Bridging The Gap Between Information Security & IT Audit
Bridging The Gap Between Information Security
& IT Audit
Agenda
▸ Introductions▸ Objectives▸ Understand the Information Security Perspective▸ Information Security Trends and Business Insights▸ Bridging the Gap between I.T. Audit and Information Security▸ Case Study Examples▸ Takeaways
2
Introductions
3
Cory Steinbicker
Senior Manager Focal Point Data RiskPhoenix, AZCISSP, CISA, ITIL
Raj Sawhney
Director Focal Point Data RiskLos Angeles, CAM.S., M.B.A., CISA, CRISC
Objectives
After completing this session, you will be able to:▸ Understand key areas of Information Security (“IS”) and impacts to the
business▸ Discuss ‘hot topic’ IS audit initiatives with stakeholders ▸ Build a beneficial relationship with IS while maintaining independence▸ Identify and apply frameworks to help build internal IS audits ▸ Provide recommendations for the IS program
4
Fraud in Information Security▸ $6.3B fraud losses in 2017 due to Information Security
▸ Profile hacking / spear phishing▸ Distributed denial-of-service (DDoS)▸ Data breaches▸ Ransomware
▸ Average cost of data breach $3.62M▸ Additionally, it now takes 24 days to fully recover from such an attack, up from
18 days which is a 42% increase in lost productivity, lost or hampered sales, and general downtime.
▸ IBM 2017 Survey: 42% of banking executives believe that their fraud operations are in need of an overhaul.
5
Board of Directors Oversight on Cybersecurity
2017 National Survey of Board Directors:
▸ Cybersecurity noted as leading risks to large organizations▸ 54% reported that the Audit Committee has primary responsibility ▸ 79% reported that the Board is more involved with cybersecurity than 12
months ago▸ 78% say company has increased investment in cybersecurity in the last year▸ Only 15% of Directors said that they are very satisfied with the quality of
cybersecurity information they received (better collaboration with I.T. Audit)
6
*Board Oversight and National Association of Corporate Directors survey
Definition of Information Security
“Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.” 1
7
1 https://www.sans.org/information-security/
Top Audit Initiatives for 2018
1. Cybersecurity programs2. Privacy and data management3. IT governance, risk, and strategic change4. Business continuity and disaster recovery 5. Third party and vendor management 6. Cloud security 7. Identity and access management 8. Incident management and response 9. Security awareness and training10.Digital and mobile risk
8
Goals of Information Security
9
INFORMATION SECURITY
Integrity
2Availability
3
Confidentiality
1
Risk Management Framework
10
Step 1CATEGORIZE
Information System
Step 2SELECT
Security Controls
Step 3IMPLEMENT
Security Controls
Step 4ASSESS
Security Controls
Step 5AUTHORIZE
Information Systems
Step 6MONITOR
Security Controls
Defense-in-Depth Controls
11
Physical Controls
Logical / Technical Controls
Administrative Controls
Prevent, monitor, and detect sensitive areas (e.g. Guards, fences, locks, cameras, alarms, and lights)
Hardware or software to manage access (e.g. Authentication methods, IDS/IPS, and firewalls)
Management controls defined by the organization (e.g. Policies and procedures, background checks, and training)
Threat Classifications
▸Sources: Internal or External▸Agents: Human, environmental, or technological▸Motivations: Goals of the attack (e.g. political, profit,
sabotage)▸ Accidental or Intentional
▸ Impacts: Destruction, corruption, theft/loss, disclosure, and illegal use
12
Exposure and Impacts to the Business
▸ Unauthorized access ▸ Theft of non-public or private information▸ Insider theft▸ IT costs to remediate systems▸ Business income loss▸ Regulatory ▸ Reputational injury▸ Stock price impact▸ Legal
13
SANS - https://www.sans.org/reading-room/whitepapers/infosec/information-risks-risk-management-34210
3 Lines of Defense
14
ROLES AND RESPONSIBILITIES1st Line: Business (IT Operations and IS)
• Manages the data, processes, controls, and risk.• Implement corrective actions to address processes, gaps, and deficiencies.
2nd Line: Compliance & Risk Management
• Assessing the risks and exposures related to IS and determining whether they are in alignment with the organization’s risk appetite.
• Monitoring current and emerging risks and changes to laws and regulations.• Collaborating with the first-line functions to ensure appropriate control design.
3rd Line: Audit • Assess overall effectiveness of activates of 1st and 2nd lines of defense.• Prioritizing responses and control activities.• Auditing for IS risk mitigation across all relevant facets of the organization.• Assurance in remediation activities.• Raising risk awareness and coordinating with IS risk management.
Global Technology Audit Guide (GTAG): Assessing Cyber Security Risk: Roles of the Three Lines of Defense: (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx)
Where Do We Start?
▸Asset Inventory and Classification▸ Where are the crown jewels (i.e. the data)?▸ What types of data do we possess and what is the level of sensitivity and criticality?▸ Are other assets (e.g. connections, hardware, software) inventoried, maintained,
and classified? ▸ Information Security Risk Assessment
▸ Does the RA leverage a formal framework or blend of frameworks?▸ Does the RA identify threats, vulnerabilities, likelihoods, and potential impacts?▸ Does the RA identify compliance requirements?▸ Does the RA identify gaps, enhancements, and/or map internal control activities?
15
▸ Engage and understand each other’s overall objectives and strategies
▸ Demonstrate basic understanding of cyber risks, controls, and threats
▸ Discuss business strategy, regulations, compliance, and trends
▸ Become a trusted advisor while maintaining independence
▸ Collaboration and continuous involvement on projects and status meetings
▸ Start with a single point-of-contact for both teams
16
Building the Relationship with IA and IS
Building the Relationship of IA and IS
IA can play an integral role with the IS function, including:▸ Independent internal departments or third parties typically perform
audits;▸ Comprehensive review of the information security program,
including the environment in which the program runs and outputs of the program;
▸ Not a one-size-fits-all audit approach - audit program dependent to the industry, organization and relevant risk profile;
▸ IA reports on information security activity, identify root cause(s) and provide recommendations to address deficiencies
17
Relationship Benefits▸ Board can gain comfort that communications are consistent▸ Provide Management and IS an independent assessment
of:▸ Investments ▸ Risks▸ Security Posture
▸ Consistent communication reduces “surprises”▸ Perform ‘health checks’ and continuous monitoring▸ Proactive vs. Reactive
18
▸ Assess security models▸ Review policies and procedures around the management of
technology, governance and privacy ▸ Review the organization’s cybersecurity risk assessment,
processes and controls▸ Review existing and emerging technology systems against
best practices and regulatory guidelines
19
Partnering for a stronger IS Program
Partnering for a stronger IS Program
▸ Champion a robust training and education program▸ Assess third-party security providers ▸ Conduct periodic cyber “fire drills”▸ Evaluate changes in the business model, technologies
supporting them and related changes in the control structure
20
Tips for an Effective IS Audit Scope
Recommendations: ▸ Consider internal/external systems, 3rd party connections, and
hosted systems ▸ Operating systems, databases, network devices, applications
(COTS and developed)▸ Scope based on risk level but include relevant aspects of people,
processes, technology, and physical/environmental security▸ Interview different lines of business outside of IS
21
Tips for an Effective IS Audit Report
▸ Periodically review with management to avoid “surprises” ▸ Simplify the impact to the business, level of risk, and gaps or
ineffective controls▸ Focus on the Root Cause ▸ Risk rank and prioritize the order of severity▸ Design the report to keep the stakeholders accountable (e.g. include details on remediation efforts and dates to completion)
22
Case Study: Cybersecurity Risk AssessmentIssue: The organization struggled to effectively develop, measure, and communicate their IS Program.
Approach and Benefits: ▸ IA reviewed control mappings (frameworks to internal controls)▸ Workshops with CISO and team to understand how risk ratings and
control effectiveness were determined ▸ Reviewed Management’s risk assessment results ▸ Assessment led to the CISO modifying message to BoD and increasing
the risk levels in certain areas ▸ Resulted in better reporting and corporate governance
23
Case Study: IS Program EffectivenessIssue: Management struggled to improve the maturity level and effectiveness of the IS Program.
Approach and Benefits: ▸ IA became a partner to IS cultural change
▸ Knowledge transfer and coordination of skill sets ▸ Positive outcomes for internal and external audit assessments▸ Cost reduction in development and maintenance of IS Program▸ Lower risk profile for the company▸ Increased visibility and assurance for executive management
24
Culture of Information Security
▸ Culture - A significant yet, intangible element of IS▸ Responsibility of the organization, not just IS▸ Governance gaps can arise from lack of business unit
coordination▸ Driving factors are due to increased governance oversight,
regulatory guidelines, and accountability expectations from the various stakeholders
25
Integrated Approach to Information Security
▸ Aligned approach to information security and fraud management models focused on: ▸ Governance▸ Education▸ Awareness▸ Business Process▸ Technical Controls - fraud and security solutions
▸ Develop a common view of risk▸ ‘Set and Forget’ approaches do not work. Continuously evolving
threats require evolving Information Security.
26
▸ Information Security in the Mobile Age▸ 113 mobile phones lost/stolen every minute in the U.S. ▸ Symantec placed 50 “lost” smartphones throughout U.S.
cities▸ 96% were accessed by finders▸ 80% of finders tried to access “sensitive” data on
phone
27
Growing Threats for Mobile Security
Takeaways
▸ Perspectives of IS goals, risks, and threats▸ Build a stronger IS Program through collaboration, trust, and
independence ▸ Starting points for auditable areas and risk assessments▸ Audit scope and report recommendations▸ Partnering to develop a stronger IS Program▸ Soft skill recommendations and company culture▸ Frameworks and additional resources
28
Frameworks and Resources
29
▸ COBIT 5 for Information Security (http://www.isaca.org/cobit/pages/info-sec.aspx)
▸ ISO/IEC 27000 series (https://www.iso.org/isoiec-27001-information-security.html)
▸ NIST 800 series and Cybersecurity Framework (CSF) (https://www.nist.gov)
▸ SANS CIS - Critical Security Controls (CSC) (https://www.sans.org/)▸ OWASP (http://www.owasp.org)▸ Open Source Security Testing Methodology (http://www.isecom.org/)▸ NIST Vulnerability Database (http://nvd.nist.gov)
NIST Cybersecurity Framework
30
SANS Critical Security Controls (CSC)
31
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
OWASP Top 10 Security Vulnerabilities
1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access
32
WHAT WE DOWe measure, improve, and manage your data risk –protecting your most important assets and helping you achieve your business goals.
HOW WE DO ITTop experts from the most in-demand fields are embedded into each engagement and build deliverables that have a meaningful impact on your business.
WHO USES FOCAL POINTMany of the most innovative organizations in the world, including 5 of the 10 largest companies in the U.S., rely on Focal Point to manage their data risks.
Cyber Security
Internal and IT Audit
Identity Governance
Data Privacy
Project Advisory
Workforce Development
Data Analytics
33
CORE SERVICE AREAS
About Focal Point