Bridging The Gap Between Information Security IT Audit
Bridging The Gap Between Information Security & IT Audit
Agenda ▸ Introductions ▸ Objectives ▸ Understand the Information Security Perspective ▸ Information Security Trends and Business Insights ▸ Bridging the Gap between I. T. Audit and Information Security ▸ Case Study Examples ▸ Takeaways 2
Introductions 3 Raj Sawhney Cory Steinbicker Director Focal Point Data Risk Los Angeles, CA M. S. , M. B. A. , CISA, CRISC Senior Manager Focal Point Data Risk Phoenix, AZ CISSP, CISA, ITIL
Objectives After completing this session, you will be able to: ▸ Understand key areas of Information Security (“IS”) and impacts to the business ▸ Discuss ‘hot topic’ IS audit initiatives with stakeholders ▸ Build a beneficial relationship with IS while maintaining independence ▸ Identify and apply frameworks to help build internal IS audits ▸ Provide recommendations for the IS program 4
Fraud in Information Security ▸ $6. 3 B fraud losses in 2017 due to Information Security ▸ Profile hacking / spear phishing ▸ Distributed denial-of-service (DDo. S) ▸ Data breaches ▸ Ransomware ▸ Average cost of data breach $3. 62 M ▸ Additionally, it now takes 24 days to fully recover from such an attack, up from 18 days which is a 42% increase in lost productivity, lost or hampered sales, and general downtime. ▸ IBM 2017 Survey: 42% of banking executives believe that their fraud operations are in need of an overhaul. 5
Board of Directors Oversight on Cybersecurity 2017 National Survey of Board Directors: ▸ ▸ ▸ Cybersecurity noted as leading risks to large organizations 54% reported that the Audit Committee has primary responsibility 79% reported that the Board is more involved with cybersecurity than 12 months ago 78% say company has increased investment in cybersecurity in the last year Only 15% of Directors said that they are very satisfied with the quality of cybersecurity information they received (better collaboration with I. T. Audit) *Board Oversight and National Association of Corporate Directors survey 6
Definition of Information Security “Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. ” 1 1 https: //www. sans. org/information-security/ 7
Top Audit Initiatives for 2018 1. Cybersecurity programs 2. Privacy and data management 3. IT governance, risk, and strategic change 4. Business continuity and disaster recovery 5. Third party and vendor management 6. Cloud security 7. Identity and access management 8. Incident management and response 9. Security awareness and training 10. Digital and mobile risk 8
Goals of Information Security 1 Confidentiality 2 Integrity 9 INFORMATION SECURITY 3 Availability
Risk Management Framework Step 1 CATEGORIZE Information System Step 6 MONITOR Security Controls Step 2 SELECT Security Controls Step 5 AUTHORIZE Information Systems Step 3 IMPLEMENT Security Controls Step 4 ASSESS Security Controls 10
Defense-in-Depth Controls 11 Physical Controls Prevent, monitor, and detect sensitive areas (e. g. Guards, fences, locks, cameras, alarms, and lights) Logical / Technical Controls Hardware or software to manage access (e. g. Authentication methods, IDS/IPS, and firewalls) Administrative Controls Management controls defined by the organization (e. g. Policies and procedures, background checks, and training)
Threat Classifications ▸ Sources: Internal or External ▸ Agents: Human, environmental, or technological ▸ Motivations: Goals of the attack (e. g. political, profit, sabotage) ▸ Accidental or Intentional ▸ Impacts: Destruction, corruption, theft/loss, disclosure, and illegal use 12
Exposure and Impacts to the Business ▸ ▸ ▸ ▸ ▸ Unauthorized access Theft of non-public or private information Insider theft IT costs to remediate systems Business income loss Regulatory Reputational injury Stock price impact Legal SANS - https: //www. sans. org/reading-room/whitepapers/infosec/information-risks-risk-management-34210 13
3 Lines of Defense ROLES AND RESPONSIBILITIES 1 st Line: Business (IT Operations and IS) • Manages the data, processes, controls, and risk. • Implement corrective actions to address processes, gaps, and deficiencies. 2 nd Line: Compliance & Risk Management • Assessing the risks and exposures related to IS and determining whether they are in alignment with the organization’s risk appetite. • Monitoring current and emerging risks and changes to laws and regulations. • Collaborating with the first-line functions to ensure appropriate control design. 3 rd Line: Audit • • • Assess overall effectiveness of activates of 1 st and 2 nd lines of defense. Prioritizing responses and control activities. Auditing for IS risk mitigation across all relevant facets of the organization. Assurance in remediation activities. Raising risk awareness and coordinating with IS risk management. Global Technology Audit Guide (GTAG): Assessing Cyber Security Risk: Roles of the Three Lines of Defense: (https: //na. theiia. org/standards-guidance/recommended-guidance/practiceguides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense. aspx) 14
Where Do We Start? ▸ Asset Inventory and Classification ▸ Where are the crown jewels (i. e. the data)? ▸ What types of data do we possess and what is the level of sensitivity and criticality? ▸ Are other assets (e. g. connections, hardware, software) inventoried, maintained, and classified? ▸ Information Security Risk Assessment ▸ Does the RA leverage a formal framework or blend of frameworks? ▸ Does the RA identify threats, vulnerabilities, likelihoods, and potential impacts? ▸ Does the RA identify compliance requirements? ▸ Does the RA identify gaps, enhancements, and/or map internal control activities? 15
Building the Relationship with IA and IS ▸ Engage and understand each other’s overall objectives and strategies ▸ Demonstrate basic understanding of cyber risks, controls, and threats ▸ Discuss business strategy, regulations, compliance, and trends ▸ Become a trusted advisor while maintaining independence ▸ Collaboration and continuous involvement on projects and status meetings ▸ Start with a single point-of-contact for both teams 16
Building the Relationship of IA and IS IA can play an integral role with the IS function, including: ▸ Independent internal departments or third parties typically perform audits; ▸ Comprehensive review of the information security program, including the environment in which the program runs and outputs of the program; ▸ Not a one-size-fits-all audit approach - audit program dependent to the industry, organization and relevant risk profile; ▸ IA reports on information security activity, identify root cause(s) and provide recommendations to address deficiencies 17
Relationship Benefits ▸ Board can gain comfort that communications are consistent ▸ Provide Management and IS an independent assessment of: ▸ Investments ▸ Risks ▸ Security Posture ▸ Consistent communication reduces “surprises” ▸ Perform ‘health checks’ and continuous monitoring ▸ Proactive vs. Reactive 18
Partnering for a stronger IS Program ▸ Assess security models ▸ Review policies and procedures around the management of technology, governance and privacy ▸ Review the organization’s cybersecurity risk assessment, processes and controls ▸ Review existing and emerging technology systems against best practices and regulatory guidelines 19
Partnering for a stronger IS Program ▸ Champion a robust training and education program ▸ Assess third-party security providers ▸ Conduct periodic cyber “fire drills” ▸ Evaluate changes in the business model, technologies supporting them and related changes in the control structure 20
Tips for an Effective IS Audit Scope Recommendations: ▸ Consider internal/external systems, 3 rd party connections, and hosted systems ▸ Operating systems, databases, network devices, applications (COTS and developed) ▸ Scope based on risk level but include relevant aspects of people, processes, technology, and physical/environmental security ▸ Interview different lines of business outside of IS 21
Tips for an Effective IS Audit Report ▸ Periodically review with management to avoid “surprises” ▸ Simplify the impact to the business, level of risk, and gaps or ineffective controls ▸ Focus on the Root Cause ▸ Risk rank and prioritize the order of severity ▸ Design the report to keep the stakeholders accountable (e. g. include details on remediation efforts and dates to completion) 22
Case Study: Cybersecurity Risk Assessment Issue: The organization struggled to effectively develop, measure, and communicate their IS Program. Approach and Benefits: ▸ IA reviewed control mappings (frameworks to internal controls) ▸ Workshops with CISO and team to understand how risk ratings and control effectiveness were determined ▸ Reviewed Management’s risk assessment results ▸ Assessment led to the CISO modifying message to Bo. D and increasing the risk levels in certain areas ▸ Resulted in better reporting and corporate governance 23
Case Study: IS Program Effectiveness Issue: Management struggled to improve the maturity level and effectiveness of the IS Program. Approach and Benefits: ▸ IA became a partner to IS cultural change ▸ Knowledge transfer and coordination of skill sets ▸ Positive outcomes for internal and external audit assessments ▸ Cost reduction in development and maintenance of IS Program ▸ Lower risk profile for the company ▸ Increased visibility and assurance for executive management 24
Culture of Information Security ▸ Culture - A significant yet, intangible element of IS ▸ Responsibility of the organization, not just IS ▸ Governance gaps can arise from lack of business unit coordination ▸ Driving factors are due to increased governance oversight, regulatory guidelines, and accountability expectations from the various stakeholders 25
Integrated Approach to Information Security ▸ Aligned approach to information security and fraud management models focused on: ▸ Governance ▸ Education ▸ Awareness ▸ Business Process ▸ Technical Controls - fraud and security solutions ▸ Develop a common view of risk ▸ ‘Set and Forget’ approaches do not work. Continuously evolving threats require evolving Information Security. 26
Growing Threats for Mobile Security ▸ Information Security in the Mobile Age ▸ 113 mobile phones lost/stolen every minute in the U. S. ▸ Symantec placed 50 “lost” smartphones throughout U. S. cities ▸ 96% were accessed by finders ▸ 80% of finders tried to access “sensitive” data on phone 27
Takeaways ▸ Perspectives of IS goals, risks, and threats ▸ Build a stronger IS Program through collaboration, trust, and independence ▸ Starting points for auditable areas and risk assessments ▸ Audit scope and report recommendations ▸ Partnering to develop a stronger IS Program ▸ Soft skill recommendations and company culture ▸ Frameworks and additional resources 28
Frameworks and Resources ▸ COBIT 5 for Information Security (http: //www. isaca. org/cobit/pages/infosec. aspx) ▸ ISO/IEC 27000 series (https: //www. iso. org/isoiec-27001 -informationsecurity. html) ▸ NIST 800 series and Cybersecurity Framework (CSF) (https: //www. nist. gov) ▸ SANS CIS - Critical Security Controls (CSC) (https: //www. sans. org/) ▸ OWASP (http: //www. owasp. org) ▸ Open Source Security Testing Methodology (http: //www. isecom. org/) ▸ NIST Vulnerability Database (http: //nvd. nist. gov) 29
NIST Cybersecurity Framework 30
SANS Critical Security Controls (CSC) 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software 4. Continuous Vulnerability Assessment and Remediation 11. Secure Configurations for Network Devices 12. Boundary Defense 13. Data Protection 14. Controlled Access Based on the Need to Know 15. Wireless Access Control 5. Controlled Use of Administrative Privileges 16. Account Monitoring and Control 6. Maintenance, Monitoring, and Analysis of Audit Logs 17. Email and Web Browser Protections Security Skills Assessment and Appropriate Training to Fill Gaps 8. Malware Defenses 18. Application Software Security 9. Limitation and Control of Network Ports 19. Incident Response and Management 10. Data Recovery Capability 20. Penetration Tests and Red Team Exercises 31
OWASP Top 10 Security Vulnerabilities 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access 32
About Focal Point WHAT WE DO We measure, improve, and manage your data risk – protecting your most important assets and helping you achieve your business goals. HOW WE DO IT Top experts from the most in-demand fields are embedded into each engagement and build deliverables that have a meaningful impact on your business. WHO USES FOCAL POINT Many of the most innovative organizations in the world, including 5 of the 10 largest companies in the U. S. , rely on Focal Point to manage their data risks. 33 CORE SERVICE AREAS Cyber Security Internal and IT Audit Identity Governance Data Privacy Project Advisory Workforce Development Data Analytics
- Slides: 33
