Cybersecurity: Considerations for Internal Audit. Gina Gondron, Senior Manager, Frazier & Deeter. Geek Week, August 10, 2016


Slide 2: Agenda
- Key Risks
- Incorporating Internal Audit
- Resources
- Questions

Slide 3: San Francisco ISACA Conference
Atlanta 404.253.7500 | Nashville 615.259.7600 | www.frazierdeeter.com

Slide 4: Key Risks

Slide 5: Key Risks
Board and Management: CIO, CAE and organizational leaders agree:
- Cyberthreats are not only an IT problem, but a fully fledged business risk
- A top 10 risk, separate from business interruption; loss of reputation and brand value; theft, fraud and corruption
- Percentage of IT focus on security is increasing

Slide 6: Key Risks
External:
- Stolen credentials
- Remote access
Internal:
- Employees
- Business partners

Slide 7: And in this corner

Slide 8: Key Risks
Nature of attack:
- Denial of service attacks (DoS)
- Data security breaches
Focus of attack:
- Credit card data (e.g. retail)
- Exploration data (e.g. oil and gas)
- Intellectual property (e.g. technology, strategic information)

Slide 9: Key Risks
Threats:
- Rapidly evolving
- Increasingly sophisticated
- Methods continue to improve

Slide 10: Cost of Cyber Crime
[Chart] Source: 2015 Ponemon Institute Cost of Cyber Crime Study

Slide 11: Incorporating Internal Audit


Slide 13: Incorporating Internal Audit
- Persistent threat
- Exposures
- Security posture
- Audit procedures
- Assisting management
- Resource application

Slide 14: Incorporating Internal Audit
Drive change. Be engaged at the strategic level:
- Understand the board's approach to security
- Better understand the value of business-critical data
- Be involved with new IT implementations

Slide 15: Incorporating Internal Audit
Key Elements:
- Leadership and governance
- Technical and operational controls
- Training and awareness
- Information risk management
- Response planning
- Crisis management

Slide 16: Incorporating Internal Audit
Auditing defense mechanisms:
- Internal education/communication
- Secure firewalls
- Up-to-date antivirus software
- Open communication to ISPs
- Effective network monitoring
- Rapid response plans
- Patch management

Slide 17: Patch Management
[Chart] Source: Verizon 2015 Data Breach Investigations Report

Slide 18: Incorporating Internal Audit
Auditing defense mechanisms (continued):
- Password management
- Data categorization, segregation, access, storage, and retention process
- Suppliers' cybersecurity practices; service agreements
- Cloud services
- Data security controls
- Corporate insurance coverage

Slide 19: Incorporating Internal Audit
IT Audit Resources:
- Perform business and IT impact analysis and risk assessment
- Cyber risk assessments
- External input on threats facing the industry
- Current attack methods
- Cyber assurance
- White-hat hacking

Slide 20: Incorporating Internal Audit
IT Audit Resources (continued):
- People, process and technology controls
- Incident response program
- Help optimize controls to prevent or detect cyber issues
- Ongoing monitoring of changing cyber risk
- Working with systems administrators


Slide 22: Incorporating Internal Audit
Internal Audit Resources:
- Drive discussion around risk and mitigation strategy
- Independently assess and prioritize cyber risks against other critical enterprise risks
- Assess effectiveness of preparation
- Identify and monitor issues and risks related to emerging technology deployments

Slide 23: Incorporating Internal Audit
Supporting the Audit Committee. Five Principles:
1. Understanding and approach to cybersecurity
2. Legal implications
3. Access to expertise
4. Staffing and budget
5. Risk avoidance

Slide 24: Incorporating Internal Audit
Focus on:
- Specific types of attacks they face
- Weaknesses inherent in business practices, culture, IT systems
Educating the Audit Committee / Executive Management on:
- Business risk
- Risk to data
- Critical assets
- Nature of network traffic
- Prevention, Detection and Response

Slide 25: Incorporating Internal Audit
Questions to ask:
1. Funding for people, processes, technology?
2. Critical systems identified?
3. Connections to other systems?
4. Who relies on the data?

Slide 26: Incorporating Internal Audit
Questions to ask (continued):
5. Who has access?
6. Audit logs maintained/reviewed?
7. Cyber response:
   - Systems prioritized?
   - Exercises documented?
   - Support contracts in place?
8. Does staff receive training?

Slide 27: Resources

Slide 28: Where are the Resources?
- FDIC: 60 IT auditors for 4,000 financial institutions
- OCC: 100 IT auditors for 1,500 institutions
- NCUA: 50 IT auditors for 6,200 credit unions
- Federal Reserve: 85 IT auditors for the 5,500 institutions it monitors
Too many threats and too few professionals.

Slide 29: Where are the Resources?

Slide 30: Performing Risk Assessments
Risk Assessment Areas:
- IT Security Architecture
- Awareness & Education
- Threat & Vulnerability Management
- IT Security Management
- Privacy & Data Protection
- Identity & Access Management
Identify high-risk areas; incorporate into the audit plan.

Slide 31: Resources
U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity:
- Consistent and effective evaluation of current security: processes, procedures, technologies
- Links to other security standards and approaches

Slides 32-33: [Figures] Source: NIST Framework for Improving Critical Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/#

Slide 34: Resources
Cybercrime Audit/Assurance Program, aligned with the NIST National Initiative for Cybersecurity Education:
http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cybercrime-audit-assurance-program.aspx


Slide 36: [Figure] Source: ISACA IT Assurance Framework (ITAF)

Slide 37: Resources
- Cybersecurity Fundamentals Certificate: knowledge-based certificate offered by ISACA
- Implementing NIST Cybersecurity Framework Using COBIT 5: focused on the CSF, goals, implementation steps and application

Slide 38: ISACA Certifications


Slide 40: Nymity Framework
- Comprehensive listing of over 130 privacy management activities
- Structured in 13 privacy management processes
- Jurisdiction and industry neutral

Slide 41: Internal Audit Focus
Evaluating security risk and threats:
- Data at risk
- Secure infrastructure
- Monitoring capability
- Rapid identification, response, containment and recovery

Questions?