IT risks and controls

Università degli Studi di Roma "Tor Vergata", Master of Science in Business Administration, Business Auditing Course. IT risks and controls. October 2018

Agenda
I. IT GOVERNANCE: IT evolution, objectives, roles and process model of an IT governance framework
II. IT RISK MANAGEMENT: risk context, key elements of an IT risk management framework, risk and measure examples. DISCUSSION about risk identification
III. IT AUDIT CASE STUDY: approach, planning and results of a real IT audit activity

Section I: IT GOVERNANCE
1. Main references adopted
2. IT evolution
3. IT governance definition and objectives
4. Governance enablers
5. Governance roles
6. Process reference model

IT governance: main references adopted (the slide shows the reference frameworks only as images)

IT governance: IT evolution (figure: three numbered stages, the last labelled business enablement)

IT governance: why IT governance?
1. High-quality information
2. Business value
3. Operational excellence
4. IT-related risk
5. Cost of IT
6. Compliance

IT governance definition (ITGI): "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."

IT governance: drivers for IT governance activities (figure from the ITGI Global Status Report on the Governance of Enterprise IT)

IT governance: governance objective (figure with three numbered elements)

IT governance: governance enablers (figure)

IT governance: governance roles (figure)

IT governance: process reference model (figure with four numbered parts; the two following slides are image-only)

Section II: IT RISK MANAGEMENT
1. Key points of context
2. Risk / IT risk definitions
3. IT risk categories
4. IT risk evaluation
5. IT risk and organisational structures
6. Information items and risk management
7. Risk management process
8. Risk scenario structure and risk factors
9. Risk scenario and response examples

IT risk management: key points of context
1. IT is a key element in creating value
2. Regulations govern information technology
3. There is a growing need to manage risks related to IT
4. IT risk management requires addressing the full scope of strategic impacts

IT risk management: risk / IT risk definitions
RISK: risk is the combination of the probability of an event and its consequence; the consequence is that enterprise objectives are not met.
IT (Information and related Technology) RISK: IT risk is a business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

IT risk management: IT risk and business value (figure: on the downside, the enterprise fails to gain or loses business value; on the upside, it gains or preserves it)

More specifically, what is an IT risk? An IT risk originates in the IT building blocks and impacts the business. The building blocks are:
1. People, skills and competencies
2. Processes
3. Information
4. Services, infrastructure and applications

IT risk management: IT risk categories
1. IT benefit / value enablement
2. IT programme and project delivery
3. IT operations and service delivery

IT risk management: IT-related issues experienced in the past 12 months (figure from the ITGI Global Status Report on the Governance of Enterprise IT)

IT risk management: IT risk evaluation (figure with two numbered elements)

IT risk management: IT risk and organisational structures (figure)

IT risk management: IT risk and organisational structures. Business process owners and IT process / service owners are both involved in:
1. Risk evaluation
2. Risk ownership
Risk owner: "person or entity with the accountability and authority to manage a risk" (ISO 31000, Risk management: principles and guidelines).

IT risk management: information items used in risk management
1. Risk scenarios
2. Risk analysis results
3. Risk universe
4. Risk action plan
5. Loss events
6. Risk factors
7. Risk profile

IT risk management: risk management process (practice: main outputs; the practices are those of COBIT 5 process APO12, Manage risk)
1. Collect data: data on the operating environment relating to risk; data on risk events and contributing factors
2. Analyse risk: IT risk scenarios; risk analysis results
3. Maintain a risk profile: aggregated risk profile, including the status of risk management actions
4. Articulate risk: risk analysis and risk profile reports for stakeholders
5. Define an action portfolio: project proposals for reducing risk
6. Respond to risk: risk-related incident response plans

IT risk management: risk scenario structure (figure with five numbered elements)

IT risk management: risk factors are grouped by
1. Internal context
2. External context

IT risk management: risk factors, category 1, internal context
1. Enterprise goals and objectives
2. Strategic importance of IT for the business
3. Complexity of IT
4. Complexity of the entity
5. Degree of change
6. Change management capability
7. Operating model
8. Strategic priorities
9. Culture of the enterprise
10. Financial capacity
11. Risk management capability
12. IT-related capabilities

IT risk management: risk factors, category 2, external context
1. Market and economic factors
2. Rate of change in the market / product life cycle
3. Industry and competition
4. Geopolitical situation
5. Regulatory environment
6. Technology status and evolution

IT risk management: risk scenario examples from COBIT (risk category: risk scenario [COBIT reference]; the reference numbers follow the scenario numbering of COBIT 5 for Risk, which is why they do not always match the category numbers used on these slides)
1. Portfolio establishment and maintenance: There is duplication between initiatives. [0102]
2. Programme/projects life cycle management: There is an IT project budget overrun. [0202]
3. IT investment decision making: The wrong software, in terms of cost, performance, features, compatibility, etc., is selected for implementation. [0302]
4. IT expertise and skills: There is a lack of or mismatched IT-related skills within IT, e.g., due to new technologies. [0401]
5. Staff operations (error and malicious intent): Hardware components were configured erroneously. [0508]
6. Information (data breach: damage, leakage and access): Portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed. [0603]
7. Architecture (architectural vision and design): The enterprise architecture is complex and inflexible, obstructing further evolution and expansion and leading to missed business opportunities. [0701]
8. Infrastructure: The systems cannot handle transaction volumes when user volumes increase. [0802]
9. Software: Intentional modification of software leading to wrong data or fraudulent actions. [0906]
10. Business ownership of IT: Business does not assume accountability over those IT areas it should, e.g., functional requirements, development priorities, assessing opportunities through new technologies. [1001]
11. Supplier selection/performance, contractual compliance, termination of service and transfer: Support and services delivered by vendors are inadequate and not in line with the SLA. [1103]
12. Regulatory compliance: There is non-compliance with regulations, e.g., privacy, accounting, manufacturing. [1201]
13. Infrastructure theft or destruction: Destruction of the data centre (sabotage, etc.) occurs. [1403]
14. Malware: Regularly, there is infection of laptops with malware. [1502]
15. Logical attacks: There is a service interruption due to a denial-of-service attack. [1602]
16. Industrial action: Facilities and buildings are not accessible because of a labour union strike. [1701]
17. Acts of nature: There is flooding. [1905]

IT risk management: risk scenarios by category (pie charts; percentages as read from the slide). By risk category: IT benefit / value enablement 36%, IT programme and project delivery 15%, IT operations and service delivery 50%. By nature: cybersecurity 13%, others 87%.

IT risk management: risk response examples from COBIT (risk category: risk response, expressed as a COBIT 5 process practice [reference])
1. Portfolio establishment and maintenance: Prioritise resource allocation. [APO06.02]
2. Programme/projects life cycle management: Maintain a standard approach for programme and project management. [BAI01.01]
3. IT investment decision making: Manage stakeholder engagement. [BAI01.03]
4. IT expertise and skills: Plan and track the usage of IT and business human resources. [APO07.05]
5. Staff operations (error and malicious intent): Manage contract staff. [APO07.06]
6. Information (data breach: damage, leakage and access): Ensure traceability of information events and accountabilities. [DSS06.05]
7. Architecture (architectural vision and design): Define reference architecture. [APO03.02]
8. Infrastructure: Monitor and scan the technology environment. [APO04.03]
9. Software: Evaluate, prioritise and authorise change requests. [BAI06.01]
10. Business ownership of IT: Monitor and report service levels. [APO09.04]
11. Supplier selection/performance, contractual compliance, termination of service and transfer: Monitor supplier performance and compliance. [APO10.05]
12. Regulatory compliance: Identify external compliance requirements. [MEA03.01]
13. Infrastructure theft or destruction: Manage physical access to IT assets. [DSS05.05]
14. Malware: Monitor the infrastructure for security-related events. [DSS05.07]
15. Logical attacks: Monitor IT infrastructure. [DSS01.03]
16. Industrial action: Identify key IT personnel. [APO07.02]
17. Acts of nature: Exercise, test and review the business continuity plan. [DSS04.04]

DISCUSSION: risk identification

Discussion: assessing the risk connected to personal data security. Given the statement from the EU General Data Protection Regulation below, which of the risk scenarios listed on the following slide should be considered?
GDPR, Article 32(2): "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."

Discussion: risk scenarios to choose from (risk category: risk scenario [COBIT reference])
1. Portfolio establishment and maintenance: There is duplication between initiatives. [0102]
2. Programme/projects life cycle management: There is occasional late IT project delivery by an internal development department. [0203]
3. IT investment decision making: Redundant software is purchased. [0304]
4. IT expertise and skills: There is a lack of or mismatched IT-related skills within IT, e.g., due to new technologies. [0401]
5. Staff operations (error and malicious intent): Hardware components were configured erroneously. [0508]
6. Information (data breach: damage, leakage and access): Portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed. [0603]
7. Architecture (architectural vision and design): There is a failure to adopt and exploit new infrastructure in a timely manner. [0703]
8. Infrastructure: The systems cannot handle transaction volumes when user volumes increase. [0802]

Section III: IT AUDIT CASE STUDY
1. IT audit approach
2. Needs of the key players
3. Audit scope and planning
4. Risk assessment
5. Audit areas
6. Methods adopted
7. Audit report and improvement points
8. Key points

IT audit case study: IT audit approach
1. Overall analysis
2. Effective checks
3. Search for logical vulnerabilities

IT audit case study: needs of the key players
1. Management
2. Audit and control functions
3. IT department

IT audit case study: audit scope
1. Main foreign branches of a leading company in the industrial sector
2. The company has 20 foreign branches on several continents

IT audit case study: information system audited (figure: the audited branches and the headquarters, with applications for tenders, design, production and support processes)

IT audit case study: audit planning
1. Preliminary survey: documentation analysis, interviews
2. Risk assessment: IT systems, IT management processes
3. Audit plan: audit areas, checks

IT audit case study: risk assessment. Purpose:
1. Identify and assess IT risk
2. Define the audit programme

IT audit case study: risk assessment (figure: tailor-made checklist, IT risk assessment process, audit support, real-time results)

IT audit case study: risk assessment checklist (each risk is rated L / M / H on the slide; the ratings are not reproduced here)
IT architecture:
- The enterprise architecture is complex, obstructing further evolution and not supporting the business priorities.
IT expertise and skills:
- There is a lack in the IT staff recruiting process.
- There are insufficient IT human resources to cover the business requirements.
- There is an overreliance on key IT staff.
- There are insufficient skills to cover the business requirements.
Software:
- There is extensive use of end-user computing for important information (e.g. Excel), leading to security deficiencies, inaccurate data or increasing costs.
- There is a lack of IT training / support / user guides for new application software or software releases.
Information management:
- Data are lost, inaccessible or corrupted (e.g. backup media is lost or backups are not checked for effectiveness; data are modified intentionally).
IT project portfolio management:
- There is a failure, overbudget or delay in IT project delivery.
- Competing resources are allocated and managed inefficiently and are misaligned to business priorities.

IT audit case study: risk assessment results by IT risk category (figure: IT benefit / value enablement risk, IT operations and service delivery risk, IT programme and project delivery risk)
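The following is an added example, not code from the course or from COBIT: it turns the risk management process described in Section II (collect data, analyse risk, maintain a risk profile, define an action portfolio) and the case-study checklist above into a small risk register that rates each scenario, aggregates a risk profile per IT risk category and orders the scenarios for the audit programme. The scenario wording follows the checklist; the likelihood and impact scores, the 1 to 3 scales and the thresholds mapping scores onto L/M/H are assumptions made for illustration.

```python
"""Qualitative IT risk register with an aggregated risk profile.

Added example for the risk management process and the case-study checklist;
not code from the course or from COBIT. Scenario wording follows the slides,
the scores are constructed, and the 1..3 scales and L/M/H thresholds are
assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# The three risk categories used on the slides (Risk IT / COBIT 5 for Risk).
VALUE = "IT benefit/value enablement"
PROJECT = "IT programme and project delivery"
OPERATIONS = "IT operations and service delivery"

RANK = {"L": 1, "M": 2, "H": 3}


@dataclass(frozen=True)
class Scenario:
    category: str     # VALUE, PROJECT or OPERATIONS
    area: str         # checklist area (IT architecture, Software, ...)
    description: str
    likelihood: int   # 1 = rare, 2 = possible, 3 = likely (assumed scale)
    impact: int       # 1 = minor, 2 = significant, 3 = severe (assumed scale)


def rate(likelihood: int, impact: int) -> str:
    """Map likelihood x impact onto the L/M/H rating of the checklist.

    Thresholds are an assumption: score 6..9 -> H, 3..4 -> M, 1..2 -> L.
    """
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be in 1..3")
    score = likelihood * impact
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


def risk_profile(scenarios):
    """Aggregated risk profile: number of L/M/H scenarios and the worst
    rating per category (the 'maintain a risk profile' output)."""
    profile = defaultdict(lambda: {"L": 0, "M": 0, "H": 0, "overall": "L"})
    for s in scenarios:
        r = rate(s.likelihood, s.impact)
        entry = profile[s.category]
        entry[r] += 1
        if RANK[r] > RANK[entry["overall"]]:
            entry["overall"] = r
    return dict(profile)


def audit_programme(scenarios, minimum="M"):
    """Scenarios rated at least `minimum`, highest rating first (order is
    stable within a rating): the input to the audit plan / action portfolio."""
    selected = [s for s in scenarios
                if RANK[rate(s.likelihood, s.impact)] >= RANK[minimum]]
    return sorted(selected, key=lambda s: -RANK[rate(s.likelihood, s.impact)])


# Constructed register: checklist items from the slides, scores invented.
REGISTER = [
    Scenario(VALUE, "IT architecture",
             "Enterprise architecture is complex, obstructing evolution", 2, 2),
    Scenario(OPERATIONS, "IT expertise and skills",
             "Overreliance on key IT staff", 3, 2),
    Scenario(OPERATIONS, "Software",
             "Extensive end-user computing (e.g. Excel) for important data", 3, 2),
    Scenario(OPERATIONS, "Information management",
             "Data lost or corrupted; backups not checked for effectiveness", 2, 3),
    Scenario(PROJECT, "IT project portfolio management",
             "Failure, overbudget or delay in IT project delivery", 2, 1),
    Scenario(PROJECT, "IT project portfolio management",
             "Competing resources misaligned to business priorities", 1, 3),
]

if __name__ == "__main__":
    for category, entry in risk_profile(REGISTER).items():
        print(f"{category}: overall {entry['overall']} "
              f"(H={entry['H']}, M={entry['M']}, L={entry['L']})")
    for s in audit_programme(REGISTER):
        print(rate(s.likelihood, s.impact), s.area, ":", s.description)
```

The aggregation keeps the worst rating per category rather than an average, because one high-rated scenario is enough to put a category on the audit programme; averaging would hide it behind several low-rated ones.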

IT audit case study: audit areas (with the COBIT 5 practice each area maps to)
1. System administrators [DSS05.04 Manage user identity and logical access]
2. Management of users and authorisations [DSS05.04 Manage user identity and logical access]
3. Software licensing management [BAI09.05 Manage licences]
4. Security of IT workstations [DSS05.03 Manage endpoint security]
5. Electronic signature [DSS05.06 Manage sensitive documents and output devices]
(The following slides split area 2 into user accounts and access authorizations, giving six audit areas.)

IT audit case study: audit area 1, system administrators (check: population / sample)
1. Identification of administrators: contract documents
2. Name-registered administrator accounts: list of users in the administrators authentication group
3. Rules of minimum complexity of passwords: authentication settings of the administrator accounts

IT audit case study: audit area 2, management of user accounts (check: population / sample)
1. Correspondence between user accounts and employees: list of user accounts and of employees / collaborators
2. Traceability of the requests relating to user accounts: procedure adopted for the traceability of such requests
3. Minimum complexity of passwords: user authentication settings in the centralised authentication system
4. Name-registered accounts: list of user accounts in the centralised authentication system
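The checks of audit areas 1 and 2 can be run over the populations listed above once they are exported. The following is an added example, not part of the audit described on the slides: it reconciles an account export from the centralised authentication system against the HR list of employees and collaborators (area 2, check 1), tests whether administrator accounts are name-registered (area 1, check 2), flags enabled accounts with no recent logon, and compares the authentication settings with minimum password rules (check 3 in both areas). The employees, accounts, settings and the minimum rules are constructed sample data; the field names are assumptions about the exports an auditor would receive.

```python
"""Audit checks on administrator and user accounts (audit areas 1 and 2).

Added example, not part of the audit on the slides. Employees, accounts,
settings and the minimum rules are constructed; field names are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    active: bool                    # False once the person has left


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]      # None when no person is recorded
    enabled: bool
    groups: Tuple[str, ...] = ()
    last_logon: Optional[date] = None


# Labels that identify a role or a shared login rather than a person.
GENERIC_NAMES = {"admin", "administrator", "root", "sysadmin", "test",
                 "service", "temp", "guest", "shared"}


def is_name_registered(account: Account) -> bool:
    """Name-registered = tied to an identified person and not a generic label."""
    return (account.employee_id is not None
            and account.username.lower() not in GENERIC_NAMES)


def reconcile(accounts, employees, as_of: date, dormant_days: int = 90):
    """Accounts vs employees, name-registered administrators and dormancy.
    Disabled accounts are out of scope: they cannot be used to log on."""
    hr = {e.employee_id: e for e in employees}
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.employee_id is None:
            findings.append((a.username, "not tied to an employee"))
        elif a.employee_id not in hr:
            findings.append((a.username, "employee id unknown to HR"))
        elif not hr[a.employee_id].active:
            findings.append((a.username, "enabled account of a leaver"))
        if "Administrators" in a.groups and not is_name_registered(a):
            findings.append((a.username, "administrator account not name-registered"))
        if a.last_logon is None or (as_of - a.last_logon).days > dormant_days:
            findings.append((a.username, f"no logon in the last {dormant_days} days"))
    return findings


# Minimum rules assumed for the check (not the audited company's own policy).
MINIMUM_RULES = {"min_length": 12, "complexity": True,
                 "max_age_days": 90, "history": 12, "lockout_threshold": 10}


def check_password_settings(settings: dict) -> List[str]:
    """Authentication settings against the minimum rules. A max_age_days or
    lockout_threshold of 0 means 'never expires' / 'no lockout'."""
    problems = []
    if settings.get("min_length", 0) < MINIMUM_RULES["min_length"]:
        problems.append("minimum length below %d" % MINIMUM_RULES["min_length"])
    if not settings.get("complexity", False):
        problems.append("complexity requirement disabled")
    max_age = settings.get("max_age_days", 0)
    if max_age == 0 or max_age > MINIMUM_RULES["max_age_days"]:
        problems.append("passwords expire after more than %d days or never"
                        % MINIMUM_RULES["max_age_days"])
    if settings.get("history", 0) < MINIMUM_RULES["history"]:
        problems.append("password history shorter than %d" % MINIMUM_RULES["history"])
    lockout = settings.get("lockout_threshold", 0)
    if lockout == 0 or lockout > MINIMUM_RULES["lockout_threshold"]:
        problems.append("account lockout missing or threshold above %d attempts"
                        % MINIMUM_RULES["lockout_threshold"])
    return problems


# Constructed sample data.
AS_OF = date(2018, 10, 5)
EMPLOYEES = [Employee("E001", "Anna Rossi", True),
             Employee("E002", "Marco Bianchi", True),
             Employee("E003", "Luca Verdi", False)]          # left the company
ACCOUNTS = [
    Account("arossi", "E001", True, ("Administrators",), date(2018, 9, 30)),
    Account("mbianchi", "E002", True, (), date(2018, 10, 1)),
    Account("lverdi", "E003", True, (), date(2018, 5, 10)),          # leaver, still enabled
    Account("admin", None, True, ("Administrators",), date(2018, 10, 2)),  # shared admin login
    Account("svc_backup", None, False, ("Administrators",), None),   # disabled: skipped
    Account("jdoe", "E099", True, (), date(2018, 9, 28)),            # id not in HR list
]
ADMIN_SETTINGS = {"min_length": 8, "complexity": False, "max_age_days": 0,
                  "history": 5, "lockout_threshold": 0}

if __name__ == "__main__":
    for user, issue in reconcile(ACCOUNTS, EMPLOYEES, AS_OF):
        print(f"{user}: {issue}")
    for problem in check_password_settings(ADMIN_SETTINGS):
        print("password settings:", problem)
```

The reconciliation deliberately reports a leaver's account and a shared "admin" login as separate findings, because they point at different control weaknesses: the first at the joiner/mover/leaver procedure (the traceability of account requests in check 2), the second at the contractual and name-registered definition of administrators that the audit later lists among its improvement points.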

IT audit case study: audit area 3, management of access authorizations (check: population / sample)
1. Use of the folder "Public": list of the folders and files contained in the shared folder "Public"
2. Shared folders on the PCs: sample of PCs
3. Adequacy of the authorizations: list of the authorizations and users for a selected sample of shared folders
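The three checks of audit area 3 as an added example, not part of the audit described on the slides: it takes the shared folders an auditor would export from the file servers and from the sampled PCs (path, host, classification, ACL entries, file names) and compares each ACL against the approved authorization matrix, flags sensitive material left in the "Public" folder and flags shares found on PCs rather than on managed file servers. Folder names, groups, rights, file names and the matrix are constructed sample data; the three-level rights model (read below modify below full) is a simplification of NTFS/SMB permissions made for the example.

```python
"""Audit area 3: shared folders and adequacy of access authorizations.

Added example, not part of the audit on the slides. All folders, groups,
rights, files and the approved matrix are constructed; the read/modify/full
levels simplify real NTFS/SMB permissions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FILE_SERVERS = {"fs01"}                       # hosts where shares are expected to live
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "Users", "Guests"}
RIGHT_LEVEL = {"read": 1, "modify": 2, "full": 3}
# Name fragments that suggest personal or confidential content.
SENSITIVE_MARKERS = ("salar", "payroll", "contract", "personal", "password", "medical")


@dataclass(frozen=True)
class Ace:
    principal: str
    right: str            # "read", "modify" or "full"


@dataclass(frozen=True)
class SharedFolder:
    path: str
    host: str
    classification: str   # "public", "internal" or "confidential"
    acl: Tuple[Ace, ...]
    files: Tuple[str, ...] = ()


def public_folder_findings(folder: SharedFolder):
    """Check 1: sensitive material left in the shared folder 'Public'."""
    return [(folder.path, name, "sensitive file in the Public folder")
            for name in folder.files
            if any(marker in name.lower() for marker in SENSITIVE_MARKERS)]


def authorization_findings(folder: SharedFolder, approved: Dict[str, str]):
    """Check 3: each ACL entry against the approved matrix (principal -> max right).
    An approved entry can still be inadequate: a broad group on a confidential folder."""
    findings = []
    for ace in folder.acl:
        allowed = approved.get(ace.principal)
        if allowed is None:
            findings.append((folder.path, ace.principal, "not in the approved authorization list"))
        elif RIGHT_LEVEL[ace.right] > RIGHT_LEVEL[allowed]:
            findings.append((folder.path, ace.principal, f"{ace.right} granted, {allowed} approved"))
        elif ace.principal in BROAD_GROUPS and folder.classification == "confidential":
            findings.append((folder.path, ace.principal, "broad group approved on a confidential folder"))
    return findings


def audit_shares(folders: List[SharedFolder], matrix: Dict[str, Dict[str, str]]):
    """Run the three checks of audit area 3 over all exported folders."""
    findings = []
    for folder in folders:
        if folder.path.lower().endswith("\\public"):
            findings += public_folder_findings(folder)
        if folder.host not in FILE_SERVERS:                       # check 2: shares on PCs
            findings.append((folder.path, folder.host, "share on a PC, outside managed file servers"))
        findings += authorization_findings(folder, matrix.get(folder.path, {}))
    return findings


# Constructed sample: approved matrix and exported folders.
APPROVED = {
    r"\\fs01\Public": {"Domain Users": "modify"},
    r"\\fs01\Design": {"Design-Engineers": "modify", "Design-Readers": "read"},
    r"\\fs01\HR": {"HR-Staff": "modify", "Domain Users": "read"},
}
FOLDERS = [
    SharedFolder(r"\\fs01\Public", "fs01", "public",
                 (Ace("Domain Users", "modify"), Ace("Everyone", "full")),
                 ("templates.docx", "salaries_2018.xlsx", "site_map.pdf")),
    SharedFolder(r"\\fs01\Design", "fs01", "internal",
                 (Ace("Design-Engineers", "modify"), Ace("Design-Readers", "modify"),
                  Ace("tmp_contractor", "full"))),
    SharedFolder(r"\\fs01\HR", "fs01", "confidential",
                 (Ace("HR-Staff", "modify"), Ace("Domain Users", "read"))),
    SharedFolder(r"\\ws-0412\Drawings", "ws-0412", "internal",
                 (Ace("Everyone", "full"),)),
]

if __name__ == "__main__":
    for path, subject, issue in audit_shares(FOLDERS, APPROVED):
        print(f"{path} | {subject} | {issue}")
```

The matrix check and the broad-group check are separate on purpose: the first tells the auditor that the ACL drifted from what was approved, the second that the approval itself is inadequate, and the two lead to different improvement points (re-aligning permissions versus reviewing the authorization process).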

IT audit case study: audit area 4, software licences (check: population / sample)
1. Inventory of software licences: not specified on the slide
2. Archiving of software setup media: not specified on the slide
3. Software licences: sample of PCs and software licences

IT audit case study: audit area 5, cybersecurity of PCs (population / sample: sample of PCs)
1. Update of antivirus software
2. Security updates
3. Installation authorizations

IT audit case study: audit area 6, electronic signature (population / sample not specified on the slide)
1. Electronic signature devices
2. Signature authorizations
3. Revocation of the electronic certificate

IT audit case study: methods adopted
1. Analysis of company regulations
2. Survey of practices and IT systems
3. Process walk-throughs
4. Verification of the IT systems

IT audit case study: audit report
1. Methods used to plan and carry out the activities
2. Improvement points
3. Suggestions for action

IT audit case study: improvement points
1. Contractual definition of system administrators
2. Use of shared folders
3. Inventory of software in use
4. Traceability of new user requests

IT audit case study: critical factors
1. Co-existence of local and central IT systems
2. Outsourced IT administration
3. Temporary nature of the production sites
4. Specific needs of each production site

IT audit case study: key points
1. Value of information / size of the infrastructure
2. Adoption of an IT risk and control policy

Thank you! Alessandro Salibra Bove, Partner, a.salibra@macfin-group.net, www.macfin-group.net