TEN TOP EMERGING IT AUDIT ISSUES: THE UGANDAN PERSPECTIVE
AS PART OF THE MONTHLY PRESENTATION SERIES. June, 2011
BY KETO NYAPENDI KAYEMBA
ASSISTANT AUDITOR GENERAL
PRESIDENT, ISACA KAMPALA CHAPTER


Content
• Introduction
• The main audit issues
  ▫ Issue
  ▫ Risks
  ▫ Recommendation
• Conclusion


ICT in Uganda
• Economy
• NDP: Science and technology - strategic
• Rapid deployment of emerging technologies creates risk
• Deficiencies in IT controls; significant impact
• Misaligned technology will fail
• Las Vegas
• Uganda: a growing economy
• IT security, audit and governance in Uganda


Summary
1. Mobile devices & wireless tech
2. Social networking
3. Malware
4. Major government systems
5. Regulation
6. Cloud computing
7. Virtualization
8. Database management
9. Business continuity & disaster preparedness
10. Fraud


1. Mobile devices
• Rapid expansion of handheld devices (ever more powerful)
• Huge increase in mobile users & applications
• The boundaries have expanded through 3G and 4G + Wi-Fi and WiMAX
• Risks
  ▫ Very vulnerable, susceptible to malicious attacks
  ▫ Information interception and loss of critical business data
  ▫ Security and identity management an issue
  ▫ Denial of service
  ▫ ERP integration issues
• Recommendation
  ▫ Managing information risks without stifling innovation critical to value creation
  ▫ Get inventory of mobile devices and their applications (m-commerce). Understand the policies and procedures.
• Boundaries have expanded – not physical.
• Smartphones, iPads, m-commerce.
• Mobility enables: flexibility, availability, innovation and increased productivity.


2. Social networks
Use of social media technology is here:
• Facebook
• LinkedIn
• Twitter
Risk
• Brand protection
• Unauthorised access to confidential data
• Disruption / denial of service
• User ignorance
Recommendation
• Have an inventory of social media usage
• Establish existing policies, procedures & controls
• Amend audit plan to take care of the compliance & security needs.
Security needs
• Identity protection
• User awareness of security needs
• Organization data safety


3. Malware/cyber attacks
• Increase in sophistication of malware - malicious code
• More avenues of execution, i.e. mobile devices, social networks. Work at home issues.
• New generation threats/attacks are now supported by organised criminal groups, state sponsored
• Risks
  ▫ New platforms allow more organisation data to be accessed and pushed outside the old perimeter firewall
  ▫ Loss or theft of critical information; intellectual property
  ▫ Cash impact
  ▫ Denial of service
• Recommendation
  ▫ Understand organisation approach to malware identification, isolation & remediation
  ▫ Consider impacts beyond traditional spam ware/firewalls, i.e. remote users, mobile devices
  ▫ Consider update schedules and monitoring (beyond responsiveness to patch updates)
  ▫ Look at hardening of critical devices and access points
  ▫ Have vulnerability assessments and detection procedures


3b. The use of the internet in business operations
• Use of the internet in business operations.
• Risks
  ▫ Malicious code importation
  ▫ Theft of identity related information – credit card info
  ▫ Disruption and denial of service
• Recommendation
  ▫ Sensitisation of users on how to transact business on the web
  ▫ Proper protection of the sensitive areas using antivirus
  ▫ Browsing protection
  ▫ Limit storage of identity related information
  ▫ Encrypt any information that needs to be stored.


4. Major government systems
• Ministry of ICT
• NITA
• National identity card
• Electronic register
• Integrated Financial Management system
• Integrated payroll system.
• Risks
  ▫ Ignore Governance, Control and Security issues
  ▫ Duplication
  ▫ Too many legacy systems – lack of value for money
• Need for
  ▫ Alertness
  ▫ Assertiveness
  ▫ Use alliances – i.e. chapter
  ▫ Preparedness
  ▫ Involvement
• IT governance recognition - at the board level
• Strategic use of IT for achievement of business objectives
• Control practices well defined
• Necessary oversight


5. Regulation
• Strong need for regulation
  ▫ ICT laws being put in place
  ▫ Regulations to follow
  ▫ Need for compliance
• Protection: business robustness, national assets
• Risks
  ▫ Not having sufficient numbers of ICT professionals to manage the assets
• Recommendation
  ▫ More prominence for SAG professionals
  ▫ Need for skill acquisition.
  ▫ Need for knowledge acquisition


6. Cloud computing
• A mode for enabling convenient, on demand network access to a shared pool of configurable computing resources:
  ▫ Infrastructure as a service, IaaS
  ▫ Platform as a service, PaaS
  ▫ Software as a service, SaaS
• Sensitive data are no longer stored in a server farm controlled by the business, but rather in systems connected to the web and probably not owned by the business.
• Risks
  ▫ Sustainability – reputation of provider
  ▫ Confidentiality and availability of data
  ▫ Third party access to data (competition)
  ▫ Data ownership & loss of data in a disaster situation.
• Recommendation
  ▫ Ensure business objectives and risks that accompany the cloud are identified and understood
  ▫ May need to adjust business IT governance and security policies
  ▫ Ensure there is a mechanism to ensure compliance with policy set
• Supplier gives more flexible, available, resilient and efficient IT services
• Increased ROI
• Reduced cost
• Increased risks


7. Virtualisation
Software technology that divides a physical resource, such as a server, into virtual resources called virtual machines (VMs). By 2012, 50% of servers will be virtualised throughout the world, studies show.
Risks
• Architectural vulnerability
• Software vulnerability
• Configuration risks
Recommendation
• Policies and procedures: disaster recovery & backup, data protection
• Ensure proper understanding by the organisation
• Roles & responsibilities clearly defined & documented
• Proper training of staff
• Following of set regulation


8. Database management
• Regulation on types of data to be stored
• Identification of location of data
• Need for categorization of sensitive data to enable better security management
• The cloud and mobile devices are a challenge.
• Risks
  ▫ Regulatory penalties
  ▫ Brand protection
  ▫ Identity management
  ▫ Privacy
  ▫ Integrity
• Recommendations
  ▫ Assess level of adequacy of current business requirements
  ▫ Understand emerging regulations
  ▫ Corporation policies on storage of PII
  ▫ Identify specific data management controls
  ▫ Perform focused procedures
• Where is the data stored?
• Where is personal data stored?
• How large is the data, is it all necessary?
• For how long is it needed?


9. Business continuity and disaster preparedness
• Provide continued existence and operation of the organisation – assure continued operation.
• Risks
  ▫ Loss of critical data
  ▫ Slow rate of restart
  ▫ Lack of employee awareness of BCP
  ▫ Untested/unmodified plan.
• Recommendation
  ▫ Identify all business processes
  ▫ Ensure they are all catered for in the BCP
  ▫ Ensure plan incorporates all aspects: i.e. chain of command, employee management and safety, vendor management, supply chain management.
  ▫ BCP should be tested and modified periodically


10. IT perpetuated Fraud

Fraud


What else did I bring back from Vegas
• The monthly meetings: a blessing
• Use ISACA resources
  ▫ Adopt
  ▫ Popularise
  ▫ Participation in regulation formation
  ▫ Recruit more SAG professionals
• ISACA’s resource is its people
• Africa is unique, with unique problems, slightly slower
• Our role to do the research
• Share our area issues with the others
• Contribute in the research topics


Your role
• Provide security skills
• Provide audit skills
• Provide governance guidance
• Do your part


Thank you