Auditor Evaluation and Reporting on Cybersecurity Risks

Jeffrey S. Zanzig (Jacksonville State University, USA) and Guillermo A. Francia III (University of West Florida, USA)
DOI: 10.4018/978-1-7998-3473-1.ch082
Tremendous improvements in information networking capabilities have brought with them increased security risks, because physical security can no longer serve as the layer that protects an organization's information system. As a result, audit committees have had to deal with new security issues as well as the need to understand the cyber perpetrator and to ensure that employees are properly trained to consider cybersecurity risks. Standard setters including the Institute of Internal Auditors and the American Institute of Certified Public Accountants have issued guidance on lines of defense and on reporting on an entity's cybersecurity risk management program and controls, respectively. Each of these topics is considered, along with how cybersecurity guidance from COBIT, the National Institute of Standards and Technology, and the Center for Internet Security can be mapped into five cyber infrastructure domains to provide an approach for evaluating a system of cybersecurity.
Chapter Preview

A primary focus of an audit committee is to provide an independent oversight function to ensure that the processing and storage of information is performed in a secure and reliable manner that meets the needs of information users. Although the birth of the Internet and extensive networking capabilities have substantially increased the ability of organizations to process and disseminate information, they have also opened the door to greater access to information systems by unauthorized and often malicious intruders. Addressing these security issues is a difficult task because the available technology, both within and outside an organization's control, changes constantly. This section discusses the challenges faced by audit committees as a result of cybersecurity issues. It also considers common profiles of the cyber perpetrator and how noncompliance with information security policy by well-meaning organizational personnel can allow unauthorized access into an organization's information system.

Key Terms in this Chapter

Security Metric: A quantitative, repeatable, accurate, and scalable measurement of an organization’s security posture.

Blockchain: A digital register or ledger that embodies a permanent, time-stamped, and cryptographically validated record of transactions.

Standards: A set of rules that can be monitored for compliance by a specialized field’s authoritative bodies and related professionals.

Cyber Infrastructure: A collection of information technology systems and software, physical and information assets, processes, and people that enables an organization to function efficiently and securely in cyberspace.

Regulatory Compliance: The state of being in conformance to the requirements of a relevant law, policy, or regulation.

Cybersecurity: A set of processes, practices, and technologies designed to protect, in the realm of cyberspace, the three tenets of information security: confidentiality, integrity, and availability.

Security Monitoring: A process of data collection, analysis, and detection with the goal of proactively securing an organization.

Frameworks: A grouping of rules and related concepts into a logical approach that can be used to identify complex problems and decide upon appropriate courses of action to address them.
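The Blockchain key term above describes the ledger as "cryptographically validated." The following example, added here and not part of the chapter, shows the mechanism behind that phrase: each entry carries the hash of its predecessor, so altering a past transaction, or altering it and recomputing only its own hash, is detected when an auditor re-verifies the chain. The ledger class, the hypothetical transaction records, and the fixed timestamps are constructed for illustration and are not taken from the chapter or from any real system.

```python
import hashlib
import json
import time

# Sentinel "previous hash" for the first block (assumed convention for this example).
GENESIS_PREV_HASH = "0" * 64


def hash_block(block_body):
    """SHA-256 over a canonical JSON encoding so that key order cannot change the digest."""
    payload = json.dumps(block_body, sort_keys=True).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    """Append-only, hash-chained ledger: every block commits to the hash of the block before it."""

    def __init__(self):
        self.chain = []

    def append(self, record, timestamp=None):
        prev_hash = self.chain[-1]["hash"] if self.chain else GENESIS_PREV_HASH
        body = {
            "index": len(self.chain),
            "timestamp": timestamp if timestamp is not None else time.time(),
            "record": record,
            "prev_hash": prev_hash,
        }
        block = dict(body)
        block["hash"] = hash_block(body)  # the digest covers everything except the hash field itself
        self.chain.append(block)
        return block

    def verify(self):
        """Return (True, None) if every block's hash matches its contents and links to its
        predecessor; otherwise (False, index_of_first_bad_block)."""
        for i, block in enumerate(self.chain):
            body = {k: v for k, v in block.items() if k != "hash"}
            if hash_block(body) != block["hash"]:
                return False, i  # contents were changed after the block was written
            expected_prev = self.chain[i - 1]["hash"] if i else GENESIS_PREV_HASH
            if block["prev_hash"] != expected_prev:
                return False, i  # the link to the previous block is broken
        return True, None


def demo_tamper_detection():
    """Constructed scenario: three transactions, then two tampering attempts on the second one."""
    ledger = Ledger()
    ledger.append({"txn": "T-001", "amount": 120.00}, timestamp=1700000000)
    ledger.append({"txn": "T-002", "amount": 75.50}, timestamp=1700000060)
    ledger.append({"txn": "T-003", "amount": 9.99}, timestamp=1700000120)
    intact = ledger.verify()  # (True, None)

    # Attempt 1: silently change a past amount -> block 1's stored hash no longer matches.
    ledger.chain[1]["record"]["amount"] = 7550.00
    altered = ledger.verify()  # (False, 1)

    # Attempt 2: also recompute block 1's own hash -> block 2 still holds the old prev_hash.
    body = {k: v for k, v in ledger.chain[1].items() if k != "hash"}
    ledger.chain[1]["hash"] = hash_block(body)
    rehashed = ledger.verify()  # (False, 2)

    return intact, altered, rehashed


if __name__ == "__main__":
    print(demo_tamper_detection())
```

The second tampering attempt is the important one for an auditor: fixing up a single block's hash is not enough, because every later block commits to the original value, so an attacker would have to rewrite the entire tail of the ledger. That is what makes the record "permanent" in the sense of the key term; the timestamp field is what makes it "time-stamped", and it is covered by the hash along with the transaction itself.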
