The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation. ISACA All Rights Reserved.

Transcription

1 The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation

2 Tichaona Zororo CIA, CISA, CISM, CRISC, CRMA, CGEIT, COBIT 5 Certified Assessor B.Sc. Honours Information Systems, PGD Computer Auditing Accredited COBIT 5 & Certifications Trainer

3 Emerging & Merging Technologies - The 4 th Industrial Revolution

4 Internet of Threats Artificial Intelligence Predictive Analytics Social Media Mobility Cloud Computing Blockchain Drones & Robotics DevOps Augmented Reality Cybersecurity Smart Cities

5

6

7

8 2017 Internet Users 3.78 Billion 2018 Global Internet Users Billion 2018 Global Active Mobile Social Users Billion 218 Million Unique Mobile Users increase from 2017 to Active Social Media Users Billion 2017 Active Social Media Users Billion 2018 Unique Mobile Users Billion

9 28.66 Million South Africans are active Internet Users. 1.8 Million Increase from Million South Africans are active Social Media Users. 2 Million Increase from 2016 There are Mobile Subscriptions in South Africa out of South Africans

10 2018 South Africa Unique Mobile Devices 38 Million 2016 Active Social Media Users in South Africa 18 Million 2018 South Africa Internet Users Million 2018 Active Mobile Social Users 16 Million 2018 Monthly Active Facebook users in South Africa 18 Million

11

12 Perpetual development and improvement model Central to a company s ability to test new digital business capabilities and bring them to market rapidly Integration of product development with IT operations Moving code to production every 12 sections DevOps Improved IT operations, improve business efficiency to meet market demands IT operations staffers work closely to test and launch new software features quickly - Breaking traditional barriers Teams would no longer have to wait for signoffs, handoffs, and preparation of test environments when writing code. Those tasks would be managed within the team, with immediate input from development and operations specialists.

13 Stakeholders Development Operations DevOps Quality Assurance Security

14 Stakeholders The Business benefits of DevOps: Reduced time to market Faster return on investment High performance Amazon, Google Increased quality Customer satisfaction Reduced IT waste Improved supplier and business partner performance Human errors

15 Stakeholders Risks Conflicting roles leading to loss of segregation of duties and authentication Release rates faster than business established business metrics Non compliance with some regulations e.g., PCI DSS, HIPAA, Shadow adoption Lack of skills Resistance Traditional assurance providers

16 King IV TM on Digital Transformation Governance & Cybersecurity

17 Governing Body Responsibilities Strategy Policy Oversight Accountability 17 Principles & 214 Recommended Practices Governing Body Responsibilities Ethical Culture Good Performance Effective Control Legitimacy

18 Governance and Cybersecurity of Information and Technology has become critical issues Technology is no longer simply an enabler, the system created by an enterprise provide the platform to deliver its strategic (integrated development plan) and performance (service delivery and budget implementation plan) objectives Information and technology is now the source of many enterprise s future opportunities and potential disruption - Risk and Opportunity are increasingly two sides of the same coin Information and Technology Governance and Cybersecurity should become a recurring item on Audit and Risk Committees agenda

19 Principle Number 12: The governing body should governance technology and information in a way that supports the organisation setting and achieving its strategic objectives.

20 8 Practices

21 Exercise ongoing oversight of information & technology management Assume responsibility for the governance of information and technology Exercise ongoing oversight of the management of information Delegate to Management the responsibility to implement and execute effective information and technology management

22 Assume responsibility for the governance of information and technology by setting the direction for how information and technology should be approached and addressed in the organisation Related disclosures Consider the need to receive periodic independent assurance on the effectiveness of the organisation s information and technology arrangements including outsourced services Exercise ongoing oversight of the management of technology

23 King III on IT Governance 9 Chapters and 75 Principles

24 Chapter 2 Boards & Directors 27 Principles Chapter 3 Audit Committees 10 Principles Chapter 4 The Governance of Risk 10 Principles Chapter 1 Ethical Leadership & Corporate Citizenship 3 Principles Chapter 9 Integrated Reporting & Disclosure 3 Principles Chapter 8 Governing Stakeholder Relationships 6 Principles Chapter 5 The Governance of Enterprise IT 7 Principles Chapter 6 Compliance with Laws, Rules, Codes and Standards 4 Principles Chapter 7 Internal Audit 5 Principles

25 Principle 5.4: The board should monitor and evaluate significant IT investments and expenditure Principle 5.1: The board should be responsible for information technology (IT) governance Principle 5.5: IT should form an integral part of the company s risk management Principle 5.2: IT should be aligned with the performance and sustainability objectives of the company Principle 5.3: The board should delegate to management the responsibility for the implementation of an IT governance framework The Governance of Enterprise IT Principle 5.7: Principle 5.6: The board should ensure that information assets are managed effectively A risk committee and audit committee should assist the board in carrying out its IT responsibilities

26 The 10 Core Principles for the Professional Practice of Internal Auditing

27 Is objective and free from undue influence (independent) Demonstrates quality and continuous improvement Demonstrates integrity Demonstrates competence and due professional care Is appropriately positioned and adequately resourced

28 Promotes organisational improvement Provides riskbased assurance Aligns with the strategies, objectives, and risks of the organisation Is insightful, proactive, and future-focused Communicates effectively

29 Cultural Shift

30 Questions

31 +27 (0) tichaona.zororo Tichaona Zororo tichaonazororo Tichaona Tichaona Zororo +27 (0) EGIT Enterprise Governance of IT (Pty) Ltd

32 Thank you