Creating Value through Innovative IT Auditing

Transcription

1 Redefine Cybersecurity, Explore Innovative Strategies and Develop Trust Creating Value through Innovative IT Auditing Ronnie Koh Head of IT Audit, DBS Bank

2 How do we create value? By Increasing both Breadth and Depth in our Audit Coverage for Digital Bank & Cyber Security By embarking on Automation & Predictive IT Auditing By Investing in Our People Creating Value-Driven Talent Pool

3 Why do we need to innovate? New Technology Cyber Threats Insider Threats New Competitors Adapt to changing environment and uncertainties Growing Expectations Competent Risk Managers Expectations from Board of Directors Regulatory Changes

4 Why do we need to innovate? SHIFT LEFT Predictive Auditing Continuous Auditing Traditional Auditing Effort Increase focus on proactive & preventive risk identification Reactive Proactive Future Present Past

5 How did we transform? The 4Ps Productive Proactive Predictive Preventive Continuous Assessment (Automated Checks) Special Review (Project Life Cycle) of VA/PT Process Data Modelling for Predictive Analysis (e.g. Identify Insider Threats) Cyber Intelligence Early IT incident intervention Independent Security Assessment Source Code Review

6 Where were we and where are we now? 2016 Onwards.. 1. Insider threat analysis 2. Cyber wargaming 3. Cyber security intelligence 4. Extend Cyber security Lab to Regional Countries Before 2013 Pockets of cyber security review (mainly security surveillance) Between 2015 & itransformation Continuation 2. Continuous staff training 3. Enhance cyber security test lab 4. More in-depth cyber security audit projects 5. Introduce static & dynamic scanning tools Between 2014 & Commence itransformation 2. Kick-start staff training 3. Setup cyber security test lab 4. Establish cyber security audit framework 5. Roll out cyber security audit projects 6. Create cyber security awareness in Group Audit Between 2013 & Perform preliminary gap assessment referencing SANS Top 20 Controls 2. Create IT Audit training roadmap

7 What is our secret formula? FRAMEWORK PEOPLE TOOLS DEPTH BREADTH

8 FRAMEWORK

9 Breadth & Depth Our Framework Policies & Procedures Contract Agreement Security Awareness Cyber Security Framework Security Controls and Surveillance VA/PT Vulnerabilities Review High Level Dynamic Assessment for Web / Mobile Apps LEGEND Existing Cyber Security Coverage New Cyber Security Coverage Key Mgmt (SSL/HSM) Dynamic & Static Security Assessment for Web / Mobile Apps Network Vulnerability Assessment Secure SDLC Review Social Engineering In-depth Security Source Code Assessment Cyber Security Focus on Subsidiaries

10 PEOPLE

11 Breadth & Depth Equipping Our People Group Audit itransformation 1. Business Governance 2. Business process and operation 3. Testing manual and automated control Business Auditor IT Auditor (Application) 1. IT Governance 2. In-depth review of automated control i.e. design and implementation 3. IT General Controls (e.g. app resiliency, capacity management) 4. System Security More efficient & business-focused audit through reviewing business risk & processes from end-to-end covering both manual and automated controls!

12 Breadth & Depth Equipping Our People Group Audit itransformation NextGen IT Auditor System Management & Cyber Security (e.g. Cryptography, Source Code Review, Penetration Testing and Vulnerability Assessment) Input Controls Pre-processing (e.g. Input validation) Output Controls Books, records & reports (e.g. output storage & retention) Processing Controls (e.g. Business Logics) Application Security (e.g. Audit trails) System set-up controls (e.g. Parameter setup) Integrated Auditor

13 Breadth & Depth Equipping Our People External / Internal Training Enhance cyber security review capability in GA IT Audit Targeted training referencing the IT Audit Training Roadmap 1. Cyber Security Test Lab Development 2 Secure Source Code Scanning

14 Breadth & Depth Equipping Our People Future Initiatives 1. OJT Hands-on Security Assessment (VAPT) 5. Analytical- Based 2 Secure Auditing Approach Source Code to Scanning Review 2. Digital Banking Coverage Training 1. Cyber Security Test Lab 4. Source Development Code Review Training 6. Incorporate Cyber Intelligence for Predictive Capability 3. Extension of Cyber Lab to regional countries

15 TOOLS

16 Breadth & Depth Investing in Tools Cyber Security Tools Training / Practice Cyber Security Test Lab SANS Security Training (or equivalent; learning how to use the tools) Code Scanning Tool Training 1. Cyber Security Test Lab Development HP WebInspect On-the Job (OJT) training in using these tools in cyber security reviews Security Operations VA/PT process 2 Secure Source Code Scanning Independent Assessment Security Testing Tools Operating Environment

17 Creating Cyber Security Awareness #1 #2 #3 App/ Software Vulnerabilities Mobile Hacking Data Breach App/Software Vulnerabilities Web Vulnerabilities Skype Crash Vulnerability Mac OS Zero-Day Vulnerability Windows Update Malware Data Breach Credit Card Hacking Mobile Hacking Phishing Attack Apple Pay Hacking Whatsapp Account Hijack iphone Password Hacking Samsung Mobile Sofware Vulnerability SingPass Phishing s Magento Hacking Java Zero-Day Vulnerability UEFI BIOS Rootkit Hacking US Census Bureau Hacking United Airlines Hacking Certifi Gate Android Vulnerability Android Endless Reboot Bug Credit Card Skimming May 2015 June 2015 July 2015 August 2015 OpenSSL Vulnerability IE Browser Zero-Day Vulnerability Mumblehard Linux Malware Vehicle Hacking Elise Malware Venom Vulnerability Apple Safari Browser Vulnerability OpenSSH Brute Force LogJam SSL Attack ios Messaging Vulnerability ATM Skimming Apple Pay Hacking Rombertik Malware Whatsapp Account Hijack iphone Password Hacking Samsung Mobile Sofware Vulnerability

18 Creating Cyber Security Awareness Group Audit values the promotion of cybersecurity awareness on a periodic basis

19 Creating Value through Innovation Watch Video

20 THE FUTURE OF AUDITING IS AUDITING THE FUTURE

21 Questions?