Design of a Risk-Based Auditing Program
The customer was executing compliance inspections and was looking for an innovative way to transform that service so that it would quantify risk, take business operations into account, improve security posture and add value for its customers. Compliance inspections are limited in scope and therefore did not provide the holistic assessment that the client required.
Context / Action
We designed a Risk-Based Auditing Program, labeled a cybersecurity assessment (People, Processes and Technologies), which not only covered their previous compliance inspection items but also extended the program to cover NIST’s 14 families of security controls.
In the DoD, the Command Cyber Readiness Inspection (CCRI), managed by the Defense Information Systems Agency (DISA), is used to assess the readiness of DoD agencies’ networks and systems. Compliance inspections are limited in scope, so our design built upon the current limitations. Our design was for the client, but the client also intended to inform the DoD CCRI program of these changes.
Understanding the customer requirements and end state, we knew shifting from compliance inspections to a risk-based auditing approach was necessary. A risk-based audit encompasses compliance testing but compliance testing does not encompass a risk-based audit.
Lastly, a key component of our program was to incorporate the practice of performing Root Cause Analysis (RCA). Often, when vulnerabilities and weaknesses are identified, system and process owners tend to address them only at the surface level. In other words, they mitigate only the symptoms of a larger issue. This causes the weakness to recur and potentially increases risk to the environment. To remediate weaknesses effectively, an RCA needs to be performed. RCAs can reveal deeper, underlying and potentially systemic issues that led to material risk.
This practice enabled the organization to implement effective corrective actions that permanently resolve and/or prevent the problem, and possibly others, from occurring or recurring. Furthermore, it ensures that decision makers have the information needed to commit resources to a resolution.