Current Trends in Information Technology: Which Way for Modern IT Auditors?
Joseph Akoki, ACA, MCP, CISA, AMIMC
Information Security & Risk Insights Africa, Accra 2014
Quotes
“Technology is like a fish. The longer it stays on the shelf, the less desirable it becomes.” – Andrew Heller
“What I did in my youth is a hundred times easier today. Technology breeds crime.” – Frank Abagnale
“There will come a time when it isn’t ‘they are spying on me through my phone’ anymore. Eventually it will be ‘my phone is spying on me’.” – Philip K. Dick
Reality!!!
“Technology changes twice every year; the only way not to be left behind is to respond to changes, otherwise you will be twice behind.” – Anonymous
“We are going closer and closer to the year when cars will run with water.” – Bank PHB Nigeria
“With a 13% increase in identity fraud between 2010 and 2011, a study conducted by Javelin Strategy & Research showed that consumers may be putting themselves at a higher risk for identity theft as a result of their increasingly intimate social media behaviors.”
Point to note
“Audit failure is most often caused not by receiving brown envelopes but by not adhering to the audit quality control process.”
KNOWING YOUR ENVIRONMENTS
5/27/2014
IS CONTROL IS CORPORATE CONTROL...
“So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.” – Sun Tzu, The Art of War
KNOWING YOUR ENVIRONMENTS (contd.)
Yourself (the auditor):
• Tools
• Competency (human resources)
• Methodology
• Time & deadlines
Enemies (the auditee):
• Law & regulation
• Business process of the auditee
• Risk assessment by management
• Changing technology
Outcome: danger/audit failure, or a quality audit.
NB: Audit failure is where the audit has failed to fulfil its objective of providing reliable evidence upon which an audit opinion could be based.
Trend Drivers
• Customers
• Regulators
• Competitors
• Cost/Revenue
Training Objectives:
1. Identify the technologies that will have the greatest impact on banking business and audit functions
2. Explain why understanding trends and new technologies can help an organization prepare for the future
3. Explore the risks inherent in these emerging technologies and how audit planning can respond to them adequately
Introduction
• Obtaining a broad view of emerging trends and new technologies as they relate to business can help an organization anticipate and prepare for the future.
• Organizations that can most effectively grasp the deep currents of technological evolution can use their knowledge to protect themselves against sudden and fatal technological obsolescence.
Trend Drivers – example: Customers
Quote from “The McKinsey Quarterly”:
“The ‘emerging affluent’ segment—young, educated, and consumption-oriented urban professionals—could account for up to a third of all retail-banking revenues in the coming three to five years. They are tech savvy, preferring online banking and smartphone applications; reluctant users of branches (bricks and mortar); and price conscious and service oriented.” (February 2012, Miklós Dietz, Ádám Homonnay, and Irene Shvakman)
News headlines
• Gartner: Majority of Banks Will Turn to Cloud for Processing Transactions By 2016.
• IBM Develops NFC Authentication Technology.
• Barclays Puts the Safety Deposit Box in the Cloud. Barclays online banking customers will now be able to scan and upload important documents to a cloud-based document storage system.
• What Banks Should Know About Disaster Recovery in the Cloud. The cloud offers faster recovery from disasters, but banks need to be on the same page with their providers on issues like data ownership and interoperability.
The need to know the trend:
The jagged economic landscape — complicated by advancing technologies, such as cloud, social media and mobile devices — can challenge the ability of an IT auditor to provide comfort to executives already overwhelmed with rapidly expanding opportunities and pressures caused by shrinking margins.
Pace of technological innovation is increasing
• Medical knowledge is doubling every eight years.
• 50% of what students learn in their freshman year of college is obsolete, revised, or taken for granted by their senior year.
• All of today’s technical knowledge will represent only 1 percent of the knowledge that will be available in 2050.
Potential business impact:
• Shortened time-to-market for products and services
• Tighter competition based on new technologies
• Tighter monitoring requirements
The Digital Disruption
The five post-digital forces affecting business: cloud, mobile, social, analytics and cyber.
The digital revolution is disrupting every industry, creating new possibilities and changing the ways business is done.
The only way to compete is to evolve!!!
News headline: IBM Develops NFC Authentication Technology
IBM announced it has developed a new mobile payments authentication security technology based on near-field communication (NFC) technology.
According to IBM, a user engaging in a mobile transaction would hold a contactless smartcard next to the NFC reader of the mobile device and, after keying in their PIN, a one-time code would be generated by the card and sent to the server by the mobile device. The technology is based on end-to-end encryption between the smartcard and the server using the National Institute of Standards & Technology (NIST) AES (Advanced Encryption Standard) scheme. Current technologies on the market require users to carry an additional device, such as a random password generator, IBM stated.
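The card / phone / server exchange described in the headline above, as an added simulation that is not IBM's code and not part of the presentation. It makes these assumptions: the keyed primitive is HMAC-SHA256 from the Python standard library, standing in for the AES-based end-to-end scheme the slide mentions; the one-time code is bound to a per-card counter and a server-issued nonce; the PIN is verified on the card with a retry limit; and the card id, key and PIN are constructed values. The point it demonstrates is the property an auditor would want to confirm: the phone is only a relay that never holds the key or the PIN, and a captured code cannot be replayed.

```python
# Added example (not IBM's implementation): card, relaying phone and server roles
# of an NFC one-time-code scheme. HMAC-SHA256 stands in for the AES-based scheme
# on the slide (assumption made so the example runs with no third-party package).
import hmac
import hashlib
import secrets

CODE_DIGITS = 8
PIN_RETRY_LIMIT = 3


def derive_code(key, counter, nonce):
    """One-time code = first CODE_DIGITS decimal digits of HMAC-SHA256(key, counter || nonce)."""
    msg = counter.to_bytes(8, "big") + nonce
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class SmartCard:
    """Holds the shared secret, verifies the PIN on-card, and issues a code only after a correct PIN."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin
        self._counter = 0
        self._retries_left = PIN_RETRY_LIMIT
        self.blocked = False

    def one_time_code(self, pin, nonce):
        if self.blocked:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._retries_left -= 1          # wrong PIN: count down, block at the limit
            if self._retries_left == 0:
                self.blocked = True
            raise PermissionError("wrong PIN")
        self._retries_left = PIN_RETRY_LIMIT
        self._counter += 1                   # strictly increasing: the server rejects anything older
        return self._counter, derive_code(self._key, self._counter, nonce)


class Server:
    """Knows the same key per card; accepts each (nonce, counter) pair at most once."""

    def __init__(self):
        self._cards = {}   # card_id -> (key, highest counter accepted so far)
        self._nonces = {}  # outstanding challenge nonce -> card_id

    def enrol(self, card_id, key):
        self._cards[card_id] = (key, 0)

    def challenge(self, card_id):
        nonce = secrets.token_bytes(16)
        self._nonces[nonce] = card_id
        return nonce

    def verify(self, card_id, nonce, counter, code):
        # The nonce is consumed on first use, so a failed or replayed attempt burns it.
        if self._nonces.pop(nonce, None) != card_id:
            return False
        key, last = self._cards[card_id]
        if counter <= last:                  # replayed or stale counter
            return False
        if not hmac.compare_digest(code, derive_code(key, counter, nonce)):
            return False
        self._cards[card_id] = (key, counter)
        return True


def phone_transaction(card, server, card_id, pin):
    """The mobile device only relays: fetch a challenge, tap the card, forward the code."""
    nonce = server.challenge(card_id)
    counter, code = card.one_time_code(pin, nonce)
    return server.verify(card_id, nonce, counter, code)


def demo():
    """Returns (first transaction accepted, captured code accepted once, same code replayed)."""
    key = secrets.token_bytes(32)          # constructed: secret provisioned at card personalisation
    card = SmartCard(key, "1234")          # constructed PIN
    server = Server()
    server.enrol("card-001", key)          # constructed card id
    first = phone_transaction(card, server, "card-001", "1234")
    nonce = server.challenge("card-001")
    counter, code = card.one_time_code("1234", nonce)
    accepted = server.verify("card-001", nonce, counter, code)
    replayed = server.verify("card-001", nonce, counter, code)
    return first, accepted, replayed


def wrong_pin_blocks_card():
    """Returns True if PIN_RETRY_LIMIT wrong PINs leave the card blocked."""
    card = SmartCard(secrets.token_bytes(32), "1234")
    for _ in range(PIN_RETRY_LIMIT):
        try:
            card.one_time_code("0000", b"\x00" * 16)
        except PermissionError:
            pass
    return card.blocked


if __name__ == "__main__":
    print(demo(), wrong_pin_blocks_card())
```

The phone code path never touches the key or the PIN, which is what makes the scheme stronger than a password typed into the phone; on a real deployment the audit questions are where the key is provisioned, how the retry counter is enforced on the card, and whether the server side rejects reused nonces and non-increasing counters as this simulation does.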
Continuity Across Devices
With more users working across multiple devices, we see a move to provide the missing link in today’s computing experience – the ability to pick up the session on a different device in exactly the same place you left off.
Innovation will occur behind the scenes, to provide a continuous experience for users across call logs, text messages, notes and activities as they move from laptop to desktop, from tablet to mobile.
All-Encompassing Smartphones
Nowadays, consumers are increasingly relying on their smartphones for just about everything. From researching purchasing decisions to mobile commerce, expect to see more brands start to innovate and cater to the needs of mobile audiences, both customers and staff, to allow for more seamless use and integration of smartphones into our daily lives.
IPv6: Major surgery for the Internet
IPv6 is the new Internet protocol replacing IPv4. Protecting IPv6 is not just a question of porting IPv4 capabilities. There are fundamental changes to the protocol which need to be considered in security policy.
IPv6: Major surgery for the Internet contd…
The Difference Between IPv6 and IPv4 IP Addresses
An IP address is a binary number but can be written as text for human readers. For example, a 32-bit numeric address (IPv4) is written in decimal as four numbers separated by periods; each number can be from 0 to 255. For example, 1.160.10.240 could be an IP address.
IPv6 addresses are 128-bit addresses written in hexadecimal, with groups separated by colons. An example IPv6 address could be written like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf
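As an added example that is not part of the presentation, the following Python uses the standard-library ipaddress module to classify the two addresses on the slide, show the full 128-bit form of the IPv6 one, and check a host against a firewall-style allow-list. It illustrates the previous slide's point that IPv4 controls do not carry over: a rule written for an IPv4 range never matches the same host's IPv6 address. The /64 prefix and the allow-list contents are constructed for the example.

```python
# Added example (not from the presentation): IPv4/IPv6 address handling with the
# standard-library ipaddress module, and a dual-stack allow-list check.
import ipaddress


def classify(text):
    """Return (family, canonical) for an address string, or (None, None) if it is not valid.

    family is 4 or 6; canonical is the compressed text form (IPv6 leading zeros and
    the longest run of zero groups removed).
    """
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None, None
    return addr.version, addr.compressed


def expand(text):
    """Full eight-group, four-hex-digit form of an IPv6 address (the 128 bits written out)."""
    return ipaddress.IPv6Address(text).exploded


def allowed(text, networks):
    """True if the address lies inside a network of the same family in the allow-list.

    A network of one family can never contain an address of the other, so a policy
    that lists only IPv4 ranges leaves every IPv6 path to the default rule.
    """
    addr = ipaddress.ip_address(text)
    return any(addr.version == net.version and addr in net for net in networks)


# Constructed sample policy: an allow-list written when the hosts only had IPv4.
V4_ONLY_POLICY = [ipaddress.ip_network("1.160.10.0/24")]
# The same policy after adding the IPv6 prefix the hosts now use (constructed /64).
DUAL_STACK_POLICY = V4_ONLY_POLICY + [ipaddress.ip_network("3ffe:1900:4545:3::/64")]

HOST_V4 = "1.160.10.240"                          # address from the slide
HOST_V6 = "3ffe:1900:4545:3:200:f8ff:fe21:67cf"  # address from the slide

if __name__ == "__main__":
    for sample in (HOST_V4, HOST_V6, "1.160.10.256"):
        print("%-40s -> %s" % (sample, classify(sample)))
    print("expanded:", expand(HOST_V6))
    print("IPv4-only policy covers the IPv6 address:", allowed(HOST_V6, V4_ONLY_POLICY))
    print("dual-stack policy covers it:              ", allowed(HOST_V6, DUAL_STACK_POLICY))
```

For an audit of IPv6 readiness, the same check run over an organisation's actual rule base and host inventory shows which hosts are reachable over IPv6 with no rule at all written for them.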
Others are:
• T+3 becoming T
• Instant transfers
• ATMs accepting cash and cheques
• Cheques scanned with mobile phones
• Wearable technologies
• Virtualisation of all kinds – virtual customers, staff and projects
• Etc.
Cloud Computing
Contending With Cloud Services
Small, medium and large enterprises are beginning to adopt cloud services (PaaS and SaaS) at a greater rate. This trend presents a big challenge for network security, as traffic can go around traditional points of inspection. Additionally, as the number of applications available in the cloud grows, policy controls for web applications and cloud services will also need to evolve.
But as the cloud evolves, so too must network security.
What is cloud computing?
Cloud computing is not:
• Any specific technology, such as VMware or SalesForce
• Virtualization
• Outsourcing
• Grid computing
• Web hosting
Cloud computing is:
• An IT delivery approach that binds together technology infrastructure, applications, and internet connectivity as a defined, managed service that can be sourced in a flexible way
• Cloud computing models typically leverage scalable and dynamic resources through one or more service and deployment models
• The goal of cloud computing is to provide easy access to, and elasticity of, IT services.
Key Areas to Focus on during Audit: Auditing Cloud Computing in Five Relevant Areas
Audit objective – Identity and Access Management: Verify that only approved personnel are granted access to the service based on their roles, and that access is removed in a timely manner upon termination of employment and/or a change in role that no longer requires the access.
• Physical Security
• Hosting & Data: Segregation of tiers; hosting encryption methods
• Logical Security: Accessibility from the open Internet; over-permissive rules that open a wide range of ports
• Authentication & Authorization: Length/strength of passwords and the systems that enforce/control password security and reset rules; use of hardware/software tokens and management of key fobs; only authorized users are granted access rights after proper approval; access for transferred employees is modified in a timely manner; unauthorized access to cloud computing resources is removed promptly; periodic review of super-user and regular access to cloud applications
• Connection & Data Transmission: Secure connectivity such as VPN, IPsec, SSL or HTTPS wherever sensitive data is transmitted for regular users or administrators
Technology Risks:
• Unique risks related to the use of a virtual operating system with co-tenants.
• Is your primary service provider utilizing another sub-service provider? For example, there are several cases where a SaaS provider is utilizing an IaaS provider. Do you know whether your primary service provider is protecting you adequately from the risks inherent in utilizing an IaaS provider?
• Hypervisor technology utilized and whether it is patched.
• Process for monitoring and patching known vulnerabilities in the hypervisor technology.
• Segregation of duties (SoD) considerations, from both a technology and a business perspective. For example, from a technology SoD perspective, does one person have access to the host and guest operating systems as well as the guest database? From a business perspective, for financially significant applications, just because an application is in the cloud does not diminish the importance of segregating access within the application.
• Logging of access to the applications and data, where relevant.
• Protection of access logs from inadvertent deletion or unauthorized access.
Common Observations When Auditing Cloud Computing
• Password settings for cloud resources (applications, virtual servers etc.) do not comply with the user organization’s password policies. Sometimes the cloud vendor’s resources do not support the user organization’s policy requirements, but often the cloud administrators at the user organization are simply not aware.
• Port settings on cloud server instances are not appropriately configured (an administrator added exceptions to administer the cloud from their home computer and mobile device).
• Lack of policy and procedures for appropriate handling of security and privacy incidents.
• Terminated users found to be active on applications in the cloud (even though the individual’s network access was terminated), and there was no IP range restriction.
• Employees transferred out of a certain department still had access to cloud resources even though they transferred to another department a few months ago.
• The service provider’s SOC report was not reviewed for impact on the user organization.
• Sensitive data (PII) in the cloud was found not to be encrypted. Sometimes the user organization is not aware that sensitive data resides in the cloud. Most commonly, when the cloud is used for test environments, sensitive data is not scrambled/de-identified before being sent to the cloud. It might even be your third-party development vendor doing that.
• Use of shared accounts to administer the cloud.
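Four of the observations above (password settings out of policy, terminated users still active, transferred employees keeping old access, shared administration accounts) can be tested mechanically from the cloud application's user export and its tenant settings. The following is an added Python example, not from the presentation, that does so over constructed HR records, a constructed user export and constructed password settings; the field names, user names and thresholds are all assumptions for the example.

```python
# Added example (not from the presentation): two audit tests over constructed data.
# 1) reconcile a cloud application's user export against HR records;
# 2) compare the tenant's password settings with the user organisation's policy.
from datetime import date

AS_OF = date(2014, 5, 27)  # constructed audit date

# Constructed HR master data: user -> (status, department, date of the last status/department change)
HR = {
    "user.a": ("active",     "Treasury",   date(2013, 1, 10)),
    "user.b": ("terminated", "Operations", date(2014, 3, 31)),
    "user.c": ("active",     "Marketing",  date(2014, 1, 15)),  # left Treasury in January
    "user.d": ("active",     "Treasury",   date(2012, 6, 1)),
}

# Constructed user export from the cloud application: user -> (enabled, role, department on record)
CLOUD_USERS = {
    "user.a":     (True, "treasury-approver", "Treasury"),
    "user.b":     (True, "operations-user",   "Operations"),  # network access was cut, app access was not
    "user.c":     (True, "treasury-approver", "Treasury"),    # stale department and role
    "user.d":     (True, "treasury-approver", "Treasury"),
    "cloudadmin": (True, "administrator",     "IT"),          # no HR owner: a shared account
}


def reconcile_access(cloud_users, hr, as_of, transfer_grace_days=30):
    """Return (user, finding) pairs for the access exceptions an auditor would report."""
    findings = []
    for user, (enabled, role, dept) in cloud_users.items():
        if user not in hr:
            findings.append((user, "no HR owner: shared or orphaned account"))
            continue
        status, hr_dept, changed = hr[user]
        if status == "terminated" and enabled:
            findings.append((user, "terminated on %s but still enabled" % changed))
        elif hr_dept != dept and (as_of - changed).days > transfer_grace_days:
            findings.append((user, "moved to %s on %s but still holds %s access" % (hr_dept, changed, role)))
    return findings


# Constructed policies: what the organisation requires versus what the cloud tenant is configured with.
ORG_PASSWORD_POLICY   = {"min_length": 12, "max_age_days": 90, "history": 12, "lockout_threshold": 5}
CLOUD_PASSWORD_CONFIG = {"min_length": 8,  "max_age_days": 0,  "history": 0,  "lockout_threshold": 10}

# For these settings a larger value (or 0, meaning disabled) is weaker; for the rest a smaller value is weaker.
UPPER_BOUND_SETTINGS = {"max_age_days", "lockout_threshold"}


def password_policy_gaps(cloud_config, org_policy):
    """Return {setting: (required, actual)} for every setting where the cloud config is weaker."""
    gaps = {}
    for setting, required in org_policy.items():
        actual = cloud_config.get(setting)
        if actual is None:
            weaker = True                       # setting not supported or not configured at all
        elif setting in UPPER_BOUND_SETTINGS:
            weaker = actual == 0 or actual > required
        else:
            weaker = actual < required
        if weaker:
            gaps[setting] = (required, actual)
    return gaps


if __name__ == "__main__":
    for user, finding in reconcile_access(CLOUD_USERS, HR, AS_OF):
        print("%-10s %s" % (user, finding))
    for setting, (required, actual) in password_policy_gaps(CLOUD_PASSWORD_CONFIG, ORG_PASSWORD_POLICY).items():
        print("%-18s policy requires %s, cloud tenant has %s" % (setting, required, actual))
```

A setting the tenant reports as unset is treated as a gap rather than ignored, which is the case the slide describes where the vendor's product cannot express the organisation's policy; that gap belongs in the finding as well, because it needs a compensating control rather than a configuration change.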
Good Practices in Cloud Computing
• Sensitive data is encrypted before being sent to the cloud.
• Make sure that multiple people receive notifications from the cloud service provider, and that the list of individuals/email IDs is periodically reviewed and updated. This is simple to implement and very beneficial.
• Several cloud service providers offer the option of IP range restriction. That can be a great tool for utilizing cloud-based services while keeping the security comfort of in-house IT.
• Use a secure connection when connecting to the cloud, any time sensitive data is exchanged.
• Access to cloud computing resources is integrated with the user organization’s identity and access management process instead of being handled one-off.
• Use multi-factor authentication (MFA), such as hardware/software tokens or mobile authentication (particularly if the mobile phone is a company resource), for administration of cloud resources. This can also protect the organization in case its employees are subject to a phishing attack.
• Review a proper independent review report/certification: sometimes a SOC report is not sufficient.
Top Risk Areas
• Privileged user access: Who at the cloud provider will have access to your data? What controls does the provider have over these people’s access? How does the provider hire and fire?
• Regulatory compliance: How will using the cloud affect your ability to comply with regulatory requirements (e.g. SOX, GLBA, HIPAA, PCI)? Has the provider undergone any kind of third-party audit or certification?
• Data location and ownership: Where will the data be stored? Will it be replicated out of the country? Can the customer restrict where the data is stored? Who owns the data once it is in the cloud?
• Data segregation: How does the provider ensure that its other customers cannot ‘see my data’? What type of encryption is in place? How are the keys managed?
• Recovery: What happens to my data in the event of a disaster? Is it backed up or replicated somewhere? How can I access my backups? How long does it take to restore my data?
• Forensic support: If any kind of legal investigation is required because of illegal activity, can the provider support the customer?
• Long-term viability: What is the provider’s financial posture? Will they be around in the next 5–15 years? If they fail, how does the customer get his data back?
• Third-party relationships: What third-party relationships does your cloud provider have in place?
• Due diligence: Have you performed extensive due diligence on your cloud provider?
• Cloud provider’s key risk and performance indicators: Understand the cloud provider’s key risk and performance indicators and how these can be monitored and measured from a customer’s perspective.
Auditing Mobile Computing
10 Steps for Auditing Mobile Computing Security – tests:
1. Ensure that mobile device management software is running the latest approved software and patches.
2. Verify that mobile clients have protective features enabled if they are required by your mobile device security policy.
3. Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device.
4. Evaluate the use of security monitoring software and processes.
5. Verify that unmanaged devices are not used on the network. Evaluate controls over unmanaged devices.
6. Evaluate procedures in place for tracking end-user trouble tickets.
7. Ensure that appropriate security policies are in place for your mobile devices.
8. Evaluate disaster recovery processes in place to restore mobile device access should a disaster happen.
9. Evaluate whether effective change management processes exist.
10. Evaluate controls in place to manage the service life cycle of personally owned and company-owned devices and any associated accounts used for the gateway.
Auditing Mobile Device Mgt
Once installed, an MDM solution can enforce numerous security policies. Auditors should verify these policies are in place:
• Anti-malware and firewall policy. Mandates installation of security software to protect the device’s apps, content, and operating system.
• App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
• App-vetting policy. Ensures that only trustworthy “white listed” apps can be installed; blocks “black listed” apps that could contain malicious code.
• Encryption policy. Ensures that the contents of the device’s business container are encrypted and secured.
Auditing Mobile Device Mgt contd.
• PIN policy. Sets up PIN complexity rules and expiration periods, and prevents reuse of old PINs.
• Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
• Jailbreak policy. Prohibits unauthorized alteration of a device’s system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
• Remote wipe policy. Erases the device’s business container contents should the device be lost or stolen.
• Revoke access policy. Disconnects the employee’s device from the organization’s network when the MDM’s remote monitoring feature determines that it is no longer in compliance.
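An auditor verifying the MDM policies listed on these two slides usually works from the MDM console's device export. The following added Python example, not from the presentation or any MDM product, evaluates a constructed export against the anti-malware, update, app-vetting, encryption, PIN, inactivity-lockout and jailbreak policies and lists the devices the revoke-access policy should disconnect. The record fields, approved OS versions and thresholds are assumptions made for the example.

```python
# Added example (not from the presentation): evaluating an MDM device export against
# the policies on the slides. Field names, versions and thresholds are constructed.
from datetime import date

AS_OF = date(2014, 5, 27)  # constructed audit date

POLICY = {
    "min_os":             {"ios": (7, 1), "android": (4, 4)},  # constructed approved minimums
    "max_patch_age_days": 30,
    "pin_min_length":     6,
    "pin_max_age_days":   90,
    "inactivity_lock_min": 5,
}

# Constructed device export, one record per device as an MDM console might report it.
DEVICES = [
    {"id": "D1", "os": "ios", "version": (7, 1), "last_patch": date(2014, 5, 10),
     "antimalware": True, "encrypted": True, "pin_length": 6, "pin_set": date(2014, 4, 1),
     "pin_reused": False, "inactivity_lock_min": 5, "jailbroken": False, "unvetted_apps": []},
    {"id": "D2", "os": "android", "version": (4, 1), "last_patch": date(2014, 1, 5),
     "antimalware": False, "encrypted": False, "pin_length": 4, "pin_set": date(2013, 12, 1),
     "pin_reused": True, "inactivity_lock_min": 30, "jailbroken": True, "unvetted_apps": ["flashlight-free"]},
]


def pin_policy_violations(device, policy, as_of):
    """PIN policy and inactive-device lockout policy checks for one device."""
    v = []
    if device["pin_length"] < policy["pin_min_length"]:
        v.append("PIN shorter than %d digits" % policy["pin_min_length"])
    if (as_of - device["pin_set"]).days > policy["pin_max_age_days"]:
        v.append("PIN older than %d days" % policy["pin_max_age_days"])
    if device["pin_reused"]:
        v.append("PIN reused from history")
    if device["inactivity_lock_min"] > policy["inactivity_lock_min"]:
        v.append("inactivity lockout longer than %d minutes" % policy["inactivity_lock_min"])
    return v


def evaluate(device, policy, as_of):
    """Return the list of policy violations for one device; an empty list means compliant."""
    v = []
    if not device["antimalware"]:
        v.append("anti-malware/firewall software not installed")
    if device["version"] < policy["min_os"][device["os"]]:
        v.append("OS below approved minimum")
    if (as_of - device["last_patch"]).days > policy["max_patch_age_days"]:
        v.append("patches older than %d days" % policy["max_patch_age_days"])
    if device["unvetted_apps"]:
        v.append("apps outside the white list: " + ", ".join(device["unvetted_apps"]))
    if not device["encrypted"]:
        v.append("business container not encrypted")
    v.extend(pin_policy_violations(device, policy, as_of))
    if device["jailbroken"]:
        v.append("jailbroken/rooted")
    return v


def devices_to_revoke(devices, policy, as_of):
    """IDs of devices the revoke-access policy should disconnect (any violation at all)."""
    return [d["id"] for d in devices if evaluate(d, policy, as_of)]


if __name__ == "__main__":
    for d in DEVICES:
        print(d["id"], evaluate(d, POLICY, AS_OF) or "compliant")
    print("revoke:", devices_to_revoke(DEVICES, POLICY, AS_OF))
```

Running the same evaluation on the real export and comparing its revoke list with the devices the MDM actually disconnected is the audit test for the revoke-access policy: any device that fails the checks but still holds network access is a finding.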
AUDITING Social Media
ROLE OF INTERNAL AUDITING – Social Media
IT auditors should be mindful of the risks associated with social media, and take steps to validate that the institution has established an effective social media risk management program commensurate with the degree of the institution’s use of social media. In auditing social media, internal auditors should consider the following steps:
Program Governance and Oversight
Evaluate how the institution assigns accountability for social media activities.
Review social media-related policies and procedures for consistency with stated social media objectives.
Assess the institution's process to stay informed of actual and proposed social media activities.
Evaluate procedures to review and approve social media content before publication.
Determine how social media risks are periodically assessed and documented.
Alignment of Activities with Enterprise Strategy
Determine if the institution has formally documented an enterprise-wide social media strategy.
Review the documented social media strategy for specific objectives and defined metrics against which progress is measured, including risk appetite.
Evaluate the process by which business line social media practices are reviewed for consistency with the institution's enterprise-wide social media strategies.
Compliance with Laws and Regulations
Discuss with legal and compliance personnel how legal and regulatory requirements are assessed for applicability to social media activities.
Assess the completeness of the institution's inventory of laws and regulations applicable to social media activities.
Evaluate how legal and compliance are involved in the use of new social media technologies that may impact compliance with legal and regulatory requirements.
Operational Risk Management
Determine if technological tools have been used to monitor and restrict social media usage, and consider opportunities to automate new and existing preventative and detective controls.
Evaluate how the institution provides and rescinds access to social media platforms, including standards for reviewing and approving access as appropriate.
Discuss with management the types of training provided to employees with access to the institution's social media platforms.
Determine if third-party social media tools and software solutions are evaluated for operational and compliance impacts in accordance with the institution's documented vendor management program, if applicable.
Reputational Risk Management
Evaluate whether management distinguishes consumer complaints received through social media platforms from social media incidents.
Determine if management has identified complaint and incident scenarios that require escalation to legal, compliance, senior management, or other parties.
Assess how social media exchanges are monitored for integrity and fairness to consumers.
Last word for the modern-day IT Auditor
The current trends in IT, now and in the future, demand that IT auditors be IT savvy, current and evolving, so we have to:
• Learn – moving with technology
• Train – build capacity
• Share – leveraging