Hot Topics in IT. CUAV Conference May 2012


Hot Topics in IT CUAV Conference May 2012 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Who Are We?
- Mike Cullen, Manager, 10+ years IT Audit
- Jarrett Blankenship, Senior Consultant, 6+ years IT Audit
www.bakertilly.com

Agenda Cloud Computing Contracts Big Data Security Changing Role of IT

Agenda More IT Topics Lightning Round Hacking FISMA Social Media Mobile Devices

CLOUD COMPUTING

Cloud Topics Contracts Big Data Security Changing Role of IT

Cloud Contracts: What is it?
- Service level agreements
- Data processing and storage
- Infrastructure/security requirements
- Vendor relationship

Cloud Contracts: What are the issues?
- Ownership of data
- Disposition of data
- Data breaches
- Data segregation
- Data location
- Data portability
- Legal/government requests for access to data

Cloud Contracts: How can you audit/provide value?
- Ensure the vendor/contracts process involves all stakeholders (e.g., units, legal, IT, finance, audit)
- Audit should be involved in negotiations to provide expertise on contract audit clauses and vendor certification programs (e.g., SSAE 16, PCI)
- Ensure there is a clear business owner of the vendor relationship
- Validate that due diligence is commensurate with the strategic importance and sensitivity of the data

Cloud Big Data: What is it?
Finding meaning in lots and lots of data generated from:
- Enterprise systems
- Databases
- Social networks
- Search engines
- Etc., etc., etc.

Cloud Big Data: What are the issues?
- How do you balance the collection of information on students, alumni, faculty, or others with their rights to privacy?
- How do you measure the accuracy of the inferences from big data analysis?

Cloud Big Data: How can you audit/provide value?
- Review controls for information privacy and security of data based on risk and regulatory requirements
- Validate that data owners are aware of data usage
- Future need = optimized use of information, such as:
  - Enrollment
  - Retention
  - Alumni networking
  - Fundraising
  - Things we can't imagine right now

Cloud Security: What is it?
The growing challenge of securing data and information systems through collaboration with third parties providing services to the organization.

Cloud Security: What are the issues?
- Is Cloud security different from other Information Security?
- How can you be sure that data is secure in the Cloud?
- Who is responsible for what during a security breach?
- The Big Question: Is the Cloud more or less secure?

Cloud Security: How can you audit/provide value?
- Conduct a risk assessment before moving a service to the cloud
- Review the vendor's independent certifications (e.g., SSAE 16, PCI)
- Ensure there are strong internal data security policies and procedures
- Thought: What is the right amount of due diligence to perform for a cloud provider?

Cloud Changing Role of IT: What is it?
- IT as a commodity that is flexible, instead of a capital expense that is slow to change
- If the University moves everything to the Cloud, do we need a CIO? Do we even need an IT department?

Cloud Changing Role of IT: What are the issues?
IT's evolving role could be to:
- Set strategic priorities of technology for the organization
- Maintain a unified and efficient technology ecosystem
- Focus on developing new competitive advantages
- Provide advice and guidance on how to securely and efficiently leverage the cloud
- Innovators and consultants instead of doers and managers

Cloud Changing Role of IT: How can you audit/provide value?
- Validate IT strategy alignment to organization mission and goals
- Help IT define strategic roadmaps and plans to ensure risks are addressed
- Partner with IT to audit/review vendors; help create a vendor management program

SIDEBAR ON SERVICE ORGANIZATION CONTROLS (SOC) REPORTING

SOC Reports

Purpose
  SOC 1: Reports on the controls of the service organization that are relevant to the user organization's financial reporting
  SOC 2: Reports on the effectiveness of the controls of the service organization related to compliance or operations, including trust services principles and criteria*
  SOC 3: Same purpose as SOC 2

Information required
  SOC 1: Details on the system, controls, and tests performed by the service auditor, and results of those tests
  SOC 2: Details on the system, controls, and tests performed by the service auditor, and results of those tests
  SOC 3: Same information as SOC 2, but with a less detailed description of the controls of the service organization

Audience
  SOC 1: User organization's controllers, compliance officers, CFO, CIO, and financial statement auditors
  SOC 2: User organization's controllers, compliance officers, CFO, CIO, vendor management executives, regulators, other specified parties, and appropriate business partners
  SOC 3: Unrestricted; can be viewed by anyone who would like confidence in the controls of the service organization

*Trust services principles and criteria are security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria relate to the controls of the system; the confidentiality and privacy criteria relate to the information processed by the system.

MORE IT TOPICS: LIGHTNING ROUND

More IT Topics Hacktivism FISMA Social Media Mobile Devices

Hacktivism: What is it?
Hacking + Activism: "The use of computers and computer networks as a means of protest to promote political ends" (Wikipedia).

Hacktivism: What are the issues?
Universities are both targets of hacktivism AND ideal incubators for those wishing to participate in these movements.

Hacktivism: How can you audit/provide value?
- Ensure traditional information security controls are maintained and kept up to date with emergent threats
- Ensure there is an incident response team trained and prepared to engage with law enforcement officials in the event of student, faculty, or staff involvement in criminal hacktivism

FISMA: What is it?
The Federal Information Security Management Act of 2002. Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA: What are the issues?
Must comply with FISMA if you:
- Receive grants or contracts from federal agencies
- Collect, store, process, transmit, or use information on behalf of government agencies
Compliance requires:
- Information security program
- Integration of security into processes
- Annual reporting of compliance
- Training

FISMA: How can you audit/provide value?
- Determine if you need to comply (check contracts, talk to researchers, talk to the agency IG)
- Perform a risk assessment
- Categorize government information and systems in use
- Perform a gap analysis between requirements and the current state of your organization
- Test design and effectiveness of controls
- Report on compliance

Social Media: What is it?
In a single day in 2012:
- 172 million people visit Facebook
- 40 million visit Twitter
- 22 million visit LinkedIn
- 20 million visit Google+
- 17 million visit Pinterest

Social Media: What are the issues?
- Control your brand
- Leverage social media to attract, retain, and empower community members:
  - Students
  - Faculty/Staff
  - Alumni/Donors
  - Applicants
- Public relations via direct customer interaction and engagement

Social Media: How can you audit/provide value?
Review or audit:
- Strategy/Governance
- Policies/Roles
- Metrics and Monitoring
- Compliance and Regulatory Issues
Stay current with trends in social media. Google your organization on a periodic basis.

Mobile Devices: What is it?
- eMarketer estimates 115.8 million smartphone users in the US by the end of 2012
- Gartner estimates 118.9 million worldwide media tablet sales in 2012

Mobile Devices: What are the issues?
- People
- Devices
- Applications
- Data
Portability: biggest risk and biggest benefit

Mobile Devices: How can you audit/provide value?
- Bring Your Own Device (BYOD) is becoming standard
- Help develop a comprehensive mobile device policy including:
  - Full device lifecycle support program
  - Data protections based on data classifications
  - Desktop virtualization
  - User awareness of their personal risks and responsibilities

Mobile Devices: Mobile Device Information Security Framework, 2012 Baker Tilly Beers & Cutler PLLC

Questions? Or your rambling thoughts and opinions, followed by the phrase, "What do you think about that?"

Contact Info
- Mike Cullen, mike.cullen@bakertilly.com, 703-923-8339
- Jarrett Blankenship, jarrett.blankenship@bakertilly.com, 703-923-8350
www.bakertilly.com

Resources
- Cloud Security Alliance
- ISO 27000 Standard
- European Union Safe Harbor (Dept. of Commerce)
- SSAE 16 (AICPA)
- Shared Assessments
- SysTrust
- TRUSTe
- NIST
- EDUCAUSE
- Internet2 Net+