2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP



Similar documents
About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

HIPAA Compliance and Reporting Requirements

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Internet threats: steps to security for your small business

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

NATIONAL CYBER SECURITY AWARENESS MONTH

SECURITY CONSIDERATIONS FOR LAW FIRMS

Remote Deposit Quick Start Guide

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

An Introduction on How to Better Protect Your Computer and Sensitive Data

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Computer Security at Columbia College. Barak Zahavy April 2010

Hot Topics in IT Security PREP#28 May 1, David Woska, Ph.D. OCIO Security

National Cyber Security Month 2015: Daily Security Awareness Tips

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Protecting your business from fraud

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

PREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO

Defending Against Data Beaches: Internal Controls for Cybersecurity

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

INFORMATION SECURITY FOR YOUR AGENCY

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover

Patrick Gray Principal Security Strategist DATA SECURITY CHALLENGES IN THE ALL TOO PUBLIC AND NOT SO PRIVATE SECTORS

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

What keep the CIO up at Night Managing Security Nightmares

University System of Maryland University of Maryland, College Park Division of Information Technology

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Cyber Security. John Leek Chief Strategist

Don t Fall Victim to Cybercrime:

BE SAFE ONLINE: Lesson Plan

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Protecting Yourself Against Identity Theft. Identity theft is a serious. What is Identity Theft?

Network Security & Privacy Landscape

10 Smart Ideas for. Keeping Data Safe. From Hackers

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Cybersecurity Workshop

Identity Theft. CHRISTOS TOPAKAS Head of Group IT Security and Control Office

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

PACB One-Day Cybersecurity Workshop

Corporate Account Takeover & Information Security Awareness

Is your data secure?

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

How To Protect Yourself From Cyber Threats

How-To Guide: Cyber Security. Content Provided by

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

IIABSC Spring Conference

Cybersecurity and internal audit. August 15, 2014

Data Management Policies. Sage ERP Online

The silver lining: Getting value and mitigating risk in cloud computing

Cyber Risks and Insurance Solutions Malaysia, November 2013

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

WELCOME TO SECURE

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

The Key to Secure Online Financial Transactions

Cybersecurity Issues for Community Banks

A Case for Managed Security

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Into the cybersecurity breach

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

PREP Course # 20: HIPAA Security Presented by: Joe Baskin, Manager, Information Security

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

Vendor Management Best Practices

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

AUDIT TAX SYSTEMS ADVISORY

Learn to protect yourself from Identity Theft. First National Bank can help.

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Cybersecurity: Protecting Your Business. March 11, 2015

Common Cyber Threats. Common cyber threats include:

Hands on, field experiences with BYOD. BYOD Seminar

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

Vulnerability Assessment & Compliance

PENETRATION TESTING GUIDE. 1

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA

Security Issues in Cloud Computing

What is Management Responsible For?

Mitigating and managing cyber risk: ten issues to consider

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

LIGC-ACC Presentation November 9, 2015

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Secure Your Mobile Workplace

Questions You Should be Asking NOW to Protect Your Business!

How To Audit The Minnesota Department Of Agriculture Network Security Controls Audit

Transcription:

2010 AICPA Top Technology Initiatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter Partner-in-Charge, Habif, Arogeti,& Wynne LLP ( HA&W ) IT Audit & Assurance Services SAS 70,SSAE 16, Security and Privacy Trust Services, IT Governance, and other compliance services. 20 years of IT advisory and audit experience - focused mainly on financial services, mfg/distribution, and technology service providers. Chairperson of AICPA s Information Technology Executive Committee (ITEC) Dan Schroeder, Leading author of IT Considerations for Risk Based Auditing whitepaper Lead development of AICPA IT Audit School. CPA/ CITP, CISA, CISM, CIA 2 Agenda Top Technology Initiatives Background and Results Results drivers: the Story behind the Story. Take-Aways

2010 Survey Approach Survey options: designed by IT Executive Committee with intent to represent the CPA s unique perspective regarding those initiatives they believe will impact financial management and the fulfillment of other fiduciary responsibilities such as safeguarding of business assets, oversight of business performance, and compliance with regulatory requirements. Survey context: [ what are the top technology considerations] that you, your senior management team, or your client may be encountering during the next 12 to 18 months. (example, the audit committee, CEOs, CFOs, CIOs, etc.) 20 th year of the survey! Managed by the IT Section 4 Survey results 5 2010 Top 10 Technology Topics Relevancy to CFOs, Audit Committees, Audit Partners. 1.Securing data and IT against hacking, viruses, etc. 2.Security precautions for potential data breaches. 3.Internal controls and IT governance effectiveness. 4.Reporting and analytical functions effectiveness (business intelligence, dashboards, etc.) 5.Privacy policies and procedures.

2010 Top 10 Technology Topics Relevancy to CFOs, Audit Committees, Audit Partners. 6. IT risk considerations for planning audit and attest engagements. 7. Aligning audit procedures to IT risk assessments. 8. Adequacy of core accounting and reporting technology. 9. Cloud / SaaS security considerations. 10.Cloud / SaaS reliability considerations. 2010 Top Technology Topics Primary Topics Security Data Management Privacy Cloud computing security, integrity & reliability Business Intelligence Risk based approach to: Management of IT systems IT Auditing and Assurance 8 The Changing Risk Landscape AICPA 2010 Top Technology Topics 9

Key Risk Concerns: 2010 Security Data Management Privacy Cloud Computing 10 11 Data proliferation is key driver of security and privacy risks Do you really know what data your company has, where it is, how it is protected?

Legal Regulations Gramm-Leach-Bliley Act Health Insurance Portability and For Financial, Health Accountability Act and other Personal Red Flag Rule Information that HITECH can be used for identify theft, Children s Online Privacy Protection electronic data Act carries greater risk Drivers License Information Protection of liability than State information security breach notification requirements paper Massachusetts Information Security Protection Act 13 Legal Regulations Generally, the notification obligations under HITECH and State laws requires: any business that owns, licenses or maintains computerized data to disclose any breach of the security of its systems following discovery or notification of the breach in the security of the data if unencrypted personal information of a state resident was, or is reasonably believed to have been, acquired by an unauthorized person Notice required to be delivered to each affected resident 14 Data increasingly source of regulatory and reputation risk Personal information Individual s first name or initial and last name, in combination with one or more additional data elements such as: Personal health information, social security number, driver s license number, state identification card number, or an account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual s financial account 330 million records containing personal identity-related information have been involved in data breaches since 2005 15

Security Threats: from cyber vandalism to cyber crime Identity-related personal data is the primary target for cyber thieves. Proliferation and power of malware and advanced persistent threats ( APT ). Weak web sites likely infected with malware. Security experts predicts criminals to take cyber extortion tactics to the U.S. Security Threats: from cyber vandalism to cyber thieves Phishing the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into giving private information that will be used for theft. Social networks increasingly targeted by phishing Pharming a hacker s attack aiming to redirect a website s traffic to another bogus website. Pharming can be conducted either by changing the hosts file on a victim s computer or by exploitation of a vulnerability in software. 17 Phishing, Malware and ACH Fraud Online fraud 2009 est. $559M, double 2008 Spearphishing: targeted email; e.g., to controller, or other executive, requesting they click on link for some apparently official purpose. Link installs Trojan malware, usually for keystroke logging, often to identify banking credentials. Banking Trojan malware: Readily for sale on Internet. Estimated to be in 88% of Fortune 500 18

19 http://www.networkworld.com/news/2010/03 1110-zeus-botnet.html Cloud Computing expanding risk landscape SaaS single application, multi-tenant architecture; e.g., Salesforce.com, Google apps Utility Computing storage and virtual servers. Web Services e.g., Google Maps, ADP payroll, USPS, etc. PaaS development environments as a service; e.g., Intuit Partner Platform MSP Managed Service Provider application exposed to hosted IT functionality, rather than to users; e.g., SecureWorks, and Postini. Service Commerce Platforms e.g., expense management systems, purchasing, e.g., Reardon Commerce, ARIBA,. AICPA 2010 Top Technology Topics LEVERAGING NEW(ER) TECHNOLOGIES 21

Leveraging technology Cloud computing Business Intelligence (Enterprise Performance Management) Systems upgrade / replacement 22 RISK MANAGEMENT 23 Question of Trust / Reliance Key Theme in Survey 6. IT risk considerations for planning audit and attest engagements. 7. Aligning audit procedures to IT risk assessments. 9. Cloud / SaaS security considerations 10. Cloud / SaaS reliability considerations

HOW DOES AN AUDITOR (OR A USER) OF A SYSTEM KNOW IT IS TRUSTWORTHY? IS THERE A ONE-SIZED FITS ALL APPROACH? IT Creates Many Types of Risks Financial risks for Auditors ICFR Security Risks Confidentiality Availability Processing Integrity Privacy Compliance and Operational Risks Risk-Based Approach to Assurance & Audit Whether provider or user of IT services: Understand role of IT Understand Inherent Risks Understand if mitigating controls are adequate Improve controls as needed Audit / assurance reporting (if needed) 27

Service Provider Risk Management: (Cloud / SaaS) No one-size fits all approach SAS 70 being replaced by SSAE 16 AICPA Assessment and Attestation Reporting Options for different types of service provider risk Type of Risk Attestation Controls Guidance Financial (ICFR) SSAE 16 Security Confidentiality Availability Processing Integrity Privacy Generally Accepted Privacy Principles ( GAPP ) AICPA Trust Services Principles & Criteria 29 AICPA 2010 Top Technology Topics TOP TAKE-AWAYS FOR TRUSTED BUSINESS ADVISORS 30

Data Management: new management discipline needed Know what data your business collects, where it resides, who accesses it, how it is shared, purged, etc. Understand applicable regulations. Limit collection and storage of identity related data to that which is absolutely essential. Assess data management risk and develop commensurate risk management program involving policies, procedures, system controls, and insurance. Policies and procedures pertain to Classification, Access and security, Retention, and Disclosure 31 Security considerations Always run strong antivirus software that includes browsing protection that can automatically detect suspicious sites and malicious code. When accessing sensitive websites (e.g., banking), look for site keys or other advanced forms of authentication (e.g., biometrics) to reduce phishing risk. Restrict use of administrative rights on end user devices if not possible, monitor for presence of unauthorized functions. Extend security to handheld devices and smartphones: passcodes and screen locks after idle time, and capability to remotely wipe the device. Stay current on patches and updates. Additional Controls to Prevent Banking Fraud Talk to your bank and understand the security controls that are available with your online banking system. Use a separate computer for online banking that is segmented from rest of the network. The computer should have internet access only to the banking website and nothing else.

The Human Firewall A good human firewall employee is one who filters good security practices and rejects any others much like a network firewall only allows authorized traffic and rejects any other The only way to build a good human firewall is to raise people s awareness; to teach them good habits, to make them recognize bad practices and change them into good practices Your cyber security is only as good as the people who manage it and those who use it Source: Patrick Gray, CISCO, Atlanta, GA 2010 Secureworld Conference Education is key Few executives grasp the case for investing in safeguards against hackers, worms, and the like. Education starts at the top and works its way down the food chain throughout the entire business. Employees must understand that it is not their computer. Source: Patrick Gray, CICSO, Atlanta, GA 2010 Secureworld Conference Recap: 2010 Top 10 Technology Topics Relevancy to CFOs, Audit Committees, Audit Partners. 1. Securing data and IT against hacking, viruses, etc. 2. Security precautions for potential data breaches. 3. Internal controls and IT governance effectiveness. 4. Reporting and analytical functions effectiveness (business intelligence, dashboards, etc.) 5. Privacy policies and procedures. 6. IT risk considerations for planning audit and attest engagements. 7. Aligning audit procedures to IT risk assessments. 8. Adequacy of core accounting and reporting technology. 9. Cloud / SaaS security considerations. 10. Cloud / SaaS reliability considerations.

Contact Info. Dan Schroeder dan.schroeder@hawcpa.com 770-353-8379 AICPA IT Section Member Benefits Discounts on Educational programs, such as AICPA TECH Conference and IT Audit School program Discounts on valuable software and tools, including IDEA products and training sessions with Audimation Services Free monthly web seminars on topics critical to CPAs (plus an opportunity for CPE discounts!) Valuable technology content, including discussion papers, studies & practice aids Communications, including electronic newsletters, podcasts, featured articles, profiles and news about the profession and the IT Community Networking groups and IT Community events at TECH+ conference AICPA CITP Credential holder benefits IT Section membership, plus: Differentiation from CPAs and other technology and financial management professionals Customizable marketing materials, including targeted brochures that highlight your ability to leverage technology for real business results CITP Networking Groups Additional discounts, including $125 discount on conference registration to TECH+! To find out more about the IT Section membership or the Certified Information Technology Professional (CITP) Credential, please go to http://infotech.aicpa.org for more details.

More Information Additional Top Technology Initiatives information is available on the IT Center Website: www.aicpa.org/toptech For further information, e-mail ITinfo@aicpa.org or call 888-777-7077, option 4 from 9:00am-6:00pm ET. Subscribe to the Top Technology Initiatives Podcast! Visit http://toptechinitiatives.podomatic.com/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information