Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Similar documents
Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

THE POWER OF TECH-SAVVY BOARDS:

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Larry Clinton President & CEO (703)

The Deloitte-NASCIO Cybersecurity Study Insights from

ISO 27001:2013 certification

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

Larry Clinton President & CEO Internet Security Alliance

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Cybersecurity Session IIA Conference 2018

CYBER RISK MANAGEMENT

A Global Look at IT Audit Best Practices

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Cybersecurity Protecting your crown jewels

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

The Fine Art of Creating A Transformational Cyber Security Strategy

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

Cyber Risks in the Boardroom Conference

CYBERSECURITY RESILIENCE

Rethinking Information Security Risk Management CRM002

Clarity on Cyber Security. Media conference 29 May 2018

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Cybersecurity. Securely enabling transformation and change

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS

NYDFS Cybersecurity Regulations

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

Bored with Your Board s Involvement with Privacy/Security Program?

How your board can be effective in overseeing cyber risk

Leading our discussion today

2017 RIMS CYBER SURVEY

Skybox Security Vulnerability Management Survey 2012

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

Pave the way: Build a value driven SAP GRC roadmap March 2015

The value of visibility. Cybersecurity risk management examination

Cybersecurity and the Board of Directors

Building a Threat Intelligence Program

Security and Privacy Governance Program Guidelines

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

NERC Staff Organization Chart Budget 2018

NERC Staff Organization Chart Budget 2019

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

SOC for cybersecurity

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Cyber Risk Having better conversations on cyber

Turning Risk into Advantage

CYNERGISTEK NYSE AMERICAN: CTEK

BRING EXPERT TRAINING TO YOUR WORKPLACE.

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

M&A Cyber Security Due Diligence

Cyber Security: It s all about TRUST

Reducing Cybersecurity Costs & Risk through Automation Technologies

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

DeMystifying Data Breaches and Information Security Compliance

State of the Cyber Training Market January 2018

Must Have Items for Your Cybersecurity or IT Budget in 2018

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Security Leaders: Manage the Forest Not the Trees. Presented by: Adam Stone Secure Digital Solutions, LLC 15 March :50 pm

GDPR COMPLIANCE REPORT

ISACA Cincinnati Chapter March Meeting

Larry Clinton President & CEO (703)

RSA Cybersecurity Poverty Index

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

Cyber Risks, Coverage, and the Board of Directors.

Protecting your next investment: The importance of cybersecurity due diligence

Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors

Sage Data Security Services Directory

PULSE TAKING THE PHYSICIAN S

Cyber Risk Market Survey 2019 Sneak Preview

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

2018 MANAGED SECURITY SERVICE PROVIDER (MSSP): BENCHMARK SURVEY Insights That Inform Decision-Making for Retail Industry Outsourcing

NERC Staff Organization Chart Budget 2019

What It Takes to be a CISO in 2017

CYBERSECURITY PREPAREDNESS AND RESPONSE

Convergence of BCM and Information Security at Direct Energy

The Evolving Threat to Corporate Cyber & Data Security

HEALTH CARE AND CYBER SECURITY:

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

IAB internet advertising revenue report 2017 first six-months results

Why you should adopt the NIST Cybersecurity Framework

Putting It All Together:

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

Cyber risk Getting the boardroom focus right

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

The State of Cybersecurity and Digital Trust 2016

A Comprehensive Guide to Remote Managed IT Security for Higher Education

Transcription:

Discussion on: Evaluating Cybersecurity Coverage A Maturity Model Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium By: Eric C. Lovell PricewaterhouseCoopers LLP ( PwC ) March 24, 2015

Quest for IT Audit Enlightenment Are we covering the right things the right way? 2

Questions Answered by the Model Risk Identification Audit Universe Risk Assessment Coverage Strategy Testing Strategy Have the right risks been identified at the right level of the firm? Have appropriate auditable units been defined to encompass the identified risks? Have risks been appropriately assessed and prioritized? Has an appropriate coverage strategy been defined and implemented? Have appropriate test strategies been developed on individual audit engagements and executed by skilled staff? 3

Survey Says Key Findings from 2015 Global State of Information Security Survey (GSISS) Incidents and financial impacts continue to soar: The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% from 2013. 4

Survey Says Key Findings from 2015 Global State of Information Security Survey (GSISS) Declines in fundamental security practices: As security risks rise, organizations should seek to implement the necessary processes and technologies to prevent, protect, detect, and respond to elevated threats. 5

Survey Says Key Findings from 2015 Global State of Information Security Survey (GSISS) As incidents rise, security spending falls: Information security spending is not keeping pace with increases in the frequency and costs of security incidents, despite elevated concerns about cyber risks. In fact, investments in information security budgets declined 4% over 2013. 6

Survey Says GSISS 2015 - Snapshot of Consumer and Retail Segment Impacts: General impacts of security incidents 7

Survey Says GSISS 2015 - Snapshot of Consumer and Retail Segment Impacts: Estimated financial losses due to security incidents 8

Survey Says GSISS 2015 - Snapshot of Consumer and Retail Segment Impacts: Total downtime over past 12 months due to security incidents 9

Survey Says GSISS 2015 - Snapshot of Consumer and Retail Segment Safeguards: Preventative measures in place 10

Survey Says GSISS 2015 - Snapshot of Consumer and Retail Segment Safeguards: Preventative measures in place 11

Survey Says GSISS 2015 - Snapshot of Consumer and Retail Segment Safeguards: Detective measures in place 12

Survey Says GSISS 2015 - Snapshot of Consumer and Retail Segment Safeguards: Response measures in place 13

Survey Says Nearly 7 in 10 respondents viewed cyberattacks and other security threats as a high or critical priority. More than half of the chief audit executives (CAEs) and directors who responded consider the identification of emerging risks to be their biggest challenge. Yet only about one-third expressed a high degree of confidence in their ability to identify such concerns. - The IIA Audit Executive Center s North American Pulse of Internal Audit survey (2014) CEOs see cyber security technologies as a top-three most strategically important type of digital technology for their organization. And 53% think it s very important strategically a higher proportion than for any other type of digital technology we asked about. - 18th Annual Global CEO Survey PwC (2015) 14

Internal Audit s critical role in cybersecurity IA provides a critical line of defense in providing assurance to the board and executive management that company information security practices aren t becoming inadequate and obsolete. However, there are four typical barriers we find to internal audit playing an effective role in security: 1. Apathy - A mindset that believes adequate controls are already in place - We have firewalls, we do SOX and we comply with PCI. The fact is that many disastrous security breaches have occurred in companies that had strong firewalls, seemingly tight access controls, and in compliance with regulation. Since exposures are changing constantly, policies and controls need to change alongside them. 2.Budgets - Management considers the money and effort to build and maintain Information Security assurance programs too high. Often leaders don t realize the magnitude of the potential downside. 3.Competence - Many audit committees and top management view the IA function as competent in assessing financial controls and sometimes information security controls, but often do not trust their ability to assess information security holistically. IA departments need to have the right people either hire and train in this area or outsource as needed to experts. 4.Distributed responsibilities - Often split between various functional groups within IT. When that happens, it s almost certain that some things will fall through the cracks. Auditing across functional groups is hard make sure someone is responsible, has access to the right resources to assess the risks, and the authority to address them. 15

Food for Thought The National Association of Corporate Directors (NACD), in conjunction with the American International Group (AIG) and the Internet Security Alliance (ISA), published a report outlining the five principles that all corporate boards should consider as they seek to enhance their oversight of cyber risks. The first principle is: Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue. The NACD then made the following recommendation: The board must assume the role of the fourth line of defense against cyber risks within the entire organization. In this capacity, the board must require internal audit to provide an annual health check report of the organization s cybersecurity program. This comprehensive report must cover all domains of the cybersecurity and be conducted by either the internal audit staff or an external security organization. 16

The Model 17

Maturity Model Cybersecurity Audit Coverage 18

Risk Identification 19

Audit Universe 20

Risk Assessment 21

Coverage Strategy 22

Engagement Test Strategy 23

Level One 24

Level Two 25

Level Three 26

Level Four 27

Level Five 28

Moving the Dial 29

Moving the Dial 30

Moving the Dial Risk Identification: Let business risk help drive how you approach cybersecurity 31

Moving the Dial Audit Universe: Know in detail what processes are included in Audit Entities 32

Moving the Dial Risk Assessment: Look for cyber related risks outside of traditional IT Audit Entities 33

Moving the Dial Coverage Strategy: Don t be afraid of auditing a process across multiple functions Bonus!!! Identify/track a couple key cybersecurity metrics 34

Moving the Dial Engagement Test Strategy: Don t shirk going deep on the technical testing Bonus!!! Don t be afraid of auditing the CISO s strategy 35

Thank You! 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback