Creating Value through Innovative IT Auditing


Redefine Cybersecurity, Explore Innovative Strategies and Develop Trust
Creating Value through Innovative IT Auditing
Ronnie Koh, Head of IT Audit, DBS Bank

How do we create value?
1. By increasing both breadth and depth of our audit coverage for digital banking and cyber security
2. By embarking on automation and predictive IT auditing
3. By investing in our people: creating a value-driven talent pool

Why do we need to innovate?
- New technology
- Cyber threats
- Insider threats
- New competitors
- Growing expectations: competent risk managers, expectations from the Board of Directors, regulatory changes
We have to adapt to a changing environment and its uncertainties.

Why do we need to innovate? SHIFT LEFT
[Chart: audit effort plotted from Past through Present to Future. Traditional auditing is reactive, with effort spent on the past; continuous auditing works on the present; predictive auditing is proactive and looks to the future. The aim is to increase focus on proactive and preventive risk identification.]

How did we transform? The 4Ps: Productive, Proactive, Predictive, Preventive
- Continuous assessment (automated checks)
- Special review (project life cycle) of the VA/PT process
- Data modelling for predictive analysis (e.g. identifying insider threats)
- Cyber intelligence
- Early IT incident intervention
- Independent security assessment
- Source code review

Where were we and where are we now?
Before 2013: pockets of cyber security review (mainly security surveillance)
Between 2013 & 2014:
1. Perform preliminary gap assessment referencing the SANS Top 20 Controls
2. Create IT Audit training roadmap
Between 2014 & 2015:
1. Commence itransformation
2. Kick-start staff training
3. Set up cyber security test lab
4. Establish cyber security audit framework
5. Roll out cyber security audit projects
6. Create cyber security awareness in Group Audit
Between 2015 & 2016:
1. itransformation continuation
2. Continuous staff training
3. Enhance cyber security test lab
4. More in-depth cyber security audit projects
5. Introduce static & dynamic scanning tools
2016 onwards:
1. Insider threat analysis
2. Cyber wargaming
3. Cyber security intelligence
4. Extend cyber security lab to regional countries

What is our secret formula? FRAMEWORK, PEOPLE and TOOLS, applied for both DEPTH and BREADTH.

FRAMEWORK

Breadth & Depth: Our Framework
Existing cyber security coverage:
- Policies & procedures
- Contract agreements
- Security awareness
- Cyber security framework
- Security controls and surveillance
- VA/PT vulnerabilities review
- High-level dynamic assessment for web / mobile apps
New cyber security coverage:
- Key management (SSL/HSM)
- Dynamic & static security assessment for web / mobile apps
- Network vulnerability assessment
- Secure SDLC review
- Social engineering
- In-depth security source code assessment
- Cyber security focus on subsidiaries

PEOPLE

Breadth & Depth: Equipping Our People (Group Audit itransformation)
Business Auditor:
1. Business governance
2. Business process and operation
3. Testing manual and automated controls
IT Auditor (Application):
1. IT governance
2. In-depth review of automated controls, i.e. design and implementation
3. IT general controls (e.g. application resiliency, capacity management)
4. System security
Result: a more efficient and business-focused audit, reviewing business risk and processes end-to-end and covering both manual and automated controls.

Breadth & Depth: Equipping Our People (Group Audit itransformation), the NextGen IT Auditor
Integrated Auditor skill set:
- System management & cyber security (e.g. cryptography, source code review, penetration testing and vulnerability assessment)
- Input controls: pre-processing (e.g. input validation)
- Processing controls (e.g. business logic)
- Output controls: books, records & reports (e.g. output storage & retention)
- Application security (e.g. audit trails)
- System set-up controls (e.g. parameter setup)
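The deck names "continuous assessment (automated checks)" as one of the 4Ps and, on this slide, the control areas an integrated auditor tests. The script below is an added illustration of what such an automated check looks like in practice; it is not DBS's own tooling. It runs four checks (input validation, a dual-control business rule, audit-trail completeness and set-up parameters against a baseline) over a constructed sample extract, and the thresholds, parameter names and record layout are hypothetical. Pointing the same functions at a daily extract instead of the inline sample is what turns a point-in-time test into a continuous one.

```python
"""Automated control checks over an application extract (added example)."""
import re
from dataclasses import dataclass

# Constructed sample extract (not real bank data): one row per transaction.
TRANSACTIONS = [
    {"id": "T1", "initiator": "alice", "approver": "bob",   "account": "ACC-000123", "amount": "2500.00",   "ts": "2015-07-01T10:12:00"},
    {"id": "T2", "initiator": "carol", "approver": "carol", "account": "ACC-000456", "amount": "150000.00", "ts": "2015-07-01T23:45:00"},
    {"id": "T3", "initiator": "dave",  "approver": "erin",  "account": "ACC-99",     "amount": "12,000",    "ts": "2015-07-02T09:01:00"},
    {"id": "T4", "initiator": "alice", "approver": "bob",   "account": "ACC-000789", "amount": "800.00",    "ts": "2015-07-02T11:30:00"},
]
AUDIT_TRAIL = {"T1", "T2", "T4"}   # transaction ids with an audit-trail entry; T3 has none
PARAMETERS = {"session_timeout_min": 30, "password_min_length": 8, "max_login_failures": 5}

# Hypothetical thresholds and baseline an auditor would agree with the business.
DUAL_CONTROL_THRESHOLD = 10_000.0
PARAM_EXPECTATIONS = {
    "session_timeout_min": lambda v: v <= 15,
    "password_min_length": lambda v: v >= 12,
    "max_login_failures": lambda v: v <= 5,
}
ACCOUNT_RE = re.compile(r"^ACC-\d{6}$")


@dataclass
class Finding:
    control: str   # input / processing / audit_trail / setup
    ref: str       # transaction id or parameter name
    detail: str


def check_input_controls(txns):
    """Input validation: well-formed account ids and parseable, positive amounts."""
    findings = []
    for t in txns:
        if not ACCOUNT_RE.match(t["account"]):
            findings.append(Finding("input", t["id"], f"malformed account {t['account']!r}"))
        try:
            if float(t["amount"]) <= 0:
                raise ValueError
        except ValueError:
            findings.append(Finding("input", t["id"], f"unparseable or non-positive amount {t['amount']!r}"))
    return findings


def check_processing_controls(txns, threshold=DUAL_CONTROL_THRESHOLD):
    """Business logic: transactions at or above the threshold need a distinct approver."""
    findings = []
    for t in txns:
        try:
            amount = float(t["amount"])
        except ValueError:
            continue   # already reported by the input check
        if amount >= threshold and t["initiator"] == t["approver"]:
            findings.append(Finding("processing", t["id"], f"self-approved {amount:.2f} by {t['initiator']}"))
    return findings


def check_audit_trail(txns, trail):
    """Application security: every transaction must leave an audit-trail entry."""
    return [Finding("audit_trail", t["id"], "no audit trail entry") for t in txns if t["id"] not in trail]


def check_setup_parameters(params, expectations=PARAM_EXPECTATIONS):
    """System set-up: each parameter must be present and within the agreed baseline."""
    return [Finding("setup", name, f"value {params.get(name)!r} outside baseline")
            for name, ok in expectations.items() if name not in params or not ok(params[name])]


def run_continuous_assessment(txns=TRANSACTIONS, trail=AUDIT_TRAIL, params=PARAMETERS):
    """Run all four checks and return the combined list of findings."""
    return (check_input_controls(txns) + check_processing_controls(txns)
            + check_audit_trail(txns, trail) + check_setup_parameters(params))


def summarise(findings):
    """Count findings per control area, e.g. {'input': 2, 'processing': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_continuous_assessment():
        print(f"[{f.control}] {f.ref}: {f.detail}")
```

On the sample, T3 fails both input checks, T2 is a self-approved high-value transaction, T3 has no audit trail and two set-up parameters sit outside the baseline. Each finding carries the control area it belongs to, so the same output feeds both the audit working papers and a trend line across runs.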

Breadth & Depth: Equipping Our People, External / Internal Training
Enhance cyber security review capability in GA IT Audit through targeted training referencing the IT Audit Training Roadmap:
1. Cyber security test lab development
2. Secure source code scanning

Breadth & Depth: Equipping Our People, Future Initiatives
(Roadmap items: 1. Cyber security test lab development; 2. Secure source code scanning)
1. OJT hands-on security assessment (VAPT)
2. Digital banking coverage training
3. Extension of cyber lab to regional countries
4. Source code review training
5. Analytical-based auditing approach
6. Incorporate cyber intelligence for predictive capability

TOOLS

Breadth & Depth: Investing in Tools
Cyber security test lab (training / practice):
- SANS security training (or equivalent; learning how to use the tools)
- Code scanning tool training
- On-the-job (OJT) training in using these tools in cyber security reviews
Cyber security tools (roadmap items 1. cyber security test lab development; 2. secure source code scanning):
- HP WebInspect
- Security testing tools
- Operating environment
Used in: Security Operations VA/PT process; independent assessment

Creating Cyber Security Awareness
Top three topics: #1 App/Software Vulnerabilities, #2 Mobile Hacking, #3 Data Breach
Categories tracked: App/Software Vulnerabilities, Web Vulnerabilities, Malware, Data Breach, Credit Card Hacking, Mobile Hacking, Phishing Attack
Items covered on the monthly timeline, May to August 2015:
- Skype Crash Vulnerability
- Mac OS Zero-Day Vulnerability
- Windows Update Malware
- Apple Pay Hacking
- WhatsApp Account Hijack
- iPhone Password Hacking
- Samsung Mobile Software Vulnerability
- SingPass Phishing Emails
- Magento Hacking
- Java Zero-Day Vulnerability
- UEFI BIOS Rootkit Hacking
- US Census Bureau Hacking
- United Airlines Hacking
- Certifi-gate Android Vulnerability
- Android Endless Reboot Bug
- Credit Card Skimming
- OpenSSL Vulnerability
- IE Browser Zero-Day Vulnerability
- Mumblehard Linux Malware
- Vehicle Hacking
- Elise Malware
- Venom Vulnerability
- Apple Safari Browser Vulnerability
- OpenSSH Brute Force
- Logjam TLS Attack
- iOS Messaging Vulnerability
- ATM Skimming
- Rombertik Malware

Creating Cyber Security Awareness: Group Audit values promoting cyber security awareness on a periodic basis.

Creating Value through Innovation
Watch video: https://www.youtube.com/watch?v=tzm4nlpkbzy&feature=youtu.be

THE FUTURE OF AUDITING IS AUDITING THE FUTURE

Questions?