Design of a Risk-Based Auditing Program
Pages in Design Document
Cybersecurity Auditing Frameworks Leveraged
Total Time in Months to Design
The customer was executing compliance inspections and was looking for an innovative way to transform their service to quantify risk, take into account business operations, increase security posture and provide added value to its customers. Compliance inspections are limited in nature and thus did not provide the holistic assessment that the client required.
Context / Action
We Designed a Risk-Based Auditing Program labeled as cybersecurity assessment (People, Processes and Technologies) which not only covered their previous compliance inspection items but also enhanced the program to cover NIST’s 14 families of Security Controls.
In the DoD, the Command Cyber Readiness Inspection (CCRI) managed by the Defense Information Systems Agency (DISA) is being utilized to assess the readiness of DoD agencies’ networks and systems. Compliance inspections are limited in nature and thus our design built upon the current limitations. Our design was for the client but the client also intended to inform the DoD CCRI program of these changes.
Understanding the customer requirements and end state, we knew shifting from compliance inspections to a risk-based auditing approach was necessary. A risk-based audit encompasses compliance testing but compliance testing does not encompass a risk-based audit.
As technology rapidly changes, the auditing program also needed to be adaptable to this ever-changing landscape. Knowing this, we ensured that our program had a dynamic design. The intent of the program was to be able to audit anything within the cyber domain. To do so, we built in a range of cybersecurity frameworks to customize from, including NIST SP 800-53, ISO/IEC 27002:2015, PCI DSS, SCADA, NERC Critical Infrastructure Protection (CIP) and other types.
Lastly, a key component of our program was to incorporate the practice of performing Root Cause Analysis (RCA). Often, when vulnerabilities and weaknesses are identified, system and process owners tend to only address them at the surface level. In other words, they only mitigate the symptoms of a greater issue. This causes the weakness to reoccur and potentially increase risk to the environment. In order to effectively remediate weaknesses, an RCA needs to be performed. RCAs can reveal deeper underlying and potentially systemic issues that led to material risk.
This practice enabled the organization to implement effective corrective actions to permanently resolve and / or prevent the problem, and possibly others, from occurring or reoccurring. Furthermore, it ensures that decision makers have the necessary information needed to commit resources for a resolution.
Are You A Government Contracting Company?
We are a Minority and Veteran-Owned Small Business. And we are always happy to take on Joint Venture Partnerships with other Government Contracting Companies. Let's Talk!
Are You A Government Civilian or Military Leader?
As a former Government GS-15 Civilian, United States Marine and Pentagon Security Architect, I understand the struggles of protecting Web Applications within vast Enterprise Architectures. Let's Talk!
3 Steps to Better Protections, Better Solutions & Better Sleep
Schedule A Call
If you have a Government Web Application (Website) that you NEED protecting, then schedule a call. It is free and exists so that we can better understand your mission and goals.
Get Your Plan
During your call, we will talk about your current situation, your desired situation, and whether or not we are a good fit to work together. And if we do work together, then we will tell you how we can best protect your web application.
Protect Your Mission
Move forward with your mission and sleep easy by knowing that light will soon illuminate your Cyber world!