IT Vulnerabilities: What an IT Auditor Should be Thinking About


IT Vulnerabilities: What an IT Auditor Should be Thinking About
Evolving in a Changing Landscape, October 23-25, Hotel Nikko - SF

Agenda
1. About the Speaker
2. IT Vulnerability: The Term Defined
3. Identification
4. Prioritization
5. Inventories & Reporting
6. Remediation
7. Sustainable Controls
8. Final Words

About the Speaker

Marta O'Shea, Senior Vice President & IT Audit Director, Wells Fargo Bank
- CISA & CIA
- 16 years IT Audit & Risk Management experience
- Background is primarily financial services: Charles Schwab, Visa, Wells Fargo, IBM
- 10 years IT experience in large-scale data center operations & change management
- Dual US/Australian citizen!

Wells Fargo Audit Services: Enterprise Technology Audit Group

CIO Audit Team (~66 FTEs)
- SDLC & Application Development
- Application-layer controls
- Integrated Audits
- Change initiatives

Infrastructure Audit Team (~34 FTEs)
- Data centers
- Platform Engineering (Mainframe, Midrange, Distributed)
- Infrastructure / Production Environment

Cybersecurity Audit Team (~29 FTEs)
- NIST-based model
- Cyber Defense
- Security Governance

Wells Fargo Audit Services: Other Notes
- Total Audit Division = ~1100 (IT Audit = ~130)
- Regulatory Agencies: OCC, FRB, FDIC, CFPB

IT Vulnerability: The Term Defined

Broad definition (ISACA Risk IT framework): "A weakness in design, implementation, operation or internal control."
Could apply to pretty much any IT audit finding (for example, a data center visitor log not maintained, or failure to consistently execute background checks on key personnel).

For the purposes of our discussion today, we'll focus on a narrow application of the definition: weaknesses in software code, or in code within hardware, that could be exploited to compromise an IT environment.

Audit Considerations:
1. Does your audit plan address this risk?
2. Do you look at it in an enterprise-wide manner, or platform-by-platform, application-by-application, etc.?
3. Could looking at this risk through an alternate lens give you greater insight into the magnitude of risk your organization is faced with?

IT Vulnerabilities: Identification

Identification methods:
- Manual code reviews
- Scanning vendor code (Qualys)
- Scanning internally-developed code (Fortify, AppScan)
- Security assessments
- Penetration tests

Audit Considerations:
1. Does your organization use automated scanning tools to identify vulnerabilities? If not, why not?
2. If scanning tools are used, how do you gain assurance that they are scanning the entire relevant population?

IT Vulnerabilities: Prioritization

Typical approach to prioritization: assigning a numeric risk score.
- Vendor code vulnerabilities: NVD CVSS* score. Better practice is to combine this with an organization-specific asset model that considers the profile of the asset (internet-facing, etc.).
- Internally-developed code vulnerabilities: OWASP** score. Also consider the risk profile of the application (internet-facing, etc.).

Audit Considerations:
1. Is your IT organization's approach to assessing vulnerability prioritization appropriate, based on your company's risk profile?

* National Vulnerability Database - Common Vulnerability Scoring System
** Open Web Application Security Project
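The slide recommends combining the NVD CVSS base score with an organization-specific asset model. The following Python is an added illustration of that combination, not material from the deck or from Wells Fargo: the weights, asset names and VULN-xxxx identifiers are constructed placeholders, and the multiplicative model is one hypothetical way to express "asset profile" in a score. The point it demonstrates is that a CVSS 5.3 finding on an internet-facing, confidential-data asset with a public exploit can outrank a CVSS 7.4 finding on an internal system.

```python
"""Contextual vulnerability prioritization: CVSS base score adjusted by an
organization-specific asset model (exposure, data sensitivity, exploit
availability). All weights, assets and findings are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    data_classification: str   # "public", "internal" or "confidential"


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # constructed placeholder identifier, not a real CVE
    cvss_base: float   # NVD CVSS base score, 0.0 to 10.0
    exploit_public: bool


# Hypothetical asset-model weights; an organization tunes these to its risk profile.
EXPOSURE_WEIGHT = {True: 1.5, False: 1.0}
DATA_WEIGHT = {"public": 1.0, "internal": 1.1, "confidential": 1.2}
EXPLOIT_WEIGHT = {True: 1.2, False: 1.0}


def risk_score(finding, asset):
    """CVSS base x exposure x data sensitivity x exploit availability,
    capped at 10 so the result stays on the familiar CVSS scale."""
    raw = (finding.cvss_base
           * EXPOSURE_WEIGHT[asset.internet_facing]
           * DATA_WEIGHT[asset.data_classification]
           * EXPLOIT_WEIGHT[finding.exploit_public])
    return round(min(raw, 10.0), 1)


def tier(score):
    """Map a contextual score onto remediation tiers (thresholds are hypothetical)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(findings, assets):
    """Return findings ordered highest contextual risk first."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        score = risk_score(f, by_name[f.asset])
        ranked.append({"asset": f.asset, "vuln_id": f.vuln_id,
                       "cvss_base": f.cvss_base, "score": score, "tier": tier(score)})
    ranked.sort(key=lambda r: (-r["score"], r["asset"], r["vuln_id"]))
    return ranked


# Constructed sample data.
SAMPLE_ASSETS = [
    Asset("web-portal-01", internet_facing=True, data_classification="confidential"),
    Asset("hr-db-02", internet_facing=False, data_classification="confidential"),
    Asset("kiosk-03", internet_facing=False, data_classification="public"),
]
SAMPLE_FINDINGS = [
    Finding("web-portal-01", "VULN-0001", cvss_base=5.3, exploit_public=True),
    Finding("hr-db-02", "VULN-0002", cvss_base=7.4, exploit_public=False),
    Finding("kiosk-03", "VULN-0003", cvss_base=4.3, exploit_public=False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print("%-14s %-10s base=%.1f contextual=%.1f %s"
              % (row["asset"], row["vuln_id"], row["cvss_base"], row["score"], row["tier"]))
```

For an auditor, the questions to ask of a real implementation are where the asset attributes come from (an asset inventory that is itself controlled, not a spreadsheet), who approved the weights, and whether the cap hides meaningful differences at the top of the range.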

IT Vulnerabilities: Inventories and Reporting

Scanning is great... but when you switch it on, some challenges:
- Organizational scale
- Multiple platforms (mainframe, distributed, O/Ss, DBs, middleware, PCs, mobile, etc.)
- Millions of vulnerabilities? How to track? How to report?

Audit Considerations:
1. Does your organization have a plan for how they will address scanning results? Once you know about the vulnerabilities, you obviously need a plan to remediate. Has that been thought through before switching on scanning?
2. How does management ensure the integrity and usability of their scanning results database?
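The "how to track, how to report" question comes down to turning raw scan exports into a deduplicated inventory with a lifecycle per finding. The Python below is an added example, not code from the deck or any scanner vendor; the CSV layout, asset names, dates and VULN-xxxx identifiers are constructed. It keys findings by (asset, vulnerability id), records first and last sighting, closes items that disappear from a scan of their host, reopens items that come back, and, for the population-coverage question on the Identification slide, marks an item "unverified" rather than "fixed" when its host was not scanned at all.

```python
"""Vulnerability inventory built from successive scan exports (constructed data).
Tracks open / fixed / reopened / unverified status per (asset, vuln_id) and
reports open counts per platform."""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample exports, one per monthly scan cycle (not a real vendor format).
SCAN_EXPORTS = [
    (date(2018, 9, 1), """asset,platform,vuln_id,severity
web-portal-01,distributed,VULN-0001,high
web-portal-01,distributed,VULN-0002,medium
mf-lpar-07,mainframe,VULN-0003,high
hr-db-02,database,VULN-0004,critical
kiosk-03,workstation,VULN-0006,medium
"""),
    (date(2018, 10, 1), """asset,platform,vuln_id,severity
web-portal-01,distributed,VULN-0002,medium
mf-lpar-07,mainframe,VULN-0003,high
hr-db-02,database,VULN-0005,low
"""),
    (date(2018, 11, 1), """asset,platform,vuln_id,severity
web-portal-01,distributed,VULN-0001,high
mf-lpar-07,mainframe,VULN-0003,high
hr-db-02,database,VULN-0005,low
"""),
]


def parse_scan(text):
    """Parse one export into row dicts; csv handles quoting for us."""
    return list(csv.DictReader(io.StringIO(text)))


class Inventory:
    """Deduplicated inventory keyed by (asset, vuln_id)."""

    def __init__(self):
        self.items = {}
        self.last_scan_date = None

    def ingest(self, scan_date, rows):
        seen = set()
        scanned_assets = {row["asset"] for row in rows}   # hosts covered this cycle
        for row in rows:
            key = (row["asset"], row["vuln_id"])
            seen.add(key)
            rec = self.items.get(key)
            if rec is None:
                self.items[key] = {"platform": row["platform"], "severity": row["severity"],
                                   "first_seen": scan_date, "last_seen": scan_date,
                                   "status": "open", "reopen_count": 0}
                continue
            rec["last_seen"] = scan_date
            rec["severity"] = row["severity"]
            if rec["status"] == "fixed":
                rec["status"] = "reopened"        # closed earlier, now back: reintroduced
                rec["reopen_count"] += 1
            elif rec["status"] == "unverified":
                rec["status"] = "open"
        for (asset, vuln_id), rec in self.items.items():
            if (asset, vuln_id) in seen or rec["status"] == "fixed":
                continue
            if asset in scanned_assets:
                rec["status"] = "fixed"           # host scanned, finding gone
                rec["fixed_on"] = scan_date
            else:
                rec["status"] = "unverified"      # host not scanned: a coverage gap, not a fix
        self.last_scan_date = scan_date

    def status(self, asset, vuln_id):
        return self.items[(asset, vuln_id)]["status"]

    def reopen_count(self, asset, vuln_id):
        return self.items[(asset, vuln_id)]["reopen_count"]

    def count_by_platform(self, statuses=("open", "reopened")):
        """Headline number for a report: items in the given statuses, per platform."""
        return Counter(r["platform"] for r in self.items.values() if r["status"] in statuses)

    def age_days(self, asset, vuln_id):
        """Days since first detection, measured at the latest ingested scan."""
        return (self.last_scan_date - self.items[(asset, vuln_id)]["first_seen"]).days


def build_inventory(exports=SCAN_EXPORTS):
    inv = Inventory()
    for scan_date, text in exports:
        inv.ingest(scan_date, parse_scan(text))
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    for key, rec in sorted(inv.items.items()):
        print(key, rec["status"], "reopened x%d" % rec["reopen_count"])
    print("open by platform:", dict(inv.count_by_platform()))
    print("unverified:", dict(inv.count_by_platform(("unverified",))))
```

The "unverified" state is the integrity control an auditor should look for: without it, a host that silently drops out of scan scope appears to have been remediated, and the reported open count falls for the wrong reason.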

IT Vulnerabilities: Remediation

Typical vulnerability remediation approaches:
- Vendor code weaknesses: patches, system upgrades, configuration setting changes
- Internally-developed code weaknesses: re-coding

Challenges:
- Test, test, test for incompatibilities between elements in the stack (O/S, M/W, D/B, App)
- Outage windows: "the business won't give us a downtime window!!"

Audit Considerations:
1. How does your organization select a remediation solution? Do they defer implementation of a patch in favor of an upgrade in the future? If so, is that an appropriate risk decision?
2. Does your organization have instances where there is end-of-life software in a layer of the stack that precludes being able to patch or upgrade other elements of the stack? How should this risk be managed?

IT Vulnerabilities: Sustainable Controls

Sustainable controls: not very sexy... so why? $$$, reputation, efficiency, to name a few.
Without them: scan, identify, fix, build new server based on old vulnerable image, scan, identify, fix, etc.
Or even worse: scan, identify, fix, engineer makes a change that reintroduces the vulnerability, scan, identify, fix, etc.

Key Control Disciplines:
- Configuration baselines
- Golden images
- Drift monitoring
- Vulnerability remediation timeline standards
- End-of-Life standards
- Secure coding requirements

Audit Considerations:
1. Does your organization have a strong configuration management foundation?
2. Is your production environment locked down, with changes carefully controlled?
3. Are your asset management processes robust? (Procure, build, deploy, decommission, etc.)
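Configuration baselines, golden images and drift monitoring are the three disciplines on this slide that can be checked mechanically. The Python below is an added example, not code from the deck or from any configuration-management product: the image name, package versions, setting keys and VULN-xxxx identifiers are all constructed placeholders. It compares each host's current state against the approved golden-image baseline, reports every drifted item, and, using a small remediation register, flags drift that restores a value an earlier fix had removed. That is the "built from the old image" and "engineer reintroduces it" loops the slide describes, caught before the next scan cycle.

```python
"""Golden-image drift check with reintroduction detection (constructed data).
Compares a host's image version, package versions and settings against the
baseline and flags drift that brings back a previously remediated weakness."""

# Constructed baseline for a hypothetical golden image.
BASELINE = {
    "image_version": "web-gold-v12",
    "packages": {"httpd": "2.4.37", "libfoo": "3.2.0", "openssl": "1.1.1"},
    "settings": {"debug_endpoint": "disabled", "ssh_password_auth": "no",
                 "tls_min_version": "1.2"},
}

# Remediation register: (section, key) -> the finding an earlier fix closed and the
# values that would reopen it. Constructed; in practice fed from the change record.
REMEDIATION_REGISTER = {
    ("settings", "tls_min_version"): {"vuln_id": "VULN-0010", "bad_values": {"1.0", "1.1"}},
    ("settings", "debug_endpoint"): {"vuln_id": "VULN-0011", "bad_values": {"enabled"}},
    ("packages", "openssl"): {"vuln_id": "VULN-0012", "bad_values": {"1.0.2"}},
}


def diff_section(baseline, current, section):
    """Drift records for one section: missing, extra or changed keys."""
    base = baseline.get(section, {})
    cur = current.get(section, {})
    drift = []
    for key in sorted(set(base) | set(cur)):
        if base.get(key) != cur.get(key):
            drift.append({"section": section, "key": key,
                          "expected": base.get(key), "actual": cur.get(key)})
    return drift


def check_host(host, baseline=BASELINE, register=REMEDIATION_REGISTER):
    """All drift for one host, each item annotated with the finding it reintroduces, if any."""
    drift = []
    if host.get("image_version") != baseline["image_version"]:
        drift.append({"section": "image", "key": "image_version",
                      "expected": baseline["image_version"],
                      "actual": host.get("image_version")})
    for section in ("packages", "settings"):
        drift.extend(diff_section(baseline, host, section))
    for d in drift:
        reg = register.get((d["section"], d["key"]))
        d["reintroduces"] = reg["vuln_id"] if reg and d["actual"] in reg["bad_values"] else None
    return drift


def summarize(hosts, baseline=BASELINE, register=REMEDIATION_REGISTER):
    """Per-host drift count and the sorted list of reintroduced findings."""
    out = {}
    for host in hosts:
        drift = check_host(host, baseline, register)
        out[host["hostname"]] = {
            "drift_count": len(drift),
            "reintroduced": sorted(d["reintroduces"] for d in drift if d["reintroduces"]),
        }
    return out


# Constructed host states: one clean build, one built from an old image,
# one hand-modified after build.
SAMPLE_HOSTS = [
    {"hostname": "web-01", "image_version": "web-gold-v12",
     "packages": dict(BASELINE["packages"]), "settings": dict(BASELINE["settings"])},
    {"hostname": "web-02", "image_version": "web-gold-v09",
     "packages": {"httpd": "2.4.37", "libfoo": "3.2.0", "openssl": "1.0.2"},
     "settings": {"debug_endpoint": "disabled", "ssh_password_auth": "no",
                  "tls_min_version": "1.0"}},
    {"hostname": "web-03", "image_version": "web-gold-v12",
     "packages": {"httpd": "2.4.37", "libfoo": "3.2.0", "openssl": "1.1.1",
                  "telnet-server": "0.17"},
     "settings": {"debug_endpoint": "enabled", "ssh_password_auth": "no",
                  "tls_min_version": "1.2"}},
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        for d in check_host(host):
            print(host["hostname"], d["section"], d["key"], d["expected"], "->", d["actual"],
                  "reintroduces %s" % d["reintroduces"] if d["reintroduces"] else "")
    print(summarize(SAMPLE_HOSTS))
```

The register is what makes the check more than a diff: it links a configuration item back to the finding it closed, so a reversion is reported as a reopened vulnerability rather than as one more line of noise, and it gives the auditor a traceable path from scan result to change record to current state.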

IT Vulnerabilities: A Few Last Words

Influencing Senior Management: a real challenge for auditors! This is a pretty technical topic; many C-Suite leaders and Board Members don't have a comfort zone in this area, so they may not fully understand the risks.
Try this: Translate your concerns into plain English and give examples of how the business can be impacted.

"This Stuff's Expensive!" It's true. Keeping software up-to-date requires continual investment if a company wants to avoid a very costly and complex environment re-engineering effort.
Try this: Your fellow Enterprise Risk organization could be your friend here; introducing some financial risk models into the discussion could demonstrate that investment now is a more sound financial proposition than unanticipated spend later.

"We'll do this next year." Kicking the can down the road, because there's a hard problem to solve. It's a common problem.
Try this: Highlight examples of other companies who've suffered security breaches as a result, or been unable to nimbly respond to business challenges.

THANK-YOU!!