Design of a Risk-Based Auditing Program

Results

Pages in Design Document
Cybersecurity Auditing Frameworks Leveraged
Total Time in Months to Design

Challenge

The customer was conducting compliance inspections and was looking for an innovative way to transform its service: to quantify risk, account for business operations, improve security posture and deliver added value to its own customers. Compliance inspections are limited in scope and therefore did not provide the holistic assessment that the client required.

Context / Action

We designed a risk-based auditing program, labeled a cybersecurity assessment (people, processes and technologies), which not only covered the client's previous compliance inspection items but also extended the program to cover NIST's 14 families of security controls.

In the DoD, the Command Cyber Readiness Inspection (CCRI), managed by the Defense Information Systems Agency (DISA), is used to assess the readiness of DoD agencies' networks and systems. Compliance inspections are limited in scope, so our design built on the existing program to address those limitations. The design was for the client, but the client also intended to inform the DoD CCRI program of these changes.

Understanding the customer's requirements and desired end state, we knew that shifting from compliance inspections to a risk-based auditing approach was necessary. A risk-based audit encompasses compliance testing, but compliance testing does not encompass a risk-based audit.

Lastly, a key component of our program was to incorporate the practice of performing Root Cause Analysis (RCA). Often, when vulnerabilities and weaknesses are identified, system and process owners address them only at the surface level; in other words, they mitigate the symptoms of a larger issue. This causes the weakness to recur and potentially increases risk to the environment. To remediate weaknesses effectively, an RCA needs to be performed. RCAs can reveal deeper, potentially systemic issues that led to the material risk.

This practice enabled the organization to implement effective corrective actions that permanently resolve the problem and/or prevent it, and possibly others, from occurring or recurring. Furthermore, it ensures that decision makers have the information they need to commit resources to a resolution.
