Posted on 12-Dec-2018

223 views

Category:

Documents


5 download

TRANSCRIPT

Page 1: Assurance over Cybersecurity using COBIT 5 - isaca.org.hk HKG Assurance over Cybersecurity.pdf · •The COBIT 5 framework can be applied to any process, including Cybersecurity,

Assurance over Cybersecurity using COBIT 5

Special thanks to ISACA for supplying material for this presentation.

Anthony Noble, VP IT Audit, Viacom Inc.

[email protected]


Disclaimer

The opinions and views expressed in this session are those of the presenter alone and do not reflect the official policies or positions of ISACA or Viacom.


Why Cybersecurity Matters to Internal Audit

Security has become a board and executive level issue. In fact, 82 percent of respondents to the “ISACA 2016 State of Cybersecurity” survey report that their enterprise board of directors is “concerned” or “very concerned” about cybersecurity.


Why Cybersecurity Matters to Internal Audit

In September 2015, the Securities and Exchange Commission (SEC) fined R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, $75,000 for failing to establish the required cybersecurity policies and procedures in advance of a breach that occurred in July 2013. Now we have to make sure our enterprise’s cybersecurity program is defensible in court.


IT Audit Needs to Respond

Half of the latest IIA “Pulse of Internal Audit” survey respondents (52 percent) believe lack of cybersecurity expertise among internal audit staff very much or extremely affects internal audit’s ability to address cybersecurity risk.

The Protiviti “2016 Internal Audit Capabilities and Needs” survey finds that three out of four internal audit departments are including cybersecurity risk in their audit plans, and that the board must be engaged on the issue.


Protiviti Recommends that CAEs (Chief Audit Executives):

• Ensure cybersecurity risk is integrated formally into the audit plan.

• Evaluate the organization’s cybersecurity program against the National Institute of Standards and Technology Cybersecurity Framework.

• Work with management and the board of directors to develop a cybersecurity strategy and policy.

• Identify and act on opportunities to improve the organization’s ability to identify, assess, and mitigate cybersecurity risk to an acceptable level.

• Recognize that cybersecurity risk is not only external; assess and mitigate potential threats that could result from the actions of an employee or business partner.

Protiviti “2016 Internal Audit Capabilities and Needs”


Defining the Assurance Role


Cybersecurity Frameworks – Take Your Pick!

• The COBIT 5 framework can be applied to any process, including cybersecurity, and a separate book, “COBIT 5 for Information Security”, has been published.

• ISO 27001:2013 Information Security Management is an international standard for implementing an information security management system, and enterprises can be certified against it.

• The NIST Cybersecurity Framework is a voluntary, free US approach for implementing cybersecurity.


NIST Cybersecurity Framework


NIST Framework – Tier 3 – Repeatable

• Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated.

• Integrated Risk Management Program – There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed.

• External Participation – The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.


COBIT 5 - Enablers


COBIT 5 Processes


Recommended IA Action Areas

Where should IA start with cybersecurity if no IT risk register or assessment exists? There are a lot of areas once you expand the NIST Framework out, so it is easy to get lost in the details. The Center for Internet Security publishes a list of Critical Controls (if an enterprise were not connected to the Internet we would have much less to worry about), so let’s start there. Knowing what you need to protect (the Identify process) generally comes first.


Center for Internet Security 2016 Top 20 Critical Controls

http://www.cisecurity.org/critical-controls.cfm


Where to Start – Top Five

• Do we know what is connected to our systems and networks? (CSC 1)

• Do we know what software is running (or trying to run) on our systems and networks? (CSC 2)

• Are we continuously managing our systems using “known good” configurations? (CSC 3)

• Are we continuously looking for and managing “known bad” software? (CSC 4)

• Do we limit and track the people who have the administrative privileges to change, bypass, or override our security settings? (CSC 5)


SANS Critical Security Controls Poster – Maps Controls to Various Frameworks

COBIT 5 areas:

• CSC 1 – APO13 (Manage Security) – DSS05 (Manage Security Services) – BAI09 (Manage Assets)

• CSC 2 – APO13 – DSS05

• CSC 3 – APO13 – DSS05 – BAI10 (Manage Configuration)

• CSC 4 – APO13 – DSS05

• CSC 5 – APO13 – DSS05

NIST Areas

• CSC 1 – ID.AM-1, ID.AM-3, PR.DS-3

• CSC 2 – ID.AM-2, ID.AM-6

• CSC 3 – PR.IP-1

• CSC 4 – ID.RA-1, ID.RA-2, PR.IP-12, DE.CM-8, RS.MI-3

• CSC 5 – PR.AC-4, PR.AT-2, PR.MA-2, PR.PT-3


Example Using CSC 1 – Asset Inventory

• ID.AM-1: Physical devices and systems within the organization are inventoried

– COBIT 5 BAI09.01, BAI09.02

• ID.AM-3: Organizational communication and data flows are mapped

– COBIT 5 DSS05.02

• PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

– COBIT 5 BAI09.03


COBIT 5 Process Practices / Control Objectives

• Process Practices are Control Objectives

– Describe what a process needs to achieve to realise its process goals in support of enterprise goals

• Process Activities are Controls

– Go one step further in detail and provide more description of how things should happen


Example Using CSC 1 – BAI09.01

• BAI09.01 Identify and record current assets

• Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration and financial management.

1. Identify all owned assets in an asset register that records current status. Maintain alignment with the change management and configuration management processes, the configuration management system, and the financial accounting records.

2. Identify legal, regulatory or contractual requirements that need to be addressed when managing the asset.

3. Verify the existence of all owned assets by performing regular physical and logical inventory checks and reconciliation, including the use of software discovery tools.
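As an added worked example (not from the presentation or from ISACA), the reconciliation in activity 3 above, which is also the first “Where to Start” question (do we know what is connected?), in Python: a constructed asset register is compared with constructed discovery-tool output, flagging devices on the network that are not in the register, assets the register says were disposed of but that still respond, and in-service assets the scan did not find. The register layout, the scan line format and matching on MAC address are assumptions.

```python
import re

# Constructed sample asset register (assumed layout: id, hostname, MAC, status).
ASSET_REGISTER = [
    {"asset_id": "A-001", "hostname": "fs01", "mac": "00:1A:2B:3C:4D:01", "status": "in_service"},
    {"asset_id": "A-002", "hostname": "ws-fin-07", "mac": "00:1A:2B:3C:4D:02", "status": "in_service"},
    {"asset_id": "A-003", "hostname": "old-print", "mac": "00:1A:2B:3C:4D:03", "status": "disposed"},
    {"asset_id": "A-004", "hostname": "db02", "mac": "00:1A:2B:3C:4D:04", "status": "in_service"},
]
# Constructed discovery-tool output (assumed format): "<ip> <mac> <hostname or ->" per line.
DISCOVERY_SCAN = """\
10.0.1.10 00-1a-2b-3c-4d-01 fs01
10.0.1.23 00-1a-2b-3c-4d-02 ws-fin-07
10.0.1.40 00-1a-2b-3c-4d-03 old-print
10.0.1.77 00-1a-2b-3c-4d-99 -
"""

def normalize_mac(mac):
    """Canonical lower-case colon form so register and scan entries compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_scan(text):
    """Turn raw scan lines into dicts; blank lines are skipped, '-' means no hostname."""
    devices = []
    for line in text.splitlines():
        if line.strip():
            ip, mac, host = line.split(maxsplit=2)
            devices.append({"ip": ip, "mac": normalize_mac(mac), "hostname": host if host != "-" else None})
    return devices

def reconcile(register, scan_text):
    """Compare what the network shows against what the register says we own."""
    by_mac = {normalize_mac(a["mac"]): a for a in register}
    seen = set()
    findings = {"unregistered": [], "disposed_but_active": [], "not_found": []}
    for dev in parse_scan(scan_text):
        seen.add(dev["mac"])
        asset = by_mac.get(dev["mac"])
        if asset is None:                      # on the network, not in the register
            findings["unregistered"].append(dev["ip"])
        elif asset["status"] != "in_service":  # register says gone, network says present
            findings["disposed_but_active"].append(asset["asset_id"])
    for mac, asset in by_mac.items():          # register says present, scan did not see it
        if asset["status"] == "in_service" and mac not in seen:
            findings["not_found"].append(asset["asset_id"])
    return findings
```

Each of the three finding lists maps to an audit question: unregistered devices go to the CSC 1 exception report, disposed-but-active assets test the disposition step in BAI09.03, and not-found assets are the existence exceptions that a physical check should follow up.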


Example Using CSC 1 – BAI09.03

• BAI09.03 Manage the asset lifecycle

• Manage assets from procurement to disposal to ensure that assets are utilized as effectively and efficiently as possible and are accounted for and physically protected.

1. Source, receive, verify, test and record all assets in a controlled manner, including physical labeling, as required.

2. Deploy assets following the standard implementation life cycle, including change management and acceptance testing.

3. Dispose of assets securely, considering, e.g., the permanent deletion of any recorded data on media devices and potential damage to the environment.


Example Using CSC 1 – DSS05.02

• DSS05.02 Manage network and connectivity security

• Use security measures and related management procedures to protect information over all methods of connectivity.

1. Allow only authorized devices to have access to corporate information and the enterprise network. Configure these devices to force password entry.

2. Encrypt information in transit according to its classification.

3. Configure network equipment in a secure manner.

4. Carry out periodic penetration testing to determine adequacy of network protection.