Spring Education Conference
Securing the Organization (Ensuring Trustworthy Systems)
Ken Vander Wal, CISA, CPA
Past President, ISACA
vandeke@gmail.com
2012-2013 Board of Directors
International President: Greg Grocholski, Member at Large
Past International President: Kenneth Vander Wal, Chicago Chapter
Past International President: Emil D'Angelo, NY Metropolitan Chapter
Vice Presidents: Allan Boardman, London Chapter; Juan Luis Carselle, Mexico City Chapter; Christos Dimitriadis, Athens Chapter; Ramses Gallego, Barcelona Chapter; Tony Hayes, Brisbane Chapter; Jeff Spivey, Charlotte Chapter; Marc Vael, Belgium Chapter
Appointed directors: John Ho Chi, Singapore Chapter; Krysten McCabe, Atlanta Chapter; Jo Stewart-Rattray, Adelaide
Agenda
- IT Changing Landscape
- IT Value, Trust and Assurance
- Impact on Assurance Profession
- Questions and Discussion
Pace of Change of Digital Infrastructure
Digital power = Computing x Communication x Storage x Content
- Computing: Moore's law, doubles every 18 months
- Communication: Fiber law, doubles every 9 months
- Storage: Disk law, doubles every 12 months
- Content: Community law, 2^n, where n is the number of people
Source: John Seely Brown
Worldwide IT Spending Forecast (Billions of US Dollars) (chart; figures not present in the extracted text)
Other Gartner Predictions
- Technology spend outside IT will become almost 90% by end of the decade
- 4.4M IT jobs globally will be created to support Big Data, 1.9M in the US
- $34B of IT spending in 2013
- In 2016, more than 1.6B smart mobile devices purchased globally
- Security investments to increase by 56% in five years; driver: regulatory compliance
Trends Sure to Impact CIOs in 2013
1. The increasing importance of smartphones
2. Tablets will make inroads
3. The Cloud is here to stay
4. BYOD (or is it IBMOD)
5. Big Data
6. The increasing role of Windows 8
7. Social networking security
8. Small, lighter hardware
9. Increasing employee knowledge
10. Apple love
Source: CIO Insight
Speaking of Big Data
- We no longer speak using terms like bytes, kilobytes (KB) or gigabytes (GB)
- How many bytes in a Terabyte (TB)? 10^12 (or 2^40), equivalent to roughly 1,610 CDs' worth of data
- Anyone heard of a Petabyte? Or an Exabyte?
- 1 Petabyte (PB) is 1,024 TB
- 1 Exabyte (EB) is 1,024 PB
- 1 Zettabyte (ZB) is 1,024 EB
- 1 Yottabyte (YB) is 1,024 ZB
(Slide image) © 2012 ISACA. Used by permission.
What Does It Mean?
Information systems environments are continuing to increase in complexity and impact, bringing unprecedented value opportunities along with significant risk. This requires:
- active governance and management of information
- advanced auditing practices
What is the Impact on the Audit Profession?
- Need to provide more value to the stakeholders of an organization by focusing more on business and information.
- Silos being removed: business, IT internal audit, finance internal audit, fraud investigators, security, governance, external audit, SLA managers.
- Era of diverse framework integration and central management.
- New technologies introduce new skill requirements for auditors, not solely technical ones.
Example
Securing and Auditing the Cloud requires good understanding of:
- Technologies (web services, virtualization)
- Related control frameworks
- Business requirements (linking IT with the business)
- Legal requirements (data transfer, retention, protection)
- Contractual agreements (e.g. impeding factors from moving to other providers)
ISACA Cloud Computing Management Audit/Assurance Program
IT Value Factors
Alignment: IT and business processes; Organization structure; Organization strategy
Integration: Enterprise architecture; Business architecture; Process design; Organization design; Performance metrics
Cycle: Business Requirements drive the investment in IT Resources, which are used by IT Processes, to deliver Enterprise Information, which responds to Business Requirements.
Value Defined (Val IT)
- IT is not an end in itself but a means of enabling business outcomes.
- IT is not about implementing technology. It is about unlocking value through IT-enabled organizational change.
- Value is the total life-cycle benefits net of related costs, adjusted for risk and (in the case of financial value) for the time value of money.
- The concept of value relies on the relationship between meeting the expectations of stakeholders and the resources used to do so.
Trust Defined
- Definition 1: Trust is the ability to predict what a system will do in various situations.
- Definition 2: Trust is using an information system without having full knowledge about it.
- Definition 3: Trust is giving something now (credit card) with an expectation of some future return or benefit (online purchase). Trust that: private and sensitive information will remain confidential; process integrity is maintained; essential business processes are available or recoverable.
- Definition 4: Trust is being vulnerable (entering private and sensitive information) while expecting that the vulnerabilities will not be exploited (identity theft).
Trust in an Information Society
Systems should give minimum and, as much as possible, measurable guarantees and information on related risks concerning quality of service, security and resilience, transparency of actions and the protection of users' data and users' privacy, in accordance with predefined, acknowledged policies.
Systems should provide tools and mechanisms (or allow third-party service providers to do so) that enable the user to assess the risks and audit the qualities it is claimed to possess.
A bona fide trustworthy system must also entail quantifiable and auditable technical and organizational aspects of delivery (policies, architectures, service level agreements, etc.), as well as the user's perceptions on its operation.
Trustworthy Computing
Pillars: Security, Privacy, Reliability, Integrity
- Investment in expertise & technology
- Responsible leadership and partnering
- Guidance and engagement through best practices & education
- Design, development and testing
- Standards and policies
- User sense of control over personal information
- Resilient: continues in the face of internal or external disruption
- Recoverable: restorable to a previously known state
- Controlled: accurate and timely service
- Undisruptable: changes and upgrades do not disrupt service
- Production ready: minimal bugs or fixes
- Predictable: works as expected or promised
- Acceptance of responsibility for problems, and taking action to correct them
Trust and Value Relationship (Trust, Assurance, Value)
- Trust creates the opportunity for Value
- Value is based on an expectation of Trust
- Assurance binds Trust and Value together
Governance
Information systems are integral enablers that:
- Achieve an organization's strategy and business objectives
- Provide the confidentiality, integrity, availability and reliability of information assets
- Ensure compliance with applicable laws and regulations
Their criticality brings to the enterprise unprecedented potential for both value creation and risk (creating the need for trust).
(Diagram labels: Governance, Info Security, Audit/Assurance, Risk Management)
What does all this mean for ISACA and IIA members?
- Learn Faster
- Share Knowledge
- Engage
LEARN FASTER
- White papers
- IT audit/assurance programs
- Survey results
- Other research
- Journal articles
Examples of Resources
ISACA:
- Information Technology Assurance Framework
- Audit programs (downloadable)
- IT Risk/Reward Barometer Survey
- elibrary
- White papers
- COBIT
IIA:
- International Professional Practices Framework
- Global Technology Audit Guides
- GAIN annual benchmarking study
- Chief audit executive resources
COBIT 5 Principles (slide image) © 2012 ISACA. Used by permission.
COBIT 5 Enablers (slide image) © 2012 ISACA. Used by permission.
COBIT 5 Enabling Processes (slide image) © 2012 ISACA. Used by permission.
SHARE KNOWLEDGE
- Networking at chapter, regional and international levels
- Use of knowledge centers and collaboration
- Communicate
ENGAGE
- Volunteer
- Share knowledge
- Attend
- Get a certification
- Comment on exposure drafts
Certifications
ISACA: CISA, CISM, CGEIT, CRISC
IIA: CIA, CGAP, CFSA, CCSA, CRMA
THANK YOU