Cyber Security Reporting - preparing for an Audit and Board Meeting

Cyber Security Reporting – preparing for an Audit and dealing with the Board

Auditor getting ready for inspection
Photo by Hunters Race on Unsplash

Estimated Reading Time: 7 Minutes
Welcome to part 5 of our content series on Managing Technology Risk and Governance. In this chapter, we will investigate how to prepare for a Cyber Security audit and prepare comprehensive reports for the board. These are recommendations based on our audit and board reporting experience over 15 years. Being ready for it is key to saving time and effort.

If you are only picking this up now, we have already discussed a lot of crucial steps to get here. In the previous stages, we have addressed:

  • Step 1 – Assessing your Current Position – Understanding where you are and where you want to be in terms of infrastructure, cybersecurity, business continuity and tech risk.
  • Step 2 – Building your Asset and Risk Register – An essential part of managing your risk is to fully understand and register it.
  • Step 3 – Develop your Action Plan and Scorecard – This is where we establish the priorities and define how to address each risk.
  • Step 4 Gather Evidence and Support the System – A process that will be essential for when the audit nears.
  • Step 5 Handling Audits and the Board – Where we are now
  • Step 6 – Developing the System

Some of the content is available on our website and the rest you can obtain via email by Subscribing to our Content Series or talking to us. We’ll be happy to assist and provide more information and guidance on this significant topic.

What is the purpose of a Cyber Security Audit

A cybersecurity audit is a vital process for identifying fundamental weaknesses in your company’s cybersecurity architecture. These assessments help you verify what lives inside your network, what needs to be protected, and how to improve protection. Auditors are looking for proof that you are doing the right thing and improving. It is not a name and shame process; audits exist to help you grow.

However, as relevant as cybersecurity audits are, many companies are not very well prepared for them. So, how can you prepare for a cyber security audit so that it can be completed quickly and efficiently? Here is a short list of the main tips to help you get ready:

Create a Diagram of Your Network Assets

While part of the goal of any audit is to identify potentially unknown assets on your business network, giving your auditor a network diagram can help them save time and get a head start on their assessment. A network diagram outlines the overall structure of your network—what assets are present, how they’re connected, and how they are linked. Many tools exist today that can provide a real-time view of your network assets. These make the process of gathering data simpler than drawing diagrams that go out of date as you finish them.

Verify with the  Auditor Which Stakeholders They Need to Talk to

Board Level Meeting
Photo by Tim Gouw on Unsplash

At one point, the auditor will need to speak to subject matter experts within your organisation to get a complete picture of your cybersecurity policies and architecture. So, before the audit begins, ask the auditor which of your key stakeholders they will need to talk to during their inspection, and set aside some time for these stakeholders to attend a meeting and what tools or access they may need during their audit.

Build Your Cyber Security Policies into a Single, Easy-to-Read Book

While your auditor will likely conduct interviews of your staff to get a feel for their grasp of security, it can be helpful for them to have access to your cybersecurity policies during their audit. Here, taking all of the documentation regarding your business’ cybersecurity policies and procedures and organising them into a single book can be massively helpful.

Spector provides a book of 20+ cyber security policies as well as other key business documents that we build into a single policy book. We also include evidence in these documents – which will likely be asked for. Some examples include:

  • Password policies
  • User Access Controls
  • Acceptable Usage Policies
  • Backup and DR Policies
  • Incident Management Procedures
  • Data Mapping Processes and many more.
  • Cyber security training logs

This policy book helps the auditor understand your organisation’s overall cybersecurity awareness as well as spot potential gaps in your security policies and procedures that need to be addressed.

Study Up on All Applicable regulatory and Compliance Standards Prior to the Audit

Most organisations have one or more compliance or regulatory standards that they strive to meet, such as PCI DSS, GDPR etc. In 2016 the Central Bank of Ireland released the Cross-Industry Guidance in respect of Information Security and Cybersecurity Risk. It is a fantastic resource – albeit a little dated – on recommendations of what may be expected at audit time.

By educating yourself about your compliance requirements, you can put yourself in a position to work more collaboratively with your cybersecurity audit & compliance team as well as verify that the suggestions they make are realistic and positive.

Define the Project Scope with the Auditor

One of the most vexing problems companies face is determining the scope of an audit and how to prepare for the review. Without a scope, lags are inevitable because there are always unforeseen events that can disrupt outcomes, your time and costs. An experienced auditor should be able to anticipate these events to some extent and inform you (to some degree) of their requirements in advance.

When discussing project scope for an audit, be sure to ask questions about why the auditor needs certain resources, or if there are any resources they require that you haven’t provided yet. Get details about why specific assessment steps are necessary and what they entail. Be confident!

After the Cybersecurity Audit Starts

When the auditor begins making their assessment of your organisation’s cybersecurity infrastructure, be sure to ask them to bring any significant issues to your attention as soon as possible. No-one needs surprises at the conclusion of the audit. This also gives you a chance to start remediating these issues as soon as you can.

Also, be sure to take any alerts from the auditor seriously and ask for suggestions about how you can fix these issues. Many experienced auditors are familiar with numerous cybersecurity tools and quick fixes for common problems that you can implement very quickly. However, they may want to complete their full audit before making some recommendations so they can suggest the most comprehensive solution possible.

Dealing with the Board

Board Level Meeting
Photo by Campaign Creators on Unsplash

Concerning the board, our advice is to keep it simple. There are often over 20 items to be discussed at a board meeting. You have a short time window in which to get your point across – and possibly ask for investment.

Educating the board about the relevance and role of the tech infrastructure of your business is a good place to start. We recommend reading the document mentioned above; the Central Bank Guidelines in respect of IT and Cybersecurity Risks. The report is easy to read and highlights the main requirements and risks of a regulated firm.

After introducing them to the topic effectively, your job will be much more straightforward. The following insights will also be valuable in transmitting your message in the best way possible.

Guiding principles for board reports

  • Relevant: Relevant to the audience (full board; key committee)
  • Reader-friendly: Use summaries, callouts, graphics, and other visuals, avoid technical jargon
  • Meaningful: Communicate insights, not just information.
  • Highlight changes, trends, patterns over time
  • Concise: Avoid information overload
  • Discussion: Reports should also enable dialogue and debate.
  • Continuous improvement: Review the format and content regularly.

Key questions to help identify and develop cybersecurity metrics

What metrics do we have that indicate risk to the organisation? Boards need to know that the organisation’s critical assets are being protected.

What investments are necessary for cyber security?

Organisations need to understand their current and future cyber security needs before they decide what investments will drive down risk. Useful questions include:

  • What initiatives were not funded in this year’s budget, and why?
  • What trade-offs were made?
  • Do we have the right resources, including staff and systems, and are they being deployed effectively?

How do we measure the effectiveness of our organisation’s cyber security programme and how does it compare to those of other organisations?

Board-level metrics should highlight changes, trends and patterns over time, show relative performance,  and indicate impact. External cybersecurity specialists may be able to provide useful comparisons within industry sectors.

How many data incidents (e.g. exposed sensitive data) has the organisation experienced in the last reporting period?

Report Dashboard
Photo by Stephen Dawson on Unsplash

This metric will inform conversations about trends, patterns and root causes. Remember to reinforce the fact that incidents are bound to happen – it’s not a matter of “if”, but “when”. How effectively the organisation reacts to these incidents is the primary point of discussion.

How do we assess the cyber-risk position of our suppliers, vendors, JV partners and customers?

Supply chain relationships typically pose increased risk for organisations given the degree of system interconnectivity and data-sharing that is now part of everyday business operations. Useful questions include:

  • How do we conduct ongoing monitoring of third-party risks?
  • How many external vendors connect to our network or receive sensitive data from us?

What metrics do we use to evaluate cybersecurity awareness across the organisation?

People are often the biggest cybersecurity threat for many organisations. Data about policy compliance and the implementation and completion of training programmes will help inform conversations about insider risks.

Use the Content that you got

Throughout this content series, we have provided you with the tools and knowledge you will need to perform much better in this stage. This knowledge is based on years of experience operating in many regulated industries and having internal lead-auditing capabilities. It is the material we wish we had when we were starting.

The pieces of content you have will aid you in assessing your vulnerabilities, understanding your risks, prioritising and acting on them. The material can give your business a significant edge in this aspect, and you should use it as a competitive advantage.

If your objective is to get audit-ready and increase your organisational maturity, you must be in a much better place by now. However, to have your business ready for the future and secured against evolving risks, you still have to develop an evolving system.

Our next step in this series will talk about how we have developed our system and how you can leverage this knowledge to take your business to the next level. To receive the last part, subscribe to our series. Stay tuned and talk to us if you have any doubts.

Leave a Reply

  Subscribe  
Notify of
Back to articles list