This guide provides guidelines and illustrative examples of audit procedures that can be used to perform a review of relevant components of a U.S. federal government agency’s cybersecurity program. Other audit organizations may also find this guide helpful. As a guide, the CPAG is not a required auditing standard such as the Yellow Book. Therefore, the use of “should” statements in this guide do not indicate a requirement unless explicitly stated in criteria. The guidelines are resource intensive and, as such, it is likely not feasible or necessary to assess the effectiveness of all cybersecurity controls within an IT system for each audit. In addition, the control techniques sufficient to achieve a particular objective will vary depending on the risk and the audit objectives. The CPAG is not intended to list every possible control objective and audit procedure that may be appropriate. Therefore, an auditor should apply professional judgment to determine the extent that additional and more detailed audit steps and tailored control activities are needed based on the organization being audited, the audit objectives, and key areas of audit interest.
This guide contains control activities that are consistent with those in NIST SP 800-53 Revision 5 and other NIST and OMB cybersecurity control-related policies and guidance.
Additional nongovernmental sources are available for use in conducting cybersecurity audits.17 Further, if an engagement is focused on national security systems, auditors should also use the specific criteria that apply to those systems. We suggest users review the Committee on National Security Systems Instruction, which may be accessed at https://www.cnss.gov/cnss/, for more information.
The chapters in this guide are organized as follows: Chapter 1 is a general guide to the audit process and the main phases of a performance audit focused on cybersecurity. Chapters 2 to 7 provide details on the six main components to consider when conducting a comprehensive cybersecurity audit.
Chapter 2 covers asset and risk management—developing an organizational understanding of the cyber risks to assets, systems, information, and operational capabilities.
- Chapter 3 addresses configuration management—identifying and managing security features for system hardware, software, and firmware; and controlling changes to the configuration.
- Chapter 4 deals with identity and access management—protecting computer resources from modification, loss, and disclosure by limiting authorized access and detecting unauthorized access.
- Chapter 5 covers continuous monitoring and logging—maintaining ongoing awareness of cybersecurity vulnerabilities and threats to an organization’s systems and networks.
- Chapter 6 addresses incident response—taking action when actual or potential security incidents occur.
- Chapter 7 discusses contingency planning and recovery—developing contingency plans and executing successful restoration of capabilities.
Chapters 2 through 7 each contain a list of key criteria to consider. The criteria listed are not an exhaustive or all-inclusive list of possible criteria. Further, the criteria listed are current as of the time of this guide’s publication. Prior to using the criteria, auditors should make sure they are using the most current version and consider use of additional criteria as appropriate.
Views: 14
