Review

THE ROLE OF INTERNAL AUDITING IN PROVIDING CYBER HYGIENE

Year 2019, Issue 19, 17-40, 14.06.2019

Abstract

The First and Second World Wars are regarded as the most destructive wars in world history. However, this is now changing. The cyber attackers of the cyber wars in the cyber world prepare themselves 7 days a week, 24 hours a day, and in the not-too-distant future they are on their way to acquiring the potential for technological attacks such as cutting off the energy systems of an operating theatre, colliding trains on a metro line, or halting the production lines of factories. For countries, organizations and individual users, when the cyber risks carried by technological tools are taken into account, an approach based on cyber security and cyber security risk management gains importance for controlling these risks. Cyber hygiene is a fundamental principle of cyber information security and, as it resembles personal hygiene, it is the equivalent of taking simple routine measures to minimize the risks arising from cyber threats. In this context, cyber hygiene as a maturity model should be regarded as being as important as personal hygiene, and it should be borne in mind that when it is properly integrated into an organization, the organization's cyber immune system and health will be in the best condition. The independent assurance required for risk management and cyber security systems, which are so critical for today's organizations, can be uniquely provided by internal audit. Internal auditors can be important consultants in this process. In this respect, the cyber role of the internal audit activity, starting from cyber hygiene and extending to the third line of defense in the process of establishing cyber security, is increasing day by day.

In this article, the cyber role of internal auditors and internal audit is evaluated in the context of cyber security and cyber hygiene.




Details

Primary Language: Turkish
Section: Article
Authors

Alptuğ Güler 0000-0001-8439-9511

Ali Kasım Arkın 0000-0002-6826-0998

Publication Date: 14 June 2019
Published in: Year 2019, Issue 19

Cite

APA: Güler, A., & Arkın, A. K. (2019). SİBER HİJYENİN SAĞLANMASINDA İÇ DENETİMİN ROLÜ. Denetişim(19), 17-40.

Through the works it publishes, the journal Denetişim, indexed in TR Dizin, establishes an effective communication network among the professionals, academics and regulators in its field and contributes to covering significant ground on the journey toward an effective audit and governance system.