A uditing Information and Cyber Security Governance I nternal Audit and IT Audit Series Editor: Dan Swanson Dan Swanson and Associates, Ltd., Winnipeg, Manitoba, Canada. The Internal Audit and IT Audit series publishes leading-edge books on critical subjects facing audit executives as well as internal and IT audit practitioners. Key topics include Audit Leadership, Cybersecurity, Strategic Risk Management, Auditing Various IT Activities and Processes, Audit Management, and Operational Auditing. B lockchain for Cybersecurity and Privacy Architectures, Challenges, and Applications Y assine Maleh, Mohammad Shojafar, Mamoun Alazab, Imed Romdhani T he Cybersecurity Body of Knowledge The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity D aniel Shoemaker, Anne Kohnke, Ken Sigler Corporate Governance A Pragmatic Guide for Auditors, Directors, Investors, and Accountants Vasant Raval The Audit Value Factor Daniel Samson M anaging IoT Systems for Institutions and Cities Chuck Benson Fraud Auditing Using CAATT A Manual for Auditors and Forensic Accountants to Detect Organizational Fraud Shaun Aghili H ow to Build a Cyber-Resilient Organization D an Shoemaker, Anne Kohnke, Ken Sigler Auditor Essentials 100 Concepts, Tips, Tools, and Techniques for Success Hernan Murdock A uditing Information and Cyber Security Governance A Controls-Based Approach R obert E. Davis Auditing Information and Cyber Security Governance A Controls-Based Approach Robert E. Davis Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an informa business First edition published 2021 by CRC Press 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487–2742 and by CRC Press 2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN © 2021 Robert E. Davis CRC Press is an imprint of Taylor & Francis Group, LLC Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, access www. copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978–750–8400. For works that are not available on CCC please contact [email protected] Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe. ISBN: 978-0-367-56850-4 (hbk) ISBN: 978-1-003-09967-3 (ebk) ISBN: 978-1-032-04448-4 (pbk) Typeset in Sabon by Apex CoVantage, LLC Brief Content Preface xi 1 Security Governance 1 2 Security Governance Environment 39 3 Security Governance Management 74 4 Security Governance Processes 108 5 Organizational Employees 141 6 External Organizational Actors 172 7 Information Security Governance Audit 203 8 Cyber Security Governance Audit 241 Index 283 Detail Content Preface xi 1 Security Governance 1 Abstract 1 Introduction 1 Governance Perspectives 2 Rational Management 4 Applied Technology 7 Security Program Evolution 9 I nformation Security Infrastructure Management 10 I nformation Security Service Management 11 Information Security Governance 13 Framing Governance 15 Tier One Governance 15 Tier Two Governance 17 Tier Three Governance 19 Security Governance Fusion 22 C yber Security Service Delivery for IT 23 C yber Security Service Support for IT 25 Security Governance Insights 29 Formal Authority 31 Interpersonal Roles 31 Informational Roles 32 Decisional Roles 32 References 33 Recommended Reading 38 2 Security Governance Environment 39 Abstract 39 Introduction 39 Entity-Centric Considerations 40 Entity Control Environment 41 Domain Convergence Effects 46 Entity Risk Determinants 53 Legal Issues 55 Managerial Practices 58 Control Inscriptions 59 viii Detail Content Technology Deployments 65 References 67 Recommended Reading 73 3 Security Governance Management 74 Abstract 74 Introduction 74 Planning 75 Security Risk Assessment 79 Control Objective Selection 95 Control Goal Selection 97 Organizing 97 Orchestrating 98 Directing 100 Controlling 101 References 102 Recommended Reading 106 Appendix: Information Protection Classifcations with Criteria and Defnitions 107 4 Security Governance Processes 108 Abstract 108 Introduction 108 Framing Information Security Governance 109 Tier Four Strategic Alignment 111 Tier Four Value Delivery 115 Tier Four Risk Management 119 Tier Four Resource Management 124 Tier Four Performance Measurement 128 References 131 Recommended Reading 137 Appendix: Control Evaluation Worksheets 139 5 Organizational Employees 141 Abstract 141 Introduction 141 Responsibility Delegation 142 Access Controls 144 Power Granting 148 Workplace Irregularities and Illegal Acts 150 IT Incident Response Team 154 Education, Training, and Awareness 159 IT Audit Team 164 Planning Activities 165 Study and Evaluation Activities 166 Testing Activities 166 Reporting Activities 167 Follow-Up Activities 167 References 167 Recommended Reading 170 Detail Content ix 6 External Organizational Actors 172 Abstract 172 Introduction 172 Supply Chain Partners 173 Information Sharing 174 Knowledge Sharing 176 Supply Chain Logistics 178 Managed Service Providers 179 Service Provider Audit 187 IT Audit Planning 190 IT Audit Study and Evaluation of Controls 192 IT Audit Testing of Controls 196 IT Audit Report on Controls 196 IT Audit Follow-Up 197 References 197 Recommended Reading 202 7 Information Security Governance Audit 203 Abstract 203 Introduction 203 ISG Audit Planning Process 204 Control Assessment 206 Audit Risk Assessment 209 ISG Audit Study and Evaluation of Controls 210 Information Security Strategic Alignment 212 Information Security Value Delivery 215 Information Security Risk Management 216 Information Security Resource Management 216 Information Security Performance Management and Measurement 217 Other Auditable Information Security Units 217 ISG Audit Testing and Evaluation of Controls 219 Information Security Compliance Testing 221 Information Security Substantive Testing 222 Information Security Evidence Assessment 223 ISG Audit Control Reporting 223 Unqualifed Opinion 224 Qualifed Opinion 225 Adverse Opinion 225 Disclaimer Opinion 225 Degree of Correspondence 226 Engagement Report Structuring 227 ISG Audit Follow-Up 227 ISG Audit Follow-Up Responsibilities 228 General ISG Audit Follow-Up Activities 229 References 233 Recommended Reading 235 Appendix A: Control Environment Characteristics – Internal Policies Matrix 236 Appendix B: Entity Culture – Audit Area Personnel Matrix 237 Appendix C: ISG Audit Risk Assessment Template 238