2013 CliftonLarsonAllen LLP Not All IT Audits Are the Same How to Choose One That Is Right For You CliftonLarsonAllen LLP. CLAconnect.

Transcription

1 Not All IT Audits Are the Same How to Choose One That Is Right For You CLAconnect.com

2 Intro Scott Charleson Lots of certs - GWAPT, GPEN, GSEC, CISSP, CEH, EnCE Hacking for CliftonLarsonAllen

3 Intro Scott Charleson Lots of certs - GWAPT, GPEN, GSEC, CISSP, CEH, EnCE Hacking for CliftonLarsonAllen Paleo Barefoot Runner

4 Presentation overview What is Risk Assessment Governance Frameworks Types of Audits

5 We need Our examiners said we need to do an IT Audit To be in compliance with XYZ, we need to do a Risk Assessment

6 What is not a risk assessment..? Vulnerability Scanning Penetration Test Phishing / Social Engineering

7 Risk Assessment Institute of Internal Auditors (IIA) glossary s definition of risk: The uncertainty of an event occurring that could have an impact on the achievement of objectives. Key terms when evaluating risk in an organization are: Likelihood/Occurrence and Impact/Consequences to the business

8 Risk Assessment Inherent & Residual Risk Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk s likelihood or impact (ie. absent controls/before control effectiveness testing) Residual risk is the risk that remains after management s response to the risk (ie. after control effectiveness testing) Risk assessment is applied first to inherent risks. Once risk responses have been developed, management then considers residual risk. Effective Risk Management requires that risk assessment be done both with respect to inherent risk and also following risk response.

9 Risk Assessment Risk Assessment Process (30K foot view) 1. Identify key assets and processes 2. Define threats & vulnerabilities to assets/processes 3. Quantify/qualify likelihood of occurrence 4. Establish Impact (to the business) This is Inherent Risk

10 Risk Assessment Risk Assessment Process (30K foot view - continued) 1. Perform controls effectiveness testing 2. Analyze control testing results for mitigation effectiveness This result is Residual Risk Build business plans and audit plans based on residual risk. Examiners expect to see Risk Assessment process as basis for business decisions

11 Governance Frameworks Common Frameworks - Matrix Resources:

12 Types of Risk Assessments and Audits Risk Assessment Enterprise Risk Assessment IT Risk Assessment Compliance Risk Assessment IT Audits Process Audits (ie. ACH) IT Compliance Audits Security Assessment Vulnerability Assessments Penetration Testing Social Engineering

13 Audit Philosophy and Approach Philosophy: People, Rules and Tools Approach: Understand Test Assess

14 Enterprise Risk drive the business ENTERPRISE VALUE RISK OVERSIGHT & INSIGHT Board & Executive Management Alternatives, Decisions, Scenarios & Events ENTERPRISE RISKS GOVERNANCE Ethics/Decision Authority Oversight/Independence Compensation/Other STAKEHOLDER VALUE Strategy & Execution Risk Taking STRATEGY Strategic Plan/Acquisitions/ Divestitures Succession Planning Brand/Marketing /Pricing Reputational Revenue Growth Operating Margin Asset Efficiency Expectations Financial Reporting Risk Avoidance People Process Technology Compliance Risk Avoidance Operations Risk Avoidance STAKEHOLDER VALUE Rewarded risk can drive value. Unrewarded risk can destroy value. OPERATIONS Service Delivery Inventory Management Staffing and Employment Quality Standards Cost Management INFRASTRUCTURE Compliance Finance & Accounting Tax Information Technology Insurance BCP Safety/Physical Security Legal/IP/Litigation Environmental / Other EXTERNAL FACTORS Competition/Economic Conditions Geo-political/Regulatory Activism/Public Safety Natural Disasters/Other

15 Enterprise Risk drive the business Conducting an Enterprise-Wide Risk Assessment is similar to sitting down with a financial planner to discuss your investment strategy. You determine your tolerance for risk by deciding whether you want to invest aggressively, preserve capital or take a conservative growth approach. This can be described as a control self assessment of your finances. There is a clear distinction between an Enterprise Risk Assessment and an Enterprise Information Security Risk Assessment. The first type focuses on Financial, Strategic and Operational functions, and the latter is Information Security/Network/Technology driven. Clarify with your examiner which one is being requested if your business is asked to complete an Enterprise Risk Assessment.

16 IT Risk Assessment & Information Security Risk Assessment Focus is on one component of the enterprise: Information Technology and/or Information Security Management Program

17 Types of Risk Assessments and Audits Risk Assessment Enterprise Risk Assessment IT Risk Assessment Compliance Risk Assessment IT Audits Process Audits (ie. ACH) IT Compliance Audits Security Assessment Vulnerability Assessments Penetration Testing Social Engineering

18 Process Specific ACH audits Wire transfer / Fed Line audits Application specific audits Business process specific audits Member authentication procedures These tend to be focused on the operational processes supporting the business process

19 Traditional IT Audit Broad audits IT General Controls Review Specific/focused audits DRP/IR/BCP audits and testing SDLC and Change Management audits User and group permission audits Vendor management

20 Traditional IT Audit IT General Controls Review A mile wide and 10 feet deep

21 Traditional IT Audit IT General Controls Review Good for broad, high level coverage of IT management, member information security program, and compliance requirements Answers the question: Do we have the right standards and are they well documented? Effectiveness testing tends to be light Does not really test the systems or ID exceptions

22 Traditional IT Audit Focused Audits Common Examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits More focused audits get to the next level of detail; focus on the process and perhaps application level controls (ie. menus); effectiveness testing tends to be more thorough, but likely still based on sampling These can be Design or Compliance focused

23 Vulnerability Assessment Port Scans and Vulnerability Scans They are like Radar Pros Cons External and Internal Scanning What are the benefits? Example Monthly scanning for Business A July nothing new/unusual August nothing new/unusual September - SSH open, and

24 Penetration Testing External Network Applications Internal Network Wireless Facilities (social engineering)

25 External Network Penetration Testing Everything that touches the outside 1. Routing devices 2. Remote access 3. Web/applications* 4. Other*:

26 Application Penetration Testing External Apps or Internal Apps

27 Internal Network Penetration Testing Everything that touches the inside

28 Wireless Network Penetration Testing

29 Definition of a Secure System A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford Confidentiality Integrity Availability 29

30

31 Intro

32 Questions?

33 Thank you! CLAconnect.com Scott Charleson About.me/charleson

34 Sources for Standards and Guidelines FFIEC IT Handbook NIST : Information Security and IT Auditing PCI Requirements