Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Transcription

1 Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

2 Agenda Key Risks Incorporating Internal Audit Resources Questions 2

3 San Francisco ISACA Conference Atlanta I Nashville

4 Key Risks 4

5 Key Risks Board and Management: CIO, CAE, organizational leaders agree: Cyberthreats not only and IT problem, but fully fledged business risk Top 10 risk Separate from business interruption; loss of reputation and brand value; theft fraud and corruption % of IT focus increasing 5

6 Key Risks External Stolen credentials Remote access Internal Employees Business partners 6

7 And in this corner Atlanta I Nashville

8 Key Risks Nature of attack: Denial of service attacks (DoS) Data security breaches Focus of attack: Credit card data (e.g. retail) Exploration data (e.g. oil and gas) Intellectual property (e.g. technology, strategic information) 8

9 Key Risks Threats Rapidly evolving Increasingly sophisticated Methods continue to improve 9

10 Cost of Cyber Crime Source: 2015 Ponemon Institute Cost of Cyber Crime Study 10

11 Incorporating Internal Audit 11

12 Incorporating Internal Audit Atlanta I Nashville

13 Incorporating Internal Audit Persistent threat Exposures Security posture Audit procedures Assisting management Resource application 13

14 Incorporating Internal Audit Drive change Be engaged at the strategic level: Understand board s approach to security Better understand the value of businesscritical data Being involved with new IT implementations 14

15 Incorporating Internal Audit Key Elements: Leadership and governance Technical and operational controls Training and awareness Information risk management Response planning Crisis management 15

16 Incorporating Internal Audit Auditing defense mechanisms: Internal education/communication Secure firewalls Up-to-date antivirus software Open communication to ISPs Effective network monitoring Rapid response plans Patch management 16

17 Patch Management Source: Verizon 2015 Data Breach Investigations Report 17

18 Incorporating Internal Audit Auditing defense mechanisms: Password management Data categorization, segregation, access storage, and retention process Suppliers cybersecurity practices; service agreements Cloud services Data security controls Corporate insurance coverage 18

19 Incorporating Internal Audit IT Audit Resources: Perform business and IT impact analysis and risk assessment Cyber Risk assessments External input on threats facing industry Current attack methods Cyber assurance White-hat hacking 19

20 Incorporating Internal Audit IT Audit Resources: People, process and technology controls Incident response program Help optimize controls to prevent or detect cyber issues Ongoing monitoring of changing cyberrisk Working with systems administrators 20

21 Incorporating Internal Audit Atlanta I Nashville

22 Incorporating Internal Audit Internal Audit Resources: Drive discussion around risk and mitigation strategy Independently assess and prioritize cyberrisks against other critical enterprise risks Assess effectiveness of preparation Identify and monitor issues and risk related to emerging technology deployments 22

23 Incorporating Internal Audit Supporting the Audit Committee: Five Principles: 1. Understanding and approach to cybersecurity 2. Legal implications 3. Access to expertise 4. Staffing and budget 5. Risk avoidance 23

24 Incorporating Internal Audit Focus on: Specific types of attacks they face Weaknesses inherent in business practices, culture, IT systems Educating AC/Executive Management: Business risk Risk to data Critical assets Nature of network traffic Prevention, Detection and Response 24

25 Incorporating Internal Audit Questions to ask: 1. Funding for people, processes, technology? 2. Critical Systems Identified? 3. Connections to other systems 4. Who relies on data? 25

26 Incorporating Internal Audit Questions to ask: 4. Who has access? 5. Audit logs maintained/reviewed? 6. Cyber response: 1. Systems prioritized 2. Excercizes documented? 3. Support contracts in place? 7. Does staff receive training? 26

27 Resources 27

28 Where are the Resources? FDIC 60 IT Auditors for 4,000 financial institutions OCC 100 IT Auditors for 1,500 institutions NCUA 50 IT Auditors for 6,200 credit unions Federal Reserve 85 IT Auditors for the 5,500 institutions it monitors Too many threats and too few professionals. 28

29 Where are the Resources? 29

30 Performing Risk Assessments IT Security Architecture Awareness & Education Threat & Vulnerability Management IT Security Management Risk Assessment Areas Privacy & Data Protection Identify high risk areas Incorporate into audit plan Identity & Access Management Atlanta I Nashville

31 Resources U.S. National Institue of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Consistent and effective evaluation of current security: Processes Procedures Technologies Links to other security standards and approaches 31

32 Source: NIST Framework for Improving Critical Infrastructure Cybersecurity 32

33 Source: NIST Framework for Improving Critical Infrastructure Cybersecurity 33

34 Resources Cybercrime Audit/Assurance Program Aligned with the NIST National Initiative for Cybersecurity Education 34

35 35

36 Source: ISACA IT Assurance Framework TM (ITAF TM ) 36

37 Resources Cybersecurity Fundamentals Certificate Knowledge-based certificate offered by ISACA Implementing NIST Cybersecurity Framework Using COBIT 5 Focused on the CSF, goals, implementation steps and application 37

38 ISACA Certifications Atlanta I Nashville

39 39

40 Nymity Framework Comprehensive listing of over 130 privacy management activities Structured in 13 privacy management processes Jurisdiction and industry neutral Atlanta I Nashville

41 Internal Audit Focus Evaluating security risk and threats Data at risk Secure infrastructure Monitoring capability Rapid identification, response, containment and recovery 41

42 Questions?