Bridging The Gap Between Information Security & IT Audit

Nov 24, 2021
Page 1: Bridging the GAP between Information Security & IT Audit

Bridging The Gap Between Information Security & IT Audit

Page 2

Agenda

▸ Introductions
▸ Objectives
▸ Understand the Information Security Perspective
▸ Information Security Trends and Business Insights
▸ Bridging the Gap between I.T. Audit and Information Security
▸ Case Study Examples
▸ Takeaways

Page 3

Introductions

Cory Steinbicker
Senior Manager, Focal Point Data Risk
Phoenix, AZ
CISSP, CISA, ITIL

Raj Sawhney
Director, Focal Point Data Risk
Los Angeles, CA
M.S., M.B.A., CISA, CRISC
Page 4

Objectives

After completing this session, you will be able to:
▸ Understand key areas of Information Security (“IS”) and impacts to the business
▸ Discuss ‘hot topic’ IS audit initiatives with stakeholders
▸ Build a beneficial relationship with IS while maintaining independence
▸ Identify and apply frameworks to help build internal IS audits
▸ Provide recommendations for the IS program

Page 5

Fraud in Information Security

▸ $6.3B fraud losses in 2017 due to Information Security
  ▸ Profile hacking / spear phishing
  ▸ Distributed denial-of-service (DDoS)
  ▸ Data breaches
  ▸ Ransomware
▸ Average cost of data breach $3.62M
▸ Additionally, it now takes 24 days to fully recover from such an attack, up from 18 days, which is a 42% increase in lost productivity, lost or hampered sales, and general downtime.
▸ IBM 2017 Survey: 42% of banking executives believe that their fraud operations are in need of an overhaul.

Page 6

Board of Directors Oversight on Cybersecurity

2017 National Survey of Board Directors:*
▸ Cybersecurity noted as a leading risk to large organizations
▸ 54% reported that the Audit Committee has primary responsibility
▸ 79% reported that the Board is more involved with cybersecurity than 12 months ago
▸ 78% say the company has increased investment in cybersecurity in the last year
▸ Only 15% of Directors said that they are very satisfied with the quality of cybersecurity information they received (better collaboration with I.T. Audit)

*Board Oversight and National Association of Corporate Directors survey

Page 7

Definition of Information Security

“Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.” [1]

[1] https://www.sans.org/information-security/

Page 8

Top Audit Initiatives for 2018

1. Cybersecurity programs
2. Privacy and data management
3. IT governance, risk, and strategic change
4. Business continuity and disaster recovery
5. Third party and vendor management
6. Cloud security
7. Identity and access management
8. Incident management and response
9. Security awareness and training
10. Digital and mobile risk

Page 9

Goals of Information Security

1. Confidentiality
2. Integrity
3. Availability

Page 10

Risk Management Framework

Step 1: CATEGORIZE Information System
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information Systems
Step 6: MONITOR Security Controls

Page 11

Defense-in-Depth Controls

▸ Physical Controls: Prevent, monitor, and detect access to sensitive areas (e.g. guards, fences, locks, cameras, alarms, and lights)
▸ Logical / Technical Controls: Hardware or software to manage access (e.g. authentication methods, IDS/IPS, and firewalls)
▸ Administrative Controls: Management controls defined by the organization (e.g. policies and procedures, background checks, and training)

Page 12

Threat Classifications

▸ Sources: Internal or External
▸ Agents: Human, environmental, or technological
▸ Motivations: Goals of the attack (e.g. political, profit, sabotage)
  ▸ Accidental or Intentional
▸ Impacts: Destruction, corruption, theft/loss, disclosure, and illegal use

Page 13

Exposure and Impacts to the Business

▸ Unauthorized access
▸ Theft of non-public or private information
▸ Insider theft
▸ IT costs to remediate systems
▸ Business income loss
▸ Regulatory
▸ Reputational injury
▸ Stock price impact
▸ Legal

SANS - https://www.sans.org/reading-room/whitepapers/infosec/information-risks-risk-management-34210

Page 14

3 Lines of Defense

ROLES AND RESPONSIBILITIES

1st Line: Business (IT Operations and IS)
• Manages the data, processes, controls, and risk.
• Implements corrective actions to address processes, gaps, and deficiencies.

2nd Line: Compliance & Risk Management
• Assessing the risks and exposures related to IS and determining whether they are in alignment with the organization’s risk appetite.
• Monitoring current and emerging risks and changes to laws and regulations.
• Collaborating with the first-line functions to ensure appropriate control design.

3rd Line: Audit
• Assess overall effectiveness of activities of 1st and 2nd lines of defense.
• Prioritizing responses and control activities.
• Auditing for IS risk mitigation across all relevant facets of the organization.
• Assurance in remediation activities.
• Raising risk awareness and coordinating with IS risk management.

Global Technology Audit Guide (GTAG): Assessing Cyber Security Risk: Roles of the Three Lines of Defense: (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx)

Page 15

Where Do We Start?

▸ Asset Inventory and Classification
  ▸ Where are the crown jewels (i.e. the data)?
  ▸ What types of data do we possess and what is the level of sensitivity and criticality?
  ▸ Are other assets (e.g. connections, hardware, software) inventoried, maintained, and classified?
▸ Information Security Risk Assessment
  ▸ Does the RA leverage a formal framework or blend of frameworks?
  ▸ Does the RA identify threats, vulnerabilities, likelihoods, and potential impacts?
  ▸ Does the RA identify compliance requirements?
  ▸ Does the RA identify gaps, enhancements, and/or map internal control activities?

Page 16

Building the Relationship with IA and IS

▸ Engage and understand each other’s overall objectives and strategies
▸ Demonstrate basic understanding of cyber risks, controls, and threats
▸ Discuss business strategy, regulations, compliance, and trends
▸ Become a trusted advisor while maintaining independence
▸ Collaboration and continuous involvement on projects and status meetings
▸ Start with a single point-of-contact for both teams

Page 17

Building the Relationship of IA and IS

IA can play an integral role with the IS function, including:
▸ Independent internal departments or third parties typically perform audits;
▸ Comprehensive review of the information security program, including the environment in which the program runs and outputs of the program;
▸ Not a one-size-fits-all audit approach - audit program dependent on the industry, organization and relevant risk profile;
▸ IA reports on information security activity, identifies root cause(s) and provides recommendations to address deficiencies

Page 18

Relationship Benefits

▸ Board can gain comfort that communications are consistent
▸ Provide Management and IS an independent assessment of:
  ▸ Investments
  ▸ Risks
  ▸ Security Posture
▸ Consistent communication reduces “surprises”
▸ Perform ‘health checks’ and continuous monitoring
▸ Proactive vs. Reactive

Page 19

Partnering for a stronger IS Program

▸ Assess security models
▸ Review policies and procedures around the management of technology, governance and privacy
▸ Review the organization’s cybersecurity risk assessment, processes and controls
▸ Review existing and emerging technology systems against best practices and regulatory guidelines

Page 20

Partnering for a stronger IS Program

▸ Champion a robust training and education program
▸ Assess third-party security providers
▸ Conduct periodic cyber “fire drills”
▸ Evaluate changes in the business model, technologies supporting them and related changes in the control structure

Page 21

Tips for an Effective IS Audit Scope

Recommendations:
▸ Consider internal/external systems, 3rd party connections, and hosted systems
▸ Operating systems, databases, network devices, applications (COTS and developed)
▸ Scope based on risk level but include relevant aspects of people, processes, technology, and physical/environmental security
▸ Interview different lines of business outside of IS

Page 22

Tips for an Effective IS Audit Report

▸ Periodically review with management to avoid “surprises”
▸ Simplify the impact to the business, level of risk, and gaps or ineffective controls
▸ Focus on the Root Cause
▸ Risk rank and prioritize the order of severity
▸ Design the report to keep the stakeholders accountable (e.g. include details on remediation efforts and dates to completion)
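A worked example of turning the risk-assessment elements from Page 15 (likelihoods, impacts, control mappings) and the report tips above (root cause, risk ranking, remediation dates) into a ranked findings table. This is an added illustration, not the presenters' or Focal Point's own method; the 1-5 scales, effectiveness weights, severity bands and sample findings are constructed assumptions.

```python
"""Risk-ranked findings for an IS audit report (added example, not from the deck):
each finding carries the RA elements (likelihood, impact, control effectiveness),
a root cause, a CIS CSC mapping from the deck's list, and a remediation due date."""
from dataclasses import dataclass
from datetime import date

# Constructed weights: how much an existing control reduces inherent risk.
EFFECTIVENESS = {"effective": 0.25, "partially effective": 0.75, "ineffective": 1.0}

@dataclass
class Finding:
    title: str
    csc_control: int            # CIS Critical Security Control (1-20) the gap maps to
    root_cause: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    control_effectiveness: str  # key into EFFECTIVENESS
    remediation_due: date

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        return self.inherent_risk() * EFFECTIVENESS[self.control_effectiveness]

def severity(residual: float) -> str:
    # Constructed bands on the 1-25 scale; tune to the organization's risk appetite.
    if residual >= 15:
        return "High"
    return "Medium" if residual >= 8 else "Low"

def rank_findings(findings, as_of):
    """Order by residual risk (highest first), then by due date; flag overdue items."""
    ordered = sorted(findings, key=lambda f: (-f.residual_risk(), f.remediation_due))
    return [{"title": f.title, "control": f"CSC {f.csc_control}",
             "root_cause": f.root_cause, "residual": round(f.residual_risk(), 1),
             "severity": severity(f.residual_risk()),
             "overdue": f.remediation_due < as_of} for f in ordered]

SAMPLE_FINDINGS = [  # constructed sample findings, not real audit results
    Finding("Shared local admin password on servers", 5, "No privileged access standard",
            4, 5, "ineffective", date(2018, 3, 31)),
    Finding("Unpatched internet-facing web server", 4, "Scan results not reviewed",
            3, 4, "partially effective", date(2018, 6, 30)),
    Finding("No hardware inventory for branch offices", 1, "Asset process not extended",
            2, 3, "effective", date(2018, 9, 30)),
]

def build_report(as_of=date(2018, 5, 1)):
    return rank_findings(SAMPLE_FINDINGS, as_of)
```

Each row keeps the root cause and the framework control beside the rating, so the report reads as a prioritized remediation list rather than a catalogue of symptoms.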


Page 23

Case Study: Cybersecurity Risk Assessment

Issue: The organization struggled to effectively develop, measure, and communicate their IS Program.

Approach and Benefits:
▸ IA reviewed control mappings (frameworks to internal controls)
▸ Workshops with CISO and team to understand how risk ratings and control effectiveness were determined
▸ Reviewed Management’s risk assessment results
▸ Assessment led to the CISO modifying message to BoD and increasing the risk levels in certain areas
▸ Resulted in better reporting and corporate governance

Page 24

Case Study: IS Program Effectiveness

Issue: Management struggled to improve the maturity level and effectiveness of the IS Program.

Approach and Benefits:
▸ IA became a partner to IS cultural change
▸ Knowledge transfer and coordination of skill sets
▸ Positive outcomes for internal and external audit assessments
▸ Cost reduction in development and maintenance of IS Program
▸ Lower risk profile for the company
▸ Increased visibility and assurance for executive management

Page 25

Culture of Information Security

▸ Culture - A significant, yet intangible, element of IS
▸ Responsibility of the organization, not just IS
▸ Governance gaps can arise from lack of business unit coordination
▸ Driving factors are due to increased governance oversight, regulatory guidelines, and accountability expectations from the various stakeholders

Page 26

Integrated Approach to Information Security

▸ Aligned approach to information security and fraud management models focused on:
  ▸ Governance
  ▸ Education
  ▸ Awareness
  ▸ Business Process
  ▸ Technical Controls - fraud and security solutions
▸ Develop a common view of risk
▸ ‘Set and Forget’ approaches do not work. Continuously evolving threats require evolving Information Security.

Page 27

Growing Threats for Mobile Security

▸ Information Security in the Mobile Age
  ▸ 113 mobile phones lost/stolen every minute in the U.S.
  ▸ Symantec placed 50 “lost” smartphones throughout U.S. cities
    ▸ 96% were accessed by finders
    ▸ 80% of finders tried to access “sensitive” data on the phone

Page 28

Takeaways

▸ Perspectives of IS goals, risks, and threats
▸ Build a stronger IS Program through collaboration, trust, and independence
▸ Starting points for auditable areas and risk assessments
▸ Audit scope and report recommendations
▸ Partnering to develop a stronger IS Program
▸ Soft skill recommendations and company culture
▸ Frameworks and additional resources

Page 29

Frameworks and Resources

▸ COBIT 5 for Information Security (http://www.isaca.org/cobit/pages/info-sec.aspx)
▸ ISO/IEC 27000 series (https://www.iso.org/isoiec-27001-information-security.html)
▸ NIST 800 series and Cybersecurity Framework (CSF) (https://www.nist.gov)
▸ SANS CIS - Critical Security Controls (CSC) (https://www.sans.org/)
▸ OWASP (http://www.owasp.org)
▸ Open Source Security Testing Methodology (http://www.isecom.org/)
▸ NIST Vulnerability Database (http://nvd.nist.gov)

Presentation Notes:
- Listed fairly agnostic and most widely accepted frameworks.
- If industry-specific frameworks are needed, see what regulators or similar orgs. are using.
- Don't always need to have the latest framework implemented, but make sure the org. is considering updates made when they come out.
- Best to take a blended approach.
Page 30

NIST Cybersecurity Framework

Page 31

SANS Critical Security Controls (CSC)

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software

4. Continuous Vulnerability Assessment and Remediation

5. Controlled Use of Administrative Privileges

6. Maintenance, Monitoring, and Analysis of Audit Logs

7. Email and Web Browser Protections

8. Malware Defenses

9. Limitation and Control of Network Ports

10. Data Recovery Capability

11. Secure Configurations for Network Devices

12. Boundary Defense

13. Data Protection

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

16. Account Monitoring and Control

17. Security Skills Assessment and Appropriate Training to Fill Gaps

18. Application Software Security

19. Incident Response and Management

20. Penetration Tests and Red Team Exercises

Page 32

OWASP Top 10 Security Vulnerabilities

1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

Page 33

About Focal Point

WHAT WE DO
We measure, improve, and manage your data risk – protecting your most important assets and helping you achieve your business goals.

HOW WE DO IT
Top experts from the most in-demand fields are embedded into each engagement and build deliverables that have a meaningful impact on your business.

WHO USES FOCAL POINT
Many of the most innovative organizations in the world, including 5 of the 10 largest companies in the U.S., rely on Focal Point to manage their data risks.

CORE SERVICE AREAS
▸ Cyber Security
▸ Internal and IT Audit
▸ Identity Governance
▸ Data Privacy
▸ Project Advisory
▸ Workforce Development
▸ Data Analytics