White Paper

Cyber Risk Readiness, Response & Ransom: An Audit Committee Perspective

July 2021
Level 7, 133 Castlereagh Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au
Contents

Background
- Purpose
- Background
Discussion
- Readiness and Response
- Responsibility

IIA-Australia has issued guidance including:
› 20 Critical Questions Series – ‘What Directors should ask about Information and Cyber Security’.
› Factsheet – ‘ICT Governance and Assurance’.
› Cybersecurity Toolkit.

Other useful guidance to assist ARCs in examining and questioning the cyber risk maturity of their organisation includes, among others:
› Australian Signals Directorate (ASD) ‘Essential Eight’.

Recent briefings from official sources within Australia suggest that 2021 is seeing two serious trends:
› Condition and effectiveness of soft controls – also often referred to as ‘culture’.
› The organisation’s validated readiness to respond should a cyber-attack succeed.

› Questioning the level and nature of cyber risk prevention and mitigation by their organisation.
› Assessing the cyber risk maturity of their organisation.
› Reviewing the cyber risk roadmap of their organisation.
› Deploying internal audit and other assurance providers to:
  › Assess, test and provide assurance regarding the appropriateness and effectiveness of the organisation’s cyber risk arrangements.
  › Utilise cyber tools to:
    › Test vulnerabilities for third-party data breaches.
    › Test capabilities to continuously monitor vendors.
    › Understand the organisation’s attack surface.

ARCs are then concerned to:
› Monitor progress of further actions identified by those enquiries.
› Monitor the ongoing operation of cyber risk mitigations.
› Monitor the evolving nature and form of cyber risks that relate to their organisation.
› Encourage continuous improvement of their organisation’s approach to cyber risk.

Discussion

Initially, it is quite common and logical for ARCs to focus on the standards, frameworks, artefacts (policies, procedures) and actions (training, implementation plans) put in place by their organisation.

› The community as appropriate.

Communications have proven to be a particularly important element of managing cyber breaches, which if left unplanned or unmanaged may be a material risk factor.

Responsibility

Another aspect of great importance for ARCs is the clarity for, and effectiveness of, responsibility arrangements. A holistic approach is required for strong cyber resilience but, typically, responsibility is scattered for the various aspects of technology across the organisation.

› Cyber risk control environment.
› Cyber incident response preparedness.
› Scope of technology risks.
› Cyber insurance.
› Cyber ransom policy.

If a person deals with money or property where there is a risk that the money or property will become an “instrument of crime” – money or other property is an “instrument of crime” if it is used in the commission of, or used to facilitate the commission of, an indictable offence (Australian or foreign); AND the person making the payment is reckless or negligent as to the fact that there is a risk that the money or property will become an instrument of crime.

There are also anti-money-laundering and counter-terrorism laws that may need to be considered.

If consideration of paying a ransom is permitted under the organisation’s policy, it is essential that:
› The legal position applying at the specific time is fully understood and documented.
› Disclosure requirements are understood and actioned.
› Optional disclosures to staff, stakeholders, customers and the community are carefully considered.

The ACSC recommends that:
› Organisations DO NOT pay a ransom.
› You restore your files from backup and seek advice.

The ACSC provides practical guides for:
› Protecting your organisation against ransomware attacks.
› What to do if you’re held to ransom.

The Dimension of Soft Controls (Culture)

The IIA places a strong emphasis on soft controls (aka culture) as a key dimension of the control environment.

Hard controls include such elements as organisational structure, assignment of authority and responsibility, standards, policies, procedures and human resources. Management puts hard controls in place to mitigate identified inherent risks down to acceptable levels of residual risk in line with approved risk appetite.

Soft controls are intangible controls like morale, integrity, ethical climate, empowerment, competencies, openness and shared values.

Hard controls can guide employee behaviour through defined policies and procedures, while soft controls can influence the behaviour of the employees and ensure compliance with procedures.

Soft controls are a vital component of control DNA. They lead to efficient hard controls and help in strengthening hard controls or, if not aligned to desired values and outcomes, can seriously impede and undermine the operation of hard controls.

Soft controls (culture) are so important to an effective control environment that they must be understood, influenced and tested.

With regard to cyber risk mitigation, the effectiveness of hard controls relies heavily on the awareness, diligence, maturity and conformance of employees and other relevant agents.

A great deal of focus has been afforded by organisations and ARCs over many years to risks related to ‘traditional’ aspects of computer technology variously captured by terms such as information and communication technologies (ICT).

Areas where less focus may have been given by some ARCs include the management and mitigation of cyber vulnerability issues for:
› Technical systems such as building and factory control systems.
› Smartphones and tablets.

Conclusion

Summary

Cyber risk is a fast-moving tide and ARCs are charged with staying abreast of the risk frontier to be able to make relevant enquiries of their organisations. This White Paper:
› Considers some current angles where existing guidance may be limited.

Bibliography and References

Bibliography
GTAG – Assessing Cyber Security Risk, IIA Global
Factsheet – ICT Governance and Assurance, IIA-Australia
The Essential Eight, Australian Cyber Security Centre
International Standard ISO/IEC 27001:2013 Information security management, ISO/IEC
Cybersecurity Framework, National Institute of Standards and Technology (NIST, USA)
NSW Cyber Security Strategy, Digital.NSW
NSW Government Internet of Things Policy Guidelines, Digital.NSW
IoT Security Compliance Framework, IoT Security Foundation

References
GTAG – Assessing Cyber Security Risk: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-The-Three-Lines-Model.aspx
IIA Cyber Security Resource Exchange: https://na.theiia.org/standards-guidance/topics/Pages/Cybersecurity-Resource-Exchange.aspx
ICT Governance and Assurance (Members only): https://iia.org.au/technical-resources/knowledgeitem.aspx?ID=347
The Essential Eight: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained
The Essential Eight Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
Disclaimer
Whilst the Institute of Internal Auditors–Australia has
attempted to ensure the information in this White Paper is
as accurate as possible, the information is for personal and
educational use only, and is provided in good faith without
any express or implied warranty. There is no guarantee given
to the accuracy or currency of information contained in this
White Paper. The Institute of Internal Auditors–Australia does
not accept responsibility for any loss or damage occasioned
by use of the information contained in this White Paper.