The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

1

A proposed framework that enhances the quality of cyber security audits

Matsikidze, Hezel 23 March 2023
The need to protect information systems or assets remains crucial today. Innovations in technology have led to rapid developments and as technology continues to advance, so does the need to protect information systems. Amongst numerous effects of cyber-attacks on organizations, huge financial losses which in turn affect the economy have since been reported. Cyber security audits need to be strengthened to tighten the protection of information systems. The importance of cybersecurity audits is widely endorsed in literature. Nonetheless, frameworks used to audit cybersecurity are viewed as 'sometimes' weak links to cybersecurity due to their drawbacks in auditing cyber security. A review of literature indicated that cyber-attacks are more rampant in the African continent with the financial sector being the most targeted. Literature also highlighted that the use of relevant frameworks for auditing cyber security improves the quality and effectiveness of audits thereby enhancing cyber security. Studies in information systems have mostly looked at the adoption of frameworks, types of cyber threats and tools needed to audit. Nonetheless, it is important to note that few scholars have examined the applicability and effectiveness of the existing frameworks in auditing cyber security. Furthermore, previous studies emphasize enhancing cyber security without a particular focus on auditing cyber security including assessing the role of the auditor during the process. As a result, this study looked at cyber security from an auditing perspective with a particular focus on the strengths and weaknesses of the current frameworks that are being used to audit cyber security including. The study also looked at the factors that enhance the effectiveness of cyber security audits. The study draws from different theories, literature and from the strengths and drawbacks of existing frameworks to create an explanatory model.
To statistically test and evaluate the model, a quantitative research approach was employed to collect, analyze, and interpret data from South Africa. Data was collected using a questionnaire which was distributed to IT auditors and cyber security professionals from the Information Systems Audit and Control Association (ISACA) South African chapter members. The National Institute of Standards and Technology (NIST) cyber security framework was found to be the widely adopted framework followed by the International Organization for Standardization (ISO) standards, with the Control Objectives for Information Technologies (COBIT) being the least employed framework. The COBIT framework was found to be more aligned to Information Technology governance rather than cyber security. Furthermore, results of this study indicate that effectiveness of cyber security audits is dependent upon competencies of auditors including their ethics and integrity. Results further indicate that frameworks used for auditing are effective to some extent if properly implemented. A proper alignment of an auditor's competencies which include ethics and integrity, and an adoption of a relevant framework will result in effective cyber security audits that reduce the risks of cyber-attacks. Concerning the contribution to practice, results from this study can help organizations to determine and review focus areas of cyber security auditing that they need to emphasize and develop on. Furthermore, the developed model can be used by auditors to develop an audit plan and conduct audits that are effective in identifying, protecting, detecting, preventing, and recovering information systems or assets. The methodological, theoretical, and practical contributions are further discussed in this thesis along with limitations, recommendations, and areas for future research.
2

The attributes of information as an asset

Stenson, Joan January 2006
Attempts to identify information as an asset have led to an increased awareness of the role of information in enhancing organisational performance. Central to this role is the identification of attributes of information assets which include quality, utility, productivity, effectiveness and financial and economic aspects. Measurement of attributes of information as an asset may provide an identifiable link between information management and improved business performance. Identifying attributes of information assets that are recognised and valued by senior managers in today's information-intensive UK organisations is a key step in developing evidence for a link between information management and organisational performance. The research study engaged with a range of stakeholders in the information as an asset domain, including: senior British information managers, senior executives and managers and internationally-active information professionals and academics. Open-ended guided interviews were conducted with stakeholders. Four case studies in information-intensive UK organisations formed the major data collection strategy. Findings highlighted the importance of customer information assets. The most important attribute identified was quality. Information assets and their attributes were linked to competitive advantage with customer involvement and management attention being the key issues identified. A grounded theory of information assets that takes competitive advantage as its core category is proposed.
3

Reference Model to Identify the Maturity Level of Cyber Threat Intelligence on the Dark Web

Santos, Ricardo Meléndez, Gallardo, Anthony Aguilar, Aguirre, Jimmy Armas 01 January 2021
The full text of this work is not available in the UPC Academic Repository due to restrictions of the publisher where it was published. / In this article, we propose a reference model to identify the maturity level of the cyber intelligence threat process. This proposal considers the dark web as an important source of cyber threats causing a latent risk that organizations do not consider in their cybersecurity strategies. The proposed model aims to increase the maturity level of the process through a set of proposed controls according to the information found on the dark web. The model consists of three phases: (1) Identification of information assets using cyber threat intelligence tools. (2) Diagnosis of the exposure of information assets. (3) Proposal of controls according to the proposed categories and criteria. The validation of the proposal was carried out in an insurance institution in Lima, Peru, with data obtained by the institution. The measurement was made with artifacts that made it possible to obtain an initial value of the current panorama of the company. Preliminary results showed 196 emails and passwords exposed on the dark web, of which one corresponded to the technology manager of the company under evaluation. With this identification, it was diagnosed that the institution was at a “Normal” maturity level, and from the implementation of the proposed controls, the “Advanced” level was reached. / Peer reviewed
4

Diseño de un Sistema de Gestión de Seguridad de Información para la empresa Neointel SAC basado en la norma ISO/IEC 27001:2013 / Design of an Information Security Management System for Neointel SAC based on ISO / IEC 27001: 2013

Vásquez Ojeda, Agustín Wilmer 16 April 2020
This thesis aims to design an Information Security Management System (ISMS) to improve the quality of service of the Call Center of the company Neointel SAC. To that end, the model details the most effective way for the Call Center to treat its information security risks, based on Annex A of ISO/IEC 27001:2013, so as to reduce and mitigate the risks to information assets. Likewise, the technological vulnerabilities to which the Call Center is exposed can be reduced. In addition, the design of this work makes it possible to classify the main information assets, to determine the main information risks to which they are exposed, and to define how the information security risks will be treated in alignment with the business objectives. Finally, the roles and responsibilities within the organizational structure of an Information Security Management System (ISMS) are defined and a risk treatment plan for information assets is proposed, which has allowed the company to establish its own security procedures, which can be seen in the policies that comprise it. / Thesis
5

Управление информационными рисками на промышленных предприятиях : магистерская диссертация / Information Risk Management in Industrial Enterprises

Криницын, К. А., Krinitsyn, K. A. January 2017
The master's thesis consists of an introduction, three chapters, a conclusion, and a bibliography of 45 sources. The main content is set out on 106 pages; the work includes 12 tables, 12 figures and 2 appendices. Main content of the work: the first chapter, "The Essence of Information Risks", defines the main concepts associated with risk management, information technology, and risk assessment. It describes the classification of information risks by different criteria and considers generally accepted methods of risk analysis and management. The second chapter, "The Role of Information Risks in the Activity of Industrial Enterprises", analyzes trends in the development of information technology in industrial enterprises and the use of risk management systems in industrial enterprises. This chapter also analyzes the effects of information risks on the activities of industrial enterprises, using OOO VIZ-Stal as an example. The third chapter defines the concept of an information risk management system (СУИР) and proposes using it as the main element for minimizing the impact of information risks. A key element of this system is the classification of information risks that was developed.
