kpmgeISSA
Atul Gupta, Manager, Information Risk Management
KPMG, India. Mail: [email protected]
iSAC 2005, 21 July 2005
ICT Management – IT audit and general controls
Writing on the wall
Progress
– IT audit
– Potential threats – IT risks
– Risk management – IT controls
– Acts/ Standards/ Guidelines – Impact on IT controls and audit
IT audit
History of IT audit
– Began as EDP auditing
– Developed largely as a result of the rise of technology in accounting systems
– Typically carried out alongside
  • Financial statement audits
  • Internal audits
  • Other attestation engagements
IT audit
History of IT audit
– Initial computerized accounting systems
  • First used in 1954
  • Primarily mainframe based systems
– Changes in the 1960s
  • Increased usage of computing environments
– EDP auditing
  • Formalized in 1968 by the AICPA along with the Big Eight
  • Formation of EDPAA (1969; now ISACA)
  • COBIT – first released 1996
IT audit
Major events
– Equity Funding Corporation of America (1964 – 1973)
– AT&T (1998)
– Popularity of the Internet and its adoption by corporates
– Enron debacle
– 9/11 attacks
– Acts/ Regulations
  • GLBA
  • HIPAA
  • SAS 70
  • UK DPA
  • EU – Directive on Data Protection
IT audit
Review of controls in an entity's technology infrastructure
Review whether the information systems
• Safeguard assets
• Maintain data integrity
• Operate effectively
• Are aligned with business objectives and the organization's goals
The Clock is Ticking
Changing IT environment – High Octane Fuel for Disaster???
Is your neighborhood safe???
Is security a costly proposition???
Changing IT environment – High Octane Fireball
Complex information systems
Systems-enabled businesses and the Internet grow at the speed of light
– More and more business processes are becoming technology enabled
– Decentralized operations and connectivity to business partners
– Remote connectivity to the corporate network
– Increased virus attacks
Changing IT environment
(Representative network diagram: an organisation connected to the Internet, annotated with the weaknesses typically found in such an environment.)
– Hosts running unnecessary services
– Information leakage
– Incorrect trust relationships
– Misconfigured firewalls and routers
– Weak passwords
– Improperly defined shares
– Misconfigured or unpatched OS
– Inadequate logging, monitoring or detection
– Unsecured remote access points
– Misconfigured web servers
– Unpatched, outdated or default-configured software
– Old anti-virus definitions
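Several of the weaknesses on the diagram can be checked mechanically from host configuration, which is what a general IT controls review does in practice. The following Python script is an added example, not part of the original presentation: it checks three of the slide's weakness classes (unnecessary services, weak passwords, improperly defined shares) against a hypothetical baseline. The allowed-port list and password-policy floor are assumptions, and every sample input (the `ss` listing, the `login.defs` fragment, the `smb.conf`) is constructed, not taken from a real host.

```python
import configparser
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str  # weakness class, in the slide's own wording
    detail: str

# Hypothetical baseline: the only port this host is approved to expose.
ALLOWED_PORTS = {22}

def unnecessary_services(ss_output, allowed_ports=ALLOWED_PORTS):
    """Flag listeners bound to a non-loopback address on ports outside the baseline.
    Input is text in the shape of `ss -tlnp` output with its header line removed."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr in ("127.0.0.1", "[::1]") or not port.isdigit():
            continue  # loopback-only listeners are not reachable from the network
        proc = re.search(r'\("([^"]+)"', line)
        name = proc.group(1) if proc else "unknown process"
        if int(port) not in allowed_ports:
            findings.append(Finding("Hosts running unnecessary services",
                                    f"{name} listening on {fields[3]}"))
    return findings

def password_policy(login_defs, min_len=12, max_days=90):
    """Compare /etc/login.defs settings with a policy floor (floor values are assumptions)."""
    settings = {}
    for line in login_defs.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            settings[parts[0]] = parts[1]
    findings = []
    if int(settings.get("PASS_MIN_LEN", 0)) < min_len:
        findings.append(Finding("Weak passwords", f"PASS_MIN_LEN below {min_len}"))
    if int(settings.get("PASS_MAX_DAYS", 99999)) > max_days:
        findings.append(Finding("Weak passwords", f"PASS_MAX_DAYS above {max_days}"))
    return findings

def share_permissions(smb_conf):
    """Flag Samba shares reachable by guests; guest-writable is the worst case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf)
    findings = []
    for section in cp.sections():
        if section.lower() == "global":
            continue
        share = cp[section]
        guest = share.get("guest ok", "no").lower() == "yes"
        # Samba shares are read-only unless "read only = no" or its synonym "writeable = yes".
        writable = (share.get("read only", "yes").lower() == "no"
                    or share.get("writeable", "no").lower() == "yes")
        if guest:
            access = "guest-writable" if writable else "guest-readable"
            findings.append(Finding("Improperly defined shares", f"[{section}] is {access}"))
    return findings

def audit_host(ss_output, login_defs, smb_conf):
    """Run every check and return the combined findings."""
    return (unnecessary_services(ss_output) + password_policy(login_defs)
            + share_permissions(smb_conf))

# Constructed sample inputs; none of this comes from a real host.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 50 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=901,fd=4))
LISTEN 0 128 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1044,fd=33))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1200,fd=21))
"""
LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
"""
SMB_CONF = """\
[global]
workgroup = WORKGROUP
[public]
path = /srv/public
guest ok = yes
read only = no
[finance]
path = /srv/finance
valid users = @finance
read only = no
"""

if __name__ == "__main__":
    for f in audit_host(SS_OUTPUT, LOGIN_DEFS, SMB_CONF):
        print(f"{f.category}: {f.detail}")
```

Two design points matter for an auditor. The service check keys on the bound address, not just the port, so a database listening only on loopback is not reported while a telnet daemon on all interfaces is; and the share check treats `read only = no` and `writeable = yes` as equivalent, because Samba does, which is exactly the kind of synonym a hand review misses. The `[finance]` share is writable but restricted to a group, so it produces no finding: the control being tested is guest access, not writability as such.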
Reality Check – The Unsafe Neighborhood
Increased threats, as attackers are
– Using sophisticated social engineering methods
– Building technical knowledge and skills
– Gaining leverage through automation
– Exploiting network interconnections and moving easily through the infrastructure
– Becoming more skilled at masking their behavior
Changing Paradigm
(Chart: hacking tools plotted against intruder skill. Techniques shown: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, backdoors, hijacking sessions, stealth diagnostics, packet forging/spoofing, anti-detection, web-crawler attacks.)
Reality Check – The Cost Factor
Market growth is driving technology vendors to
– Decrease time to market while keeping cost, performance and features as the primary concerns
– Invisibles such as security many times remain SECONDARY
  • SERVICE PACKS & HOT FIXES are not the optimum solution
The Profit Margin vs. Security Paradox – Is it really a paradox?
Where does that leave today's Organisation?
(Diagram: corporate data, customer data, personal data and employees at the centre; around them THE WORLD – suppliers, business partners, customers, attackers, competition and enforcement agencies – exchanging transactions and content with the organisation.)
Just about ANYONE is just a mouse click away…
The Stake
– Business reputation
– A 100 points off your share price
– Loss of customer personal identity and privacy, if not credit card numbers and hard cash
– Solvency
– Survival
Deciphering it further
– Identification: Can we find out who is trying to reach us?
– Authentication: Can we ensure that users are who they claim to be?
– Authorization: Can we limit/control their actions?
– Confidentiality: Can we ensure that the privacy of sensitive information is maintained?
– Integrity: Can we ensure that the data has not been manipulated during or after transmission?
– Non-repudiation: Can we ensure that sender and receiver are accountable/ responsible for their actions?
– Auditability: Can we ensure the ability to trace actions?
– Intrusion detection: Can we detect any unauthorised access attempts?
– Error correction: Can we correct errors as soon as they are detected?
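The integrity and auditability questions above are usually answered together by a tamper-evident audit trail. The following Python example is added here and is not part of the original presentation: each record carries an HMAC over its own content and the previous record's tag, so editing, reordering, inserting or removing an interior record breaks the chain. The shared key, the actors and the actions are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Hypothetical shared key (constructed). Writer and verifier both hold it, which is
# why this scheme gives integrity and origin authentication but not non-repudiation.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # stands in for the "previous tag" of the first record


def _canonical(record):
    # Sorted keys and no whitespace, so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, actor, action, key=KEY):
    """Append an audit record and return it. Its tag also covers the predecessor's tag."""
    body = {
        "seq": len(chain),
        "actor": actor,
        "action": action,
        "prev": chain[-1]["tag"] if chain else GENESIS,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    chain.append(entry)
    return entry


def verify_chain(chain, key=KEY):
    """Return (True, None) if every record is authentic and in order, otherwise
    (False, i) where i is the index of the first record that fails."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # a record was removed, duplicated or reordered
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i  # content altered, or tag forged without the key
        prev = entry["tag"]
    return True, None


def demo():
    """Build a short trail, then show which manipulations the verifier catches."""
    chain = []
    for actor, action in [("alice", "login"), ("alice", "export customer_list"),
                          ("bob", "login")]:
        append_entry(chain, actor, action)
    results = {"intact": verify_chain(chain)}

    edited = [dict(e) for e in chain]
    edited[1]["action"] = "view dashboard"        # cover up the export
    results["edited"] = verify_chain(edited)

    deleted = chain[:1] + chain[2:]               # drop the export record entirely
    results["deleted"] = verify_chain(deleted)

    truncated = chain[:2]                         # drop the newest record
    results["truncated"] = verify_chain(truncated)  # not detected by the chain alone
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} -> {result}")
```

The failure mode the demo leaves visible is truncation: dropping the newest record leaves a chain that still verifies, so the latest tag has to be anchored somewhere the log writer cannot alter (a write-once store, a periodic printout, a second system). The example also shows why the slide lists non-repudiation separately from integrity: anyone holding `KEY` can produce a valid tag, so the trail proves the records are unaltered but cannot prove which key holder wrote them. Signing each record with the actor's own private key would close that gap.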
What is there in IT controls?
“It’s what keeps the hackers out.”
“It’s managing access to systems through the use of IDs and passwords.”
“It’s the process of encrypting data so others can’t read it.”
“It’s a barrier, preventing me from doing what I need to do.”
“It’s unnecessary overhead.”
IT controls
Key facets of IT controls include:
– People – organization, responsibility, accountability, and leadership
– Process – policies, procedures, and practices
– Technology – scalable technical support for automation, integration, and enabling of information security operations
Bottom line: It's NOT just a technology problem.
IT controls
IT Controls
– General IT controls
  • Derived from the security policy
  • Address the IT controls environment for the organization as a whole
– Business system application controls
  • Aligned with the business processes
  • Address the system-based control requirements for effective usage of IT systems
IT Controls – assessment approach
(Flow diagram: Controls environment/ Business processes → Expected controls → Existing controls → Comparative analysis → Residual risks → Recommended controls)
Controls environment/ Business processes
• Understand the controls environment/ business process requirements
• Establish control objectives
• Identify control parameters
Expected controls
• Risk assessment
• Assess the controls requirement
  – Management controls
  – Application controls
  – Manual controls
Existing controls
• Identify the existing controls
• Evaluate the effectiveness of, and compliance with, existing controls
Comparative analysis
• Assess adequacy of implemented controls vis-à-vis the risks to which the organization and its business processes are exposed
Residual risks
• Assess control effectiveness
• Identify the residual risk
• Risk rating
• Risk exposure
Recommended controls
• Identify the required controls
General IT controls
– Management of IT
– Continuity of systems
– Physical security and environmental control
– Security of information and systems
– Systems development
– Change management
– Control assurance
Business system application controls – Integrated Application System Controls Framework
(Diagram: five phases – 1 Initiate, 2 Design, 3 Assessment, 4 Follow up and evaluate, 5 Close out – with the control areas below and the outcome each is meant to deliver.)
– System administration, change management, business continuity, disaster recovery, support
  Outcome: adequate maintenance and support
– User access rights, infrastructure security (network, O/S & DBs), monitoring and detection, security policies & procedures, user security administration
  Outcome: facilitate processes and support key platforms
– Process documentation, control risk analysis, control design
  Outcome: effective, efficient controls that maximize functionality
– Data mapping, data conversion, interfaces, audit trail
  Outcome: accurate, complete and timely data for decision-making
Enforcement of IT controls
Sarbanes-Oxley Section 404
– Management assessment of internal controls (including IT controls)
  • Internal control report (based on a controls framework)
    – General IT controls
    – Business system application controls
  • Report – validated and signed off
  • Any material weakness in controls is documented and reported
Enforcement of IT controls
BS 7799/ ISO 27001
– Information Security Management System
– The only one of the standards discussed here against which an organisation can be certified
– Covers the information assets
  • Including the IT infrastructure
Enforcement of IT controls
Statement on Auditing Standards (SAS) 70
– Audit of a third party service provider
– Primarily covers
  • General IT controls
  • Transaction processing and application system controls
– Main differences from ISO 27001
  • SAS 70 is an examination standard
  • Governed by AICPA guidelines
  • Certification cannot be carried out
  • Reporting
    – Type 1 – controls as designed and placed in operation at a point in time
    – Type 2 – additionally tests operating effectiveness over a period
Enforcement of IT controls
Various data privacy/ information security acts
– Gramm-Leach-Bliley Act, 1999 (for financial institutions)
  • Inform customers about the institution's practices for gathering, using and disclosing customers' non-public personal financial information
– Health Insurance Portability and Accountability Act (HIPAA)
  • Safeguard individually identifiable health information from inappropriate disclosure
– UK Data Protection Act 1998
  • Individuals have certain rights regarding information held about them
– EU directive on data protection
  • Directive 95/46/EC
– India IT Act 2000
  • Provides the legal infrastructure for e-commerce in India
The way forward
Seven Habits for Effective Information Controls
1 Strategic Focus towards Information Controls
2 Risk Management -> Information Controls
3 A Process, Not an End Destination
4 Top Management Presence and Authority in Decision Making
5 Recognizing that the Weakest Link will cause Maximum Exposure
6 Continuous Improvement, Periodic Assessment
7 Line Management Responsibility for Information Controls