

It is preferable not to request data remotely but to extract it from the information systems yourself, after obtaining the necessary authorizations, or to take screenshots and perform the extractions while sitting next to the IT specialist. The reason is that system settings can be changed easily and extracts can be manipulated: an IT specialist who guesses the purpose of a test can adjust the information provided to their advantage. Evidence collected this way should also be fixed at the moment of collection (for example by recording a cryptographic hash of each extract), so that a later change to a file or configuration can be detected.
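The following is an added example, not code from the Boosty Labs page: a small Python helper that makes audit evidence tamper-evident. It records a SHA-256 digest and size of every extracted file in a manifest with a collection timestamp and collector name, computes a digest of the manifest itself (to be noted in the audit workpapers out of band), and later verifies that nothing in the evidence set was modified, removed or added. The file names, the sample firewall rules and the user export below are constructed sample data, and `auditor@example.invalid` is a placeholder collector identity.

```python
"""Tamper-evident evidence manifest for an audit's detailed-testing stage.

Added example for illustration; file contents are constructed samples.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record the digest and size of every file under evidence_dir at collection time."""
    files = {}
    for path in sorted(evidence_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(evidence_dir).as_posix()
            files[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "files": files,
    }
    # Digest of the canonical file table. Write this value into the audit
    # workpapers (or sign it) so the manifest itself cannot be quietly rewritten.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the directory with the manifest.

    Returns {relative_path: status}, where status is 'ok', 'modified',
    'missing' (listed in the manifest but gone from disk) or
    'unexpected' (present on disk but never recorded).
    """
    expected = manifest["files"]
    report = {}
    for rel, meta in expected.items():
        path = evidence_dir / rel
        if not path.is_file():
            report[rel] = "missing"
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for path in evidence_dir.rglob("*"):
        if path.is_file():
            rel = path.relative_to(evidence_dir).as_posix()
            if rel not in expected:
                report[rel] = "unexpected"
    return report


def run_demo() -> dict:
    """Constructed scenario: collect two extracts, then alter the evidence set."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        (evidence / "firewall").mkdir()
        # Constructed sample content standing in for real exports.
        (evidence / "firewall" / "rules.txt").write_text(
            "1 permit tcp any 10.0.0.0/8 443\n2 deny ip any any\n")
        (evidence / "ad_users.csv").write_text(
            "sam,enabled,last_logon\nadmin,1,2024-01-05\n")

        manifest = build_manifest(evidence, collector="auditor@example.invalid")
        clean = verify_manifest(evidence, manifest)

        # Simulate what the text warns about: the extract is changed afterwards,
        # one file disappears and another is slipped in.
        (evidence / "firewall" / "rules.txt").write_text(
            "1 permit tcp any any 443\n2 deny ip any any\n")
        (evidence / "ad_users.csv").unlink()
        (evidence / "notes.txt").write_text("added later\n")
        tampered = verify_manifest(evidence, manifest)

    return {"clean": clean, "tampered": tampered,
            "manifest_sha256": manifest["manifest_sha256"]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In real use the manifest is built immediately after the extraction, on the auditor’s own machine, and its `manifest_sha256` is copied into the workpapers; a verification run at report time then shows exactly which extracts can still be relied on.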

Significant attention should be given to real security issues, for example:

Is penetration testing performed? By whom? What goal is set for the performer? What is included within the scope of such a project? What are the results? Are identified shortcomings addressed?

As practice shows, users are the weakest link in the security system. Therefore, it is necessary to understand how users are trained in cybersecurity matters. Is their level of knowledge assessed? Is a social engineering attack conducted on users as part of the penetration testing?

What cybersecurity incidents were recorded during the audited period? How did the information security specialists react? Was an investigation conducted? What measures were taken to prevent such incidents in the future?

If your company operates Supervisory Control and Data Acquisition (SCADA) systems, they are usually the most critical assets and require special attention. For such systems the most obvious threat is unavailability, which can halt production, but violations of integrity, such as manipulated setpoints or falsified sensor readings, are at least as serious because they can cause equipment damage or safety incidents. The number of attacks on SCADA systems is constantly increasing, and their consequences can be significant.

It is desirable to prepare two reports based on the audit results. One report will be intended for IT specialists and will contain a detailed description of the deficiencies using specific IT terminology. The second report or presentation for top management and the audit committee will describe key points in business language.

As we can see, cybersecurity audits are not significantly different from traditional audits of procurement or investments. While cybersecurity audits were previously considered specialized and specific, they are now being conducted more frequently, and their results help companies enhance their business resilience against cyber threats and reduce expenses in this area.

Connect with Us

Eager to unleash your growth potential with Boosty Labs? Connect with our team to learn more about our services and how we can help you realize your ambitions.
