it audit and security compliance
play

IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR - PowerPoint PPT Presentation

Jun 29, 2023 •190 likes •848 views

O'Connor & Drew, P.C. www.ocd.com @ocdcpa 1 IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR 2014-15 IT Audit and Security OConnor & Drew, P.C. www.ocd.com @ocdcpa Jake McAleer @johnjakem March 2014

  1. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 1 IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR 2014-15 IT Audit and Security O’Connor & Drew, P.C. www.ocd.com @ocdcpa Jake McAleer @johnjakem March 2014

  2. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 2 Jake McAleer, CISA jmcaleer@ocd.com @johnjakem Professional Profile • Senior IT Audit and Security Manager, O’Connor & Drew, P.C. • Director of Operations, Dyn • Senior IT Auditor, State Street Bank • Network and Systems Engineer, Raytheon Company Industry Expertise • Internet Services and Infrastructure (IaaS, PaaS, SaaS, Colocation, Data Center) • Financial Services • Manufacturing • Government • Not-for-Profit Organizations • Family-Owned Businesses

  3. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 3 INFORMATION SECURITY PROGRAM An Overview Of A Security Program and Review of IT Control Terminology

  6. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 6 Risk Rating • Many people confuse the risk event for the risk rating • Risk Event = The description of the risk • Risk Rating = Likelihood + Impact Prioritizing your audit program by risk is called a “Risk-Based Audit Approach”

  8. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 8 Security Programs Vary By Business • Every business is different • No one framework or law will completely protect you • Vendors can help, but don’t rely entirely on them You know your business better than anyone, so your input is key! • Internal owners manage and enforce the process • Employees must be provided direction and training • All programs need proper ownership, employee education, and enforcement

  11. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 11 • The password must be exactly 8 characters long. • It must contain at least one letter, one number, and one special character. • The only special characters allowed are: @ # $ • A special character must not be located in the first or last position. • Two of the same characters sitting next to each other are considered to be a “set.” No “sets” are allowed. • Avoid using names, such as your name, user ID, or the name of your company or employer. • Other words that cannot be used are Texas, child, and the months of the year. • A new password cannot be too similar to the previous password. • Example: previous password - abc#1234, acceptable new password - acb$1243 • Characters in the first, second, and third positions cannot be identical. (abc*****) • Characters in the second, third, and fourth positions cannot be identical. (*bc#****) • Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234) • A password can be changed voluntarily (no Help Desk assistance needed) once in a 15-day period. If needed, the Help Desk can reset the password at any time. • The previous 8 passwords cannot be reused. http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/listPasswordRules.htm

  13. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 13 Focus On The Objective • Prevent guessing • 8+ Characters and some basic variation (upper and lower case, number, special character, etc.) to prevent just a word as the password • Prevent brute force • Lock out after 5-10 attempts and lock out across the organization! • Protect the encrypted/hashed values • Prevent reuse • Check against DB of old passwords • Prevent compromise • User education (don’t reuse passwords, don’t write them on your laptop, etc.) • Force a change every 90-180 days • Enforce use • Automatic password/PIN enforcement on devices • Automatic screen locks after 10 minutes • Review how password resets are managed

  15. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 15 IT AUDITING IN 2014-2015 Focusing on the three inputs: Business Needs Legal and Regulatory Customers and Partners

  17. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 17 Legal And Regulatory Requirements • Focuses on a specific: • Industry • Consumer • Type of data • Geographic region • Often: • Long and complex • Cross-references other sections or laws • Subjective and broadly worded • Reference dated (now outdated) terms Intended to protect someone else, not your business

  18. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 18 Regulatory Examples • Credit card account information Payment Card Industry (PCI) • Electronic patient health information Health Insurance Portability and Accountability Act (HIPAA) • Consumers private banking information Gramm–Leach–Bliley Act (GLBA) • Government data and systems Federal Information Security Management Act (FISMA) • Public company accounting Sarbanes-Oxley Act (SOX)

  19. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 19 Legal, Regulatory, Industry-Specific • What laws must the business comply with? • Is there a legal/compliance group to rely on? • Do you have an international presence? International customers? What laws apply? • Are these areas being reviewed for changes? • Are there periodic requirements? • Example: PCI – Quarterly Scans, Yearly Attestation • Can the work be done by another group or external resource?

  20. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 20 PCI-DSS v3.0 Enforcement Date • Version 3.0 will introduce more changes than Version 2.0. The core 12 security areas remain the same, but the updates will include several new sub-requirements that did not exist previously. Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council will introduce future implementation dates accordingly. This means until 1 July 2015 some of these sub-requirements will be best practices only , to allow organizations more flexibility in planning for and adapting to these changes. Additionally, while entities are encouraged to begin implementation of the new version of the Standards as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31 December 2014. https://www.pcisecuritystandards.org/documents/DSS and PA-DSS Change Highlights.pdf

  21. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 21 Examples - PCI v3.0 Requirements • 2.4 - New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards. • 9.3 - New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination. • 11.3 - New requirement to implement a methodology for penetration testing • Perhaps use a standard such as NIST SP 800-115. • 12.9 - New requirement for service providers to provide the written agreement/acknowledgment to their customers. https://www.pcisecuritystandards.org/documents/PCI DSS v3 Summary of Changes.pdf

  24. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 24 M.G.L. c. 93H and MA 201 CMR 17 • Requires: • Designated program owner/maintainer • Identifying where PII might be within the organization • Encryption • Monitoring and effectiveness testing • Anti-virus and patching • Employee training • 3 rd party service provider compliance • Timely disclosure of a breach • Written Information Security Program (WISP) • Documents your methodologies, processes, procedures, technologies, PII data types, etc

  25. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 25 MA 201 CMR 17 – Definition of PII • Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number , with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly.

  26. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 26 HR Rep: “Welcome To The Company!” We need an ID for your I-9 Form. We need your routing number so we can pay you. http://www.theonion.com/articles/manny-being-manny-during-massachusetts-state-drive,9801/ http://www.psdgraphics.com/psd/blue-check-psd-template/

  28. O'Connor & Drew, P.C. www.ocd.com @ocdcpa 28 Computer Access Nearly every employee has access to a PC at work • Lawyer’s Office • Doctor’s Office • Accountant • Car Repair Shop • Retail • Banks • Restaurants • Grocery Store • Non-profit • Call Center http://www.blogcdn.com/jobs.aol.com/articles/media/2009/04/ptw12target.jpg

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Subpart F Income: Critical Tax Compliance and Audit Issues Compliance and Audit Issues Mastering

Subpart F Income: Critical Tax Compliance and Audit Issues Compliance and Audit Issues Mastering

Presenting a live 110 minute teleconference with interactive Q&A Subpart F Income: Critical Tax Compliance and Audit Issues Compliance and Audit Issues Mastering Income Calculation, Tax Rates, Audit Preparation and Other Complexities WEDNES

1.42k views • 73 slides
CHECKLISTS CHECKLISTS FOR FINANCIAL AND COMPLIANCE AUDIT FOR FINANCIAL AND COMPLIANCE AUDIT OF

CHECKLISTS CHECKLISTS FOR FINANCIAL AND COMPLIANCE AUDIT FOR FINANCIAL AND COMPLIANCE AUDIT OF

CHECKLISTS CHECKLISTS FOR FINANCIAL AND COMPLIANCE AUDIT FOR FINANCIAL AND COMPLIANCE AUDIT OF PUBLIC PROCUREMENT OF PUBLIC PROCUREMENT CRISTINA BREDEN Director Directorate for Public Procurement Audit, Methodology and Training Audit,

619 views • 38 slides
Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars Jason Sechrist Director of Audit and Compliance Solutions AuditBoard Former Head IT Compliance and Internal Audit Volunteer Board/Audit

427 views • 30 slides
PRE-AUDIT REPORT TO THE AUDIT & COMPLIANCE COMMITTEE MAY 2, 2017 BKD, LLP MARY MCKINLEY,

PRE-AUDIT REPORT TO THE AUDIT & COMPLIANCE COMMITTEE MAY 2, 2017 BKD, LLP MARY MCKINLEY,

PRE-AUDIT REPORT TO THE AUDIT & COMPLIANCE COMMITTEE MAY 2, 2017 BKD, LLP MARY MCKINLEY, PARTNER JOANIE DUCKWORTH, DIRECTOR 1 // experience access PRE-AUDIT REPORT SUMMARY Auditors Responsibility Obtain reasonable, but not absolute,

177 views • 7 slides
OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and Compliance Committee President Kimberly Fearney Associate Vice President & Chief Compliance Officer Liz Vitullo Executive Assistant Omar

127 views • 8 slides
Board of Visitors Audit, Compliance, and Risk Committee June 2018 1 Action Items: 1. Audit

Board of Visitors Audit, Compliance, and Risk Committee June 2018 1 Action Items: 1. Audit

Board of Visitors Audit, Compliance, and Risk Committee June 2018 1 Action Items: 1. Audit Plan FY2019-FY2020 2. Revised Audit and Compliance Charters Audit Plan: FY2019-FY2020 Sense and Respond: Moving Toward Real-Time Assurance

297 views • 19 slides
Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY & CO., LLP May

Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY & CO., LLP May

Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY & CO., LLP May 23, 2017 Audit Responsibilities Overview An annual financial statement and compliance audit of California Community College Districts is

295 views • 28 slides
Compliance Program Presentation to the MHBE Board of Trustees Presented by Caterina Pagilinan

Compliance Program Presentation to the MHBE Board of Trustees Presented by Caterina Pagilinan

Compliance Program Presentation to the MHBE Board of Trustees Presented by Caterina Pagilinan May 18, 2020 Q3 FY2020 Privacy, Audit And Compliance Activities Independent Financial and Programmatic Audit Annual Privacy, IT Security

97 views • 9 slides
EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA, CISM, CRISC, CISSP Director, IT Security & Compliance 13 March 2014 AGENDA 1. Introduction 2. Evolution of the CISO: Past, Present & Future

200 views • 18 slides
Audit and Compliance Committee Internal Audit Proposed Internal Audit Charter March 15, 2019

Audit and Compliance Committee Internal Audit Proposed Internal Audit Charter March 15, 2019

Audit and Compliance Committee Internal Audit Proposed Internal Audit Charter March 15, 2019 Internal Audit Open Meeting Internal Audit Charter Internal Audit Charter (The following 3 slides are excerpts from the Institute of Internal

205 views • 6 slides
Why have a Human Resources Compliance Audit? WHICH APPLY TO YOUR COMPANY? ARE YOU IN COMPLIANCE?

Why have a Human Resources Compliance Audit? WHICH APPLY TO YOUR COMPANY? ARE YOU IN COMPLIANCE?

Why have a Human Resources Compliance Audit? WHICH APPLY TO YOUR COMPANY? ARE YOU IN COMPLIANCE? Sometimes You dont know What you dont know. This is where our expertise can help you! WHY HAVE A HR AUDIT? Analyze & minimize

186 views • 16 slides
Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan One of the core requirements from the Compliance Resource Group (CRG) was that Compliance should develop a 3-5 year strategic plan to model the

793 views • 13 slides
Office of Internal Compliance Audit Committee Meeting June 20, 2019 2:00 PM Presented by:

Office of Internal Compliance Audit Committee Meeting June 20, 2019 2:00 PM Presented by:

Office of Internal Compliance Audit Committee Meeting June 20, 2019 2:00 PM Presented by: Connie Brown, Executive Director Internal Compliance Content OIC Update Audit Report Discussions Infinite Campus Monitoring Access Review

480 views • 26 slides
Internal Audit and Compliance Blurred Lines of Responsibility Tim Robinson April 24, 2014

Internal Audit and Compliance Blurred Lines of Responsibility Tim Robinson April 24, 2014

Internal Audit and Compliance Blurred Lines of Responsibility Tim Robinson April 24, 2014 Understanding the audience Do you have an established compliance function within your company? Have you performed a compliance function audit?

275 views • 23 slides
Board of Visitors Audit, Compliance, and Risk Committee March 2, 2017 1 Audit Department

Board of Visitors Audit, Compliance, and Risk Committee March 2, 2017 1 Audit Department

Board of Visitors Audit, Compliance, and Risk Committee March 2, 2017 1 Audit Department Activities 2 Program Project Change People Process Technology Governance Management Management Future State Design & Executive Sponsorship

368 views • 15 slides
Cathy Bakk Lead Compliance Program Coordinator Notice of Audit Packet January 28, 2013

Cathy Bakk Lead Compliance Program Coordinator Notice of Audit Packet January 28, 2013

Cathy Bakk Lead Compliance Program Coordinator Notice of Audit Packet January 28, 2013 Compliance User Group (CUG) Meeting Mesa, AZ Audit Frequency 3 year cycle o Entities registered as a Balancing Authority (BA) or Transmission Operator

422 views • 28 slides
SECURITY POLICY Confidential Focal3 Softw are Pvt Ltd F3 _ Doc_ 0 0 6 VER4 .0 Page 2 of 2

SECURITY POLICY Confidential Focal3 Softw are Pvt Ltd F3 _ Doc_ 0 0 6 VER4 .0 Page 2 of 2

F3 _ Doc_ 0 0 6 VER4 .0 Page 1 of 1 SECURITY POLICY Confidential Focal3 Softw are Pvt Ltd F3 _ Doc_ 0 0 6 VER4 .0 Page 2 of 2 Background Focal3 and its Customers provide Focal3 Agents with Confidential and Proprietary information

279 views • 13 slides
Wha hat t are the e the cha hanges? nges? Presented by: Dineo Mphahlele Executive Manager:

Wha hat t are the e the cha hanges? nges? Presented by: Dineo Mphahlele Executive Manager:

FIC Amendment Act Wha hat t are the e the cha hanges? nges? Presented by: Dineo Mphahlele Executive Manager: Inspectorate FIC Amendment Act 1. Introduction 2. Risk-based approach 3. Risk Management and Compliance Programme(RMCP) 4. 7

608 views • 36 slides
Developing Secure Applications for IBM i Introductions Design and Documentation

Developing Secure Applications for IBM i Introductions Design and Documentation

Developing Secure Applications for IBM i Introductions Design and Documentation Application Ownership and Authority A Simple Security Model Integrity Considerations Resources for Security Officers Questions & Answers

1.06k views • 93 slides
H3C S3600 Series Switches Agenda Market Trends S3600 Overview S3600 Key Features V1. V1.5 New

H3C S3600 Series Switches Agenda Market Trends S3600 Overview S3600 Key Features V1. V1.5 New

H3C S3600 Series Switches Agenda Market Trends S3600 Overview S3600 Key Features V1. V1.5 New New Feat Feature IRF IRF RPS10 S1000 00-A Featu ature S re Summar mary End-to-End Intelligent Solution Summary www.h3c.com.cn 2

502 views • 48 slides
WATCOM SOLUTIONS MEGA MALL www.watcom.ru AGENDA 1 5 ABOUT COMPANY SHOPPING INDEX 6 2

WATCOM SOLUTIONS MEGA MALL www.watcom.ru AGENDA 1 5 ABOUT COMPANY SHOPPING INDEX 6 2

WATCOM SOLUTIONS MEGA MALL www.watcom.ru AGENDA 1 5 ABOUT COMPANY SHOPPING INDEX 6 2 PEOPLE COUNTING SYSTEM FOCUS SYSTEM 7 3 PROJECT IMPLEMENTATION SHOPSTER 8 TRENDS AND ROADMAP 4 SALES FLOW SYSTEM www.watcom.ru ABOUT WATCOM 6

1.18k views • 72 slides
GFO-20-601 Pre-Application Workshop Blueprints for MD/HD ZEVs and ZEV Infrastructure Fuels and

GFO-20-601 Pre-Application Workshop Blueprints for MD/HD ZEVs and ZEV Infrastructure Fuels and

GFO-20-601 Pre-Application Workshop Blueprints for MD/HD ZEVs and ZEV Infrastructure Fuels and Transportation Division Katie Herter July 28, 2020 California Energy Commission 1 Housekeeping Muting on Zoom Zoom recording Questions

547 views • 39 slides
Winter Marketing Tune-Up Meet Your Enrollment Marketing Team Kurt Lewis , Director of

Winter Marketing Tune-Up Meet Your Enrollment Marketing Team Kurt Lewis , Director of

Winter Marketing Tune-Up Meet Your Enrollment Marketing Team Kurt Lewis , Director of Enrollment Marketing klewis@archchicago.org Noreen Walton-Valle, Marketing and Enrollment Manager, Vicariates 1 and 2 nwalton@archchicago.org

650 views • 63 slides
A PARENTS GUIDE TO INSTAGRAM AUSTRALIAN EDITION 2019 In partnership with 1 A Parents

A PARENTS GUIDE TO INSTAGRAM AUSTRALIAN EDITION 2019 In partnership with 1 A Parents

A PARENTS GUIDE TO INSTAGRAM AUSTRALIAN EDITION 2019 In partnership with 1 A Parents Guide to Instagram A LETTER FROM REACHOUT An introduction to supporting your teen on Instagram ReachOut is Australias leading mental health and

669 views • 44 slides

More recommend