By helloDarwin
January 06, 2022
Cybersecurity audit - a case study for SME
We need to be flexible in the definition of a Cybersecurity Audit, especially when the mandate is for a “Small and Medium-sized Enterprise” (SME)! Our multidisciplinary team has been involved in security and information technology for more than 25 years. We advise our clients to take advantage of new technologies to maintain their strategic positioning.
Our cybersecurity audit mandate with an SME aims at evaluating and proposing recommendations on the state of the network and cybersecurity; guide and advise our client on industry best practices, and to propose a plan of action to correct weaknesses and vulnerabilities identified and thus reduce the risks related to cybersecurity. Being a member of the ISACA (Information Systems Audit and Control Association) - Montreal Chapter, I seek to provide leverage and added value by presenting a coherent report to the client with technical recommendations supported by standards of good practice. This will help the SMB business leaders understand the action plan, which is not always easy!
When such is the case, we will use best practice guides developed by ISACA to address the particulars of SME’s in conjunction with the National Institute of Standards and Technology (NIST)¹ Cybersecurity programs which promote the development and application of innovative and practical technologies and methodologies for security and improvement of critical cybersecurity infrastructures.
First part – use of cybersecurity guides
The cybersecurity guides for SMEs² proposed by ISACA are essential resources. Aligned with the COBIT5 standard, these guides address the needs of the SME whose technical resources and budgets are often limited. The "Cybersecurity Guidance for Small and Medium-sized Entreprises" guide first defines the different categories of SMEs and then proposes 8 principles and 55 guidance clauses (requirements/controls). Each clause receives a "Critical" "Severe" or "Important" audit rating, identifying a cybersecurity risk level for an SME, see Table 1.
Audit Rating Explanation
Audit Rating | Explanation |
|---|---|
Critical | Major impact or risk to the enterprise, potentially endangering the existence of the enterprise. Impacts and risk may be financial, operational, reputational, legal or of any other kind. |
Significant | Impact or risk to the enterprise, with potentially wide-ranging consequences within the business year. |
Important | Impact or risk to the enterprise that goes beyond the tolerated levels of impact and risk, as defined by senior management |
Table 1- Audit Rating Explanation
Each requirement is assigned with one of the audit ratings. Table 2 presents an example of some of the requirements that emerged while on assignment.
Auditable Cybersecurity Requirements
Cybersecurity Guidance Clause (CGC) | Requirements/Controls | Audit Rating |
|---|---|---|
1 | Documented cybersecurity governance rules | Critical |
4 | Documented cybersecurity strategy | Significant |
11 | Documented procedures and management practices for cybersecurity | Important |
4 | Documented information asset classification, cybersecurity risk and threats | Significant |
Table 2 - Auditable Cybersecurity Requirements
Once our tests and analyzes are completed, we develop recommendations for the identified gaps, weaknesses, or vulnerabilities and prioritize them from 1 to 3. By matching each of our recommendations to one or more of the guide's clauses - see some examples in Table 3 - Mapping of the requirements and the recommendations, we add consistency to the report.
C.G.C. | Requirements/Controls | Audit Rating | Recommendations | Priority |
1 | Documented cybersecurity governance rules | Critical | R1 | 2 |
34 | Secure configuration of logical points of entry | Critical | R5-R6-R9 | 1 |
37 | Malware defense mechanisms | Critical | R7 | 3 |
38 | Boundary defense mechanisms | Critical | R3-R4-R5-R6-R9 | 1 |
44 | “Need to know” and “Least privilege” principles documented and in evidence | Critical | R8 | 3 |
4 | Documented cybersecurity strategy | Significant | R1 | 1 |
21 | Documented information asset inventory/ Documented information asset classification, cybersecurity risk and threats | Significant | R2 | 1 |
23 | Identified critical IT services and applications, critical IT infrastructures and third party products and services | Significant | R2 | 2 |
24 | Adequate extent and detail of cybersecurity architecture, size and complexity | Important | R3 | 2 |
25 | Adequate skills and competencies of cybersecurity staff | Significant | R2 | 1 |
Table 3 - Mapping of the requirements and the recommendations
Finally, we will map the proposed recommendations and controls-oriented clauses, which are the minimum requirement criteria for SMEs. Table 4 – Summary of recommendations by priority and rating, is an example of the result obtained.
Priority | Audit Rating | No recommendations | Recommendations | Requirements/Controls | C.G.C. |
1 | Critical | R5 | Refresh and review the routers configuration | Secure configuration of logical points of entry | 34 |
R6 | Firewalls | ||||
R9 | Protect against malware softwares | ||||
R3 | Complexity of network | Boundary defense mechanisms | 38 | ||
R4 | Wi-Fi Network | ||||
R5-R6-R9 | Refresh and review the routers configuration /firewalls / Protect against malware softwares | ||||
2 | Critical | R5-R6-R9 | Secure configuration mechanisms for hardware/ applications and software | 31 | |
2 | Significant | R4-R5-R6-R9 | Secure configuration mechanisms for network devices including third party devices | 33 | |
2 | Significant | R4-R5-R6-R7-R9 | Identified vulnerabilities | 35 | |
1 | Significant | R1 | No formal documentation regarding security policies and principles | Documented cybersecurity strategy | 4 |
2 | Critical | Documented cybersecurity governance rules | 1 | ||
2 | Important | Documented procedures and management practices for cybersecurity | 11 |
Table 4 – Summary of recommendations by priority and rating
Table 4 serves as a basis for facilitating discussion and decision-making on the action plan for implementation of proposed recommendations and corrective actions to be taken to internal controls.
Part Two – Implementation of recommendations and maintenance of critical Cybersecurity infrastructures
The proposed action plan will maintain the confidentiality, integrity and availability of the systems, considering three major axes: 1- good governance, by aligning IT objectives with business goals, 2- risk management deemed acceptable in the achievement of established objectives and 3- the proper use of company resources.
To achieve this, our methodology will build on the NIST model for improving critical infrastructure of cybersecurity. This model is adaptive and integrates with the COBIT 5 framework for its implementation. As a Risk-based approach, it is used with a wide range of processes that integrate day-to-day operations by grouping them into 5 major functions as illustrated in
Figure 1- Functions of the NIST CSF Framework Core
Figure 1- Functions of the NIST CSF Framework Core</strong>
- At a high level, these functions allow:
- Identification of critical assets of the company;
- Protection of the data they hold;
- Detecting anomalies and incidents in systems;
- The response to ongoing actions, monitoring and improvements to systems and processes when threats or vulnerabilities have been identified;
- Recovery and restore any capabilities or services impaired during a cybersecurity event, follow-ups and actions to be taken for improvement and feedback.
In light of this, the preferred strategy for securing information systems will include measures to protect critical assets at a reasonable cost for the company
This methodology, which incorporates practices widely used in the industry, is the essence of our professional practice because it allows us to better serve our customers and to enhance the security level of their critical cyber infrastructure.
For more information regarding the cybersecurity audit, visit our website Sources:
1) NIST, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity V1.1, USA 2017
2) ISACA, Cybersecurity Guidance for Small and Medium-sized Enterprises, USA, 2015</p><p>ISACA, Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises, USA 2015
ISACA, Transforming Cybersecurity, USA, 2013
Auteure : Pascale Dominique,
Co-founder and Vice-President Finances of ConnecTalk.
In addition to her duties within her company, she also acts as an analyst and a project manager in information technology.
Academic diploma:
- Bachelor of Business Administration, University of Quebec in Montreal,1984
Assocations and Certifications
Member of CPA Canada since 1986 she is a CPA-CA
- Member of Information Systems Audit and Control Association (ISACA) since 2002
- CISA Certification (Certified Information Systems Auditor) since 2006
- CRISC Certification (Certified in Risk and Information Systems Controls) since 2011
- Member of the Board of Directors at ISACA-Montreal Chapter as Vice-présidente Training and Certification since 2016.
Related Tags
Cybersecurity
Collaborations
About the author
helloDarwin
We create successful business alliances through tailor-made partnerships. Web marketing, video production, ERP/CRM integration... Whatever professional service you need for your business, helloDarwin helps you find the best service providers for your project. Free of charge, without any obligation and within 48 hours on average. We help you find grants, loans, aid and assist you throughout your digital transformation.