Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI


Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI #IIACHI WWW.FACEBOOK.COM/IIACHICAGO HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977 1

CAE Communications and Common Audit Committee Questions about Cybersecurity

Yulia Gurman, Director, Internal Audit & Corporate Security
Ryan Hopkins, Assistant Director, Internal Audit
Packaging Corporation of America (PCA)

Bios

Yulia Gurman, Director, Internal Audit and Corporate Security, Packaging Corporation of America
Yulia has over 17 years of work experience in internal audit and compliance in the US. She also serves on the Board of Governors (Chicago Chapter) and Committee of Research and Education Advisors for the IIA. She specializes in internal audit, compliance, risk and control advisory, project management as well as financial and operational audits. She has worked in the real estate, manufacturing and retail sectors. Yulia has considerable experience in managing business risks and improving operational efficiencies. She is known for providing forward-thinking insights to management, ensuring challenges are tackled.

Ryan Hopkins, Assistant Director, Internal Audit, Packaging Corporation of America
Ryan is an Assistant Director of Internal Audit with over 13 years of audit and consulting experience. Ryan began his career in public accounting at Grant Thornton, where he provided audit and consulting services to more than 35 national and multi-national clients. Ryan's previous work experience also includes Accenture's Internal Audit team, where he supervised and executed operational and compliance audits of emerging areas of risk, IT controls, and pre-implementation and post-implementation reviews of multi-million dollar ERP and custom application projects.

Discussion Topics
- Current Cybersecurity Trends
- Understanding the Needs
- Reporting
- Educating Boards and Audit Committees

Polling Question: What's your current role within your organization?
a. CAE or Internal Audit (IA) Department Head
b. IA Manager or Sr. Manager
c. Staff or Senior Auditor
d. Other role outside of Internal Audit

Packaging Corporation of America (PCA)
- Domestic company headquartered in Lake Forest, IL
- One of the largest manufacturers of containerboard and corrugated packaging
- 2018 revenue: $7 billion
- Decentralized environment with facilities located across the United States
- Audit Committee: 5 seasoned members with industry and IT expertise; all independent Board members

Current Cybersecurity Trends

Polling Question: Does your Audit Committee include members with IT/Cybersecurity expertise?
a. Yes
b. No

Audit Committee Questions About Cybersecurity and Director Survey Results

Only 50% of directors* are confident that their companies are properly secured against cyberattacks. To gain confidence, boards are asking questions about Resource Allocation, Vulnerabilities & Risk, and Cyber Risk Management Approaches.

Only 30% of directors surveyed* indicated that their organizations evaluate the security of mergers, acquisitions and new product development, yet the

Survey questions shown:
- In what areas of the cybersecurity program are investments being made?
- What Cyber Risk Management Approaches are in use today?
- What percentage of your** cybersecurity budget is devoted to the five key cybersecurity functions identified by NIST? Please estimate for each time period.
- Which areas of your** organization's IT infrastructure do you believe are most vulnerable to risk?
- Which of the following statements apply to your** organization's cyber risk management approach?

Source: (*) NACD 2018-2019 Public Company Governance Survey; (**) Wall Street Journal, The Cybersecurity Imperative

Recent Security Incidents

Video: HTTPS://YOUTU.BE/0_ZFUMLNJK8

Discussion
- How do you react to the news?
- Do you provide comments on the breaches in the news to your Audit Committees (ACs)?
- Do you update the AC on controls in place to prevent and detect a similar breach?
- Breach response protocol?

Understanding the Needs of the Audit Committee

Understanding the Needs
- Talk to Management and the Audit Committee and seek feedback on the areas of most interest
- Understand the level of detail needed: too much vs. too little
- Frequency of updates
- Deliverables, reporting and metrics. Examples:
  - Number of system vulnerabilities
  - Length of time to identify and respond to a breach
- Formal and/or informal communication

What are your Crown Jewels?

Questions to consider when identifying your organization's crown jewels:
- What are our company's most critical data assets?
- Where do they reside? Are they located on one or multiple systems?
- How are they accessed?
- Who has permission to access them?

Cyber criminals target companies of all sizes and from every industry, seeking anything that might be of value, including:
- Sensitive consumer data, such as credit card numbers or medical information
- Sensitive employee data: Social Security Numbers, drivers' license numbers, and bank account numbers
- Business plans, including merger or acquisition strategies
- Contracts with customers, suppliers, distributors, joint venture partners
- Product designs
- Source code

Common Questions Asked About Cybersecurity
- Are we adequately protected?
- Do we know our biggest threats?
- Do we have sufficient and effective IT resources?
- Are cybersecurity disclosures sufficient?
- Do we have the right resources to address our concerns?
- Are roles & responsibilities clear?
- How do we identify new threats?
- What is Internal Audit's role?
- What is the level of External Auditor oversight?
- Is an incident response plan in place and tested periodically?
- What are the breach costs and impact?
- What is our cybersecurity insurance coverage? Common exclusions?

Reporting

Polling Question: Who is responsible for updating the Audit Committee on cybersecurity matters?
a. Internal Audit only
b. IA and Management (IT)

How and What to Report?

Each organization is unique, and we should consider cybersecurity risk and maturity in the context of the following areas:
- Senior Management perspectives: risk tolerance; maturity goals
- Peer organizations' maturity benchmarking: industry peers; peers with a similar organizational structure

NIST Cybersecurity Framework

In 2014, the National Institute of Standards and Technology (NIST) released a framework for improving the cybersecurity of critical infrastructure in response to the President's 2013 executive order on cybersecurity. The NIST framework is a voluntary, risk-based approach that companies can use to assess their cybersecurity exposure and respond to cyber risk.

The current framework version includes a set of cybersecurity activities expressed through five functions that provide a high-level, strategic view of the management of cybersecurity. These five functions are further divided into 23 categories and 108 subcategories that describe the cybersecurity activities and desired outcomes in more granularity.

Each of the NIST CSF functions, categories, and subcategories can be assigned implementation tier ratings designating the maturity level in each area. The tiers range from tier 1 (least mature) to tier 4 (most mature) and describe the extent to which cybersecurity risk management is guided by business needs and integrated into an organization's overall risk management practices.

Roles and Responsibilities

Are roles and responsibilities clearly defined for reporting:
- Cybersecurity breaches
- Maturity assessment results
- Network security assessment results
- Cybersecurity awareness training and results
- What else are you reporting on?

Example Communications/Deliverables
- Cybersecurity maturity assessment results (using a framework)
- Enhancements to cybersecurity practices: compared to prior year?
- Network security assessment
- Employee cybersecurity training and awareness
- Social engineering test results
- Other?

Educating Boards and Audit Committees

What Can CAEs Do?
- Educate Management and the Board about trends and emerging risks, and share innovative practices on how to mitigate certain cyber risks
- As Internal Auditors, we know our organization's environment and also know what our peers are facing, and we can help the Audit Committees and Management understand which risks are more predominant for our industry
- We should also be able to explain which risks are critical and relevant vs. those that are remote to your organization
- Not everyone is created equally in terms of cyber risk vulnerabilities!

Resources

A lot of information available!!!
- SEC: Interpretive Guidance on Public Company Cybersecurity Disclosures
- IIA: Internal Audit's Growing Engagement in Cyber Management; Internal Auditors: More Than Cybersecurity Police; and much more
- NACD: Resource Center: Cyber-Risk Oversight
- Consulting firms: white papers, newsletters, webinars, etc.
- Your PEERS!

Questions and Answers?

Thank you for your time and attention!

IIA Chicago Chapter 59th Annual Seminar