cybersecurity: considerations for internal audit - · pdf file ·...
TRANSCRIPT
![Page 1: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/1.jpg)
Cybersecurity: Considerations for Internal Audit
IIA Atlanta Chapter Meeting
January 9, 2015
![Page 2: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/2.jpg)
Agenda • Key Risks • Incorporating Internal Audit • Resources for Internal Auditors • Questions
2
![Page 3: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/3.jpg)
Key Risks
3
![Page 4: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/4.jpg)
4
![Page 5: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/5.jpg)
Key Risks
• Board and Management: – CIO, CAE, organizational leaders agree: Cyberthreats not only and IT problem, but fully
fledged business risk – Top 10 risk Separate from business interruption; loss of
reputation and brand value; theft fraud and corruption
5
![Page 6: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/6.jpg)
Key Risks • Nature of attack:
– Denial of service attacks (DoS) – Data security breaches
• Focus of attack: – Credit card data (e.g. retail) – Exploration data (e.g. oil and gas) – Intellectual property (e.g. technology, strategic
information)
6
![Page 7: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/7.jpg)
Key Risks
• Internal – Trusted employees – Business partners
• External – Stolen credentials – Remote access systems
7
![Page 8: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/8.jpg)
Key Risks
• Threats – Rapidly evolving – Increasingly sophisticated – Methods continue to improve
8
![Page 9: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/9.jpg)
Key Risks
• Cost of data breaches – Fixing the problem – Legal costs – Fines – Class Action Lawsuits
9
![Page 10: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/10.jpg)
Incorporating Internal Audit
10
![Page 11: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/11.jpg)
Incorporating Internal Audit
Persistent threat Exposures Security posture Audit procedures Assisting management Resource application
11
![Page 12: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/12.jpg)
Incorporating Internal Audit
Be engaged at the strategic level: – Understand board’s approach to security – Better understand the value of business-
critical data – Working with systems administrators – Being involved with new IT implementations
12
![Page 13: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/13.jpg)
Incorporating Internal Audit Focus on:
– Specific types of attacks they face – Weaknesses inherent in business practices,
culture, IT systems – Educating the Board Business risk Risk to data Critical assets Nature of network traffic
– Prevention, Detection and Response
13
![Page 14: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/14.jpg)
Incorporating Internal Audit
Key Elements: – Leadership and governance – Technical and operational controls – Training and awareness – Information risk management – Response planning – Crisis management
14
![Page 15: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/15.jpg)
Incorporating Internal Audit
Auditing defense mechanisms: – Secure firewalls – Up-to-date antivirus software – Open communication to ISPs – Effective network monitoring – Rapid response plans
15
![Page 16: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/16.jpg)
Incorporating Internal Audit Auditing defense mechanisms:
– Password management – Data categorization, segregation, access storage,
and retention process – Suppliers’ cybersecurity practices; service
agreements – Cloud services – Data security controls – Corporate insurance coverage
16
![Page 17: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/17.jpg)
Incorporating Internal Audit IT Audit Resources:
– Perform business and IT impact analysis and risk assessment
– Cyberrisk assessment External input on threats facing industry Current attack methods
– People, process and technology controls – Incident response program – Help optimize controls to prevent or detect cyber
issues – Ongoing monitoring of changing cyberrisk
17
![Page 18: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/18.jpg)
Incorporating Internal Audit Internal Audit Resources:
– Drive discussion around risk and mitigation strategy – Independently assess and prioritize cyberrisks
against other critical enterprise risks – Assess effectiveness of preparation – Identify and monitor issues and risk related to
emerging technology deployments
18
![Page 19: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/19.jpg)
Incorporating Internal Audit Supporting the Audit Committee:
– Five Principles: 1. Understand and approach to cybersecurity 2. Legal implications 3. Access to expertise 4. Staffing and budget 5. Risk avoidance
19
![Page 20: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/20.jpg)
Resources
20
![Page 21: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/21.jpg)
Resources • U.S. National Institue of Standards and
Technology (NIST) – Framework for Improving Critical Infrastructure
Cybersecurity – Consistent and effective evaluation of current
security: Processes Procedures Technologies
– Links to other security standards and approaches
21
![Page 22: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/22.jpg)
22
Source: NIST Framework for Improving Critical Infrastructure Cybersecurity http://www.nist.gov/cyberframework/#
![Page 23: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/23.jpg)
23
Source: NIST Framework for Improving Critical Infrastructure Cybersecurity http://www.nist.gov/cyberframework/#
![Page 24: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/24.jpg)
Resources Cybercrime Audit/Assurance Program • Aligned with the NIST
National Initiative for Cybersecurity Education
24
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cybercrime-Audit-Assurance-Program.aspx
![Page 25: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/25.jpg)
25
![Page 26: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/26.jpg)
26
Source: ISACA IT Assurance FrameworkTM (ITAFTM)
![Page 27: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/27.jpg)
27
0
1
2
3
4
5
DS5.5 Security Testing,Surveillance and Monitoring
DS5.6 Security IncidentDefinition
DS8.2 Registration of CustomerQueriesDS8.3 Incident Escalation
DS8.4 Incident Closure
AssessmentTarget
Source: ISACA IT Assurance FrameworkTM (ITAFTM)
![Page 28: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/28.jpg)
Resources Cybersecurity Fundamentals Certificate • Knowledge-based
certificate offered by ISACA Implementing NIST Cybersecurity Framework Using COBIT 5 • Focused on the CSF, goals,
implementation steps and application
28
![Page 29: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/29.jpg)
29
![Page 30: Cybersecurity: Considerations for Internal Audit - · PDF file · 2015-01-15Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting . January 9, 2015 . ... –](https://reader033.vdocuments.us/reader033/viewer/2022051406/5abcceee7f8b9a76038e542f/html5/thumbnails/30.jpg)
Internal Audit Focus
Evaluating security risk and threats Data at risk Secure infrastructure Monitoring capability Rapid identification, response,
containment and recovery
30