Internal Audits and Assessments

(OBJ 5.5)

Internal Audits

• Systematic evaluations conducted by an organization's own audit team

• Assess the effectiveness of internal controls, compliance with regulations, and the integrity of information systems and processes

• Focus areas may include

  • Data protection
  • Network security
  • Access controls
  • Incident response procedures

• Examples of internal audit focus areas

  • Password policies
    • Requiring complex passwords and regular password changes
  • User access controls
    • Ensure that only authorized individuals have access

• Review access control policies and procedure for alignment with best practices and regulatory requirements

• Process

  1. Reviewing policies and procedures
     • Review access control policies and procedures for alignment with best practices and regulatory requirements
       • Principle of least privilege
       • Segregation of duties
  2. Examining access rights
     • Verify whether employees have access rights that align with their job responsibilities and whether there are any instances of excessive or unnecessary access
  3. Testing effectiveness of controls
     • Verify access rights processes, including approvals and timely revocation
  4. Findings documented for recommendations and improvements
     • Document findings to serve as basis for recommending access control policy and procedure improvements

• Concepts in Internal Audits

  • Compliance Requirements
    • Ensuring adherence to established standards, regulations, and laws
    • Compliance is essential for protecting sensitive data and avoiding legal penalties and maintaining trust
    • Internal audits may be required for compliance with specific laws or regulations
    • Thanks to this, you need to conduct internal audits every quarter or every year, depending on your industry compliance requirements.
  • Audit Committee
    • A group, often comprising members of a company's board of directors, overseeing audit and compliance activities
    • Responsibilities
      • Reviewing financial reporting
      • Internal controls
      • Internal and external audits
      • Legal and regulatory compliance
    • Addresses issues raised by auditors

Internal Assessments

• An in-depth analysis conducted to identify and evaluate potential risks and vulnerabilities in an organization's information systems

• Commonly performed before implementing new systems or making significant changes to existing ones

• Self-assessments

  • Internal evaluations assessing compliance with specific standards or regulations
  • Valuable tool for identifying security gaps

• Vulnerability assessments, threat modeling exercises, and risk assessments are part of internal assessments

• Example:

  • Conducting a vulnerability assessment on the organization's network, this would involve using automated tools to scan the network for known vulnerabilities such as outdated software or misconfigured firewalls.
  • The result of the assessment would then be used to prioritize and address these vulnerabilities.

• Assisted internal assessments and assessments may involve dedicated assessment groups

• Internal Assessment Process

  1. Threat Modeling Exercise
     • Identifies potential threats to applications (e.g., SQL injection, XSS, DoS attacks)
  2. Vulnerability Assessment
     • Uses automated scanning tools and manual testing techniques to identify known vulnerabilities and code weaknesses
  3. Risk Assessment
     • Evaluates the potential impact of the following
       • Identified threats and vulnerabilities
       • Considering likelihood
       • Potential damage
       • Cost of security measures
  4. Mitigation Strategies
     • Recommendations to address risks and vulnerabilities
       • Code fixes
       • Additional security controls
       • Architectural changes