IT AUDIT: Current Trends and Top Risks of 2015 (10/9/2015). Eric Vyverberg, Randy Armknecht, David Kupinski


IT AUDIT: Current Trends and Top Risks of 2015

WHO WE ARE
Eric Vyverberg, Associate Director, Internal Audit, Protiviti
David Kupinski, Managing Director, Internal Audit, Protiviti
Randy Armknecht, Associate Director, Security & Privacy Solutions, Protiviti

PRESENTATION AGENDA
- IT Audit Current Trends (~15 min)
- Case Study and Audit's View Point (~50 min)
- Considerations for a Modern Cyber Program (~15 min)
- What Can Internal Audit Do? (~20 min)
- Questions & Answers (~10 min)

IT AUDIT CURRENT TRENDS: What are we seeing in IT Audit from the top down?
- TODAY'S TOP RISK AREAS: Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape
- IT AUDIT'S ROLE IN THE DEPARTMENT: Themes in IT Audit leadership, reporting lines, and how the IT Audit function is executed
- RISK ASSESSMENT AND IT AUDIT PLAN: Discussion of the IT Audit risk assessment and how IT Auditors are spending their time
- IT AUDIT SKILLSETS: How IA departments are staffed and how departments are getting deeper skills

GLOBAL IT AUDIT BEST PRACTICES
ISACA and Protiviti partnered to conduct the fourth annual IT Audit Benchmarking Survey in the third quarter of 2014. This global survey, conducted online, consisted of a series of questions grouped into five categories:
- Today's Top Technology Challenges
- IT Audit in Relation to the Internal Audit Department
- Assessing IT Risks
- Audit Plan
- Skills and Capabilities
More than 1,300 executives and professionals, including chief audit executives as well as IT audit vice presidents and directors, completed the online questionnaire.

IT AUDIT CURRENT TRENDS: TODAY'S TOP RISK AREAS
- Cybersecurity is dominating the discussions at the Board level.
- Two out of three organizations today are undergoing a major IT transformation (Source: Protiviti 2014 IT Priorities Survey).
- One in three companies do not have a written information security policy, and more than 40 percent lack a data encryption policy (Source: Protiviti 2014 IT Security and Privacy Survey).
- An underlying theme emerging from these challenges is that technology is always changing, and it is therefore difficult to maintain a handle on it.
- High profile data breaches at many well known organizations are keeping IT security top of mind and heightening expectations from the board, executives and other stakeholders for sound security measures that involve the IT audit function.
- The development of a comprehensive cybersecurity framework should be driving compliance activities.
- It is imperative for IT auditors to keep their skills current in areas including, but not limited to, IT security, cloud computing and storage, outsourcing and vendor assurance, data analytics, computer assisted auditing tools, and more.
- Clearly, there is a trend toward a greater need for enhanced skills and resources around these technologies and areas, much more so than in the past.

IT AUDIT CURRENT TRENDS: IT AUDIT'S ROLE IN THE DEPARTMENT
Themes in IT Audit leadership, reporting lines, and how the IT Audit function is executed. Survey results (charts not reproduced in this transcription) were presented for the following questions:
- Do you have a designated IT audit director (or equivalent position)?
- To whom does the IT Audit leadership report?
- Does IT Audit leadership attend Audit Committee meetings?
- Do you use outside resources to augment/provide your IT audit skill set?
- What is the number of IT audit reports issued as a percentage of the total reports in IA?

IT AUDIT CURRENT TRENDS: RISK ASSESSMENT AND IT AUDIT PLAN
Discussion of the IT Audit risk assessment and how IT Auditors are spending their time. Survey results (charts not reproduced in this transcription) were presented for the following questions:
- Does your organization conduct an IT audit risk assessment?
- How frequently is the IT Audit risk assessment updated?
- Which of the following activities is your IT audit function responsible for?
- What level of involvement does IT audit have in significant technology projects?
- What percentage of time does IT audit spend on the different types of activities?

IT AUDIT CURRENT TRENDS: IT AUDIT SKILLSETS
How IA departments are staffed and how departments are getting deeper skills. Survey results (charts not reproduced in this transcription) were presented for the following questions:
- How important are specific IT audit technical skills for your IT audit staff?
- How important are business and interpersonal skills for your IT audit staff?
- Are IT audits conducted by individuals who are full time internal audit professionals in the internal audit department and who focus on IT audit projects?
- Are there specific areas of your current IT audit plan that you are not able to address sufficiently due to a lack of resources/skills?

IT AUDIT CURRENT TRENDS: IN SUMMARY
- Cybersecurity and privacy are primary concerns.
- Companies face significant IT audit staffing and resource challenges.
- Audit committees, as well as organizations in general, are becoming more engaged in IT audit.
- IT audit risk assessments are not being conducted, or updated, frequently enough.
- There is room for growth in IT audit reports and reporting structures.

EXAMPLE SCENARIOS
Ladies and gentlemen, the stories you are about to hear are true. The names have been changed to protect the innocent. (Source: multiple online reports and client experiences)

COMMON SCENARIO #1: DATA EXPOSURE
A database server reaches end of life. Its data is moved to an insecure secondary server, and the information becomes accessible from the Internet.
(Diagram: Database Server, Firewall, Secondary Server)

COMMON SCENARIO #1: DATA EXPOSURE. Controls that address it:
- Asset Lifecycle Management
- Network Traffic Monitoring
- Data at Rest Scanning

COMMON SCENARIO #2: MALWARE
A trojan on a web server receives commands from a remote attacker over the Tor network. Administrative credentials are stolen from the IT management directory and used to reach a file server, and the data is exfiltrated to an external FTP server.
(Diagram: Tor Network, Attacker, Trojan Malware, Commands from Remote User, Web Server, IT Management Directory, Stolen Admin Credentials, File Server, External FTP Server, Data Exfiltration)

COMMON SCENARIO #2: MALWARE. Weaknesses that enabled it:
- Misconfigured web server
- Lack of MFA for administrators
- Reused credentials

COMMON SCENARIO #3: SQL INJECTION ATTACK
The attacker exploits a SQL injection flaw in a web application, pivots from the web server to a file server using a reused account, and exfiltrates the data to an FTP server in China.
(Diagram: Attacker Systems, SQL Injection, Web Server, Reused Account Pivot, File Server, Chinese FTP Server, Data Exfiltration)
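Reused credentials appear in both Scenario 2 (stolen admin credentials) and Scenario 3 (the reused account pivot). A concrete fieldwork test is to compare the local administrator password hashes collected from a sample of servers: NT hashes are unsalted, so two identical hashes mean two identical passwords, and a password shared across hosts turns any one compromised host into a pivot to the others. The script below is an added example written for this page, not material from the presentation. The hostnames, account names and hash values are constructed, and it assumes the hash inventory was collected by the administrators under the audit's agreed scope.

```python
"""Flag password reuse among privileged accounts from a constructed hash inventory."""
from collections import defaultdict

# Constructed sample: (host, account, NT hash as hex). These are not real hashes.
# NT hashes are unsalted, so the same password always yields the same hash.
HASH_INVENTORY = [
    ("WEB01",  "Administrator", "a9fdfa038c4b75ebc76dc855dd74f0da"),
    ("WEB02",  "Administrator", "a9fdfa038c4b75ebc76dc855dd74f0da"),
    ("FILE01", "Administrator", "a9fdfa038c4b75ebc76dc855dd74f0da"),
    ("FILE01", "svc_backup",    "3dbde697d71690a769204beb12283678"),
    ("DB01",   "Administrator", "c22b315c040ae6e0efee3518d830362b"),
    ("DB01",   "svc_backup",    "3dbde697d71690a769204beb12283678"),
    ("JUMP01", "Administrator", "5835048ce94ad0564e29a924a03510ef"),
]

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def group_by_hash(inventory):
    """Map each hash to the (host, account) pairs that share it."""
    groups = defaultdict(list)
    for host, account, nt_hash in inventory:
        groups[nt_hash.lower()].append((host, account))
    return groups


def find_reuse(inventory):
    """Findings: hashes that equal the empty password, or that appear on more than one host."""
    findings = []
    for nt_hash, users in sorted(group_by_hash(inventory).items()):
        hosts = sorted({host for host, _ in users})
        if nt_hash == EMPTY_NT_HASH:
            findings.append({"hash": nt_hash, "issue": "empty-password",
                             "hosts": hosts, "accounts": sorted(users)})
        elif len(hosts) > 1:
            findings.append({"hash": nt_hash, "issue": "shared-across-hosts",
                             "hosts": hosts, "accounts": sorted(users)})
    return findings


def pivot_reach(inventory, start):
    """Hosts an attacker holding every credential on `start` could reach by reuse, transitively."""
    groups = group_by_hash(inventory)
    by_host = defaultdict(list)
    for host, _account, nt_hash in inventory:
        by_host[host].append(nt_hash.lower())
    seen, frontier = {start}, [start]
    while frontier:
        host = frontier.pop()
        for nt_hash in by_host[host]:
            for other, _ in groups[nt_hash]:      # every host where this password also works
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
    seen.discard(start)
    return sorted(seen)


if __name__ == "__main__":
    for f in find_reuse(HASH_INVENTORY):
        print(f"{f['issue']}: {f['hash']} on {', '.join(f['hosts'])}")
    print("pivot reach from WEB01:", pivot_reach(HASH_INVENTORY, "WEB01"))
```

The pivot reach is the auditor's version of the Scenario 3 diagram: a compromised WEB01 reaches FILE01 through the shared Administrator password, and FILE01's shared service account then reaches DB01, while the jump host with its unique password stays out of reach.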

COMMON SCENARIO #3: SQL INJECTION ATTACK. Controls that address it:
- Web application firewall
- Network segmentation
- Reused credentials
- Review of outbound traffic patterns

AUDIT'S VIEW POINT (Source: 2014 IIARF Research Report on Cyber Security)
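Scenarios 2 and 3 both end the same way: a server inside the network pushes data to an external FTP server, which is why "review of outbound traffic patterns" is listed as a control. The script below is an added example for this page, not part of the presentation, showing the kind of egress review an auditor can run over exported flow records. The network layout (a 10.0.0.0/8 internal range, a server subnet that should only reach the Internet through a proxy), the list of risky ports and the 1 GB threshold are assumptions, and the flow records are constructed.

```python
"""Review outbound flow records against an egress policy (constructed data)."""
import ipaddress
from collections import defaultdict

# Hypothetical network layout assumed for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SERVER_SUBNET = ipaddress.ip_network("10.0.20.0/24")   # web/file/db servers; egress only via proxy
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 9001: "tor-or", 9030: "tor-dir"}
LARGE_TRANSFER_BYTES = 1_000_000_000                     # 1 GB to a single external host

# Constructed flow records: (src, dst, dst_port, bytes_out)
FLOWS = [
    ("10.0.30.11", "93.184.216.34", 443,  48_000),         # workstation browsing
    ("10.0.30.11", "93.184.216.34", 443,  52_000),
    ("10.0.20.7",  "10.0.1.5",      3128, 120_000),        # file server via the proxy (expected)
    ("10.0.20.7",  "10.0.1.5",      3128, 110_000),
    ("10.0.20.7",  "203.0.113.50",  21,   2_400_000_000),  # file server straight to external FTP
    ("10.0.20.9",  "198.51.100.23", 9001, 15_000),         # web server to a Tor ORPort
    ("10.0.30.12", "192.0.2.77",    443,  30_000),
]


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL


def aggregate(flows):
    """Total bytes per (src, dst, port) so many small connections are judged as one transfer."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        totals[(src, dst, port)] += nbytes
    return totals


def review_egress(flows):
    """Return one finding per external (src, dst, port) that breaks an egress rule."""
    findings = []
    for (src, dst, port), nbytes in sorted(aggregate(flows).items()):
        if not is_external(dst):
            continue                                      # internal traffic is out of scope here
        reasons = []
        if ipaddress.ip_address(src) in SERVER_SUBNET:
            reasons.append("server-direct-external")       # should have gone through the proxy
        if port in RISKY_PORTS:
            reasons.append("risky-port:" + RISKY_PORTS[port])
        if nbytes >= LARGE_TRANSFER_BYTES:
            reasons.append("large-external-transfer")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port,
                             "bytes": nbytes, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_egress(FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']} {f['bytes']:,} bytes  "
              f"{', '.join(f['reasons'])}")
```

Each finding is a question for the "thousand How's": was there a valid business reason for the file server to talk to an external FTP host, and would anyone have noticed the 2.4 GB transfer if the auditor had not asked?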

AUDIT VIEW POINT
According to the 3rd annual survey of business executives by Protiviti and the Enterprise Risk Management (ERM) Initiative at the North Carolina State University Poole College of Management, cybersecurity is a key concern for Boards of Directors.

As the 3rd Line of Defense, what steps can audit take?
- SUPPORT THE BOARD: There are five guiding principles for the Board of Directors, according to recent IIA research, that should be taken into account.
- ANTICIPATE THE BOARD: There are six questions the Board of Directors should ask of their cybersecurity programs, according to recent IIA research.
- COMMUNICATE IN BUSINESS TERMS: Risk and business impact over technical jargon.
- DIG DEEPER: Educate IA staff to ask pointed questions that go beyond the checklist.

AUDIT VIEW POINT: SUPPORT THE BOARD
Five guiding principles for the Board of Directors (recent IIA research):
1. Cybersecurity is an enterprise wide risk management issue; it is not just an IT issue.
2. Understand the legal implications of cyber risks as they relate to your company's specific circumstances.
3. Boards should have access to cybersecurity expertise, and cybersecurity should receive regular and adequate time on the board meeting agenda.
4. Set the expectation that Management will establish an enterprise wide risk management framework with adequate staffing and budget.
5. For every identified cyber risk, discuss the action to take: avoid, accept, mitigate, or transfer.

AUDIT VIEW POINT: ANTICIPATE THE BOARD
Six questions the Board of Directors should ask of their cybersecurity programs (recent IIA research):
1. Does the organization use a security framework?
2. What are the top 5 risks this organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are both internal and external threats considered when planning cybersecurity activities?
5. How is security governance handled within this organization?
6. In the event of a serious breach, has Management developed a robust response plan?

AUDIT VIEW POINT: COMMUNICATE IN BUSINESS TERMS
Risk and business impact over technical jargon.
- Speak the language and highlight the right risks to the audit committee. Cybersecurity has become the #1 topic in Audit Committee discussions; be prepared.
- Cybersecurity is a business risk that requires an enterprise wide response.
- Audit Committees are more and more likely to ask: "In light of recent breaches, how is the organization aligning the information security strategy to the organizational risk appetite and risk tolerance?" They are more savvy; understand this question and be prepared to answer it.

AUDIT VIEW POINT: DIG DEEPER
Educate IA staff to ask pointed questions that go beyond the checklist.

Ask the thousand "How"s:
- How do we restrict outbound traffic? How do we know if it is for a valid business reason?
- How is anomalous activity detected? How do we know the tool is effective?
- How are we confident that is being done? How would we know if it isn't?

"But we don't know what to ask":
- Do you know the process? Dig into the process: Who is responsible? Are artifacts generated at each step? Is there governance and oversight?
- Is a data flow involved? Dig into the data flow: Where does the data come from? What systems does it touch? What systems are next to those?

"But how can we possibly keep up on cybersecurity?":
- News, Reddit, Twitter, Hacker News, vendor documentation
- Training, conferences
- Internal hire
- External advisor / assistance

WHAT CAN INTERNAL AUDIT DO? Key Considerations

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: A Penetration Test is Not Enough
Internal Audit plans frequently include a penetration test, and only a penetration test, as a cybersecurity related audit. The increased risk environment necessitates that Internal Audit look beyond penetration tests and increase the number of cybersecurity audits.

Limits of penetration testing: a penetration test does not always provide an accurate or comprehensive assessment of cybersecurity risk. The goal of a penetration test is to simulate a single attack, not to uncover all possible attack scenarios. It is also usually very time constrained, lasting weeks instead of the months that actual attackers have. Internal Audit departments need to rebalance their plans to cover more cybersecurity areas.

For contrast, the slide lays out the breadth of the NIST Cybersecurity Framework functions and categories, most of which a penetration test never touches:

Function        ID      Category
Identify (ID)   ID.AM   Asset Management
                ID.BE   Business Environment
                ID.GV   Governance
                ID.RA   Risk Assessment
                ID.RM   Risk Management Strategy
Protect (PR)    PR.AC   Access Control
                PR.AT   Awareness & Training
                PR.DS   Data Security
                PR.IP   Information Protection Processes & Procedures
                PR.MA   Maintenance
                PR.PT   Protective Technology
Detect (DE)     DE.AE   Anomalies & Events
                DE.CM   Security Continuous Monitoring
                DE.DP   Detection Processes
Respond (RS)    RS.RP   Response Planning
                RS.CO   Communications
                RS.AN   Analysis
                RS.MI   Mitigation
                RS.IM   Improvements
Recover (RC)    RC.RP   Recovery Planning
                RC.IM   Improvements
                RC.CO   Communications

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: Key Areas of an Internal Audit Plan for Cybersecurity
An Internal Audit plan for cybersecurity should be based on the organization's risk profile and the external threat landscape. A balanced plan might include:
- An operational security topic (e.g., security monitoring)
- A technology security topic (e.g., SQL Server)
- A compliance topic (e.g., PCI, privacy)
- Internal and external penetration testing
Organizations that are at high risk for cyberattack should consider an annual Breach Detection Audit as a point in time view of indicators of breach in the environment.

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: Breach Detection Audit
Organizations are not very good at self detecting breaches; IA can help identify gaps.
Key questions:
- Are there signs that the organization is currently breached or has been in the recent past?
- How effective are the security monitoring tools and processes in place?
- Have potential breaches been sufficiently investigated?
Fieldwork activities:
- Forensic review of key indicators of a targeted attack (logs, network activity, systems).
- Evaluation of breach detection capabilities and processes.
- Review of previous potential breach incidents and the organization's follow up.
Value provided to Management:
- Management will appreciate the timeliness and relevance.
- Proven action steps that Management can take to improve its ability to detect breaches.
- Communication to stakeholders of the key controls Management has invested in.
Can be completed in 250 to 500 hours, depending on components desired.

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: Third Party Access Audit
IA can help Management limit the risk associated with a compromised third party (e.g., an HVAC vendor).
Key questions:
- Could a breach of a third party result in a breach of our organization?
- Are vendor, contractor, and other third party accounts sufficiently restricted?
- Would we know if a vendor account was being used improperly?
Fieldwork activities:
- Review of policies and procedures for third parties.
- Review of a sample of third party accounts for appropriate access.
- Attempting privilege escalation from an example third party account.
Value provided to Management:
- Topical, given that the Target breach began with a third party (HVAC vendor) account.
- Factual arguments to support limiting vendor access further.
- Comforting stakeholders on a key area of risk (provided appropriate controls are in place).
Can be completed in 150 to 250 hours, depending on components desired.
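The Third Party Access Audit's fieldwork step "review of a sample of third party accounts for appropriate access" is easy to script once the policy is written down as rules. The script below is an added example for this page, not material from the presentation or a Protiviti tool. The policy it enforces (MFA required, an expiration date no later than the contract end, no privileged group membership, only approved vendor groups, and inactive accounts disabled after 45 days) is a hypothetical one, and the account records are constructed to exercise each rule, including a vendor account still logging in months after its contract ended, which is the "would we know if a vendor account was being used improperly?" case.

```python
"""Test a sample of third party accounts against an access policy (constructed data)."""
from datetime import date

# Hypothetical third party access policy assumed for the example.
POLICY = {
    "max_inactive_days": 45,
    "privileged_groups": {"Domain Admins", "Enterprise Admins", "Server Operators"},
    "allowed_vendor_groups": {"VPN-Vendors", "HVAC-Portal-Users", "Remote-Support"},
}
AS_OF = date(2015, 10, 9)  # review date; the presentation date is used here

# Constructed sample of third party accounts exported from the directory.
ACCOUNTS = [
    {"user": "hvac-svc", "vendor": "Acme HVAC", "enabled": True, "mfa": False,
     "groups": {"VPN-Vendors", "HVAC-Portal-Users"}, "expires": None,
     "contract_end": date(2015, 6, 30), "last_logon": date(2015, 9, 28)},
    {"user": "erp-consult1", "vendor": "ERP Partners", "enabled": True, "mfa": True,
     "groups": {"VPN-Vendors", "Domain Admins"}, "expires": date(2016, 3, 31),
     "contract_end": date(2016, 3, 31), "last_logon": date(2015, 10, 7)},
    {"user": "print-support", "vendor": "CopyCo", "enabled": True, "mfa": True,
     "groups": {"Remote-Support"}, "expires": date(2015, 12, 31),
     "contract_end": date(2015, 12, 31), "last_logon": date(2015, 5, 2)},
    {"user": "old-vendor", "vendor": "Legacy LLC", "enabled": False, "mfa": False,
     "groups": set(), "expires": date(2014, 1, 1),
     "contract_end": date(2014, 1, 1), "last_logon": date(2013, 12, 20)},
    {"user": "cloud-ops", "vendor": "CSP Managed", "enabled": True, "mfa": True,
     "groups": {"Remote-Support"}, "expires": date(2016, 1, 31),
     "contract_end": date(2016, 1, 31), "last_logon": date(2015, 10, 8)},
]


def check_account(acct, as_of=AS_OF, policy=POLICY):
    """Return the policy exceptions for one account; an empty list means it is clean."""
    issues = []
    if not acct["enabled"]:
        return issues                                # a disabled account grants no live access
    if not acct["mfa"]:
        issues.append("no-mfa")
    if acct["expires"] is None:
        issues.append("no-expiration-date")
    elif acct["expires"] > acct["contract_end"]:
        issues.append("expires-after-contract")
    if as_of > acct["contract_end"]:
        issues.append("active-after-contract-end")
        if acct["last_logon"] > acct["contract_end"]:
            issues.append("used-after-contract-end")  # the account is not just stale, it is in use
    if acct["groups"] & policy["privileged_groups"]:
        issues.append("privileged-group-membership")
    if acct["groups"] - policy["allowed_vendor_groups"] - policy["privileged_groups"]:
        issues.append("unapproved-group")
    if (as_of - acct["last_logon"]).days > policy["max_inactive_days"]:
        issues.append("inactive-not-disabled")
    return issues


def review_accounts(accounts, as_of=AS_OF, policy=POLICY):
    """Map each account that has exceptions to its list of issues."""
    results = {}
    for acct in accounts:
        issues = check_account(acct, as_of, policy)
        if issues:
            results[acct["user"]] = issues
    return results


if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS).items():
        print(f"{user}: {', '.join(issues)}")
```

The output is the "factual argument" the slide promises: a per-account list of exceptions that Management can act on directly, rather than a general statement that vendor access should be tightened.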

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: NIST Cybersecurity Framework (CSF) Audit
IA can help Management validate its NIST CSF implementation or alignment.
Key questions:
- Do we have sufficient cybersecurity control coverage as described in the NIST CSF?
- How mature is our control environment relative to the NIST CSF categories?
Fieldwork activities:
- Interviews and review of documents related to the NIST CSF controls.
- Testing a risk based sample of controls for effectiveness.
- Reviewing control maturity and efficiency.
Value provided to Management:
- Directly responsive to Board interest in the NIST CSF.
- Third party validation of successful control implementation.
Can be completed in 250 to 350 hours, depending on organization size and scope of testing.

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: Cloud Computing
IA can help Management limit the risk associated with vendors offering cloud computing services.
Key questions:
- How are our assets protected by cloud service providers (CSPs)?
- How has cloud computing changed the technology environment?
- How are responsibility and risks shared between us and the vendor?
Fieldwork activities:
- Develop a listing and risk profile of CSPs.
- Evaluate adherence of service level agreements and operating level agreements to policy.
- Review the completeness and effectiveness of contractual control requirements.
Value provided to Management:
- Assurance on how sensitive data is being managed by service providers.
- Assessment of whether cloud provider security measures are aligned with company policies.
- Demonstration that cloud computing is not just an IT responsibility.
Can be completed in 200 to 250 hours, depending on organization size and scope of testing.

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: Incident Management and Response
IA can help identify gaps in current incident management processes and make recommendations accordingly.
Key questions:
- Are we able to access critical business resources during unplanned maintenance or an outage?
- How effective is our current incident management environment?
- Are personnel able to respond to incidents and conduct effective analysis and investigation?
Fieldwork activities:
- Document current and desired state capabilities.
- Assess the maturity and effectiveness of the incident management program against requirements.
- Map IT systems to business activities and priorities.
Value provided to Management:
- Assurance to stakeholders regarding the organization's ability to respond quickly and effectively to minimize incident damage.
- Fewer incidents and shorter recovery time, keeping business disruption to a minimum.
- Reduced unplanned costs due to incidents.
Can be completed in 250 to 300 hours, depending on organization size and scope of testing.

CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS: FFIEC Cybersecurity Assessment Tool
On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released its highly anticipated Cybersecurity Assessment Tool. The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards and report forms for its member agencies.
Key principles:
- Designed to assist financial institutions in conducting a self assessment of cyber risks.
- Covers the domains of a company's cybersecurity preparedness.
- Defines risk and maturity levels, with examples.
- Elements can be adapted for use by most industries.
- Incorporates the NIST CSF and can be mapped back to it.
Fieldwork activities:
- Conduct a risk assessment to determine the inherent risk profile across the five risk categories.
- Evaluate maturity across the five cybersecurity domains.
- Review control maturity and efficiency.
Risks evaluated (Inherent Risk Profile categories):
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Services
4. Organizational Characteristics
5. External Threats
Maturity domains:
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Management and Resilience

CYBERSECURITY AUDIT PROGRAM: Other Hot Topic Areas
Depending on the organization's industry and maturity, there are a number of other areas that could demonstrate Internal Audit's awareness of new cybersecurity risks:
- Medical Device Security
- Potentially Embarrassing Information (PEI) Security
- Data Exfiltration Monitoring
- Destructive Malware Resilience
Include someone from the information security team in brainstorming sessions when determining audit topic areas for the upcoming year.

Q & A (Eric Vyverberg, David Kupinski, Randy Armknecht)


More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

Implementing a Framework

Implementing a Framework Implementing a Framework 44th Tennessee Higher Education Information Technology Symposium 2015 Greg Jackson Cyber Security Analyst Dynetics Inc. Information Systems Assessment Services (ISAS) www.dynetics.com

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

SECURITY 2.0 LUNCHEON

SECURITY 2.0 LUNCHEON PROTECTING YOUR ORGANIZATION SECURITY 2.0 LUNCHEON AGAINST CYBER THREATS Tommy Montgomery, Principal Consultant Viral Dhimar, Consultant Adam Ferguson, VP October 22, 2014 #SWCEvents Security 2.0: Next

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

Protecting what matters most: Cyber resilience in the mining industry

Protecting what matters most: Cyber resilience in the mining industry www.pwc.com/ca/cyber-resilience Protecting what matters most: Cyber resilience in the mining industry Richard Wilson, Partner Brian Lachine, Manager 2015 s Mining Cyber Security Leaders Richard Wilson

More information

CRR-NIST CSF Crosswalk 1

CRR-NIST CSF Crosswalk 1 IDENTIFY (ID) Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative

More information

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement Copyright Elevate Consult LLC. All Rights Reserved 1 Presenter Ray Guzman MBA, CISSP, CGEIT, CRISC, CISA Over 25

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

Larry Schoeberl, Supervisory Examiner National Credit Union Administration FFIEC Cybersecurity Assessment Tool

Larry Schoeberl, Supervisory Examiner National Credit Union Administration FFIEC Cybersecurity Assessment Tool Larry Schoeberl, Supervisory Examiner National Credit Union Administration FFIEC Cybersecurity Assessment Tool Michigan CU League & Affiliates Conference February 11, 2016 Agenda Risk Trends FFIEC Cybersecurity

More information

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1 PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

Cybersecurity Governance Update on New FFIEC Requirements

Cybersecurity Governance Update on New FFIEC Requirements Cybersecurity Governance Update on New FFIEC Requirements cliftonlarsonallen.com Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, Professional Services Firm

More information

Top 10 Baseline Cybersecurity Controls Banks Aren't Doing

Top 10 Baseline Cybersecurity Controls Banks Aren't Doing Top 10 Baseline Cybersecurity Controls Banks Aren't Doing SECURE BANKING SOLUTIONS 1 Contact Information Chad Knutson President, SBS Institute Senior Information Security Consultant Masters in Information

More information

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense Tony Sager The Center for Internet Security Classic Risk Equation Risk = { Vulnerability, Threat, Consequence } countermeasures

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Cybersecurity Maturity Assessment: Are you where you should be?

Cybersecurity Maturity Assessment: Are you where you should be? Cybersecurity Maturity Assessment: Are you where you should be? NAFCU Services Webinar: 2/23/2016 A subsidiary of Introduction Matt Mitchell, CISSP- Director Risk Assurance 18 years information security

More information

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Department of Management Services. Request for Information

Department of Management Services. Request for Information Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley

More information

IBM Security Strategy

IBM Security Strategy IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

Cybersecurity Enhancement Account. FY 2017 President s Budget

Cybersecurity Enhancement Account. FY 2017 President s Budget Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities

More information

Cybersecurity@RTD Program Overview and 2015 Outlook

Cybersecurity@RTD Program Overview and 2015 Outlook Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration

More information

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

The Changing IT Risk Landscape Understanding and managing existing and emerging risks The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015

More information

Cyber and Data Risk What Keeps You Up at Night?

Cyber and Data Risk What Keeps You Up at Night? Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks

More information

WSECU Cyber Security Journey. David Luchtel VP IT Infrastructure & Opera:ons

WSECU Cyber Security Journey. David Luchtel VP IT Infrastructure & Opera:ons WSECU Cyber Security Journey David Luchtel VP IT Infrastructure & Opera:ons Objec:ve of Presenta:on Share WSECU s journey Overview of WSECU s Security Program approach Overview of WSECU s self- assessment

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles PNNL-24138 SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles March 2015 LR O Neil TJ Conway DH Tobey FL Greitzer AC Dalton PK Pusey Prepared for the

More information

Agile Cyber Security Security for the Real World, Architectural Approach

Agile Cyber Security Security for the Real World, Architectural Approach Agile Cyber Security Security for the Real World, Architectural Approach Osama Al-Zoubi Senior Manger, Systems Engineering Fahad Aljutaily Senior Solution Architect, Security Market Trends Welcome to the

More information

Technology and Cyber Resilience Benchmarking Report 2012. December 2013

Technology and Cyber Resilience Benchmarking Report 2012. December 2013 Technology and Cyber Resilience Benchmarking Report 2012 December 2013 1 Foreword by Andrew Gracie Executive Director, Special Resolution Unit, Bank of England On behalf of the UK Financial Authorities

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

Structuring the Chief Information Security Officer Organization

Structuring the Chief Information Security Officer Organization Structuring the Chief Information Security Officer Organization December 1, 2015 Julia Allen Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Evolution Of Cyber Threats & Defense Approaches

Evolution Of Cyber Threats & Defense Approaches Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm Agenda About State Farm Evolution

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

CONSULTING IMAGE PLACEHOLDER

CONSULTING IMAGE PLACEHOLDER CONSULTING IMAGE PLACEHOLDER KUDELSKI SECURITY CONSULTING SERVICES CYBERCRIME MACHINE LEARNING ECOSYSTEM & INTRUSION DETECTION: CYBERCRIME OR REALITY? ECOSYSTEM COSTS BENEFITS BIG BOSS Criminal Organization

More information

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc. Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What

More information

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014 Aalborg Universitet Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication

More information

Address C-level Cybersecurity issues to enable and secure Digital transformation

Address C-level Cybersecurity issues to enable and secure Digital transformation Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,

More information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

CYBER SECURITY, A GROWING CIO PRIORITY

CYBER SECURITY, A GROWING CIO PRIORITY www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Cloud Computing Risk and Rewards

Cloud Computing Risk and Rewards Cloud Computing Risk and Rewards John Lazarine Vice President and Chief Audit Executive Mark Salamasick Director of Center for Internal Auditing For Dallas CPA Society Convergence 2013 May 8, 2013 John

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Defending the Database Techniques and best practices

Defending the Database Techniques and best practices ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target

More information

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust

More information

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) Consultant - Enterprise Systems & Applications 1. Reporting Function. The Applications Consultant reports directly to the CIO 2. Qualification and Experience

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense : Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary

More information

Happy First Anniversary NIST Cyber Security Framework:

Happy First Anniversary NIST Cyber Security Framework: Happy First Anniversary NIST Cyber Security Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA Problem Statement Management has not been given the correct information to understand and act upon

More information

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy 2015 Michigan NASCIO Award Nomination Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy Sponsor: David Behen, DTMB Director and Chief Information Officer Program Manager: Rod Davenport,

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action Where insights lead Cybersecurity and the role of internal audit: An urgent call to action The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could

More information

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives AUD105-2nd Edition Auditor s Guide to IT - 20 hours Objectives More and more, auditors are being called upon to assess the risks and evaluate the controls over computer information systems in all types

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Cybersecurity. Are you prepared?

Cybersecurity. Are you prepared? Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense Enterprise Cybersecurity: Building an Effective Defense Chris Williams Oct 29, 2015 14 Leidos 0224 1135 About the Presenter Chris Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has

More information

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information