A Practical Model to Perform Comprehensive Cybersecurity Audits
DOI: https://doi.org/10.29019/enfoqueute.v9n1.214
Keywords: cybersecurity, cybersecurity audit, cybersecurity audit model, cybersecurity assurance, cybersecurity controls
Abstract
Organizations today continually face being the targets of cyberattacks and cyberthreats; the sophistication and complexity of modern cyberattacks, and the modus operandi of cybercriminals, including their Techniques, Tactics and Procedures (TTP), keep growing at unprecedented rates. Cybercriminals constantly adopt new strategies to plan and launch cyberattacks that rely on existing cybersecurity vulnerabilities and exploit end users through social engineering techniques. Cybersecurity audits are therefore extremely important, both to verify that information security controls are in place and to detect weaknesses caused by missing or obsolete cybersecurity controls. This article presents an innovative and comprehensive cybersecurity audit model. The CyberSecurity Audit Model (CSAM) can be implemented to perform internal or external cybersecurity audits. The model can be used for a single cybersecurity audit or as part of any corporate audit program to improve cybersecurity controls. An information security or cybersecurity audit team can either perform a full audit across all cybersecurity domains or select specific domains in order to audit the areas that need control verification and hardening. The CSAM has 18 domains: Domain 1 is specific to Nation States, and Domains 2-18 can be implemented at any organization. The organization can be any small, medium or large enterprise; the model is also applicable to any Non-Profit Organization (NPO).
License
The articles and research published by the UTE University are carried out under the Open Access regime in electronic format. This means that all content is freely available without charge to the user or his/her institution. Users are allowed to read, download, copy, distribute, print, search, or link to the full texts of the articles, or use them for any other lawful purpose, without asking prior permission from the publisher or the author. This is in accordance with the BOAI definition of open access. By submitting an article to any of the scientific journals of the UTE University, the author or authors accept these conditions.
The UTE applies the Creative Commons Attribution (CC-BY) license to articles in its scientific journals. Under this open access license, as an author you agree that anyone may reuse your article in whole or in part for any purpose, free of charge, including commercial purposes. Anyone can copy, distribute or reuse the content as long as the author and original source are correctly cited. This facilitates freedom of reuse and also ensures that content can be extracted without barriers for research needs.
This work is licensed under a Creative Commons Attribution 3.0 International (CC BY 3.0).
The Enfoque UTE journal guarantees and declares that authors always retain all copyrights and full publishing rights without restrictions [© The Author(s)]. Acknowledgment (BY): Any exploitation of the work is allowed, including a commercial purpose, as well as the creation of derivative works, the distribution of which is also allowed without any restriction.