KnowledgeLeader provides best practice articles, tools, guides and other resources on cybersecurity. This page contains an alphabetized list of all of the resources and tools on cybersecurity that are available for download on KnowledgeLeader. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2014 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
In this report, we will detail the results of the 2014 Internal Audit Capabilities and Needs Survey to present a portrait of a healthcare internal audit function that is intent on delivering assurance across multiple risk realms while simultaneously enhancing the efficiency and quality of heavy workloads.
2014 IT Security and Privacy Survey
Protiviti conducted its IT Security and Privacy study in the second quarter of 2014. In this report, we will detail the findings in this study.
2014 Vendor Risk Management Benchmark Study
The Shared Assessments Program recently partnered with Protiviti to conduct a third-party risk management benchmarking study. The study revealed some interesting trends that we will detail in this report.
2015 Vendor Risk Management Benchmark Study
The results of this year’s Vendor Risk Management Benchmark Study can be viewed as cause for optimism or concern, depending on your view of the world. That said, the findings are crystal clear on a crucial point: there is still a lot of vendor risk management work to be done.
2015 IT Audit Benchmarking Survey
In this report, we summarize the findings from ISACA and Protiviti’s fourth annual IT Audit Benchmarking Survey in the third quarter of 2014. This global survey, conducted online, consisted of a series of questions grouped into five categories: Today’s Top Technology Challenges; IT Audit in Relation to the Internal Audit Department; Assessing IT Risks; Audit Plan; Skills and Capabilities.
2015 IT Audit Benchmarking Survey: Key Takeaways
A closer look at some of the notable takeaways from Protiviti and ISACA's 5th Annual IT Audit Benchmarking Survey.
2016 Audit Committee Agenda Webinar Q & A (Part 1)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience and a lot of interesting and relevant questions were asked. In this article, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Audit Committee Agenda Webinar Q & A (Part 2)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience and a lot of interesting and relevant questions were asked. In this second article of a four-part series, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Audit Committee Agenda Webinar Q & A (Part 3)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience and a lot of interesting and relevant questions were asked. In this third article of a four-part series, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
This report details the results of the 2016 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations, which provides a benchmark of current perceptions in the industry.
2016 Internal Audit Capabilities and Needs Survey Podcast
This podcast features Protiviti executives Brian Christensen and David Brand, who discuss some of the key findings from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey, focusing on cybersecurity and technology trends as well as what the future holds for internal auditors.
2016 IT Audit Benchmarking Survey
ISACA and Protiviti partnered to conduct the 5th Annual IT Audit Benchmarking Survey in the third quarter of 2015 to determine where IT audit functions stand in their capabilities to address key challenges. What may be most notable in this year’s results is the lack of significant change from the findings in the prior years of our study. The results are not changing; the question is, “Why?” In this report, we explore this and highlight valuable IT audit insights from this year’s Annual IT Audit Benchmarking Survey study.
A Barista, A Shot and Better Security
When reviewing the root cause of a security failure, a frequent contributing factor is the organization’s inability to move at the speed of the wild. Looking to the future, the wrong security methods will increasingly struggle as attackers learn more lessons in deception from the history of armed conflict, sports or the natural wild. To meet the threat, methods must be able to move at the speed of the wild. The 5+2 Step Cycle for managing risk is designed to do exactly that: it is simple, saves time and money, and enables technical and cultural change at the same time. In addition to the 5+2 Step Cycle, security professionals can improve their success with two other actions.
A Global Look at IT Audit Best Practices
This article summarizes insights into internal IT audit practices gained from the 5th Annual IT Audit Benchmarking Survey, conducted by Protiviti and ISACA.
A Matter of Trust: Taking a Look at the CISA Controversy
The Global Leader of Protiviti’s IT Consulting Practice takes a look at the concerns surrounding the Cybersecurity Information Sharing Act (CISA), a proposed law that has spurred controversy in the United States and abroad.
Acceptable Use Policy: Sample 2
This policy establishes guidelines for the acceptable usage of a company's information resources and assets.
Access to Programs and Data Audit Work Program
The purpose of this work program—focused on access to programs and data—is to outline the IT general controls to be tested, review the results of management’s testing, and document the procedures to test each control. Document the procedures to be performed to conclude on the operating effectiveness of the controls identified, including a specific description of the nature, timing and extent of procedures to be performed. For all controls that are tested at an interim date, list the procedures performed to roll-forward the interim testing to period end.
Active Directory Audit Work Program: Infrastructure
This work program focuses on the general, platform configuration, and platform security areas of an Active Directory infrastructure.
Active Directory Work Program: User Management/Administration, Access Request Procedures
This Active Directory audit work program focuses on the access request procedures within user management/administration. It includes questions on key controls, the goal state for production and the status of designed controls.
Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry
In this report, we detail the key findings of our study. In addition to beefed up security, the financial services industry IT leaders we surveyed cited an increased and competing number of IT priorities they are juggling, including regulatory and compliance issues, big data planning, and standards and framework governance.
An Integrated Approach to Managing Identity and Privileged Access Risk
This article outlines the Protiviti IAM Capability Model, which can be used to provide an understanding of an organization’s current IAM strengths and weaknesses.
Application Control Review RCM
This document outlines risks and controls common to the application control review process in a risk and control matrix (RCM) format.
Application Controls Audit Work Program
This application controls audit program applies when auditing financial end-user-developed spreadsheets and other applications.
Application Security Review and Testing Audit Work Program
Application security involves checking the security controls of an application, not the operating system or device that hosts the application. This work program focuses on the security issues related to e-business applications.
Approved Software Policy
This sample policy outlines procedures for the usage and maintenance of approved software in a company.
2016 Internal Audit Capabilities and Needs Survey
In the 10th year of the Internal Audit Capabilities and Needs Survey, Protiviti believes that internal audit has arrived at a tipping point.
AS400 Review Audit Work Program
This work program outlines steps for an AS400 review audit. It identifies major areas to investigate during a general or specific controls review in an AS400 installation as well as critical control validation tests to perform.
Assessing SharePoint Security: Are You Due for a Check-Up?
Microsoft’s SharePoint enterprise content management platform is everywhere, but only about one-third of companies have a SharePoint security plan in place. This article explains how a secure SharePoint environment is certainly possible and not too difficult to achieve.
Auditing Network Security - Defining the Scope
This multi-part guide details the steps required to ensure that your network is secure. This second part of five provides more detail regarding determining what should be included in a review or audit.
Auditing Network Security – Securing a Network
This multi-part guide details the steps required to ensure that your network is secure. This first part discusses the overall approach to reviewing/auditing the existing security.
Auditor Travel Stories: From Local to Exotic to Downright Dangerous
In this article, Protiviti executive Paul Pettit shares stories and advice from over 20 years of traveling to audit assignments and client meetings, and discusses the pros and cons of the traveling auditor’s life.
Background Checks and Confidentiality Policy: Contractors
This policy outlines procedures for extending background checks to temporary personnel and independent contractors.
Bank Controls: Information Systems Evaluation Questionnaire
This guide can help bank management and internal auditors to analyze the effectiveness of the internal control structure over financial reporting as it relates to information systems.
Barclays’ Internal Audit Function Harnesses Data Visualization to Gain a Clear Picture of Business Risks
This performer profile details how Barclays’ internal audit function harnesses data visualization to gain a clear picture of its business risks.
Benchmarking Analysis: Enterprise Security
This questionnaire helps to assess network security at universities. To facilitate the analysis, the questionnaire uses an adaptation of the Carnegie Mellon University Software Engineering Institute’s Process Maturity Model.
Beyond HIPAA: Improving Cybersecurity for Healthcare Organizations
In this article, we stress the importance of healthcare leaders initiating risk discussions among their boards and the technology, medical and legal stakeholders within their organizations.
Business Continuity Management Audit Work Program
This audit work program focuses on the appropriateness of enterprise-wide business continuity planning, oversight and support, business impact analysis, and risk management.
Cellular Phone Policy
This sample policy provides company associates with a cost-effective and convenient way to manage cellular phones required for business purposes.
Chip Shot: The Long-View on the EMV Short Game
In this article, we discuss what EMV technology means for credit card security and where security gaps still linger.
Clear and Present Danger: Cybersecurity Should Be a Top Priority
To avoid making 2015 synonymous with 2014 when it comes to cybersecurity issues, internal auditors must play an important role in securing the organization. That responsibility entails working closely with the board, executive management and functional leaders.
Cloud Security: Keeping Data Safe in the “Boundaryless” World of Cloud Computing
As cloud service providers mature, expand and refine their offerings, it is increasingly difficult for many organizations not to at least consider moving certain functions to the cloud. Cost-reduction opportunities, scalability, flexibility and elasticity are just some of the potential benefits of such a move.
Control Objectives for Information and Related Technology (COBIT) is a management tool for IT. It has been developed by ISACA as an accepted standard for good IT security and control practices. It is intended for use by management, IT auditors, and control and security practitioners. COBIT defines what needs to be done to implement an effective control structure.
Computer Operations/Job Scheduling Audit Work Program
This audit work program focuses on computer operations and IT job scheduling. Audit objectives and test steps help determine and review the role of computer operations within an organization, the responsibilities of the computer operations department, and ability to proactively manage computer operations.
Core Competency: The Case for FSI IT Modernization
FSI respondents to Protiviti’s 2015 IT Priorities Survey identified some important catalysts driving them to replace core systems. In this article, we discuss the three main drivers: risk mitigation; cost savings; revenue generation.
Credit Card Data Purge Policy
This policy outlines a set of procedures for the credit card data purge process including specific purge procedures, a purge schedule, and related definitions.
Cybersecurity Audit Report
This audit report presents the results of vulnerability assessments and penetration testing performed on an organization’s external and internal facing environment.
In this article, Jordan Reed, a managing director in Protiviti’s Houston office, answers questions related to
Cybersecurity Disclosures in Risk Factors
This article focuses on the industry-specific disclosure rates of cybersecurity risk factors for a select group of industries.
Cybersecurity Requires a Healthy Dose of Collaboration at Baylor Scott & White Health
In this performer profile, Monica Frazer, VP of internal audit at Baylor Scott & White Health, describes how she keeps her team focused on risk-based fundamentals to monitor cybersecurity risks.
Cybersecurity: What Are the Boardroom Implications?
What does safeguarding your assets really mean? Who is responsible for it? This article answers those questions and helps you determine how to protect your digital assets, ensure cybersecurity is appropriately considered, and decide what actions to take.
Data Backup and Retention Policy
The following sample outlines a set of policies and procedures for data backup and retention including network server backups, tape backups and job scheduling.
Data Backup Policy
This policy provides standardized procedures for backing up and maintaining computer files within an organization on a regular basis.
Data Breach Notification Memo
This memo's purpose is to notify an individual regarding the possibility of a personal information breach and explain the steps taken by a company to protect against identity theft or abuse of information.
Data Center Review Audit Work Program
This audit work program evaluates access and environmental controls and provides recommendations for meaningful changes to an organization's data center.
Data Leakage Prevention Guide
This illustrated guide provides a variety of information on data leakage prevention benefits and processes. It also highlights some of the major causes, risks and trends associated with data loss.
Database Administration Audit Work Program
This audit work program provides steps for a database administration review.
Define IT Strategy and Organization RCM
This document outlines risks and controls common to the “define IT strategy and organization” process in a risk control matrix (RCM) format.
Designing NetSuite ERP Application Security: Leveraging Fastpath Assure Access Monitoring Solutions
Defining security requirements in the early phase of a NetSuite implementation can help ensure efficiency and achievement of a clean slate with regard to mitigation of security risks prior to go-live.
Designing SAP Application Security
This white paper provides six steps organizations should take when implementing SAP application security using a top-down approach.
Desktop Management Audit Work Program
This document outlines steps to audit the process used to deploy software to desktop computers.
Devices Are Mobile—Is Your Security Policy on Board?
While many employees may find the BYOD trend convenient—and the applications and cloud services that come with those devices certainly enable this convenience—the security risks worry employers.
Email Policy: Sample 2
This policy outlines a set of procedures governing the use of email on company computers. The scope of this policy includes email and Webmail (whether Company X Webmail or third-party, such as Yahoo! mail, Hotmail, etc.), the rules and limitations governing email use, and the enforcement of those rules. The topic of email retention is beyond the scope of this document. The classification of email types and the length of time that email must be retained (stored) in-house or in a specialized facility is covered in a separate policy.
Encryption Key Management Policy
This policy outlines procedures taken to create, rotate, and purge encryption keys used for securing credit card data within software applications.
Enterprise Accounting System Post-Implementation Review Memo
This review focuses on the configurable application controls, application security, and segregation of duties for the accounts payable and general ledger modules.
Executive Perspectives on Top Risks for 2015
This report focuses on the top risks on the minds of global boards of directors and executives in 2015.
Executive Perspectives on Top Risks for 2015: T&F Article
This article summarizes the results of Executive Perspectives on Top Risks for 2015, a study conducted by North Carolina State University’s ERM Initiative and Protiviti.
External Access Risk Key Performance Indicators (KPIs)
This tool outlines the business risks associated with inappropriate access to systems, data or information and suggests best practices to counter these risks.
Financial Institution Security Audit Work Program
This work program is an aid to assess the quantity of risk and the effectiveness of a financial institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information, instilling accountability for actions taken on the institution’s systems.
Firewall Administration Audit Work Program
This work program provides general steps for a firewall administration audit, including documentation, logical access, configuration, operating systems logs, firewall tests, application logs, physical security and continuity of operations. Sample steps include: obtain network diagrams illustrating firewall connections and segmentation on the network; determine if the expectations/goals/strategies of the firewall have been identified and are sound; and ensure that logical access to the various components (routers, firewall software) of the firewall solution is appropriately restricted to the individuals with authorized need for such access.
Firewall Administration Policy
The purpose of this policy is to establish procedures and requirements to ensure the appropriate protection and continuous operation of a company’s firewall infrastructure.
Firewall Audit Work Program
This firewall audit program focuses on internet and firewall configuration security, internet and firewall configuration change management, network monitoring and intrusion detection, and firewall vulnerability assessment. The control objectives include: the connection to an external network, such as the Internet, is secured with an application gateway firewall and the firewall is properly configured to secure internet traffic; firewall change management procedures are appropriate to prevent incomplete, unintended or unauthorized changes to the PIX firewall and/or other critical network devices; network traffic is monitored to detect availability issues or security events; and the firewall is configured properly to prevent unauthorized security breaches.
First-in-the-Nation Regulation Proposed to Protect New York State from Growing Cyberthreats
This Flash Report outlines the new, long-anticipated cybersecurity regulation proposed by New York Governor Andrew Cuomo.
Focus on Healthcare: Top Priorities for Internal Auditors
In this article, we summarize the five key priority areas for healthcare IA functions this year that were identified in Priorities for Internal Auditors in U.S. Healthcare Provider Organizations, a joint survey from Protiviti and the Association of Healthcare Internal Auditors (AHIA).
From Cybersecurity to Collaboration
In this year’s Internal Audit Capabilities and Needs Survey, we’ve devoted a special section to the current state of cybersecurity. Our findings show that cybersecurity represents a major focus for internal audit programs, but it is far from the only pressing issue on internal audit’s plate.
General Password Policy
The following sample outlines a policy for ensuring secure use of network passwords. This policy provides guidance regarding initial password setup, complexity, sharing, storage, and many other topics.
General IT Controls Questionnaire
This questionnaire assists with the collection of information regarding the control environment of all aspects of an IT department.
Handheld Devices Checklists
These checklists help ensure handheld devices are correctly configured and used, and provide assistance in performing audits of environments containing handheld devices.
High-Value Targets – Retailers Under Fire
In this article, we discuss the many actions that organizations can take to minimize the duration and impact of cyberattacks.
Hot Topics in Cybersecurity: An IT Audit Perspective
In this article, we review the hot topics in cybersecurity. All organizations—regardless of size—should review and discuss the following points.
How to Audit Business Continuity Programs
In this article, we discuss why today’s successful information security and business continuity programs (BCPs) both address the technical issues involved and strive to support the organization’s efforts to improve and sustain an adequate level of operational resiliency.
Identity and Access Management and the Extended Enterprise
Organizations must enter the current brave new world with care. As identity access management decisions and controls are extended further from the core of the enterprise, organizations must implement a rigorous governance regimen to mitigate security and privacy risks.
Information Security for Systems
This article explains how, in the absence of the order provided through security architecture, organizations tend to implement various security technologies "helter-skelter," that is, ad hoc at best.
Information Security Work Program
This 11-page work program is intended to provide an internal audit team with guidance and direction when evaluating information security programs. It lists key project execution steps in the areas of strategies and policies, event monitoring, architecture and solutions, and managing deployment.
Internal Audit at a Tipping Point and Ten-Year Trends
The tenth edition of Protiviti’s Internal Audit Capabilities and Needs Survey includes 10-year trend data to illustrate top priorities and how they have evolved, dating back to when Protiviti began conducting the survey in 2007.
Internal Audit Integrates Control Into Emerging Technologies at American Airlines Group
This performer profile shares how the American Airlines Group is strengthening data security by performing reviews that compare internal processes to frameworks, such as the NIST Cybersecurity Framework and AICPA’s Generally Accepted Privacy Principles.
Internal Audit Plays Leading Role in Promoting Cybersecurity Risk Awareness at Beam Suntory
In this profile, Luci Roberts, vice president of internal audit and Beam Suntory’s chief audit executive (CAE), discusses how a stronger focus on cybersecurity risk management might help focus the IT procurement discussions within the business on risk rather than on who controls the purse strings.
Internal Auditing Around the World: Volume 12
In our latest edition of Internal Auditing Around the World, we interviewed 22 inspiring female internal audit leaders who are devoted to evolving their departments through the use of technology.
Internal Auditing in a Culture of Avoidance
It's no secret that technology is frequently used to bring about harm rather than good. Yet many enterprises continue to allow technology to be implemented with weak controls and the absence of effective measures to detect when controls are breached. As a consequence, sensitive information is stolen or disclosed on a massive scale and it is virtually impossible to hold anyone accountable for the harm done.
Internal Lab Security Policy
The purpose of this policy is to ensure that company confidential information and technologies are not compromised. This policy also establishes requirements for internal labs so that production services and other company interests are protected from lab activities.
Internet Usage Policy
This sample policy defines the conditions under which an employee, contractor, vendor or other person may access and use the internet via a company’s private network.
Intranet and Internet Security Policy
This policy outlines guidelines for internet and intranet security within a company. It applies to all users who access the company’s computing or networking resources, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners and vendors.
Intranet and Internet Security Policy: Sample 2
This policy, a necessary part of an organization’s security strategy, outlines intranet and Internet security procedures for responding to new risks and threats.
IS Resource Management Internal Audit Review Report
This sample report focuses on how a company prioritizes information systems (IS) projects and manages IS resources.
IT Application Management Audit Work Program
This sample IT application management audit work program is designed around key risk indicators of potential problems.
IT Controls and Governance Guide
This guide highlights challenges that may disrupt an organization's IT governance and provides a roadmap for activating an effective IT governance framework.
IT Controls Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.
IT Data Management Audit Work Program
This document outlines steps to audit an organization’s data management process and includes a self-assessment questionnaire that gives the auditee an opportunity to inform internal audit about controls and processes employed.
IT Data Management Policy
This policy outlines procedures for implementing data management (backup and recovery) processes. The major activities included are file backup and recovery, tape backup and offsite storage, restoration testing, and production server jobs. In this example, all servers that contain unique information are backed up. A full backup of these servers is performed weekly, in addition to daily incremental backups. Backup logs are maintained for a period of seven years. Backup media for critical systems is temporarily stored onsite in the data center prior to being rotated to the offsite tape storage vendor. The backup tapes are rotated to the vendor on a weekly basis. Tape retention is seven years.
IT Data Management Policy: Sample 2
The purpose of this policy is to ensure that the critical data stored in applications and on servers is frequently backed up, stored and secured offsite. This process allows for prompt recovery of important and critical company data in the event of accidental or intentional corruption, loss or destruction of data. In the event of any computer and/or business operation disruptions, this policy ensures that critical information systems processing functions can continue or be resumed promptly, that information processed and provided by these applications is complete and accurate, and that network server files and non-application data can be restored.
IT Employee Termination Checklist
This checklist outlines steps to follow when an IT employee stops working for a company. It should be modified to reflect each organization’s employee termination process.
IT General Controls: Computer Operations Audit Work Program
This work program focuses on auditing computer operations. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
IT Governance Review Report
The Institute of Internal Auditors (IIA) Standards identify IT governance as a key area that should be regularly reviewed by the internal audit function. Objectives of this sample IT governance report include gaining a high-level understanding of the organization's IT governance processes and providing management with a benchmark against which to determine and pursue improved IT governance performance.
IT Network Access Policy
This sample policy outlines guidelines for granting, modifying and disabling network user access to a company’s network and applications.
IT Operations Management Audit Work Program
This document outlines steps to audit an organization’s IT operations management process.
IT Organization Audit Work Program
This document outlines steps to perform an IT organization audit.
IT Security and Privacy Survey Webinar Highlights
One in three organizations falls victim to a cyberattack. If your organization is not keeping pace with the threats, then you are falling behind.
It’s That Time of Year: The 2016 Audit Committee Agenda
Jim DeLoach recaps Protiviti’s ten Mandates for Audit Committees in 2016.
2013 IT Security and Privacy Study
The findings from this IT Security and Privacy Survey and our analysis are included in this report.
Large Banks Hit With New Cybersecurity Rules
This Flash Report summarizes the proposed requirements to enhance cyber risk management standards for large financial services firms and their service providers.
Lessons Learned from Natural Disasters
In this article, we stress the importance for organizations to monitor risks and build their own organizational resilience to prepare for a natural disaster.
Locking Out the Investigator: The Need to Circumvent Security in Embedded Systems
This paper examines how consumer law may be stifling research that the forensic community could ultimately depend upon to examine devices.
Looking Deeper Into Robotic Automation
This white paper offers considerations and case studies for robotic process and desktop automation.
Maintaining Margins While Staying Vigilant
Finance functions were historically busy last year. Whether or not these workloads are leveling off, finance functions cannot afford to back off. In the coming year, between maintaining margins, forecasting cash flow, complying with new regulations and combatting cyberthreats, finance functions will have much to monitor on their radars and need to be incredibly vigilant. The results of the 2016 Finance Priorities Survey from the Financial Executives Research Foundation and Protiviti indicate that CFOs and finance professionals remain alert to intensifying volatility while continuing to address a large and growing set of priorities.
Manage Security and Privacy RCM
This document outlines risks and controls common to the "manage security and privacy" process in a risk control matrix (RCM) format.
Managing Cyber Threats With Confidence
The realities of risk management are that risks are impossible to eliminate, resources are finite, and risk profiles are ever-changing. Such is the case with cyber threats. Cybersecurity attacks continue to be the focus of front-page media coverage and remain a highly relevant topic in the boardroom. Cutting across strategy, risk management, change management and access control, information security is concerned with the confidentiality, integrity and availability of information systems. This issue of Board Perspectives: Risk Oversight articulates why it’s important to focus on protecting an organization’s most important information assets and systems by understanding the changing threat landscape and preparing for the inevitable incidents.
Managing Cybersecurity Risk
In this issue of Board Perspectives: Risk Oversight, we present four considerations for managing cybersecurity risk.
Measuring the Right Metrics and Leveraging Key Risk and Performance Indicators to Enhance the End-To-End Transaction Monitoring Program
Financial institutions ask themselves "How do we know whether our transaction monitoring (TM) systems and/or processes are optimized or not?" This article answers that question.
mHealth: How Mobile Apps Can Help Health Plans Improve Consumer Engagement and Facilitate Behavior Change
Extensive adoption of mobile health (mHealth) offers payers, providers and consumers a new model for engaging with each other, and can promote a more meaningful relationship and exchange of information between parties. This new form of consumer engagement is particularly important for healthcare payers as they look for ways to improve member satisfaction, loyalty and retention.
More Resources Are Required to Master Third-Party Risks
As corporate boards, auditors and regulators increase their scrutiny of vulnerabilities associated with third parties, vendor risk management (VRM)—and particularly the danger of lost or compromised data through third-party service providers—remains cause for concern at most organizations.
Network Access and Infrastructure Audit Work Program
This audit program outlines steps to test the effectiveness of an organization’s network access and infrastructure. The test steps focus on the organization’s related policies and procedures, review and follow-up of prior audit recommendations, custom reports, segregation of duties, business continuity/disaster recovery, laws and regulations, general ledger, outsourced processes, and fraud consideration regarding the network infrastructure.
Network Audit Management Memo
This memo documents low-risk opportunities in the network infrastructure environment identified during an internal audit review; it is meant for management’s information and consideration only.
Network Infrastructure Audit Work Program
These two sample work programs provide general steps for an IT network infrastructure audit.
Network Security Policy
The purpose of this security policy is to protect user accounts, corporate data, and intellectual property owned by an organization.
Online Banking: Fraud and Loss Prevention
Online banking fraud has become a serious issue in financial crime management for banks, and corporate account takeovers are becoming increasingly common, particularly for small businesses. This guide highlights key trends in online banking fraud and includes prevention techniques and tools.
Physical Security Audit Work Program
This 45-page work program outlines physical security best practices for data centers and information processing/storage facilities.
Portable Computing Device Security Policy
This sample policy establishes safeguards for the use of portable media and computing devices, including their connection to the company network.
Preparing for the Change to EMV and New Fraud and Security Risks: What U.S. Merchants Need to Know
This white paper provides an overview of the potential implications of the Europay, MasterCard and Visa (EMV) standard for U.S. merchants (including new risk areas) and offers tips for making a successful transition.
Preparing for the General Data Protection Regulation – The Clock Starts Ticking Now
This Flash Report details the final requirements of the European Union’s General Data Protection Regulation and what organizations will need to do to begin complying with them.
PreView Evaluates Emerging Risks
Data breach vulnerabilities, social media issues, crowdfunding and on demand service challenges are the dynamic trends that we discuss in this issue of PreView.
Privacy Controls Audit Work Program
This audit program provides steps for a privacy controls review, including verifying management direction and support for privacy controls.
Privacy: Our Next Organizational Challenge?
Even as information privacy and protection objectives grow more critical and complex, they are also increasingly subject to scrutiny by both internal and external auditors. This article explains how management and internal/external audit can get more involved in the process of protecting sensitive and personal data.
Protiviti 2015 IA Capabilities and Needs Survey
This article summarizes the results of Protiviti’s 2015 Internal Audit Capabilities and Needs Survey.
Protiviti 2015 IT Priorities Survey
This article summarizes the results of Protiviti’s 2015 IT Priorities Survey.
Record Retention Policy
This policy provides guidance on retention of and access to corporate accounting documents by employees. Procedures cover general retention requirements and electronic record retention. Requests from corporate office personnel should be formally communicated to the office manager. Requests by external parties for access to company records, or for confidential information, should not be granted before consulting your office manager. Requests for approved access to offsite information should be directed to the office manager’s administrative assistant, who will coordinate the delivery of information to the requester.
Reducing Security Risks in Information Technology Contracts: Best Practices and Guiding Principles
This article outlines best practices—both within and outside a company—for controlling the handling and distribution of intellectual property.
Remote Network Access Policy
This sample policy defines the conditions under which an employee, contractor, vendor, or other person may have remote access to a company’s private network.
Risk-Based Approach to Software Testing Guide
This 13-page guide describes the key elements, best practices and challenges associated with risk-based software testing.
Scope of Application Security Memo
This memo outlines the assumptions and decision criteria in scoping the documentation efforts around application security.
Security Administration Audit Work Program
The purpose of this work program is to determine whether company policy and the structure of the security administration function provide for adequate administration of logical security.
Security and Access Policy and Procedures
This sample outlines a set of policies and procedures to provide a company with a single reference for governance pertaining to matters of security for personnel, facilities, assets, information, and business operations. In addition, this policy allows the development of more specific policies, standards, processes, and procedures as required. This policy should be periodically reviewed and updated, where necessary, to reflect changes in the technology environment.
Security Assessment Report
This sample audit report discusses the key observations and recommendations of an enterprise security assessment for an organization’s external and internal IT infrastructure.
Security by Design at FIS
FIS is the world’s largest global provider dedicated to banking and payment technologies. With more than 55,000 worldwide employees, FIS empowers the financial world with payment processing and banking solutions, including software, services and technology outsourcing. In this type of business environment, where the data security stakes are so high, it is imperative for internal auditors to be viewed as valued and trusted business partners – and at FIS that is exactly the case. In this profile, Katy Thompson, Chief Audit Executive, believes that proficiency with data mining and analytics and building specific subject-matter expertise are key trends. Also important is developing truly deep knowledge of the industry, the organization and the external factors impacting the business. She identifies three essential goals for the FIS internal audit team: coverage, building skills, and data analytics.
Security Management Audit Work Program
This document outlines steps to audit an organization’s security management process.
Security Policy and Procedure Evaluation – Data Security
This report records the results of an evaluation of data security policies and procedures. This report format can be used to communicate the status of company policies and to present recommendations for policy changes to management, including details of specific policy and procedure findings and gaps.
Security Policy and Procedure Evaluation Report: Application Development and Change Control
This audit report records the result of an evaluation of application development and change control security policies and procedures.
Security Policy and Procedure Evaluation Report: Communications
This report records the result of a security policies and procedures evaluation. The sample illustrates communications security policy issues and practices and provides a useful format for reporting the results.
Security Policy and Procedure Evaluation: Controls and Responsibilities Report
This sample report records the result of an evaluation of security policies and procedures. It illustrates security policy issues and leading practices regarding controls and responsibilities that could be incorporated into a review, and provides a useful format for reporting the results.
Security Policy Review Audit Work Program
The purpose of this work program is to determine whether the right security policies exist, whether existing policies cover the necessary issues, and whether they are disseminated to the right people.
Security, Data Analytics, Smart Leadership: The Trifecta in Consumer Products and Services
This article discusses how consumer demands are increasing as technology and competition foster expectations of a consistent and fluid shopping experience across multiple channels.
Sensitive Data Handling Policy
The purpose of this policy is to ensure that all data classified as sensitive is properly handled, whether it is being transmitted within the organization or to a trusted third party.
Server Configuration Policy
This policy defines the standard security settings utilized on a company's servers.
Setting the 2016 Audit Committee Agenda
Interesting challenges are in store for audit committees in the coming year, and in this issue of The Bulletin we deliver the top risk issues warranting consideration by audit committees for inclusion on the 2016 agenda.
Setting the Audit Committee Agenda: Your Questions Answered
The February 10th Setting the 2015 Audit Committee Agenda webinar tackled a hot topic, and during the webinar, participants submitted insightful questions. We wanted to share some of those questions and their answers because they address critical topics that may be relevant for you.
Siebel/Oracle Information Security Audit Work Program
This audit program outlines procedures to evaluate six system control objectives.
So Long, Windows XP: FFIEC Warns Institutions, Providers and Third Parties of Potential Operational Risks
Information technology (IT) system migrations are a tremendous undertaking. In this article, we stress the importance of developing the necessary support structure to deal with the inevitable issues that will arise with this migration.
Software Licensure Compliance Audit Work Program
This sample work program can be modified for scope considerations that will depend on the extent of the software agreement under review.
Software Quality Perspectives
This article defines software quality and its characteristics, scope and integral relationship with other entities.
Strategic BYOD: "D" Is NOT for Doom
In this article, we set out clearly what the challenges are and explain how a BYOD program and strategy can help firms solve those challenges and seize the all-important benefits of BYOD.
System Backup Review Audit Work Program
The purpose of this audit program is to review an organization’s system backup procedures. This includes identifying all applications key to the organization, identifying the person responsible for the backup procedure, analyzing the actual procedures performed, and determining the appropriateness of handling the related media. A key step in this work program is to identify all key applications in use at the company. In this list, include all SOX-related applications as well as any other applications deemed critical to company operations.
System Intrusion Audit Work Program
The objective of this audit work program is to evaluate a business’s ability to detect unauthorized system access attempts.
System Management Risk Assessment and Control Audit Work Program
Since most financial transactions are processed and maintained in the IT environment, the IT function is critical for all financial audits performed. This work program will assist audit teams with identifying risks and related controls for logical security administration and monitoring, physical security, change management, problem management, and system availability.
Systems Development Life Cycle (SDLC) and Change Management Policy
This sample outlines a set of policies and procedures designed to provide an orderly process in which changes to a company's IT infrastructure are requested and approved prior to the installation or implementation of a change.
Tackling Healthcare’s Growing Cybersecurity Crisis Starts With a Proper Risk Assessment
As electronic medical records continue to evolve into the de facto standard, healthcare organizations are reaping the cost reduction and business and economic benefits. But this progress has its downside, in the form of heightened attention from cyber criminals.
Technical Safeguards Questionnaire
Technical safeguards enforce the security policies and procedures throughout the network infrastructure. This self-assessment questionnaire is the starting point for a technical safeguards assessment.
Technology, Privacy and Cybersecurity Among Top Risks for Healthcare
This article by Susan Haseley, Protiviti managing director, outlines the responses of healthcare survey participants from the Executive Perspectives on Top Risks for 2016 survey.
Telecommunications Security Questionnaire
Enterprises must take precautions to protect their information when being transmitted via various telecom processes. This questionnaire is the starting point for a telecom security assessment.
Ten Cybersecurity Action Items for CAEs and Internal Audit Departments
As detailed in this article, cybersecurity risk is a growing concern—not only for internal stakeholders, but for customers and insurers.
The Dark Side of Social Engineering
By preying on the human need for trust and acceptance, social engineers use influence tactics to gain information and access, which can result in devastating financial losses, stolen intellectual property and irreparable reputational damage.
The NICE Framework: Why You Need to Understand This Important Initiative
The National Initiative for Cybersecurity Education (NICE) represents a body of knowledge for the emerging field of cybersecurity, and in that respect it defines the concepts and practices that are legitimate areas of professional work and workforce education and training. The rationale and the detailed structure of this groundbreaking model are presented here, along with how it fits with substantive efforts to secure the U.S. critical infrastructure.
The PCI Security Standards Council Releases PCI DSS Version 3.2
As with every prior version or release of PCI DSS, many clarifications have been made, along with clerical changes.
The Road to Renewal: Modernizing Aging Core Systems at Financial Institutions
In this white paper, Protiviti examines the need for IT renewal in financial services institutions, assesses the risks and benefits of core modernization, and identifies five approaches to this undertaking.
The U.S. Securities and Exchange Commission and The Many Faces of Cybersecurity Liability
This article details recent actions by the U.S. Securities and Exchange Commission and addresses how various entities can be better prepared to deal with compliance, attacks and breaches.
Third-Party Access Policy
The purpose of this policy is to define security policies that apply to temporaries, contractors, consultants, and third parties, when such connectivity is necessary for business purposes. This policy covers both the physical and administrative requirements needed to manage secure network connectivity between an organization and any third party requiring access to the organization’s computing resources.
Today’s Enterprise—Cyberthreats Lurk Amid Major Transformation
In this report, we share our key findings from this year’s Internal Audit Capabilities and Needs Survey.
Today’s Financial Services IT Organization: Delivering Security, Value and Performance Amid Major Transformation
In this report, we outline the results from our more than 1,100 participants, who indicate IT functions have scores of significant priorities and likely are being pulled in multiple directions to address countless critical challenges. Among the most notable challenges for 2014 are: Enhancing and protecting business value; Strengthening data privacy and security; Managing and classifying data; Strengthening IT asset and data management; Improving mobile commerce and social media management.
2014 IT Priorities Survey
Protiviti’s 2014 IT Priorities Survey confirms that IT transformation has become the new normal for companies. More than 1,100 respondents indicate IT functions have scores of significant priorities and likely are being pulled in multiple directions to address countless critical challenges.
Today's Big Trends in Robotics
This article looks at the global robotics ecosystem as a whole, including current trends in industrial robotics.
Top Risks in 2015: Are You Asking the Right Questions?
Companies need useful information to stay abreast, if not ahead, of critical issues looming on the horizon and to prepare for potential opportunities and adverse scenarios. Top issues? Regulatory scrutiny, economic uncertainty, and cyberthreats—not a great surprise.
Top Risks in Financial Services: Ever the Same, Always Changing
Protiviti Managing Director Cory Gunderson provides insight into executive perspectives and the evolution of risks within the financial services industry.
Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective
This white paper discusses the FFIEC Assessment Tool, which supplements the popular NIST framework with guidance specific to federally supervised financial institutions.
UNIX Security Audit Work Program
This audit program outlines steps for reviewing the security of systems running the UNIX operating system.
User Access Security Process Flow
This sample process flow outlines the steps to manage user access changes to company IT systems.
User Information Security Policy
This sample policy provides guidelines for securing user information.
User Malicious Software Policy
The purpose of this security policy is to outline the user’s responsibilities for ensuring that anti-virus software is kept updated and maintained.
Views on AML Technology, Volume II
This Protiviti publication includes specific guidance regarding various aspects of deploying and leveraging AML transaction monitoring systems.
Virtual Private Network (VPN) Administration Audit Work Program
This audit work program includes test steps in the areas of documentation, logging, monitoring and user pool for VPN administration.
Virus Awareness Policy: Employee Responsibilities
This policy highlights an employee's responsibility with regard to keeping their workstation virus-free. The document describes tasks that an employee should undertake on a routine basis to identify and remove infected files.
Virus Protection Policy
This sample policy outlines procedures for preventing virus infection from electronic mail attachments and external disks and software.
Watch What You Say: Auditing Cybersecurity Disclosures
In the face of data breaches, corporate assurances to the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators—and insurers—are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs—people, processes and technology—are consistent with reality. The price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim. In this article, we stress the importance of having a strong cyber risk control and governance framework, such as the one developed by the National Institute of Standards and Technology (NIST), in place.
You Can’t Protect Intellectual Property and Sensitive Data Unless You Know What You are Trying to Protect
In this article, we discuss the critically important information that those charged with assessing the effectiveness of network security should be aware of.