Part 1 of my ‘How to mitigate the risk of cyber security breaches’ blog post focused on mitigating cyber risks with the employees and organisation culture forming the initial line of defence.
This blog post covers the risk mitigation of the Three Lines of Defence (3LoD) model, technology and disaster recovery.
The three lines of defence are:
Information technology (IT) and security controls
Risk management and compliance
Internal audit.
The IT and security controls will vary depending on the organisation's IT landscape, technologies and level of outsourcing, and can be broadly split into business IT (the applications and services needed to run the organisation's business) and security IT (the tools and technologies used to provide a line of defence around the business IT to keep it secure). To keep an organisation secure, additional security IT technologies need to be added over time to deal with new cyber threats and minimise risks.
For both business and security IT, an organisation should use a software inventory/asset tool to provide a detailed inventory of all software – name, version/release/maintenance (VRM) level and end-of-service tracking. To combat security threats it is important that software is in service and at the current patch level, so organisations should have a software upgrade/patching strategy and plan.
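As an added illustration (not code from the original post), the check below runs over a small constructed software inventory and flags entries that are past end of service, approaching it, or behind the current VRM level. The inventory records, target levels and the 180-day warning window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample record: name, VRM level as an integer tuple, end-of-service date.
@dataclass(frozen=True)
class SoftwareRecord:
    name: str
    vrm: tuple
    end_of_service: date

def parse_vrm(text: str) -> tuple:
    """Parse a 'version.release.maintenance' string into a comparable integer tuple."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad VRM level: {text!r}")
    return tuple(int(p) for p in parts)

# Assumed warning window: flag software whose support ends within this many days.
EOS_WARNING_DAYS = 180

def assess_inventory(inventory, current_levels, today):
    """Return (name, reasons) for each record that needs action.

    Reasons are: out of service, end of service approaching, or VRM below the
    current (target) level recorded in current_levels.
    """
    findings = []
    for rec in inventory:
        reasons = []
        if rec.end_of_service <= today:
            reasons.append("end of service")
        elif rec.end_of_service <= today + timedelta(days=EOS_WARNING_DAYS):
            reasons.append("end of service approaching")
        target = current_levels.get(rec.name)
        if target is not None and rec.vrm < target:
            reasons.append("behind current level")
        if reasons:
            findings.append((rec.name, reasons))
    return findings

# Constructed inventory and current (target) levels; not real products or dates.
INVENTORY = [
    SoftwareRecord("payroll-app", parse_vrm("3.2.1"), date(2027, 1, 31)),
    SoftwareRecord("db-server", parse_vrm("12.1.0"), date(2024, 6, 30)),
    SoftwareRecord("web-proxy", parse_vrm("2.0.5"), date(2025, 3, 31)),
]
CURRENT_LEVELS = {"payroll-app": parse_vrm("3.2.1"),
                  "db-server": parse_vrm("12.1.4"),
                  "web-proxy": parse_vrm("2.1.0")}

def sample_findings(today=date(2025, 1, 1)):
    return assess_inventory(INVENTORY, CURRENT_LEVELS, today)
```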
Organisations need to implement a comprehensive set of security tools that are appropriate to their business. It is important to identify the most valuable and confidential data and ensure that appropriate security tools and controls are used to minimise risks. IT security tools have become more sophisticated over the years, from the early days of anti-virus tools (which are still important), and now include technologies such as penetration testing, code vulnerability scanning, network zones, endpoint monitoring, distributed denial of service monitoring, encryption key management, identity and access management and multifactor authentication.
IT security tools should prevent and detect cyber attacks; however, organisations also need a set of security controls to ensure the security tools are used with a set of procedures and administration controls to handle any security incidents. Many organisations have in-house security teams that architect, implement and operate the overall security solution and are on hand 24x7 to monitor alerts and deal with security incidents.
Cloud computing and outsourcing contracts can increase the potential cyber attack surface and security risks, so the organisation needs to take responsibility for the overall IT risk management. It needs to understand the security roles and responsibilities of each service provider to ensure that the organisation has a full end-to-end security solution. Otherwise there is a risk that a service provider is a weak link in the overall security chain.
The risk management and compliance line of defence is part of the organisation's overall risk governance and supports management in ensuring that risks and controls are effectively managed. Security risks need to be identified, assessed, monitored and reported along with other risks in the organisation. The risk management and compliance functions should monitor the first-line-of-defence security controls to ensure they are properly designed, in place, and operating as intended. The second line of defence serves an important purpose but, because of its management function, it cannot be completely independent.
Regular internal audits evaluate the effectiveness of governance, risk management and control processes. They should be performed by a team that is independent of the first two lines of defence and has a separate management reporting line. It is also worth considering engaging external auditors to perform a security audit, to provide a fresh pair of eyes and a fully independent assessment of the overall security solution and controls. In both cases it is important that the management organisation fully supports audits and acts on any recommendations.
Even with all of the security technologies and controls in place there is a risk that an attack (possibly using some new cyber attack weapon) can impact an organisation's IT solution. In a worst-case scenario this may require a rebuild of IT systems. It is therefore important that organisations have a disaster recovery plan in place that is tested to ensure that systems can be restored from backups and rebuilt with the full software stack, applications and data in a reasonable period of time. Some organisations have multi-site premises running active-standby or active-active systems, which can help as long as an incident does not affect multiple sites.
With well-designed and implemented lines of defence, organisations can minimise the risks of cyber attacks; however, they also need to continually review and enhance their defences to deal with new threats.
The Three Lines of Defence Model for risk management and control was published by the Institute of Internal Auditors. Further information is available from online sources, including organisations that have expanded/updated the model for IT security.
Jim Watson is a Management Consultant with over 30 years' experience at IBM UK who is currently working as an independent member of the Audit and Risk Assurance Committee at the Department of Business and Trade.