
Bridging The Gap Between Information Security & IT Audit - PowerPoint PPT Presentation



  1. Bridging The Gap Between Information Security & IT Audit

  2. Agenda
  ▸ Introductions
  ▸ Objectives
  ▸ Understand the Information Security Perspective
  ▸ Information Security Trends and Business Insights
  ▸ Bridging the Gap between I.T. Audit and Information Security
  ▸ Case Study Examples
  ▸ Takeaways

  3. Introductions
  ▸ Raj Sawhney, Director, Focal Point Data Risk, Los Angeles, CA (M.S., M.B.A., CISA, CRISC)
  ▸ Cory Steinbicker, Senior Manager, Focal Point Data Risk, Phoenix, AZ (CISSP, CISA, ITIL)

  4. Objectives
  After completing this session, you will be able to:
  ▸ Understand key areas of Information Security ("IS") and their impacts on the business
  ▸ Discuss 'hot topic' IS audit initiatives with stakeholders
  ▸ Build a beneficial relationship with IS while maintaining independence
  ▸ Identify and apply frameworks to help build internal IS audits
  ▸ Provide recommendations for the IS program

  5. Fraud in Information Security
  ▸ $6.3B in fraud losses attributed to information security incidents in 2017, including:
    ▸ Profile hacking / spear phishing
    ▸ Distributed denial-of-service (DDoS)
    ▸ Data breaches
    ▸ Ransomware
  ▸ Average cost of a data breach: $3.62M
  ▸ Full recovery from such an attack now takes an average of 24 days, up from 18 days; the same source reports a 42% increase in lost productivity, lost or hampered sales, and general downtime.
  ▸ IBM 2017 Survey: 42% of banking executives believe that their fraud operations are in need of an overhaul.

  6. Board of Directors Oversight on Cybersecurity
  2017 National Survey of Board Directors*:
  ▸ Cybersecurity noted as one of the leading risks to large organizations
  ▸ 54% reported that the Audit Committee has primary responsibility for cybersecurity oversight
  ▸ 79% reported that the Board is more involved with cybersecurity than 12 months ago
  ▸ 78% say the company has increased investment in cybersecurity in the last year
  ▸ Only 15% of Directors said that they are very satisfied with the quality of cybersecurity information they receive (an opportunity for better collaboration with I.T. Audit)
  *Board Oversight and National Association of Corporate Directors survey

  7. Definition of Information Security
  "Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption." [1]
  [1] https://www.sans.org/information-security/

  8. Top Audit Initiatives for 2018
  1. Cybersecurity programs
  2. Privacy and data management
  3. IT governance, risk, and strategic change
  4. Business continuity and disaster recovery
  5. Third party and vendor management
  6. Cloud security
  7. Identity and access management
  8. Incident management and response
  9. Security awareness and training
  10. Digital and mobile risk

  9. Goals of Information Security (the CIA triad)
  1. Confidentiality
  2. Integrity
  3. Availability

  10. Risk Management Framework (six-step cycle)
  Step 1: CATEGORIZE Information System
  Step 2: SELECT Security Controls
  Step 3: IMPLEMENT Security Controls
  Step 4: ASSESS Security Controls
  Step 5: AUTHORIZE Information System
  Step 6: MONITOR Security Controls (feeds back into Step 1)

  11. Defense-in-Depth Controls
  ▸ Physical Controls: prevent, monitor, and detect access to sensitive areas (e.g. guards, fences, locks, cameras, alarms, and lights)
  ▸ Logical / Technical Controls: hardware or software used to manage access (e.g. authentication methods, IDS/IPS, and firewalls)
  ▸ Administrative Controls: management controls defined by the organization (e.g. policies and procedures, background checks, and training)

  12. Threat Classifications
  ▸ Sources: internal or external
  ▸ Agents: human, environmental, or technological
  ▸ Motivations: goals of the attack (e.g. political, profit, sabotage)
  ▸ Accidental or intentional
  ▸ Impacts: destruction, corruption, theft/loss, disclosure, and illegal use

  13. Exposure and Impacts to the Business
  ▸ Unauthorized access
  ▸ Theft of non-public or private information
  ▸ Insider theft
  ▸ IT costs to remediate systems
  ▸ Business income loss
  ▸ Regulatory
  ▸ Reputational injury
  ▸ Stock price impact
  ▸ Legal
  Source: SANS - https://www.sans.org/reading-room/whitepapers/infosec/information-risks-risk-management-34210

  14. 3 Lines of Defense: Roles and Responsibilities
  1st Line: Business (IT Operations and IS)
  • Manages the data, processes, controls, and risk.
  • Implements corrective actions to address process gaps and deficiencies.
  2nd Line: Compliance & Risk Management
  • Assesses the risks and exposures related to IS and determines whether they are in alignment with the organization's risk appetite.
  • Monitors current and emerging risks and changes to laws and regulations.
  • Collaborates with the first-line functions to ensure appropriate control design.
  3rd Line: Audit
  • Assesses the overall effectiveness of the activities of the 1st and 2nd lines of defense.
  • Prioritizes responses and control activities.
  • Audits for IS risk mitigation across all relevant facets of the organization.
  • Provides assurance over remediation activities.
  • Raises risk awareness and coordinates with IS risk management.
  Source: Global Technology Audit Guide (GTAG): Assessing Cyber Security Risk: Roles of the Three Lines of Defense (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx)

  15. Where Do We Start?
  ▸ Asset Inventory and Classification
    ▸ Where are the crown jewels (i.e. the data)?
    ▸ What types of data do we possess, and what is their level of sensitivity and criticality?
    ▸ Are other assets (e.g. connections, hardware, software) inventoried, maintained, and classified?
  ▸ Information Security Risk Assessment (RA)
    ▸ Does the RA leverage a formal framework or a blend of frameworks?
    ▸ Does the RA identify threats, vulnerabilities, likelihoods, and potential impacts?
    ▸ Does the RA identify compliance requirements?
    ▸ Does the RA identify gaps and enhancements, and/or map internal control activities?

  16. Building the Relationship with IA and IS
  ▸ Engage and understand each other's overall objectives and strategies
  ▸ Demonstrate a basic understanding of cyber risks, controls, and threats
  ▸ Discuss business strategy, regulations, compliance, and trends
  ▸ Become a trusted advisor while maintaining independence
  ▸ Collaborate and stay continuously involved on projects and status meetings
  ▸ Start with a single point of contact for both teams

  17. Building the Relationship of IA and IS
  IA can play an integral role with the IS function, including:
  ▸ Audits are typically performed by independent internal departments or third parties;
  ▸ Comprehensive review of the information security program, including the environment in which the program runs and the outputs of the program;
  ▸ Not a one-size-fits-all audit approach: the audit program depends on the industry, the organization, and the relevant risk profile;
  ▸ IA reports on information security activity, identifies root cause(s), and provides recommendations to address deficiencies

  18. Relationship Benefits
  ▸ The Board can gain comfort that communications are consistent
  ▸ Provide Management and IS an independent assessment of:
    ▸ Investments
    ▸ Risks
    ▸ Security posture
  ▸ Consistent communication reduces "surprises"
  ▸ Perform 'health checks' and continuous monitoring
  ▸ Proactive vs. reactive

  19. Partnering for a Stronger IS Program
  ▸ Assess security models
  ▸ Review policies and procedures around the management of technology, governance, and privacy
  ▸ Review the organization's cybersecurity risk assessment, processes, and controls
  ▸ Review existing and emerging technology systems against best practices and regulatory guidelines

  20. Partnering for a Stronger IS Program (continued)
  ▸ Champion a robust training and education program
  ▸ Assess third-party security providers
  ▸ Conduct periodic cyber "fire drills"
  ▸ Evaluate changes in the business model, the technologies supporting them, and related changes in the control structure

  21. Tips for an Effective IS Audit Scope
  Recommendations:
  ▸ Consider internal/external systems, third-party connections, and hosted systems
  ▸ Cover operating systems, databases, network devices, and applications (COTS and internally developed)
  ▸ Scope based on risk level, but include relevant aspects of people, processes, technology, and physical/environmental security
  ▸ Interview different lines of business outside of IS

  22. Tips for an Effective IS Audit Report
  ▸ Periodically review with management to avoid "surprises"
  ▸ Simplify the impact to the business, the level of risk, and the gaps or ineffective controls
  ▸ Focus on the root cause
  ▸ Risk rank and prioritize findings in order of severity
  ▸ Design the report to keep stakeholders accountable (e.g. include details on remediation efforts and dates to completion)

  23. Case Study: Cybersecurity Risk Assessment
  Issue: The organization struggled to effectively develop, measure, and communicate its IS Program.
  Approach and Benefits:
  ▸ IA reviewed control mappings (frameworks to internal controls)
  ▸ Workshops with the CISO and team to understand how risk ratings and control effectiveness were determined
  ▸ Reviewed Management's risk assessment results
  ▸ The assessment led to the CISO modifying the message to the BoD and increasing the risk levels in certain areas
  ▸ Resulted in better reporting and corporate governance
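The control-mapping review in the case study above, as an added worked example that is not part of the presentation: it takes a framework-to-internal-control mapping, the latest test result for each internal control, and the risk level management reported per domain, derives the risk level the control evidence actually supports, and lists the domains where management's rating is lower than the evidence warrants (the ratings an auditor would challenge, as the CISO ended up raising in the case study). All control identifiers, test results, ratings and the scoring thresholds are constructed for illustration and are not from the presentation or any real framework.

```python
from collections import defaultdict

LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Constructed sample data (hypothetical identifiers, not from the presentation):
# framework control id -> domain it belongs to.
FRAMEWORK_CONTROLS = {
    "FW-AM-1": "Asset Management",
    "FW-AM-2": "Asset Management",
    "FW-AC-1": "Access Control",
    "FW-AC-2": "Access Control",
    "FW-AC-3": "Access Control",
    "FW-IR-1": "Incident Response",
    "FW-IR-2": "Incident Response",
    "FW-IR-3": "Incident Response",
}

# Internal control id -> result of the most recent control test (constructed).
INTERNAL_RESULTS = {
    "IC-101": "effective",
    "IC-102": "partial",
    "IC-201": "effective",
    "IC-202": "ineffective",
    "IC-203": "not tested",
    "IC-301": "effective",
    "IC-302": "effective",
}

# Mapping maintained by the IS team: framework control -> internal controls
# claimed to satisfy it (constructed; note the empty and dangling entries).
MAPPING = {
    "FW-AM-1": ["IC-101"],
    "FW-AM-2": ["IC-102"],
    "FW-AC-1": ["IC-201"],
    "FW-AC-2": ["IC-202", "IC-203"],
    "FW-AC-3": [],               # nothing mapped at all
    "FW-IR-1": ["IC-301"],
    "FW-IR-2": ["IC-302"],
    "FW-IR-3": ["IC-999"],       # mapped to a control that is no longer in the inventory
}

# Risk level management reported to the board for each domain (constructed).
MANAGEMENT_RATING = {
    "Asset Management": "Low",
    "Access Control": "Low",
    "Incident Response": "Medium",
}


def coverage_status(fw_id, mapping=MAPPING, results=INTERNAL_RESULTS):
    """'covered' if any mapped control tested effective, 'partial' if the best
    evidence is a partial result, otherwise 'gap' (no mapping, a dangling
    mapping, or only ineffective / untested controls)."""
    outcomes = [results.get(ic, "missing") for ic in mapping.get(fw_id, [])]
    if "effective" in outcomes:
        return "covered"
    if "partial" in outcomes:
        return "partial"
    return "gap"


def domain_ratings(framework=FRAMEWORK_CONTROLS, mapping=MAPPING, results=INTERNAL_RESULTS):
    """Derive a risk level per domain from coverage. A gap weighs 2, a partial 1,
    normalised by 2 * (controls in the domain); ratio >= 0.5 is High,
    >= 0.2 is Medium, else Low. Thresholds are an illustrative assumption."""
    weight = {"covered": 0, "partial": 1, "gap": 2}
    totals = defaultdict(lambda: [0, 0])  # domain -> [weighted score, control count]
    for fw_id, domain in framework.items():
        totals[domain][0] += weight[coverage_status(fw_id, mapping, results)]
        totals[domain][1] += 1
    ratings = {}
    for domain, (score, count) in totals.items():
        ratio = score / (2 * count)
        ratings[domain] = "High" if ratio >= 0.5 else "Medium" if ratio >= 0.2 else "Low"
    return ratings


def reconcile(management=MANAGEMENT_RATING, derived=None):
    """Domains where management's reported level is below what the control
    evidence supports, as (domain, reported, derived) tuples sorted by domain.
    A domain management rates higher than the evidence is not flagged."""
    derived = derived if derived is not None else domain_ratings()
    return sorted(
        (domain, management.get(domain, "Low"), level)
        for domain, level in derived.items()
        if LEVELS[management.get(domain, "Low")] < LEVELS[level]
    )


if __name__ == "__main__":
    for fw_id in FRAMEWORK_CONTROLS:
        print(f"{fw_id}: {coverage_status(fw_id)}")
    print("Derived domain ratings:", domain_ratings())
    for domain, reported, derived in reconcile():
        print(f"Challenge: {domain} reported {reported}, evidence supports {derived}")
```

In the sample data, Access Control has one unmapped control and one whose mapped controls are ineffective or untested, so the evidence supports High while management reported Low; Asset Management has a partially effective control and comes out Medium against a reported Low; Incident Response has a dangling mapping but management already rated it Medium, so it is not challenged. The same structure works for any framework once the control catalogue, test results and mapping are loaded from the organization's GRC export instead of the constructed literals.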
