Information Technology Risk Assessment


February 6th, 2013, kpmg.com

With you today
Brett Luis, Advisory Services - IT Audit Director, (858) brettluis@kpmg.com

2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.

Objectives
- Provide an overview of IT risk
- Describe the IT Risk Assessment process and alternative approaches
- Identify the benefits of conducting an IT Risk Assessment
- Describe the phases of the IT Risk Assessment
- Learn about useful tools and frameworks
- Locate additional resources for continued support
- Describe the IT internal audit plan development process

What is IT risk?
"IT risk is business risk; specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise." (ISACA Risk IT Framework)

What are we trying to protect?
- Utilities (power supply)
- Physical environment
- Network
- Hardware: network infrastructure and devices, servers, desktop computers, laptops, smart phones, other input devices (card readers, scanners, POS terminals, etc.), switches and routers, backup devices and media
- Software: applications, development tools, websites
- Data: source code, intellectual property, customer information, transaction data

But where is it, who owns it, and what are we protecting it from?

Ingram Micro Inc. SAP Project Issues in Australia
Timeframe: 2011
Failure to properly manage the process of migrating operations from a proprietary system to SAP on a country-by-country basis resulted in business disruption in Australia.
Issues
- Connectivity problems between the new system and those of Ingram's warehouse and partners resulted in order delays and diminished sales and margins.
- Customer experience suffered as a result of problems with customer service and order management functionality.
Results
- Adverse impact on earnings, market share, and customer relationships in the region.
- Net income in Q2 FY11 was down from $67.7M to $59.7M.

Department of Homeland Security Cyber Break-Ins
Timeframe: 2005
Unisys Corp's failure to properly install and monitor its network intrusion detection devices resulted in an inability to detect 3 months of cyber break-ins at DHS.
Issues
- Insufficiently secured networks in DHS posed significant risks for agencies critical to domestic security, including TSA and Customs and Border Protection.
Results
- 150 DHS computers, including one in the Office of Procurement Operations, which handles contract data, were compromised by hackers, and an unknown quantity of information was sent to a Chinese-language Web site that appeared to host hacking tools.

Major Brands ERP Performance Issues
Timeframe: Mid-2011
Beverage distributor Major Brands contracted Epicor to implement an ERP system.
Issues
- Latency problems with the software led Epicor to acknowledge that the software was not suitable for Major Brands' needs and that it would not perform as previously represented.
Results
- Significant changes to project scope, development of new software, a revised implementation date of 2015, and increased costs of $1M.

Montclair State University Software Deployment Failure
Timeframe: 2009
The university entered into a $20M contract with Oracle for a PeopleSoft suite designed to replace its 25-year-old set of legacy applications.
Issues
- Oracle failed to deliver key implementation services, caused critical deadlines to be missed, refused to make available computer resources that it had promised, and failed to deliver properly tested software.

Heartland Payment Systems SQL Injection
Timeframe: 2008
Code written eight years earlier for a web form allowed access to Heartland's corporate network.
Issues
- This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland's systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network.
Results
- Using SQL injection, intruders compromised Heartland's corporate network and were able to capture payment card-related data.
- 134 million credit cards were exposed through SQL injection.

ACS:Law DDoS Attack
Timeframe: 2010
The website of ACS:Law was subjected to a DDoS attack as part of Operation Payback.
Issues
- When the site came back online, a 350MB file that was a backup of the site was visible to anyone for a short period of time.
Results
- The backup, which included copies of e-mails sent by the firm, was downloaded and made available on various peer-to-peer networks.
- Encrypted Excel spreadsheets listing names and addresses of people that ACS:Law had accused of illegally sharing media were released to the public.

Qantas Airlines System Outage
Timeframe: 2012
Computer problems with the Amadeus airline reservation system caused long lines and traveler delays at airports across Australia.
Issues
- The outage was a result of the Leap Second Bug, in which the addition of a single second to the world's atomic clocks caused problems with IT systems.
- Three vital elements of the Amadeus system were affected: check-in, reservations and plane loading calculations.
- Outages lasted for approximately 1 hour.
Results
- More than 400 Qantas flights around Australia were delayed by at least two hours as staff switched to manual check-ins.

CardSystems Solutions SQL Trojan Attack
Timeframe: 2005
Hackers broke into CardSystems' database using an SQL Trojan attack.
Issues
- Code was inserted into the database via the browser page every four days, placing data into a zip file and sending it back through FTP.
- CardSystems never encrypted users' personal information and did not have proper safeguards in place.
Results
- 40 million credit card accounts were exposed.
- Hackers gained access to names, account numbers, and verification codes.
- CSS, one of the top payment processors for Visa, MasterCard and American Express, was ultimately forced into acquisition.

Pennsylvania Liquor Control Board ERP System Failures
Timeframe:
PLCB undertook a $66.6M Oracle ERP software project and underwent significant changes in project scope, inflated costs and staffing issues.
Issues
- A forecasting application went live in September 2009, and by January 2010 managers learned that the system was producing inaccurate inventory levels.
Results
- Oracle denied PLCB's request for the inventory forecasting formulas because the information was proprietary.
- PLCB was forced to order excess merchandise to compensate for the system's flaws, resulting in overflowing stocks and high storage costs.
- PLCB's sales rose during this period, but net profits from store operations dropped 47 percent.

Data breaches
Organization                            Records     Year
Heartland Payment Systems               130,000,
TJX Companies                           94,000,
TRW, Sears Roebuck                      90,000,
Sony Corp                               77,000,
National Archives and Records Admin     76,000,
Cardsystems, Visa, Mastercard, AmEx     40,000,
US Dept of Veterans Affairs             26,500,
HM Revenue and Customs, TNT             25,000,
Sony Online Entertainment               24,600,

What's the C Suite and Board really going to care about?
[Chart: REVENUE LOSS (y-axis, $0 to $45,000,000) versus TIME in days (x-axis) for a System Outage]

What concerns the Audit Committee?
Q1. From your perspective as an audit committee member, which of the following risks (aside from financial reporting risk) pose the greatest challenges for your company? (select three)
Source: KPMG Audit Committee Institute 2013 Global Survey

Example corporate failures
Company: Comet Group
  Description: Electrical retail chain
  Causes: Rapid expansion; major client loss left the company with a large supply of obsolete inventory; major rivals (Wal-Mart) made key acquisitions to gain market share
Company: Hostess Brands
  Description: Wholesale baker
  Causes: Union labor dispute
Company: Blockbuster
  Description: Video rental
  Causes: Failure to adapt to new competitors and technologies (e.g. Netflix)
Company: Borders
  Description: Book retailer
  Causes: Failure to adapt to new competitors and technologies (e.g. Amazon)
Company: Circuit City
  Description: Electrical retail chain
  Causes: Failure to adapt to new competitors
Company: Nortel
  Description: Telecommunications
  Causes: Slowing demand for legacy telecom equipment; accounting scandal

The Importance of IT Risk Assessment

Why Companies Need an IT Risk Assessment
There are many factors that drive the need for an IT Risk Assessment:
- Foundation for the IT Audit Plan
- Organizational changes
- Changes in the regulatory environment
- Technology or compliance related incident

Where can you find help?
- ISO/IEC
- NIST SP An Introduction to Computer Security: The NIST Handbook
- NIST SP Guide for Developing Security Plans for Information Technology Systems
- NIST SP Security Self-Assessment Guide for Information Technology Systems
- NIST SP Risk Management Guide for Information Technology Systems
- The Risk IT Framework
- COBIT

ISO/IEC
The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
- security policy
- organization of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development and maintenance (see Systems Development Life Cycle)
- information security incident management
- business continuity management
- regulatory compliance

NIST

NIST, continued

ISACA Risk IT Framework Principles

Conducting an IT Risk Assessment - Phase 1: Strategic Analysis

Strategic Analysis
Purpose
- Understanding the industry
- Understand the organization's objectives, strategic direction, business model, and the role that technology has in supporting the business
- Obtain a high-level understanding of the IT environment or IT universe, which includes the following:
  - IT environment
  - IT organization
  - Structure of IT
  - Overall governance of IT
High-Level Approach
- Understand the Business
- Understand the IT Environment & Define the IT Universe

Understand the Business
1. Interview leaders and appropriate business professionals
2. Understand the overall business, objectives, strategies, plan, business model and role of technology
3. Request and review information
4. Document and confirm the understanding of the business with key stakeholders

Understand the Business, Continued
- Organization's objectives
- Strategic direction
- Business model
- Technology used in supporting the business

Understand the Business, Continued
Request and review information:
- Mission, vision, and value statements
- Strategic plans
- Annual business plans
- Management performance scorecards
- Stockholder annual reports and supplements
- Regulatory filings

Example Business Understanding Document

Understand the IT Environment
The IT environment includes:
- Computing platform
- Operating system of the computing environment
- Applications
- Databases
- Datacenter locations
- Type of communications network
- External network service providers
- Hardware

Understand the IT Environment, Continued
Detailed information:
- IT organization (strategy, products, programs, initiatives, etc.)
- Structure of IT (size and complexity)
- Overall governance of IT (operating committees, reporting, policies, procedures, etc.)
Understanding the IT environment and current state helps define the potential scope of the risk assessment and the planning and scoping of the IT Internal Audit Plan.

Define the IT Universe
1. Develop an initial IT Universe questionnaire
2. Prepare a Prepared By Client (PBC) list and conduct interviews
3. Obtain information from industry leaders on current trends and issues
4. Distribute the IT Universe questionnaire and the PBC list with instructions to appropriate IT stakeholders and review responses
5. Conduct interviews with IT leadership to confirm understanding

IT Universe Questionnaire
Example IT Universe questionnaire items:
- Organizational uniqueness: business and delivery models
- Degree of system and geographic centralization
- System architecture diversity
- Degree of customization within the systems and applications
- Intellectual property
- Privacy
- International cross-border laws and regulations (Safe Harbor)
- Mobile
- Storage/media handling
- Compliance

IT Universe Questionnaire, Continued
Example IT Universe questionnaire items:
- Degree of automation/manual activities
- Governance of IT
- Governance of 3rd parties
- Encryption: data in transmission and in storage
- Data retention requirements
- Record management
- Degree and approach to outsourcing
- Degree of operational standardization
- Disaster recovery and business continuity maturity
- Emerging technologies and/or services

Information Requests
Information (PBC, Prepared by Client) request items:
- IT organizational charts and structure
- IT strategy, goals, objectives, and challenges
- Management reports
- Governance model, risk reporting, tools, practices
- Key systems, applications, and data
- Significant organizational projects with an IT component
- Organization's business and operational processes

Information Requests, Continued
Information request items:
- Existing IT and/or business risk assessment models
- Applicable Internal Audit reports
- Applicable External Auditors' reports
- Internal Audit Plan
- SOX IT deficiency list and SOX Risk Assessment
- Business continuity and disaster recovery
- Other third party audit reports
- Enterprise Risk Assessment documentation

Preliminary Analysis
- Identify potential areas to inquire about in the fieldwork/interview stage
- Log initial observations in a risk register for discussion during interviews
- Perform a preliminary analysis of risk elements relevant to the organization
- Understand and document the entity's level of dependence on information systems and overall current state

Outputs
At this point, the project team should have:
- An understanding of the business environment that has been reviewed and confirmed
- An understanding of the IT universe that has been reviewed and confirmed
- An initial list of risks within a risk register to move into the further detailed analysis phases

Review
- The strategic analysis phase is critical to establishing a foundation for Fieldwork and Data Gathering
- Understanding the business, the industry, and the IT environment leads to better questions
- Awareness of the business's world builds rapport, insight and competence

Conducting an IT Risk Assessment - Phase 2: Fieldwork and Data Gathering

- IT Frameworks and Risk Assessment Criteria
- Identify IT Risks and Facilitate Discussion
- Preparing for the Interviews
- Conducting the Interviews

Determine Framework for IT Risk Assessment
Key Steps
- Establish the framework with IT business objectives
- Determine the risk rating criteria
- Agree with the business on the framework and risk rating criteria
Approach
- Use industry and business information already gathered
- Agree on reporting structure
- Meet with appropriate C-level and IT executives

IT Risk Assessment Framework
IT Frameworks:
- COBIT
- ITIL
- COSO
- GTAG
- NIST Special Publication 800 Series:
  - Risk Management Guide for Information Technology Systems
  - Security Self-Assessment Guide for Information Technology Systems
  - Information Security

Establishing the IT Risk Assessment Framework
Approaches:
- Utilize the existing framework, if available
- Collaborate with IT to determine which industry common framework or standard to utilize (COBIT, ITIL, ISO, COSO, NIST and publications, GTAG, etc.)
- Develop a customized framework comprised of selected components of the above mentioned industry common frameworks and standards


Identify IT Risks and Facilitate Discussions
Key Steps
- Identify, document, and evaluate the relevant IT risks that threaten achievement of IT business objectives as defined and agreed to by management
- Agree with key stakeholders on the approach of the IT Risk Assessment

Identify IT Risks and Facilitate Discussions, Continued
Approach
Step: Gather information you created while preparing for interviews
  Documents / Methods: Organization's existing IT and Business Understanding document; Understanding of the IT Universe; IT Risk Assessment Register
  Purpose: Use as a baseline and to facilitate discussions with IT management
Step: Agree on approach with the business to determine the assessment method
  Documents / Methods: Individual interviews; Questionnaires; Workshops; Combination of the above
  Purpose: Determine the appropriate assessment method for the project
Step: Perform assessment
  Documents / Methods: Same as the cell above
  Purpose: Determine IT risks that threaten achievement of IT objectives

IT Risk Rating Criteria
Purpose:
- Helps to define the measuring stick that the project team will use with the business to rank and evaluate identified risks
- Used to assess the significance of risks to the organization via grouping, classifying, and prioritizing risks
Approaches:
- Use existing criteria from the business or industry
- Collaborate with the business to develop criteria
- Introduce example criteria/levels/terminology from other projects
- Combination of approaches

Risk Appetite and Capacity
Risk Appetite
  Definition: The level of risk the business is prepared to accept to achieve its objectives
  Expressed as: How much variability of return the business is prepared to accept in order to achieve a desired level of results
Risk Capacity
  Definition: The level of risk the business is not prepared to exceed
  Expressed as: An estimate of the maximum loss that the business believes it can endure in one year without endangering the survival of the company

Measuring Risk Appetite and Capacity
- Time: How long will it take to recover from the event?
- Type of Business: What is the impact on the type of business?
[Diagram: two scales, Less Time to More Time and Less Risk to More Risk]
Time is an indicator of how much security and risk avoidance an organization may want or need. For example, an online business will have a greater need to maintain Web applications than a manufacturer might, so the likelihood / impact of network and/or Web application attacks may carry more weight.

Defining Risk Rating Criteria - Example
Risk Prioritization Practice Guide - EXAMPLE
* Note: this should be agreed to with the business prior to starting the IT risk assessment
U = Unacceptable, C = Critical, S = Significant, M = Minor, I = Immaterial

ISO's Probability of Event Scale
Probability of Event   Frequency                              Rating
Negligible             Unlikely to occur                      0
Very Low               2 to 3 times every 5 years             1
Low                    Less than or equal to once per year    2
Medium                 Once every 6 months or less            3
High                   Once every month or less               4
Very High              More than once every month             5
Extreme                Once per day or more                   6

ISO's Harm of Event Scale
Harm of Event   Degree of Harm                                                                                  Rating
Insignificant   Minimal to no impact                                                                            0
Minor           No extra effort required to repair                                                              1
Significant     Tangible harm, extra effort required to repair                                                  2
Damaging        Significant expenditure of resources required; damage to reputation and confidence             3
Serious         Extended outage and/or loss of connectivity; compromise of large amounts of data or services   4
Grave           Permanent shutdown; complete compromise                                                         5


Preparing for the Interviews
- Leverage the SMPs you have identified for the project
- Leverage the project sponsor for suggestions
- Determine who to interview and where to spend the most time
- Prepare questionnaires and tailor questions to the audience

- IT Frameworks and Risk Assessment Criteria
- Identify IT Risks and Facilitate Discussion
- Preparing for the Interviews
- Conducting the Interviews
  - Case Study
  - Conducting Interviews
  - Review

Interviewing Guiding Principles
- Keep your interview audience in mind
- Send out an overview of the project scope and purpose along with example questions to the interviewee before the meeting
- Be prepared in case they didn't read what you sent them
- Be prepared to ask questions in different ways depending on the interviewee
- Make sure they understand that this is a risk assessment and that their input may not result in specific action items
- The interviewer should be in a similar position and have similar expertise to the interviewee
- Let them know that the responses are anonymous
- Don't interview alone; always have someone to primarily ask and someone to primarily record

Digesting Information and Analyzing Risks

Analyze, Classify, Prioritize IT Risks and Map to Key IT and Business Processes
Activities
- Analyze, classify, and prioritize risk data gathered in the facilitated discussions phase of the IT Risk Assessment.
- Document a consolidated list of relevant risks to the organization.
- Map IT risks to key IT and business processes.

Example IT Risks and Maturity Model (COBIT 4.1)

Key Considerations
- Risk consolidation
- Risk focus areas
- Business validation
- Risk categorization and rating
- Good visual representation: matrices, charts
- Linkage to key IT and business processes
- Residual risks
- Key IT processes versus loosely associated IT processes

Mapping IT Risks (1)
IT Strategy and Business Integration
- Strategic alignment
- IT cost take-out
- Acquisitions, divestiture and JVs
- Plant/site closures
- Budget and IT investment
- Emerging technology
- Application system portfolio
- Shared services
Business Continuity and Disaster Recovery
- Disaster recovery plans
- Leadership and ownership of plans
- Business involvement
- Third-party considerations
- Business continuity plans
- Roles and responsibilities
- Backup and recovery capabilities
Regulatory and Compliance
- Local country laws/regulatory and statutory reporting
- Chemical facility antiterrorism standards
- Registration, Evaluation, and Authorization of Chemicals (REACH) - EMEA only
- Chemical Assessment and Management Program (ChAMP) - U.S. only
- Sarbanes-Oxley
- Payment card
- Government and military contracting
- HIPAA
- e-discovery

Mapping IT Risks (1), Continued
Data Privacy
- Protection of sensitive data
- Unmonitored third party access
- Ownership of data
- Encryption
- Removable storage
- Intellectual property protection
- Employee personal identifiable information
- Customer data
Resource Management
- IT staff turnover
- Training and education
- Succession planning
- Identification of needed skill sets
- Institutional knowledge and key person dependency
IT Asset Management
- Software asset management
- Technology obsolescence
- Data center physical security
- Application obsolescence
- IT purchasing
- Hardware inventory management

Mapping IT Risks (2)
IT Governance
- Policies and procedures
- Demand management
- Controls governance
- Infrastructure governance
- Application governance
- Business process governance
- Known deficiency remediation
IT Infrastructure
- System selection
- System availability
- Infrastructure growth
- System maintenance
- POS architecture
- Network architecture
- Wireless computing
- System software management
IT Security
- Vulnerability patching
- Virus protection
- Privileged users
- Segregation of duties
- Provisioning and deprovisioning
- Application system portfolio
- Use of encryption
- Removable storage
- Manufacturing system access
- Logical data center security
- Data and application classification

Mapping IT Risks (2), Continued
Vendor Management and Sourcing
- Vendor health
- Counterparty risk
- Management of product quality
- Vendor performance management
- Abiding by [Company Name] standards
- Vendor contingency plans
- Vendor secured environment
- Appropriate use of vendors
Project and Change Management
- Project management and execution
- Controls integration
- Project portfolio management
- Significant projects and initiatives
- System development lifecycle
Data Management
- Business intelligence capability
- ERP integration
- Data availability
- Accuracy and integrity of data

Mapping IT Risks (3)
Domain: IT Strategy and Business Integration
  Risk Considerations: Strategic alignment; Budget and IT investment; Emerging technology; Application system portfolio
  COBIT Process: PO1 Define a Strategic IT Plan
Domain: Business Continuity and Disaster Recovery
  Risk Considerations: Disaster recovery plans; Leadership and ownership of plans; Business involvement; Third-party considerations; Business continuity plans; Roles and responsibilities; Backup and recovery capabilities; Data availability
  COBIT Process: DS4 Ensure Continuous Service; DS11 Manage Data
Domain: Regulatory and Compliance
  Risk Considerations: Bank Secrecy Act; Sarbanes-Oxley; GLBA
  COBIT Process: ME3 Ensure Compliance With External Requirements

Mapping IT Risks (3), Continued
Domain: Data Privacy
  Risk Considerations: Protection of sensitive data; Unmonitored third party access; Ownership of data; Encryption; Removable storage; Employee personal identifiable information; Customer data
  COBIT Process: PO2 Define the Information Architecture
Domain: Resource Management
  Risk Considerations: IT staff turnover; Training and education; Identification of needed skill sets
  COBIT Process: PO4 Define the IT Processes, Organization and Relationships
Domain: IT Asset Management
  Risk Considerations: Technology obsolescence; Data center physical security; IT purchasing; Hardware inventory management
  COBIT Process: AI5 Procure IT Resources; DS12 Manage the Physical Environment

Mapping IT Risks (4)
Domain: IT Governance
  Risk Considerations: Policies and procedures; Controls governance; Infrastructure governance; Application governance; Business process governance; Known deficiency remediation
  COBIT Process: PO6 Communicate Management Aims and Direction
Domain: IT Infrastructure
  Risk Considerations: System availability; Infrastructure growth; System maintenance; Network architecture; System software management
  COBIT Process: DS8 Manage Service Desk and Incidents; DS10 Manage Problems; AI3 Acquire and Maintain Technology Infrastructure
Domain: IT Security
  Risk Considerations: Vulnerability patching; Virus protection; Privileged users; Segregation of duties; Provisioning and deprovisioning; Data and application classification
  COBIT Process: DS5 Ensure Systems Security

72 Mapping IT Risks (4), Continued
Domain: Vendor Management and Sourcing
Risk Considerations: Vendor financial health; Management of product quality; Vendor performance management; Abiding by company standards; Vendor secured environment; Appropriate use of vendors
COBIT Process: DS2 Manage Third-party Services
Domain: Project and Change Management
Risk Considerations: Project management and execution; Controls integration; Project portfolio management; Significant projects and initiatives; System development lifecycle
COBIT Process: PO10 Manage Projects; AI2 Acquire and Maintain Application Software; AI6 Manage Changes; AI7 Install and Accredit Solutions and Changes

73 Sample Heat Map (1)

74 Sample Heat Map (2)
[Figure: domain heat map. Horizontal axis: Likelihood of Risk Occurrence (Low to High). Vertical axis: Risk Impact (Low to High). Key: Risks rated High, Moderate, Low.]
Domains plotted: Regulatory & Compliance; Data Privacy; IT Strategy and Business Integration; Resource Management; IT Asset Management; IT Governance; Business Continuity and Disaster Recovery; IT Infrastructure; IT Security; Sourcing/Vendor Management; Project and Change Management; Data Management
High Risk Domains: Regulatory and Compliance; IT Security; Project and Change Management; IT Strategy and Business Integration; Business Continuity/Disaster Recovery; Data Privacy
Note: Each domain was weighted according to the number of high risks present in the domain, and plotted at the likelihood and impact of the risks it contains.

75 Potential Outputs
IT Risk Register
IT Risk Prioritization
IT Risk Heat Map
IT and Business Process Linkage Matrix (maps IT projects to their representative business purpose or area)
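The register, prioritization and heat map above are usually produced from one scored list of risks. The following is an added example, not code from the KPMG deck: it scores each register entry on a 3x3 likelihood-by-impact matrix, ranks the risks, rolls them up to domains weighted by the number of High-rated risks (the weighting the heat-map note describes), and places each domain on the grid. The 3-point scales, the score thresholds (6 and above High, 3 to 4 Moderate, 1 to 2 Low) and the sample register rows are assumptions constructed for the example; substitute your own scales and entries.

```python
"""Score an IT risk register and roll it up to a domain heat map.

Added example, not part of the original deck. Scales, thresholds and the
sample register are constructed for illustration.
"""

# Assumed 3-point ordinal scales; the deck does not specify its scale.
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample register: (domain, risk statement, likelihood, impact).
RISK_REGISTER = [
    ("IT Security", "Unpatched internet-facing systems", "High", "High"),
    ("IT Security", "Privileged accounts not periodically reviewed", "Medium", "High"),
    ("IT Security", "Virus protection gaps on endpoints", "Low", "Medium"),
    ("Regulatory and Compliance", "Open SOX ITGC deficiency", "High", "High"),
    ("Data Privacy", "Unencrypted removable storage", "Medium", "High"),
    ("IT Infrastructure", "Core switch is a single point of failure", "Low", "High"),
    ("IT Asset Management", "Incomplete hardware inventory", "Medium", "Low"),
    ("Resource Management", "Key IT staff turnover", "Low", "Low"),
]


def score_risk(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 3x3 matrix, giving a score from 1 to 9."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rate_risk(score: int) -> str:
    """Bucket a 1..9 score into the heat-map legend: High, Moderate or Low."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def build_register(rows):
    """IT Risk Register: one dict per row with its score and rating attached."""
    register = []
    for domain, risk, likelihood, impact in rows:
        score = score_risk(likelihood, impact)
        register.append({"domain": domain, "risk": risk, "likelihood": likelihood,
                         "impact": impact, "score": score, "rating": rate_risk(score)})
    return register


def prioritize_risks(register):
    """IT Risk Prioritization: highest score first; ties broken by impact so a
    high-impact, lower-likelihood risk outranks the reverse, then by domain name."""
    return sorted(register, key=lambda r: (-r["score"], -IMPACT[r["impact"]], r["domain"]))


def weigh_domains(register):
    """Roll risks up to domains. The weight is the count of High-rated risks in
    the domain; the domain is plotted at the likelihood/impact of its worst risk."""
    domains = {}
    for r in register:
        d = domains.setdefault(r["domain"], {"domain": r["domain"], "high_risks": 0,
                                             "max_score": 0, "likelihood": "Low", "impact": "Low"})
        if r["rating"] == "High":
            d["high_risks"] += 1
        if r["score"] > d["max_score"]:
            d["max_score"], d["likelihood"], d["impact"] = r["score"], r["likelihood"], r["impact"]
    return sorted(domains.values(), key=lambda d: (-d["high_risks"], -d["max_score"], d["domain"]))


def heat_map(domains):
    """IT Risk Heat Map as a dict keyed (impact, likelihood) -> domain names."""
    grid = {(i, l): [] for i in IMPACT for l in LIKELIHOOD}
    for d in domains:
        grid[(d["impact"], d["likelihood"])].append(d["domain"])
    return grid


def render_heat_map(grid) -> str:
    """Text rendering with impact on the vertical axis and likelihood horizontal."""
    lines = []
    for impact in ("High", "Medium", "Low"):
        cells = [", ".join(grid[(impact, lk)]) or "-" for lk in ("Low", "Medium", "High")]
        lines.append(f"Impact {impact:<6} | " + " | ".join(cells))
    lines.append("                Likelihood: Low | Medium | High")
    return "\n".join(lines)


if __name__ == "__main__":
    reg = build_register(RISK_REGISTER)
    for r in prioritize_risks(reg):
        print(f"{r['score']} {r['rating']:<8} {r['domain']}: {r['risk']}")
    print(render_heat_map(heat_map(weigh_domains(reg))))
```

Ranking domains by the count of High-rated risks, rather than by a single worst score, is what keeps a domain with many serious findings above one with a single outlier; change the key in weigh_domains if your method weights differently.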

76 Develop IT Internal Audit Plan
Develop Basis for IT Internal Audit Plan: Validate risk outcomes; Integrate with non-IT audit activities
Develop Draft IT Internal Audit Plan: Consider scope, budget, resources; Present plan to client and revise
Maintain and Update IT Internal Audit Plan: Update IT Internal Audit Plan periodically; Align with strategic direction; Review evolving risks

77 Developing the IT Internal Audit Plan Mapping Methodologies
IT Domain | Internal Audit Project | Anticipated Scope | Hours
Data Privacy | Employee Personally Identifiable Data | Perform an assessment of the processes and controls that protect employee data and benchmark those controls against better practices |
IT Strategy and Business Integration | Joint Venture Agreements | Conduct an audit of the joint venture agreement to help ensure that environments are appropriately segregated, that access to proprietary data is appropriately restricted and that IT is adhering to the terms of the agreement |
IT Security | Segregation of Duties | Perform an assessment of the SAP application system to determine what segregation of duties conflicts exist as compared against better practice |

78 Developing the IT Internal Audit Plan Mapping Methodologies, Continued
IT Domain | Internal Audit Project | Anticipated Scope | Hours
Business Continuity and Disaster Recovery | Business Continuity | Perform an assessment of the documented business continuity plans, identify potential gaps, and help ensure that continuity plans are appropriately scaled according to risk and are periodically tested |
Data Management | End-user Computing | Conduct an audit of the establishment and use of end-user computing environments to determine whether controls over the establishment and ongoing governance of the environment are appropriately designed and operating effectively |
Project and Change Management | POS Implementation | Conduct a post-implementation audit of the planned POS solution implementation to help ensure that supporting processes and controls are in place and operating effectively and that the system and supporting architecture are working as designed |

79 IT Internal Audit Framework IT Audit Plan

80 Questions?

WHITE PAPER. Title. Managed Services for SAS Technology

WHITE PAPER. Title. Managed Services for SAS Technology WHITE PAPER Hosted Title Managed Services for SAS Technology ii Contents Performance... 1 Optimal storage and sizing...1 Secure, no-hassle access...2 Dedicated computing infrastructure...2 Early and pre-emptive

More information

Competency Definition

Competency Definition Adult Children's Outreach Technical Teen Acquisition Adaptability The ability to effectively process library material orders; knowledge of vendor software, processes, products, and updates x x The ability

More information

How to avoid storms in the cloud. The Australian experience and global trends

How to avoid storms in the cloud. The Australian experience and global trends How to avoid storms in the cloud The Australian experience and global trends Discussion Topics 1. Understanding Cloud and Benefits 2. KPMG research The Australian Experience and Global Trends 3. Considerations

More information

A Global Look at IT Audit Best Practices

A Global Look at IT Audit Best Practices A Global Look at IT Audit Best Practices 2015 IT Audit Benchmarking Survey March 2015 Speakers Kevin McCreary is a Senior Manager in Protiviti s IT Risk practice. He has extensive IT audit and regulatory

More information

Navigating the Clouds Fortifying ITIL for Cloud Governance

Navigating the Clouds Fortifying ITIL for Cloud Governance Navigating the Clouds Fortifying ITIL for Cloud Governance DECEMBER 2011 Cloud adoption promises to be an interesting journey for an enterprise with its luring benefits of on-demand models enabling faster

More information

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies

More information

Pave the way: Build a value driven SAP GRC roadmap March 2015

Pave the way: Build a value driven SAP GRC roadmap March 2015 www.pwc.be/erp Pave the way: Build a value driven SAP GRC roadmap March 2015 Agenda Introduction Measuring GRC Progression & Benchmarking GRC Program Roadmap Building a Business Case 2 Introduction Pave

More information

The CIA Challenge Exam. August 2018

The CIA Challenge Exam. August 2018 The CIA Challenge Exam August 2018 The IIA is committed to providing a clearly defined, professionally relevant suite of global certifications to support internal auditors as they progress through their

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary

More information

Dell helps you simplify IT

Dell helps you simplify IT Dell helps you simplify IT Workshops the first step. Reduce desktop and data center complexity. Improve productivity. Innovate. Dell IT Consulting Services New Edition 2011 Introduction Are you spending

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information