Cybersecurity Audit Model (Modelo de Auditoría de Ciberseguridad)
Enfoque UTE, V.9-N.1, Mar.2018, pp. 127 - 137
Summary:
Today, organizations continually face being the targets of cyberattacks and cyber threats; the sophistication and complexity of modern cyberattacks and the modus operandi of cybercriminals, including their Techniques, Tactics and Procedures (TTP), keep growing at an unprecedented rate. Cybercriminals constantly adopt new strategies to plan and launch cyberattacks based on existing cybersecurity vulnerabilities and to exploit end users through social engineering techniques. This article presents an innovative and comprehensive cybersecurity audit model. The CyberSecurity Audit Model (CSAM) can be implemented to perform internal or external cybersecurity audits. The model can be used to perform single cybersecurity audits or as part of any corporate audit program to improve cybersecurity controls. Any information security or cybersecurity audit team has the option either to perform a full audit of all cybersecurity domains or to select specific domains to audit certain areas that need control verification and hardening. The CSAM has 18 domains; Domain 1 is specific to Nation States and Domains 2-18 can be implemented in any organization. The organization can be any small, medium or large enterprise, and the model is also applicable to any Non-Profit Organization (NPO).
Abstract:
These days organizations are continually facing being targets of cyberattacks and
cyberthreats; the sophistication and complexity of modern cyberattacks and the modus
operandi of cybercriminals including Techniques, Tactics and Procedures (TTP) keep growing
at unprecedented rates. Cybercriminals are always adopting new strategies to plan and launch
cyberattacks based on existing cybersecurity vulnerabilities and exploiting end users by using
social engineering techniques. Cybersecurity audits are extremely important to verify that
information security controls are in place and to detect weaknesses of inexistent cybersecurity
or obsolete controls. This article presents an innovative and comprehensive cybersecurity
audit model. The CyberSecurity Audit Model (CSAM) can be implemented to perform internal
or external cybersecurity audits. This model can be used to perform single cybersecurity audits
or can be part of any corporate audit program to improve cybersecurity controls. Any
information security or cybersecurity audit team has the option either to perform a full audit
of all cybersecurity domains or to select specific domains to audit certain areas that need
control verification and hardening. The CSAM has 18 domains; Domain 1 is specific to Nation
States and Domains 2-18 can be implemented at any organization. The organization can be
any small, medium or large enterprise, and the model is also applicable to any Non-Profit
Organization (NPO).
1. Introduction
This article is an extended version of the paper entitled “A Comprehensive
Cybersecurity Audit Model to Improve Cybersecurity Assurance: The CyberSecurity Audit
Model (CSAM)”, that was presented at the “2nd. International Conference on Information
Systems and Computer Science - INCISCOS 2017” on November 24, 2017.
The initial paper introduced the CyberSecurity Audit Model (CSAM) and its design to
the global scientific community. Furthermore, we now present the methodology of our case
study research and the results from our Canadian post-secondary institution case study
research.
Organizations are trying to protect cyber assets and to implement cybersecurity
measures and programs, but despite this continuing effort cybersecurity breaches and
cyberattacks cannot be entirely avoided.
According to the Information Systems Audit and Control Association (ISACA), the
origin of cybersecurity was published in a journal article in the early eighties, presenting the
first proof of the concepts of self-replicating/self-propagating code linked to a computer
worm. Pursuant to the fundamentals of the discipline defined by ISACA, cybersecurity is
“The protection of information assets by addressing threats to information processed, stored
and transported by internetworked information systems” – cybersecurity and information
security are often mentioned interchangeably but cybersecurity is a component of
information security. Proaño et al. (2017) highlight that IT auditors deal with subjectivity
issues involved with emotions, technical skills or abilities in order to report audit findings
and recommend the future implementation of knowledge-based systems for computer
audits.
Our proposed CyberSecurity Audit Model (CSAM) has been designed to address the
limitations or absence of cybersecurity controls by enabling comprehensive or
domain-specific cybersecurity audits.
2. Methodology
The CyberSecurity Audit Model (CSAM) proposed in this article is a new exhaustive
model that encompasses the optimal assurance assessment of cybersecurity in any organization,
and it can verify specific guidelines for Nation States that are planning to implement a
National Cybersecurity Strategy (NCS) or want to evaluate the effectiveness of a National
Cybersecurity Strategy or Policy already in place. The CSAM can be implemented to
conduct internal or external cybersecurity audits; the model can be used to perform single
cybersecurity audits or can be part of any corporate audit program to improve cybersecurity
controls. Any audit team has the option either to perform a full audit of all cybersecurity
domains or to select specific domains to audit certain areas that need control verification
and hardening. The CSAM has 18 domains; Domain 1 is specific to Nation States and
Domains 2-18 can be implemented at any organization. The organization can be any small,
medium or large enterprise, and the model is also applicable to any Non-Profit Organization
(NPO).
The CyberSecurity Audit Model (CSAM) contains overview, resources, 18 domains,
26 sub-domains, 87 checklists, 169 controls, 429 sub-controls, 80 guideline assessments
and an evaluation scorecard.
Overview
This section introduces the model organization, the working methodology and the
possible options for implementation.
Resources
This component provides links to additional resources to help understanding some of
the cybersecurity topics:
Cybersecurity: NIST Computer Security Resource Center, Financial Industry
Regulatory Authority (FINRA) cybersecurity practices and Homeland Security
cybersecurity.
National Cybersecurity Strategy (NCS): North Atlantic Treaty Organization (NATO)
cybersecurity strategy, European Union Agency for Network and Information
Security (ENISA) cybersecurity strategy and Organisation for Economic Co-
operation and Development (OECD) comparative analysis of national cybersecurity
strategies.
Governance: PricewaterhouseCoopers Board cybersecurity governance and
MITRE cybersecurity governance.
Cyber Assets: NERC critical cyber assets.
Frameworks: Foresite common cybersecurity frameworks, United States Computer
Emergency Readiness Team (US-CERT) framework and ISACA’s implementing the
NIST cybersecurity framework.
Architecture: Trusted Computing Group (TCG) architect’s guide and US Department
of Energy’s IT security architecture.
Vulnerability Management: SANS vulnerability assessment and Homeland Security
vulnerability assessment and management.
Cyber Threat Intelligence: SANS – Who’s using cyberthreat intelligence and how?
Incident Response: Computer Security Incident Response Team (CSIRT) frequently
asked questions.
Digital Forensics: SANS forensics whitepapers.
Awareness: National Cyber Security Alliance – Stay safe online and PCI DSS – Best
practices for implementing a security awareness program.
Cyber Defense: SANS – The sliding scale of cybersecurity.
Disaster Recovery: Financial Executives International (FEI) Canada – Cybersecurity
and business continuity.
Personnel: Kaspersky – Top 10 tips for educating employees about cybersecurity.
Domains
The CSAM contains 18 domains. Domain 1 has been designed specifically for Nation
States and Domains 2-18 are applicable to any organization.
Sub-domains
All domains have at least one sub-domain but in certain cases there might be several
sub-domains per domain.
The sub-domains are:
Cyberspace
Governance
Strategy
Legal and Compliance
Cyber Asset Management
Cyber Risks
Frameworks and Regulations
Architecture
Networks
Information
Systems
Applications
Vulnerability Management
Threat Intelligence
Incident Management
Digital Forensics
Awareness Education
Cyber Insurance
Active Cyber Defense
Evolving Technologies
Disaster Recovery
Onboarding
Hiring
Skills
Training
Offboarding
Controls
Each domain has sub-domains that are assigned a reference number. Controls are
identified by clause numbers and an assigned checklist. For the control evaluation, each
cybersecurity control is recorded as either in place or non-existent.
Checklists
Each checklist is linked to a specific domain and the subordinated sub-domain. The
checklist verifies the validity of the cybersecurity sub-controls in alignment with a control
clause. The cybersecurity auditors have the option to collect evidence to verify the sub-
control compliance.
Sub-Controls
The Sub-Controls are evaluated using the checklists.
The assessment of each sub-control can be in compliance, with a minor
nonconformity or with a major nonconformity:
-Compliant: The cybersecurity sub-control is active and aligned with the specific
requirements.
-Minor Nonconformity: The cybersecurity sub-control has not been fulfilled and it
represents a minor risk.
-Major Nonconformity: The cybersecurity sub-control does not exist or it is a complete
failure and it represents an unacceptable risk.
Guideline Assessment
The guideline assessment only applies to the Nation States domain. The guidelines
are evaluated for cybersecurity culture, National Cybersecurity Strategy (NCS), cyber
operations, critical infrastructure, cyber intelligence, cyber warfare, cybercrime and cyber
diplomacy.
Evaluation Scorecard
The control, guideline and sub-control evaluation is calculated after the audit has been
completed. The evaluation consists of assigning scores and ratings to each control,
guideline and sub-control.
We calculate the final cybersecurity maturity rating of the Nation States domain by
using the following criteria. The score can be mapped to a specific maturity level:
And for domains 2-18, we calculate the final cybersecurity maturity rating of any
organization by using the following criteria. The score can be mapped to a specific maturity
level:
4. Results
The research results were measured based on the implementation outcome of the
CSAM and CATRAM models in our target institution. The organizational cybersecurity audit
results are presented as an overall cybersecurity rating classified by the model’s domains.
The organization is starting to focus on cybersecurity matters. If technologies are in
place, the organization needs to focus on key areas to protect cyber assets. Attention must
be focused towards staff, processes, controls and regulations. The final cybersecurity
maturity rating is positioned at the “Developing” level with a score of 51% (Table 1).
In addition, the radar chart (Figure 1) presents the domain evaluation results in order
to provide the overall organizational cybersecurity readiness.
5. Discussion
This study presents the design of the CyberSecurity Audit Model (CSAM). The aim
of this model is to introduce a cybersecurity audit model that includes all functional areas,
in order to guarantee an effective cybersecurity assurance, maturity and cyber readiness in
any organization or any Nation State that is auditing its National Cybersecurity Strategy
(NCS). This model was envisioned as a seamless and integrated cybersecurity audit model
to assess and measure the level of cybersecurity maturity and cyber readiness in any type
of organization, no matter in what industry or sector the organization is positioned.
Moreover, it adds a guideline assessment for the integration of a national cybersecurity
policy, program or strategy at the country level.
Table 1. Cybersecurity maturity rating by CSAM domain. The checked box marks the maturity-level column (I, D, M or A) in which the domain’s score falls.
No.  Domain                          I  D  M  A  Score
 2   Governance and Strategy         ☐  ☒  ☐  ☐   35%
 3   Legal and Compliance            ☐  ☐  ☒  ☐   90%
 4   Cyber Assets                    ☒  ☐  ☐  ☐   30%
 5   Cyber Risks                     ☐  ☒  ☐  ☐   60%
 6   Frameworks and Regulations      ☒  ☐  ☐  ☐   30%
 7   Architecture and Networks       ☐  ☒  ☐  ☐   67%
 8   Information, Systems and Apps.  ☐  ☒  ☐  ☐   55%
 9   Vulnerability Identification    ☒  ☐  ☐  ☐   30%
10   Threat Intelligence             ☐  ☒  ☐  ☐   60%
11   Incident Management             ☒  ☐  ☐  ☐   10%
12   Digital Forensics               ☒  ☐  ☐  ☐   30%
13   Awareness Education             ☐  ☒  ☐  ☐   60%
14   Cyber Insurance                 ☐  ☐  ☒  ☐   90%
15   Active Cyber Defense            ☒  ☐  ☐  ☐    5%
16   Evolving Technologies           ☐  ☐  ☐  ☒  100%
17   Disaster Recovery               ☒  ☐  ☐  ☐   30%
18   Personnel                       ☐  ☐  ☒  ☐   77%
     Final Cybersecurity Maturity Rating  ☐  ☒  ☐  ☐   51%
Figure 1. Radar chart of the domain evaluation results. Axes visible in the extracted chart: Governance and Strategy, Legal and Compliance, Cyber Assets, Cyber Risks, Frameworks and Regulations, Active Cyber Defense, Evolving Technologies, Disaster Recovery and Personnel; the plotted values are the domain scores of Table 1.
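The scorecard aggregation behind Table 1, as an added example that is not code from the paper: it rebuilds the Table 1 rows, recomputes the final maturity rating as the rounded mean of the 17 domain scores, and maps each score to a level column. The level cut-offs are assumptions chosen only to be consistent with the checked column of every Table 1 row, since the paper's criteria table is not reproduced on this page; of the column letters, only D ("Developing") is named on the page.

```python
from statistics import mean

# Table 1 rows as reported on the page: (domain no., domain, checked level column, score %)
TABLE_1 = [
    (2, "Governance and Strategy", "D", 35),
    (3, "Legal and Compliance", "M", 90),
    (4, "Cyber Assets", "I", 30),
    (5, "Cyber Risks", "D", 60),
    (6, "Frameworks and Regulations", "I", 30),
    (7, "Architecture and Networks", "D", 67),
    (8, "Information, Systems and Apps.", "D", 55),
    (9, "Vulnerability Identification", "I", 30),
    (10, "Threat Intelligence", "D", 60),
    (11, "Incident Management", "I", 10),
    (12, "Digital Forensics", "I", 30),
    (13, "Awareness Education", "D", 60),
    (14, "Cyber Insurance", "M", 90),
    (15, "Active Cyber Defense", "I", 5),
    (16, "Evolving Technologies", "A", 100),
    (17, "Disaster Recovery", "I", 30),
    (18, "Personnel", "M", 77),
]

# ASSUMED inclusive lower bounds for the level columns I, D, M, A. They are chosen so
# that every Table 1 row lands in its checked column; the paper's real criteria
# table is not on this page.
LEVEL_CUTOFFS = [("A", 100), ("M", 75), ("D", 35), ("I", 0)]


def maturity_level(score: int) -> str:
    """Map a percentage score to the highest level whose lower bound it reaches."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for level, lower in LEVEL_CUTOFFS:
        if score >= lower:
            return level
    return "I"  # not reachable: the last cut-off is 0


def final_rating(rows=TABLE_1) -> int:
    """Final maturity rating: mean of the domain scores, rounded to a whole percent."""
    return round(mean(score for *_, score in rows))


def check_table(rows=TABLE_1) -> list:
    """Rows whose checked column disagrees with the assumed cut-offs (empty = consistent)."""
    return [row for row in rows if maturity_level(row[3]) != row[2]]


if __name__ == "__main__":
    for no, name, level, score in TABLE_1:
        print(f"{no:>2} {name:<32} {score:>3}%  {level}")
    rating = final_rating()
    print(f"Final rating: {rating}% -> level {maturity_level(rating)}")  # 51% -> D
    print("Inconsistent rows:", check_table())
```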
Many cybersecurity frameworks are mostly oriented towards a specific industry like
the “PCI DSS” for credit card security, the “NERC CIP Cyber Security” for the bulk power
system or the “NIST Cybersecurity Framework” for protecting national critical infrastructure.
However, none of the existing frameworks provides a one-size-fits-all approach for planning and
conducting cybersecurity audits. Mapping against specific cybersecurity frameworks is necessary
because of regulatory requirements, to satisfy the demands of industry regulators, to
comply with internal or external audits, to satisfy business purposes and customer
requirements, or simply to improve the enterprise cybersecurity strategy.
We compared our model in Table 2 to highlight the main features against “The
Cybersecurity Framework (CSF) Version 1.1: NIST (2017)” and “The Audit First
Methodology: Donaldson et al. (2015)”. The CSAM is not for a specific industry, sector or
organization; on the contrary, the model can be utilized to plan, conduct and verify
cybersecurity audits everywhere. The CSAM has been designed to conduct partial or
complete cybersecurity audits, either for a specific domain, for several domains or as a
comprehensive audit of all domains.
6. Conclusions
This study introduces the CyberSecurity Audit Model (CSAM) design and all its
components, the aim of this model is to evaluate and measure the cybersecurity assurance,
maturity and cyber readiness in any organization. In addition, the model can evaluate the
effectiveness of cybersecurity guidelines for any Nation State linked to its national
cybersecurity strategy or policy.
The CSAM was tested, implemented and validated along with the Cybersecurity
Awareness TRAining Model (CATRAM) in a Canadian higher education institution. A
research case study is being conducted to validate both models and the findings will be
published accordingly.
Since there is no universal acceptance or standardization in terms of defining
cybersecurity audit scopes, aims and domains, further research is required and encouraged
in the cybersecurity areas of assurance and audits.
References
Bodeau, D., Boyle, S., Fabius-Greene, J., and Graubart, R. (2010). “Cyber Security Governance”, MITRE. Retrieved January 24, 2018, from https://www.mitre.org/sites/default/files/pdf/10_3710.pdf.
Boyce, R. (2001). “Vulnerability Assessment: The Pro-Active Steps to Secure your Organization”, SANS Institute. Retrieved January 24, 2018, from https://www.sans.org/reading-room/whitepapers/threats/vulnerability-assessments-pro-active-steps-secure-organization-453.
CERT Division. (2017). “CSIRT Frequently Asked Questions”, Carnegie Mellon University. Retrieved January 24, 2018, from https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm.
Department of Homeland Security. (2012). “Vulnerability Assessment and Management”, NICCS. Retrieved January 24, 2018, from https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/vulnerability-assessment-and-management.
Donaldson, S., Siegel, S., Williams, C., and Aslam, A. (2015). “Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats”. New York: Apress, pp. 201-204.
Financial Executives International – FEI. (2014). “Financial Executives, Cyber Security & Business Continuity”, Canadian Financial Executives Research Foundation (CFERF). Retrieved January 24, 2018, from https://www.feicanada.org/enews/file/CFERF%20studies/2013-2014/IBM%20Cyber%20Security%20final3%202014.pdf.
Financial Industry Regulatory Authority – FINRA. (2015). “Report on Cybersecurity Practices”, pp. 1-46. Retrieved January 24, 2018, from https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.
Foresite. (2016). “Quick guide to common Cybersecurity Frameworks”. Retrieved January 24, 2018, from https://www.foresite.com/blog/quick-guide-to-common-cybersecurity-frameworks/.