This audit will be an assessment of the design and operating effectiveness of controls specific to maintaining the integrity/confidentiality of an organization’s information and protection of IT assets.
To better understand the state of IT Security controls at your organization, PRA will assess the maturity of controls using the maturity model defined within COBIT (Control Objectives for Information and related Technology, version 5.0) for the “Ensure Systems Security” sub-domain. Specifically, control objectives included in the scope of this audit are as follows:
Ensure that all users (internal, external and temporary) and their activity on the IT network (Windows) and on critical systems are uniquely identifiable. Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
IT Security Plan
Your organization has translated business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The organization ensures that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware.
User Account Management
Ensure appropriate controls are in place to address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges on critical systems, supported by a documented set of user account management procedures.
Malicious Software Prevention, Detection and Correction
Ensure your organization has preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam), where such measures are required.
Ensure your organization uses security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.
Recognizing that IT governance is both a business requirement and a business enabler, the COBIT framework establishes control standards for the IT governance life cycle around the areas of strategic alignment, value delivery, risk management, resource management, and performance management. Each IT governance focus area plays a role in the formation and sustainment of IT governance within an organization. This internal audit will evaluate the design and implementation of IT governance controls as well as policies and management practices within the Information Systems department. This audit will assess the adequacy of controls over strategic planning, risk management and value delivery from IT initiatives.
IT Social Engineering
Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data.
Email phishing is on the rise and more sophisticated than ever. While phishing attacks are primarily used to separate victims from their money, they are also used as part of the first wave of more sophisticated attacks.
Types of email phishing attacks include but are not limited to:
Embedding a link in an email that redirects your employee to an insecure website that requests sensitive information
Installing a Trojan via a malicious email attachment or an ad that will allow the intruder to exploit loopholes and obtain sensitive information
Spoofing the sender address in an email to appear as a reputable source and request sensitive information
COBIT and other IT Control Frameworks
Our audits are conducted using industry-leading practice standards and guidance including:
Information Systems Audit and Control Association & Foundation (“ISACA”) standards known as Control Objectives for Information and Related Technologies or ‘COBIT’.
CIS Critical Security Controls – Top 20
OSFI Cyber Security Self-Assessment
ISO/IEC (International Organization for Standardization and the International Electrotechnical Commission) 27001:2013, Information technology – Security techniques – Information security management systems – Requirements
Cyber Security Assessment
PRA will perform an assessment of conformance with a recognized cyber security framework (OSFI, ISO, NIST or SANS).
System Conversion Assistance
Review of the project charter and conversion risk assessment; review of user acceptance testing and data clean-up prior to conversion; post-conversion review of key General Ledger accounts, data samples and other evidence of correct data conversions.