IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

Transcription

1 IT AUDIT Current Trends and Top Risks of Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti eric.vyverberg@protiviti.com Managing Director Internal Audit Protiviti david.kupinski@protiviti.com Associate Director Security & Privacy Solutions Protiviti randy.armknecht@protiviti.com 1

2 3 PRESENTATION AGENDA IT Audit Current Trends ~ 15 Min Case Study and Audit s View Point ~ 50 Min Considerations for a Modern Cyber Program ~ 15 Min What Can Internal Audit Do? ~ 20 Min Questions & Answers ~ 10 Min 4 IT AUDIT CURRENT TRENDS What are we are seeing in IT Audit from the top down? TODAY S TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed RISK ASSESSMENT AND IT AUDIT PLAN Discussion of the IT Audit risk assessment and how IT Auditors are spending their time IT AUDIT SKILLSETS IA departments staffing and how are departments getting deeper skills 2

3 5 GLOBAL IT AUDIT BEST PRACTICES ISACA and Protiviti partnered to conduct the fourth annual IT Audit Benchmarking Survey in the third quarter of 2014 This global survey, conducted online, consisted of a series of questions grouped into five categories: Today s Top Technology Challenges IT Audit in Relation to the Internal Audit Department Assessing IT Risks Audit Plan Skills and Capabilities More than 1,300 executives and professionals, including chief audit executives as well as IT audit vice presidents and directors, completed the online questionnaire 6 AUDIT VIEW POINT TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed RISK ASSESSMENT AND IT AUDIT PLAN Discussion of the IT Audit risk assessment and how IT Auditors are spending their time IT AUDIT SKILLSETS IA departments staffing and how are departments getting deeper skills 3

4 7 IT AUDIT CURRENT TRENDS TODAY S TOP RISK AREAS Cybersecurity is dominating the discussions at the Board Level. Two out of three organizations today are undergoing a major IT transformation (Source: Protiviti 2014 IT Priorities Survey) One in three companies do not have a written information security policy, and more than 40 percent lack a data encryption policy (Source: Protiviti 2014 IT Security and Privacy Survey) 8 IT AUDIT CURRENT TRENDS TODAY S TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape An underlying theme emerging from these challenges is that technology is always changing and thus it is difficult to maintain a handle on it 4

5 9 IT AUDIT CURRENT TRENDS TODAY S TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape High profile data breaches in many well known organizations are keeping IT security top of mind and heightening expectations from the board, executives and other stakeholders for sound security measures that involve the IT audit function 10 IT AUDIT CURRENT TRENDS TODAY S TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape The development of a comprehensive cybersecurity framework should be driving compliance activities 5

6 11 IT AUDIT CURRENT TRENDS TODAY S TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape It is imperative for IT auditors to keep their skills current in areas including, but not limited to, IT security, cloud computing and storage, outsourcing and vendor assurance, data analytics, computer assisted auditing tools, and more 12 IT AUDIT CURRENT TRENDS TODAY S TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape Clearly, there is a trend toward a greater need for enhanced skills and resources around these technologies and areas much more so than in the past 6

7 13 AUDIT VIEW POINT TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed RISK ASSESSMENT AND IT AUDIT PLAN Discussion of the IT Audit risk assessment and how IT Auditors are spending their time IT AUDIT SKILLSETS IA departments staffing and how are departments getting deeper skills 14 IT AUDIT CURRENT TRENDS IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed. Do you have a designated IT audit director (or equivalent position)? 7

8 15 IT AUDIT CURRENT TRENDS IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed. To whom does the IT Audit Leadership report? 16 IT AUDIT CURRENT TRENDS IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed. Does IT Audit Leadership attend Audit Committee meetings? 8

9 17 IT AUDIT CURRENT TRENDS IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function isdo executed. you use outside resources to augment/provide your IT audit skill set? 18 IT AUDIT CURRENT TRENDS IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function The is executed. number of IT audit reports issued as a percentage of the total reports in IA 9

10 19 AUDIT VIEW POINT TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed RISK ASSESSMENT AND IT AUDIT PLAN Discussion of the IT Audit risk assessment and how IT Auditors are spending their time IT AUDIT SKILLSETS IA departments staffing and how are departments getting deeper skills 20 IT AUDIT CURRENT TRENDS 03 RISK ASSESSMENT AND IT AUDIT PLAN Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed. Does your organization conduct an IT audit risk assessment? 10

11 21 IT AUDIT CURRENT TRENDS 03 RISK ASSESSMENT AND IT AUDIT PLAN Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed. How frequently is the IT Audit risk assessment updated? 22 IT AUDIT CURRENT TRENDS 03 RISK ASSESSMENT AND IT AUDIT PLAN Themes in IT Audit Leadership, reporting lines, and how the IT Audit function iswhich executed. of the following activities is your IT audit function responsible for? 11

12 23 IT AUDIT CURRENT TRENDS 03 RISK ASSESSMENT AND IT AUDIT PLAN Themes in IT Audit Leadership, reporting lines, and how the IT Audit function What is executed. level of involvement does IT audit have in significant technology projects? 24 IT AUDIT CURRENT TRENDS 03 RISK ASSESSMENT AND IT AUDIT PLAN Themes in IT Audit Leadership, reporting lines, and how the IT Audit function iswhat executed. % of time does the IT audit spend on different nature of activities? 12

13 25 AUDIT VIEW POINT TOP RISK AREAS Projects, technology innovations, and aspects of running the business of IT that are controlling the landscape IT AUDIT S ROLE IN THE DEPARTMENT Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is executed RISK ASSESSMENT AND IT AUDIT PLAN Discussion of the IT Audit risk assessment and how IT Auditors are spending their time IT AUDIT SKILLSETS IA departments staffing and how are departments getting deeper skills 26 IT AUDIT CURRENT TRENDS 04 IT AUDIT SKILLSETS Themes in IT Audit Leadership, reporting lines, and how the IT Audit function is How executed. important are specific IT audit technical skills for your IT audit staff? 13

14 27 IT AUDIT CURRENT TRENDS 04 IT AUDIT SKILLSETS Themes in IT Audit Leadership, reporting lines, and how the IT Audit functionhow is executed. important are business and interpersonal skills for your IT audit staff? 28 IT AUDIT CURRENT TRENDS IT AUDIT SKILLSETS 04 Themes Are IT inaudits IT Audit conducted Leadership, by reporting individuals lines, and who how are the full time IT Audit internal audit professionals in function is executed. the internal audit department and who focus on IT audit projects? 14

15 29 IT AUDIT CURRENT TRENDS 04 IT AUDIT SKILLSETS Themes Are there in IT Audit specific Leadership, areas of reporting your current lines, andit how audit theplan IT Audit that you are not able to address function is executed. sufficiently due to lack of resources/skills? 30 IT AUDIT CURRENT TRENDS IN SUMMARY Cybersecurity and privacy are primary concerns Companies face significant IT audit staffing and resource challenges Audit committees, as well as organizations in general, are becoming more engaged in IT audit IT audit risk assessments are not being conducted, or updated, frequently enough Room for growth in IT audit reports and reporting structures 15

16 31 Example Scenarios Ladies and gentlemen, the stories you are about to hear are true. The names have been changed to protect the innocent. Source: Multiple Online Reports & Client Experiences 32 Common Scenario #1 Data Exposure Database server reaches end of life. Data is moved to an insecure location. Information is accessible from the Internet Database Server Firewall Secondary Server 16

17 33 Common Scenario #1 Data Exposure Asset Lifecycle Management Network Traffic Monitoring Data at Rest Scanning 34 Common Scenario #2 Malware Tor Network Attacker Trojan Malware Commands from Remote User Web Server IT Management Directory Stolen Admin Credentials External FTP Server File Server Data Exfiltration 17

18 35 Common Scenario #2 Malware Misconfigured Web Server Lack of MFA for Administrators Reused Credentials 36 Common Scenario #3 SQL Injection Attack Attacker Systems SQL Injection Web Server Re used Account Pivot File Server Chinese FTP Server Data Exfiltration 18

19 37 Common Scenario #3 SQL Injection Attack Web Application Firewall Network Segmentation Reused Credentials Review of Outbound Traffic Patterns Audit s View Point Source: 2014 IIARF Research Report on Cyber Security 19

20 39 AUDIT VIEW POINT According to the 3 rd annual survey of business executives by Protiviti and the Enterprise Risk Management (ERM) Initiative at the North Carolina State University Poole College of Management, Cybersecurity is key concern for Boards of Directors. 40 AUDIT VIEW POINT As the 3 rd Line of Defense, what steps can audit take? SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist 20

21 41 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist 42 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account Cyber Security is an enterprise wide risk management issue; it is not just an IT Issue 21

22 43 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account Understand the legal implications of cyber risks as they relate to your company s specific circumstances 44 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account Access to cybersecurity expertise, and regular and adequate time on the board meeting agenda 22

23 45 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account Set expectation that Management will establish an enterprise wide risk management framework with adequate staffing and budget 46 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account Actions to avoid, accept, mitigate, or transfer risk should be discussed of all identified cyber risks 23

24 47 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist 48 AUDIT VIEW POINT ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research Does the organization use a security framework? 24

25 49 AUDIT VIEW POINT ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research What are the Top 5 risks this organization has related to cybersecurity? 50 AUDIT VIEW POINT ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research How are employees made aware of their role related to cybersecurity? 25

26 51 AUDIT VIEW POINT ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research Are both internal and external threats considered when planning cybersecurity activities? 52 AUDIT VIEW POINT ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research How is security governance handled within this organization? 26

27 53 AUDIT VIEW POINT ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research In the event of a serious breach, has Management developed a robust response plan? 54 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist 27

28 55 AUDIT VIEW POINT 03 COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon Speak the language and highlight the right risks to audit committee. Cybersecurity has become the #1 topic in Audit Committee discussions be prepared 56 AUDIT VIEW POINT 03 COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon Cybersecurity is a business risk that requires an enterprise wide response 28

29 57 AUDIT VIEW POINT 03 COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon Audit Committees are more and more likely to ask the question: In light of recent breaches, how is the organization aligning the Information Security Strategy to the organizational risk appetite and risk tolerance? They are more savvy. understand and be prepared to answer this question. 58 AUDIT VIEW POINT SUPPORT THE BOARD There are five guiding principles for the Board of Directors according to recent IIA Research that should be taken into account ANTICIPATE THE BOARD There are six questions the Board of Directors should ask of their Cybersecurity Programs according to recent IIA Research COMMUNICATE IN BUSINESS TERMS Risk and Business Impact over Technical Jargon DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist 29

30 59 AUDIT VIEW POINT 04 DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist Ask the thousand How s..... How do we restrict outbound traffic? How do we know if it s for a valid business reason? How is anomalous activity detected? How do we know the tool is effective? How are we confident that is being done? How would we know if it isn t? 60 AUDIT VIEW POINT 04 DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist But we don t know what to ask..... Do you know the process? Dig into the process! Who is responsible? Are artifacts generated at each step? Is there governance and oversight? Is a data flow involved? Dig into the data flow! Where does data come from? What systems does it touch? What systems are next to those? 30

31 61 AUDIT VIEW POINT 04 DIG DEEPER Educate IA Staff to ask pointed questions that go beyond the checklist But how can we possibly keep up on cybersecurity..... News, Reddit, Twitter, Hacker News, Vendor Documentation Training, Conferences Internal Hire External Advisor / Assistance WHAT CAN INTERNAL AUDIT DO? Key Considerations 31

32 63 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS A Penetration Test is Not Enough Internal Audit plans frequently include a penetration test, and only a penetration test, as a cybersecurity related audit. The increased risk environment necessitates that Internal Audit look beyond penetration tests and increase the number of cybersecurity audits. Limits of Penetration Testing Function Unique Identifier ID Function Identity Category Unique Identifier ID AM ID BE ID GV ID RA Category Asset management Business Environment Governance Risk Assessment Function Unique Identifier Function Category Unique Identifier RS RP RS CO Category Response Planning Communications A penetration test does not always provide an accurate or comprehensive assessment of cybersecurity risk. The goal of a penetration test is to simulate a single attack, not to uncover all possible attack scenarios. It is also usually very timeconstrained, lasting weeks instead of the months that actual attackers have. Internal Audit departments need to rebalance their plans to cover more cybersecurity areas. PR DE Protect Detect ID RM PR AC PR AT PR DS PR IP PR MA PR PT DE AE DE CM DE DP Risk Management Strategy Access Control Awareness & Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology Anomalies & Events Security Continuous Monitoring Detection Processes RS RC Respond Recover RS AN RS MI RS IM RC RP RC IM RC CO Analysis Mitigation Improvements Recovery Planning Improvements Communications 64 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS Key Areas of an Internal Audit Plan for Cybersecurity An Internal Audit plan for cybersecurity should be based on the organization s risk profile and the external threat landscape. A balanced plan might include: Operational Security Topic (e.g., Security Monitoring) Technology Security Topic (e.g., SQL Server) Compliance Topic (e.g., PCI, Privacy) Internal and External Penetration Testing Organizations that are at high risk for cyberattack should consider an annual Breach Detection Audit as a point in time view on indicators of breach in the environment. 32

33 65 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS Breach Detection Audit Organizations are not very good at self detecting breaches; IA can help identify gaps. Key Questions Are there signs that the organization is currently breached or has been in the recent past? How effective are in place security monitoring tools and processes? Have potential breaches been sufficiently investigated? Fieldwork Activities Forensic review of key indicators of a targeted attack (logs, network activity, systems). Evaluation of breach detection capabilities and processes. Review of previous potential breach incidents and organizational followup. Value Provided to Management Management will appreciate the timeliness and relevance. Proven action steps that Management can take improve its ability to detect breaches. Communication to stakeholders of key controls Management has invested in. Can be completed in 250 to 500 hours, depending on components desired. 66 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS Third Party Access Audit IA can help Management limit risk associated with a hacked third party (e.g., HVAC). Key Questions Could a breach of a third party result in a breach of our organization? Are vendor, contractor, and other third party accounts sufficiently restricted? Would we know if a vendor account was being used improperly? Fieldwork Activities Review of policies and procedures for third parties. Review of a sample of third party accounts for appropriate access. Attempting privilege escalation from an example third party account. Value Provided to Management Topical given Target initial intrusion method. Factual arguments to support limiting vendor access further. Comforting stakeholders on a key area of risk (provided appropriate controls are in place). Can be completed in 150 to 250 hours, depending on components desired. 33

34 67 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS NIST Cybersecurity Framework (CSF) Audit IA can help Management validate its NIST CSF implementation or alignment. Key Questions Do we have sufficient cybersecurity control coverage as described in the NIST CSF? How mature is our control environment related to the NIST CSF categories? Fieldwork Activities Interviews and review of documents related to the NIST CSF controls. Testing a risk based sample of controls for effectiveness. Reviewing control maturity and efficiency. Value Provided to Management Directly responsive to Board interest in NIST CSF. Third party validation of successful control implementation. Can be completed in 250 to 350 hours, depending on organization size and scope of testing. 68 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS Cloud Computing IA can help Management limit risk associated with vendors offering cloud computing services. Key Questions How are our assets protected by CSP s? How has cloud computing changed the technology environment? How are responsibility and risks shared between us and the vendor? Fieldwork Activities Develop a listing and risk profile of CSP s. Evaluate adherence of service level agreements and operating level agreements to policy. Review the completeness and effectiveness of contractual control requirements. Value Provided to Management Provide management with assurance on how sensitive data is being managed by service providers. Assess cloud provider security measures are aligned with company policies. Demonstrate that cloud computing is not just an IT responsibility. Can be completed in 200 to 250 hours, depending on organization size and scope of testing. 34

35 69 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS Incident Management and Response IA can help identify gaps in current incident management processes and make recommendations accordingly. Key Questions Are we able to access critical business resources during unplanned maintenance or outage? How effective is our current incident management environment? Are the personnel able to respond to incidents and conduct effective analysis and investigation? Fieldwork Activities Document current and desired state capabilities Assess maturity and effectiveness of incident management program to requirements Map IT systems to business activities and priorities Value Provided to Management Provide assurance to stakeholders with regards to the organization s ability to quickly and effectively respond to minimize incident damage. Fewer incidents and shorter recovery time, keeping business disruption to a minimum. Reduce unplanned costs due to incidents. Can be completed in 250 to 300 hours, depending on organization size and scope of testing. 70 CYBERSECURITY INTERNAL AUDIT CONSIDERATIONS FFIEC Cybersecurity Assessment Tool On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released its highly anticipated Cybersecurity Assessment Tool. The FFIEC is a formal interagency organization empowered to create uniform principles, standards and report forms for the agencies. Key Principles Fieldwork Activities Risks Evaluated Designed to assist financial institutions conduct self assessment of cyber risks. Domains of Company s cybersecurity preparedness. Defined risk and maturity levels and examples. Elements can be adapted to be leveraged by most industries. Incorporates NIST CSF and can be mapped back. Conduct risk assessment to evaluate inherent risk profile levels for cyberrisks (5). Evaluate the maturity cybersecurity domains (5). Reviewing control maturity and efficiency. 1. Technologies and Connection Types 2. Delivery Channels 3. Online/Mobile Products and Services 4. Organizational Characteristics 5. External Threats Maturity Domains 1. Cyber Risk Management and Oversight 2. Threat Intelligence and Collaboration 3. Cybersecurity Controls 4. External Dependency Management 5. Cyber Incident Management and Resilience 35

36 71 CYBERSECURITY AUDIT PROGRAM Other Hot Topic Areas Depending on the organization s industry and maturity, there are a number of other areas that could demonstrate Internal Audit s awareness of new cybersecurity risks: Medical Device Security Potentially Embarrassing Information (PEI) Security Data Exfiltration Monitoring Destructive Malware Resilience Include someone from our information security team in brainstorming sessions when determining audit topic areas for the upcoming year. Q & A Eric Vyverberg David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti eric.vyverberg@protiviti.com Managing Director Internal Audit Protiviti david.kupinski@protiviti.com Associate Director Security & Privacy Solutions Protiviti randy.armknecht@protiviti.com 36