Manage Cybersecurity Risk with the CIS Controls

The Federal Reserve internal audit community consists of individually chartered audit functions representing each of the 12 regional Reserve Banks. In recognizing the unique and pervasive nature of cybersecurity risk, the collective of Fed internal auditors uses a highly coordinated approach to audit coverage that leverages the CIS Controls framework. The approach allows for the prioritization of audit coverage as well as the consideration of control effectiveness as demonstrated in previous audits, organized by the CIS Controls, in business and IT areas across the Fed. The prioritized nature of the CIS Controls is also useful to Fed management, informing cybersecurity and risk management activities.

The Fed’s structure consists of individually chartered and incorporated regional banks, with oversight provided by the Board of Governors, which is a federal agency. Each bank reports to its board of directors, and each bank’s Chief Audit Executive (CAE) reports directly to an audit subcommittee of its board. The interconnection of businesses across the banks requires highly coordinated audit coverage to ensure comprehensive risk-based coverage while minimizing duplication of effort. The audit approach provides a balance of coordinated direction and local conditions that are best understood by the respective bank’s CAE. The coordinated direction is provided in the form of audit objectives, focused on a prioritized subset of the CIS Critical Security Controls (CSCs) for a given year, that each bank’s auditors complete throughout the year. Flexibility is provided by completing the audit procedures throughout the year in various business and IT audits at the discretion of the regional CAEs. Results are discussed and assembled throughout the year. In addition, results are provided to local Reserve Bank management throughout the year as part of local business and IT audit reports, as well as in two enterprise-level reports provided to the Fed’s CISO.

Cybersecurity risk applies across all business and IT areas, and risks for individual Reserve Banks may vary. Since the CIS Controls are set forth in essentially priority order, they provide a strong starting point for prioritizing audit coverage. The varying levels of control effectiveness in business and IT areas are best known by the local CAEs and information security officers. This combination of prioritization and local risk knowledge supports an effective balance of cybersecurity audit coverage applied throughout the Reserve Banks. As part of management’s layered control framework, Fed management assigns an overall maturity score to Fed controls, organized by the CIS Controls. Lower assigned maturity scores drive stronger investment and management attention. This aligns the cybersecurity risk focus of management and internal audit and improves organizational conversations about relative control effectiveness. It is increasingly apparent that cybersecurity risk isn’t just an IT risk — it is an enterprise-wide business risk that requires broad awareness and coordination. The CIS Controls provide a useful framework for both management and auditors for the assessment and management of cybersecurity risk.

About the Author

Greg Johnson is Vice President and Assistant General Auditor, Federal Reserve Bank of Richmond and a member of the CIS Controls community.