Understanding IT Audit and Risk Management
Presentation overview
- Understanding different types of Assessments
  - Risk Assessments
  - IT Audits
  - Security Assessments
- Key Areas of Focus
- Steps to Mitigation
We need...
- "Our board said we need to do an IT Audit"
- "To be in compliance with XYZ, we need to do a Risk Assessment"
Types of Risk Assessments and Audits
- Risk Assessment
  - Enterprise Risk Assessment
  - IT Risk Assessment
  - Compliance Risk Assessment
- IT Audits
  - Process Audits (e.g., ACH)
  - IT Compliance Audits
- Security Assessment
  - Vulnerability Assessments
  - Penetration Testing
  - Social Engineering
Audit Philosophy and Approach
- Philosophy: People, Rules and Tools
- Approach: Understand, Test, Assess
Risk Assessment
- Identify Assets
- Define Threats and Vulnerabilities
- Classify the likelihood of bad things
- Quantify the impact
- Stop here: Residual Risk
- Continue: Test effectiveness of controls (audits)
Risk Assessment Theory
- Inherent Risk: Likelihood vs. Impact
- Control Risk
- Total Risk: IR x CR = TR
Types of IT Audit
- Broad audits
  - IT General Controls Review
- Specific/focused audits
  - DRP/IR/BCP audits and testing
  - SDLC and Change Management audits
  - User and group permission audits
  - Vendor management
Details... IT General Controls Review
- Broad, high-level coverage of IT management, the information security program, and compliance requirements
- Addresses adequacy of standards
- Effectiveness testing tends to be light
- Does not really test the systems
General Controls Review - Key Control Areas
- Organization Administration
- Vendor Administration
- User Account Administration
- Application Administration
- Workstation Administration
- Server Administration
- Physical Environment Administration
- Data Backup & Storage Administration
- Disaster Recovery & Business Continuity Planning
IT Audit - Focused Audits
- Common examples: DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits
- Deep dive into the details
- Focus on the process and perhaps application-level controls
- More thorough effectiveness testing, with sampling
Vulnerability Assessment
- Port Scans and Vulnerability Scans: they are like radar
- Pros/Cons
- External and Internal Scanning
- What are the benefits?
- Example: monthly scanning for a local municipality
  - July: nothing new/unusual
  - August: nothing new/unusual
  - September: SSH open, and
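The "radar" value of monthly scanning comes from comparing each scan against the previous one so that a newly exposed service stands out. The following is an added example, not code from the presentation; the hosts, ports and monthly results are constructed to mirror the July/August/September story above.

```python
"""Compare monthly scan snapshots and flag newly exposed services.

Added example (not from the slides). Host names, ports and months are
constructed sample data standing in for real scanner output.
"""

# Constructed snapshots: month -> {host: {port: service}}
SCANS = {
    "July": {
        "gw.example.test":  {443: "https"},
        "web.example.test": {80: "http", 443: "https"},
    },
    "August": {
        "gw.example.test":  {443: "https"},
        "web.example.test": {80: "http", 443: "https"},
    },
    "September": {
        "gw.example.test":  {443: "https", 22: "ssh"},   # SSH newly reachable
        "web.example.test": {80: "http", 443: "https"},
        "new.example.test": {3389: "rdp"},               # host never seen before
    },
}


def diff_scans(previous, current):
    """Return (opened, closed): lists of (host, port, service) that changed."""
    opened, closed = [], []
    for host in sorted(set(previous) | set(current)):
        before, after = previous.get(host, {}), current.get(host, {})
        for port in sorted(set(after) - set(before)):
            opened.append((host, port, after[port]))
        for port in sorted(set(before) - set(after)):
            closed.append((host, port, before[port]))
    return opened, closed


def monthly_report(scans):
    """Diff each month against the one before it; dict insertion order is the timeline."""
    months = list(scans)
    report = {}
    for prev, cur in zip(months, months[1:]):
        opened, closed = diff_scans(scans[prev], scans[cur])
        report[cur] = {"opened": opened, "closed": closed,
                       "unchanged": not (opened or closed)}
    return report


if __name__ == "__main__":
    for month, r in monthly_report(SCANS).items():
        if r["unchanged"]:
            print(f"{month}: nothing new/unusual")
        for host, port, svc in r["opened"]:
            print(f"{month}: NEW {svc}/{port} reachable on {host} - investigate and ticket")
```

Anything in `opened` is the auditor's follow-up question: was the change approved, and who owns the host?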
Penetration Testing
- Goals and Objectives: Understand, Test, and Assess
- Validate things behave as expected
- Find/identify new things
Penetration Testing
- External Network
- Applications
- Internal Network
- Wireless
- Facilities (social engineering)
Social Engineering: The fine art of People Hacking
- What is it? Social Engineering uses non-technical attacks to gain information or access to technical systems
- Pre-text telephone calls
- Building penetration
- Email attacks
Key Actions: Determine Enough
- Test the Key Controls (from the risk assessments)
- Penetration Testing (Breach Simulation)
- Vulnerability Assessment (collaborative, comprehensive)
- General Controls Review (BCP, Vendor, Change, Board)
Testing Controls: Penetration Testing
- Definition: Breach Simulation. What would happen if an attacker targeted my Financial Institution?
- Can this question be answered if those responsible for breach detection and response are aware of the timing of testing?
Penetration Testing: Vendor Misrepresentation
- What if your vendor's penetration testing has no penetration testing?
- Symptoms of REAL pen-testing:
  - Starts with Social Engineering
  - Performed covertly
  - Same methods as actual attacks
  - Persists until compromise and/or DA
Testing Controls: Vulnerability Assessment
- Definition: Collaborative, comprehensive exercise to identify vulnerable systems and misconfigurations
- What systems are susceptible to compromise?
- Can this question be answered if only a subset of systems are evaluated?
- Internal vs. External
- Sampling
Testing Controls: General Controls Review
- Definition: Collaborative evaluation of compliance with guidance and best practices
- Are my policies and practices compliant?
- Exam Focus: Vendor Management, Risk Assessment, BCP, Board Oversight, Incident Response
Key Areas of Focus
What Should Auditors Focus On? User Account Administration
- End users: should be granted access to data within the database via application software logins
- Administrators: IT staff should have a separate, privileged account, to be used only for administrative duties
- Service providers: vendors that support software systems must use a unique user name and password
What Should Auditors Focus On? Authentication
- Unique User ID
- Password complexity should be enabled
- Password policy should exceed best practice standards
What Should Auditors Focus On? Provisioning Process
- New Users
  - New hire checklist documenting specific logical and physical access requirements
  - Access approved and signed off by hiring manager
- Access Changes for Existing Users
  - Periodic access reviews
What Should Auditors Focus On? Terminated Users
- Access disabled immediately
- User IDs should be deleted as soon as possible
- User Account Validation
  - Periodic access reviews to ensure terminated employees are removed
  - Remove inactive user accounts
What Should Auditors Focus On? Data Storage and Backup Controls
- Types of data storage: tape, disk, storage area network
- Frequency of backups: what and when?
- Retention of information: how long should it be maintained?
- Location: on site versus off site
- Transportation
What Should Auditors Focus On? Physical Security
- Facilities and assets (alarm and/or video)
- Building and data room security
- Laptops, desktops, server room
- Storage of information, destruction of information
- Onsite storage vs. offsite storage
- Physical access provisioning
What Should Auditors Focus On? Workstation Administration
- Workstation Access Controls
  - Screensaver timeout and password
  - Controls to restrict workstation access to only authorized employees
- Workstation Security Software
- Encryption
What Should Auditors Focus On? Vendor Management
- Designate responsibility for vendor oversight
- Assess the risks of the relationship
- Proper due diligence
- Establish SLAs
- Monitor agreement and performance
Next steps to Mitigation
Now what...
- "I've had the IT Audit done, and now what do we do with all of these issues..."
- Audit reports can be lengthy and filled with technical details
- Uncertainty as to who is responsible
Develop Audit Response Plan
- Meet with the Auditors
  - Get clarification on findings when necessary
  - Ask for advice on viable solutions
  - Clear up any miscommunication
- Prioritize Tasks
  - Course of action for remediation efforts
  - Determine responsibility for remediation
- Identify Corrective Actions
  - Cost-benefit analysis of new technologies to remediate risks
  - Solutions that may serve multiple purposes
Audit Response Plan, cont'd
- Develop an Implementation Schedule
  - Set realistic timelines for remediation and new technologies
  - Identify temporary solutions to support the overall objective
- Confirm with Senior Management and Regulatory Authorities
  - Understand, explain and support the risks identified
  - Review and approval by senior management and regulators
Audit Response Plan, cont'd
- Deliver on the Plan
  - Remediate in a timely manner!
  - Keep everyone on task
- Prepare for future audits
  - We learn from failure, not from success!
  - Keep communication lines open with auditors
Questions? Thank you!
Laura Faulkner, Principal, Information Security Services Group, CliftonLarsonAllen
267-419-1165
laura.faulkner@claconnect.com