Internal Audit and IT & OT Cybersecurity Program

✅[ST # 25] Challenges and Suggested Approach for Internal Audit Teams. [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.

M. Yousuf Faisal


Hi Securing Things Community, this newsletter edition is written for internal audit teams working in asset owner / end user environments (industrial manufacturing and/or critical infrastructure) that are tasked with auditing not only IT infrastructure and operations, but also OT/ICS or production control network environments.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.

Internal Audit and IT & OT Cybersecurity Program

1. Challenges for Internal Audit Teams

Internal audit teams are now being challenged to keep a rigorous view of OT security program activities as well, in addition to IT security / services and other technology-based program activities. In many cases, audit teams are not familiar with, or skilled in, understanding the risks across OT/ICS or production control systems / network environments. They may therefore rely completely on their internal counterparts in the CISO/CIO business unit(s) and/or on external auditors (typically Big Four or niche specialist consulting firms) for an independent view of the current state and/or maturity of the program. While that is important and entirely acceptable, audit teams should also equip themselves with some internal skills and capabilities for understanding IT & OT cybersecurity risks, so that they can digest the views presented by internal / external stakeholders and form their own audit opinions.

2. Suggested Approach for Internal Auditors

Below is a high-level approach that audit teams / internal auditors can adopt to gain a sound grasp of, and keep tabs on, IT & OT cybersecurity program activities across the business, including (but not limited to):

👉 Understand business vision and mission.

👉 Understand the audit department's mission in support of the business mission.

👉 Understand what drives the business and what is critically important for its success.

👉 Understand a typical manufacturing workflow or lifecycle for the business.

👉 Know the key stakeholders across that manufacturing workflow.

👉 Understand the governance and organizational structure.

👉 Understand IT/enterprise technology stack and business processes.

👉 Understand OT/ICS key technology stack and production processes.

👉 Understand which local / regional regulatory frameworks the business needs to comply with.

👉 Understand the digital strategy for the business (if the business has one documented) - if none exists - highlight this as a potential risk.

👉 Understand both the IT & OT cybersecurity strategy - if none exists - highlight this as a potential risk.

👉 Understand the joint IT & OT governance steering committee structure and either receive the committee's regular updates or be a participant - depending upon the organizational culture. If no such joint committee exists - highlight this as a potential risk.

👉 Understand the cybersecurity program / roadmap - typically a 1 to 3 year plan (if any) - and its alignment with the business mission.

👉 Understand the ISMS for IT and the CSMS for OT (if the business has them) and/or any other frameworks used - if none exists - highlight this as a potential risk.

👉 Understand the IT & OT/ICS network architecture and segregation - if none exists - highlight this as a potential high risk.

👉 Understand the IT cybersecurity controls and their ability to reduce risks to business systems / operations - if none exist - highlight this as a potential risk.

👉 Understand the OT cybersecurity controls and their ability to reduce risks to production systems / operations - if none exist - highlight this as a potential risk.

👉 Understand the security controls / solutions that provide visibility across production control network environments, e.g., any OT IDS / network monitoring or anomaly detection solution in use. Ensure at least a foundational, high-level understanding of the solution's monitoring scope (including any exclusions), its components, its architecture, and the capabilities or control functions it provides.

👉 Understand cybersecurity monitoring and check whether the enterprise SIEM is ingesting logs from both the key IT security tools and the OT IDS / anomaly detection solution for log correlation, and whether those logs are actually being monitored (in house / by an MSSP) - if not - highlight this as a potential risk.

👉 Understand the monitoring use cases in place, any baselines created for network traffic, and the SOPs for handling alerts - if none exist - highlight this as a potential risk.

👉 Develop internal checklists and request information from the IT & OT security, technology, production and engineering teams, so that the audit team (as an independent business unit) has a sound due diligence process in place for measuring security program effectiveness and ensuring that risks are tracked.

👉 Keep up to date with the latest developments within the business itself and across the industry: emerging technology and its uses, geopolitical or environmental risks, and attacks and/or threat groups targeting the industry sector in which the business operates.

👉 Perform routine checks per the defined audit frequency. In addition, perform spot checks during the year to take a proactive approach to identifying potential outlier scenarios, and engage the relevant teams to address them in a timely fashion.
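Two of the checklist items above (whether the enterprise SIEM is actually ingesting logs from the key IT security tools and from the OT IDS / anomaly detection solution, and the routine or spot checks that verify this through the year) lend themselves to a small, repeatable evidence check. The script below is an added example and not code from the newsletter or from any SIEM product. It assumes the auditor can obtain two artefacts: an inventory of log sources the SIEM is expected to ingest, tagged by IT or OT zone with a maximum acceptable silence window per source, and a SIEM export of the last event timestamp seen per source. Both inputs here are constructed sample data; the source names, zones and thresholds are hypothetical.

```python
"""Audit check: is the SIEM really receiving logs from every expected
IT security tool and from the OT IDS sensors?  Illustrative example only;
inventory, SIEM export and thresholds below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ExpectedSource:
    name: str
    zone: str               # "IT" or "OT" (hypothetical zoning)
    max_silence: timedelta  # longest acceptable gap between events


@dataclass(frozen=True)
class Finding:
    kind: str    # "MISSING", "STALE" or "UNINVENTORIED"
    zone: str
    source: str
    detail: str


# Constructed inventory: what the audit expects the SIEM to be ingesting.
EXPECTED_SOURCES = [
    ExpectedSource("edr-console", "IT", timedelta(hours=1)),
    ExpectedSource("perimeter-firewall", "IT", timedelta(minutes=15)),
    ExpectedSource("email-gateway", "IT", timedelta(hours=1)),
    ExpectedSource("ot-ids-sensor-line1", "OT", timedelta(hours=4)),
    ExpectedSource("ot-ids-sensor-line2", "OT", timedelta(hours=4)),
    ExpectedSource("dmz-jump-host", "OT", timedelta(hours=1)),
]

# Constructed SIEM export: source name -> last event timestamp (UTC, ISO 8601).
SIEM_LAST_SEEN = {
    "edr-console": "2024-05-01T09:50:00Z",
    "perimeter-firewall": "2024-05-01T09:58:00Z",
    "email-gateway": "2024-05-01T05:10:00Z",
    "ot-ids-sensor-line1": "2024-05-01T08:30:00Z",
    "dmz-jump-host": "2024-05-01T09:45:00Z",
    "unexpected-test-box": "2024-05-01T09:59:00Z",
}

# Fixed point in time so the constructed sample is reproducible.
AUDIT_TIME = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_ingestion(expected, last_seen, now):
    """Compare the inventory with the SIEM export and return audit findings."""
    findings = []
    for src in expected:
        ts = last_seen.get(src.name)
        if ts is None:
            findings.append(Finding("MISSING", src.zone, src.name,
                                    "no events received by the SIEM"))
            continue
        silence = now - parse_ts(ts)
        if silence > src.max_silence:
            findings.append(Finding("STALE", src.zone, src.name,
                                    f"silent for {silence}, limit {src.max_silence}"))
    # Sources reporting to the SIEM that the inventory does not know about:
    # the inventory itself is out of date, which is a finding in its own right.
    inventoried = {s.name for s in expected}
    for name in sorted(set(last_seen) - inventoried):
        findings.append(Finding("UNINVENTORIED", "?", name,
                                "reporting to the SIEM but absent from inventory"))
    return findings


def coverage_by_zone(expected, findings):
    """Return {zone: (healthy_sources, expected_sources)} for the audit report."""
    unhealthy = {f.source for f in findings if f.kind in ("MISSING", "STALE")}
    result = {}
    for src in expected:
        healthy, total = result.get(src.zone, (0, 0))
        result[src.zone] = (healthy + int(src.name not in unhealthy), total + 1)
    return result


def run_audit():
    """Run the check against the constructed sample data."""
    return assess_ingestion(EXPECTED_SOURCES, SIEM_LAST_SEEN, AUDIT_TIME)


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"[{f.kind:<13}] {f.zone:<2} {f.source}: {f.detail}")
    for zone, (ok, total) in coverage_by_zone(EXPECTED_SOURCES, results).items():
        print(f"{zone} coverage: {ok}/{total} expected sources healthy")
```

On the sample data this reports one stale IT source, one OT IDS sensor that has never reported, and one host that is sending logs without appearing in the inventory. Each of these maps directly to the "highlight this as a potential risk" wording in the checklist: a silent OT sensor is the gap in OT visibility the auditor is meant to surface, while the uninventoried host is evidence that the log-source inventory used to scope monitoring is itself out of date. Rerunning the same script at each routine check or spot check gives the audit team a consistent, repeatable piece of evidence rather than a one-off verbal assurance.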

I hope this provides a foundational approach that an internal audit team can rely on to build its understanding and its ability to audit cybersecurity program activities across both IT & OT/ICS environments.

All this and more is covered in Securing Things Academy's upcoming offering - IT & OT CySEAT (Cybersecurity Education & Awareness Training).

Anything critical I missed? Anything additional you'd like to add, or that you've included in your internal audit strategy and that has helped your or your clients' businesses? Please add it below.

3. My most viewed social media posts

Securing Things Academy:

The IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list.


Ways in which I can help?

Whenever you are ready, I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and/or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - a subscription-based service to train your staff and build a security awareness program.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for links to the above services, or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

How are we doing?

I invite you, as part of the #SecuringThings community, to share your feedback.


Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society.

Let us know how we can improve this and/or what you'd like to see in future.

Thank you for your trust and continued support.

Do register, validate your email, and request a login link to submit the poll for a chance to win a future course giveaway.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal. (I advise and consult cyber & business leaders on their journey in Securing Things (IT, OT/ICS, IIoT, digital transformation, Industry 4.0, & AI) and share everything I learn in this newsletter and the upcoming Academy.)

Follow Securing Things on LinkedIn | X/Twitter & YouTube.
