The Office of Management and Budget (OMB) has identified cybersecurity as a Cross-Agency Priority (CAP) Goal. OMB M-14-03 requires all departments and agencies to manage information security risk on a continuous basis and to monitor security controls in Federal information systems and their operating environments, based on the NIST Risk Management Framework (RMF). This allows agencies to maintain ongoing awareness and assurance of information security, vulnerabilities, and threats in support of enterprise-wide risk management decisions.
The Cyber Risk Assurance workshop introduces participants to the frameworks, principles, and application of process risk management and risk assurance based on the GAO Generally Accepted Government Auditing Standards (GAGAS). The workshop presents a risk-based methodology for managing, planning, conducting, and reporting audits. The U.S. Department of Homeland Security (DHS) has designated Value Added Auditing® under the SAFETY Act as a Critical Infrastructure Protection: Forensics, Assurance, Analytics® technology. Cyber Risk Assurance:
1. Follows a risk-based approach;
2. Is compliant with, and harmonized to, critical federal and state statutes;
3. Can be used to offer a professional opinion and/or attestation;
4. Can be used as the basis for ISO 17021 conformity assessment and certification of management systems; and
5. Integrates the DOE cyber process management approach (see figure to the right).
- Identify cyber risk and determine when to use a risk-based, process approach to monitor and conduct a cyber audit that determines compliance.
- Determine the drivers for cyber risk-based, operational, and supply chain process assessments.
- Learn how to conduct cyber risk-based audits that comply with federal requirements and demonstrate the requisite levels of assurance.
- Use the GAO GAGAS standards to design, deploy, and assure suitable cyber-risk controls.
- Apply a step-by-step approach to plan a risk-based cyber audit.
- Learn how to conduct a successful cyber risk-based audit and report its findings.
Auditing, Assurance (Value Added Auditing) and Process Management Fundamentals.
Planning the Audit/Assurance (Value Added Audit):
- Step 1: Understand Audit and Business Objectives.
- Step 2: Notify/Visit Auditee.
- Step 3: Understand Auditee’s System, Process, and Product Documentation.
- Step 4: Develop Audit Plan.
- Step 5: Develop Audit Survey.
Conducting the Audit/Assurance Fieldwork (Value Added Audit):
- Step 1: Assess Organizational Maturity.
- Step 2: Assess Process Capabilities.
- Step 3: Assess System/Process Risks.
- Step 4: Evaluate Control Effectiveness.
- Step 5: Assess Evidence.
- Step 6: Issue Opinion if Required.
- Step 7: Conduct Exit Meeting.
Reporting the Audit/Assurance Results (Value Added Audit):
- Step 1: Communicate Audit Results.
- Step 2: Maintain Audit File.