Information Technology Risk Assessment
1 Information Technology Risk Assessment February 6th, 2013 kpmg.com
2 With you today: Brett Luis, Advisory Services - IT Audit Director, (858) brettluis@kpmg.com
2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.
3 Objectives
- Provide an overview of IT risk
- Describe the IT Risk Assessment process and alternative approaches
- Identify the benefits of conducting an IT Risk Assessment
- Describe the phases of the IT Risk Assessment
- Learn about useful tools and frameworks
- Locate additional resources for continued support
- Describe the IT internal audit plan development process
4 What is IT risk?
"IT risk is business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise." (ISACA Risk IT Framework)
5 What are we trying to protect?
- Utilities (power supply)
- Physical environment
- Network
- Hardware: network infrastructure and devices, servers, desktop computers, laptops, smart phones, other input devices (card readers, scanners, POS terminals etc.), switches and routers, backup devices and media
- Software: applications, development tools, websites
- Data: source code, intellectual property, customer information, transaction data
6 But where is it, who owns it, and what are we protecting it from?
7 Ingram Micro Inc. SAP Project Issues in Australia
Timeframe: 2011
Failure to properly manage the migration of operations from a proprietary system to SAP on a country-by-country basis resulted in business disruption in Australia.
Issues:
o Connectivity problems between the new system and those of Ingram's warehouse and partners resulted in order delays and diminished sales and margins.
o Customer experience suffered because of customer service and order management functionality.
Results:
o Adverse impact on earnings, market share, and customer relationships in the region.
o Net income in Q2 FY11 was down from $67.7M to $59.7M.
8 Department of Homeland Security Cyber Break-Ins
Timeframe: 2005
Unisys Corp's failure to properly install and monitor its network intrusion detection devices resulted in an inability to detect three months of cyber break-ins at DHS.
Issues:
o Insufficiently secured networks in DHS posed significant risks for agencies critical to domestic security, including TSA and Customs and Border Protection.
Results:
o 150 DHS computers, including one in the Office of Procurement Operations, which handles contract data, were compromised by hackers, and an unknown quantity of information was sent to a Chinese-language Web site that appeared to host hacking tools.
9 Major Brands ERP Performance Issues
Timeframe: Mid-2011
Beverage distributor Major Brands contracted Epicor to implement an ERP system.
Issues:
o Latency problems with the software led Epicor to acknowledge that the software was not suitable for Major Brands' needs and that it would not perform as previously represented.
Results:
o Significant changes to project scope, development of new software, a revised implementation date of 2015, and increased costs of $1M.
10 Montclair State University Software Deployment Failure
Timeframe: 2009
The university entered into a $20M contract with Oracle for a PeopleSoft suite designed to replace its 25-year-old set of legacy applications.
Issues:
o Oracle failed to deliver key implementation services, caused critical deadlines to be missed, refused to make available computer resources that it had promised, and failed to deliver properly tested software.
11 Heartland Payment Systems SQL Injection
Timeframe: 2008
Code written eight years earlier for a web form allowed access to Heartland's corporate network.
Issues:
o The code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland's systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network.
Results:
o Using SQL injection, intruders compromised Heartland's corporate network and were able to capture payment card-related data.
o 134 million credit cards were exposed through SQL injection.
12 ACS:Law DDoS Attack
Timeframe: 2010
The website of ACS:Law was subjected to a DDoS attack as part of Operation Payback.
Issues:
o When the site came back online, a 350MB file, a backup of the site, was visible to anyone for a short period of time.
Results:
o The backup, which included copies of e-mails sent by the firm, was downloaded and made available on various peer-to-peer networks.
o Encrypted Excel spreadsheets listing names and addresses of people that ACS:Law had accused of illegally sharing media were released to the public.
13 Qantas Airlines System Outage
Timeframe: 2012
Computer problems with the Amadeus airline reservation system caused long lines and traveler delays at airports across Australia.
Issues:
o The outage was a result of the leap second bug: the addition of a single second to the world's atomic clocks caused problems with IT systems.
o Three vital elements of the Amadeus system were affected: check-in, reservations and plane loading calculations.
o Outages lasted for approximately 1 hour.
Results:
o More than 400 Qantas flights around Australia were delayed by at least two hours as staff switched to manual check-ins.
14 CardSystems Solutions SQL Trojan Attack
Timeframe: 2005
Hackers broke into CardSystems' database using an SQL Trojan attack.
Issues:
o Code was inserted into the database via the browser page; every four days it placed data into a zip file and sent it out through FTP.
o CardSystems never encrypted users' personal information and did not have proper safeguards in place.
Results:
o 40 million credit card accounts were exposed.
o Hackers gained access to names, account numbers, and verification codes.
o CSS, one of the top payment processors for Visa, MasterCard and American Express, was ultimately forced into acquisition.
15 Pennsylvania Liquor Control Board ERP System Failures
Timeframe:
PLCB undertook a $66.6M Oracle ERP software project and underwent significant changes in project scope, inflated costs and staffing issues.
Issues:
o A forecasting application went live in September 2009, and by January 2010 managers learned that the system was producing inaccurate inventory levels.
Results:
o Oracle denied PLCB's request for the inventory forecasting formulas because the information was proprietary.
o PLCB was forced to order excess merchandise to compensate for the system's flaws, resulting in overflowing stocks and high storage costs.
o PLCB's sales rose during this period, but net profits from store operations dropped 47 percent.
16 Data breaches (record counts as transcribed; the trailing digits and the year column were lost in extraction)
Organization | Records | Year
Heartland Payment Systems | 130,000,… |
TJX Companies | 94,000,… |
TRW, Sears Roebuck | 90,000,… |
Sony Corp | 77,000,… |
National Archives and Records Admin | 76,000,… |
Cardsystems, Visa, Mastercard, AmEx | 40,000,… |
US Dept of Veterans Affairs | 26,500,… |
HM Revenue and Customs, TNT | 25,000,… |
Sony Online Entertainment | 24,600,… |
17 What's the C-Suite and Board really going to care about?
[Chart: revenue loss (scale $0 to $45,000,000) plotted against time in days for a system outage]
18 What concerns the Audit Committee?
Q1. From your perspective as an audit committee member, which of the following risks (aside from financial reporting risk) pose the greatest challenges for your company? (select three)
Source: KPMG Audit Committee Institute 2013 Global Survey
19 Example corporate failures
Company | Description | Causes
Comet Group | Electrical retail chain | Rapid expansion; a major client loss left the company with a large supply of obsolete inventory; major rivals (Wal-Mart) made key acquisitions to gain market share
Hostess Brands | Wholesale baker | Union labor dispute
Blockbuster | Video rental | Failure to adapt to new competitors and technologies (e.g. Netflix)
Borders | Book retailer | Failure to adapt to new competitors and technologies (e.g. Amazon)
Circuit City | Electrical retail chain | Failure to adapt to new competitors
Nortel | Telecommunications | Slowing demand for legacy telecom equipment; accounting scandal
20 The Importance of IT Risk Assessment
21 Why Companies Need an IT Risk Assessment
There are many factors that drive the need for an IT Risk Assessment:
- Foundation for the IT Audit Plan
- Organizational changes
- Changes in the regulatory environment
- Technology or compliance related incident
22 Where can you find help?
- ISO/IEC 27002
- NIST SP: An Introduction to Computer Security: The NIST Handbook
- NIST SP: Guide for Developing Security Plans for Information Technology Systems
- NIST SP: Security Self-Assessment Guide for Information Technology Systems
- NIST SP: Risk Management Guide for Information Technology Systems
- The Risk IT Framework
- COBIT
23 ISO/IEC 27002
The ISO/IEC 27002:2005 Code of practice for information security management recommends that the following be examined during a risk assessment:
- security policy
- organization of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development and maintenance (see Systems Development Life Cycle)
- information security incident management
- business continuity management
- regulatory compliance
24 NIST
25 NIST, continued
26 ISACA Risk IT Framework Principles
27 Conducting an IT Risk Assessment - Phase 1 Strategic Analysis
28 Strategic Analysis: Purpose and High-Level Approach
Understand the Business:
- Understand the industry
- Understand the organization's objectives, strategic direction, business model, and the role that technology has in supporting the business
Understand the IT Environment and Define the IT Universe:
- Obtain a high-level understanding of the IT environment or "IT universe", which includes the IT environment, the IT organization, the structure of IT, and the overall governance of IT
29 Understand the Business
1. Interview leaders and appropriate business professionals
2. Understand the overall business, objectives, strategies, plan, business model and role of technology
3. Request and review information
4. Document and confirm the understanding of the business with key stakeholders
30 Understand the Business, Continued
- Organization's objectives
- Strategic direction
- Business model
- Technology used in supporting the business
31 Understand the Business, Continued
Request and review information:
- Mission, vision, and value statements
- Strategic plans
- Annual business plans
- Management performance scorecards
- Stockholder annual reports and supplements
- Regulatory filings
32 Example Business Understanding Document
33 Understand the IT Environment
The IT environment includes:
- Computing platform
- Operating system of the computing environment
- Applications
- Databases
- Datacenter locations
- Type of communications network
- External network service providers
- Hardware
34 Understand the IT Environment, Continued
Detailed information:
- IT organization (strategy, products, programs, initiatives, etc.)
- Structure of IT (size and complexity)
- Overall governance of IT (operating committees, reporting, policies, procedures, etc.)
Understanding the IT environment and current state helps define the potential scope of the risk assessment and the planning and scoping of the IT Internal Audit Plan.
35 Define the IT Universe
1. Develop an initial IT Universe questionnaire
2. Prepare a Prepared By Client (PBC) list and conduct interviews
3. Obtain information from industry leaders on current trends and issues
4. Distribute the IT Universe questionnaire and the PBC list with instructions to appropriate IT stakeholders and review responses
5. Conduct interviews with IT leadership to confirm understanding
36 IT Universe Questionnaire
Example IT Universe questionnaire items:
- Organizational uniqueness: business and delivery models
- Degree of system and geographic centralization
- System architecture diversity
- Degree of customization within the systems and applications
- Intellectual property
- Privacy
- International cross-border laws and regulations (Safe Harbor)
- Mobile storage/media handling
- Compliance
37 IT Universe Questionnaire, Continued
Example IT Universe questionnaire items:
- Degree of automation/manual activities
- Governance of IT
- Governance of 3rd parties
- Encryption: data in transmission and in storage
- Data retention requirements
- Record management
- Degree and approach to outsourcing
- Degree of operational standardization
- Disaster recovery and business continuity maturity
- Emerging technologies and/or services
38 Information Requests
Information (PBC, Prepared by Client) request items:
- IT organizational charts and structure
- IT strategy, goals, objectives, and challenges
- Management reports
- Governance model, risk reporting, tools, practices
- Key systems, applications, and data
- Significant organizational projects with an IT component
- Organization's business and operational processes
39 Information Requests, Continued
Information request items:
- Existing IT and/or business risk assessment models
- Applicable Internal Audit reports
- Applicable external auditors' reports
- Internal Audit Plan
- SOX IT deficiency list and SOX risk assessment
- Business continuity and disaster recovery
- Other third-party audit reports
- Enterprise risk assessment documentation
40 Preliminary Analysis
- Identify potential areas to inquire about in the fieldwork/interview stage
- Log initial observations in a risk register for discussion during interviews
- Perform a preliminary analysis of risk elements relevant to the organization
- Understand and document the entity's level of dependence on information systems and overall current state
41 Outputs
At this point, the project team should have:
- An understanding of the business environment that has been reviewed and confirmed
- An understanding of the IT universe that has been reviewed and confirmed
- An initial list of risks within a risk register to move into the further detailed analysis phases
42 Review
- The strategic analysis phase is critical to establishing a foundation for Fieldwork and Data Gathering
- Understanding the business, the industry, and the IT environment leads to better questions
- Awareness of the business's world builds rapport, insight and competence
43 Conducting an IT Risk Assessment - Phase 2 Fieldwork and Data Gathering
44 Phase 2 topics:
- IT Frameworks and Risk Assessment Criteria
- Identify IT Risks and Facilitate Discussion
- Preparing for the Interviews
- Conducting the Interviews
45 Determine Framework for IT Risk Assessment
Key Steps:
- Establish the framework with IT business objectives
- Determine the risk rating criteria
- Agree with the business on the framework and risk rating criteria
Approach:
- Use industry and business information already gathered
- Agree on reporting structure
- Meet with appropriate C-level and IT executives
46 IT Risk Assessment Framework
IT frameworks:
- COBIT
- ITIL
- COSO
- GTAG
- NIST Special Publication 800 Series:
  - Risk Management Guide for Information Technology Systems
  - Security Self-Assessment Guide for Information Technology Systems
  - Information Security
47 Establishing the IT Risk Assessment Framework
Approaches:
- Utilize the existing framework, if available
- Collaborate with IT to determine which industry common framework or standard to utilize (COBIT, ITIL, ISO, COSO, NIST publications, GTAG, etc.)
- Develop a customized framework comprised of selected components of the above industry common frameworks and standards
49 Identify IT Risks and Facilitate Discussions
Key Steps:
- Identify, document, and evaluate the relevant IT risks that threaten achievement of IT business objectives as defined and agreed to by management
- Agree with key stakeholders on the approach of the IT Risk Assessment
50 Identify IT Risks and Facilitate Discussions, Continued
Approach:
Step | Documents / Methods | Purpose
Gather the information you created while preparing for interviews | Organization's existing IT and Business Understanding document; understanding of the IT Universe; IT Risk Assessment Register | Use as a baseline and to facilitate discussions with IT management
Agree on approach with the business to determine the assessment method | Individual interviews; questionnaires; workshops; a combination of the above | Determine the appropriate assessment method for the project
Perform assessment | Same as the cell above | Determine IT risks that threaten achievement of IT objectives
51 IT Risk Rating Criteria
Purpose:
- Helps to define the "measuring stick" that the project team will use with the business to rank and evaluate identified risks
- Used to assess the significance of risks to the organization by grouping, classifying, and prioritizing risks
Approaches:
- Use existing criteria from the business or industry
- Collaborate with the business to develop criteria
- Introduce example criteria/levels/terminology from other projects
- Combination of approaches
52 Risk Appetite and Capacity
Risk Criteria | Definition | Expressed as
Risk Appetite | The level of risk the business is prepared to accept to achieve its objectives | How much variability of return the business is prepared to accept in order to achieve a desired level of results
Risk Capacity | The level of risk the business is not prepared to exceed | An estimate of the maximum loss that it believes it can endure in one year without endangering the survival of the company
53 Measuring Risk Appetite and Capacity
[Figure: two scales. Time: how long will it take to recover from the event? (less time = less risk, more time = more risk). Type of business: what is the impact on the type of business? (less time = less risk, more time = more risk)]
Time is an indicator of how much security and risk avoidance an organization may want or need. For example, an online business will have a greater need to maintain Web applications than a manufacturer might, so the likelihood/impact of network and/or Web application attacks may carry more weight.
54 Defining Risk Rating Criteria - Example
[Figure: Risk Prioritization Practice Guide (example). Note: this should be agreed with the business prior to starting the IT risk assessment.]
Rating legend: U = Unacceptable, C = Critical, S = Significant, M = Minor, I = Immaterial
55 ISO's Probability of Event Scale
Probability of Event | Frequency | Rating
Negligible | Unlikely to occur | 0
Very Low | 2 to 3 times every 5 years | 1
Low | Less than or equal to once per year | 2
Medium | Once every 6 months or less | 3
High | Once every month or less | 4
Very High | More than once every month | 5
Extreme | Once per day or more | 6
56 ISO's Harm of Event Scale
Harm of Event | Degree of Harm | Rating
Insignificant | Minimal to no impact | 0
Minor | No extra effort required to repair | 1
Significant | Tangible harm; extra effort required to repair | 2
Damaging | Significant expenditure of resources required; damage to reputation and confidence | 3
Serious | Extended outage and/or loss of connectivity; compromise of large amounts of data or services | 4
Grave | Permanent shutdown; complete compromise | 5
58 Preparing for the Interviews
- Leverage the SMPs you have identified for the project
- Leverage the project sponsor for suggestions
- Determine who to interview and where to spend the most time
- Prepare questionnaires and tailor questions to the audience
59 Phase 2 topics:
- IT Frameworks and Risk Assessment Criteria
- Identify IT Risks and Facilitate Discussion
- Preparing for the Interviews
- Conducting the Interviews
- Case Study: Conducting Interviews
- Review
60 Interviewing Guiding Principles
- Keep your interview audience in mind
- Send out an overview of the project scope and purpose along with example questions to the interviewee before the meeting
- Be prepared in case they didn't read what you sent them
- Be prepared to ask questions in different ways depending on the interviewee
- Make sure they understand that this is a risk assessment and that their input may not result in specific action items
- The interviewer should be in a similar position and have similar expertise to the interviewee
- Let them know that the responses are anonymous
- Don't interview alone: always have someone to primarily ask and someone to primarily record
61 Digesting Information and Analyzing Risks
62 Analyze, Classify, Prioritize IT Risks and Map to Key IT and Business Processes
Activities:
- Analyze, classify, and prioritize the risk data gathered in the facilitated discussions phase of the IT Risk Assessment
- Document a consolidated list of relevant risks to the organization
- Map IT risks to key IT and business processes
63 Example IT Risks and Maturity Model (COBIT 4.1)
64 Key Considerations
- Risk consolidation
- Risk focus areas
- Business validation
- Risk categorization and rating
- Good visual representation (matrices, charts)
- Linkage to key IT and business processes (residual risks; key IT processes versus loosely associated IT processes)
65 Mapping IT Risks (1)
IT Strategy and Business Integration: strategic alignment; IT cost take-out; acquisitions, divestitures and JVs; plant/site closures; budget and IT investment; emerging technology; application system portfolio; shared services
Business Continuity and Disaster Recovery: disaster recovery plans; leadership and ownership of plans; business involvement; third-party considerations; business continuity plans; roles and responsibilities; backup and recovery capabilities
Regulatory and Compliance: local country laws/regulatory and statutory reporting; chemical facility anti-terrorism standards; Registration, Evaluation, and Authorization of Chemicals (REACH), EMEA only; Chemical Assessment and Management Program (ChAMP), U.S. only; Sarbanes-Oxley; payment card; government and military contracting; HIPAA; e-discovery
66 Mapping IT Risks (1), Continued
Data Privacy: protection of sensitive data; unmonitored third-party access; ownership of data; encryption; removable storage; intellectual property protection; employee personally identifiable information; customer data
Resource Management: IT staff turnover; training and education; succession planning; identification of needed skill sets; institutional knowledge and key-person dependency
IT Asset Management: software asset management; technology obsolescence; data center physical security; application obsolescence; IT purchasing; hardware inventory management
67 Mapping IT Risks (2)
IT Governance: policies and procedures; demand management; controls governance; infrastructure governance; application governance; business process governance; known deficiency remediation; system selection
IT Infrastructure: system availability; infrastructure growth; system maintenance; POS architecture; network architecture; wireless computing; system software management
IT Security: vulnerability patching; virus protection; privileged users; segregation of duties; provisioning and deprovisioning; application system portfolio; use of encryption; removable storage; manufacturing system access; logical data center security; data and application classification
68 Mapping IT Risks (2), Continued
Vendor Management and Sourcing: vendor health; counterparty risk; management of product quality; vendor performance management; abiding by [Company Name] standards; vendor contingency plans; vendor secured environment; appropriate use of vendors
Project and Change Management: project management and execution; controls integration; project portfolio management; significant projects and initiatives; system development lifecycle
Data Management: business intelligence capability; ERP integration; data availability; accuracy and integrity of data
69 Mapping IT Risks (3)
Domain | Risk Considerations | COBIT Process
IT Strategy and Business Integration | Strategic alignment; budget and IT investment; emerging technology; application system portfolio | PO1 Define a Strategic IT Plan
Business Continuity and Disaster Recovery | Disaster recovery plans; leadership and ownership of plans; business involvement; third-party considerations; business continuity plans; roles and responsibilities; backup and recovery capabilities; data availability | DS4 Ensure Continuous Service; DS11 Manage Data
Regulatory and Compliance | Bank Secrecy Act; Sarbanes-Oxley; GLBA | ME3 Ensure Compliance With External Requirements
70 Mapping IT Risks (3), Continued
Domain | Risk Considerations | COBIT Process
Data Privacy | Protection of sensitive data; unmonitored third-party access; ownership of data; encryption; removable storage; employee personally identifiable information; customer data | PO2 Define the Information Architecture
Resource Management | IT staff turnover; training and education; identification of needed skill sets | PO4 Define the IT Processes, Organization and Relationships
IT Asset Management | Technology obsolescence; data center physical security; IT purchasing; hardware inventory management | AI5 Procure IT Resources; DS12 Manage the Physical Environment
71 Mapping IT Risks (4)
Domain | Risk Considerations | COBIT Process
IT Governance | Policies and procedures; controls governance; infrastructure governance; application governance; business process governance; known deficiency remediation | PO6 Communicate Management Aims and Direction
IT Infrastructure | System availability; infrastructure growth; system maintenance; network architecture; system software management | DS8 Manage Service Desk and Incidents; DS10 Manage Problems; AI3 Acquire and Maintain Technology Infrastructure
IT Security | Vulnerability patching; virus protection; privileged users; segregation of duties; provisioning and deprovisioning; data and application classification | DS5 Ensure Systems Security
72 Mapping IT Risks (4), Continued
Domain | Risk Considerations | COBIT Process
Vendor Management and Sourcing | Vendor financial health; management of product quality; vendor performance management; abiding by company's standards; vendor secured environment; appropriate use of vendors | DS2 Manage Third-party Services
Project and Change Management | Project management and execution; controls integration; project portfolio management; significant projects and initiatives; system development lifecycle | PO10 Manage Projects; AI2 Acquire and Maintain Application Software; AI6 Manage Changes; AI7 Install and Accredit Solutions and Changes
73 Sample Heat Map (1)
74 Sample Heat Map (2)
[Heat map figure: Risk Impact (Low to High, vertical axis) plotted against Likelihood of Risk Occurrence (Low to High, horizontal axis); risks shaded High / Moderate / Low]
High Risk Domains: Regulatory and Compliance; IT Security; Project and Change Management
Key (domains plotted): IT Strategy and Business Integration; Business Continuity/Disaster Recovery; Regulatory & Compliance; Data Privacy; Resource Management; IT Asset Management; IT Governance; IT Infrastructure; IT Security; Sourcing/Vendor Management; Project and Change Management; Data Management
Note: Each domain was weighed according to the number of high risks present in the domain
75 Potential Outputs
  IT Risk Register
  IT Risk Prioritization
  IT Risk Heat Map
  IT and Business Process Linkage Matrix (map IT projects to their representative business purpose/area)
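The heat map and prioritization outputs above come from a risk register that rates each risk for impact and likelihood and then weighs every domain by its number of high risks, as the heat map note states. The following is an added example (not code from the KPMG deck) that builds such a register for the deck's risk domains and COBIT mappings; the numeric Low/Moderate/High scale, the impact x likelihood scoring rule, the placement of a domain at the average rating of its risks, and the sample risks themselves are assumptions constructed for illustration.

```python
"""Added example (not from the KPMG deck): a small IT risk register that
prioritizes risks and places the deck's risk domains on an Impact x
Likelihood heat map, weighting each domain by its number of high risks."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed numeric scale for the Low / Moderate / High labels on the slides.
LOW, MODERATE, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Risk:
    domain: str        # a risk domain from the mapping slides
    description: str
    impact: int        # LOW, MODERATE or HIGH
    likelihood: int    # LOW, MODERATE or HIGH
    cobit: str         # COBIT process the domain maps to on the slides


def risk_score(risk: Risk) -> int:
    """Impact x likelihood, 1..9 (assumed scoring rule, not the deck's)."""
    return risk.impact * risk.likelihood


def risk_level(risk: Risk) -> str:
    """Bucket a score into the deck's High / Moderate / Low legend."""
    score = risk_score(risk)
    return "High" if score >= 6 else "Moderate" if score >= 3 else "Low"


def prioritize(risks):
    """IT Risk Prioritization output: highest score first, then by name."""
    return sorted(risks, key=lambda r: (-risk_score(r), r.domain, r.description))


def domain_weights(risks):
    """Deck's note: each domain is weighed by its number of high risks."""
    weights = Counter({r.domain: 0 for r in risks})
    weights.update(r.domain for r in risks if risk_level(r) == "High")
    return dict(weights)


def high_risk_domains(risks):
    """Domains carrying at least one high risk, heaviest first."""
    w = domain_weights(risks)
    return sorted((d for d, n in w.items() if n > 0), key=lambda d: (-w[d], d))


def _bucket(avg: float) -> str:
    # Average rating -> axis label; 2.5 goes to High (round() would use
    # banker's rounding and send it to Moderate).
    return "High" if avg >= 2.5 else "Moderate" if avg >= 1.5 else "Low"


def heat_map(risks):
    """IT Risk Heat Map output: (impact, likelihood) cell -> sorted domains.

    A domain sits at the average impact and likelihood of its risks
    (an assumption; the deck does not state its placement rule)."""
    by_domain = defaultdict(list)
    for r in risks:
        by_domain[r.domain].append(r)
    cells = defaultdict(list)
    for domain, items in by_domain.items():
        impact = _bucket(sum(r.impact for r in items) / len(items))
        likelihood = _bucket(sum(r.likelihood for r in items) / len(items))
        cells[(impact, likelihood)].append(domain)
    return {cell: sorted(domains) for cell, domains in cells.items()}


def render_heat_map(risks) -> str:
    """Text grid with Risk Impact down the side and Likelihood across."""
    cells = heat_map(risks)
    axes = ["High", "Moderate", "Low"]
    rows = ["Risk Impact \\ Likelihood | " + " | ".join(axes)]
    for impact in axes:
        row = [", ".join(cells.get((impact, lk), [])) or "-" for lk in axes]
        rows.append(f"{impact:>24} | " + " | ".join(row))
    return "\n".join(rows)


# Constructed sample register: descriptions follow the risk considerations
# listed on the mapping slides; the ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("Regulatory and Compliance", "GLBA safeguards not documented", HIGH, HIGH, "ME3"),
    Risk("IT Security", "Vulnerability patching backlog", HIGH, HIGH, "DS5"),
    Risk("IT Security", "Privileged users not periodically reviewed", HIGH, MODERATE, "DS5"),
    Risk("Project and Change Management", "POS implementation lacks controls integration", HIGH, HIGH, "AI7"),
    Risk("Business Continuity and Disaster Recovery", "Disaster recovery plan untested", HIGH, LOW, "DS4"),
    Risk("IT Asset Management", "Hardware inventory incomplete", LOW, MODERATE, "AI5"),
    Risk("Resource Management", "IT staff turnover in key roles", MODERATE, MODERATE, "PO4"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{risk_level(r):8} {r.domain}: {r.description} ({r.cobit})")
    print("High Risk Domains:", ", ".join(high_risk_domains(SAMPLE_RISKS)))
    print(render_heat_map(SAMPLE_RISKS))
```

With the constructed register, the three domains carrying high risks match the "High Risk Domains" box on the sample heat map; swapping in a real register changes the output, not the method.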
76 Develop IT Internal Audit Plan
Develop Basis for IT Internal Audit Plan
  Validate risk outcomes
  Integrate with non-IT audit activities
Develop Draft IT Internal Audit Plan
  Consider scope, budget, resources
  Present plan to client and revise
Maintain and Update IT Internal Audit Plan
  Update IT Internal Audit Plan periodically
  Align with strategic direction
  Review evolving risks
77 Developing the IT Internal Audit Plan: Mapping Methodologies
(Columns: IT Domain | Internal Audit Project | Anticipated Scope | Hours)
IT Domain: Data Privacy
  Internal Audit Project: Employee Personal Identifiable Data
  Anticipated Scope: Perform an assessment of the processes and controls that protect employee data and benchmark those controls against better practices
IT Domain: IT Strategy and Business Integration
  Internal Audit Project: Joint Venture Agreements
  Anticipated Scope: Conduct an audit of the Joint Venture agreement to help ensure environments are appropriately segregated, access to proprietary data is appropriately restricted and that IT is adhering to the terms of the agreement
IT Domain: IT Security
  Internal Audit Project: Segregation of Duties
  Anticipated Scope: Perform an assessment of the SAP application system to determine what segregation of duties conflicts exist as compared against better practice
78 Developing the IT Internal Audit Plan: Mapping Methodologies, Continued
(Columns: IT Domain | Internal Audit Project | Anticipated Scope | Hours)
IT Domain: Business Continuity and Disaster Recovery
  Internal Audit Project: Business Continuity
  Anticipated Scope: Perform an assessment of the documented business continuity plans and identify potential gaps, help ensure continuity plans are appropriately scaled according to risk, and that plans are periodically tested
IT Domain: Data Management
  Internal Audit Project: End-user Computing
  Anticipated Scope: Conduct an audit of the establishment and use of end-user computing environments to determine that controls around the establishment and on-going governance of the environment are designed and operating effectively
IT Domain: Project and Change Management
  Internal Audit Project: POS Implementation
  Anticipated Scope: Conduct a post-implementation audit of the planned POS solution implementation to help ensure that supporting processes and controls are in place and operating effectively and that the system and supporting architecture are working as designed
79 IT Internal Audit Framework
[Figure: IT Audit Plan]
80 Questions?