What Is Always The First Line Of Defense In Protecting Data And Information?
Roles of Three Lines of Defense for Information Security and Governance
While the three lines of defense covering assurance, governance, risk, compliance, information security and cybersecurity functions can all be working in one way or another on information security and governance, one can examine the objectives, roles and activities of these functions to explore means to optimize outputs. Optimized outputs means the combined outputs of the various parties working on information security are maximized, which allows resources to be better deployed with increased productivity by reducing duplication.
Roles and Responsibilities of Various Functions
Organizations aim to reach their objectives while managing risk within their risk appetites. A good governance structure for managing risk is to institute three lines of defense. Briefly, the first line of defense is the function that owns and manages risk. Within the first line of defense, businesses can set up control functions (e.g., IT control, which reports to the IT department) to facilitate the management of risk. The second line of defense is the independent control function (e.g., IT risk, IT compliance) that oversees risk and monitors the first-line-of-defense controls. It can challenge the effectiveness of controls and the management of risk across the organization. The third line of defense is internal audit, which provides independent assurance. Figure 1 provides examples of the functions under the three lines of defense.
Various business functions aim to ensure organizations are managing risk within their risk appetites. In particular, IT governance provides the consistency, processes, standards and repeatability needed for effective IT operations while monitoring the budget and compliance with regulatory and/or organization requirements. IT risk management must function as part of the enterprise risk management framework and address various types of risk and the challenges and opportunities the risk presents. It helps focus IT governance, security and privacy investments in the areas most critical to the achievement of organizational objectives. Information security aims to protect information and data systems from inappropriate access, manipulation, modification and destruction, thus ensuring systems/data confidentiality, integrity and availability. Cybersecurity, which includes technology, processes, policies and people, focuses on using business drivers to guide security activities while ensuring that cybersecurity risk factors are included in the organization's risk management processes.[1]
The assurance function is internal audit, whose mission can be defined as enhancing and protecting organizational value by providing risk-based and objective assurance to evaluate the effectiveness of governance, risk management and control processes.[2]
Organization Structure of Various Functions
Different teams can be organized in various ways, as shown in figures 2 and 3. Figure 2 illustrates how the IT risk, information security and cybersecurity teams can be organized in a hierarchical manner. Under this organizational structure, there is less chance that their tasks/activities are duplicated because cybersecurity is within information security, which means the latter is fully aware of the former's activities and role. Figure 3, on the other hand, is an example of IT risk, information security and cybersecurity teams organized in a flat structure, as counterparts of each other. With this kind of organizational structure, there is a higher chance that their activities will overlap because the different teams may not be aware of what the others are doing. For instance, the information security team can be reviewing information security settings and controls over all operating systems, whereas the cybersecurity team can be reviewing web server settings and controls that may cover the same server. Another example may be information security being responsible for disaster recovery planning or service level management, while the cybersecurity team is responsible for addressing denial-of-service (DoS) risk, even though disaster recovery and service level management are controls that address DoS risk.
Activities of Various Functions and/or Three Lines of Defense
To achieve the organization's ultimate goal of managing risk (e.g., information and technology risk) within its risk appetite, various business functions and/or the three lines of defense have to perform activities such as information gathering, risk assessment, reviews, analysis, reporting and monitoring of risk that may be common among the three lines. One way to find out these commonalities is through frequent communication, which facilitates information sharing. To facilitate communication and discussion of risk within an organization, different business functions can use the same set of risk categories and taxonomy.
Sharing of Inputs
Various business functions working on IT risk can share useful internal data such as source information (e.g., transaction data), risk information (e.g., trends or statistics such as web application availability percentage) and internal loss information (e.g., IT security incidents including details and/or nature of incidents). Through the sharing of internal information, business functions can fulfill their duties by conducting corresponding analysis, risk assessment and monitoring, and control review planning (e.g., compliance or audit planning).
Also, information can be shared within the industry through an external loss database, just as ORX stores loss information for the banking and insurance industry. Through the sharing of external risk information, various business functions can be better informed on how to detect and prevent similar risk. For example, in 2016, there was an unauthorized money transfer request through Bangladesh Bank,[3] detected by one of the routing banks that flagged the transaction for further review solely because of the misspelled word "fandation," which resulted in the transfer being stopped.
Information can also be shared within a country. For instance, the Cyber Security Information Sharing Partnership (CiSP)[4] of the United Kingdom is a joint industry/government initiative set up to exchange cyberthreat information in real time in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK organizations. Information can also be shared among countries. For instance, there is intercountry sharing such as the Asia Pacific Computer Emergency Response Team (APCERT) to encourage and support cooperation among national CERTs in the Asia Pacific (APAC) region. APCERT maintains a trusted network of computer security experts in the APAC region to improve the region's awareness and competency in relation to computer security incidents.[5]
Sharing of Processing
Besides sharing of inputs, processing can also be shared. Different functions may be using tools to develop monitoring measures for preventive and/or detective purposes. Sharing these tools can reduce duplication of work among various teams. For instance, either the first or second line of defense may be adopting regtech (an application of technology to ensure compliance with the latest requirements from regulators and/or the company) or using machine learning to detect distributed DoS (DDoS) attacks based on detection of similar past patterns of DDoS. Tools developed by the first line can be used by the second line and vice versa. Internal audit can develop automated scripts to perform testing or continuous auditing (e.g., use of bots to go to service providers' websites to check whether the latest system patches or virus signatures are used by the organization), which can also be used by the first or second line of defense for continuous monitoring purposes.
Sharing of Outputs
Results of reviews conducted by one party can be shared. For instance, the first line of defense can conduct a self-check of adherence to the Hong Kong regulator's (Hong Kong Monetary Authority) e-banking guidelines for compliance management; the second line of defense can use this self-check for regulatory reporting.
Another example is the governance function. The second and third lines of defense can use the first line's exception reporting and/or third-party (e.g., regulator or external auditor) control review results for identification of systemic issues. The third line can also use the first or second line's control review results for assessing the effectiveness of the first and second lines of defense.
Work of the Assurance Function
While the reviews performed by the assurance function can be similar to those conducted by the first or second lines of defense, only the internal audit department or external service providers can provide the required assurance because they are functionally independent from the business and have reporting lines and a mandate that differ from those of the first and second lines of defense. Hence, audit teams need to conduct certain work to evaluate the effectiveness of governance, risk management and control processes.
There are various reviews that can be conducted by audit teams. If the audit teams conduct re-performance, it is not economical because it duplicates efforts by re-performing a control, such as extracting sampled emails to identify any unencrypted customer personally identifiable information (PII) or independently checking the accuracy of processing by the company's application. Even if the audit team re-performs a control, such as an application control, for the first year, audit can still reduce the extensive control re-performance work in a subsequent year (hence saving time and effort while achieving the desired assurance) by performing other tests, such as change management controls or a check of the last date of change to see if any change has been applied since the last audit, when the re-performance test was conducted to confirm accurate processing of the company's application.
Audit can also perform continuous auditing to provide assurance on a more timely basis, based on a bigger data population being tested. However, the scope of continuous auditing can potentially be reduced if management has implemented similar and effective continuous monitoring. There is an inverse relationship between the adequacy of management's monitoring and risk management activities and the extent to which auditors must perform detailed testing of controls and assessment of risk. The audit function's approach to, and amount of, continuous auditing depends on the extent to which management has implemented continuous monitoring[6] and its effectiveness.
Economic Allocation of Resources
If a business function lacks the resources to perform the required tasks, it can consider obtaining the resources internally. For instance, IT's Sarbanes-Oxley Act (SOX) testing can be conducted by internal resources such as the internal audit/compliance/risk team, depending on which team has the required resources, as all functions meet the requirements for performing SOX testing.
For regulator-mandated reviews that require an independent party to conduct them, an organization can choose internal resources with adequate skills to fulfill the requirement because internal resources are usually less costly than external resources. If internal resources do not have the requisite skills/tools (e.g., penetration tests or ethical hacking) and cannot provide the required assurance, then external resources should be hired, irrespective of the relatively higher costs involved.
Conclusion
When examining the roles and objectives of the three lines of defense covering assurance, governance, risk, compliance, information security and cybersecurity, there can be common or overlapping activities. A hierarchical organization structure can reduce the chance of duplicated tasks/activities among functions or teams because each team is more aware of the role and activities of the other teams within the hierarchical structure. Another way to optimize outputs and save resources and costs for the organization is to share inputs, processing and outputs of various business functions and teams (including output of industrywide and countrywide public or nonprofit organizations), which can be used to streamline each function's activities.
The assurance function, however, can be delivered only by independent parties such as the internal audit team and external providers. Internal resources would be less costly than external resources, but the former may not have the required resources to conduct certain tasks. For these cases, external service providers may be required despite the relatively higher costs involved to ensure the required assurance is provided.
Author's Note
Opinions expressed in this article are the author's and do not necessarily represent the views of Citibank.
Endnotes
[1] Lainhart, J. W.; Z. Fu; C. Ballister; "Holistic IT Governance, Risk Management, Security and Privacy: Needed for Effective Implementation and Continuous Improvement," ISACA Journal, vol. 5, 2016, www.isaca.org/resources/isaca-journal/issues
[2] The Institute of Internal Auditors, "Supplemental Guidance, Model Internal Audit Activity Charter," 2017
[3] Schwartz, M.; "Bangladesh Bank Hackers Steal $100 Million," Bank Info Security, 10 March 2016, https://www.bankinfosecurity.com/bangladesh-bank-hackers-steal-100-million-a-8958
[4] National Cyber Security Centre, Cyber Security Information Sharing Partnership, 20 March 2018, https://www.ncsc.gov.uk/cisp
[5] Asia Pacific Computer Emergency Response Team, https://www.apcert.org
[6] Coderre, D.; "Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment," The Institute of Internal Auditors, 2005, https://www.iia.nl/SiteFiles/IIA_leden/Praktijkgidsen/GTAG3.pdf
Amelia Ho, CISA, CISM, CA, CFE, CIA, CISSP, FRM, PMP
Is a senior vice president with Citibank and has more than 20 years of experience in the financial services industry in a number of internal audit, risk management and compliance roles. She has contributed to ISACA as an article writer and expert reviewer of ISACA publications. She is the recipient of the 2013 Ted Keys Honorable Mention Award for her article "Emerging Risk Audits" in Internal Auditor, published by The Institute of Internal Auditors.
Source: https://www.isaca.org/resources/isaca-journal/issues/2018/volume-4/roles-of-three-lines-of-defense-for-information-security-and-governance#:~:text=Briefly%2C%20the%20first%20line%20of,facilitate%20the%20management%20of%20risk.