IIA August Briefing_15AUG2015
MEETS THE CHALLENGE OF CHANGE
Robert Baldi, Director of IT Audit, ACI Worldwide
Warren Fish, Manager of IT Audit, ACI Worldwide
Auditing emerging cyber threats and IT controls
Competency
“The trouble with competence is that it is always stale.”*
CDR Chris Hadfield, first Canadian to walk in space
*Quoted from 2015 IIA Conference, Vancouver, British Columbia, Canada
Agenda
• The state of cybersecurity (IIA perspective)
• Recent breaches
• IIA Standards 1210: Proficiency
• Cutting Edge IT Auditing: IT Skills required, auditing skills second
• Fruit Tree of IT Auditing
• Emerging Cyber Threats
The state of cybersecurity (IIA)
The Cybersecurity Imperative: To help organizations lock down security, internal auditors must raise their skills and understand the latest threats, IIA July 31, 2015
• https://iaonline.theiia.org/2015/the-cybersecurity-imperative
• The Board is asking questions: This year for the first time, cybersecurity broke into the top 10 risk priorities. Small wonder then that 80 percent of public company board members report their board discusses cybersecurity at most or all board meetings.
• A Common Language: Bridging those gaps is difficult because there is no generally accepted cybersecurity framework. The Board, Management, IT, information security, and internal audit may all have their own points of reference. Recommend establishing a common framework that enables everyone in the organization to speak the same language about cyber risk.
• Recruit Cybersecurity Specialists: Internal audit departments that lack IT auditors can gain expertise by hiring cybersecurity experts and then training them in internal audit.
Tim McCollum is Internal Auditor magazine's associate managing editor.
IIA (Standards 1210) Proficiency
• Internal Auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
• Interpretation:
• 1210.A1 - The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
• 1210.A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
• 1210.A3 - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
• 1210.C1 - The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
Cutting Edge IT Auditing: IT Skills required, auditing skills second
• Maintaining IT competencies: IT Auditors at ACI Worldwide are maintaining their IT skills by maintaining membership in the following organizations, pursuing certifications, and staying current and connected via social media.
• Institute of Internal Auditors
• ISACA
• Nebraska Computer Emergency Response Team (CERT)
• Armed Forces Communications and Electronics Association
• InfraGARD (Public-Private Partnership between FBI and US business)
• National Cyber Security Alliance (DHS and home, small US business)
• International Information Systems Security Certification Consortium (ISC²)
• Open Web Application Security Project (OWASP-Omaha)
* 7 Attributes of Highly Effective Internal Auditors, By Chambers, McDonald, IIA, 2013
Fruit Tree of Internal Auditing
High Hanging Fruit
- Simulated Breach Exercises (war gaming)
- Penetration Testing (in house)
- Data Loss Prevention (insider threat)
- Bring Your Own Device (BYOD)
- Database Security
- Two-Factor Controls
Medium Hanging Fruit
- Data backup processes
- Asset Management and/or Identity Management
- WiFi Security Assessment
- Vulnerability & Patch Management
- Configuration Management
Low Hanging Fruit
- Credential (Admin) Verification/Appropriateness
- Default & weak passwords
- Unpatched devices (routers, switches, servers, workstations)
- Poorly configured firewalls, IPS, IDS, SIEM
- Applications not working as configured on workstations (virus, web filtering, etc.)
Emerging Cyber Threats & IT Controls
• Recent Breaches & Cyber War gaming
• Social Media
• Data Loss Prevention
• Bring (or Wear) Your Own Device
• Penetration Testing
• Incident Response
• Social Engineering
• Phishing
Cyber Security Breaches – 2014 & 2015
Cybersecurity: war gaming
The cybersecurity imperative, by Tim McCollum (page 27)
Social Media
• Every employee with a social media account tied to your company e-mail is an ambassador of the company. Possible risks: reputation/brand, stock prices, or injury/workplace violence.
• Example: TD Ameritrade uses a company to monitor social media
• List every company-based social media account
• Do not limit just to Facebook, Twitter, LinkedIn, etc. – it is imperative that you use Google dorks or obtain an external “objective” subject matter expert to assist you
Data Loss Prevention (DLP)
• Where are your egress points?
• What controls are in place?
• What do your policies state?
• What training is provided to your staff?
• Which of the 45 popular cloud hosting providers (DropBox.com, Cloud.com, etc.) are blocked?
Bring (or Wear) Your Own Device (BYOD)
Penetration Testing? But we just passed our PCI Audit!
• Vulnerabilities Exist? But we just passed our PCI audit!
Incident Response
• Yes, you probably have a plan. But do you have a letter vetted through legal for each state / country in which you operate to comply with breach notification laws?
Social Engineering
http://www.social-engineer.org/
Phishing
• Phishing still remains the easiest way to compromise a company
• An unsuspecting employee in any business unit clicks on a perfectly legitimate-looking email which says, “Please click here to check on the status of your order.”
• Access/Compromise
• Once the attacker has compromised the company workstation, they will install a key logger to collect logins, passwords, etc.
• 23% of recipients now open phishing messages
• 11% click on attachments
• 50% open e-mails within the first hour
• Awareness and training are the most effective defense
Contact Info
Rob Baldi, Director of Information Technology Internal [email protected]
Warren Fish, Manager of Information Technology Internal [email protected]
ACI Worldwide is looking for an IT Audit Intern. Please contact Rob or Warren for more details!