Cybersecurity: Considerations for Internal Audit
Gina Gondron
Senior Manager
Frazier & Deeter
Geek Week
August 10, 2016
San Francisco ISACA Conference
Atlanta 404.253.7500 I Nashville 615.259.7600 www.frazierdeeter.com 3
Key Risks
• Board and Management:
– CIO, CAE and organizational leaders agree: cyberthreats are not only an IT problem, but a fully fledged business risk
– Top 10 risk, separate from business interruption; loss of reputation and brand value; theft, fraud and corruption
– Percentage of IT focus increasing
Key Risks
• External
– Stolen credentials
– Remote access
• Internal
– Employees
– Business partners
Key Risks
• Nature of attack:
– Denial of service attacks (DoS)
– Data security breaches
• Focus of attack:
– Credit card data (e.g. retail)
– Exploration data (e.g. oil and gas)
– Intellectual property (e.g. technology, strategic information)
Incorporating Internal Audit
Persistent threat
Exposures
Security posture
Audit procedures
Assisting management
Resource application
Incorporating Internal Audit
Drive change
Be engaged at the strategic level:
– Understand the board's approach to security
– Better understand the value of business-critical data
– Be involved with new IT implementations
Incorporating Internal Audit
Key Elements:
– Leadership and governance
– Technical and operational controls
– Training and awareness
– Information risk management
– Response planning
– Crisis management
Incorporating Internal Audit
Auditing defense mechanisms:
– Internal education/communication
– Secure firewalls
– Up-to-date antivirus software
– Open communication to ISPs
– Effective network monitoring
– Rapid response plans
– Patch management
Incorporating Internal Audit
Auditing defense mechanisms:
– Password management
– Data categorization, segregation, access, storage, and retention processes
– Suppliers' cybersecurity practices; service agreements
– Cloud services
– Data security controls
– Corporate insurance coverage
Incorporating Internal Audit
IT Audit Resources:
– Perform business and IT impact analysis and risk assessment
– Cyber risk assessments:
  • External input on threats facing the industry
  • Current attack methods
  • Cyber "assurance"
  • White-hat hacking
Incorporating Internal Audit
IT Audit Resources:
– People, process and technology controls
– Incident response program
– Help optimize controls to prevent or detect cyber issues
– Ongoing monitoring of changing cyber risk
– Working with systems administrators
Incorporating Internal Audit
Internal Audit Resources:
– Drive discussion around risk and mitigation strategy
– Independently assess and prioritize cyber risks against other critical enterprise risks
– Assess effectiveness of preparation
– Identify and monitor issues and risk related to emerging technology deployments
Incorporating Internal Audit
Supporting the Audit Committee:
– Five Principles:
1. Understanding and approach to cybersecurity
2. Legal implications
3. Access to expertise
4. Staffing and budget
5. Risk avoidance
Incorporating Internal Audit
Focus on:
– Specific types of attacks they face
– Weaknesses inherent in business practices, culture, IT systems
– Educating AC/Executive Management:
  • Business risk
  • Risk to data
  • Critical assets
  • Nature of network traffic
– Prevention, Detection and Response
Incorporating Internal Audit
Questions to ask:
1. Funding for people, processes, technology?
2. Critical systems identified?
3. Connections to other systems?
4. Who relies on the data?
Incorporating Internal Audit
Questions to ask (continued):
5. Who has access?
6. Audit logs maintained and reviewed?
7. Cyber response:
   a. Systems prioritized?
   b. Exercises documented?
   c. Support contracts in place?
8. Does staff receive training?
Where are the Resources?
• FDIC – 60 IT Auditors for 4,000 financial
institutions
• OCC – 100 IT Auditors for 1,500 institutions
• NCUA – 50 IT Auditors for 6,200 credit unions
• Federal Reserve – 85 IT Auditors for the
5,500 institutions it monitors
“Too many threats and too few
professionals.”
Performing Risk Assessments
Risk Assessment Areas (from the slide diagram):
• IT Security Architecture
• Threat & Vulnerability Management
• Privacy & Data Protection
• Identity & Access Management
• IT Security Management
• Awareness & Education
Approach:
• Identify high-risk areas
• Incorporate into the audit plan
Resources
• U.S. National Institute of Standards and Technology (NIST) – Framework for Improving Critical Infrastructure Cybersecurity
– Consistent and effective evaluation of current security: processes, procedures and technologies
– Links to other security standards and approaches
Source: NIST Framework for Improving Critical Infrastructure Cybersecurity http://www.nist.gov/cyberframework/#
Resources
Cybercrime Audit/Assurance Program
• Aligned with the NIST National Initiative for Cybersecurity Education
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cybercrime-Audit-Assurance-Program.aspx
Resources
Cybersecurity Fundamentals Certificate
• Knowledge-based certificate offered by ISACA
Implementing NIST Cybersecurity Framework Using COBIT 5
• Focused on the CSF, goals, implementation steps and application
Nymity Framework
• Comprehensive listing of over 130 privacy management activities
• Structured in 13 privacy management processes
• Jurisdiction and industry neutral
Internal Audit Focus
• Evaluating security risk and threats
• Data at risk
• Secure infrastructure
• Monitoring capability
• Rapid identification, response, containment and recovery