Hot Topics in IT. CUAV Conference May 2012

Size: px

Start display at page:

Download "Hot Topics in IT. CUAV Conference May 2012"

Barbra Kelley
8 years ago
Views:

1 Hot Topics in IT CUAV Conference May 2012 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

2 Who Are We? Mike Cullen Manager 10+ years IT Audit Jarrett Blankenship Senior Consultant 6+ years IT Audit

3 Agenda Cloud Computing Contracts Big Data Security Changing Role of IT

4 Agenda More IT Topics Lightning Round Hacking FISMA Social Media Mobile Devices

5 CLOUD COMPUTING

7 Cloud Topics Contracts Big Data Security Changing Role of IT

8 Cloud Contracts What is it? Service level agreements Data processing and storage Infrastructure/security requirements Vendor relationship

9 Cloud Contracts What are the issues? Ownership of data Disposition of data Data breaches Data segregation Data location Data portability Legal/government requests for access to data

10 Cloud Contracts How can you audit/provide value? Ensure vendor/contracts process involves all stakeholders (e.g., units, legal, IT, finance, audit) Audit should be involved in negotiations to provide expertise on contract audit clauses and vendor certification programs (e.g., SSAE 16, PCI) Ensure there is a clear business owner of the vendor relationship Validate due diligence commiserate with the strategic importance and sensitivity of the data

11 Cloud Big Data What is it? Finding Meaning in Lots and Lots of Data Generated from Enterprise Systems Databases Social Networks Search Engines Etc, etc, etc

12 Cloud Big Data What are the issues? How do you balance the collection of information on students, alumni, faculty, or others with their rights to privacy? How do you measure the accuracy of the inferences from big data analysis?

13 Cloud Big Data How can you audit/provide value? Review controls for information privacy and security of data based on risk and regulatory requirements Validate data owners are aware of data usage Future need = Optimized use of Information, such as: Enrollment Retention Alumni Networking Fundraising Things we can t imagine right now

14 Cloud Security What is it? The growing challenge of securing data and information systems through collaboration with third parties providing services to the organization

15 Cloud Security What are the issues? Is Cloud security different than other Information Security? How can you be sure that data is secure in the Cloud? Who is responsible for what during a security breach? The Big Question: Is the Cloud more or less secure?

16 Cloud Security How can you audit/provide value? Conduct a Risk Assessment before moving a service to the cloud Review Vendor s Independent Certifications (e.g., SSAE 16, PCI) Ensure there are strong internal Data Security policies and procedures Thought: What is the right amount of due diligence to perform for a cloud provider?

17 Cloud Changing Role of IT What is it? IT as a Commodity that is flexible instead of a capital expense that is slow to change If the University moves everything to the Cloud, do we need a CIO? Do we even need an IT department?

18 Cloud Changing Role of IT What are the issues? IT s evolving role could be to: Set strategic priorities of technology for the organization Maintain a unified and efficient technology ecosystem Focus on developing new competitive advantages Provide advice and guidance on how to securely and efficiently leverage the cloud Innovators and Consultants instead of Doers and Managers

19 Cloud Changing Role of IT How can you audit/provide value? Validate IT strategy alignment to organization mission and goals Help IT define strategic roadmaps and plans to ensure risks are addressed Partner with IT to audit/review vendors, help create a vendor management program

20 SIDEBAR ON SERVICE ORGANIZATION CONTROLS (SOC) REPORTING

21 SOC Reports SOC 1 SOC 2 SOC 3 Purpose Reports on the controls of the service organization that are relevant to the user organization s financial reporting Reports on the effectiveness of the controls of the service organization related to compliance or operations, including trust services principles and criteria* Same purpose as SOC 2 *Trust services principles and criteria is security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria are related to the controls system and the confidentiality and privacy criteria are related to the information processed by the system.

22 SOC Reports SOC 1 SOC 2 SOC 3 Info required Details on the system, controls, and tests performed by the service auditor, and results of those tests Details on the system, controls, and tests performed by the service auditor, and results of those tests Same information as SOC 2, but with a less detailed description of the controls of the service organization Audience User organization s controllers, compliance officers, CFO, CIO, and financial statement auditors User organization s controllers, compliance officers, CFO, CIO, vendor management executives, regulators, other specified parties, and appropriate business partners Unrestricted and can be viewed by anyone who would like confidence in the controls of the service organization

23 MORE IT TOPICS: LIGHTNING ROUND

24 More IT Topics Hacktivism FISMA Social Media Mobile Devices

25 Hacktivism What is it? Hacking + Activism: The use of computers and computer networks as a means of protest to promote political ends (Wikipedia).

26 Hacktivism What are the issues? Universities are both targets of hacktivism AND ideal incubators for those wishing to participate in these movements.

27 Hacktivism How can you audit/provide value? Ensure traditional information security controls are maintained and up to date with emergent threats Ensure there is an incident response team trained and prepared to engage with law enforcement officials in the event of student, faculty, or staff involvement in criminal hactivism

28 FISMA What is it? The Federal Information Security Management Act of 2002 Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

29 FISMA What are the issues? Must comply with FISMA if you: Receive grants or contracts from federal agencies Collect, store, process, transmit or use information on behalf of government agencies Information Security Program Integration of security into processes Annual reporting of compliance Training

30 FISMA How can you audit/provide value? Determine if you need to comply (check contracts, talk to researchers, talk to agency IG) Perform a risk assessment Categorize government information and systems in use Perform a gap analysis between requirements and current state of your organization Test design and effectiveness of controls Report on compliance

31 Social Media What is it? In a single day in 2012: 172 million people visit Facebook 40 million visit Twitter 22 million visit LinkedIn 20 million visit Google+ 17 million visit Pinterest

32 Social Media What are the issues? Control your brand Leverage social media to attract, retain, and empower their community members: Students Faculty/Staff Alumni/Donors Applicants Public relations via direct customer interaction and engagement

33 Social Media How can you audit/provide value? Review or audit: Strategy/Governance Policies/Roles Metrics and Monitoring Compliance and Regulatory Issues Stay current with trends in social media Google your organization on a periodic basis

34 Mobile Devices What is it? emarketer estimates million smartphone users in the US by the end of 2012 Gartner estimates million worldwide media tablet sales in 2012

35 Mobile Devices What are the issues? People Devices Applications Data Portability: Biggest Risk and Biggest Benefit

36 Mobile Devices How can you audit/provide value? Bring Your Own Device (BYOD) is becoming standard Help develop a comprehensive mobile device policy including: Full device lifecycle support program Data protections based on data classifications Desktop virtualization User awareness of their personal risks & responsibilities

37 Mobile Devices Mobile Device Information Security Framework 2012 Baker Tilly Beers & Cutler PLLC

38 Questions Or your rambling thoughts and opinions, followed by the phrase, What do you think about that?

39 Contact Info Mike Cullen Jarrett Blankenship

40 Resources Cloud Security Alliance ISO Standard European Union Safe Harbor (Dept. of Commerce) SSAE 16 (AICPA) Shared Assessments SysTrust TRUSTe NIST EDUCAUSE Internet2 Net+ 40

03/06/2014. Bring Your Own Device: A Framework for Audit. Acknowledgement

03/06/2014. Bring Your Own Device: A Framework for Audit. Acknowledgement Bring Your Own Device: A Framework for Audit Emily A Knopp, CPA, CISA Audit Director Angelo State University, Member of Texas Tech University System March 6, 2014 Texas Association of College of University