Cybersecurity: Considerations for Internal Audit
Gina Gondron, Senior Manager, Frazier & Deeter
Geek Week, August 10, 2016

Agenda
- Key Risks
- Incorporating Internal Audit
- Resources
- Questions
San Francisco ISACA Conference
Atlanta 404.253.7500 | Nashville 615.259.7600 | www.frazierdeeter.com

Key Risks
Key Risks
Board and Management: CIO, CAE and organizational leaders agree:
- Cyberthreats are not only an IT problem, but a fully fledged business risk
- A top 10 risk
- Separate from business interruption; loss of reputation and brand value; theft, fraud and corruption
- The percentage of IT focus on security is increasing

Key Risks
External:
- Stolen credentials
- Remote access
Internal:
- Employees
- Business partners
And in this corner...

Key Risks
Nature of attack:
- Denial of service (DoS) attacks
- Data security breaches
Focus of attack:
- Credit card data (e.g. retail)
- Exploration data (e.g. oil and gas)
- Intellectual property (e.g. technology, strategic information)

Key Risks
Threats:
- Rapidly evolving
- Increasingly sophisticated
- Methods continue to improve

Cost of Cyber Crime
Source: 2015 Ponemon Institute Cost of Cyber Crime Study
Incorporating Internal Audit

Incorporating Internal Audit
- Persistent threat
- Exposures
- Security posture
- Audit procedures
- Assisting management
- Resource application
Incorporating Internal Audit
Drive change. Be engaged at the strategic level:
- Understand the board's approach to security
- Better understand the value of business-critical data
- Be involved with new IT implementations

Incorporating Internal Audit
Key elements:
- Leadership and governance
- Technical and operational controls
- Training and awareness
- Information risk management
- Response planning
- Crisis management

Incorporating Internal Audit
Auditing defense mechanisms:
- Internal education/communication
- Secure firewalls
- Up-to-date antivirus software
- Open communication with ISPs
- Effective network monitoring
- Rapid response plans
- Patch management

Patch Management
Source: Verizon 2015 Data Breach Investigations Report

Incorporating Internal Audit
Auditing defense mechanisms:
- Password management
- Data categorization, segregation, access, storage and retention process
- Suppliers' cybersecurity practices; service agreements
- Cloud services
- Data security controls
- Corporate insurance coverage
Incorporating Internal Audit
IT audit resources:
- Perform business and IT impact analysis and risk assessment
- Cyber risk assessments
- External input on threats facing the industry
- Current attack methods
- Cyber assurance
- White-hat hacking

Incorporating Internal Audit
IT audit resources:
- People, process and technology controls
- Incident response program
- Help optimize controls to prevent or detect cyber issues
- Ongoing monitoring of changing cyber risk
- Working with systems administrators

Incorporating Internal Audit
Internal audit resources:
- Drive discussion around risk and mitigation strategy
- Independently assess and prioritize cyber risks against other critical enterprise risks
- Assess effectiveness of preparation
- Identify and monitor issues and risk related to emerging technology deployments

Incorporating Internal Audit
Supporting the Audit Committee: five principles:
1. Understanding and approach to cybersecurity
2. Legal implications
3. Access to expertise
4. Staffing and budget
5. Risk avoidance

Incorporating Internal Audit
Focus on:
- Specific types of attacks they face
- Weaknesses inherent in business practices, culture and IT systems
Educating the Audit Committee / Executive Management on:
- Business risk
- Risk to data
- Critical assets
- Nature of network traffic
- Prevention, detection and response

Incorporating Internal Audit
Questions to ask:
1. Funding for people, processes and technology?
2. Critical systems identified?
3. Connections to other systems?
4. Who relies on the data?
5. Who has access?
6. Audit logs maintained/reviewed?
7. Cyber response:
   1. Systems prioritized?
   2. Exercises documented?
   3. Support contracts in place?
8. Does staff receive training?
Resources

Where are the Resources?
- FDIC: 60 IT auditors for 4,000 financial institutions
- OCC: 100 IT auditors for 1,500 institutions
- NCUA: 50 IT auditors for 6,200 credit unions
- Federal Reserve: 85 IT auditors for the 5,500 institutions it monitors
Too many threats and too few professionals.

Performing Risk Assessments
Risk assessment areas:
- IT Security Architecture
- Awareness & Education
- Threat & Vulnerability Management
- IT Security Management
- Privacy & Data Protection
- Identity & Access Management
Identify high-risk areas and incorporate them into the audit plan.
Resources
U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
- Consistent and effective evaluation of current security: processes, procedures, technologies
- Links to other security standards and approaches

Source: NIST Framework for Improving Critical Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/#

Resources
Cybercrime Audit/Assurance Program
- Aligned with the NIST National Initiative for Cybersecurity Education
- http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cybercrime-audit-assurance-program.aspx
Source: ISACA IT Assurance Framework™ (ITAF™)

Resources
- Cybersecurity Fundamentals Certificate: knowledge-based certificate offered by ISACA
- Implementing NIST Cybersecurity Framework Using COBIT 5: focused on the CSF, its goals, implementation steps and application

ISACA Certifications
Nymity Framework
- Comprehensive listing of over 130 privacy management activities
- Structured in 13 privacy management processes
- Jurisdiction and industry neutral

Internal Audit Focus
Evaluating security risk and threats:
- Data at risk
- Secure infrastructure
- Monitoring capability
- Rapid identification, response, containment and recovery
Questions?