Emerging Technology Challenges and Solutions for Internal Audit and Compliance: A Focus on Cloud Computing and Mobile Platforms
Grant Thornton Breakfast Seminar Series, The Union League, Philadelphia, PA, November 2011
Presented by: Danny Miller, CGEIT, CISA, ITIL, CRISC, QSA; Principal, Business Advisory Services; National Solutions Lead - Cyber Security & Privacy
© Grant Thornton. All rights reserved.
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And Solutions For Internal Audit Final2

Jan 22, 2015


dannymiller7

Seminar on emerging technology, focusing on cloud technology.
Transcript
2. Topics
  - Emerging Technology: Cloud computing; Mobile computing; Cybersecurity trends
  - Potential IA Complexities
  - Risks and Mitigating Risk (strategies)
  - What's Next?

3. Emerging Technology Trends
  - Spending on public IT cloud services will grow at more than five times the rate of the IT industry in 2011-2012
  - Enterprise IT planners begin to include cloud-computing expertise in some of their job searches to be prepared for the projects of the short-term and mid-term future
  - Hosted private clouds will outnumber internal clouds 3:1, but service providers have been incrementally ready
  - Cloud management and monitoring will fuel enterprise cloud adoption
  - 32% of CIOs expect virtualization to be their top investment in 2011

4. Cloud computing overview: Grant Thornton's CAE Survey
  - More than 300 CAEs surveyed responded that 77% are at least somewhat familiar with cloud computing
  - 69% use cloud computing; many expect cloud computing use to increase (45%) or stay the same (55%) in the next 12 months
  - When asked to describe their view as to the security, governance, risk and controls implications in moving to a cloud environment, 43% responded "I haven't really given it much thought."
  - 64% of respondents do not include cloud computing in their audit plan

5. Cloud computing overview
  [Chart: Global Public Cloud Market Size]

6. Emerging Technology
  - Cloud computing: SaaS, PaaS, IaaS, DaaS
  - Mobile computing: mobile platforms that are blurring the line between a hand-held device and complex computing
  - Risks and Strategies for Cloud Computing
  - Cybersecurity Trends

7. Emerging Technology Platforms (cont.)
  Types of Clouds:
  - Public: shared computer resources provided by an off-site third-party provider
  - Private: dedicated computer resources provided by an off-site third party, or use of Cloud technologies on a private internal network
  - Hybrid: consisting of multiple public and private Clouds
  Models of Cloud:
  - Software as a Service (SaaS): software applications delivered over the Internet
  - Platform as a Service (PaaS): full or partial operating system/development environment delivered over the Internet
  - Infrastructure as a Service (IaaS): computer infrastructure delivered over the Internet
  - Desktop as a Service (DaaS): virtualization of desktop systems serving thin clients, delivered over the Internet or a private Cloud

8. Emerging Technology Platforms (cont.)
  [Diagram: Public Cloud / Private Cloud]

9. Emerging Technology Platforms (cont.)
  Mobile computing is:
  - Wireless
  - Utilizes tablet platforms and smartphones
  - Internet-based
  - Communication via 3G/4G and WiFi
  - Scaled applications

10. Potential New IA Complexity
  Cloud computing:
  - Availability & performance
  - Business continuity
  - Cybersecurity
  - Data encryption
  - Privacy (especially in Healthcare & Life Sciences)

11. Potential New IA Complexity (cont.)
  Cloud computing (cont.) - Compliance:
  - FISMA
  - HIPAA
  - SOX
  - PCI DSS (card payments)
  - EU Data Protection Directive, et al.

12. Potential New IA Complexity (cont.)
  Mobile computing:
  - Security (physical and virtual)
  - Data ownership
  - Service interruption and recovery
  - Data archiving
  - Availability

13. Potential New IA Complexity (cont.)
  Mobile computing:
  - WiFi/3G/4G security
  - Surveillance and access control
  - Availability
  - Data ownership and recovery
  - Auditability
  - Bluetooth hijacking
  - AIDC

14. Risks and audit strategies for the Cloud
  Six risk areas:
  - Security
  - Multi-tenancy
  - Data location
  - Reliability
  - Sustainability
  - Scalability

15. Risks and audit strategies: 1. Security - risks
  - The cloud provider's security policies are not as strong as the organization's data security requirements (mis-alignment)
  - Cloud systems (servers, other devices) which store organization data are not updated or patched when necessary (vulnerability)
  - Security vulnerability assessments or penetration tests are not performed on a regular basis to ensure logical and physical security controls are in place
  - The physical location of company data is not properly secured

16. Risks and audit strategies: 1. Security - audit strategy
  - Determine if the cloud provider meets or exceeds the Organization's security requirements
  - Determine if the cloud provider's security posture is based on a security standard (e.g., ISO 27001, Cloud Security Alliance, PCI DSS, etc.)
  - Determine if the cloud provider has a security assessment performed
  - For your organization, have a baseline security assessment done
  - Determine if the cloud provider's Service Organization Report (e.g., SSAE 16, SOC Reports) addresses specific security controls

17. Risks and audit strategies: 2. Multi-tenancy - risks
  - Organization data is not appropriately segregated on shared hardware, resulting in Company data being inappropriately accessed by third parties
  - The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
  - The cloud service provider cannot determine the specific location of the organization's data on its systems
  - Organization data resides on shared server space, which might conflict with regulatory compliance requirements for the organization

18. Risks and audit strategies: 2. Multi-tenancy - audit strategy
  - Inquire of the cloud service provider the method used to secure the Company's data from being accessed by other customers/third parties
  - Review the cloud service provider's SLA to determine if the SLA addresses security of the organization's data
  - Review independent audit report(s) related to the Cloud provider's security posture (e.g., security settings, data encryption methods, etc.) and/or exercise the organization's "right-to-audit" clause
  - Gain access to cloud system(s) and perform limited auditing procedures from the Company's location

19. Risks and audit strategies: 3. Data location - risks
  - Organization is not aware of all of the cloud service provider's physical location(s)
  - Organization does not know where their data is physically or virtually stored; this implies a potential issue with sensitive data being stored outside the country, violating certain laws and regulations
  - The Cloud service provider moves organization data to another location without informing the Organization or gaining its consent
  - Organization data is stored in international locations and falls under foreign business or national laws/regulations (Data Protection Directive EU 95/46/EC, Mass Data Privacy Law 201 CMR 17, state Breach Laws, and there is some additional U.S. national proposed legislation coming soon)

20. Risks and audit strategies: 3. Data location - audit strategy
  - Inquire of the cloud provider the specific physical and virtual location of the organization's data
  - Work with the organization's legal group to fully understand the impact and potential risks of the organization's data residing in a foreign country
  - Ensure regulatory compliance is maintained if data resides in multiple locations

21. Risks and audit strategies: 4. Reliability - risks
  - The cloud service provider has quality of service standards which conflict with business requirements (do you have an SLA/OLA?)
  - During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
    - Organization employees cannot access the organization's data when needed
    - Customers are unable to use the organization's systems (such as placing an order on the organization's web site) because of performance problems with the cloud provider

22. Risks and audit strategies: 4. Reliability - audit strategy
  - Inquire of the cloud service provider to determine the controls in place to ensure the reliability of the cloud solution
  - Obtain an SLA/contract from the cloud service provider which details the specific reliability agreement for the organization. Compare this information to actual performance
  - Determine the times that the cloud provider performs system upgrades and/or patches, to ensure data availability during peak business hours is not affected
  - Review the organization's business continuity plan and determine if the plan addresses interruptions with the cloud systems used by the Company

23. Risks and audit strategies: 5. Sustainability - risks
  - In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization's data. In addition, another third party might gain access to/control of the organization's data
  - The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
  - The organization's business continuity plan does not address the cloud service offering being unavailable
  - Organization data is compromised as a result of a disaster

24. Risks and audit strategies: 5. Sustainability - audit strategy
  - Inquire of the cloud service provider to determine if they have adequate controls in place to recover and protect the organization's data even in the event of a disaster
  - Review the organization's business continuity plan and determine if the plan addresses interruptions with the cloud solution
  - Inquire of the cloud service provider to determine how the organization would gain access to its data in the event the cloud service provider goes out of business

25. Risks and audit strategies: 6. Scalability - risks
  - The cloud service provider's systems cannot scale to meet the organization's anticipated growth, both for a short-term spike and/or to meet a long-term strategy
  - If the organization decides to migrate all or part of the organization's system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

26. Risks and audit strategies: 6. Scalability - audit strategy
  - Determine if the cloud provider's system can scale to meet the organization's expected short-term spikes and/or growth over the next five years
  - Determine if the organization has a contingency plan in the event the cloud provider's systems cannot scale to meet the organization's needs
  - Determine who is the owner of the organization's data
  - Determine if the cloud provider would allow the organization to move data back in-house and/or to another provider. Determine the specific procedures and associated costs needed to perform this task

27. Cybersecurity Trends (What's Next?)
  - Distributed computing (the Cloud)
  - Cybersecurity & Privacy focus
  - Virtualization
  - Advanced IA tools: Analytics; Provenance engines
  - Enhanced hardware firewalls
  - Advanced encryption technology
  - New data segregation and security standards
  - Secure digital communications
  - Standards such as ITIL, COBIT and PCI are integrating and are now complementary

28. Questions?

29. Emerging Technology Challenges for Internal Audit and Compliance
  Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA
  National Solutions Lead - Cybersecurity
  Regional Solutions Lead - Business Consulting
  Principal, Grant Thornton LLP
  [email protected]
  grantthornton.com/