IT Risks and New Technology


1 IT Risks and New Technology
Phil Gesner, CPA.CITP, CISA
Audit Supervisor and IT Auditor / Consultant, Ocala, FL
Florida Government Finance Officers Association (FGFOA)
July 25, 2013

2 Disclaimer
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of the presenters' respective organizations or any associated organizations cited. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client or attorney-client relationship.

3 WHY IT MATTERS
- Pervasiveness of IT throughout the organization, particularly in accounting and financial reporting
- IT is often critical to manage (plan, organize, direct, and control) the organization's:
  - Business model, plans, competitiveness, etc.
  - Business risks
  - Transaction flow and reporting
  - Accounting and reporting related risks
Source: AICPA IT Audit Training School

4 WHY IT MATTERS
Today's business process environment:
- 24/7 requirement becoming more common
- Focus on early error detection (Preventive rather than Detective)
- More highly automated, reducing reliance on manual controls
- Integrated with complex and highly efficient IT systems
- Electronic workflow with paperless trails
- Increased business partner involvement through direct access to processes; the network extends beyond the company
Source: AICPA IT Audit Training School

5 WHY IT MATTERS
- AICPA Auditing Standards Board Risk Based Auditing Standards, released in 2006
- COSO Updated Internal Control Integrated Framework, released in 2013
  - COSO PowerPoint Presentation on Internal Control Integrated Framework (free)
  - COSO Guidance on Internal Control (for purchase)
  - Supersedes the original framework as of December 15, 2014
  - Update considers use of, and reliance on, evolving technologies (explicitly)
  - Control Environment: suggests that Boards of Directors should have proper understanding of relevant systems and technology (or appropriate skills and expertise) to evaluate management's approach to managing new technology innovations, critical systems, and the opportunities and associated challenges
Source: Parthun, Janis. COSO Framework ED Places Emphasis on IT Controls. Information Technology Corner. AICPA IT Section. March 2012.

6 WHY IT MATTERS
COSO Internal Control Integrated Framework, released in 2013. Update considers use of, and reliance on, evolving technologies (explicitly):
- Risk Assessment: suggests that external risk factors, such as technological developments that can impact the availability and use of data, should be considered.
- Control Activities: to be discussed in the next two slides.
- Information and Communication: suggests that management must be able to rely on relevant and quality information generated from both internal and external sources to effectively support the functioning of the other internal control components. Such information is very often obtained through information technology.
Source: Parthun, Janis. COSO Framework ED Places Emphasis on IT Controls. Information Technology Corner. AICPA IT Section. March 2012.

7
- #1: Complexity of IT used should be considered.
- #2: IT may be involved in business processes and may be involved in the performance of control activities at the transaction level:
  - Application Controls
  - IT-Dependent Manual Controls
Source: Parthun, Janis. COSO Framework ED Places Emphasis on IT Controls. Information Technology Corner. AICPA IT Section. March 2012.

8
- #3: The effectiveness of Application and IT-Dependent Manual controls depends upon the effectiveness of IT General Controls
- #4: IT General Controls (ITGC), aka General Computer Controls (GCC)
Source: Parthun, Janis. COSO Framework ED Places Emphasis on IT Controls. Information Technology Corner. AICPA IT Section. March 2012.

9 WHY IT MATTERS
Why is IT such a challenge?
- Unlike the certification of financial statements, there is no universally accepted principle or standard for IT audit or risk assessment
- The concept of compliance to best practice: rapid change in IT is at times too rapid for best practices to fully develop or be recognized as such
- Lack of education and awareness
- Limited resources force organizations to select the pieces of IT security that they feel are absolutely necessary
- Things happen! Anti-virus is not updated timely; viruses strike
Source: AICPA IT Audit Training School

10 IT Risk Perception
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

11 IT Risk Reality
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

12 Risk Definition
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
- the adverse impacts that would arise if the circumstance or event occurs; and
  How significant is the impact? Material Misstatement, Assets, Reputation, Business
- the likelihood of occurrence.
  What are the chances that a risk will materialize? The probability that a given threat is capable of exploiting a given vulnerability.
Source: Committee on National Security Systems (CNSS) Instruction No. 4009

13 Threat and Impact Definition
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
Impact: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Source: Committee on National Security Systems (CNSS) Instruction No. 4009

14 Threat Sources
Source: National Institute of Standards and Technology (NIST) Publication : Guide for Conducting Risk Assessments

15 Threat Sources
Source: National Institute of Standards and Technology (NIST) Publication : Guide for Conducting Risk Assessments

16 Threat Catalogs
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

17 Impact Considerations
- Level of classification of the impacted information asset
- Breaches of information security (e.g. loss of confidentiality, integrity and availability)
- Impaired operations (internal or third parties)
- Loss of business and financial value
- Disruption of plans and deadlines
- Damage to reputation
- Breaches of legal, regulatory or contractual requirements
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

18 Risk Likelihood Considerations
- Experience and statistics for threat likelihood
- Threat sources: motivation and capabilities
  - Availability to possible attackers
  - Possible attackers
- Accident sources: geographical / weather factors
  - Human errors and equipment malfunction
- Vulnerabilities, individually and in aggregation
- Effectiveness of existing controls
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

19 Vulnerability Definition
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Source: Committee on National Security Systems (CNSS) Instruction No. 4009

20 Generic Risk Model (NIST )
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

21 Risk: IT Risk Factors
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

22 Risk: IT Complexity
The nature and extent of IT risks are dependent on the level of complexity. Generally, as complexity increases, the type and number of potential IT risks increase. The manner in which IT is used in conducting business also has a direct relationship with the potential IT risks.
- Significant changes made to existing systems, or implementation of a new system, increase the potential IT risks.
- Shared data between systems increases the potential IT risks.
- Usage of emerging technologies (cloud computing, mobile, BYOD) increases the potential IT risks.
- Availability of evidence (including reports) only in electronic formats increases the potential IT risks.
Source: AICPA IT Audit Training School

23 Risk: Complexity of IT Security
- Like ogres and onions, IT security has layers (diagram label: Data & Business Processes)
- IT security also involves people (employees); therefore, training is critical

24 IT Security Protects the Data and Business Process
Controls should be in place to protect the data and business processes (diagram label: Data & Business Processes).
- Data is an organizational asset
- Value of data:
  - May not be readily ascertainable
  - Not recorded on the books
  - Varies depending on perspective: your organization, other organizations, employees, external individuals, vendors
- Your garbage is another individual's or organization's treasure!

25 Risk: IT Complexity

Factor               | Low                | Medium                        | High
Servers              |                    |                               | > 3
Network O/S          | COTS               | Nonstandard or > 1            | Multiple / WAN
Workstations         | ~1-15              | ~                             | > 30
Application          | COTS               | Some customization            | ERP and/or customization
Remote Locations     | None               | ~1-2                          | > 2
ICFR                 | In COTS or few     | Medium number and/or manual   | Large number
Emerging/Advanced IT | None to few        | Few to moderate               | Moderate to many
Online Transactions  | None               | Few                           | Many

COTS = Commercial Off The Shelf (e.g. Intuit QuickBooks); ERP = Enterprise Resource Planning (e.g. Oracle, PeopleSoft, SAP)
Source: Singleton, Tommie W. The Minimum IT Controls to Assess in a Financial Audit (Part I). ISACA Journal. Volume I

26 Applications: Purchased Systems
Commercial Off The Shelf (COTS) and/or configurable systems
- Advantages
  - Generally cheaper for general business use applications
  - On-going support and maintenance
- Disadvantages
  - Some limitations related to customizations
  - Vendor dependence
- Example: QuickBooks
Source: AICPA IT Audit Training School

27 Applications: Configurable Packages
- Configurable mid-tier system
- Not as expensive as an ERP system or custom developed application
- Found in small, mid or large organizations
- Increased capabilities when compared to Commercial Off the Shelf purchased systems: configuration changes, customizations
- Examples: Microsoft Dynamics (Great Plains/Solomon), MAS/90, Navision, Munis, Eden, etc.
- Most prevalent
Source: AICPA IT Audit Training School

28 Applications: Enterprise Resource Planning (ERP) System
- Integrates all facets of financial processing with operations, marketing, HR
- Requires specialized knowledge to set up (usually with the vendor and outside consultants)
- Generally found in large organizations
- Very expensive to purchase & maintain
- Very complex security
- Examples: SAP, JD Edwards, PeopleSoft, Oracle Financials, Lawson, etc.
Source: AICPA IT Audit Training School

29 Applications: Custom Developed
Custom Developed Application: those applications that are designed and developed in-house to meet a specific business need for internal use (not resale)
- Advantages
  - Customized to meet specific business need
  - Independence from vendors
- Disadvantages
  - No outside vendor support; all by on-staff personnel (higher costs)
  - Often longer deployment times and fewer controls
- Less prevalent, and becoming more so each day
Source: AICPA IT Audit Training School

30 Risk: IT Complexity

Factor                                              | Low                | Medium                        | High
Servers                                             |                    |                               | > 3
Network O/S                                         | COTS               | Nonstandard or > 1            | Multiple / WAN
Workstations                                        | ~1-15              | ~                             | > 30
Application                                         | COTS               | Some customization            | ERP and/or customization
Remote Locations                                    | None               | ~1-2                          | > 2
ICFR (Internal Control over Financial Reporting)    | In COTS or few     | Medium number and/or manual   | Large number
Emerging/Advanced IT                                | None to few        | Few to moderate               | Moderate to many
Online Transactions                                 | None               | Few                           | Many

COTS = Commercial Off The Shelf (e.g. Intuit QuickBooks); ERP = Enterprise Resource Planning (e.g. Oracle, PeopleSoft, SAP)
Source: Singleton, Tommie W. The Minimum IT Controls to Assess in a Financial Audit (Part I). ISACA Journal. Volume I

31 Source: AICPA Information Management and Technology Assurance (IMTA) Section. IT Audits and What to Pay Attention To. The CITP Body of Knowledge Series Webcast. 2013

32 Source: AICPA Information Management and Technology Assurance (IMTA) Section. IT Audits and What to Pay Attention To. The CITP Body of Knowledge Series Webcast. 2013

33 Risks: IT Risk Factors for Internal Control Include
- Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions
- Unauthorized changes to data in master files
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Inappropriate manual intervention
- Potential loss of data or inability to access data as required
Source: AICPA IT Audit Training School

34 Relationship of IT Risks to Financial Statements
Matrix of Financial Reporting risk (Risk of Material Misstatement, RMM) against Information Technology Risk (RMM or non-RMM):
- RMM Low, IT Relevant: FS Audit Procedure Unnecessary
- RMM High, IT Relevant: FS Audit Procedure Necessary
- Risk High (Non-RMM), IT Relevant: FS Audit Procedure Unnecessary; Operational Audit Procedure Necessary
- RMM High, IT NOT Relevant: FS Audit Procedure Necessary
Source: AICPA IT Audit Training School

35 Examples of Potential RMM
- Financial statement level: Use of a highly customized / configurable application for financial processing where the entity does not also have effective controls as to how program changes or configuration changes are authorized, tested, approved, and deployed
- Assertion level: Use of a customized / configurable application for valuation of accounts receivable.
Source: AICPA IT Audit Training School

36 Examples of Potential Risk of Material Misstatement
- Inherent Risks (IR): Complexity of Calculations. The financial application has been programmed to perform complex calculations (payroll, utility billing).
- Control Risk (CR)
  - Risk, or What Could Go Wrong?: Human error in coding or computer error in set up could result in amounts posted to wrong accounts or in wrong amounts.
  - Are Controls In Place?: General ledger postings are automatic through computer set up codes; however, accounting staff are not familiar with the system set up and rely totally on an outside computer service.
Source: AICPA IT Audit Training School

37 How Does Use of IT Pose a RMM? An Example: Billing
Inherent Risk
- The entity utilizes a customized application for its billing process.
- The billing process requires complex calculations and/or rate structures.
- The billing application automatically posts billings to the financial application.
- The entity's IT or financial personnel make frequent changes to the billing application.
- The revenue stream processed by the billing application represents a significant revenue source for the entity.
Source: AICPA IT Audit Training School

38 How Does Use of IT Pose a RMM? An Example: Billing
Control Risk
- The billing application may not calculate the customer's bill correctly.
- The billing application may not utilize the correct rates.
- The billing application may post inaccurate or incomplete information into the financial application.
- Entity personnel may make inaccurate or unauthorized changes to the billing application.
- Entity personnel may have excessive access to the rate master file.
Source: AICPA IT Audit Training School

39 IT Risks: Entity Level
- Inadequate Oversight
  - IT Strategic Plan does not align with Organization Strategic Plan
  - Organization Strategic Plan does not align with IT Strategic Plan
  - Parts of the organization pulling in different directions
- Lack of Risk Assessment / Lack of Risk Management
  - If management doesn't know what the risks are, how can they manage them?
- Vendor Oversight
  - Is management monitoring outsourced services (IT or otherwise) to ensure that the controls and processes are operating as the organization intended?

40 IT Risks: Logical Access / User Access
- User is not an employee or authorized user: Authentication Risk
- Unauthorized or Excessive User Access: Authorization Risk (Data, Functions)
- Unauthorized/Authorized or Excessive Access: Segregation of Duties Risks (Data, Functions)
  Personnel processing transactions should not have:
  - Direct access to administer user access (setup, change user accounts, groups, and functions). Access to administer user access (application security) should be handled by IT.
  - Direct access to the database. Inquiry only to the database is fine; however, generally users should be accessing the data through the application or a report writing application only.

41 IT Risks: Program Change / Change Management
- Configuration Changes
- Functional Changes: how the functionality of the application changes
  - Business processes embedded in the application
- Security Setup Changes: changing from group/role-based access (ideal) to user-account-level-based access (not ideal)
- Interface Changes: how two applications transfer data between each other
- Report Changes: how reports accumulate data

42 IT Risks: Program Change / Change Management
- Change is not Authorized: Authorization Risk
  - A business unit has not authorized the change
    - Risk that a change does not function the way the business intends
    - Risk that a change is made to commit fraud or otherwise harm the business
- Access by Developers to the Live Production Environment: Segregation of Duties Risk
  - Allowing developers access to the live production environment presents a risk that they could implement unauthorized program changes at any time without anyone's knowledge
  - Ideally, someone who is not tasked with development would be the only individual with access to implement changes in the live production environment
  - Realistically, peer reviews or periodic review of all changes made to the production environment should be done, if the ideal situation
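As an added example (not part of the presentation or the AICPA material), the segregation-of-duties rules from slide 40 (transaction processors must not administer user access or write directly to the database) and slide 42 (developers must not implement changes in production) expressed as a check over a constructed user-entitlement export; the CSV layout, the entitlement names and the "IT handles application security" department check are assumptions made for this example.

```python
"""Segregation-of-duties (SoD) conflict check over a user-entitlement export.

Added example, not from the original presentation. Encodes the rules stated on
slides 40 and 42: (1) transaction processors must not administer user access,
(2) transaction processors may have inquiry-only, never direct write, access to
the database, and (3) developers must not have access to implement changes in
the live production environment. The export format and entitlement names are
assumptions; map them to what the application under review actually exports.
"""
import csv
import io
from dataclasses import dataclass

# Hypothetical entitlement names (assumed for this example).
PROCESS_TXN = "post_transactions"
ADMIN_USERS = "admin_user_access"
DB_READ = "db_inquiry"          # inquiry only: acceptable per slide 40
DB_WRITE = "db_direct_write"    # direct write access to the database
DEVELOP = "develop_code"
PROD_DEPLOY = "deploy_production"

# (rule id, entitlement that creates the duty, conflicting entitlement, reason)
SOD_RULES = (
    ("SOD-1", PROCESS_TXN, ADMIN_USERS,
     "transaction processor also administers user access"),
    ("SOD-2", PROCESS_TXN, DB_WRITE,
     "transaction processor has direct write access to the database"),
    ("SOD-3", DEVELOP, PROD_DEPLOY,
     "developer can implement changes in the live production environment"),
)


@dataclass
class Finding:
    user: str
    rule: str
    department: str
    reason: str


def parse_entitlements(report: str) -> dict[str, dict]:
    """Parse a 'user,department,entitlement' CSV export into
    {user: {"department": str, "entitlements": set}}."""
    users: dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(report)):
        rec = users.setdefault(
            row["user"].strip(),
            {"department": row["department"].strip(), "entitlements": set()},
        )
        rec["entitlements"].add(row["entitlement"].strip())
    return users


def find_sod_conflicts(users: dict[str, dict]) -> list[Finding]:
    """Return one Finding per (user, violated rule), users in sorted order."""
    findings: list[Finding] = []
    for name, rec in sorted(users.items()):
        ents = rec["entitlements"]
        for rule_id, duty, conflict, reason in SOD_RULES:
            if duty in ents and conflict in ents:
                findings.append(Finding(name, rule_id, rec["department"], reason))
        # Slide 40: administering application security belongs to IT, so
        # flag that entitlement wherever it sits outside the IT department.
        if ADMIN_USERS in ents and rec["department"] != "IT":
            findings.append(Finding(name, "SOD-4", rec["department"],
                                    "user-access administration held outside IT"))
    return findings


# Constructed sample export: one clerk with inquiry-only DB access (clean),
# one supervisor holding conflicting rights, one developer who can deploy.
SAMPLE_EXPORT = """user,department,entitlement
aclerk,Finance,post_transactions
aclerk,Finance,db_inquiry
bsuper,Finance,post_transactions
bsuper,Finance,admin_user_access
bsuper,Finance,db_direct_write
cdev,IT,develop_code
cdev,IT,deploy_production
dsecadmin,IT,admin_user_access
"""


def run_report(report: str = SAMPLE_EXPORT) -> list[Finding]:
    """Parse the export and return all SoD findings."""
    return find_sod_conflicts(parse_entitlements(report))


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.user:<10} {f.rule}  ({f.department}): {f.reason}")
```

On the sample export the clerk with inquiry-only database access produces no finding, while the supervisor and the developer each surface the conflicts the slides describe.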

43 IT Risks: Program Change / Change Management
- Change is not Tested: Business Process Risk
  - Risk that a change does not function the way the business intends
- Change is not approved for implementation: Implementation Risk

44 Operational Risk: The CIA Triad
- Confidentiality: Assets must be protected from unauthorized access, use or disclosure while in storage, use and transit.
- Integrity: Assets must be modified only by authorized users.
- Security: The system is protected against unauthorized access (both physical and logical).
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Availability: Authorized users are granted timely and uninterrupted access to assets.

45 Operational Risks: Privacy
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
- Personal information is information that is about or can be related to an identifiable individual.
- GAPP on Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

46 Risk Treatment
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

47 Risk Mitigation
Internal Controls: a practice approved by management to produce a desired outcome in a process
- Preventive: controls to stop the problem from occurring
- Detective: controls to find the problem
- Corrective: controls to repair the problem after detection
- Administrative: policies, standards, guidelines, and procedures
- Technical: controls using hardware or software for processing and analysis
- Physical: controls to implement barriers or deterrents
Design > Document > Implement
- Test the controls prior to implementation to validate expectations
- Monitor results
- Re-test controls periodically
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

48 IT Security, Control, and Risk Assessment Frameworks
- Security Program Development
  - ISO 31000/27005, International Standards Organization
- Security Controls Development
  - COBIT (Control OBjectives for IT) 5, Information Systems Audit and Control Association (ISACA) / IT Governance Institute (ITGI)
  - NIST Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology
- Risk Assessment
  - NIST Guide for Conducting Risk Assessments, National Institute of Standards and Technology
  - OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) by CERT (Computer Emergency Response Team)
Source: AICPA Cyber Security Web Seminar Series Security Framework and Risk Assessment May 9, 2013

49 IT Security, Control, and Risk Assessment Frameworks
- Corporate Governance
  - COSO
  - TOGAF (The Open Group Enterprise Architecture Framework)
- Process Management
  - ITIL (Information Technology Infrastructure Library)
  - Six Sigma
  - CMMI (Capability Maturity Model Integration)

50 New Technologies
- Mobile Computing
  - Tablets
  - Smartphones
  - Laptops
  - Readers
  - Removable Devices
  - Remote Connections
- Cloud Services
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

51 Risks: Mobile Computing, Mobile Device Platform
- Android, iOS, Windows Mobile, BlackBerry, etc. all have unique bugs and security vulnerabilities
- Malware, Trojans, viruses, worms, spyware
- Authentication bypass
- Lost or stolen devices
- Substandard cryptography
- Removable device storage
- Jailbreaking
- Configuration errors and defaults
- Device service vulnerabilities
- Shared or common authentication (same passwords)
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

52 Risks: Mobile Computing, Mobile Applications
- Attack vectors for each device type
- Integrated malware, Trojan, virus, worm, spyware delivery and execution
- Malicious application functionality
- Insecure application programming
- Data leakage and remote access compromises
- Launch pad for pivot attacks
- Mobile devices are subject to the same traditional application based attacks
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

53 Risk: Mobile Computing, Mobile Networks
- Attacks against each mobile network type (WiFi, Bluetooth, Carrier)
- Synchronization
- Each network type requires different security protections
- Services are enabled by default or left on
- Mobile devices are subject to the same traditional network based attacks
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

54 Risks: Mobile Computing, Backend Applications and Storage
- Attacks against web, database, & storage servers
- Data leakage and compromise from backend services
- Vulnerabilities can be used to attack devices
- All data is potentially one click/touch away on cloud storage
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

55 Risks: Mobile Computing, Backend Applications and Storage
- Device and data compromise (unauthorized Bluetooth connections)
  - BluePrinting
  - BlueJacking
  - BlueSnarfing
- NFC
- Mobile forensics
- Removable media theft
- BYOD/BYOT
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

56 Risk: Mobile Computing, BYOD Risks
- Unknown third-party access via mobile apps
- Challenges in tracking data
- Data management and segregation difficult for compliance
- Stolen or lost mobile devices leak data
- Disgruntled employees are a risk
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

57 Risk: Mobile Computing, Privacy Concerns
- Applications that monitor traffic and history
- Applications that have access to all your contacts, calendar, etc.
- Location services and geolocation
- Single sign-on security
- Malware that uses the camera and mic to spy (scary!)
- Voicemail access
- Call history, browser history
- Trusted connections
- Eavesdropping on phone conversations & SMS
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

58 Mobile Mitigation
- Device authentication: require secure authentication; multi-factor authentication
- Device encryption
- Transport encryption: SSL, VPN, TLS
- Wireless authentication and encryption: WPA, WPA2, WPA Enterprise, RADIUS
- Don't leave devices unattended
- Device timeouts
- Privacy screens
- Secure enclosures
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

59 Mobile Mitigation
- Download apps from trusted sources
- Secure application development methodology
- Mobile device management (iCloud, Find iPhone, MobileMe, Lookout Mobile Security)
- Control application permissions
- Device OS and firmware updates
- AV and anti-malware software
- Secure mobile browsing
- Disable services when not in use (Bluetooth, WiFi, GPS, etc.)
- Device and media decommissioning
- Do not access corporate or sensitive websites over public wireless
- Use secure technology for remote access to backend systems (SSH, VPN, SSL, TLS)
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

61 Mobile Enterprise Mitigation
- Mobile device inventory management
- Mobile security and privacy governance
- Mobile computing policies and procedures
  - Incorporate data classification standards
- Mobile device central management consoles
  - Central policy based management (authentication, encryption, remote wiping, etc.)
  - BlackBerry Enterprise Server
  - ActiveSync (Android, iOS)
- Mobile device synchronization standards
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

62 Mobile Enterprise Mitigation
- Mobile device application management
  - Sandboxes or virtual phone technology (VMware, Good Mobile Security)
- Central endpoint protection (AV, malware, software installation, service and device control)
- Wireless authentication and encryption: WPA, WPA2, RADIUS
- Don't leave devices unattended
- Privacy screens
- Device and media decommissioning
- Mobile incident response
- Employee training and awareness
Source: AICPA Cyber Security Web Seminar Series Mobile Computing May 14, 2013

63 New Technologies: Cloud Computing, Cloud Computing Models
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

64 Risk: New Technologies, Mobile Computing, Cloud Computing Models
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

65 Risk: New Technologies, Mobile Computing, Cloud Computing Models
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

66 Risks: Cloud Computing, Cloud Technical Threats
- Vulnerable access management
- Data visible to other tenants (multi-tenancy visibility)
- Hypervisor attacks. Hypervisor: a computer tool allowing various software applications running on different OSs to coexist on the same server at the same time, thereby enabling server virtualization
- Application attacks
- Application compatibility
- Collateral damage
- SaaS access security
- Outdated Virtual Machine (VM) security
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

67 Risks: Cloud Computing, Cloud Security Concerns
- Hypervisor exploit to compromise VMs
- Data leakage / data storage
- Insecure Application Programming Interfaces (APIs)
- Improper access configuration
- Malicious insiders / subcontractors
- Storage and memory allocation / reallocation / clearing
- Maintenance of secure infrastructure: hypervisor level; guest machine / OS level
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

68 Risks: Cloud Computing, Cloud Governance Threats
- Regulatory Threats
  - Asset ownership
  - Asset disposal
  - Asset location
- Information Security Governance Threats
  - Physical security on all premises where data are stored
  - Visibility of the security measures put in place by the CSP
  - Media management
  - Secure software SDLC
  - Common security policy for community clouds
  - Service termination issues
  - Solid enterprise governance
  - Support for audit and forensic investigations
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

69 Risk Mitigation: Cloud Computing, Cloud Security Essentials
- Contractual musts
  - Definition of rights / ownership
  - Right to audit / right to obtain assurance
- Cloud Service Provider (CSP) Security Program Management
  - Information Security Policy
  - Information Security Management System
  - Personnel Management (vetting, training, monitoring)
  - Perimeter/internal defense and monitoring (DPI, IDS/IPS, and DLP)
  - Incident management
  - Hardening and change control
  - Redundancy
  - DRP / BCP policies / procedures
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

70 Risk Mitigation: Cloud Computing, Cloud Security Frameworks
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

71 Risk Mitigation: Cloud Computing, Assess the Competency of the Cloud Service Provider (CSP)
- The CSP should be clear about their roles and responsibilities and the risks they represent to the end user, and be able to provide evidence of mitigating controls.
- Strong independent monitoring and auditing program and effective assurance reporting.
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

72 Risk Mitigation: Cloud Computing, Understand Inherent Security Risks
- What exactly is the scope of services?
- What are the CSP's responsibilities?
- What are the end user's responsibilities?
- What infrastructure components does the CSP have control over?
- What components does the CSP have access to, and does this enable access to data and/or applications?
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

73 Risk Mitigation: Cloud Computing, Understand Inherent Security Risks
- What data and applications are involved? Confidential? Personal? Compliance?
- Impact of security breaches on compliance, operations, etc.?
- What are the CSP's terms of agreement?
- What is the jurisdiction of data? Cross-border transfer of personal data?
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

74 Risk Mitigation: Cloud Computing
Specify security requirements during evaluation based on inherent risks:
- Personnel requirements, including clearances, roles, and responsibilities
- Identity & Access Management
- Monitoring & Incident Management
- Information handling and disclosure agreements and procedures
- Network access control, connectivity, and filtering
- System configuration and patch management
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

75 Risk Mitigation: Cloud Computing
Specify security requirements during evaluation based on inherent risks:
- Change Management
- Backup and recovery
- Data retention and sanitization
- Vulnerability scanning / penetration tests
- Risk assessment
- Independent auditing
- Perimeter security
- Penetration Detection
- Data Loss Prevention
- Data erasure for PaaS / SaaS
- Physical Security
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

76 Risk Mitigation: Cloud Computing, Cloud Service Provider Agreement Key Terms
- The process for assessing the cloud provider's compliance with the service level agreement, including independent audits and testing
- Compensating controls the end user may carry out at their discretion
- Procedures, protections, and restrictions for collocating or commingling organizational data and for handling sensitive data
- The cloud provider's obligations upon contract termination, such as the return and expunging of data
- Ownership rights over data
- Security and privacy performance visibility
- Data backup and recovery
- Incident response coordination and information sharing
- Disaster recovery
Source: AICPA Cyber Security Web Seminar Series Cloud Security Considerations June 6, 2013

78 Risk Mitigation - Cloud Computing
How can I be sure that the Cloud Service Provider's controls are effective?
CPA (Independent) Attestation Reporting:
For Internal Control Over Financial Reporting (ICFR) purposes: Statement on Standards for Attestation Engagements (SSAE) 16, Service Organization Control (SOC) 1 Reports (formerly SAS 70 Reports)
For operational / compliance risk scenarios: SOC 2 Reports
Other Attestations: AT 101 Examinations; AT 201 Agreed Upon Procedures; AT 601 Compliance
Source: AICPA Cyber Security Web Seminar Series, Cloud Security Considerations, June 6, 2013

79 Risk Mitigation - Cloud Computing
How do I evaluate Cloud Service Provider Reporting?
Confirm that the scope / system description aligns with the agreements and service level agreements (SLAs)
Does the subject matter being reported on align with the user entity's control requirements and risk management needs?
Do the controls defined by the CSP prevent or detect the risks represented by the CSP related to compliance with laws and regulations, and to the efficiency and effectiveness of operations?
Source: AICPA Cyber Security Web Seminar Series, Cloud Security Considerations, June 6, 2013

80 Risk Mitigation - Cloud Computing
How do I evaluate Cloud Service Provider Reporting? (continued)
Do the controls provide sufficient information for users to understand how each control may affect their entity?
Frequency
Responsible party
Nature of activity performed
Subject matter to which the control is applied
Are the timing, nature, and extent of testing adequate to meet risk management needs?
Is the period of coverage of the testing adequate?
Do the testing results indicate that performance of the controls is sufficient?
Source: AICPA Cyber Security Web Seminar Series, Cloud Security Considerations, June 6, 2013

81 SOC Reports from the User's Perspective
Source: AICPA Cyber Security Web Seminar Series, Cloud Security Considerations, June 6, 2013

82 SOC 2 Principles and Control Objectives
Security: e.g., protection of the system from unauthorized access, both logical and physical
Confidentiality: the system's ability to protect the information designated as confidential, as committed or agreed
Processing Integrity: e.g., completeness, accuracy, validity, timeliness, and authorization of system processing
Availability: accessibility of the system, products, or services as advertised or committed by contract, service-level, or other agreements
Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the entity's privacy notice and with criteria set forth in generally accepted privacy principles
Request Expansion of Principles and Control Objectives When in Doubt: user entities can request that the Cloud Service Provider / Service Organization extend the above criteria to address additional criteria related to regulatory requirements, service level agreements, etc.
Source: AICPA Cyber Security Web Seminar Series, Cloud Security Considerations, June 6, 2013

83 Additional Cloud Computing Information / References
Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing, 3.0
NIST Special Publication , Guidelines on Security and Privacy in Public Cloud Computing
NIST : Information Security
AICPA Service Organization Control: www.aicpa.org/soc
Source: AICPA Cyber Security Web Seminar Series, Cloud Security Considerations, June 6, 2013

84 Why do we even use IT?
Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data
Enhance the timeliness, availability, and accuracy of information
Facilitate the additional analysis of information
Enhance the ability to monitor the performance of the entity's activities and its policies and procedures
Reduce the risk that controls will be circumvented
Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems

85 AICPA Top Technology Initiatives for CPAs Survey
1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risk and compliance
4. Ensuring privacy
5. Managing system implementations
Source: Woodard, Jocelyn. TTI Survey Lists Top 10 Technology Initiatives in U.S. and Canada. AICPA Insights. May 1,

86 AICPA Top Technology Initiatives for CPAs Survey
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers
Source: Woodard, Jocelyn. TTI Survey Lists Top 10 Technology Initiatives in U.S. and Canada. AICPA Insights. May 1,

87 AICPA Top Technology Initiatives for CPAs Survey 2013
Between 22% and 57% of survey respondents indicated that they were confident that their organizations were addressing these initiatives. Overall, this confidence was down from the 2012 survey.
"The decline in confidence levels may mean professionals are making more knowledgeable assessments of the ability of organizations to achieve technology goals. This more realistic assessment indicates that the goals may be more challenging than originally thought, and that organizations must have the focus, commitment and drive to achieve them." Donny Shimamoto, CPA, CITP, CGMA, Chair of the AICPA's Information Management and Technology Assurance (IMTA) Executive Committee
Source: Woodard, Jocelyn. TTI Survey Lists Top 10 Technology Initiatives in U.S. and Canada. AICPA Insights. May 1,

88 AICPA Top Technology Initiatives for CPAs Survey: Managing and retaining data
Key Risk Factors
Data management is integral to an organization's ability to mitigate risks. An organization whose data management policies and procedures are insufficient or ineffective is exposed to the consequences of poor data management.
Business decisions or client advice may be based on incomplete or inaccurate data.
Data may be stored in outdated or incompatible formats for retrieval, or improperly backed up, resulting in irrevocable loss of data.
Source: Woodard, Jocelyn. TTI Survey Lists Top 10 Technology Initiatives in U.S. and Canada. AICPA Insights. May 1,

89 AICPA Top Technology Initiatives for CPAs Survey: Managing and retaining data
Key Risk Management Factors
An organization needs to develop a strategic plan for managing data in order to realize the most value from its investment in data acquisition and usage.
An organization must develop policies and procedures to meet the internal, legal, and compliance-related requirements for data retention and usage.
An organization must be able to back up data and restore data in the event of a data loss (or a need to access historical data).
Source: Woodard, Jocelyn. TTI Survey Lists Top 10 Technology Initiatives in U.S. and Canada. AICPA Insights. May 1,

90 AICPA Top Technology Initiatives for CPAs Survey 2013
Title: 2013 North America Top Technology Survey Analysis
Type: Video Webcast
Date: Tuesday, July 16, 2013
Time: 2:00pm to 3:15pm ET
CPE: 1.5 hrs
ldevelopment/prdovr~pc-wbc13128i/pc-wbc13128i.jsp

91 Resources
AICPA's Information Management and Technology Assurance (IMTA) Interest Area: located under the Interest Areas tab on AICPA's home page
Sponsor of the Certified Information Technology Professional (CITP) credential, which recognizes CPAs for their ability to leverage technology to effectively manage information while ensuring the data's reliability, security, accessibility, and relevance
Various webcasts, whitepapers, newsletters, etc.
Much of the material discussed today was developed by the AICPA.

92 Resources
Information Systems Audit and Control Association (ISACA): sponsor of the Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) exams
IT Governance Institute: designed COBIT (Control Objectives for Information and related Technology) with ISACA, AICPA, and other interested parties to serve as a framework for IT governance and control, to fit with and support COSO's Internal Control Integrated Framework

93 Contact Information
Phil Gesner, CPA.CITP, CISA
Audit Supervisor and IT Auditor / Consultant
Ocala, FL
pgesner@purvisgray.com
Mobile:
Company Website:
LinkedIn:
Florida Government Finance Officer's Association (FGFOA), July 25, 2013


More information

Mobile Device Security and Audit

Mobile Device Security and Audit Mobile Device Security and Audit ISACA Chapter Meeting February 2012 Alex Stamps Manager Security & Privacy Services Deloitte & Touche LLP astamps@deloitte.com Session Objectives Define mobile devices

More information

Ayla Networks, Inc. SOC 3 SysTrust 2015

Ayla Networks, Inc. SOC 3 SysTrust 2015 Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2

More information

Course: Information Security Management in e-governance

Course: Information Security Management in e-governance Course: Information Security Management in e-governance Day 2 Session 2: Security in end user environment Agenda Introduction to IT Infrastructure elements in end user environment Information security

More information

RSS Cloud Solution COMMON QUESTIONS

RSS Cloud Solution COMMON QUESTIONS RSS Cloud Solution COMMON QUESTIONS 1 Services... 3 Connectivity... 5 Support... 6 Implementation... 7 Security... 8 Applications... 9 Backups... 9 Email... 10 Contact... 11 2 Services What is included

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

The Information Systems Audit

The Information Systems Audit November 25, 2009 e q 1 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2 IS Environment Back Office Batch Apps MIS Online Integrated

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

Use of tablet devices in NHS environments: Good Practice Guideline

Use of tablet devices in NHS environments: Good Practice Guideline Use of Tablet Devices in NHS environments: Good Practice Guidelines Programme NPFIT Document Record ID Key Sub-Prog / Project Technology Office Prog. Director Chris Wilber Status APPROVED Owner James Wood

More information

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical

More information

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing

More information

Mobile Device Management for CFAES

Mobile Device Management for CFAES Mobile Device Management for CFAES What is Mobile Device Management? As smartphones and other mobile computing devices grow in popularity, management challenges related to device and data security are

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

Third Party Security: Are your vendors compromising the security of your Agency?

Third Party Security: Are your vendors compromising the security of your Agency? Third Party Security: Are your vendors compromising the security of your Agency? Wendy Nather, Texas Education Agency Michael Wyatt, Deloitte & Touche LLP TASSCC Annual Conference 3 August 2010 Agenda

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives SaaS / Cloud Computing Risk Management AICPA Attest Alternatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

BYOD and Mobile Device Dependency

BYOD and Mobile Device Dependency BYOD and Mobile Device Dependency Thursday, November 8, 2012 Brian Thomas, CISA, CISSP & Shohn Trojacek, CISSP Brian Thomas, CISA, CISSP Partner, IT Advisory Services at Weaver Provides security, IT audit

More information

WIND RIVER SECURE ANDROID CAPABILITY

WIND RIVER SECURE ANDROID CAPABILITY WIND RIVER SECURE ANDROID CAPABILITY Cyber warfare has swiftly migrated from hacking into enterprise networks and the Internet to targeting, and being triggered from, mobile devices. With the recent explosion

More information

Klickstart Business Solutions & Services

Klickstart Business Solutions & Services About us With an Engineering background & vast experience spanning across two decades with an expertise in Technology Marketing, Branding, Business development & Sales we set out to create a platform every

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

How to Practice Safely in an era of Cybercrime and Privacy Fears

How to Practice Safely in an era of Cybercrime and Privacy Fears How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information