Cybersecurity Audit

Cybersecurity Audit as per CBK Framework

The quantum leap that information technology has made in the business world has been accompanied by the emergence of cyber threats and crimes, which have become a major challenge to business continuity. This has created the need to perform periodic audits of the cybersecurity environment within business entities to ensure that adequate cybersecurity controls are in place.

In this context, the Central Bank of Kuwait issued, in February 2020, the Cybersecurity Framework for Kuwaiti Banking Sector, which is intended to establish an integrated framework for improving cyber resilience.

What does cybersecurity mean in the enterprise?

The Information Systems Audit and Control Association (ISACA) defines cybersecurity as “the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.”

What is a cybersecurity audit?

The cybersecurity audit is an examination of security controls that are implemented in an entity to ensure the availability, integrity, and confidentiality of information.

The cybersecurity audit universe includes all control sets, management practices, and governance, risk, and compliance (GRC) provisions in force at the enterprise level, as well as third parties bound by a contract containing audit rights.

Who is the cybersecurity audit designed for?

Cybersecurity audits can be conducted for any entity. However, the Central Bank of Kuwait (CBK) requires local banks, including all Kuwaiti banks and foreign bank branches authorized by the Central Bank of Kuwait, to engage an independent third-party firm to audit their cybersecurity controls and to express assurance of compliance with the Framework, which is intended to ensure the effectiveness of the cybersecurity controls in place.

What is the objective of engaging an independent third-party auditor?

Engaging a specialized independent third-party auditor is part of the corporate governance controls.

What are the criteria to be met by the independent third-party auditor?

The independent third-party auditor shall meet the following criteria:

  1. They should be an independent third party (external firm), approved by the Central Bank of Kuwait before entering into the engagement letter; and
  2. They should have an academically and professionally qualified team with previous experience in the field of cybersecurity audits.

It is worth mentioning that Baker Tilly is a registered firm with the Central Bank of Kuwait for providing this service.

What is the permitted term of engagement of the independent third-party auditor to provide Cybersecurity Audit services to local banks?

The permitted term of engagement of the independent third-party auditor to provide Cybersecurity Audit services to the same bank is two years as set forth in the Cybersecurity Framework for Kuwaiti Banking Sector issued by the Central Bank of Kuwait.

What is the frequency of the cybersecurity audit report?

The cybersecurity audit report shall be submitted on a quarterly basis as set forth in the Cybersecurity Framework for Kuwaiti Banking Sector issued by the Central Bank of Kuwait.

To whom does the independent third-party auditor submit a report on cybersecurity?

The independent third-party auditor’s report on cybersecurity, together with the findings raised therein, should be presented to the Board of Directors, as set forth in the Cybersecurity Framework for Kuwaiti Banking Sector issued by the Central Bank of Kuwait.

Who is responsible for conducting the baseline maturity assessment?

The regulated entities are required to use the Baseline Self-Assessment template and conduct a self-assessment to assess the baseline maturity of the implemented controls as per the Strategic Cybersecurity Framework for the Kuwaiti Banking Sector developed by the Central Bank of Kuwait.

How can a cybersecurity audit help your organization?

  1. Ensure compliance with the regulatory requirements of the Central Bank of Kuwait.
  2. Enhance the stakeholders’ confidence in the reliability of technology systems, ensuring the continuity of services.
  3. Ensure maintenance of information confidentiality and privacy of data relating to beneficiaries.
  4. Proactively manage risks associated with cyberattacks, enhancing the overall strategies of the entities.

What are the services offered by Baker Tilly Kuwait in the Cybersecurity Audit area?

Baker Tilly provides a set of cybersecurity audit services, including the following:

  • Secure software lifecycle management
  • Security considerations for emerging technologies
  • Mobile banking security
  • Customer self-service machines
  • Contactless technology
  • Access control management
  • Cryptography
  • Change and release management
  • Capacity management
  • Data privacy and security
  • Email security
  • Portable device security
  • Reputation protection
  • Logging, monitoring, and security incident management
  • Vulnerability management
  • Human resource security
  • Security awareness and training
  • Physical and environmental security
  • Business continuity and disaster recovery (BC and DR)
  • Cyber threat intelligence management

Why choose Baker Tilly Kuwait to provide this service?

Baker Tilly is distinguished by specialist professional experience and offers the following characteristics, which carry added value for our clients:

  • A global consulting firm operating in the State of Kuwait.
  • World-class laboratories equipped with state-of-the-art tools used for vulnerability assessment and cyberattack exposure.
  • Updated databases of automated systems that enable the cybersecurity audit of any technology environment a client adopts.
  • Updated databases of new methods used in cyberattacks and the processes to prevent them.
  • Local experience under the umbrella of a global network comprising more than 250 cybersecurity experts; and
  • Bilingual team.