Understanding IT Audit and Risk Management


Presentation overview
- Understanding the different types of assessments: risk assessments, IT audits, security assessments
- Key areas of focus
- Steps to mitigation

"We need..."
- "Our board said we need to do an IT audit."
- "To be in compliance with XYZ, we need to do a risk assessment."

Types of Risk Assessments and Audits
- Risk Assessment: Enterprise Risk Assessment; IT Risk Assessment; Compliance Risk Assessment
- IT Audits: Process Audits (e.g., ACH); IT Compliance Audits
- Security Assessment: Vulnerability Assessments; Penetration Testing; Social Engineering

Audit Philosophy and Approach
- Philosophy: People, Rules and Tools
- Approach: Understand, Test, Assess

Risk Assessment
- Identify assets
- Define threats and vulnerabilities
- Classify the likelihood of bad things happening
- Quantify the impact
- Stop here: residual risk
- Continue: test the effectiveness of controls (audits)

Risk Assessment Theory
- Inherent Risk (IR): likelihood vs. impact
- Control Risk (CR)
- Total Risk (TR): IR x CR = TR
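To show how the IR x CR = TR model turns into a ranked risk register, here is an added example (not from the presentation). The 1 to 5 likelihood and impact scales, the control-effectiveness score, and the threshold that decides between "stop here" (accept residual risk) and "continue" (test the controls) are all assumptions.

```python
"""Risk register scoring with the IR x CR = TR model from the slides.

Assumptions (not from the presentation): likelihood and impact are scored
1..5, control effectiveness is 0.0..1.0, and control risk is the share of
inherent risk the controls do not address (1 - effectiveness).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigated)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def control_risk(self) -> float:
        return round(1.0 - self.control_effectiveness, 2)

    def total_risk(self) -> float:
        # IR x CR = TR
        return round(self.inherent_risk() * self.control_risk(), 2)


def rank_register(items, test_threshold: float = 6.0):
    """Sort by total risk (highest first) and recommend the next step:
    above the (assumed) threshold the controls should be tested in an
    audit; below it the assessment can stop and record residual risk."""
    ranked = sorted(items, key=lambda i: i.total_risk(), reverse=True)
    return [
        {"asset": i.asset, "threat": i.threat, "IR": i.inherent_risk(),
         "CR": i.control_risk(), "TR": i.total_risk(),
         "next_step": "test controls" if i.total_risk() >= test_threshold
                      else "accept residual"}
        for i in ranked
    ]


# Constructed sample register, not real findings.
SAMPLE_REGISTER = [
    RiskItem("core banking app", "access via shared vendor login", 4, 5, 0.5),
    RiskItem("backup tapes", "loss in transit to off-site storage", 2, 4, 0.9),
    RiskItem("workstations", "unattended session abuse", 3, 3, 0.0),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(row)
```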

Types of IT Audit
- Broad audits: IT General Controls Review
- Specific/focused audits: DRP/IR/BCP audits and testing; SDLC and change management audits; user and group permission audits; vendor management

Details... IT General Controls Review
- Broad, high-level coverage of IT management, the information security program, and compliance requirements
- Addresses the adequacy of standards
- Effectiveness testing tends to be light
- Does not really test the systems

General Controls Review - Key Control Areas
- Organization Administration
- Vendor Administration
- User Account Administration
- Application Administration
- Workstation Administration
- Server Administration
- Physical Environment Administration
- Data Backup & Storage Administration
- Disaster Recovery & Business Continuity Planning

IT Audit - Focused Audits
- Common examples: DRP/IR/BCP audit and testing; user access reviews; SDLC and change management; ACH or other application audits
- Deep dive into the details
- Focus on the process and perhaps application-level controls
- More thorough effectiveness testing, with sampling

Vulnerability Assessment
- Port scans and vulnerability scans: they are like radar
- Pros/cons
- External and internal scanning
- What are the benefits? Example: monthly scanning for a local municipality
  - July: nothing new/unusual
  - August: nothing new/unusual
  - September: SSH open, and
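The "radar" value of monthly scanning comes from comparing each month's results with the last. The following is an added example, not the presenter's tooling; the one-line "host port/proto service" scan format and the sample hosts are constructed assumptions, not the output of any real scanner.

```python
"""Month-over-month comparison of external scan results (the slide's 'radar').

Added example. Snapshots are constructed sample data in an assumed
'host port/proto service' line format; addresses are documentation ranges.
"""
from __future__ import annotations

# Constructed snapshots: the previous month (baseline) and the month under review.
SCAN_AUGUST = """\
203.0.113.10 80/tcp http
203.0.113.10 443/tcp https
203.0.113.12 25/tcp smtp
"""
SCAN_SEPTEMBER = """\
203.0.113.10 80/tcp http
203.0.113.10 443/tcp https
203.0.113.10 22/tcp ssh
203.0.113.12 25/tcp smtp
"""


def parse_scan(text: str) -> set[tuple[str, str, str]]:
    """Turn 'host port/proto service' lines into a set of exposures."""
    exposures = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, service = line.split(maxsplit=2)
        exposures.add((host, port_proto, service))
    return exposures


def scan_delta(baseline: str, current: str) -> dict:
    """What appeared, what disappeared, and how much stayed the same."""
    before, after = parse_scan(baseline), parse_scan(current)
    return {"new": sorted(after - before), "closed": sorted(before - after),
            "unchanged": len(before & after)}


def review_status(delta: dict) -> str:
    """'nothing new/unusual' when the exposed surface is unchanged,
    otherwise the newly exposed services that need an explanation."""
    if not delta["new"] and not delta["closed"]:
        return "nothing new/unusual"
    new = "; ".join(f"NEW {h} {pp} ({svc})" for h, pp, svc in delta["new"])
    return new or "closed services only"


if __name__ == "__main__":
    print("August:", review_status(scan_delta(SCAN_AUGUST, SCAN_AUGUST)))
    print("September:", review_status(scan_delta(SCAN_AUGUST, SCAN_SEPTEMBER)))
```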

Penetration Testing - Goals and Objectives
- Understand, test, and assess
- Validate that things behave as expected
- Find/identify new things

Penetration Testing - Scope
- External network
- Applications
- Internal network
- Wireless
- Facilities (social engineering)

Social Engineering - The fine art of "people hacking"
- What is it? Social engineering uses non-technical attacks to gain information or access to technical systems
- Pretext telephone calls
- Building penetration
- Email attacks

Key Actions
- Determine "enough"
- Test the key controls (from the risk assessments):
  - Penetration Testing (breach simulation)
  - Vulnerability Assessment (collaborative, comprehensive)
  - General Controls Review (BCP, vendor, change, board)

Testing Controls: Penetration Testing
- Definition: breach simulation. What would happen if an attacker targeted my financial institution?
- Can this question be answered if those responsible for breach detection and response are aware of the timing of the testing?

Penetration Testing: Vendor Misrepresentation
- What if your vendor's "penetration testing" has no penetration testing?
- Symptoms of REAL pen-testing: starts with social engineering; performed covertly; same methods as actual attacks; persists until compromise and/or DA

Testing Controls: Vulnerability Assessment
- Definition: collaborative, comprehensive exercise to identify vulnerable systems and misconfigurations. What systems are susceptible to compromise?
- Can this question be answered if only a subset of systems is evaluated?
- Internal vs. external; sampling

Testing Controls: General Controls Review
- Definition: collaborative evaluation of compliance with guidance and best practices. Are my policies and practices compliant?
- Exam focus: vendor management, risk assessment, BCP, board oversight, incident response

Key Areas of Focus

What Should Auditors Focus On? User Account Administration
- End users: end users should be granted access to data within the database via application software logins
- Administrators: IT staff should have a separate, privileged account, to be used only for administrative duties
- Service providers: vendors that support software systems must use a unique user name and password

What Should Auditors Focus On? Authentication
- Unique user ID
- Password complexity should be enabled
- Password policy should exceed best-practice standards

What Should Auditors Focus On? Provisioning Process
- New users: new-hire checklist documenting specific logical and physical access requirements; access approved and signed off by the hiring manager
- Access changes for existing users: periodic access reviews

What Should Auditors Focus On? Terminated Users
- Access disabled immediately
- User IDs should be deleted as soon as possible
- User account validation: periodic access reviews to ensure terminated employees are removed
- Remove inactive user accounts
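The periodic access review described on these account slides can be scripted as a reconciliation of the account export against the HR roster. This is an added example, not from the presentation; the record layouts, the "-adm" naming convention for separate administrative accounts, and the 90-day inactivity threshold are assumptions, and the data is constructed.

```python
"""User account validation: terminated-but-enabled, inactive, and unowned accounts.

Added example, not from the presentation. The account export and HR roster
layouts, the '-adm' suffix for separate admin accounts, and the 90-day
inactivity threshold are assumptions; all records are constructed.
"""
from __future__ import annotations
from datetime import date, timedelta

INACTIVITY_DAYS = 90  # assumed threshold for an 'inactive' account

# Constructed account export: (user_id, enabled, last_login)
ACCOUNTS = [
    ("jsmith",     True,  date(2018, 3, 1)),
    ("jsmith-adm", True,  date(2018, 3, 2)),    # separate privileged account
    ("rlee",       True,  date(2017, 11, 20)),  # no login in months
    ("tbrown",     True,  date(2018, 2, 27)),   # terminated per HR, still enabled
    ("vendor-svc", True,  date(2018, 1, 5)),    # vendor login with no HR owner
    ("mwong",      False, date(2018, 2, 1)),    # already disabled
]
# Constructed HR roster: user_id -> employment status
HR_ROSTER = {"jsmith": "active", "rlee": "active",
             "tbrown": "terminated", "mwong": "terminated"}


def validate_accounts(accounts, roster, as_of: date) -> dict[str, list[str]]:
    """Flag enabled accounts that should be disabled or reviewed."""
    findings = {"terminated_still_enabled": [], "inactive": [], "not_in_hr": []}
    cutoff = as_of - timedelta(days=INACTIVITY_DAYS)
    for user_id, enabled, last_login in accounts:
        if not enabled:
            continue  # disabled accounts are pending deletion, not a finding here
        # Admin accounts (assumed '-adm' suffix) inherit their owner's HR status.
        owner = user_id[:-4] if user_id.endswith("-adm") else user_id
        status = roster.get(owner)
        if status == "terminated":
            findings["terminated_still_enabled"].append(user_id)
        elif status is None:
            findings["not_in_hr"].append(user_id)  # vendor/service accounts need a named owner
        if last_login < cutoff:
            findings["inactive"].append(user_id)
    return findings


if __name__ == "__main__":
    for category, users in validate_accounts(ACCOUNTS, HR_ROSTER, date(2018, 3, 5)).items():
        print(f"{category}: {users}")
```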

What Should Auditors Focus On? Data Storage and Backup Controls
- Types of data storage: tape, disk, storage area network
- Frequency of backups: what and when?
- Retention of information: how long should it be maintained?
- Location: on site versus off site
- Transportation

What Should Auditors Focus On? Physical Security
- Facilities and assets (alarm and/or video)
- Building and data room security
- Laptops, desktops, server room
- Storage of information, destruction of information
- Onsite storage vs. offsite storage
- Physical access provisioning

What Should Auditors Focus On? Workstation Administration
- Workstation access controls: screensaver timeout and password; controls to restrict workstation access to only authorized employees
- Workstation security software
- Encryption

What Should Auditors Focus On? Vendor Management
- Designate responsibility for vendor oversight
- Assess the risks of the relationship
- Proper due diligence
- Establish SLAs
- Monitor the agreement and performance

Next steps to Mitigation

Now what...
- "I've had the IT audit done, and now what do we do with all of these issues..."
- Audit reports can be lengthy and filled with technical details
- Uncertainty as to who is responsible

Develop an Audit Response Plan
- Meet with the auditors: get clarification on findings when necessary; ask for advice on viable solutions; clear up any miscommunication
- Prioritize tasks: course of action for remediation efforts; determine responsibility for remediation
- Identify corrective actions: cost-benefit analysis of new technologies to remediate risks; solutions that may be multi-purpose

Audit Response Plan, cont'd
- Develop an implementation schedule: set realistic timelines for remediation and new technologies; identify temporary solutions to support the overall objective
- Confirm with senior management and regulatory authorities: understand, explain and support the risks identified; review and approval by senior management and regulators

Audit Response Plan, cont'd
- Deliver on the plan: remediate in a timely manner; keep everyone on task
- Prepare for future audits: we learn from failure, not from success; keep communication lines open with auditors

Questions? Thank you!
Laura Faulkner, Principal, Information Security Services Group, CliftonLarsonAllen
267-419-1165, laura.faulkner@claconnect.com