Bridging The Gap Between Information Security & IT Audit - - PowerPoint PPT Presentation
Bridging The Gap Between Information Security & IT Audit Agenda Introductions Objectives Understand the Information Security Perspective Information Security Trends and Business Insights Bridging the Gap between I.T. Audit
▸ Introductions ▸ Objectives ▸ Understand the Information Security Perspective ▸ Information Security Trends and Business Insights ▸ Bridging the Gap between I.T. Audit and Information Security ▸ Case Study Examples ▸ Takeaways
2
3
Cory Steinbicker
Senior Manager Focal Point Data Risk Phoenix, AZ CISSP, CISA, ITIL
Raj Sawhney
Director Focal Point Data Risk Los Angeles, CA M.S., M.B.A., CISA, CRISC
After completing this session, you will be able to: ▸ Understand key areas of Information Security (“IS”) and impacts to the business ▸ Discuss ‘hot topic’ IS audit initiatives with stakeholders ▸ Build a beneficial relationship with IS while maintaining independence ▸ Identify and apply frameworks to help build internal IS audits ▸ Provide recommendations for the IS program
4
▸ $6.3B fraud losses in 2017 due to Information Security ▸ Profile hacking / spear phishing ▸ Distributed denial-of-service (DDoS) ▸ Data breaches ▸ Ransomware ▸ Average cost of data breach $3.62M ▸ Additionally, it now takes 24 days to fully recover from such an attack, up from 18 days which is a 42% increase in lost productivity, lost or hampered sales, and general downtime. ▸ IBM 2017 Survey: 42% of banking executives believe that their fraud operations are in need of an overhaul.
5
2017 National Survey of Board Directors:
Cybersecurity noted as leading risks to large organizations
54% reported that the Audit Committee has primary responsibility
79% reported that the Board is more involved with cybersecurity than 12 months ago
78% say company has increased investment in cybersecurity in the last year
Only 15% of Directors said that they are very satisfied with the quality of cybersecurity information they received (better collaboration with I.T. Audit)
6
*Board Oversight and National Association of Corporate Directors survey
“Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.” 1
7
1 https://www.sans.org/information-security/
10.Digital and mobile risk
8
9
INFORMATION SECURITY
Integrity
Availability
Confidentiality
10
Step 1 CATEGORIZE Information System Step 2 SELECT Security Controls Step 3 IMPLEMENT Security Controls Step 4 ASSESS Security Controls Step 5 AUTHORIZE Information Systems Step 6 MONITOR Security Controls
11
Physical Controls Logical / Technical Controls Administrative Controls
Prevent, monitor, and detect sensitive areas (e.g. Guards, fences, locks, cameras, alarms, and lights) Hardware or software to manage access (e.g. Authentication methods, IDS/IPS, and firewalls) Management controls defined by the organization (e.g. Policies and procedures, background checks, and training)
▸Sources: Internal or External ▸Agents: Human, environmental, or technological ▸Motivations: Goals of the attack (e.g. political, profit,
▸ Accidental or Intentional ▸Impacts: Destruction, corruption, theft/loss, disclosure, and
12
▸
Unauthorized access
▸
Theft of non-public or private information
▸
Insider theft
▸
IT costs to remediate systems
▸
Business income loss
▸
Regulatory
▸
Reputational injury
▸
Stock price impact
▸
Legal
13
SANS - https://www.sans.org/reading-room/whitepapers/infosec/information-risks-risk-management-34210
14
ROLES AND RESPONSIBILITIES 1st Line: Business (IT Operations and IS)
2nd Line: Compliance & Risk Management
are in alignment with the organization’s risk appetite.
3rd Line: Audit
Global Technology Audit Guide (GTAG): Assessing Cyber Security Risk: Roles of the Three Lines of Defense: (https://na.theiia.org/standards-guidance/recommended-guidance/practice- guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx)
▸ Asset Inventory and Classification ▸ Where are the crown jewels (i.e. the data)? ▸ What types of data do we possess and what is the level of sensitivity and criticality? ▸ Are other assets (e.g. connections, hardware, software) inventoried, maintained, and classified? ▸ Information Security Risk Assessment ▸ Does the RA leverage a formal framework or blend of frameworks? ▸ Does the RA identify threats, vulnerabilities, likelihoods, and potential impacts? ▸ Does the RA identify compliance requirements? ▸ Does the RA identify gaps, enhancements, and/or map internal control activities?
15
▸ Engage and understand each other’s overall objectives
and strategies
▸ Demonstrate basic understanding of cyber risks, controls,
and threats
▸ Discuss business strategy, regulations, compliance, and
trends
▸ Become a trusted advisor while maintaining
independence
▸ Collaboration and continuous involvement on projects
and status meetings
▸ Start with a single point-of-contact for both teams
16
IA can play an integral role with the IS function, including: ▸ Independent internal departments or third parties typically perform audits; ▸ Comprehensive review of the information security program, including the environment in which the program runs and outputs of the program; ▸ Not a one-size-fits-all audit approach - audit program dependent to the industry, organization and relevant risk profile; ▸ IA reports on information security activity, identify root cause(s) and provide recommendations to address deficiencies
17
▸ Board can gain comfort that communications are consistent ▸ Provide Management and IS an independent assessment
▸ Investments ▸ Risks ▸ Security Posture ▸ Consistent communication reduces “surprises” ▸ Perform ‘health checks’ and continuous monitoring ▸ Proactive vs. Reactive
18
▸ Assess security models ▸ Review policies and procedures around the management of
▸ Review the organization’s cybersecurity risk assessment,
▸ Review existing and emerging technology systems against
19
▸ Champion a robust training and education program ▸ Assess third-party security providers ▸ Conduct periodic cyber “fire drills” ▸ Evaluate changes in the business model, technologies
20
Recommendations: ▸ Consider internal/external systems, 3rd party connections, and hosted systems ▸ Operating systems, databases, network devices, applications (COTS and developed) ▸ Scope based on risk level but include relevant aspects of people, processes, technology, and physical/environmental security ▸ Interview different lines of business outside of IS
21
▸ Periodically review with management to avoid “surprises” ▸ Simplify the impact to the business, level of risk, and gaps or ineffective controls ▸ Focus on the Root Cause ▸ Risk rank and prioritize the order of severity ▸ Design the report to keep the stakeholders accountable (e.g. include details on remediation efforts and dates to completion)
22
Issue: The organization struggled to effectively develop, measure, and communicate their IS Program. Approach and Benefits: ▸ IA reviewed control mappings (frameworks to internal controls) ▸ Workshops with CISO and team to understand how risk ratings and control effectiveness were determined ▸ Reviewed Management’s risk assessment results ▸ Assessment led to the CISO modifying message to BoD and increasing the risk levels in certain areas ▸ Resulted in better reporting and corporate governance
23
Issue: Management struggled to improve the maturity level and effectiveness of the IS Program. Approach and Benefits: ▸ IA became a partner to IS cultural change ▸ Knowledge transfer and coordination of skill sets ▸ Positive outcomes for internal and external audit assessments ▸ Cost reduction in development and maintenance of IS Program ▸ Lower risk profile for the company ▸ Increased visibility and assurance for executive management
24
▸ Culture - A significant yet, intangible element of IS ▸ Responsibility of the organization, not just IS ▸ Governance gaps can arise from lack of business unit
▸ Driving factors are due to increased governance oversight,
25
▸ Aligned approach to information security and fraud management
models focused on:
▸ Governance ▸ Education ▸ Awareness ▸ Business Process ▸ Technical Controls - fraud and security solutions ▸ Develop a common view of risk ▸ ‘Set and Forget’ approaches do not work. Continuously evolving
threats require evolving Information Security.
26
▸Information Security in the Mobile Age ▸ 113 mobile phones lost/stolen every minute in the U.S. ▸ Symantec placed 50 “lost” smartphones throughout U.S.
▸ 96% were accessed by finders ▸ 80% of finders tried to access “sensitive” data on
27
▸ Perspectives of IS goals, risks, and threats ▸ Build a stronger IS Program through collaboration, trust, and independence ▸ Starting points for auditable areas and risk assessments ▸ Audit scope and report recommendations ▸ Partnering to develop a stronger IS Program ▸ Soft skill recommendations and company culture
▸ Frameworks and additional resources
28
29
▸ COBIT 5 for Information Security (http://www.isaca.org/cobit/pages/info- sec.aspx) ▸ ISO/IEC 27000 series (https://www.iso.org/isoiec-27001-information- security.html) ▸ NIST 800 series and Cybersecurity Framework (CSF) (https://www.nist.gov) ▸ SANS CIS - Critical Security Controls (CSC) (https://www.sans.org/) ▸ OWASP (http://www.owasp.org) ▸ Open Source Security Testing Methodology (http://www.isecom.org/) ▸ NIST Vulnerability Database (http://nvd.nist.gov)
30
31
1.
Inventory of Authorized and Unauthorized Devices
2.
Inventory of Authorized and Unauthorized Software
3.
Secure Configurations for Hardware and Software
4.
Continuous Vulnerability Assessment and Remediation
5.
Controlled Use of Administrative Privileges
6.
Maintenance, Monitoring, and Analysis of Audit Logs
7.
Email and Web Browser Protections
8.
Malware Defenses
9.
Limitation and Control of Network Ports
to Fill Gaps
1.Cross Site Scripting (XSS) 2.Injection Flaws 3.Malicious File Execution 4.Insecure Direct Object Reference 5.Cross Site Request Forgery (CSRF) 6.Information Leakage and Improper Error Handling 7.Broken Authentication and Session Management 8.Insecure Cryptographic Storage 9.Insecure Communications
32
WHAT WE DO
We measure, improve, and manage your data risk – protecting your most important assets and helping you achieve your business goals.
HOW WE DO IT
Top experts from the most in-demand fields are embedded into each engagement and build deliverables that have a meaningful impact on your business.
WHO USES FOCAL POINT
Many of the most innovative organizations in the world, including 5 of the 10 largest companies in the U.S., rely
Cyber Security Internal and IT Audit Identity Governance Data Privacy Project Advisory Workforce Development Data Analytics
33
CORE SERVICE AREAS