Risks and Related Projects Not Covered in the Proposed Plan
IT Risks
Risk
- Remote administration & IT Support Capacity: Increased use of remote working arrangements.
- New or elevated cyber security risks: Potential exposure due to new tools and increased use.
- Privacy & Data Protection: Potential exposure of customer personal information.
- Managing rapid infrastructure change: Pressure to implement major infrastructure changes in a short period.
Internal Audit response
- Remote worker readiness assessment: Review organisational readiness for staff and other workers to continue operations from locations outside of office sites. Consider clarity and consistency of technology protocols and communications to staff.
- Access and communication readiness: Consider suitable capacity of remote technology, IT support and self-service arrangements, secure remote access via VPN, communications and capacity.
- Cyber hygiene assessment: Review the organisation’s general cyber hygiene, such as vulnerability management, patching, security awareness, anti-phishing and DLP.
- Incident monitoring and response: Support ongoing governance arrangements (security monitoring) so that they remain in place, with appropriate investigation and action performed as issues are identified.
- Revisiting data breach policy and practices: Restricting remote access to personal information by teams (including third parties) to an ‘as needs’ basis and reiterating privacy obligations for employees, especially during business continuity invocation.
- Revisiting policies impacted by Crisis Management: Internal Audit should consider the interplay between accelerated change processes and the need to ensure system integrity and security. Auditors will need to determine the acceptability and effectiveness of any temporary or emergency changes to approvals.