Internal Audit and IT & OT Cybersecurity Program

[Securing Things by M. Yousuf Faisal]


Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.

M. Yousuf Faisal


Hi Securing Things Community, this newsletter edition is specific to internal audit teams working in asset owner / end user environments (industrial manufacturing and/or critical infrastructure) that are tasked with conducting audit activities, not only around IT infrastructure and operations, but also across OT/ICS or production control network environments.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.


1. Challenges for Internal Audit Teams

Internal audit teams are now being challenged to keep a rigorous view on OT security program activities as well, in addition to IT security / services and other technology-based program activities. In many cases, audit teams may not be familiar with, or skilled in, understanding the risks across OT/ICS or production control systems and network environments. So they may rely completely on either their internal counterparts in the CISO/CIO business unit(s) and/or external auditors (typically Big 4 or niche specialist consulting firms) for an independent view on the current state and/or maturity of the program. While that is important and totally fine, audit teams should also be equipping themselves with some internal skill sets and capabilities for understanding IT & OT cybersecurity risks, so that they can digest the views presented by internal and external stakeholders and form their own audit opinions.

Suggested Approach for Internal Auditors

Below is a high-level approach that audit teams / internal auditors can adopt to gain a sound grasp of, and keep tabs on, IT & OT cybersecurity program activities across the business, including (but not limited to):

👉 Understand the business vision and mission.

👉 Understand the department's (Audit) mission in support of the business mission.

👉 Understand what drives the business and what is critically important for its success.

👉 Understand a typical manufacturing workflow or lifecycle for the business.

👉 Know the key stakeholders across that manufacturing workflow.

👉 Understand governance and organizational structure.

👉 Understand the IT/enterprise technology stack and business processes.

👉 Understand the OT/ICS key technology stack and production processes.

👉 Understand which local / regional regulatory frameworks the business needs to comply with.

👉 Understand the digital strategy for the business (if the business has one documented); if none exists, highlight this as a potential risk.

👉 Understand both the IT & OT cybersecurity strategy; if none exists, highlight this as a potential risk.

👉 Understand the joint IT & OT governance steering committee structure, and either receive the steering committee's regular updates and/or be a participant, depending on the organizational culture. If no such joint committee exists, highlight this as a potential risk.

👉 Understand the cybersecurity program / roadmap, typically a 1 to 3 year plan (if any), and its alignment with the business mission.

👉 Understand the ISMS for IT and the CSMS for OT (if the business has one) and/or any other frameworks used; if none exists, highlight this as a potential risk.

👉 Understand the IT & OT/ICS network architecture and segregation; if none exists, highlight this as a potentially high risk.

👉 Understand the IT cybersecurity controls and their ability to reduce risks to business systems / operations; if none exist, highlight this as a potential risk.

👉 Understand the OT cybersecurity controls and their ability to reduce risks to production systems / operations; if none exist, highlight this as a potential risk.

👉 Understand the security controls / solutions that provide visibility across production control network environments, e.g., any OT IDS / network monitoring or anomaly detection solution in use. Ensure at least a foundational, high-level understanding of the solution's monitoring scope (including any exclusions), its components and architecture, and the capabilities or control functions it provides.

👉 Understand cybersecurity monitoring and check whether the enterprise SIEM is ingesting logs from both the key IT security tools and the OT IDS / anomaly detection solution for log correlation, and whether those logs are actually being monitored (in house / by an MSSP); if none exists, highlight this as a potential risk.

👉 Understand the type of monitoring use cases in place, any baselines created for network traffic, and the SOPs for handling alerts; if none exist, highlight this as a potential risk.

👉 Develop internal checklists and request information from the IT & OT security, technology, production and engineering teams, to ensure that a sound due diligence process is in place by the audit team (as an independent business unit) for measuring security program effectiveness and confirming that risks are tracked.

👉 Keep up to date with the latest developments within the business itself, across the industry as a whole, in emerging technology and its uses, in geopolitical or environmental risks, and in attacks and/or threat groups targeting the industry sector in which the business operates.

👉 Keep routine checks per the defined audit frequency. In addition, perform spot checks during the year to take a proactive approach to identifying potential outlier scenarios, and engage the relevant teams to address them in a timely fashion.

Hope this helps provide a foundational approach that an internal audit team can rely on to build its understanding and its ability to audit cybersecurity program activities across both IT & OT/ICS environments.

All this and more is covered in the Securing Things Academy's upcoming offering: IT & OT CySEAT (Cybersecurity Education & Awareness Training).

Anything critical I missed? Anything additional you'd like to add, or that you've included in your internal audit strategy and that has helped your or your clients' businesses? Please add below.

2. My most viewed social media posts

Whenever you are ready, I can help you, your organization, or your customers with a secure digital transformation journey through:

B - IT & OT Cybersecurity Trainings & Education

Reach out at info[at]securingthings[dot]com or DM via LinkedIn.

Interested in automating compliance with different industry frameworks, e.g., ISO 27001, SOC 2, NIST CSF, ISO 42001 and more? Check out the Vanta offerings below.

Scale your GRC program with Automation and AI

Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.

  • Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring

  • Centralize risk and report on program impact to internal teams

  • Create your own Trust Center to proactively manage buyer needs

  • Leverage AI to answer security questionnaires faster

Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to build trust and prove security in real time. Connect with a team member to learn more.

My Ask

I invite the #SecuringThings community to share their insights and feedback. Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Take care and Best Regards,

M. Yousuf Faisal (Founder Securing Things).

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Follow #securingthings on LinkedIn and/or @securingthings on X/Twitter.

#securingthings #internalaudit #auditors #securityawareness #otids #itotstrategy #otsecuritydozen #cybersecuritystrategy #auditprogram #auditchecklist #digitaltransformation #ot #ics #otsecurity #otcybersecurity #icssecurity #isa #icscybersecurity #securedigitaltransformation #iiot #operationaltechnology #industry40 #iec62443 #criticalinfrastructure #NIST #ISO #criticalinfrastructureprotection #criticalinformationinfrastructure #sgcii #otsecurityawareness #icssecurityawareness #otstrategy #icscybersecurityprogram #otcybersecurityprogram #manufacturing #industrialcontrolsystems #industrialautomation #strategypresentation #security
