Auditors Can Assess and Advance Their Zero Trust Model with New ISACA Audit Program


For organizations that adopt a Zero Trust approach for their cybersecurity program—adhering to the principle of “never trust, always verify”—it is important to periodically review, test and adjust the model to ensure that every user has only the minimum access needed to perform their job, so that assets and systems are better protected. A new audit program from ISACA supports IT auditors in assessing these controls and processes to confirm that their organizations’ Zero Trust models are effective.

A subpar Zero Trust program can lead to major impacts, such as unplanned costs associated with incident response, significant impact resulting from regulatory censure, missed performance targets, system downtime, loss of business-critical data and/or systems, and reputational damage.

ISACA’s Zero Trust Audit Program guides auditors in examining the core focus areas that can reduce the impact of a cyberincident. The program can be used to assess an organization’s ability to secure itself based on Zero Trust policies and procedures, as well as to evaluate related controls and their effectiveness in reducing the likelihood of a cybersecurity incident. The program also homes in on shortcomings pertaining to personnel, processes, technologies and governance, as well as various types of operational risk that could have a reputational impact.

“Organizations are not static, and so their Zero Trust model for their cybersecurity programs should not be either,” says Sampa David Sampa, regional senior IT auditor at World Vision, member of the ISACA Emerging Trends Working Group and a developer of the paper. “When an enterprise’s roles, responsibilities, vendors or infrastructure change, or updates are made to policies, data classification or incident response processes, they also need to adjust their Zero Trust model accordingly to address these and reduce risk.”

The audit program—which includes an Excel file with testing steps—also outlines the specific processes that auditors should consider when assessing the maturity level of a Zero Trust program, including:

  • Continuous authentication validation and risk analysis processes
  • Microperimeter implementations built around and between all critical applications, systems and data stores
  • Just-in-time (JIT) and proportionate access controls
  • Advanced attack protections integrated into application workflows

“Only through a concerted effort involving rigorous testing of controls and monitoring of a range of processes can organizations really have a clear picture of where they stand with their Zero Trust program and how they can continue to strengthen it,” says Paul Phillips, ISACA director, event content development. “ISACA is committed to providing auditors with the support and resources they need to continue refining and advancing their Zero Trust approach to ultimately reduce their risk of and impact from cyberincidents.”
