- Securing Things Newsletter
- Posts
- Internal Audit and IT & OT Cybersecurity Program
Internal Audit and IT & OT Cybersecurity Program
[Securing Things by M. Yousuf Faisal]
M. Yousuf Faisal
July 02, 2024
In partnership with
Disclaimer: All views presented here, in this newsletter, are my own.
Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.
Table of Contents
Hi Securing Things Community, this newsletter edition is specific to internal audit teams, working at an asset owners / end user environments (industrial manufacturing and or critical infrastructure), that are tasked to conduct audit activities, not only around IT infrastructure or operations, but also for OT/ICS or production control network environments.
Special Message:
Before we begin, do me a favour and make sure you hit the βSubscribeβ button to let me know that you care and keep me motivated to publish more. Thanks!
Note: remember to validate your email address to ensure that you donβt miss any future newsletter editions.
Internal Audit and IT & OT Cybersecurity Program
1. Challenges for Internal Audit Teams
Internal audit teams are now being challenged to keep a rigorous view on OT security program activities as well, in addition to IT security / services and other technology based program activities. In many cases, audit teams may not be familiar or skilled in understanding the risks across the OT/ICS or production control systems / network environments. So they may rely completely on either their internal counterparts in CISO/CIO business unit(s) and or external auditors (typically big 4 or niche specialist consulting firms) to help with an independent view on the current state and or maturity of the program. While that is important and totally fine; audit teams should also be equipping themselves to build some internal skill sets and capabilities on understanding IT & OT cybersecurity risks and be able to digest views presented by internal / external stakeholders to form their audit opinions.
Suggested Approach for Internal Auditors
Below is a high-level approach that audit teams / internal auditors can adopt to have a sound grasp in keeping tabs on IT & OT cybersecurity program activities across the business (but not limited) to:
π Understand business vision and mission.
π Understand departments (Audit) mission in support for the business mission.
π Understand what drives the business and what's critically important for its success?
π Understand a typical manufacturing workflow or lifecycle for the business.
π Know the key stakeholders across that manufacturing workflow.
π Understand Governance and Org. structure.
π Understand IT/enterprise technology stack and business processes.
π Understand OT/ICS key technology stack and production processes.
π Understand what local / regional regulatory frameworks the business needs to comply with?
π Understand Digital strategy for the business (if business have one documented) - if none exists - highlight this as a potential risk.
π Understand both IT & OT Cybersecurity Strategy - if none exists - highlight this as a potential risk.
π Understand joint IT & OT Governance steering committee structure and either get the steering co. regular updates and or and be a participant - depending upon org. culture. If no such joint committee - highlight this as a potential risk.
π Understand Cybersecurity program / roadmap - typically a 1 to 3 year plan (if any) and its alignment with the business mission.
π Understand ISMS for IT and CSMS for OT (if business have one) and or any other frameworks used - if none exists - highlight this as a potential risk.
π Understand IT & OT/ICS network architecture and segregation - if none exists - highlight this as a potentially high risk.
π Understand IT Cybersecurity controls and their ability to reduce risks on business systems / operations - if none exists - highlight this as a potential risk.
π Understand OT Cybersecurity controls and their ability to reduce risks on production systems / operations - if none exists - highlight this as a potential risk.
π Understand security controls / solution that provides visibility across production control network environments e.g., any OT IDS / Network Monitoring or Anomaly Detection Solution used. Ensure at-least a foundational high-level understanding of the solution monitoring scope (any exclusions), solution components, architecture and capabilities or control functions it provides.
π Understand Cybersecurity Monitoring and see if enterprise SIEM is ingesting logs both from key IT security tools and OT IDS/anomaly detection solution for log correlation and being monitored (in house / by MSSP) - if none exists - highlight this as a potential risk.
π Understand the type of monitoring use cases that are in place, any baselines created for network traffic, SOPs for handling alerts - if none exists - highlight this as a potential risk.
π Develop an internal checklists and request information from IT & OT security, technology, production and engineering teams to ensure a sound due diligence process in place by audit team (as an independent business unit) on measuring the security program effectiveness and risks are tracked.
π Keep up-to-date with latest developments within the business itself, overall within the industry, emerging tech and its uses, geopolitical or environmental risks, attacks and or threat groups targeting the industry sector in which the business operates.
π Keep routine checks per the define audit frequency. In addition, perform spot checks during the year to take a proactive approach on identifying potential outlier scenarios and engage relevant teams for addressing them in a timely fashion.
Hope this helps providing a foundation approach an internal audit team can rely on to build its understanding and the ability to approach auditing cybersecurity program activities both for IT & OT/ICS environments.
All this and more are covered in Securing Things Academy upcoming offering - IT & OT CySEAT (Cybersecurity Education & Awareness Training).
Anything critical I missed? - Anything additional youβd like to add and or youβve included in your internal audit strategy that have helped your or your clientβs businesses? - please add below.
AI Cybersecurity Policy & Reference Guidance - covers:
-> AI cybersecurity policy construction (key elements)
-> AI cybersecurity policy build - project execution (steps to follow)
-> AI cybersecurity standards, framework, guidance reference resources.
Step 4 of Phase A of Getting Started in IT & OT Cybersecurity - blueprint by M. Yousuf Faisal - covers:
-> IT & OT Cybersecurity Competence Frameworks (reference examples)
-> IT & OT - Plan cybersecurity career roadmap.
-> Securing Things Academy (STA) updates.Step 3 of Phase A of Getting Started in IT & OT Cybersecurity - blueprint by M. Yousuf Faisal - covers:
-> Manufacturing workflow
-> IT & OT - layers of automation stack,
-> IT & OT security principles and typical list of processes,
-> Example specific CII sectors & more.
-> few other interesting cybersecurity resources / links,
-> Securing Things Academy (STA) updates.
IT & OT Cybersecurity - Strategy, Program, Execution & Management - covers:
-> A recommended approach towards building and executing IT & OT Cybersecurity & Resilience Strategy
-> a brief introductory video explainer
-> Securing Things Academy (STA) updates.
Whenever you are ready - I can help you / your organizationsβ or your customersβ secure digital transformation journey through:
vCISO / fractional CISO services, CISO security advisor, GRC, Assessments / Reviews / Gap Analysis, Advisory, Strategy, Security / AI Policy or standards development, ISO 27001, PCI DSS and other frameworks, architectural reviews, configuration hardening for IT & OT cybersecurity engagements. (few examples - IT & OT Cybersecurity - Strategy, Program, Execution and Management, for SME manufacturers - OT Cybersecurity Best Practices Requirements Specification OTCBPRS Toolkit, 3 step process for evaluating & implementing OT IDS / Anomaly detection / network security monitoring solutions β here; OT Cybersecurity Management System β OT CSMS and Cybersecurity SMB toolkits includes ISO 27001, etc.)
B - IT & OT Cybersecurity Trainings & Education
General Security Awareness Training & Phishing Awareness Portal for SMBs. Start your cybersecurity journey with a free cyber heath check / questionnaire based review & build a cybersecurity strategy and security awareness program.
Securing Things Academy (STA) - Training, Coaching and digital downloads for IT & OT Practitioners - pre-launch coming soon.
Securing Things Newsletter - providing insights and educational content on IT / OT / IOT / IIOT cyber-physical and AI security.
Reach out at info[at]securingthings[dot].com or DM via LinkedIn.
Interested in automating compliance with different industry frameworks e.g., ISO 27001, SOC2, NIST CSF, ISO 42001 and more? checkout Vanta offerings below.
Scale your GRC program with Automation and AI
Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.
Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring
Centralize risk and report on program impact to internal teams
Create your own Trust Center to proactively manage buyer needs
Leverage AI to answer security questionnaires faster
Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to build trust and prove security in real time. Connect with a team member to learn more.
My Ask
I invite #Securing Things community to share their insights, feedback. Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.
Take care and Best Regards,
M. Yousuf Faisal (Founder Securing Things).
Itβs a Great Day to Start Securing Things for a Smart & Safer Society.
Follow: #securingthings on LinkedIn and or @securingthings on X/Twitter.
#securingthings #internalaudit #auditors #securityawareness #otids #itotstrategy #otsecuritydozen #cybersecuritystrategy #auditprogram #auditchecklist #digitaltransformation #ot #ics #otsecurity #otsecuritydozen #otcybersecurity #icssecurity #isa #icscybersecurity #securedigitaltransformation #iiot #operationaltechnology #industry40 #iec62443 #criticalinfrastructure #NIST #ISO #criticalinfrastructureprotection #criticalinformationinfrastructure #sgcii #securityawareness #otsecurityawareness #icssecurityawareness #otstrategy #icscybersecurityprogram #otcybersecurityprogram #manufacturing #industrialcontrolsystems #industrialautomation #strategypresentation #security
The Newsletter Platform Built for Growth
When starting a newsletter, there are plenty of choices. But thereβs only one publishing tool built to help you grow your publications as quickly and sustainably as possible.
Beehiiv was founded by some of the earliest employees of the Morning Brew, and they know what it takes to grow a newsletter from zero to millions.
The all-in-one publishing suite comes with built-in growth tools, customization, and best-in-class analytics that actually move the needle - all in an easy-to-use interface.
Not to mentionβresponsive audience polls, a custom referral program, SEO-optimized webpageβs, and so much more.
If youβve considered starting a newsletter, thereβs no better place to get started and no better time than now.
Reply