KnowledgeLeader provides best practice articles, tools, guides and other resources on cybersecurity. This page contains an alphabetized list of all of the resources and tools on cybersecurity that are available for download on KnowledgeLeader. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2015 IT Audit Benchmarking Survey: Key Takeaways
A closer look at some of the notable takeaways from Protiviti and ISACA's 5th Annual IT Audit Benchmarking Survey.
2016 Audit Committee Agenda Webinar Q & A (Part 1)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience, and a lot of interesting and relevant questions were asked. In this article, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Audit Committee Agenda Webinar Q & A (Part 2)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience, and a lot of interesting and relevant questions were asked. In this second article of a four-part series, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Audit Committee Agenda Webinar Q & A (Part 3)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience, and a lot of interesting and relevant questions were asked. In this third article of a four-part series, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
This report details the results of the 2016 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations, which provides a benchmark of current perceptions in the industry.
A Matter of Trust: Taking a Look at the CISA Controversy
The Global Leader of Protiviti’s IT Consulting Practice takes a look at the concerns surrounding the Cybersecurity Information Sharing Act (CISA), a proposed law that has spurred controversy in the United States and abroad.
Access to Programs and Data Audit Work Program
The purpose of this work program—focused on access to programs and data—is to outline the IT general controls to be tested, review the results of management’s testing, and document the procedures to test each control. Document the procedures to be performed to conclude on the operating effectiveness of the controls identified, including a specific description of the nature, timing and extent of procedures to be performed. For all controls that are tested at an interim date, list the procedures performed to roll-forward the interim testing to period end.
An Integrated Approach to Managing Identity and Privileged Access Risk
This article outlines the Protiviti IAM Capability Model, which can be used to provide an understanding of an organization’s current IAM strengths and weaknesses.
Application Control Review RCM
This document outlines risks and controls common to the application control review process in a risk and control matrix (RCM) format.
Application Controls Audit Work Program
This application controls audit program applies when auditing financial end-user-developed spreadsheets and other applications.
Application Security Review and Testing Audit Work Program
Application security involves checking the security controls of an application, not the operating system or device that hosts the application. This work program focuses on the security issues related to e-business applications.
Approved Software Policy
This sample policy outlines procedures for the usage and maintenance of approved software in a company.
2016 Internal Audit Capabilities and Needs Survey
In the 10th year of the Internal Audit Capabilities and Needs Survey, Protiviti believes that internal audit has arrived at a tipping point.
AS400 Review Audit Work Program
This work program outlines steps for an AS400 review audit. It identifies major areas to investigate during a general or specific controls review in an AS400 installation as well as critical control validation tests to perform.
Background Checks and Confidentiality Policy: Contractors
This policy outlines procedures for extending background checks to temporary personnel and independent contractors.
Bank Controls: Information Systems Evaluation Questionnaire
This guide can help bank management and internal auditors to analyze the effectiveness of the internal control structure over financial reporting as it relates to information systems.
Barclays’ Internal Audit Function Harnesses Data Visualization to Gain a Clear Picture of Business Risks
This performer profile details how Barclays’ internal audit function harnesses data visualization to gain a clear picture of its business risks.
Business Continuity Management Audit Work Program
This audit work program focuses on the appropriateness of enterprise-wide business continuity planning, oversight and support, business impact analysis, and risk management.
Cellular Phone Policy
This sample policy provides company associates with a cost-effective and convenient way to manage cellular phones required for business purposes.
Computer Operations/Job Scheduling Audit Work Program
This audit work program focuses on computer operations and IT job scheduling. Audit objectives and test steps help determine and review the role of computer operations within an organization, the responsibilities of the computer operations department, and the ability to proactively manage computer operations.
Credit Card Data Purge Policy
This policy outlines a set of procedures for the credit card data purge process including specific purge procedures, a purge schedule, and related definitions.
Cybersecurity Audit Report
This audit report presents the results of vulnerability assessments and penetration testing performed on an organization’s external and internal facing environment.
Cybersecurity Requires a Healthy Dose of Collaboration at Baylor Scott & White Health
In this performer profile, Monica Frazer, VP of internal audit at Baylor Scott & White Health, describes how she keeps her team focused on risk-based fundamentals to monitor cybersecurity risks.
Data Backup and Retention Policy
The following sample outlines a set of policies and procedures for data backup and retention including network server backups, tape backups and job scheduling.
Data Backup Policy
This policy provides standardized procedures for backing up and maintaining computer files within an organization on a regular basis.
Data Breach Notification Memo
This memo's purpose is to notify an individual regarding the possibility of a personal information breach and explain the steps taken by a company to protect against identity theft or abuse of information.
Data Center Review Audit Work Program
This audit work program evaluates access and environmental controls and provides recommendations for meaningful changes to an organization's data center.
Database Administration Audit Work Program
This audit work program provides steps for a database administration review.
Define IT Strategy and Organization RCM
This document outlines risks and controls common to the "define IT strategy and organization" process in a risk control matrix (RCM) format.
Desktop Management Audit Work Program
This document outlines steps to audit the process used to deploy software to desktop computers.
Devices Are Mobile—Is Your Security Policy on Board?
While many employees may find the BYOD trend convenient—and the applications and cloud services that come with those devices certainly enable this convenience—the security risks worry employers.
Email Policy: Sample 2
This policy outlines a set of procedures governing the use of email on company computers. The scope of this policy includes email and Webmail (whether Company X Webmail or third-party, such as Yahoo! mail, Hotmail, etc.), the rules and limitations governing email use, and the enforcement of those rules. The topic of email retention is beyond the scope of this document. The classification of email types and the length of time that email must be retained (stored) in-house or in a specialized facility is covered in a separate policy.
Encryption Key Management Policy
This policy outlines procedures taken to create, rotate, and purge encryption keys used for securing credit card data within software applications.
Enterprise Accounting System Post-Implementation Review Memo
This review focuses on the configurable application controls, application security, and segregation of duties for the accounts payable and general ledger modules.
External Access Risk Key Performance Indicators (KPIs)
This tool outlines the business risks associated with inappropriate access to systems, data or information and suggests best practices to counter these risks.
Financial Institution Security Audit Work Program
This work program is an aid to assess the quantity of risk and the effectiveness of a financial institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information, instilling accountability for actions taken on the institution’s systems.
Firewall Administration Audit Work Program
This work program provides general steps for a firewall administration audit, including documentation, logical access, configuration, operating systems logs, firewall tests, application logs, physical security and continuity of operations. Sample steps include: obtain network diagrams illustrating firewall connections and segmentation on the network; determine if the expectations/goals/strategies of the firewall have been identified and are sound; and ensure that logical access to the various components (routers, firewall software) of the firewall solution is appropriately restricted to the individuals with authorized need for such access.
Firewall Administration Policy
The purpose of this policy is to establish procedures and requirements to ensure the appropriate protection and continuous operation of a company’s firewall infrastructure.
Firewall Audit Work Program
This firewall audit program focuses on internet and firewall configuration security, internet and firewall configuration change management, network monitoring and intrusion detection, and firewall vulnerability assessment. The control objectives include: the connection to an external network, such as the Internet, is secured with an application gateway firewall and the firewall is properly configured to secure internet traffic; firewall change management procedures are appropriate to prevent incomplete, unintended or unauthorized changes to the PIX firewall and/or other critical network devices; network traffic is monitored to detect availability issues or security events; and the firewall is configured properly to prevent unauthorized security breaches.
General Password Policy
The following sample outlines a policy for ensuring secure use of network passwords. This policy provides guidance regarding initial password setup, complexity, sharing, storage, and many other topics.
General IT Controls Questionnaire
This questionnaire assists with the collection of information regarding the control environment of all aspects of an IT department.
Information Security Work Program
This 11-page work program is intended to provide an internal audit team with guidance and direction when evaluating information security programs. It lists key project execution steps in the areas of strategies and policies, event monitoring, architecture and solutions, and managing deployment.
Internal Audit at a Tipping Point and Ten-Year Trends
The tenth edition of Protiviti’s Internal Audit Capabilities and Needs Survey includes 10-year trend data to illustrate top priorities and how they have evolved, dating back to when Protiviti began conducting the survey in 2007.
Internal Audit Integrates Control Into Emerging Technologies at American Airlines Group
This performer profile shares how the American Airlines Group is strengthening data security by performing reviews that compare internal processes to frameworks, such as the NIST Cybersecurity Framework and AICPA’s Generally Accepted Privacy Principles.
Internal Audit Plays Leading Role in Promoting Cybersecurity Risk Awareness at Beam Suntory
In this profile, Luci Roberts, vice president of internal audit and Beam Suntory’s chief audit executive (CAE), discusses how a stronger focus on cybersecurity risk management might help focus the IT procurement discussions within the business on risk rather than on who controls the purse strings.
Internal Auditing Around the World: Volume 12
In our latest edition of Internal Auditing Around the World, we interviewed 22 inspiring female internal audit leaders who are devoted to evolving their departments through the use of technology.
Internal Lab Security Policy
The purpose of this policy is to ensure that company confidential information and technologies are not compromised. This policy also establishes requirements for internal labs so that production services and other company interests are protected from lab activities.
Internet Usage Policy
This sample policy defines the conditions under which an employee, contractor, vendor or other person may access and use the internet via a company’s private network.
Intranet and Internet Security Policy
This policy outlines guidelines for internet and intranet security within a company. It applies to all users who access the company’s computing or networking resources, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners and vendors.
IT Application Management Audit Work Program
This sample IT application management audit work program is designed around key risk indicators of potential problems.
IT Controls and Governance Guide
This guide highlights challenges that may disrupt an organization's IT governance and provides a roadmap for activating an effective IT governance framework.
IT Data Management Audit Work Program
This document outlines steps to audit an organization’s data management process and includes a self-assessment questionnaire that gives the auditee an opportunity to inform internal audit about controls and processes employed.
IT Data Management Policy
This policy outlines procedures for implementing data management (backup and recovery) processes. The major activities included are file backup and recovery, tape backup and offsite storage, restoration testing, and production server jobs. In this example, all servers that contain unique information are backed up. A full backup of these servers is performed weekly, in addition to daily incremental backups. Backup logs are maintained for a period of seven years. Backup media for critical systems is temporarily stored onsite in the data center prior to being rotated to the offsite tape storage vendor. The backup tapes are rotated to the vendor on a weekly basis. Tape retention is seven years.
IT Employee Termination Checklist
This checklist outlines steps to follow when an IT employee stops working for a company. It should be modified to reflect each organization’s employee termination process.
IT General Controls: Computer Operations Audit Work Program
This work program focuses on auditing computer operations. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
IT Governance Review Report
The Institute of Internal Auditors (IIA) Standards identify IT governance as a key area that should be regularly reviewed by the internal audit function. Objectives of this sample IT governance report include gaining a high-level understanding of the organization's IT governance processes and providing management with a benchmark against which to determine and pursue improved IT governance performance.
IT Network Access Policy
This sample policy outlines guidelines for granting, modifying and disabling network user access to a company’s network and applications.
IT Operations Management Audit Work Program
This document outlines steps to audit an organization’s IT operations management process.
IT Organization Audit Work Program
This document outlines steps to perform an IT organization audit.
IT Security and Privacy Survey Webinar Highlights
One in three organizations falls victim to a cyberattack. If your organization is not keeping pace with the threats, then you are falling behind.
It’s That Time of Year: The 2016 Audit Committee Agenda
Jim DeLoach recaps Protiviti’s ten Mandates for Audit Committees in 2016.
Manage Security and Privacy RCM
This document outlines risks and controls common to the "manage security and privacy" process in a risk control matrix (RCM) format.
Managing Cyber Threats With Confidence
The realities of risk management are that risks are impossible to eliminate, resources are finite, and risk profiles are ever-changing. Such is the case with cyber threats. Cybersecurity attacks continue to be the focus of front-page media coverage and remain a highly relevant topic in the boardroom. Cutting across strategy, risk management, change management and access control, information security is concerned with confidentiality, integrity and availability of information systems. This issue of Board Perspectives: Risk Oversight articulates why it’s important to focus on protecting an organization’s most important information assets and systems by understanding the changing threat landscape and preparing for the inevitable incidents.
Managing Cybersecurity Risk
In this issue of Board Perspectives: Risk Oversight, we present four considerations for managing cybersecurity risk.
Network Access and Infrastructure Audit Work Program
This audit program outlines steps to test the effectiveness of an organization’s network access and infrastructure. The test steps focus on the organization’s related policies and procedures, review and follow up of prior audit recommendations, custom reports, segregation of duties, business continuity/disaster recovery, laws and regulations, general ledger, outsourced processes, and fraud consideration regarding the network infrastructure.
Network Audit Management Memo
This memo documents low-risk opportunities in the network infrastructure environment identified during an internal audit review and is meant for management’s information and consideration only.
Network Infrastructure Audit Work Program
These two sample work programs provide general steps for an IT network infrastructure audit.
Network Security Policy
The purpose of this security policy is to protect user accounts, corporate data, and intellectual property owned by an organization.
Physical Security Audit Work Program
This 45-page work program outlines physical security best practices for data centers and information processing/storage facilities.
Portable Computing Device Security Policy
This sample policy establishes safeguards for the use of portable media and computing devices, including their connection to the company network.
Privacy Controls Audit Work Program
This audit program provides steps for a privacy controls review, including verifying management direction and support for privacy controls.
Record Retention Policy
This policy provides guidance on retention of and access to corporate accounting documents by employees. Procedures cover general retention requirements and electronic record retention. Requests from corporate office personnel should be formally communicated to the office manager. Requests by external parties for access to company records, or for confidential information, should not be granted before consulting your office manager. Requests for approved access to offsite information should be directed to the office manager’s administrative assistant, who will coordinate the delivery of information to the requester.
Remote Network Access Policy
This sample policy defines the conditions under which an employee, contractor, vendor, or other person may have remote access to a company’s private network.
Scope of Application Security Memo
This memo outlines the assumptions and decision criteria in scoping the documentation efforts around application security.
Security Administration Audit Work Program
The purpose of this work program is to determine whether company policy and the structure of the security administration function provide for adequate administration of logical security.
Security and Access Policy and Procedures
This sample outlines a set of policies and procedures to provide a company with a single reference for governance pertaining to matters of security for personnel, facilities, assets, information, and business operations. In addition, this policy allows the development of more specific policies, standards, processes, and procedures as required. This policy should be periodically reviewed and updated, where necessary, to reflect changes in the technology environment.
Security Assessment Report
This sample audit report discusses the key observations and recommendations of an enterprise security assessment for an organization’s external and internal IT infrastructure.
Security Management Audit Work Program
This document outlines steps to audit an organization’s security management process.
Security Policy and Procedure Evaluation – Data Security
This report records the results of an evaluation of data security policies and procedures. This report format can be used to communicate the status of company policies and to present recommendations for policy changes to management, including details of specific policy and procedure findings and gaps.
Security Policy and Procedure Evaluation Report: Application Development and Change Control
This audit report records the result of an evaluation of application development and change control security policies and procedures.
Security Policy and Procedure Evaluation Report: Communications
This report records the result of a security policies and procedures evaluation. The sample illustrates communications security policy issues and practices and provides a useful format for reporting the results.
Security Policy and Procedures Evaluation Report: Controls and Responsibilities Report
This sample report records the results of an evaluation of security policies and procedures. It illustrates security policy issues and leading practices regarding controls and responsibilities that could be incorporated into a review, and provides a useful format for reporting the results.
Security Policy Review Audit Work Program
The purpose of this work program is to determine whether the right security policies exist and determine if existing policies cover the necessary issues and are disseminated to the right people.
Security, Data Analytics, Smart Leadership: The Trifecta in Consumer Products and Services
This article discusses how consumer demands are increasing as technology and competition foster expectations of a consistent and fluid shopping experience across multiple channels.
Sensitive Data Handling Policy
The purpose of this policy is to ensure that all data classified as sensitive is properly handled, whether being transmitted within the organization or to a trusted third party.
Server Configuration Policy
This policy defines the standard security settings utilized on a company's servers.
Setting the 2016 Audit Committee Agenda
Interesting challenges are in store for audit committees in the coming year and in this issue of The Bulletin, we deliver the top risk issues warranting consideration by audit committees for inclusion on the 2016 agenda.
Siebel/Oracle Information Security Audit Work Program
This audit program outlines procedures to evaluate six system control objectives.
Software Licensure Compliance Audit Work Program
This sample work program can be modified for scope considerations that will depend on the extent of the software agreement under review.
System Backup Review Audit Work Program
The purpose of this audit program is to review an organization’s system backup procedures. This includes identifying all applications key to the organization, identifying the person responsible for the backup procedure, analyzing actual procedures performed, and determining the appropriateness of handling related media. A key step in this work program is to identify all key applications in use at the company. In this list, include all SOX-related applications as well as any other applications deemed critical to company operations.
System Intrusion Audit Work Program
The objective of this audit work program is to evaluate a business’s ability to detect unauthorized system access attempts.
System Management Risk Assessment and Control Audit Work Program
Since most financial transactions are processed and maintained in the IT environment, the IT function is critical for all financial audits performed. This work program will assist audit teams with identifying risks and related controls for logical security administration and monitoring, physical security, change management, problem management, and system availability.
Systems Development Life Cycle (SDLC) and Change Management Policy
This sample outlines a set of policies and procedures designed to provide an orderly process in which changes to a company's IT infrastructure are requested and approved prior to the installation or implementation of a change.
Technology, Privacy and Cybersecurity Among Top Risks for Healthcare
This article by Susan Haseley, Protiviti managing director, outlines the responses of healthcare survey participants from the Executive Perspectives on Top Risks for 2016 survey.
Ten Cybersecurity Action Items for CAEs and Internal Audit Departments
As detailed in this article, cybersecurity risk is a growing concern—not only for internal stakeholders, but for customers and insurers.
Third-Party Access Policy
The purpose of this policy is to define security policies that apply to temporaries, contractors, consultants, and third parties, when such connectivity is necessary for business purposes. This policy covers both the physical and administrative requirements needed to manage secure network connectivity between an organization and any third party requiring access to the organization’s computing resources.
Top Risks in Financial Services: Ever the Same, Always Changing
Protiviti Managing Director Cory Gunderson provides insight into executive perspectives and the evolution of risks within the financial services industry.
Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective
This white paper discusses the FFIEC Assessment Tool, which supplements the popular NIST framework with guidance specific to federally supervised financial institutions.
UNIX Security Audit Work Program
This audit program outlines steps for reviewing the security of systems running the UNIX operating system.
User Access Security Process Flow
This sample process flow outlines the steps to manage user access changes to company IT systems.
User Information Security Policy
This sample policy provides guidelines for securing user information.
User Malicious Software Policy
The purpose of this security policy is to outline the user’s responsibilities in ensuring updates and maintenance of anti-virus computer software.
Virtual Private Network (VPN) Administration Audit Work Program
This audit work program includes test steps in the areas of documentation, logging, monitoring and user pool for VPN administration.
Virus Awareness Policy: Employee Responsibilities
This policy highlights an employee's responsibility with regard to keeping their workstation virus-free. The document describes tasks that an employee should undertake on a routine basis to identify and remove infected files.
Virus Protection Policy
This sample policy outlines procedures for preventing virus infection from electronic mail attachments and external disks and software.
Watch What You Say: Auditing Cybersecurity Disclosures
In the face of data breaches, corporate assurances to the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators—and insurers—are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs—people, processes and technology—are consistent with reality. The price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim. In this article, we stress the importance of having a strong cyber risk control and governance framework, such as the one developed by the National Institute of Standards and Technology (NIST), in place.