Executive management and the board of directors are increasingly required to attest to shareholders, regulators, and other stakeholders that customer data is being properly protected and that cyber risk is being managed in accordance with organization policy. According to the Institute of Internal Auditors, such attestations are enabled by a “Third Line of Defense” provided by internal audit or a fully independent cybersecurity assessor. Such audits supplement the reports provided by management and compliance leaders and provide the audit committee and the full board with the assurance they need to make such attestations.
However, many enterprises don’t have an internal audit function. If they do, the department may lack sufficient knowledge, experience, or resources to plan and execute cybersecurity audits.
All of this is a daunting challenge for many firms.
Coalfire can help
Coalfire provides cybersecurity assurance services on a co-sourced basis to internal audit departments, or via independent audits commissioned directly by the board of directors or senior management.
Since cybersecurity audits cover sensitive topics, Coalfire’s work is generally performed under attorney-client privilege. If you haven’t already engaged with an attorney with cybersecurity skills, Coalfire can help you find and select well-qualified counsel. We have worked with many of the best firms in the field.
In providing cybersecurity audit services, Coalfire typically recommends a four-step approach:
- Enterprise Risk Assessment – This will establish a risk-based view of your organization’s crown jewels, enabling audits to be prioritized.
- Controls Assessment – We can help you determine the maturity of your cybersecurity controls. As necessary, we will work with the CISO and security leaders to develop a cybersecurity improvement roadmap.
- Audit Planning – Best practice dictates that cybersecurity is discussed by an audit committee or with the full board at least twice per year. To prepare for those meetings, we will work with your internal audit department and CISO to plan and schedule audits so that findings can be presented to the board. These audits are generally selected on a risk-appropriate basis (higher-risk areas earlier and more frequently) or after a recent control implementation to verify the design and operating effectiveness of security controls.
- Auditing and Testing – Our assurance programs encompass:
  - Audits – Our analysts will evaluate the design and effectiveness of controls through interviews, observation, sampling/inspections, and re-performance.
  - Penetration Tests – Our qualified penetration testers will test the overall effectiveness of your controls by simulating the malicious actions of an insider or adversary.
Why Coalfire for your Cybersecurity Audit
Since our founding in 2001, Coalfire has established itself as a pure-play, vendor-neutral cybersecurity advisory firm serving as a trusted advisor to executives, legal counsel, compliance managers and security practitioners across numerous industries.
Unlike CPA firms, which may be conflicted by their financial audit responsibilities, we focus exclusively on cybersecurity and can independently audit and align your organization with regulatory and business best practices.
Each Coalfire project is led by a credentialed, industry-savvy senior director and supported by consultants armed with the methodologies, proven proprietary frameworks, insights and know-how accumulated through service to over 1,400 clients annually. We’re skilled communicators who present our findings in business terms for truly actionable insights.