Cybersecurity Audit Guide

This guide provides guidelines and illustrative examples of audit procedures that can be used to perform a review of relevant components of a U.S. federal government agency’s cybersecurity program. Other audit organizations may also find this guide helpful. As a guide, the CPAG is not a required auditing standard such as the Yellow Book. Therefore, the use of “should” statements in this guide does not indicate a requirement unless explicitly stated in criteria. The guidelines are resource intensive and, as such, it is likely not feasible or necessary to assess the effectiveness of all cybersecurity controls within an IT system for each audit. In addition, the control techniques sufficient to achieve a particular objective will vary depending on the risk and the audit objectives. The CPAG is not intended to list every possible control objective and audit procedure that may be appropriate. Therefore, an auditor should apply professional judgment to determine the extent to which additional and more detailed audit steps and tailored control activities are needed, based on the organization being audited, the audit objectives, and key areas of audit interest.

This guide contains control activities that are consistent with those in NIST SP 800-53 Revision 5 and other NIST and OMB cybersecurity control-related policies and guidance.

Additional nongovernmental sources are available for use in conducting cybersecurity audits. Further, if an engagement is focused on national security systems, auditors should also use the specific criteria that apply to those systems. We suggest users review the Committee on National Security Systems Instruction, which may be accessed at https://www.cnss.gov/cnss/, for more information.

The chapters in this guide are organized as follows: Chapter 1 is a general guide to the audit process and the main phases of a performance audit focused on cybersecurity. Chapters 2 to 7 provide details on the six main components to consider when conducting a comprehensive cybersecurity audit.
