Auditing Information and Cyber Security Governance
Internal Audit and IT Audit
Series Editor: Dan Swanson
Dan Swanson and Associates, Ltd., Winnipeg, Manitoba, Canada.
The Internal Audit and IT Audit series publishes leading-edge books on critical subjects
facing audit executives as well as internal and IT audit practitioners. Key topics include
Audit Leadership, Cybersecurity, Strategic Risk Management, Auditing Various IT
Activities and Processes, Audit Management, and Operational Auditing.
Blockchain for Cybersecurity and Privacy
Architectures, Challenges, and Applications
Yassine Maleh, Mohammad Shojafar, Mamoun Alazab, Imed Romdhani
The Cybersecurity Body of Knowledge
The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity
Daniel Shoemaker, Anne Kohnke, Ken Sigler
Corporate Governance
A Pragmatic Guide for Auditors, Directors, Investors, and Accountants
Vasant Raval
The Audit Value Factor
Daniel Samson
Managing IoT Systems for Institutions and Cities
Chuck Benson
Fraud Auditing Using CAATT
A Manual for Auditors and Forensic Accountants to Detect Organizational Fraud
Shaun Aghili
How to Build a Cyber-Resilient Organization
Dan Shoemaker, Anne Kohnke, Ken Sigler
Auditor Essentials
100 Concepts, Tips, Tools, and Techniques for Success
Hernan Murdock
Auditing Information and Cyber Security Governance
A Controls-Based Approach
Robert E. Davis
Auditing Information and
Cyber Security Governance
A Controls-Based Approach
Robert E. Davis
Boca Raton London New York
CRC Press is an imprint of the
Taylor & Francis Group, an informa business
First edition published 2021
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN
© 2021 Robert E. Davis
CRC Press is an imprint of Taylor & Francis Group, LLC
Reasonable efforts have been made to publish reliable data and information, but the
author and publisher cannot assume responsibility for the validity of all materials or the
consequences of their use. The authors and publishers have attempted to trace the copyright
holders of all material reproduced in this publication and apologize to copyright holders if
permission to publish in this form has not been obtained. If any copyright material has not
been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted,
reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other
means, now known or hereafter invented, including photocopying, microfilming, and
recording, or in any information storage or retrieval system, without written permission
from the publishers.
For permission to photocopy or use material electronically from this work, access www.copyright.com
or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923,
978-750-8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk
Trademark notice: Product or corporate names may be trademarks or registered trademarks
and are used only for identification and explanation without intent to infringe.
ISBN: 978-0-367-56850-4 (hbk)
ISBN: 978-1-003-09967-3 (ebk)
ISBN: 978-1-032-04448-4 (pbk)
Typeset in Sabon
by Apex CoVantage, LLC
Brief Content
Preface xi
1 Security Governance 1
2 Security Governance Environment 39
3 Security Governance Management 74
4 Security Governance Processes 108
5 Organizational Employees 141
6 External Organizational Actors 172
7 Information Security Governance Audit 203
8 Cyber Security Governance Audit 241
Index 283
Detail Content
Preface xi
1 Security Governance 1
Abstract 1
Introduction 1
Governance Perspectives 2
Rational Management 4
Applied Technology 7
Security Program Evolution 9
Information Security Infrastructure Management 10
Information Security Service Management 11
Information Security Governance 13
Framing Governance 15
Tier One Governance 15
Tier Two Governance 17
Tier Three Governance 19
Security Governance Fusion 22
Cyber Security Service Delivery for IT 23
Cyber Security Service Support for IT 25
Security Governance Insights 29
Formal Authority 31
Interpersonal Roles 31
Informational Roles 32
Decisional Roles 32
References 33
Recommended Reading 38
2 Security Governance Environment 39
Abstract 39
Introduction 39
Entity-Centric Considerations 40
Entity Control Environment 41
Domain Convergence Effects 46
Entity Risk Determinants 53
Legal Issues 55
Managerial Practices 58
Control Inscriptions 59
Technology Deployments 65
References 67
Recommended Reading 73
3 Security Governance Management 74
Abstract 74
Introduction 74
Planning 75
Security Risk Assessment 79
Control Objective Selection 95
Control Goal Selection 97
Organizing 97
Orchestrating 98
Directing 100
Controlling 101
References 102
Recommended Reading 106
Appendix: Information Protection Classifications with Criteria and Definitions 107
4 Security Governance Processes 108
Abstract 108
Introduction 108
Framing Information Security Governance 109
Tier Four Strategic Alignment 111
Tier Four Value Delivery 115
Tier Four Risk Management 119
Tier Four Resource Management 124
Tier Four Performance Measurement 128
References 131
Recommended Reading 137
Appendix: Control Evaluation Worksheets 139
5 Organizational Employees 141
Abstract 141
Introduction 141
Responsibility Delegation 142
Access Controls 144
Power Granting 148
Workplace Irregularities and Illegal Acts 150
IT Incident Response Team 154
Education, Training, and Awareness 159
IT Audit Team 164
Planning Activities 165
Study and Evaluation Activities 166
Testing Activities 166
Reporting Activities 167
Follow-Up Activities 167
References 167
Recommended Reading 170
6 External Organizational Actors 172
Abstract 172
Introduction 172
Supply Chain Partners 173
Information Sharing 174
Knowledge Sharing 176
Supply Chain Logistics 178
Managed Service Providers 179
Service Provider Audit 187
IT Audit Planning 190
IT Audit Study and Evaluation of Controls 192
IT Audit Testing of Controls 196
IT Audit Report on Controls 196
IT Audit Follow-Up 197
References 197
Recommended Reading 202
7 Information Security Governance Audit 203
Abstract 203
Introduction 203
ISG Audit Planning Process 204
Control Assessment 206
Audit Risk Assessment 209
ISG Audit Study and Evaluation of Controls 210
Information Security Strategic Alignment 212
Information Security Value Delivery 215
Information Security Risk Management 216
Information Security Resource Management 216
Information Security Performance Management and Measurement 217
Other Auditable Information Security Units 217
ISG Audit Testing and Evaluation of Controls 219
Information Security Compliance Testing 221
Information Security Substantive Testing 222
Information Security Evidence Assessment 223
ISG Audit Control Reporting 223
Unqualified Opinion 224
Qualified Opinion 225
Adverse Opinion 225
Disclaimer Opinion 225
Degree of Correspondence 226
Engagement Report Structuring 227
ISG Audit Follow-Up 227
ISG Audit Follow-Up Responsibilities 228
General ISG Audit Follow-Up Activities 229
References 233
Recommended Reading 235
Appendix A: Control Environment Characteristics – Internal Policies Matrix 236
Appendix B: Entity Culture – Audit Area Personnel Matrix 237
Appendix C: ISG Audit Risk Assessment Template 238