Internal Audit’s Role in Incident Response
As technology continues to change and develop, organizations are met with increasing cyber threats and, as a result, the need for better incident response practices and compliance with appropriate regulations. Ensuring that organizations have strong defenses against cyber threats while also complying with requirements has become even more crucial. Internal audit plays an important role in incident response capabilities by aiding IT security teams in ensuring that incidents are handled effectively, compliance with appropriate regulations is maintained, and any lessons learned are used to bolster the organization’s security posture post-incident. Internal audit can contribute to incident response capabilities before incidents occur, while organizations handle incidents, and after incidents have been handled.
Pre-Incident: Assessing IR Readiness and Evaluating Incident Handling and Response
Internal auditors can contribute to pre-incident preparation through various activities. One activity is risk assessment. During risk assessments, internal auditors evaluate the organization’s incident response plan, which includes the risk management practices that exist within the organization. While evaluating the incident response plan, internal auditors identify and assess IT-related risks, especially as they relate to incidents, and whether those risks have been prioritized and mitigated properly.
Another activity is the review of incident response policies and procedures. Through this review, internal auditors verify whether the incident response policies and procedures are maintained, up-to-date, and aligned with the best practices of their respective industry. This would, ideally, include a clear process for escalating IT-related incidents.
Internal auditors may also contribute to incident response capabilities by evaluating the organization’s overall incident handling and response. There are a few ways this can be done. Internal auditors can review incident documentation and reporting to ensure that incidents are documented properly and reported in a timely manner. This review verifies whether all required steps have been followed according to the organization’s policies and procedures, as well as regulatory and legal requirements. Along with reviewing documentation and reporting, internal auditors can also review incident response communication protocols to verify whether appropriate communication lines and standards exist during incidents. This ensures that all necessary stakeholders are kept up to date as the incident is handled.
Internal auditors also assess whether the organization complies with necessary laws, regulations, and/or industry standards during the incident response process. A few examples of industry regulations and standards include HIPAA and PCI-DSS.
During An Incident: Ensuring Proper Incident Containment and Recovery
Auditors evaluate whether the organization took the appropriate steps to contain the incident and prevent more damage. The review of an organization’s actual incident containment helps determine whether the correct tools and resources were used during incidents to help minimize any negative impact.
While reviewing the organization’s incident containment capability, internal auditors can also evaluate the organization’s recovery process when an incident occurs. This helps to ensure that the organization follows its established and implemented procedures to restore breached systems and data to a safe and secure state. Through this evaluation, internal auditors also assess whether the organization’s business continuity plan or disaster recovery plan was activated when necessary.
Post-Incident: Post-Incident Analysis and Continuous Monitoring and Reporting
Activities that take place after incidents occur can also benefit from review by internal audit, because this review can contribute to strengthening the organization’s incident response process. One aspect of post-incident analysis is evaluating the root-cause analysis to verify that a thorough analysis was conducted. A root-cause analysis can be very helpful for identifying weaknesses and gaps in systems, policies, and controls that might have contributed to the security breach. Identifying these weaknesses and using lessons learned to formulate improvement plans is another area where internal audit can contribute to incident response activities by evaluating what the organization has done. Internal auditors can identify where the organization has made updates, whether to policies, training, security measures, or other areas. After incidents occur, organizations should create an action plan for following up on incidents. Internal audit should review these action plans to ensure that corrective and preventive actions are implemented appropriately and monitored over time.
An organization’s continuous monitoring and reporting on incidents is very helpful for preventing and detecting issues in the future. Internal auditors should assess whether regular incident response testing, such as tabletop exercises and simulated attacks, is completed to evaluate how well the incident response plan will work in the event of a breach. Auditors may also review various incident response metrics, such as response time, recovery time, and number of incidents, to measure how well the organization responds to incidents. This can help ensure that incidents are reported to management appropriately and that the organization works to improve post-incident decision-making and resource allocation.
To learn more about McKonly & Asbury’s Internal Audit services, contact Elaine Nissley, Director, or Victor Kong, Senior Manager, who have been providing internal audit services for over twenty years. We would love to discuss how we can assist you with your challenges.
About the Author

Cecily joined McKonly & Asbury in 2023 and is currently a Senior Consultant in the firm’s Consulting Services group.