http://www.enterprisegrc.com
Does Audit Make us Secure?
Presented at ISACA SV Spring Conference, May 15th 2015
Robin Basham, M.Ed, M.IT, CISA, CRISC, CGEIT, HISP, CRP, VRP
Founder, EnterpriseGRC Solutions
Companies that passed audit and had a major breach
March 18, 2015: “Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.”
The Heartland intrusion began in May 2008, even though the company had passed multiple audits, including one conducted on Apr. 30. At the time, the Princeton (N.J.) company was in compliance with industry standards for data security, Carr says. Still, shortly afterward, 13 pieces of malware that capitalize on weaknesses in Microsoft (MSFT) software infiltrated one or more network servers.
"We get pinged 200,000 times per day by people trying to hack into our system," Carr says. "You do everything you can to make sure one of those pings doesn't get through, and we thought we had done everything we could do."
Is it just me?
We establish “scope” and imply permission for less secure practices on lower impact systems
We audit what we understand and miss the most important areas of risk
We expose a wide range of people to known areas of weakness
We distract people from their core responsibilities
We create a false sense of security by under-representing complex and broken processes
Did I Pick the Right form of Risk Assessment?
If our goal is to determine if we are secure, pick the right risk assessment methods
If our goal is to enable a more secure enterprise, engage business partners to provide meaningful metrics that inform choices and decisions about the architecture
Integrated Audit (GRC) assists management to set compliance goals, track where process evidence is stored, and enable continuous improvement through internal control self assessment.
GRC Contributes by using a Cyber Security Model
Identify – CMDB, People, Process, Technology, relationships, alignment to controls
Protect – Architecture, Infrastructure, Monitoring
Detect – Defined Sources, Collection, Interpretation, Reporting Methods
Respond – RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
Recover – Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA
Configuration Management using Cobit®5
GRC Team Tracks to Inform Control Design & Risk
• Intrusion Detection Systems (IDS) events
• Virus Alerts and corresponding HelpDesk cases to clean infected systems
• DLP events and confirmation on false positives, loss events and corrective actions
• Vulnerabilities Identified, risk ranking, effort and plan to remediate, status to remediate
• Patch requirements and mean time to remediate (MTTR)
• Daily Anti-Virus status (Red, Yellow, Green), # of events blocked, cleaned, definition updates
• Daily end point patching, # of systems in and out of compliance
• Daily system backups – systems not backed up
• Number of Volume copies made, saved, purged
• Security Project Plans, Milestones, Issues or Blockers
• Infrastructure remediation through tickets and change requests
• Post Implementation Effectiveness for corrected security problems (ROI)
• Template Configurations
• NON template configurations
• Systems Monitored
• Services per system
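The list above names the raw operational records the GRC team collects, but not how they become trend metrics. The following is an added example, not code from the presentation or from EnterpriseGRC, that turns constructed vulnerability tickets and endpoint patch status into the metrics the slide lists: mean time to remediate by risk rank, remediation target breaches, and a daily Red/Yellow/Green patch-compliance status. The remediation targets and the RAG thresholds are assumed values, not figures from the slide.

```python
"""Added example (not from the presentation): derive MTTR, remediation
target breaches and a daily RAG patch status from constructed records."""
from datetime import date
from statistics import mean

# Constructed vulnerability tickets: (ticket, risk rank, opened, remediated or None if open)
VULN_TICKETS = [
    ("VULN-101", "Critical", date(2015, 3, 2), date(2015, 3, 5)),
    ("VULN-102", "Critical", date(2015, 3, 10), date(2015, 3, 21)),
    ("VULN-103", "High", date(2015, 3, 1), date(2015, 3, 31)),
    ("VULN-104", "High", date(2015, 3, 20), None),       # still open
    ("VULN-105", "Medium", date(2015, 2, 15), date(2015, 4, 1)),
    ("VULN-106", "Critical", date(2015, 3, 28), None),   # still open
]

# Constructed daily endpoint patch status: hostname -> number of required patches missing
PATCH_STATUS = {
    "ws-001": 0, "ws-002": 0, "ws-003": 2, "srv-db01": 0,
    "srv-web01": 1, "srv-web02": 0, "ws-004": 0, "ws-005": 0,
}

# Assumed remediation targets in days per risk rank (hypothetical policy values)
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}


def mttr_by_rank(tickets):
    """Mean days from open to remediation per risk rank, over closed tickets only."""
    durations = {}
    for _, rank, opened, closed in tickets:
        if closed is not None:
            durations.setdefault(rank, []).append((closed - opened).days)
    return {rank: mean(days) for rank, days in durations.items()}


def sla_breaches(tickets, as_of, sla=SLA_DAYS):
    """Tickets, open or closed, whose elapsed time exceeds the target for their rank.
    Open tickets are measured up to the reporting date so ageing work surfaces too."""
    breaches = []
    for ticket, rank, opened, closed in tickets:
        elapsed = ((closed or as_of) - opened).days
        if elapsed > sla[rank]:
            breaches.append((ticket, rank, elapsed, closed is None))
    return breaches


def patch_compliance(status):
    """Share of systems with no missing patches, plus the hosts out of compliance."""
    out = sorted(host for host, missing in status.items() if missing > 0)
    return (len(status) - len(out)) / len(status), out


def rag(ratio, green=0.95, yellow=0.85):
    """Map a compliance ratio to the daily Red/Yellow/Green status.
    Thresholds are assumed, not taken from the presentation."""
    if ratio >= green:
        return "Green"
    if ratio >= yellow:
        return "Yellow"
    return "Red"


def daily_report(as_of=date(2015, 3, 31)):
    """One day's trend record, ready to append to the central reporting store."""
    ratio, noncompliant = patch_compliance(PATCH_STATUS)
    return {
        "mttr_days": mttr_by_rank(VULN_TICKETS),
        "sla_breaches": sla_breaches(VULN_TICKETS, as_of),
        "patch_compliance": round(ratio, 3),
        "patch_status": rag(ratio),
        "out_of_compliance": noncompliant,
    }


if __name__ == "__main__":
    for key, value in daily_report().items():
        print(f"{key}: {value}")
```

Open tickets are deliberately included in the breach check: reporting MTTR only over closed tickets hides the oldest unresolved findings, which is exactly the kind of under-representation the earlier slide warns about.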
Confirm Incident Definitions, Review, Response
• Scheduled outputs to central mailbox (restrict delete)
• Track incident notifications
• Establish and RUN rules for follow up
• Set flags to communicate closed corrective action
People and Access – Focus on Integrated Reporting
Access Governance
• Use PowerShell to gather all local Admin accounts on all systems
• Use ADManager or other tools to pull all members in all groups
• Compare active users in HR systems to roles granted to all identities
Track effectiveness of department security roles and access grants
Publish exception policy and have management sign off at least quarterly
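The three data pulls above only become an access review once they are reconciled against each other. The following is an added example, not code from the presentation, from EnterpriseGRC or from ADManager, that consumes the kind of exports those tools produce (local Administrators membership per host, AD group membership, the HR roster) and emits the exceptions a reviewer needs to act on: admin accounts whose owner is not active in HR, unmanaged local accounts, and group members whose department is not approved for the role. All records, the role model and the service-account register are constructed assumptions.

```python
"""Added example (not from the presentation): reconcile local admin,
AD group and HR roster exports into an access-review exception list."""

# Constructed per-system local Administrators inventory (host -> members)
LOCAL_ADMINS = {
    "srv-db01": ["CORP\\jsmith", "CORP\\svc-backup", "srv-db01\\Administrator"],
    "ws-004":   ["CORP\\rlee", "ws-004\\Administrator", "ws-004\\localtech"],
}

# Constructed AD group membership pull (group -> members)
AD_GROUPS = {
    "Domain Admins": ["CORP\\jsmith", "CORP\\akhan"],
    "Finance-Users": ["CORP\\rlee", "CORP\\mgarcia"],
    "SaaS-Ops":      ["CORP\\akhan", "CORP\\tnguyen"],
}

# Constructed HR roster: account name -> (department, employment status)
HR_ROSTER = {
    "jsmith":  ("IT", "active"),
    "rlee":    ("Finance", "active"),
    "akhan":   ("IT", "terminated"),
    "mgarcia": ("Finance", "active"),
}

# Assumed role model: departments approved for each group (hypothetical)
APPROVED_ROLES = {
    "Domain Admins": {"IT"},
    "Finance-Users": {"Finance"},
    "SaaS-Ops":      {"IT", "SaaS Operations"},
}
# Assumed exception register: non-person accounts already signed off by management
SERVICE_ACCOUNTS = {"CORP\\svc-backup"}


def split_principal(principal):
    """'CORP\\jsmith' -> ('CORP', 'jsmith'); local accounts carry the host as domain."""
    domain, _, name = principal.partition("\\")
    return domain, name


def is_active(hr, name):
    rec = hr.get(name)
    return rec is not None and rec[1] == "active"


def review_local_admins(local_admins, hr, domain="CORP", exceptions=SERVICE_ACCOUNTS):
    """Flag domain accounts in local Administrators that are not active in HR, and
    non-builtin local accounts, which sit outside central identity management."""
    findings = []
    for host, members in local_admins.items():
        for principal in members:
            if principal in exceptions:
                continue
            dom, name = split_principal(principal)
            if dom.upper() == domain:
                if not is_active(hr, name):
                    findings.append((host, principal, "not active in HR"))
            elif name.lower() != "administrator":
                findings.append((host, principal, "unmanaged local account"))
    return findings


def review_group_roles(groups, hr, approved=APPROVED_ROLES):
    """Flag group members not active in HR, or whose HR department is not
    approved for the role the group grants."""
    findings = []
    for group, members in groups.items():
        for principal in members:
            _, name = split_principal(principal)
            if not is_active(hr, name):
                findings.append((group, principal, "not active in HR"))
            elif hr[name][0] not in approved.get(group, set()):
                findings.append((group, principal, f"department {hr[name][0]} not approved"))
    return findings


def exception_report():
    """Combined list for the quarterly management sign-off."""
    return review_local_admins(LOCAL_ADMINS, HR_ROSTER) + review_group_roles(AD_GROUPS, HR_ROSTER)


if __name__ == "__main__":
    for finding in exception_report():
        print(*finding, sep=" | ")
```

The HR roster is treated as the source of truth for "active", so a terminated employee still present in Domain Admins shows up even though AD itself considers the membership valid; that mismatch is the finding an integrated report is meant to surface.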
How can audit drive security? Manage Corrective Actions!
Data System Relationships to Audit, Classification, Risk
Assets include Applications, Products, Services, File Shares, Devices, OS, Infrastructure
Assets are owned, administered, developed, supported, classified, documented
Data and transactions source audit information
Get The Data – Trend and Report – Examples of Data Sources
Inversion of Control v. Faith – Managing Complexity through Framework
Each control is a data point with related Information Security Governance Processes – Policies - SOP, Corporate Strategic Objectives, Department Strategic and Tactical Objectives, Business Risks, Control RACI, Control Programs, Initiatives, People, Tools, Access Profiles and Asset Profiles.
The GRC must Collectively represent reliable information to inform our management shareholders and customers that we manage our risks.
GRC has to Help Management to make us more secure
Document and Follow a Data Collection Practice
Implement a meaningful output process
• Data collection strategy
• Source coverage – the architecture stack
• Test mapping
• Validation process
• Imports, Reference Tables, Audit Queries
• Output to Corrective Actions tracking
Give Management Knowledge – Fact based observations
Answer Their Questions
Continuous Feedback – GAP in ISMS
Risk Reporting – Tie Controls to Corporate Risks (The 10K)
Use the data collection strategy to inform corporate risk
Make all reports “personal” by assigning programs, departments and key initiatives
Incorporate notification strategies
Maintain and gain consensus
The risks identified have actual probability – get the lessons learned
REMEMBER: It’s always about money – (Materiality)
Financial statement audits measure materiality in monetary terms. Integrated Audit provides IT assurance on non-financial items, which requires alternative measures (maturity models and process assurance methodology).
We meet objectives so we can make money or retain money.
Focus on Effectiveness GAP v. Audit Bar
| Control ID | Control Objective | Control Effectiveness | Test ID | Heat | In place | GAP | Accountable |
|---|---|---|---|---|---|---|---|
| DS5 | Ensure Systems Security | Needs Strengthening (Important) | DS5 5.1 Management of IT Security; DS5 5.2 IT Security Plan; DS5 5.3 Identity Management; DS5 5.4 User Account Asset Provisioning and De-Provisioning; DS5 5.5 Security Testing, | 36 | 3/31/2015 | -2 | 170000 IT: Sr. VP, IT & CIO; 170000 IT: Chief Security Officer; 740000 SaaS Operations: VP, SAAS |
| DS2 | Manage Third-party Services | Needs Strengthening (Minor) | DS2 2.1 Identification Supplier Relationships; DS2 2.3 Supplier Risk Management | 34 | 3/31/2015 | -2 | 170000 IT; 170000 IT: Director, Information Risk Mgt |
| AI1 | Identify Automated Solutions | Needs Strengthening (Important) | AI1 1.1 Definition Maintenance Business Functional Technical Requirement; AI1 1.4 Requirements and Feasibility Decision and Approval; ISMS_6.1.5 Information security in project management | 27 | 3/31/2015 | -2 | 170000 IT: Sr. VP, IT & CIO; 310000 Product Development: EVP, CTO |
| DS10 | Manage Problems | Needs Strengthening (Minor) | DS10 10.1 Identification and Classification of Problems; DS10 10.2 Problem Tracking and Resolution; DS10 10.3 Problem Closure; DS10 10.4 Integration of Change, Configuration and Problem | 26 | 3/31/2015 | -2 | 740000 SaaS Operations: VP, SAAS Operations |
| DS4 | Ensure Continuous Service | Needs Strengthening (Minor) | DS4 4.1 IT Continuity Framework; DS4 4.2 Continuity Plans for Accounting and MIS Transaction Services; DS4 4.3 Critical IT Resources; DS4 4.4 Maintenance of the IT Continuity Plan; DS4 4.5 Testing of | 26 | 3/31/2015 | -2 | 170000 IT: Sr. VP, IT & CIO |
| DS9 | Manage the Configuration | Needs Strengthening (Minor) | DS9 9.1 Configuration Repository and Baseline Servers and Standard desktop; DS9 9.2 Identification and Maintenance of Configuration Items; DS9 9.3 Configuration Integrity | 14 | 3/31/2015 | -2 | 740000 SaaS Operations: VP, SAAS Operations |
| AI5 | Procure IT Resources | Needs Strengthening (Minor) | AI5 5.4 Software Acquisition; AI5 5.3 Supplier Selection; AI5 5.2 Supplier Contract Management; AI5 5.1 Procurement Control | 12 | 3/31/2015 | -2 | 170000 IT: Director, Information Risk Mgt |
| DS13 | Manage IT Operations | Needs Strengthening (Minor) | DS13 13.5 Preventive Maintenance for Hardware; DS13 13.4 Sensitive Documents and Output Devices; DS13 13.3 Infrastructure Monitoring; DS13 13.2 Event Monitoring data Transaction | 12 | 3/31/2015 | -1 | 740000 SaaS Operations: VP, SAAS Operations |
| AI7 | Install and Accredit Solutions and Changes | Needs Strengthening (Minor) | AI7 7.1 Release Planning and Training; AI7 7.2 Release Test Plan; AI7 7.3 Implementation Plan; AI7 7.4 Test Environment; AI7 7.5 System and Data Conversion; AI7 7.6 Testing of Product | 10 | 3/31/2015 | -2 | 720000 Technical Support: VP, Technical Support |
| DS1 | Define and Manage Service Levels | Needs Strengthening (Minor) | DS1 1.1 Service Level Management Framework - Encompass; DS1 1.2 Definition of Services - PSA and Encompass; DS1 1.3 Service Level Agreements - SBP - PSA and | 9 | 3/31/2015 | -1 | 740000 SaaS Operations: Sr. IT Services Manager |
• Use control effectiveness to predict and prepare for external audit
• Have a detailed corrective actions plan
• Measure heat, impact, likelihood, controllability, plus GAP to strategic maturity
• If a control isn’t owned, find out how important it is to the board
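The bullets above describe how the effectiveness table feeds a corrective action plan and external audit preparation. The following is an added example, not code from the presentation or from EnterpriseGRC, that loads the table's rows (control ID, objective, rating qualifier, heat, GAP to strategic maturity, accountable roles, transcribed from the slide) and produces a prioritised corrective action queue, a list of unowned controls to escalate, and the per-owner workload for distributing risk reports. The final row is constructed to exercise the unowned-control check, and the heat threshold used for the audit-focus list is an assumption.

```python
"""Added example (not from the presentation): turn control-effectiveness
rows into a corrective action queue and escalation list."""
from dataclasses import dataclass, field


@dataclass
class ControlStatus:
    control_id: str
    objective: str
    rating: str                 # qualifier on "Needs Strengthening": Important or Minor
    heat: int
    gap: int                    # GAP to strategic maturity (negative = behind target)
    accountable: list = field(default_factory=list)


# Rows transcribed from the slide's table; the XX1 row is constructed, not on the slide
CONTROLS = [
    ControlStatus("DS5", "Ensure Systems Security", "Important", 36, -2,
                  ["IT: Sr. VP, IT & CIO", "IT: Chief Security Officer", "SaaS Operations: VP, SAAS"]),
    ControlStatus("DS2", "Manage Third-party Services", "Minor", 34, -2,
                  ["IT", "IT: Director, Information Risk Mgt"]),
    ControlStatus("AI1", "Identify Automated Solutions", "Important", 27, -2,
                  ["IT: Sr. VP, IT & CIO", "Product Development: EVP, CTO"]),
    ControlStatus("DS10", "Manage Problems", "Minor", 26, -2,
                  ["SaaS Operations: VP, SAAS Operations"]),
    ControlStatus("DS4", "Ensure Continuous Service", "Minor", 26, -2,
                  ["IT: Sr. VP, IT & CIO"]),
    ControlStatus("DS9", "Manage the Configuration", "Minor", 14, -2,
                  ["SaaS Operations: VP, SAAS Operations"]),
    ControlStatus("AI5", "Procure IT Resources", "Minor", 12, -2,
                  ["IT: Director, Information Risk Mgt"]),
    ControlStatus("DS13", "Manage IT Operations", "Minor", 12, -1,
                  ["SaaS Operations: VP, SAAS Operations"]),
    ControlStatus("AI7", "Install and Accredit Solutions and Changes", "Minor", 10, -2,
                  ["Technical Support: VP, Technical Support"]),
    ControlStatus("DS1", "Define and Manage Service Levels", "Minor", 9, -1,
                  ["SaaS Operations: Sr. IT Services Manager"]),
    ControlStatus("XX1", "Hypothetical unowned control (constructed)", "Minor", 20, -1, []),
]

RATING_ORDER = {"Important": 0, "Minor": 1}


def corrective_action_queue(controls):
    """Work order: rating qualifier first, then heat, then the larger maturity gap."""
    return sorted(controls, key=lambda c: (RATING_ORDER[c.rating], -c.heat, c.gap))


def unowned(controls):
    """Controls with no accountable role: escalate to learn their importance to the board."""
    return [c.control_id for c in controls if not c.accountable]


def owner_workload(controls):
    """Number of strengthening items each accountable role carries."""
    load = {}
    for c in controls:
        for role in c.accountable:
            load[role] = load.get(role, 0) + 1
    return dict(sorted(load.items(), key=lambda kv: -kv[1]))


def external_audit_focus(controls, heat_threshold=25):
    """Assumed rule: controls rated Important, or with heat at or above the threshold,
    are the likeliest external audit findings; list them with heat and gap."""
    return [(c.control_id, c.heat, c.gap) for c in corrective_action_queue(controls)
            if c.rating == "Important" or c.heat >= heat_threshold]


if __name__ == "__main__":
    for c in corrective_action_queue(CONTROLS):
        print(f"{c.control_id:5} heat={c.heat:3} gap={c.gap:3} {c.rating:9} {c.objective}")
    print("unowned:", unowned(CONTROLS))
    print("workload:", owner_workload(CONTROLS))
```

Sorting by the rating qualifier before heat keeps an Important control with moderate heat (AI1) ahead of a Minor one with higher heat (DS2), which matches the slide's point that the effectiveness gap, not the raw score, drives the plan.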
Risk Reports distributed to VP and executives
Management uses Executive Strategy to determine Risk Response
Avoid – Action
• PROHIBIT unacceptable high risk activities, transactions, financial losses, and asset exposures through appropriate limit structures and corporate standards.
• STOP specific activities by redefining objectives, refocusing strategies or redirecting resources.
• ELIMINATE at the source by designing and implementing internal preventive processes.
Accept and Control
• ACCEPT risk at its present level, taking no further action.
• PLAN for well-defined contingencies by documenting a responsive plan and empowering people to make decisions and periodically test and, if necessary, execute the plan.
• CONTROL risk through internal processes that reduce the likelihood of events occurring to an acceptable level.
Share – Directions
• SHARE risk/rewards of investing in new markets and products by entering into alliances or joint ventures.
• CREATE new value-adding products, services and channels.
• RENEGOTIATE existing contractual agreements to reshape risk profile, i.e. transfer or reduce.
Thank You for your time