This audit will be an assessment of the design and operating effectiveness of controls specific to maintaining the integrity/ confidentiality of an organization’s information and protection of IT assets.
To better understand the state of IT Security controls at your organization, PRA will assess the maturity of controls using the maturity model defined within COBIT (Control Objectives for Information and related Technology, version 5.0) for the “Ensure Systems Security” sub-domain. Specifically, control objectives included in the scope of this audit are as follows:
|IT Security Plan||Your organization has translated business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Organization ensures that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware.|
|Identity Management|| Ensure that all users (internal, external and temporary) and their activity on the IT network (Windows) and on critical systems are uniquely identifiable. Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
|User Account Management||Ensure appropriate controls in place to address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges on critical systems with a set of user account management procedures.|
|Malicious Software Prevention, Detection and Correction||Ensure your organization has preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the Organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam), where such measures are required.|
|Network Security||Ensure your organization uses security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.|
Recognizing that IT governance is both a business requirement and a business enabler, the COBIT framework establishes control standards for the IT governance life cycle around the areas of strategic alignment, value delivery, risk management, resource management, and performance management. Each IT governance focus area plays a role in the formation and sustainment of IT governance within an organization. This internal audit will evaluate the design and implementation of IT governance controls as well as policies and management practices within the Information Systems department. This audit will assess the adequacy of controls over strategic planning, risk management and value delivery from IT initiatives.
Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data.
Email phishing is on the rise and more sophisticated than ever. While phishing attacks are primarily used to separate victims from their money, they are also used as part of the first wave of more sophisticated attacks.
Types of email phishing attacks include but are not limited to:
Our audits are conducted using industry leading practice standards and guidance including:
PRA will perform an assessment of conformance with a recognized cyber security framework (OSFI, ISO, NIST or SANS).
Review of project charter and conversion risk assessment; review of user acceptance testing and data clean-up prior to conversion; post-conversion review of key General Ledger accounts, data samples and other evidence of correct data conversions.