Internal audit can help mitigate Q-day quantum risks

“Q-day is the day when quantum computers will break through encryption and render traditional security applications useless, unless they have adopted a strategy of post-quantum cryptography and newer encryption standards,” Rai said.

Post-quantum cryptography (PQC) is a set of algorithms designed to be secure against both classical and quantum computing attacks. Organizations need to replace existing asymmetric encryption with PQC, deprecating methodologies and processes that rely on classical encryption. This requires a shift in business processes as well as technology, and it is part of a larger quantum resilience strategy. A quantum resilience strategy needs to address quantum computing risks across the business and technology aspects of an organization’s governance model, compliance with potential laws and regulations, alignment with know-your-data requirements, and comprehensive data protection. It also needs to track the deadlines to get it all done.

Right now, many organizations need to ensure that they’ve addressed the pressing priorities of data security and regulatory compliance:

• Data security: Organizations must identify whether they have data (including system access credentials) only protected by classical encryption methods like Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC). If so, that data is at risk of being harvested now for decryption later. These organizations should immediately employ additional security measures to ensure classical encryption is never the only means of data protection. Organizations with unique data dependencies also need to consider the potential risks associated with cyberattacks that may target third parties, governmental databases or others in their data infrastructure.
• Regulatory compliance: National and regional governments have begun reviewing their critical infrastructure and data protection for quantum readiness, so organizations need to review the standards that have been published and design solutions that align with likely enforcement.

“Governance and regulatory bodies are preparing post-quantum security standards, so work with legal and compliance to really understand where you need to be in the next three to 10 years, and update policies appropriately,” Hinkebein said. “The most significant step that companies can take is defining their data protection strategies. As we understand the laws and regulations, look to define your data strategy in terms of a roadmap to where you want to be.”

Rai and Hinkebein led a recent webinar about quantum resilience, where most respondents indicated that they had not formed a quantum resilience strategy.

Quantum resilience strategy

To achieve long-term quantum resilience, organizations need to research, develop and test quantum resilience strategies that dynamically identify and manage their operational risks. “A quantum resilience strategy will require you to think through governance models and look at laws and regulations,” Rai said. “Then, take steps to protect your data — know your data and apply the appropriate encryption mechanisms that are quantum safe. This can take some time.”

1. Research
   

   Governments and regulatory bodies like NIST, the International Organization for Standardization and the European Union are developing and publishing post-quantum security standards (like NIST FIPS 203, 204 and 205). “In 2015, NIST began selecting standards and standardizing quantum-resistant algorithms,” Rai said. “These were converted into standards. Three of them are aligned with Q-safe algorithms and, as part of the quantum resilience strategy, we need to consider where to apply Q-safe algorithms to datasets that need to be protected against the quantum computing risks of the future.” As organizations analyze post-quantum standards, they should consider how the standards apply to their unique data, business processes and third-party dependencies.

2. Development
   Evaluate and enhance encryption policies, purge obsolete data and adopt new encryption methods:
   1. Establish any required deadlines for meeting quantum readiness standards and requirements, along with mechanisms to track progress.
   2. If needed, perform an updated assessment and index of your data architecture to identify data protection priorities and responsibilities.
   3. Identify third-party suppliers and vendors that can possibly handle sensitive data. Ensure that any current or future loss of sensitive data (even if encrypted) will be reported to address HNDL.
   4. Purge any unnecessary or expired data to reduce risk areas.
   5. Build an inventory of your data encryption methods to create a cryptographic metadata database.
   6. Assess the encryption policies and governance within your organization and its data supply chain, replacing classical cryptography with PQC.
   7. Enhance any other data protection strategies to make them quantum-safe (Q-safe) by employing security that goes beyond classical encryption.
   8. Ensure that any application development processes will use and apply Q-safe methods moving forward.

3. Testing
   Review revised encryption controls, policies and algorithms:
   1. Apply technical testing for PQC and Q-safe algorithms.
   2. Enforce PQC encryption policies and regulatory compliance for sensitive data.
   3. Perform lifeboat testing exercises for data, including functional, dynamic, static and dynamic testing.

“Organizations need to develop a testing plan to really understand the true nature of the resilience in place,” Hinkebein said. “Look at conducting penetration testing exercises, for example, leveraging models that can bypass the current encryption mechanisms to highlight vulnerabilities,” Rai said.

“Internal audit's role is going to be critical in this,” Rai said. “Internal audit has the ability to look at controls from an independent perspective — sometimes even a broader perspective — so it’s able to connect the dots in ways that other functions might not.”

Areas of focus

For internal audit, the areas of focus include the particular domains that could be impacted by quantum computing. Auditors can begin by checking factors across primary areas:

1. Encryption governance
   1. Evaluate the policies and procedures for encryption methods.
   2. Review the current encryption metadata database and application of Q-Safe algorithms (like NIST FIPS 203, 204, 205).
      1. What data does the organization have, and what is encrypted?
      2. Is data encrypted in a way that would be protected against current and future threats?
      3. Is the organization tracking encrypted data that may be at risk in the future?
      4. Is the organization employing any necessary PQC transition plans?

2. Data protection controls
   1. Ensure that management reviews and oversees data protection controls, including policies, procedures, risk-based planning for data inventory, data classification, security controls, backup, storage and encryption requirements.
   2. Ensure compliance with all relevant standards and regulations, along with legal, contractual and statutory requirements.
   3. Ensure risk-based corrective action planning and risk remediation.
   4. Establish fully defined and operationally tested controls with technical testing methods.
3. Data security and management
   1. Evaluate the organization’s data inventory, classification, storage and flow documentation, including the data processed, stored or transmitted.
   2. Establish data ownership, stewardship and location for all relevant protected data.
   3. Identify data protection controls during storage and transmission, along with data access, reversal, rectification, deletion, disclosure, use limitation, retention and disclosure.
      1. Do current policies identify and protect long-life sensitive data, like personally identifiable information, intellectual property, financial records and trade secrets?
      2. Are retention policies aligned with emerging cryptographic risks?
4. Application security
   1. Ensure secure application design and development, including assessment of code, logic and secure coding practices.
   2. Assess API security and key management, including key generation, revocation, restoration and destruction.
   3. Ensure application security testing with vulnerability management, vulnerability scanning, risk remediation, safe coding and encryption methods.
5. Identity and access management
   1. Assess policies and procedures for identity and access management, including identity inventory and password policies.
   2. Evaluate how access levels are managed, stored and reviewed in line with segregation of duties, least privilege and access provisioning standards.
   3. Evaluate the organization’s access change reviews, management of privileged access reviews and entitlement reviews.
   4. Assess safeguards for access logs, authentication, password management and authorization mechanisms.
6. Third-party and supply chain risks
   1. Review third-party contracts policies, procedures, roles and responsibilities.
      1. Are vendors assessed for quantum readiness and encryption resilience?
      2. Are contracts updated to require future-proof encryption measures?
   2. Evaluate network security issues, including threat identification, current vulnerabilities, operating system management and patch management.
   3. Evaluate data storage with third parties, load balancers and security for containers, virtualization and platforms. 

Internal auditors need to work with multiple enterprise teams as they look across the spectrum of issues for data protection controls, encryption standards, access logs, application security, data inventory and data classification, including data that is hosted or managed by third parties.

“One priority is to talk with teams about PQC transition plans,” Hinkebein said. “As you understand more about your environment of data, have they thought through post-quantum cryptography? Are there plans to transition methodologies, as needed, to protect data?”

These assessments and discussions can lead to clear guidelines that help the organization take the necessary actions for quantum resilience.

Actions for quantum resilience

The internal audit team’s independence and objectivity can play a critical role in evaluating and sharing insights into the organization’s quantum resilience. The team can present a clear evaluation of the strategy’s operating effectiveness, identify improvement strategies driven by leading practices and provide transparency to executive management. This can be especially important if an organization needs to make large changes quickly to achieve quantum resilience.

Quantum resilience must ultimately find a place in every organization’s strategy for managing risks — especially as technology risks continue to grow. “Cybersecurity risks are here to stay, and they're going to increase in terms of scope,” Hinkebein said. “As we pair innovation with AI models, more data is developed and stored in our environment. When we store more data in our environment, we need to make sure that we protect it, understand the data privacy implications around it and refine a strategy to address that.”