Post on 16-Jul-2020
INTERNAL AUDIT’S ROLE IN
INFORMATION SECURITY
VULNERABILITY MANAGEMENT &
BREACH PREVENTION
CHRISTY DECKER
VP OF INTERNAL AUDIT
SHARP HEALTHCARE
BRIAN LONG
IT INTERNAL AUDIT DIRECTOR
PWC
AHIA 34th Annual Conference – August 30 – September 2, 2015 – Portland, Oregon
www.ahia.org
Agenda
Introduction
Cyber Security Overview
Threat and Vulnerability Management (TVM) Overview
TVM Case Study
Questions
Recent Security Incidents
Key Internet operator hit by hackers
Passwords of 250,000 accounts on a social networking site hacked
50 million customers hit in an electronic commerce company hack
A security company’s security breach may cost bank customers $100 million
Health insurance company that somehow allowed hackers to gain access to information it held on as many as 80M Americans…
A large technology company network data breach compromises 77 million user accounts…
Computer network had been hacked at least twice through criminal cyber attacks…
Cybersecurity Transformation
Sources: 1 - PwC 17th Annual Global CEO Survey; 2 - 2015 Global State of Information Security; 3 - PwC 6th Annual Digital IQ Survey; 4 - Marc Goodman, Future Crimes
Technology advances: 81% of CEOs believe technological advances will transform their business.
Cyber attacks a serious global concern: 69% of CEOs in the US are somewhat or extremely concerned by cyber attacks.
Investing in cybersecurity: 40% of CEOs are investing in cybersecurity, with budgets up in FY '13 and expected to increase again in FY '14.
Days to detect security breaches: the average company takes about 211 days to detect a breach after the compromise has already occurred.
Is IA doing enough?
Evolution of Threats
Security market paradigm shift (chart: Technology Reliance/Complexity rising over Time):
1980s, "Perimeter Security": focus on security technology for the perimeter
1990s, "Layered Security": focus on enhanced layers of security, adoption of incremental security solutions
2000s, "Inclusion & Exclusion Security": heavy focus on identity management (right people, right place, right access)
2010+, "Resilient Cyber Security": assumed state of compromise
Significant and evolving cyber threats unlike ever before
Highly skilled/motivated, and yet patient adversaries, including nation states
Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers
Massive consumerization of IT and reliance on mobile technologies
Increasing regulatory compliance requirements (e.g., SEC Cyber Guidance)
How mature is your organization?
Attention at the Board and Audit Committee level…
Increase in the Security and Privacy regulatory mandates in recent years, as well as expected changes in upcoming years.
Emerging technologies and reliance on third parties have created a borderless infrastructure.
Growing demand by business leaders to understand how privacy ("what" data is sensitive to the business) and security ("how" to protect the data deemed sensitive) are integrated.
Increase in threats and vulnerabilities to sensitive data and corporate assets.
Even companies that place great emphasis on securing their business processes can become the victim of cybercrime. Cybercrime can manifest in many ways, from theft of payment card information to the theft of intellectual property or other highly sensitive business information.
While the financial statement audit would not normally address the operational risks associated with cybercrime, such risks may nevertheless fall within the scope of responsibility of a company's audit committee.
Having a documented, demonstrated and regularly tested program helps in the event of regulatory oversight.
Information Security Program Maturity
Information Security Program Maturity Framework (ISPMF)
Business Drivers: Innovation and Agility; Shareholder Value; Brand Protection; Customer Loyalty; Legal and Regulatory Commitments
Information Security Program Strategy: the ability of the Information Security Program's long-term plan to meet the anticipated expectations of stakeholders
People: the ability of the people that support the information security program to successfully execute the requisite activities
Process: the ability of the operational processes that comprise the information security program to meet the anticipated expectations of stakeholders
Technology: the ability of the technology infrastructure to support the operational processes that comprise the information security program
Information Security Program Execution domains: Security Strategy, Governance and Management; Risk, Compliance and Policy Management; Identity and Access Management; Security Architecture and Operations; Information Privacy and Protection; Threat Intelligence and Vulnerability Management; Physical and Environment Security; Incident and Crisis Management; Third Party Security Management
Cloud Computing & Vendor Risk Management
Value Add and Impactful Internal Audits
Audit Key Focus Areas
Cloud Computing Advisory Review / Assessment
• Comprehensive review of the organization's cloud computing strategy and approach spanning key areas, including Strategy & Governance, Architecture, Risk & Security, and Cloud Operating Model
• Evaluate the organization's strategy for cloud solution adoption and utilizing cloud technologies
Vendor Risk Management Program Assessment
• Perform assessment of an organization's VRM function, identifying gaps against leading practices and regulatory requirements
• Assessment areas include vendor risk profiling and stratification, program governance and oversight, vendor intake and due-diligence processes, and ongoing assessment and monitoring activities
Vendor Audits and Assessments
• Performance of on-site, remote, or self-assessments as deemed appropriate for specified vendors, using the Global Network of Firms and Service Delivery Centers
• Risk assessments to determine the risk of services being outsourced and of the vendors providing them, producing a risk score that drives the appropriate response by the organization
Web Application Security Assessment (WASA)
Web Application Security Assessment
• Evaluate the security of web applications using a combination of manual and automated testing techniques. Our testing approach works to identify insecure web server and portal software configuration settings and their susceptibility to both common and custom application-level attacks.
Threat and Vulnerability Management (TVM)
Attack & Penetration Testing
• Focuses on analyzing the risks posed by an external or internal threat actor attempting to gain access to an organization's "crown jewels"
• Demonstrate impact by leveraging a wide range of manual and automated scanning methods and tools to survey, identify, and exploit potential vulnerabilities in a client's IT environment
Infrastructure Security Assessments (Network, Operating Systems, Databases, Virtualization)
• Deep-dive diagnostic reviews and assessments of network and technology infrastructure
• Comprehensive network security assessments, focusing on the architecture, technology safeguards, operation, and monitoring of the network environment: networking perimeter, internal network segmentation, global wide area networks, and wireless networks
Threat & Vulnerability Management Program Assessment
• Perform assessment of an organization's TVM function, identifying gaps against leading practices and the industry-specific risk landscape
• Assess whether internal practices relevant to identification, evaluation, and remediation of security threats and vulnerabilities are conducive to a secure and effective IT environment
Threat and Vulnerability Management (TVM) Program
The program is a cycle of six phases:
TVM Security Strategy & Planning: defining program ownership, policies/procedures and integration with the enterprise risk management program
Threat Detection: actively identifying and isolating threats to minimize their impact upon assets
Vulnerability Detection: actively identifying asset weaknesses before they can be exploited by an attack
Threat and Vulnerability Evaluation: evaluating threats and vulnerabilities and establishing communication and tracking mechanisms
Remediation and Response: isolating and resolving asset security issues once identified
Security Information Management and Sustenance: actively monitoring and enhancing the TVM program
TVM Security Strategy & Planning Assessment
Phase objective: defining program ownership, policies/procedures and integration with the enterprise risk management program
Program ownership
Assess the governance structure and the designated roles and responsibilities
Policy and procedure assessment
Assess management’s intent and directives as documented in the relevant policies and procedures
Integration with risk management
Assess the integration of the TVM program into the overall enterprise information security risk management program
Threat Detection Capabilities Analysis
Phase objective: actively identifying and isolating threats to minimize their impact upon assets
Intrusion monitoring
Assess the effectiveness of intrusion monitoring
Malicious program detection
Assess the capabilities and configuration of the malicious program management tools
Rogue technology discovery
Assess tools, controls and procedures to detect, prevent and control rogue technologies in the environment
Log activity analysis
Assess log monitoring and anomaly detection capabilities and the organization’s technology audit capabilities
Breach indicator analysis
Assess capabilities in place to identify indicators of a security breach
Vulnerability Detection Analysis
Phase objective: actively identifying asset weaknesses before they can be exploited by an attack
Compliance testing
Evaluate conformance with established security guidelines and policies and compliance monitoring techniques
Vulnerability scanning
Evaluate vulnerability scanning capabilities by assessing factors such as tools, techniques, scope and frequency
Penetration testing
Evaluate penetration testing capabilities by assessing factors such as methodology, attack scenarios, scope and frequency
Intelligence analysis
Evaluate the process of gathering security intelligence from multiple sources and the effective use of intelligence tools
Threat and Vulnerability Evaluation Analysis
Phase objective: evaluating threats and vulnerabilities and establishing communication and tracking mechanisms
Security intelligence
Assess the process of assimilation and correlation of security information and the process of responding to the identified issues
Communication and tracking
Assess the process of communicating the identified threats and vulnerabilities and tracking them until closure
Controls effectiveness evaluation
Assess the process of evaluating the controls and mitigating mechanisms
Threat and Vulnerability Remediation and Response Analysis
Phase objective: isolating and resolving asset security issues once identified
Security infrastructure implementation
Assess the process to check if infrastructure and controls are implemented consistently with the company’s security standards, such that they achieve the desired benefits and functionality
Security remediation
Assess the security remediation of the vulnerabilities detected and the process of verification
Incident response
Assess the process for responding to security incidents once detected, including containment and the mitigating mechanisms applied
Security Information Management and Sustenance Analysis
Phase objective: actively monitoring and enhancing the TVM program
Program maturity enhancement
Assess the process to continually monitor and enhance the program’s maturity
Threat awareness
Assess the organization’s security awareness activities to educate relevant users on threats
Reporting
Assess the procedures to report the status of the TVM program and the actions taken in response to improve current capabilities
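The checks an auditor applies across the Vulnerability Detection, Evaluation, Remediation and Sustenance analyses above (scan scope against the asset inventory, tracking open items until closure, remediation against a severity-based SLA, and reporting root causes rather than individual hosts) can be made concrete with a short script. The following is an added example written for this page, not code from the presentation or from PwC or Sharp HealthCare. The CSV layout is a constructed approximation of a scanner export; the hosts, findings, inventory and SLA values are constructed or assumed for illustration.

```python
"""Auditor-side checks over a vulnerability-scan export (added example)."""
import csv
import io
from collections import Counter
from datetime import date

# Assumed remediation SLAs in days by severity (hypothetical policy values).
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}

# Constructed asset inventory: every host the TVM program is expected to scan.
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20", "10.0.2.21"}

# Constructed scan export. 10.0.2.21 never appears (coverage gap) and
# 10.0.3.30 is not in the inventory (unmanaged or rogue host).
SCAN_CSV = """host,plugin_id,plugin_name,severity,first_found,last_found,status
10.0.1.10,1001,Web server version out of date (vendor patch available),High,2015-05-01,2015-08-01,Open
10.0.1.11,1001,Web server version out of date (vendor patch available),High,2015-05-01,2015-08-01,Open
10.0.1.12,1001,Web server version out of date (vendor patch available),High,2015-06-15,2015-08-01,Open
10.0.2.20,2002,TLS certificate signed with SHA-1,Medium,2015-07-20,2015-08-01,Open
10.0.3.30,2002,TLS certificate signed with SHA-1,Medium,2015-07-28,2015-08-01,Open
10.0.1.10,3003,Missing operating system security update,Critical,2015-07-25,2015-08-01,Open
10.0.2.20,4004,SMB signing not required,Low,2015-01-10,2015-07-01,Fixed
"""

# Reporting date used for the worked example.
AS_OF = date(2015, 8, 1)


def load_findings(csv_text):
    """Parse the export; date columns become date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["first_found"] = date.fromisoformat(row["first_found"])
        row["last_found"] = date.fromisoformat(row["last_found"])
        rows.append(row)
    return rows


def coverage_gaps(findings, inventory):
    """Inventory hosts absent from the export: a scope or frequency gap."""
    scanned = {f["host"] for f in findings}
    return sorted(inventory - scanned)


def unmanaged_hosts(findings, inventory):
    """Scanned hosts missing from the inventory: rogue technology candidates."""
    scanned = {f["host"] for f in findings}
    return sorted(scanned - inventory)


def sla_breaches(findings, as_of):
    """Open findings older than the SLA for their severity, oldest first."""
    breaches = []
    for f in findings:
        if f["status"] != "Open":
            continue
        age = (as_of - f["first_found"]).days
        if age > SLA_DAYS[f["severity"]]:
            breaches.append((f["host"], f["plugin_name"], f["severity"], age))
    return sorted(breaches, key=lambda b: (-b[3], b[0]))


def root_cause_rollup(findings):
    """Count affected hosts per open finding so a process failure (for example
    web servers not being patched) is reported once, not once per host."""
    counts = Counter(f["plugin_name"] for f in findings if f["status"] == "Open")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def committee_summary(findings, inventory, as_of):
    """Audit-committee view: coverage, open items by severity, SLA breaches, themes."""
    gaps = coverage_gaps(findings, inventory)
    scanned = len(inventory) - len(gaps)
    by_severity = Counter(f["severity"] for f in findings if f["status"] == "Open")
    return {
        "hosts_in_inventory": len(inventory),
        "hosts_scanned": scanned,
        "coverage_pct": round(100 * scanned / len(inventory), 1),
        "unmanaged_hosts": unmanaged_hosts(findings, inventory),
        "open_by_severity": dict(by_severity),
        "sla_breaches": len(sla_breaches(findings, as_of)),
        "top_root_causes": root_cause_rollup(findings)[:3],
    }


if __name__ == "__main__":
    found = load_findings(SCAN_CSV)
    for key, value in committee_summary(found, INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
    for host, name, severity, age in sla_breaches(found, AS_OF):
        print(f"SLA breach: {host} {severity} {age}d  {name}")
```

The rollup is what lets the committee report say "unpatched web servers" once, while the per-host rows go to IT with the detail needed to remediate, which is the alignment the Lessons Learned slides ask for.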
TVM Audit Case Study
Scope:
External IP scope: 100 IPs, with A&P testing on a 15% sample
Internal IP scope: 300 IPs, with A&P testing on a 15% sample
Web Application Security Assessment (WASA): production or test environment
Internal Testing Requirements:
VPN account that will allow connectivity from the testing center
Internal host meeting the testing team's requirements for installing applications
Privileged account (Admin or SA) to install testing tools on the internal host
Have you scoped your audit differently?
TVM Audit Case Study (continued)
Timing
Rules of Engagement
Frequency and method of status updates
Reporting, at three levels: Technical, Management, Audit Committee
Audit Planning – Key Players
Given the wide span of a network security review, there are many key players that need to be involved and aware of testing and timing.
Key Players
IT Security team
IT Infrastructure team
IT Applications team (depending on scoping)
Compliance
Operations
Scoping Definitions
Vulnerability Assessment: identify an organization's technical vulnerabilities, misconfigurations and weaknesses, utilizing automated and manual techniques to scan the company's network.
Attack & Penetration (A&P): a vulnerability is like leaving a window open in your home. It is a weakness that can be exploited, but until a thief attempts to enter the home through the window, the risk may not be fully appreciated. An Attack & Penetration assessment attempts to exploit the vulnerabilities discovered during the vulnerability assessment to demonstrate the potential impact on the organization.
Scoping Considerations
External Assessment
Wireless Security Assessment
Web Application Security Assessment
Data Center(s)
Internal Assessment
Social Engineering Attacks
Scoping Considerations
Testing Times
Should consider support staff and what is being tested
Onshore or Offshore resources
BioMed devices – security vs. patient safety
Risk Based Approach
How homogeneous is the environment?
Audit Planning - Timeline
With multiple key players, potential connectivity problems during testing and sensitivity of results, this is not a typical audit and can take longer than expected.
Example Timeline
Scoping – 1-2 weeks
Access Setup/Prep – 1-2 weeks
Testing – varies based on testing windows and scoping/samples; consider support staff availability during non-business hours
Validation of Results by IT – 2-3 weeks
Reporting – 1-2 weeks
Internal Scan/Assessment
Why perform an internal scan?
All security environments are only as strong as their weakest link, and ill-informed and untrained employees are often the weakest link in the IT Security environment.
Internal A&P testing focuses on evaluating risks you might encounter from a contractor or disgruntled employee who has access to the internal network, with the goal of gaining unauthorized access to customer, employee or proprietary data.
Hosting Providers/Cloud Services
Don't forget hosting providers and SaaS/IaaS
Audit Testing Process
Establish rules under which scanning will be performed:
Tools to be used (e.g., Nessus, Qualys, etc.)
Systems or user accounts to be leveraged (for internal scanning)
Testing windows
Escalation protocols if high-priority issues are identified or system downtime occurs
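The rules of engagement above are usually enforced by hand, but the scope and testing-window checks can be automated so a tester cannot launch against an excluded BioMed device, an address outside the agreed ranges, or outside the agreed hours by accident, and the 15% A&P sample from the case study can be drawn reproducibly. The following is an added example for this page, not code from the presentation or from any of the firms named in it; the scope ranges, exclusions, window, target list and nmap invocation are constructed or assumed (203.0.113.0/24 is a documentation range, the 10.0.0.0/8 addresses are private), and the scanner command should be replaced with whatever tool the engagement approves.

```python
"""Rules-of-engagement guard run before an internal or external scan (added example)."""
import ipaddress
import math
import random
from datetime import datetime, time

# Constructed approved scope: CIDR blocks and single hosts agreed with IT Security.
APPROVED_SCOPE = ["203.0.113.0/25", "10.0.1.0/24", "10.0.2.20"]
# Constructed exclusions, e.g. BioMed devices carved out for patient safety.
EXCLUDED = ["10.0.1.200/29", "10.0.1.77"]
# Assumed testing window: 22:00 to 05:00 local time, so it crosses midnight.
WINDOW_START = time(22, 0)
WINDOW_END = time(5, 0)

# Constructed target list as a tester might receive it from IT.
TARGETS = [
    "203.0.113.10", "203.0.113.200",
    "10.0.1.5", "10.0.1.9", "10.0.1.15", "10.0.1.16", "10.0.1.17",
    "10.0.1.77", "10.0.1.201",
    "10.0.2.20", "10.0.2.21",
    "www.example.internal",
]
EXAMPLE_IN_WINDOW = datetime(2015, 8, 31, 23, 30)
EXAMPLE_AFTER_MIDNIGHT = datetime(2015, 9, 1, 3, 0)
EXAMPLE_OUT_OF_WINDOW = datetime(2015, 8, 31, 14, 0)


def _networks(entries):
    # strict=False lets a bare host such as "10.0.2.20" become a /32.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_targets(targets, approved=APPROVED_SCOPE, excluded=EXCLUDED):
    """Split targets into those the scan may touch and those it must not.

    Exclusions are checked first so a carve-out inside an approved block wins.
    Hostnames are rejected: resolve them and approve the resulting IPs, otherwise
    a DNS change between scoping and testing silently moves the scan.
    """
    approved_nets, excluded_nets = _networks(approved), _networks(excluded)
    allowed, rejected = [], {}
    for target in targets:
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            rejected[target] = "hostname, not an IP address; resolve and re-approve"
            continue
        if any(ip in net for net in excluded_nets):
            rejected[target] = "explicitly excluded (e.g. BioMed device)"
        elif not any(ip in net for net in approved_nets):
            rejected[target] = "outside approved scope"
        else:
            allowed.append(target)
    return allowed, rejected


def in_testing_window(now, start=WINDOW_START, end=WINDOW_END):
    """True if `now` falls inside the window; handles windows that cross midnight."""
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def ap_sample(hosts, fraction=0.15, seed=2015):
    """Pick the A&P subset (15% in the case study) reproducibly.

    A fixed seed lets the auditor show exactly how the sample was drawn;
    at least one host is always selected.
    """
    k = max(1, math.ceil(len(hosts) * fraction))
    return sorted(random.Random(seed).sample(sorted(hosts), k))


def plan_scan(targets, now):
    """Apply the ROE checks and return the decision plus the command to run."""
    allowed, rejected = classify_targets(targets)
    window_ok = in_testing_window(now)
    launch = window_ok and bool(allowed)
    # Assumed invocation: an nmap service/version scan writing all output formats.
    command = ["nmap", "-sV", "-Pn", "-oA", "scan_results", *allowed] if launch else None
    return {"launch": launch, "window_ok": window_ok, "allowed": allowed,
            "rejected": rejected, "command": command}


if __name__ == "__main__":
    plan = plan_scan(TARGETS, EXAMPLE_IN_WINDOW)
    for target, reason in plan["rejected"].items():
        print(f"REJECT {target}: {reason}")
    print("launch:", plan["launch"], "->", " ".join(plan["command"] or []))
    print("A&P sample:", ap_sample(plan["allowed"]))
```

Rejected targets are reported rather than silently dropped so the discrepancy between IT's list and the approved scope becomes a status-update item, not a surprise in the final report.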
Reporting/Presenting to Audit Committee
Education & Communication
Provide a high-level overview of the IT network
Appropriate level of detail
Summarize results in a way that can be understood by the audit committee
Include actionable remediation items for processes
Benchmark to other organizations and the industry
Lessons Learned
Timeline may require flexibility – recommend building in buffer time
Large number of people involved and coordination of all personnel
Frequency and participation of key players for status updates
Confirm the test environment (if applicable) is an exact replica of the production environment before testing
Lessons Learned
Difficult to summarize findings for the Audit Committee
Educate and provide a high-level overview of the IT network
Provide IT with detail that maps to the summarized findings so all parties are aligned, but IT can remediate detailed issues
Remediation of issues
Truly evaluate the root cause of issues and remediate the process, not specific issues
Make sure the right people are involved at the right levels to make remediation decisions and take action
Other/Reminders
Results are incredibly sensitive
Always encrypt when sending detailed results and/or reports
Based on initial results, scope may expand based on the risk of findings – be prepared to discuss this potential
Questions?
Thank you!
Christy Decker, VP Internal Audit, Sharp HealthCare, (858) 499-5508, christy.decker@sharp.com
Brian Long, Health Industries Internal Audit Director, PwC, (859) 552-4816, brian.m.long@us.pwc.com
Save the Date: September 11-14, 2016, 35th Annual Conference, Atlanta, Georgia