Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Similar documents

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Managing cyber risks with insurance

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

Hans Henrik Berthing, CPA, CISA, CGEIT, CRISC, CIA

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Developing National Frameworks & Engaging the Private Sector

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014

Program Overview and 2015 Outlook

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

Cyber Security. John Leek Chief Strategist

FFIEC Cybersecurity Assessment Tool

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

KEY TRENDS AND DRIVERS OF SECURITY

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Malware isn t The only Threat on Your Endpoints

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Assessing the Effectiveness of a Cybersecurity Program

PACB One-Day Cybersecurity Workshop

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

A HELPING HAND TO PROTECT YOUR REPUTATION

CGI Cyber Risk Advisory and Management Services for Insurers

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Over 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit.

RETHINKING CYBER SECURITY Changing the Business Conversation

ICBA Summary of FFIEC Cybersecurity Assessment Tool

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

F G F O A A N N U A L C O N F E R E N C E

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

Professional Services Overview

Chairman Johnson, Ranking Member Carper, and Members of the committee:

External Supplier Control Requirements

Seminar on Unfair Competition Enforcement in the United States and Supply Chain Cybersecurity Issues. Palace Hotel Saigon, HCMC, November 19 th 2014

Middle Class Economics: Cybersecurity Updated August 7, 2015

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Cybersecurity. Threats to Nonprofits. Chris Debo Senior Manager, IT Audit. August 14, 2014

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Cybersecurity and the Threat to Your Company

Cyber Risk, Legal And Regulatory Issues, And Insurance Mitigation ISACA Pittsburgh Information Security Awareness Day

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012

State of Security Survey GLOBAL FINDINGS

SECURITY RISK MANAGEMENT

Protecting against cyber threats and security breaches

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

PROPOSED INTERPRETIVE NOTICE

Attachment A. Identification of Risks/Cybersecurity Governance

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

Logging In: Auditing Cybersecurity in an Unsecure World

Defending the Database Techniques and best practices

Ed McMurray, CISA, CISSP, CTGA CoNetrix

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

OCIE CYBERSECURITY INITIATIVE

Answering your cybersecurity questions The need for continued action

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

Information Security and Risk Management

Click to edit Master title style

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

How To Protect Yourself From A Hacker Attack

Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?

Adopting a Cybersecurity Framework for Governance and Risk Management

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

How GCs And Boards Can Brace For The Cybersecurity Storm - Law360

CYBER-LIABILITY COVERAGE: The $ 45 Million Dollar Exposure

Defending Against Data Beaches: Internal Controls for Cybersecurity

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Meeting the Information Security Management Challenge in the Cyber-Age

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Mitigating and managing cyber risk: ten issues to consider

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL

Trends in Information Technology (IT) Auditing

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Cybersecurity Issues for Community Banks

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Supplier Vigilance: A Critical Layer of Defense

Cybersecurity: What CFO s Need to Know

New Devices Mean New Risks: The Potential for Liability When Software is a Component of Medical Devices. September 25, 2013

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

Cybersecurity The role of Internal Audit

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Data Breach Response Planning: Laying the Right Foundation

CYBERSECURITY SLAs: MANANGING REQUIREMENTS AT ARM S LENGTH

Transcription:

Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015

Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2

Key Risks 3

4

Key Risks Board and Management: CIO, CAE, organizational leaders agree: Cyberthreats not only and IT problem, but fully fledged business risk Top 10 risk Separate from business interruption; loss of reputation and brand value; theft fraud and corruption 5

Key Risks Nature of attack: Denial of service attacks (DoS) Data security breaches Focus of attack: Credit card data (e.g. retail) Exploration data (e.g. oil and gas) Intellectual property (e.g. technology, strategic information) 6

Key Risks Internal Trusted employees Business partners External Stolen credentials Remote access systems 7

Key Risks Threats Rapidly evolving Increasingly sophisticated Methods continue to improve 8

Key Risks Cost of data breaches Fixing the problem Legal costs Fines Class Action Lawsuits 9

Incorporating Internal Audit 10

Incorporating Internal Audit Persistent threat Exposures Security posture Audit procedures Assisting management Resource application 11

Incorporating Internal Audit Be engaged at the strategic level: Understand board s approach to security Better understand the value of businesscritical data Working with systems administrators Being involved with new IT implementations 12

Incorporating Internal Audit Focus on: Specific types of attacks they face Weaknesses inherent in business practices, culture, IT systems Educating the Board Business risk Risk to data Critical assets Nature of network traffic Prevention, Detection and Response 13

Incorporating Internal Audit Key Elements: Leadership and governance Technical and operational controls Training and awareness Information risk management Response planning Crisis management 14

Incorporating Internal Audit Auditing defense mechanisms: Secure firewalls Up-to-date antivirus software Open communication to ISPs Effective network monitoring Rapid response plans 15

Incorporating Internal Audit Auditing defense mechanisms: Password management Data categorization, segregation, access storage, and retention process Suppliers cybersecurity practices; service agreements Cloud services Data security controls Corporate insurance coverage 16

Incorporating Internal Audit IT Audit Resources: Perform business and IT impact analysis and risk assessment Cyberrisk assessment External input on threats facing industry Current attack methods People, process and technology controls Incident response program Help optimize controls to prevent or detect cyber issues Ongoing monitoring of changing cyberrisk 17

Incorporating Internal Audit Internal Audit Resources: Drive discussion around risk and mitigation strategy Independently assess and prioritize cyberrisks against other critical enterprise risks Assess effectiveness of preparation Identify and monitor issues and risk related to emerging technology deployments 18

Incorporating Internal Audit Supporting the Audit Committee: Five Principles: 1. Understand and approach to cybersecurity 2. Legal implications 3. Access to expertise 4. Staffing and budget 5. Risk avoidance 19

Resources 20

Resources U.S. National Institue of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Consistent and effective evaluation of current security: Processes Procedures Technologies Links to other security standards and approaches 21

Source: NIST Framework for Improving Critical Infrastructure Cybersecurity http://www.nist.gov/cyberframework/# 22

Source: NIST Framework for Improving Critical Infrastructure Cybersecurity http://www.nist.gov/cyberframework/# 23

Resources Cybercrime Audit/Assurance Program Aligned with the NIST National Initiative for Cybersecurity Education http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cybercrime-audit-assurance-program.aspx 24

25

Source: ISACA IT Assurance Framework TM (ITAF TM ) 26

DS5.5 Security Testing, Surveillance and Monitoring 5 4 3 DS8.4 Incident Closure 2 1 DS5.6 Security Incident Definition 0 Assessment Target DS8.3 Incident Escalation DS8.2 Registration of Customer Queries Source: ISACA IT Assurance Framework TM (ITAF TM ) 27

Resources Cybersecurity Fundamentals Certificate Knowledge-based certificate offered by ISACA Implementing NIST Cybersecurity Framework Using COBIT 5 Focused on the CSF, goals, implementation steps and application 28

29

Internal Audit Focus Evaluating security risk and threats Data at risk Secure infrastructure Monitoring capability Rapid identification, response, containment and recovery 30

Sabrina Serafin sabrina.serafin@frazierdeeter.com Questions?