Don’t be a Target! E-Auditing Pitfalls to Avoid · 2019. 9. 30. · Presented by: JJ Edmunds and Antonina McAvoy


Presented by:
JJ Edmunds, CPA, CIA, CISA, Audit and Assurance Manager
Antonina McAvoy, CISA, Cyber and Control Risk Services Manager

Don’t be a Target!

Peace of mind is a matter of choice.

E-Auditing Pitfalls to Avoid

Business Disruption

GLOBAL CYBER WARFARE

Intellectual Property

Trade Secrets

Infrastructure

Designs

Confidential Project Data

Financial Data

Personal Data

Data Is The New Oil

Cybercrime Annual Revenues

Key Cyber Trends

Root Cause of Cyber Attacks

Source: Ponemon Report

Types of Cyber Attacks

Source: Ponemon Report

Data at Risk

Source: Ponemon Report

Reduce Your Risk Vector

How Can You Minimize Being a Statistic?

• What are your assets?

• What are your threats?

• What are your vulnerabilities?

• Impact vs Likelihood

Risk Management Program and E-Auditing Considerations

Member Identification

• Strong authentication questions
• Call backs
• OFAC scans
• Multi-factor authentication
• Exception monitoring
• Frequent and constant employee training

NCUA Wire Internal Controls

• Training
• Physical and logical controls
• Segregation of duties
• Exposure limits
• Defined roles
• Member identification
• User access monitoring
• Call back / dual authentication

NCUA ACH Internal Controls

• HR policies and procedures
• Physical security
• Data security
• Software development and change
• Exposure limits
• Segregation of duties
• User access

NCUA Remote Deposit Internal Controls

• Benchmarking of performance
• Board-approved policies
• Data security
• Segregation of duties
• User access

Cybersecurity Risk Management

User Education and Awareness

• Acceptable Use Policy / Agreement
• Security awareness and policy training
• Secure password construction
• Phishing
• Whaling attacks
• Social engineering
• Physical access
• Malware
• Ransomware
• Confidential data handling
• Compliance and monitoring

Home and Mobile Working

• How many organizations have a Virtual Office Policy / Mobile Working Policy, or Agreement?

• Threats: network attacks, viruses, data loss, and other remote-user hazards

• Protect data in transit and at rest

• Secure baseline build for all devices
– e.g. ensure devices have up-to-date antivirus software and an appropriate firewall status before allowing them on the VPN

Secure Configuration

• Current system inventory list
• Baseline build for all devices
• Patch management policy/process

• Are you at risk? Practices to be avoided:
– Use of default passwords for systems and devices
– Lack of a formal configuration management process
– Lack of a consistent software install process
– Unnecessary software installed on networks/servers
– Improper file and directory permissions
– User accounts with unnecessary access privileges

Removable Media Controls

• What is the risk?
– Loss of sensitive information
– Introduction of malware
– Reputational damage

• Corporate removable media policy

• Best practices to implement:
– Limit use of removable media
– Scan all media for malware
– Formally issue media to users
– Encrypt information held on media
– Manage reuse/disposal of removable media
– Educate users and maintain awareness

Managing User Privileges

• Access control policy

• User provisioning
– Formal request and approval
– Principle of least privilege (network, application, and database)
– Regulate the creation of new accounts, the administration of rights, and the editing of account details

• User deprovisioning
– Access disabled/deleted within 1-3 business days
– Admin password change when support staff leave

• User access reviews

• Restrict administrative access

Incident Management

• Do you have a written plan?

• How many times have you tested it?
– Living process... update regularly!

Business Continuity Planning (BCP) and Disaster Recovery (DR)

Source: Centre Technologies

• BCP: Business function prioritization, Business Impact Analysis, Risk Assessment, Legal and Regulatory Requirements Identified

• DR: Asset/Technology Inventory, Asset Criticality, Disaster Recovery Contracts, Building Plans and System Diagrams

Monitoring

• Monitoring strategy and supporting policies
• Continuously monitor all systems and networks
• Capture and analyze logs for unusual activity
• Real-time monitoring:
– Monitor network performance / availability / traffic
– Monitor user activity (e.g. detect and stop malicious activity before security is compromised)
– Monitor computer operations (key backups / batches)

Malware Protection

• Corporate malware policy

• Personal vigilance
– Be wary of emails with attachments, links, or requests to enter your user ID and password

• Protective tools
– Anti-virus security package
– Scan for malware across the organization
– Automatically filter out malicious attempts
– Only compliant machines gain network access

Network Security

• Security policy
• Apply the principle of least privilege
• Dual authentication
• Segmented networks
– Create clear separation of data within the network based on security requirements (e.g. isolate cardholder data from the rest of the network)

• Network security scanner
• Vulnerability scanning
• Patch management

Questions

Presented by:
JJ Edmunds, CPA, CIA, CISA, Audit and Assurance Manager
Antonina McAvoy, CISA, Cyber and Control Risk Services Manager

MANAGING OUTSOURCED TECHNOLOGY AND SERVICE PROVIDERS

Why do I need a vendor management program?


THIRD-PARTY VENDORS (Deloitte survey)

Figures shown on the slide: 59% and 74%. Third parties play a critical role in business functions.

Another threat: Third Party Vendors

(Slide diagram: Your Credit Union connected to its vendors: Financial / Accounting System, IT Support Network, Payroll, Corporate Credit Union)

THIRD-PARTY VENDOR RISK (Ponemon Institute)

59% of data breaches caused by a third-party vendor

THIRD PARTY BREACHES IN THE NEWS

Source: reuters.com

Can You Rate Your Vendors’ Risk Level?

(Slide diagram: Your Credit Union and its vendors, each marked with a question mark: Financial / Accounting System, IT Support Network, Payroll, Corporate Credit Union)

Security Risk Affects Your Whole Organization

Employees · Members · IT · Operations

How can you mitigate risks associated with outsourced service providers?

Do I need a SOC audit for all vendors?

Why CUECs (Complementary User Entity Controls) are Important

ACCESS DENIED

Key Consideration

97% - Negligent Employees or Third Party Contractor

Who is your weakest link?

The Blame Game

Insurance: Common Problems

Common Business Misconception

I’m not worried… I’ve got insurance!

Yes, but the real question is does your organization have the right cyber insurance?

Key Considerations: Are You Being Negligent?

Cyber Insurance… Denied?

• National Bank of Blacksburg v. Everest National Insurance Co.

• Hacked twice in less than a year and suffered total losses of $2.4 million (phishing scam)

• Link to article: https://www.businessinsurance.com/article/20180727/NEWS06/912322962?template=printart

Do You Have a Strategic Plan?

Questions

Contact

Antonina K. McAvoy, CISA
Manager, Cyber & Control Risk Services
150 Boush Street, Suite 400
Norfolk, VA 23510
Phone: (757) 355-6011
amcavoy@pbmares.com

Visit www.pbmares.com to read our blog and learn of upcoming events.

JJ Edmunds, CPA, CIA, CISA
Manager, Audit and Attestation
3957 Westerre Parkway, Suite 220
Richmond, Virginia 23233
wedmunds@pbmares.com

About the Speaker

JJ Edmunds, CPA, CIA, CISA

• Manager, Audit and Attestation Services

• Education:
– BS in Accounting, Christopher Newport University
– Master of Science in Accounting, Old Dominion University

• Experience:
– 7 years of public accounting experience
– Certified Public Accountant (CPA)
– Certified Internal Auditor (CIA)
– Certified Information Systems Auditor (CISA)

About the Speaker

Antonina K. McAvoy, CISA

• Manager, Cyber and Control Risk Services

• Education:
– BS in Business Management & Accounting, Babson College
– Pursuing MS in Cybersecurity, Utica College

• Experience:
– 10 years of information technology (IT) auditing experience
– Certified Information Systems Auditor (CISA)
– Focus areas: Cybersecurity, IT General Controls (ITGC), Cyber Risk Assessments, HIPAA Reviews, SOC Audits, and Internal Audit

About PBMares Cyber & Control Risk Services

• PBMares has been specializing in IT and cyber security auditing for more than 15 years. Services include:

– Attestation
• IT General Controls Audits (ITGC)
• Service Organization Control (SOC) Audits: SOC 1, SOC 2, SOC 3 & SOC for Cybersecurity

– Consulting
• Cyber Risk Assessments
• Review of Cyber Insurance Coverage
• Vulnerability Scans of Network (Internal and External)
• Penetration Testing
• Incident Response Consulting
• Data Classification Process Design and Consulting
• Review of Information Security Program Policies and Procedures
• Information Security Awareness Training
• User Life Cycle Management Consulting