Top 7 IT Audit Findings for 2018

January 2, 2019

The human factor remains one of the weakest links in maintaining proper cyber hygiene in an enterprise. Unfortunately, addressing the risks posed by humans through training and retraining is often sacrificed on the altar of acquiring fancy security tools. Don’t get me wrong: there is nothing wrong with acquiring security tools, except that they cannot by themselves atone for the information security risk a business is exposed to if it fails to train and retrain its personnel.

So, I took a survey among IT Risk/Audit practitioners with the objective of identifying 7 common IT audit findings in 2018 that will shape perspectives in 2019.

See what the exercise revealed…

1. Weak Logical Access Control Management

It takes different forms: excessive privileges granted to users, privileges not revoked from users who no longer require such access, use of weak or convenient passwords, prevalent use of generic accounts (which impairs user accountability), password sharing, etc.

Besides having policies or procedural documents around access control, institutions must ensure that these policies are actually enforced. Enforcing the principles of “need to know” and “least privilege” will go a long way toward addressing this risk.
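As an added illustration (not code from the article), here is the kind of access-review check an auditor can run over an exported account listing to surface three of the forms this finding describes: privileges beyond a role baseline, access not revoked from people who left or stopped using it, and generic accounts with no named owner. The role baseline, the account records and the 90-day dormancy threshold are constructed assumptions.

```python
"""Added example, not code from the article: flags excessive privileges against a
role baseline, unrevoked access (left the organisation or dormant), and generic
accounts with no individual owner. All records below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass
class Account:
    username: str
    owner: Optional[str]      # None marks a generic/shared account with no named owner
    active_employee: bool     # False once the person has left or changed role
    role: str
    privileges: FrozenSet[str]
    last_login_days: int      # days since the account was last used

# Constructed role baseline: the privileges each role legitimately needs ("need to know")
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "teller": frozenset({"view_accounts", "post_transaction"}),
    "dba": frozenset({"view_accounts", "db_admin"}),
    "auditor": frozenset({"view_accounts", "view_logs"}),
}

# Constructed sample access listing, as an auditor would pull from an IAM export
SAMPLE_ACCOUNTS = [
    Account("amaka.o", "Amaka O.", True, "teller", frozenset({"view_accounts", "post_transaction"}), 3),
    Account("bola.a", "Bola A.", True, "teller", frozenset({"view_accounts", "post_transaction", "db_admin"}), 1),
    Account("chidi.e", "Chidi E.", False, "dba", frozenset({"view_accounts", "db_admin"}), 45),
    Account("svc_backup", None, True, "dba", frozenset({"db_admin"}), 2),
    Account("dayo.k", "Dayo K.", True, "auditor", frozenset({"view_logs"}), 200),
]

def review_access(accounts: List[Account], dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return findings keyed by category, each listing the affected usernames."""
    findings: Dict[str, List[str]] = {
        "excessive_privilege": [],   # rights beyond the role baseline (least privilege)
        "unrevoked_access": [],      # left/changed role, or unused longer than dormant_days
        "generic_account": [],       # no individual owner, so no accountability
    }
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, frozenset())
        if acct.privileges - baseline:
            findings["excessive_privilege"].append(acct.username)
        if not acct.active_employee or acct.last_login_days > dormant_days:
            findings["unrevoked_access"].append(acct.username)
        if acct.owner is None:
            findings["generic_account"].append(acct.username)
    return findings
```

The same check scales to a real IAM export by replacing `SAMPLE_ACCOUNTS` with parsed records and the baseline with the institution's documented role matrix.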

2. Poor Management of Third-Party Risks

Enterprises continue to ignore the impact a breach at a third-party service provider could have on the enterprise. It is as dangerous now as it was during the 2013 Target hack.

Besides putting service level agreements in place with third parties, interfaces extended to third parties should be built so that they can access only the services they need and nothing more. Nor can we overemphasize the need to monitor these vendor activities for out-of-order signals. Monitoring ensures that services are delivered as agreed and that third-party service providers do not exploit the relationship to offer services outside the confines of the agreement.

3. Weak Configuration Management

This has been traced to the absence of documented configuration baseline standards; where such a baseline exists, its contents are flouted, either willfully or ignorantly, because of the convenience that non-adherence may offer. Either way, such actions leave the IT infrastructure vulnerable.

When it comes to cybersecurity, “ignorance is not bliss”; management should therefore commit to effective configuration management.

4. Non-Compliance with Regulatory Requirements

Regulators periodically issue policies and regulations governing digital products or cybersecurity, based on the peculiarities of the local environment in which enterprises operate.

Most regulatory requirements are poorly implemented because of a minimal understanding of the intent of the regulation. Institutions should seek clarification when in doubt, or seek deviations where compensating controls exist that address the intent of the regulation.

5. Inadequate Patch Management

Patch management remains a burning concern. The “WannaCry” ransomware attack of 2017 is a case in point; however, justifications like “if it’s not broken, why fix it?” among IT practitioners imply that a lot of enlightenment is still needed in this area. The article linked below sheds more light on this issue:

Poor Patch Management

6. Inadequate Vulnerability Management Program

One of the major issues noted with vulnerability management is scoping: critical assets are often missed because a complete inventory of information systems assets is either not properly maintained or not maintained at all. As the saying goes, “you cannot protect what you do not know exists.”

Then there are the delays in remediating identified vulnerabilities, due either to internal organizational bureaucracy or to the absence of skilled manpower.

Management should demonstrate a commitment to the effectiveness of its vulnerability management program.
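As an added illustration (not code from the article), two checks an auditor would run against this finding: which inventory assets the scan cycle never covered (the scoping gap described above), and which open findings are past their remediation deadline (the delay problem). The inventory, scan coverage, findings and per-severity deadlines are all constructed assumptions, not a standard.

```python
"""Added example, not code from the article: scoping-gap and overdue-remediation
checks for a vulnerability management program. All data here is constructed."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed asset inventory versus what the last scan cycle actually assessed
INVENTORY: Set[str] = {"web-01", "db-01", "hr-app", "core-switch"}
SCANNED: Set[str] = {"web-01", "db-01"}

# Constructed open findings: (asset, severity, date identified)
OPEN_FINDINGS: List[Tuple[str, str, date]] = [
    ("web-01", "critical", date(2018, 11, 1)),
    ("db-01", "high", date(2018, 12, 20)),
    ("web-01", "low", date(2018, 6, 15)),
]

# Assumed remediation deadlines in days per severity (example policy values, not a standard)
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def unscanned_assets(inventory: Set[str], scanned: Set[str]) -> List[str]:
    """Assets in scope on paper but never assessed: the 'cannot protect what you do not know' gap."""
    return sorted(inventory - scanned)


def overdue_findings(findings: List[Tuple[str, str, date]], as_of: date,
                     sla: Dict[str, int] = SLA_DAYS) -> List[Tuple[str, str, int]]:
    """Return (asset, severity, days past deadline) for findings older than their SLA."""
    overdue = []
    for asset, severity, identified in findings:
        days_over = (as_of - identified).days - sla[severity]
        if days_over > 0:
            overdue.append((asset, severity, days_over))
    return overdue
```

Run as of 2018-12-31, the constructed data yields two assets never scanned and two findings past deadline, the kind of evidence that goes straight into an audit working paper.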

7. Inadequate Staff Training

Cyberspace is constantly evolving; to remain relevant you must be willing to learn and unlearn. Management must understand that not training staff is not a cost-cutting measure; it harms the institution.

“CFO: What happens if we train them and they leave?

CEO: What happens if we don’t and they stay?”

At the heart of all the identified findings is the weakness of the human factor, not necessarily a failure of technology. These human issues stem from people not knowing WHAT, HOW, WHY and WHEN certain activities should be performed.

If we are to make progress in enhancing cybersecurity, much more emphasis must be placed on strengthening the human factor.

Tony Ayaunor is an Information Systems Auditor and a Cyber Security enthusiast.

2 Comments
  1. Thank you for the information; it really helps me pay attention and be ready for the 2019 audit.

  2. Good laundry list. One more that I cannot recommend enough is “Gaps or inadequate risk assessment during the project phase”.
