Auditing the Crown Jewels From a Cyberrisk Perspective
Auditing standards require auditors to produce a documented, risk-based audit plan that takes into account input from senior management and the board. Cyberrisk is one of the top risk scenarios boards are concerned about and should, therefore, be one of the higher priorities for auditors during audit planning. New risk (cyberrisk included) keeps emerging and the risk landscape keeps evolving, which complicates audit planning and can leave important risk inadequately addressed in the plan. Additionally, executing the audit plan is often tedious and manual, which limits coverage of key risk areas.
In an article on practical cyberrisk management, the author discusses the concepts of crown jewels, threat modeling, attack path mapping, the Cyber Kill Chain and data modeling, and how to apply each concept in cyberrisk management. The same concepts that apply to cyberrisk management can be applied to audit planning, both from an overall annual plan and a detailed audit plan perspective.
Management applies the crown jewel approach to determine which assets and processes are the most critical, as an indication of where to design and implement controls. The auditor can apply the same approach to determine which assets and processes are the most critical and would have the greatest impact on the organization if compromised, and use that to guide where to focus audit effort. Management uses threat modeling and attack-path mapping to determine the most likely attacks the organization should expect and how an attacker would carry them out, so that appropriate mitigating controls can be developed. The auditor can use threat modeling and attack-path mapping to understand where key controls are expected to exist along each attack path; any point on the path where an expected control is absent becomes the basis of a control gap recommendation. The Cyber Kill Chain gives management a logical analysis of how an attack plays out in stages and where controls should be implemented. For the auditor, the Cyber Kill Chain is a checklist: it helps ensure that the key controls that prevent and detect an attack at each stage are included in the audit plan, rather than only the controls at the stages that happen to be familiar.
Furthermore, if the testing of the controls that mitigate these risk scenarios is automated as much as possible, by building data models over the systems' own records and using advanced techniques (e.g., robotic process automation [RPA]), the auditor can test entire populations rather than samples and achieve far better coverage of the aspects that matter most.
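The two ideas above, a Cyber Kill Chain coverage check of the audit plan against the crown jewels and an automated, population-wide control test over exported data, can be made concrete in a few dozen lines. The following is an added illustration written for this page, not code from the article or from any audit tool it mentions. The crown-jewel inventory, the audit plan, the stage names attached to each control and the account export are all constructed sample data; the function names are the example's own.

```python
"""Added example (not from the article): check an audit plan's Cyber Kill
Chain coverage per crown-jewel asset, then run one automated control test
over a constructed account export.  Every asset, control and record below
is constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Stages of the Cyber Kill Chain, in attack order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed crown-jewel inventory: asset -> business impact rating (1..5).
CROWN_JEWELS = {"erp_finance": 5, "customer_db": 5, "hr_system": 3}

# Constructed audit plan: each planned control test names the crown jewel it
# protects and the kill chain stage(s) the control is expected to prevent or
# detect.  The stage mapping comes from threat modeling / attack-path mapping.
AUDIT_PLAN = [
    {"control": "Email attachment sandboxing", "asset": "erp_finance",
     "stages": ["delivery"]},
    {"control": "Patch SLA for internet-facing hosts", "asset": "erp_finance",
     "stages": ["exploitation"]},
    {"control": "Privileged access MFA", "asset": "erp_finance",
     "stages": ["installation", "actions_on_objectives"]},
    {"control": "Egress proxy allow-list", "asset": "customer_db",
     "stages": ["command_and_control"]},
    {"control": "DB activity monitoring", "asset": "customer_db",
     "stages": ["actions_on_objectives"]},
]


def coverage_gaps(plan, assets, stages=KILL_CHAIN):
    """Return {asset: [stages with no planned control test]} for each asset.

    An asset that has no control test at all shows every stage as a gap.
    """
    covered = defaultdict(set)
    for test in plan:
        covered[test["asset"]].update(test["stages"])
    gaps = {}
    for asset in assets:
        missing = [s for s in stages if s not in covered[asset]]
        if missing:
            gaps[asset] = missing
    return gaps


def prioritised_gaps(plan, assets):
    """Gaps ordered by business impact (highest first), then asset name,
    so the auditor sees the crown jewels that matter most at the top."""
    gaps = coverage_gaps(plan, assets)
    return sorted(gaps.items(), key=lambda kv: (-assets[kv[0]], kv[0]))


# Constructed privileged-account export, as a data model might extract it
# from an identity system.  Dates are ISO 8601.
ACCOUNT_EXPORT = """\
username,asset,role,mfa_enabled,last_access_review
alice,erp_finance,admin,true,2024-03-01
bob,erp_finance,admin,false,2024-03-01
carol,customer_db,admin,true,2023-06-15
dave,hr_system,user,false,2024-01-10
"""


def check_privileged_mfa(export_text, as_of_iso, review_max_days=90):
    """Automated test of the 'Privileged access MFA' control over the whole
    population: every admin account must have MFA enabled and an access
    review within review_max_days of as_of.  Returns the exception list
    as (username, asset, finding) tuples; an empty list means no exceptions."""
    as_of = date.fromisoformat(as_of_iso)
    exceptions = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["role"] != "admin":
            continue  # control applies to privileged accounts only
        if row["mfa_enabled"].strip().lower() != "true":
            exceptions.append((row["username"], row["asset"], "no MFA"))
        reviewed = date.fromisoformat(row["last_access_review"])
        if (as_of - reviewed).days > review_max_days:
            exceptions.append((row["username"], row["asset"],
                               "access review overdue"))
    return exceptions


if __name__ == "__main__":
    for asset, missing in prioritised_gaps(AUDIT_PLAN, CROWN_JEWELS):
        print(f"{asset} (impact {CROWN_JEWELS[asset]}): no test for {missing}")
    for username, asset, finding in check_privileged_mfa(ACCOUNT_EXPORT, "2024-04-01"):
        print(f"exception: {username}@{asset}: {finding}")
```

Some kill chain stages (weaponization, for instance) happen on the attacker's side, where the organization has few or no controls; a gap reported there is a prompt for the auditor to document a considered conclusion, not necessarily a control recommendation. Testing the whole exported population, rather than a sample, is what gives the coverage the paragraph above describes.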