In the wake of the financial crisis, the IIA came up with a model for better Risk Management and called it the ‘3 Lines of Defense’ model. This model allows regulators to better assess the risks in the financial industry. Though the model was mainly written for financial services, it is widely accepted in the Cyber Security profession as well. Without further ado, here is an overview of the 3 LoD model and the roles and responsibilities for each of those wrt Cyber Security.
1st line of Defense – This is also called as the Operational Management of an organization. All the front line managers are responsible for implementing the controls, developing the policy, manage the day-to-day risks, and ensuring that the policies are supplemented by appropriate procedures that employees can follow in their BAU processes. For example, while complying the SOX 404 regulation, also called Internal Controls Over Financial Reporting (ICFR) is implemented at the first line of defense. An example of this control includes implementing appropriate Segregation of Duties, information security policies, conduct penetration testing, etc.
2nd Line of Defense – The 2nd LoD is also called as the Risk Monitoring and Oversight. The second line of defense oversees the controls implemented by the first line of defense and performs routine monitoring of the risk. The Information Security and Risk Management typically resides in the 2nd LoD. These monitoring and oversight functions ensure that controls are properly designed and operating effectively.
3rd Line of Defense – The 3rd LoD is the Audit function and ideally should be independent of the influence of the 1st and 2nd LoD. The responsibility of the 3rd LoD is to oversee the functions of both the 1st LoD and the 2nd LoD. Typically, there are 2 audit teams – Internal and External auditors.
Internal auditors assess the control frameworks on a periodic basis and ensure that they are working properly and are applicable to the current risk posture of the organization. These teams are responsible to perform their own independent testing by sampling the population on the basis of size.
Then there are External auditors, which may or may not be a mandatory requirement based on the objective of the audit. This might include SOC audits if you’re providing services to a 3rd party or SOX 404 audit to check the effectiveness of IS controls on a financial application.
To summarize, the Three Lines of Defense framework helps organizations manage and mitigate the risks in a more independent but robust manner. For employees, the 3LoD provides a specific set of roles and responsibilities for each of those roles resulting in a better sense of accountability.
P.S: Simplified version of 3LoD:
Further reading: