AUDIT REPORT
Network Assessment Audit
Audit Opinion: Needs Improvement
Date: December 15, 2014
Report Number: 2014-IT-03

Table of Contents

Executive Summary
  Background ............................... 1
  Audit Objectives and Scope ............... 1
  Audit Opinion ............................ 2
Appendix
  Definitions .............................. 3
  Issue Classifications .................... 4
  Distribution ............................. 6
  Audit Performed By ....................... 6

Executive Summary

Background

The Office of the Internal Auditor (OIA) requested that Citizens' Legal Counsel engage a third-party firm to perform a network assessment as a proactive approach to assessing the potential cyber risks associated with Citizens' IT environment. News reports routinely portray susceptibility to cyber threats across all corporate industries and government entities. Recent Verizon study statistics show that hacking and malware comprise the most common attack methods, with servers and user devices as the primary targets. Companies look to technology investments, process and monitoring improvements, people assets and, more recently, cyber insurance as part of their risk mitigation efforts. However, there is a need to think beyond the traditional security protection mechanisms, to remain vigilant and to constantly view system vulnerabilities through the lens of a cyber-criminal. To this end, penetration testing provides a proactive approach to understanding local threats and specific risks not always depicted in the result sets created by standardized vulnerability management tools.

Penetration testing is the process of evaluating computer network security by simulating malicious external/internal attacks. This process involves the active analysis of potential vulnerabilities that, if exploited, could result in business disruption. Penetration testing of Citizens' network perimeter has been conducted periodically by various third-party firms. The Information Security department, headed by the Director of IT Security and Risk, is normally responsible for the performance and/or coordination of the internal and external penetration tests. The third-party network test objectives were shared with a small subset of IT management during the engagement process to ensure that a collaborative plan was developed and that certain key IT individuals were involved during the testing, so as to assure that Citizens' network and business functions were not impacted.

Internal, external and wireless penetration testing was performed to assure that a comprehensive view of risks was obtained. The work product of the third-party firm is protected under Attorney-Client Privilege, ensuring that vulnerabilities remain confidential within the organization. Although the audit primarily focused on the impact of a cyber event within the organization, there was a need to improve the data incident management process as well. Accordingly, the development of an organization-wide data incident response plan was included in the project. The plan provides for all stages of data incident response as well as intersections to other existing enterprise processes as needed, and on-demand reference materials such as risk assessments, external resource lists and other required documentation.

Audit Objectives and Scope

The objective of this audit was to evaluate the adequacy and effectiveness of the vulnerability management processes implemented to safeguard Citizens' computer network and to ensure that network security and availability adequately support the objectives of the business. The focus areas included the following:

Internal and External Penetration Testing
- Attack simulation processes were employed to evaluate computer and network security and to identify vulnerabilities that may be difficult to detect with only automated network or application vulnerability scanning processes.

Web Application Security Review
- Targeted browser-based application security controls testing was performed, referencing discovered vulnerabilities to industry-standard web application security frameworks such as the SANS Top 25 and the Open Web Application Security Project (OWASP).

Wireless Penetration Testing
- A wireless security assessment was completed, including a review of encryption and authentication technologies as well as detection of rogue access points and wireless network adapters. This was a targeted review of one location.

Audit Opinion

Following completion of the third-party network assessment, we are of the opinion that the overall effectiveness of the processes and controls associated with the vulnerability management program is rated as Needs Improvement. Security enhancements have been made in the cyber security realm over the past two years. A Director of IT Security and Risk was hired to oversee all IT security risks and processes. A greater focus has been placed on privacy and security risks with the implementation of a privacy framework comprised of a Privacy Policy, an Information Security Policy and an Information Classification and Handling Policy. Emphasis has also been placed on enhancements and tools associated with vulnerability management and penetration testing processes. However, our work identified some areas of improvement required in network security risk mitigation. Management is working on a corrective action plan which will include enhancement of the organization's understanding of the impact of cyber risks, the best practices required to protect Citizens' data and the continuous improvements essential to the maturity of the vulnerability management program.

We would like to thank management and staff for their cooperation and professional courtesy throughout the course of this audit.
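The wireless focus area above lists detection of rogue access points and a review of encryption settings as part of the assessment scope. The following is an added example, not code from the audit report or from Citizens' own tooling, of how a reviewer turns a wireless survey into classified findings: each observed BSSID is checked against an authorized inventory, unknown radios advertising a corporate SSID are rated High (the evil-twin pattern that puts client credentials at risk), and weak or absent encryption is flagged separately. The survey format (SAMPLE_SURVEY), the inventory (AUTHORIZED_APS), the weak-encryption policy (WEAK_ENCRYPTION) and the function names are all constructed assumptions for this example; the severity labels follow the report's High/Medium/Low classifications.

```python
"""Rogue access point and weak-encryption review of a wireless survey.

Added illustration, not code from the audit report or from Citizens: it
assumes a survey export shaped like SAMPLE_SURVEY (one record per observed
BSSID) and an authorized access point inventory kept by IT Security.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed authorized inventory: BSSID -> SSID it is permitted to broadcast.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-WIFI",
    "00:11:22:33:44:02": "CORP-WIFI",
    "00:11:22:33:44:03": "CORP-GUEST",
    "00:11:22:33:44:04": "CORP-WIFI",   # inventoried but not seen in the survey
}

# Constructed policy: encryption settings the assessment treats as weak.
WEAK_ENCRYPTION = {"OPEN", "WEP", "WPA-TKIP"}

# Constructed survey output from the one location reviewed.
SAMPLE_SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CORP-WIFI",     "encryption": "WPA2-AES"},
    {"bssid": "00:11:22:33:44:03", "ssid": "CORP-GUEST",    "encryption": "OPEN"},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "CORP-WIFI",     "encryption": "WPA2-AES"},
    {"bssid": "AA:BB:CC:DD:EE:02", "ssid": "Printer-Setup", "encryption": "WEP"},
    {"bssid": "00:11:22:33:44:02", "ssid": "CORP-WIFI",     "encryption": "WPA2-AES"},
]


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issue: str
    severity: str  # "High" or "Medium", following the report's issue classifications


def classify_survey(survey, authorized=AUTHORIZED_APS, weak=WEAK_ENCRYPTION):
    """Return findings for every observed BSSID, highest severity first."""
    corporate_ssids = set(authorized.values())
    findings = []
    for record in survey:
        bssid = record["bssid"].upper()        # normalise case before inventory lookup
        ssid = record["ssid"]
        encryption = record["encryption"].upper()
        if bssid not in authorized:
            if ssid in corporate_ssids:
                # An unknown radio advertising a corporate SSID is the evil-twin
                # indicator: clients may associate with it and expose credentials.
                findings.append(Finding(bssid, ssid, "rogue AP impersonating corporate SSID", "High"))
            else:
                findings.append(Finding(bssid, ssid, "unauthorized access point", "Medium"))
        elif authorized[bssid] != ssid:
            findings.append(Finding(bssid, ssid, "authorized AP broadcasting unexpected SSID", "Medium"))
        if encryption in weak:
            findings.append(Finding(bssid, ssid, f"weak or no encryption ({encryption})", "Medium"))
    order = {"High": 0, "Medium": 1}
    # Stable sort: High first, then by BSSID, keeping insertion order within a BSSID.
    return sorted(findings, key=lambda f: (order[f.severity], f.bssid))


def missing_authorized(survey, authorized=AUTHORIZED_APS):
    """Inventory entries never observed: a survey coverage gap or a stale inventory."""
    seen = {record["bssid"].upper() for record in survey}
    return sorted(b for b in authorized if b not in seen)


def summarize(findings):
    """Severity counts, the figure an audit summary table would report."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = classify_survey(SAMPLE_SURVEY)
    for f in results:
        print(f"{f.severity:6} {f.bssid} {f.ssid!r}: {f.issue}")
    print("not observed:", missing_authorized(SAMPLE_SURVEY))
    print("summary:", summarize(results))
```

Running the example against the constructed survey produces one High finding (the unknown radio broadcasting CORP-WIFI) and three Medium findings, and reports the inventoried access point that the survey never observed; the last point matters because a one-location review, as in this audit, cannot distinguish a decommissioned AP from one outside the survey's range without that reconciliation.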

Appendix 1 Definitions

Audit Ratings

Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus.

Needs Improvement: Internal control systems are not functioning in an acceptable manner and the control environment will require some enhancement before it can be considered fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires a corrective action plan with priority.

Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information; or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result, the control environment is not considered to be appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires an immediate corrective action plan with the highest priority.

Appendix 2 Issue Classifications

Each control category is rated High, Medium or Low against the criteria below.

Financial Controls (Reliability of financial reporting)
  High:
  - Financial statement misstatements greater than USD 5 million
  - Control issue that could have a pervasive impact on control effectiveness in business or financial processes at the business unit level
  - A control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in the financial reporting process
  Medium:
  - Financial statement misstatements between USD 2.5 million and USD 5 million
  - Control issue that could have an important impact on control effectiveness in business or financial processes at the business unit level
  Low:
  - Financial statement misstatements below USD 2.5 million
  - Control issue that does not impact control effectiveness in business or financial processes at the business unit level

Operational Controls (Effectiveness and efficiency of operations)
  High:
  - Losses greater than USD 2.5 million
  - Achievement of principal business objectives in jeopardy
  - Customer service failure (e.g., excessive processing backlogs, unit pricing errors, call center non-responsiveness for more than a day) impacting 10,000 policyholders or more, or negatively impacting a number of key corporate accounts
  - Prolonged IT service failure impacting one or more applications and/or one or more business units
  - Negative publicity related to an operational control issue
  - An operational control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in operations
  - Any operational issue leading to the death of an employee or customer
  Medium:
  - Losses between USD 0.5 million and USD 2.5 million
  - Achievement of principal business objectives may be affected
  - Customer service failure (e.g., processing backlogs, unit pricing errors, call center non-responsiveness) impacting 1,000 to 10,000 policyholders, or negatively impacting a key corporate account
  - IT service failure impacting more than one application for a short period of time
  - Any operational issue leading to injury of an employee or customer
  Low:
  - Losses below USD 0.5 million
  - Achievement of principal business objectives not in doubt
  - Customer service failure (e.g., processing backlogs, unit pricing errors, call center non-responsiveness) impacting fewer than 1,000 policyholders
  - IT service failure impacting one application for a short period of time

Compliance Controls (Compliance with applicable laws and regulations)
  High:
  - Public censure, fines or enforcement action (including requirement to take corrective actions) by any regulatory body which could have a significant financial and/or reputational impact on the Group
  - Any risk of loss of license or regulatory approval to do business
  - Areas of non-compliance identified which could ultimately lead to the above outcomes
  - A control issue relating to any fraud committed by any member of senior management which could have an important compliance or regulatory impact
  Medium:
  - Public censure, fines or enforcement action (including requirement to take corrective action) by any regulatory body
  - Areas of non-compliance identified which could ultimately lead to the above outcomes
  Low:
  - Non-public action (including routine fines) by any regulatory body
  - Areas of non-compliance identified which could ultimately lead to the above outcome

Remediation timeline
  High: Such an issue would be expected to receive immediate attention from senior management, but must not exceed 60 days to remedy.
  Medium: Such an issue would be expected to receive corrective action from senior management within 1 month, but must be completed within 90 days of the final Audit Report date.
  Low: Such an issue does not warrant immediate attention, but there should be an agreed program for resolution. This would be expected to complete within 4 months, but in every case must not exceed 180 days.

Appendix 3 Distribution

Addressees:
Mitch Brockbank, Director, IT Security and Risk

Copies:
Juan Cocuy, Citizens Audit Committee Chairman
Bette Brown, Citizens Audit Committee Member
Jim Henderson, Citizens Audit Committee Member
Barry Gilway, President/CEO/Executive Director
Kelly Booten, Chief of Systems and Operations
Curt Overpeck, Chief Information Officer
John Rollins, Chief Risk Officer
Dan Sumner, General Counsel and Chief Legal Officer
Bruce Meeks, Inspector General
Johnson Lambert, LLP (External Auditors)

Following Audit Committee Distribution:
The Honorable Rick Scott, Governor
The Honorable Jeff Atwater, Chief Financial Officer
The Honorable Pam Bondi, Attorney General
The Honorable Adam Putnam, Commissioner of Agriculture
The Honorable Andy Gardiner, President of the Senate
The Honorable Steve Crisafulli, Speaker of the House of Representatives

Audit Performed By:
Karen Wittlinger, Audit Director

Under the Direction of:
Joe Martins, Chief of Internal Audit