TAN Jenny Partner PwC Singapore
Topic: Cybersecurity Risks: An Essential Audit Consideration. Tan Jenny, Partner, PwC Singapore

PwC Singapore is honoured to be invited to contribute to the development of this guideline.

Cybersecurity Risks: An essential audit consideration

Then and Now

Then:
- Manual controls
- Stand-alone, simple applications
- Hardcopy source documents

Now:
- IT-dependent controls
- More than simple applications sitting on a network
- Integrated & automated controls
- Integrated and/or complex applications
- Complex network
- Mobile computing

What now? So, what is cybersecurity? Cybersecurity represents many things to different people.

What is Cybersecurity?
- "The process of protecting information by preventing, detecting, and responding to attacks." ~ NIST
- "The preservation of confidentiality, integrity and availability of information in the Cyberspace." ~ ISO 27032
- "The security of a computer or computer system against unauthorised access or attack, to preserve the availability and integrity of the computer or computer system, or the confidentiality of information stored or processed therein." ~ Singapore Cybersecurity Bill

We are in the Cyber Age
- 40% of CEOs around the globe are concerned about cyber threats; cyber is CEOs' fastest-growing concern, up six positions from 2017.
- Current employees emerged as organisations' top likely source of security incidents.
- Protecting intellectual property: 70% of organisations expressed concern about their inability to protect intellectual property or confidential customer data.
- 59% of respondents cited compromise of sensitive data as the biggest consequence of a cyberattack.
Sources: PwC 21st Annual Global CEO Survey 2018; Global State of Information Security Survey.

The Cyber Challenges: the global business ecosystem (diagram). The enterprise sits at the centre, connected to customers, consumers, suppliers, service providers, JV/partners and industry/competitors, within wider environmental, economic and technology forces.

Relevance of Cybersecurity Risk and Cyber Attacks to Financial Statements Audits
- Cybersecurity risk is relevant to every entity: consider it as part of risk assessment, i.e. as one of the entity's business risks in a financial statements audit.
- Cybersecurity risk is an essential consideration in every financial statements audit: consider and assess the impact of such risk on the financial statements audit and, where necessary, the extent of audit response required to address the risk.
- The auditor only needs to consider those risks that could impact the financial statements and the entity's assets.
- Organisations see 2-10 cyber incidents per year, e.g. cyber attacks at your POS.

Cybersecurity Risk Consideration and Assessment

Entity's risk assessment process
- Technology risk management framework (in addition to ERM)
- Cybersecurity policy
- Risk register
- Roles & responsibilities

IT / IT (cyber) security
- Right competency
- On the Board agenda

Safeguarding assets
- IT asset list
- Data protection policy & strategy
- Backup strategy
- BCP / IT-DRP
- Employee awareness

Security breaches
- Incident response plan / management
- Crisis management & communications plan

Evolving business risks impacting brand, competitive advantage and shareholder value

Highlights of activities impacting risk:
- Advancements in and evolving use of technology: adoption of cloud-enabled services; Internet of Things (IoT) security implications; BYOD usage
- Value chain collaboration and information sharing: persistent third-party integration; tiered partner access requirements; usage and storage of critical assets throughout the ecosystem
- Operational fragility: real-time operations; product manufacturing; service delivery; customer experience
- Business objectives and initiatives: M&A transactions; emerging market expansion; sensitive activities of interest to adversaries

Unmanaged risks with potential long-term, strategic implications:
- Historical headlines have primarily been driven by compliance and disclosure requirements
- However, the real impact is often not recognised, appreciated or reported
- Cybersecurity must be viewed as a strategic business imperative in order to protect brand, competitive advantage and shareholder value

Scope of cybersecurity: technology types
- Information Technology: computing resources and connectivity for processing and managing data to support organisational functions and transactions
- Operational Technology: systems and related automation assets for the purpose of monitoring and controlling physical processes and events, or supporting the creation and delivery of products and services
- Consumer (products and services) Technology: computing resources and connectivity integrated with or supporting external end-user-focused products and services
Cybersecurity encompasses all three technology types.

Consideration Areas (Cyber Security Risk Assessment)

ITGC Assessment
- User access management
- IT change management
- System development management
- Computer operations
- Data residency and sovereignty
- Network
- Compliance

Key System Assessment
- Application security
- Data encryption
- Operating system security
- Database configuration
- Interface security
- Network and remote access
- System integration

Physical Security Assessment
- Physical access
- Security management
- Asset protection
- Personnel security
- Transport security
- Physical environmental protection systems

Infrastructure Assessment
- Application inventory
- Hardware inventory
- External vendor list
- Licence inventory list
- Standard configuration
- Network topology

The entity needs to re-assess cybersecurity risk every year.
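The first ITGC item above, user access management, is usually tested by reconciling an application's account list against HR data. The following is an added example (not from the presentation or PwC) of such a review: the HR and IAM records, field names, the 90-day dormancy threshold, the privileged-role set and the segregation-of-duties rule are all constructed assumptions chosen to show the four exceptions an auditor typically looks for (leavers and unowned accounts, dormant accounts, privileged access without MFA, and SoD conflicts).

```python
"""ITGC user access review over constructed HR and IAM extracts.

Added example (not from the presentation): the records, field names and
thresholds are assumptions chosen to illustrate the kinds of exceptions a
user access management test looks for.
"""
from datetime import date

# Review date for the test (assumption).
AS_OF = date(2018, 3, 15)
DORMANT_DAYS = 90                 # no login for longer than this = dormant
PRIVILEGED = {"ADMIN"}            # roles treated as privileged
# Role combinations that breach segregation of duties (assumption).
SOD_CONFLICTS = [({"AP_CLERK", "AP_APPROVER"}, "can both create and approve payments")]

# Constructed HR master data.
HR = [
    {"emp_id": "E001", "status": "active", "left": None},
    {"emp_id": "E002", "status": "left", "left": date(2018, 1, 15)},
    {"emp_id": "E003", "status": "active", "left": None},
]

# Constructed IAM extract for a key financial application.
ACCOUNTS = [
    {"user": "alice", "emp_id": "E001", "roles": ["AP_CLERK"],
     "last_login": date(2018, 3, 1), "mfa": True},
    {"user": "bob", "emp_id": "E002", "roles": ["AP_CLERK"],
     "last_login": date(2018, 2, 20), "mfa": True},
    {"user": "carol", "emp_id": "E003", "roles": ["AP_CLERK", "AP_APPROVER"],
     "last_login": date(2018, 2, 28), "mfa": True},
    {"user": "svc_batch", "emp_id": None, "roles": ["ADMIN"],
     "last_login": date(2017, 9, 1), "mfa": False},
    {"user": "dave", "emp_id": "E999", "roles": ["ADMIN"],
     "last_login": date(2018, 3, 2), "mfa": False},
]


def review_access(hr, accounts, as_of=AS_OF):
    """Return (user, exception) pairs for the four standard access tests."""
    by_emp = {h["emp_id"]: h for h in hr}
    findings = []
    for a in accounts:
        roles = set(a["roles"])
        emp = by_emp.get(a["emp_id"]) if a["emp_id"] else None

        # 1. Every account should map to a current, named employee.
        if a["emp_id"] is None:
            findings.append((a["user"], "generic/service account with no named owner"))
        elif emp is None:
            findings.append((a["user"], "no matching HR record"))
        elif emp["status"] == "left" and emp["left"] <= as_of:
            findings.append((a["user"], f"employee left on {emp['left']} but account still enabled"))

        # 2. Dormant accounts should have been disabled.
        if (as_of - a["last_login"]).days > DORMANT_DAYS:
            findings.append((a["user"], f"no login for more than {DORMANT_DAYS} days"))

        # 3. Privileged access should be protected by MFA.
        if roles & PRIVILEGED and not a["mfa"]:
            findings.append((a["user"], "privileged role without MFA"))

        # 4. Segregation of duties across roles.
        for combo, why in SOD_CONFLICTS:
            if combo <= roles:
                findings.append((a["user"], f"SoD conflict: {why}"))
    return findings


if __name__ == "__main__":
    for user, exception in review_access(HR, ACCOUNTS):
        print(f"{user:10} {exception}")
```

In a real engagement the two extracts come from the HR system and the application's own user table (or the directory it authenticates against), and each exception is followed up with management for a remediation owner and date; a leaver with an enabled account is also the evidence that the joiner/mover/leaver control did not operate.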

Audit Responses to Identified Cybersecurity Risk
- Design and implement audit responses to address the assessed risks of material misstatement at both the financial statement and assertion level.
- This may include assigning more experienced staff, or those with special skills such as IT specialists, to the engagement.
- When ITGCs are tested in the financial statements audit, the auditor will assess whether the operating effectiveness of the relevant IT-dependent controls can be relied upon.
- Where deficiencies are identified, consider compensating controls that the entity has in place to reduce the impact of the ITGC deficiencies.
- Obtain more extensive audit evidence from substantive procedures when IT controls fail.

Audit Responses to Cyber Attacks
- Understand the nature and cause of the incident.
- Consider the costs and any adverse consequences arising from the cyber incident.
- Evaluate the impact on the financial statements audit:
  1. Understanding management's review process of its patented technology
  2. Critical assessment of the assumptions in the impairment of intangible assets (I.A.)
  3. Sensitivity analysis of possible changes that have a material impact on the FS
  4. Consideration of the impact on the company's other assets
  5. Assessment of the impact of the attack on the entity's future and potential assets
  6. Assessment of whether the breach may indicate going concern issues for the entity

Auditor Vigilance towards Undetected Cyber Attacks
- The auditor should still maintain professional scepticism when carrying out the audit.
- The auditor should inquire of management regularly whether management has knowledge of any cyber incident or suspected cyber incident affecting the entity.
- The auditor should be more vigilant when aware that the entity does not have robust IT systems and controls in place, or when a higher cybersecurity risk has been identified.

Finally, Back to Basics

Cyber incident | Examples of ITGCs / good practice
Ransomware     | Good backup strategy & policy
Phishing       | Employee awareness; anti-phishing software
DDoS           | Locate servers at different data centres; segregate the network
MITM           | Intrusion detection system

Two caveats when testing these: backups only defeat ransomware if at least one copy is offline or immutable and restores are tested, and an IDS detects a man-in-the-middle rather than preventing one, which is the job of TLS with proper certificate validation.
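For the ransomware row, an auditor wants evidence that the "good backup strategy" operates, not just that a policy exists. The following is an added example (not from the presentation or PwC) that reads constructed backup-job log lines and checks, per system, for a recent successful backup, an offline/immutable copy and a recent successful restore test. The key=value log format, the field names, the 24-hour RPO and the 30-day restore-test window are assumptions for illustration.

```python
"""Backup posture check over constructed backup-job log lines.

Added example, not from the presentation: the log format, field names and
thresholds are assumptions. The three tests are the ones that matter for
ransomware recovery: a recent good backup, a copy the attacker cannot
encrypt or delete, and proof that restores actually work.
"""
import re
from datetime import datetime, timedelta

# Constructed log lines in an assumed "<timestamp> key=value ..." format.
LOG = """\
2018-03-13T01:00:00 job=full system=erp-db target=disk-onsite status=ok
2018-03-13T03:00:00 job=copy system=erp-db target=tape-offsite immutable=yes status=ok
2018-03-01T02:00:00 job=restore-test system=erp-db status=ok
2018-03-14T01:00:00 job=full system=erp-db target=disk-onsite status=ok
2018-03-12T01:00:00 job=full system=file-srv target=disk-onsite status=ok
2018-03-13T01:00:00 job=full system=file-srv target=disk-onsite status=failed
2018-03-14T01:00:00 job=full system=file-srv target=disk-onsite status=failed
2018-01-05T02:00:00 job=restore-test system=file-srv status=ok
"""

AS_OF = datetime(2018, 3, 14, 12, 0, 0)      # review time (assumption)
RPO = timedelta(hours=24)                    # newest good backup must be this recent
RESTORE_TEST_MAX_AGE = timedelta(days=30)    # last successful restore test

LINE = re.compile(r"^(\S+)\s+(.*)$")


def parse(log):
    """Turn each log line into a dict of its key=value fields plus a 'ts'."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = datetime.fromisoformat(m.group(1))
        events.append(fields)
    return events


def check_backups(log, as_of=AS_OF):
    """Return {system: [issues]}; an empty list means all three tests passed."""
    events = parse(log)
    findings = {}
    for system in sorted({e["system"] for e in events}):
        ok = [e for e in events if e["system"] == system and e["status"] == "ok"]
        issues = []

        # 1. Newest successful backup (full or copy) must be within the RPO.
        backups = [e["ts"] for e in ok if e["job"] in ("full", "copy")]
        if not backups or as_of - max(backups) > RPO:
            issues.append("no successful backup within RPO")

        # 2. At least one copy must be offline/immutable so ransomware cannot reach it.
        if not any(e["job"] == "copy" and e.get("immutable") == "yes" for e in ok):
            issues.append("no offline/immutable copy")

        # 3. A successful restore test must be recent; untested backups are not evidence.
        tests = [e["ts"] for e in ok if e["job"] == "restore-test"]
        if not tests or as_of - max(tests) > RESTORE_TEST_MAX_AGE:
            issues.append("no successful restore test in the last 30 days")

        findings[system] = issues
    return findings


if __name__ == "__main__":
    for system, issues in check_backups(LOG).items():
        print(system, "OK" if not issues else "; ".join(issues))
```

Note that the check deliberately ignores failed jobs when computing recency: two failed nightly runs in a row, as for file-srv in the constructed log, are exactly the case where the "last backup" shown in a console is not the one you could restore from.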

Thank You! For a deeper conversation on your IT audit approach, please contact: Jenny Tan, Partner, Risk Assurance PwC Singapore jenny.tj.tan@sg.pwc.com Office: +65 6236 7738 Mobile: +65 9751 7434