Cybersecurity: Considerations for Internal Audit Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda •Key Risks •Incorporating

Cybersecurity:

Considerations for

Internal Audit

Gina Gondron

Senior Manager

Frazier & Deeter

Geek Week

August 10, 2016

Agenda

• Key Risks

• Incorporating Internal Audit

• Resources

• Questions

2

San Francisco ISACA Conference

Atlanta 404.253.7500 I Nashville 615.259.7600 www.frazierdeeter.com 3

Key Risks

4

Key Risks

• Board and Management:

– CIO, CAE, organizational leaders agree: Cyberthreats not only and IT problem, but fully

fledged business risk

– Top 10 risk Separate from business interruption; loss of

reputation and brand value; theft fraud and corruption

% of IT focus increasing

5

Key Risks

• External

– Stolen credentials

– Remote access

• Internal

– Employees

– Business partners

6

And in this corner…


Key Risks

• Nature of attack:

– Denial of service attacks (DoS)

– Data security breaches

• Focus of attack:

– Credit card data (e.g. retail)

– Exploration data (e.g. oil and gas)

– Intellectual property (e.g. technology, strategic information)

8

Key Risks

• Threats

– Rapidly evolving

– Increasingly sophisticated

– Methods continue to improve

9

Cost of Cyber Crime

10

Source: 2015 Ponemon Institute Cost of Cyber Crime Study

Incorporating Internal Audit

11




Persistent threat

Exposures

Security posture

Audit procedures

Assisting management

Resource application

13


Drive change

Be engaged at the strategic level:

– Understand board’s approach to security

– Better understand the value of business-

critical data

– Being involved with new IT implementations

14


Key Elements:

– Leadership and governance

– Technical and operational controls

– Training and awareness

– Information risk management

– Response planning

– Crisis management

15


Auditing defense mechanisms:

– Internal education/communication

– Secure firewalls

– Up-to-date antivirus software

– Open communication to ISPs

– Effective network monitoring

– Rapid response plans

– Patch management

16

Patch Management

17

Source: Verizon 2015 Data Breach Investigations Report


Auditing defense mechanisms:

– Password management

– Data categorization, segregation, access storage, and retention process

– Suppliers’ cybersecurity practices; service agreements

– Cloud services

– Data security controls

– Corporate insurance coverage

18


IT Audit Resources:

– Perform business and IT impact

analysis and risk assessment

– Cyber Risk assessments

External input on threats facing industry

Current attack methods

Cyber “assurance”

White-hat hacking

19


IT Audit Resources:

– People, process and technology controls

– Incident response program

– Help optimize controls to prevent or

detect cyber issues

– Ongoing monitoring of changing cyberrisk

– Working with systems administrators

20




Internal Audit Resources:

– Drive discussion around risk and mitigation strategy

– Independently assess and prioritize cyberrisks

against other critical enterprise risks

– Assess effectiveness of preparation

– Identify and monitor issues and risk related to

emerging technology deployments

22


Supporting the Audit Committee:

– Five Principles:

1. Understanding and approach to cybersecurity

2. Legal implications

3. Access to expertise

4. Staffing and budget

5. Risk avoidance

23


Focus on: – Specific types of attacks they face

– Weaknesses inherent in business practices, culture, IT systems

– Educating AC/Executive Management: Business risk

Risk to data

Critical assets

Nature of network traffic

– Prevention, Detection and Response

24


Questions to ask: 1. Funding for people, processes, technology?

2. Critical Systems Identified?

3. Connections to other systems

4. Who relies on data?

25


Questions to ask: 4. Who has access?

5. Audit logs maintained/reviewed?

6. Cyber response: 1. Systems prioritized

2. Excercizes documented?

3. Support contracts in place?

7. Does staff receive training?

26

Resources

27

Where are the Resources?

• FDIC – 60 IT Auditors for 4,000 financial

institutions

• OCC – 100 IT Auditors for 1,500 institutions

• NCUA – 50 IT Auditors for 6,200 credit unions

• Federal Reserve – 85 IT Auditors for the

5,500 institutions it monitors

“Too many threats and too few

professionals.”

www.frazierdeeter.com 28

Where are the Resources?

www.frazierdeeter.com 29

Performing Risk Assessments


IT Security Architecture

Threat & Vulnerability Management

Privacy & Data

Protection

Identity & Access

Management

IT Security Management

Awareness & Education

Risk

Assessment

Areas

• Identify high

risk areas

• Incorporate into

audit plan

Resources

• U.S. National Institue of Standards and Technology (NIST) – Framework for Improving Critical Infrastructure

Cybersecurity

– Consistent and effective evaluation of current security: Processes

Procedures

Technologies

– Links to other security standards and approaches

31

32

Source: NIST Framework for Improving Critical Infrastructure Cybersecurity http://www.nist.gov/cyberframework/#

33

Source: NIST Framework for Improving Critical Infrastructure Cybersecurity http://www.nist.gov/cyberframework/#

Resources

Cybercrime

Audit/Assurance Program

• Aligned with the NIST

National Initiative for

Cybersecurity Education

34

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cybercrime-Audit-Assurance-Program.aspx

35

36

Source: ISACA IT Assurance FrameworkTM (ITAFTM)

Resources

Cybersecurity Fundamentals

Certificate

• Knowledge-based

certificate offered by ISACA

Implementing NIST

Cybersecurity Framework

Using COBIT 5

• Focused on the CSF, goals,

implementation steps and

application

37

ISACA Certifications

Atlanta 404.253.7500 I Nashville 615.259.7600 www.frazierdeeter.com

38

39

Nymity Framework


Comprehensive listing of over 130 privacy

management activities

Structured in 13 privacy management

processes

Jurisdiction and industry neutral

Internal Audit Focus

Evaluating security risk and threats

Data at risk

Secure infrastructure

Monitoring capability

Rapid identification, response,

containment and recovery

41

Questions?

Cybersecurity: Considerations for Internal Audit Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda •Key Risks •Incorporating

Documents