current trend in information technology


  • 8/10/2019 Current Trend in Information Technology

    1/44

    Current Trends in Information Technology: Which way for Modern IT Auditors?

    Joseph Akoki, ACA, MCP, CISA, AMIMC

    Information Security & Risk Insights Africa, Accra 2014

  • 2/44

    Quotes

    "Technology is like a fish. The longer it stays on the shelf the less desirable it becomes." - Andrew Heller

    "What I did in my youth is a hundred times easier today; technology breeds crime." - Frank Abagnale

    "There will come a time when it isn't 'they are spying on me through my phone' anymore. Eventually it will be 'my phone is spying on me'." - Philip K. Dick

  • 3/44

    Reality!!!

    "Technology changes twice every year; the only way not to be left behind is to respond to changes, if not you will be twice behind." - Anonymous

    "We are getting closer and closer to the year when cars will run with water." - BANK PHB Nigeria

  • 4/44

    With a 13% increase in identity fraud between 2010 and 2011, a study conducted by Javelin Strategy & Research showed that consumers may be putting themselves at a higher risk for identity theft as a result of their increasingly intimate social media behaviors.

  • 5/44

    Point to note

    Audit failure most times is not caused by receiving brown envelopes; most times it is caused by not adhering to the audit quality control process.

  • 6/44

    KNOWING YOUR ENVIRONMENTS

    IS CONTROL IS CORPORATE CONTROL...

    "So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself."

    - Quotation from The Art of War by Sun Tzu

  • 7/44

    KNOWING YOUR ENVIRONMENTS

    [Diagram: factors on the auditor's and the auditee's side that lead either to a Quality Audit or to Danger / audit failure]

    Yourself (auditor): Tools; Competency (human resources); Methodology; Time & deadlines

    Enemies (auditee): Law & regulation; Business process of the auditee; Risk assessment by management; Changing technology

    Danger / audit failure

    Quality Audit

    NB: Audit failure is where the audit has failed to fulfill its objective of providing reliable evidence upon which an audit opinion could be based.

  • 8/44

    Trend Drivers

    Customers

    Regulators

    Competitors

    Cost/Revenue

  • 9/44

    Training Objectives:

    1. Identify the technologies that will have the greatest impact on banking business and audit functions

    2. Explain why understanding trends and new technologies can help an organization prepare for the future

    3. Explore the risk inherent in these emerging technologies and how audit planning can respond adequately

  • 10/44

    Introduction

    Obtaining a broad view of emerging trends and new technologies as they relate to business can help an organization anticipate and prepare for the future.

    Organizations that can most effectively grasp the deep currents of technological evolution can use their knowledge to protect themselves against sudden and fatal technological obsolescence.

  • 11/44

    Trend Drivers example: Customers

    Quote from The McKinsey Quarterly

    "The emerging affluent segment (young, educated, and consumption-oriented urban professionals) could account for up to a third of all retail-banking revenues in the coming three to five years: they are tech savvy, preferring online banking and smartphone applications; reluctant users of branches (bricks and mortar); and price conscious and service oriented."

    (February 2012, Miklós Dietz, Ádám Homonnay, and Irene Shvakman)

  • 12/44

    News: Headline

    Gartner: Majority of Banks Will Turn to Cloud for Processing Transactions By 2016.

    IBM Develops NFC Authentication Technology

    Barclays Puts the Safety Deposit Box in the Cloud. Barclays online banking customers will now be able to scan and upload important documents to a cloud-based document storage system.

    What Banks Should Know About Disaster Recovery in the Cloud. The cloud offers faster recovery from disasters, but banks need to be on the same page with their providers on issues like data ownership and interoperability.

  • 13/44

    The need to know the trend:

    The jagged economic landscape, complicated by advancing technologies such as cloud, social media and mobile devices, can challenge the ability of an IT auditor to provide comfort to executives already overwhelmed with rapidly expanding opportunities and pressures caused by shrinking margins.

  • 14/44

    Pace of technological innovation is increasing

    Medical knowledge is doubling every eight years

    50% of what students learn in their freshman year of college is obsolete, revised, or taken for granted by their senior year

    All of today's technical knowledge will represent only 1 percent of the knowledge that will be available in 2050

    Potential business impact:

    Shortened time-to-market for products and services

    Tighter competition based on new technologies

    Tighter monitoring requirements

  • 15/44

    The Digital Disruption

    The five post-digital forces affecting business: cloud, mobile, social, analytics and cyber

    The digital revolution is disrupting every industry, creating new possibilities and changing the ways business is done.

    The only way to compete is to evolve

  • 16/44

    News: Headline

    IBM Develops NFC Authentication Technology

    IBM announced it has developed a new mobile payments authentication security technology based on near-field communication (NFC) technology. According to IBM, a user engaging in a mobile transaction would hold a contactless smartcard next to the NFC reader of the mobile device and, after keying in their PIN, a one-time code would be generated by the card and sent to the server by the mobile device. The technology is based on end-to-end encryption between the smartcard and the server using the National Institute of Standards & Technology (NIST) AES (Advanced Encryption Standard) scheme. Current technologies on the market require users to carry an additional device, such as a random password generator, IBM stated.
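The flow the headline describes, as an added Python simulation (not IBM's implementation, whose scheme details the slide does not give): the card binds a one-time code to its own secret, a fresh counter, the transaction and the PIN; the phone merely relays it; only the server can check it. HMAC-SHA256 stands in for the AES-based end-to-end scheme, and the card id, key and message fields are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo secret shared between the card and the bank server at
# enrollment; a real card would have this provisioned by the issuer.
DEMO_KEY = b"constructed-demo-card-key-0123456789"
CODE_LEN = 16  # hex characters of the one-time code sent to the server


def _pin_digest(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


def _one_time_code(key: bytes, card_id: str, counter: int, txn: str, pin_digest: bytes) -> str:
    # HMAC-SHA256 stands in for the AES-based end-to-end scheme on the slide:
    # the code depends on the card secret, a fresh counter, the transaction and the PIN.
    msg = f"{card_id}|{counter}|{txn}|".encode() + pin_digest
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:CODE_LEN]


class Card:
    """Contactless smartcard held against the phone's NFC reader."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id, self.key, self.counter = card_id, key, 0

    def generate(self, pin: str, txn: str) -> dict:
        self.counter += 1  # never reused, so the server can reject replays
        code = _one_time_code(self.key, self.card_id, self.counter, txn, _pin_digest(pin))
        return {"card_id": self.card_id, "counter": self.counter, "txn": txn, "code": code}


class Server:
    """Bank server: the only other party that knows the card key and PIN digest."""

    def __init__(self):
        self.cards = {}

    def enroll(self, card_id: str, key: bytes, pin: str) -> None:
        self.cards[card_id] = {"key": key, "pin": _pin_digest(pin), "last": 0}

    def verify(self, msg: dict) -> bool:
        rec = self.cards.get(msg["card_id"])
        if rec is None or msg["counter"] <= rec["last"]:
            return False  # unknown card, or a replayed / out-of-order code
        expected = _one_time_code(rec["key"], msg["card_id"], msg["counter"], msg["txn"], rec["pin"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False  # wrong PIN, wrong key, or the message was altered in transit
        rec["last"] = msg["counter"]
        return True


def phone_relay(msg: dict, altered: Optional[dict] = None) -> dict:
    """The mobile device only forwards the card's message; it holds no key.
    `altered` models a compromised phone changing fields on the way through."""
    out = dict(msg)
    if altered:
        out.update(altered)
    return out


def run_scenarios(key: bytes = DEMO_KEY) -> dict:
    """Exercise the flow end to end; returns the server's decision per scenario."""
    card, server = Card("card-001", key), Server()
    server.enroll("card-001", key, pin="4821")
    results = {}
    good = card.generate("4821", "pay 25.00 to merchant-42")
    results["valid"] = server.verify(phone_relay(good))
    results["replay"] = server.verify(phone_relay(good))
    results["wrong_pin"] = server.verify(phone_relay(card.generate("0000", "pay 25.00 to merchant-42")))
    tampered = phone_relay(card.generate("4821", "pay 25.00 to merchant-42"),
                           {"txn": "pay 2500.00 to merchant-99"})
    results["tampered_by_phone"] = server.verify(tampered)
    results["valid_again"] = server.verify(phone_relay(card.generate("4821", "pay 10.00 to merchant-7")))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected'}")
```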


  • 18/44

    Continuity Across Devices

    With more users working across multiple devices, we see a move to provide the missing link in today's computing experience: the ability to pick up the session on a different device in exactly the same place you left off.

    Innovation will occur behind the scenes, to provide a continuous experience for users across call logs, text messages, notes and

  • 19/44

    All Encompassing Smartphones

    Nowadays, consumers are increasingly relying on their smartphones for just about everything. From researching purchasing decisions to mobile commerce, expect to see more brands start to innovate and cater to the needs of mobile audiences, both customers and staff, to allow for more seamless use and integration of

  • 20/44

    IPv6: Major surgery for the Internet

    IPv6 is the new Internet protocol replacing IPv4. Protecting IPv6 is not just a question of porting IPv4 capabilities. There are fundamental changes to the protocol which need

  • 21/44

    IPv6: Major surgery for the Internet (contd.)

    The Difference Between IPv6 and IPv4 IP Addresses

    An IP address is a binary number but can be stored as text for human readers. For example, a 32-bit numeric address (IPv4) is written in decimal as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

    IPv6 addresses are 128-bit IP addresses written in hexadecimal and separated by colons. An example IPv6 address could be written like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf

    Sources: http://www.webopedia.com/TERM/I/IP_address.html, http://www.webopedia.com/TERM/B/binary.html
  • 22/44

    Others are:

    T+3 becoming T

    Instant transfers

    ATM accepting cash and cheques

    Cheques scanned with mobile phones

    Wearable technologies

    Virtualisation of all kinds: virtual customers, staff and projects, etc.

  • 23/44

    Cloud Computing

  • 24/44

    Contending With Cloud Services

    Small, medium and large enterprises are beginning to adopt cloud services, PaaS and SaaS, at a greater rate. This trend presents a big challenge for network security, as traffic can go around traditional points of inspection. Additionally, as the number of applications available in the cloud grows, policy controls for Web applications and cloud services will also need to evolve.

    But as the cloud evolves, so too must network security.

  • 25/44

    What is cloud computing?

    Cloud Computing is not:

    Any specific technology, such as VMware or SalesForce

    Virtualization

    Outsourcing

    Grid computing

    Web hosting

    Cloud Computing is:

    An IT delivery approach that binds together technology infrastructure, applications, and internet connectivity as a defined, managed service that can be sourced in a flexible way

    Cloud computing models typically leverage scalable and dynamic resources through one or more service and deployment models

    The goal of cloud computing is to provide easy access to, and elasticity of, IT services.

  • 26/44

    Key Areas to Focus on during Audit

    Identity and Access Management: Verify that only approved personnel are granted access to services based on their roles, and that access is removed in a timely manner upon the personnel's termination of employment and/or a change in their roles that does not require the said access.

    Physical Security

    Hosting & Data Logical Security: Segregation of tiers; hosting encryption methods; accessibility from the open Internet, over-permissive rules that open a wide range of ports

    Authentication & Authorization: Length / strength of passwords, systems to enforce / control password security / reset rules; use of hardware / software tokens; management of key fobs; only authorized users are granted access rights after proper approval; access for transferred employees is modified in a timely manner; unauthorized access to cloud computing resources is removed promptly; periodic review of super-user and regular access to cloud applications

    Connection & Data Transmission: Secure connectivity such as VPN IPsec, SSL, HTTPS where secure data is being transmitted for regular users or administrators

  • 27/44

    Key Areas to Focus on during Audit: Auditing Cloud Computing in Five Relevant Areas

    Audit Objective(s)

    Technology Risks: Unique risks related to the use of a virtual operating system with co-tenants.

    Is your primary service provider utilizing another sub-service provider? For example, there are several cases where a SaaS provider is utilizing an IaaS provider. Do you know whether your primary service provider is protecting you adequately from the risks inherent in utilizing an IaaS provider?

    Hypervisor technology utilized and whether it is patched

    Process for monitoring and patching known vulnerabilities in hypervisor technology

    Segregation of duties (SoD) considerations both from a technology and from a business perspective. For example, from a technology SoD perspective, does one person have access to the host and guest operating systems as well as the guest database? From a business perspective, for financially significant applications, just because an application is in the cloud does not diminish the importance of segregating access within the application.

    Logging of access to the applications and data, where relevant

    Protection of access logs from inadvertent deletion or unauthorized access

  • 28/44

    Common Observations When Auditing Cloud Computing

    Password settings for cloud resources (applications, virtual servers etc.) do not comply with the user organization's password policies. Sometimes the cloud vendor's resources do not support the user organization's policy requirements, but several times the cloud administrators at the user organization are not aware.

    Port settings on cloud server instances not appropriately configured (administrator added exceptions to administer the cloud from their home computer and mobile device)

    Lack of policy and procedures for appropriate handling of security and privacy incidents

    Terminated users found to be active on applications in the cloud (even though the individual's network access was terminated), and there was no IP range restriction

    Employees transferred out of a certain department had access to cloud resources even though they transferred to another department a few months ago

    Service provider's SOC report was not reviewed for impact on the user organization

    Sensitive data (PII) in the cloud was found to be not encrypted. Sometimes the user organization is not aware that sensitive data resides in the cloud. Most commonly, with the use of the cloud for test environments, sensitive data is not scrambled/de-identified before being sent to the cloud. It might even be your third-party development vendor doing that.

    Use of shared accounts to administer the cloud
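The key audit areas (slides 26 and 27) and the common observations above can be turned into repeatable checks. This added Python example (not from the deck) reconciles a constructed HR extract with a cloud tenant's user list, compares the tenant's password settings with the organisation's policy, and reviews firewall rules for admin ports open to the Internet and over-wide port ranges; all names, roles, policies and rules are constructed sample data.

```python
from collections import Counter
from ipaddress import ip_network
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (audit area from the slides, observation)

# Constructed sample data standing in for an HR extract, the cloud console's
# user list, its password settings and its firewall (security group) rules.
HR = {
    "jdoe": {"status": "active", "dept": "finance"},
    "asmith": {"status": "terminated", "dept": "ops"},
    "kwei": {"status": "active", "dept": "marketing"},  # moved out of finance
    "lrobb": {"status": "active", "dept": "ops"},
}
CLOUD_USERS = [
    {"user": "jdoe", "role": "finance-app-user", "enabled": True},
    {"user": "asmith", "role": "cloud-admin", "enabled": True},
    {"user": "kwei", "role": "finance-app-user", "enabled": True},
    {"user": "admin", "role": "cloud-admin", "enabled": True},  # generic login
]
ROLE_DEPT = {"finance-app-user": "finance", "cloud-admin": "ops"}
ORG_PASSWORD_POLICY = {"min_length": 12, "max_age_days": 90, "history": 10}
CLOUD_PASSWORD_POLICY = {"min_length": 8, "max_age_days": 0, "history": 3}
FIREWALL_RULES = [
    {"port_from": 443, "port_to": 443, "source": "0.0.0.0/0"},
    {"port_from": 22, "port_to": 22, "source": "0.0.0.0/0"},  # admin port, anywhere
    {"port_from": 1024, "port_to": 65535, "source": "203.0.113.0/24"},  # wide range
]
ADMIN_PORTS = {22, 3389, 5985, 5986}


def check_leavers_and_movers(hr: Dict, users: List[Dict], role_dept: Dict) -> List[Finding]:
    """Reconcile cloud accounts with HR: terminated, transferred and unowned accounts."""
    out: List[Finding] = []
    for u in users:
        person = hr.get(u["user"])
        if person is None:
            out.append(("IAM", f"{u['user']}: no HR owner; shared or generic admin account?"))
        elif person["status"] == "terminated" and u["enabled"]:
            out.append(("IAM", f"{u['user']}: terminated in HR but still enabled as {u['role']}"))
        elif role_dept.get(u["role"], person["dept"]) != person["dept"]:
            out.append(("IAM", f"{u['user']}: keeps {u['role']} after moving to {person['dept']}"))
    return out


def check_password_policy(org: Dict, cloud: Dict) -> List[Finding]:
    """Compare the cloud tenant's password settings with the organisation's policy."""
    out: List[Finding] = []
    if cloud["min_length"] < org["min_length"]:
        out.append(("AuthN", f"min length {cloud['min_length']} below policy {org['min_length']}"))
    if org["max_age_days"] and not 0 < cloud["max_age_days"] <= org["max_age_days"]:
        out.append(("AuthN", f"expiry {cloud['max_age_days'] or 'never'} vs policy {org['max_age_days']} days"))
    if cloud["history"] < org["history"]:
        out.append(("AuthN", f"password history {cloud['history']} below policy {org['history']}"))
    return out


def check_firewall(rules: List[Dict], admin_ports: set, max_span: int = 100) -> List[Finding]:
    """Flag admin ports reachable from the open Internet and rules opening wide port ranges."""
    out: List[Finding] = []
    for r in rules:
        lo, hi, src = r["port_from"], r["port_to"], r["source"]
        exposed = sorted(p for p in admin_ports if lo <= p <= hi)
        if exposed and ip_network(src).prefixlen == 0:  # /0 means "from anywhere"
            out.append(("Hosting", f"admin port(s) {exposed} open to the Internet via {src}"))
        if hi - lo + 1 > max_span:
            out.append(("Hosting", f"rule opens {hi - lo + 1} ports ({lo}-{hi}) from {src}"))
    return out


def audit() -> List[Finding]:
    return (check_leavers_and_movers(HR, CLOUD_USERS, ROLE_DEPT)
            + check_password_policy(ORG_PASSWORD_POLICY, CLOUD_PASSWORD_POLICY)
            + check_firewall(FIREWALL_RULES, ADMIN_PORTS))


def findings_by_area(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(area for area, _ in findings))


if __name__ == "__main__":
    for area, text in audit():
        print(f"[{area}] {text}")
```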

  • 29/44

    Good Practices in Cloud Computing

    Sensitive data is encrypted before sending to the cloud

    Making sure that multiple people receive notifications from the cloud service provider and that the list of individuals/email ids is periodically reviewed and updated. This is simple to implement and very beneficial.

    Several cloud service providers offer the option of IP range restriction. That could be a great tool for utilizing cloud-based services while keeping the security comfort of in-house IT.

    Use of a secure connection when connecting to the cloud, any time sensitive data is exchanged

    Access to cloud computing resources is integrated with the user organization's identity and access management process instead of being handled one-off

    Use of multi-factor authentication (MFA) such as hardware/software tokens or mobile authentication (particularly if the mobile phone is a company resource) for administration of cloud resources. This could also protect in case the user organization's employees are subject to a phishing attack.

    Review proper independent review reports/certification: sometimes a SOC report is not sufficient

    Contd.

  • 30/44

    Contd. Top Risk Areas

    Privileged user access: Who at the cloud provider will have access to your data? What controls does the provider have over these people's access? How does the provider hire and fire?

    Regulatory Compliance: How will using the cloud affect your ability to comply with regulatory requirements (e.g. SOX, GLBA, HIPAA, PCI)? Has the provider undergone any kind of third party audit or certification?

    Data Location and Ownership: Where will the data be stored? Will it be replicated out of the country? Can the customer restrict where the data is stored? Who owns the data once it is in the cloud?

    Data Segregation: How does the provider ensure that its other customers cannot see my data? What type of encryption is in place? How are the keys managed?

    Recovery: What happens to my data in the event of a disaster? Is it backed up or replicated somewhere? How can I access my backups? How long does it take to restore my data?

    Forensic Support: If any kind of legal investigation is required because of illegal activity, can the provider support the customer?

    Long Term Viability: What is the provider's financial posture? Will they be around in the next 5-15 years? If they fail, how does the customer get his data back?

    Third Party Relationships: What third party relationships does your cloud provider have in place?

    Due Diligence: Have you performed extensive due diligence on your cloud provider?

  • 31/44

    Contd.

    Cloud provider's key Risk and Performance Indicators: Understand the cloud provider's key risks and performance indicators and how these can be monitored and measured from a customer's perspective

  • 32/44

    Auditing Mobile Computing

  • 33/44

    10 Steps for Auditing Mobile Computing Security Test

    Ensure that mobile device management software is running the latest approved software and patches.

    Verify that mobile clients have protective features enabled if they are required by your mobile device security policy.

    Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device.

    Evaluate the use of security monitoring software and processes.

    Verify that unmanaged devices are not used on the network. Evaluate controls over unmanaged devices.

    Evaluate procedures in place for tracking end user trouble tickets.

    Ensure that appropriate security policies are in place for your mobile devices.

    Evaluate disaster recovery processes in place to restore mobile device access should a disaster happen.

    Evaluate whether effective change management processes exist.

    Evaluate controls in place to manage the service life cycle of personally owned and company-owned devices and any associated accounts used for the gateway.

  • 34/44

    Auditing Mobile Device Mgt

    Once installed, an MDM solution can enforce numerous security policies. Auditors should verify these policies are in place:

    Anti-malware and firewall policy. Mandates installation of security software to protect the device's apps, content, and operating system.

    App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.

    App-vetting policy. Ensures that only trustworthy whitelisted apps can be installed; blocks blacklisted apps that could contain malicious code.

    Encryption policy. Ensures that the contents of the device's business container are encrypted and secured.

  • 35/44

    Auditing Mobile Device Mgt contd.

    PIN policy. Sets up PIN complexity rules and expiration periods, as well as preventing reuse of old PINs.

    Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.

    Jailbreak policy. Prohibits unauthorized alteration of a device's system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.

    Remote wipe policy. Erases the device's business container contents should the device be lost or stolen.

    Revoke access policy. Disconnects the employee's device from the organization's network when the MDM's remote monitoring feature determines that it is no longer in compliance.
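The MDM policies on these two slides, worked as an added Python example (not any MDM product's code): the device-side PIN check applies the complexity, sequence and reuse rules when a user sets a new PIN, and the posture evaluation models what the remote monitoring feature checks before the revoke-access policy disconnects a device. The policy values, "as of" date and device reports are constructed for the demo.

```python
import hashlib
from datetime import date
from typing import Dict, List

# Constructed MDM policy mirroring the policies listed on the slides.
POLICY = {
    "pin_min_length": 6, "pin_max_age_days": 90, "pin_history": 5,
    "lockout_minutes": 5, "min_os_build": 17,
    "allowed_apps": {"mail", "vpn", "authenticator", "browser"},
    "blocked_apps": {"sideload-store", "remote-tool"},
}
TODAY = date(2014, 5, 27)  # constructed "as of" date for the age checks

# Constructed posture reports as an MDM agent might send them.
DEVICES = [
    {"id": "phone-01", "antimalware": True, "os_build": 18, "apps": ["mail", "vpn"],
     "container_encrypted": True, "pin_set_on": date(2014, 4, 1),
     "lockout_minutes": 2, "jailbroken": False},
    {"id": "phone-02", "antimalware": False, "os_build": 15,
     "apps": ["mail", "sideload-store", "flashlight"], "container_encrypted": False,
     "pin_set_on": date(2014, 1, 1), "lockout_minutes": 30, "jailbroken": True},
]


def pin_hash(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


def check_new_pin(candidate: str, history: List[str], policy: Dict) -> List[str]:
    """Device-side PIN policy, run when a user sets a new PIN. `history` holds
    hashes of earlier PINs, so old values are never kept in clear."""
    problems = []
    digits = [int(c) for c in candidate] if candidate.isdigit() else []
    if len(digits) < policy["pin_min_length"]:
        problems.append(f"PIN must be at least {policy['pin_min_length']} digits")
    if digits and len(set(digits)) == 1:
        problems.append("PIN is a single repeated digit")
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(digits) > 1 and steps in ({1}, {-1}):
        problems.append("PIN is a sequential run")
    if pin_hash(candidate) in history[-policy["pin_history"]:]:
        problems.append(f"PIN reuses one of the last {policy['pin_history']} PINs")
    return problems


def evaluate_device(report: Dict, policy: Dict, today: date) -> List[str]:
    """Posture checks the MDM's remote monitoring runs against a device report."""
    v = []
    if not report["antimalware"]:
        v.append("anti-malware/firewall software not installed")
    if report["os_build"] < policy["min_os_build"]:
        v.append(f"OS build {report['os_build']} below required {policy['min_os_build']}")
    apps = set(report["apps"])
    if apps & policy["blocked_apps"]:
        v.append(f"blacklisted app(s) installed: {sorted(apps & policy['blocked_apps'])}")
    unvetted = apps - policy["allowed_apps"] - policy["blocked_apps"]
    if unvetted:
        v.append(f"app(s) not on the whitelist: {sorted(unvetted)}")
    if not report["container_encrypted"]:
        v.append("business container not encrypted")
    if (today - report["pin_set_on"]).days > policy["pin_max_age_days"]:
        v.append("PIN older than the expiration period")
    if report["lockout_minutes"] > policy["lockout_minutes"]:
        v.append(f"inactivity lockout {report['lockout_minutes']} min exceeds {policy['lockout_minutes']} min")
    if report["jailbroken"]:
        v.append("device is jailbroken")
    return v


def decide(devices: List[Dict], policy: Dict, today: date) -> Dict[str, Dict]:
    """Revoke-access policy: a device that fails any check is disconnected,
    and the reasons are kept as evidence for the auditor."""
    result = {}
    for d in devices:
        violations = evaluate_device(d, policy, today)
        result[d["id"]] = {"action": "revoke" if violations else "allow", "violations": violations}
    return result


if __name__ == "__main__":
    for dev, outcome in decide(DEVICES, POLICY, TODAY).items():
        print(dev, outcome["action"], *outcome["violations"], sep="\n  ")
```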

  • 36/44

    AUDITING Social Media

  • 37/44

    ROLE OF INTERNAL AUDITING - Social Media

    IT auditors should be mindful of the risks associated with social media, and take steps to validate that the institution has established an effective social media risk management program commensurate with the degree of the institution's use of social media. In auditing social media, internal auditors should consider the following steps:

  • 38/44

    Program Governance and Oversight

    Evaluate how the institution assigns accountability for social media activities.

    Review social media-related policies and procedures for consistency with stated social media objectives.

    Assess the institution's process to stay informed of actual and proposed social media activities.

    Evaluate procedures to review and approve social media content before publication.

    Determine how social media risks are periodically assessed and documented.

  • 39/44

    Alignment of Activities with Enterprise Strategy

    Determine if the institution has formally documented an enterprise-wide social media strategy.

    Review the documented social media strategy for specific objectives and defined metrics against which progress is measured, including risk appetite.

    Evaluate the process by which business line social media practices are reviewed for consistency with the institution's enterprise-wide social media strategies.

  • 40/44

    Compliance with Laws and Regulations

    Discuss with legal and compliance personnel how legal and regulatory requirements are assessed for applicability to social media activities.

    Assess the completeness of the institution's inventory of laws and regulations applicable to social media activities.

    Evaluate how legal and compliance are involved in the use of new social media technologies that may impact compliance with legal and regulatory requirements.

  • 41/44

    Operational Risk Management

    Determine if technological tools have been used to monitor and restrict social media usage, and consider opportunities to automate new and existing preventative and detective controls.

    Evaluate how the institution provides and rescinds access to social media platforms, including standards for reviewing and approving access as appropriate.

    Discuss with management the types of training provided to employees with access to the institution's social media platforms.

    Determine if third-party social media tools and software solutions are evaluated for operational and compliance impacts in accordance with the institution's documented vendor management program, if applicable.

  • 42/44

    Reputational Risk Management

    Evaluate whether management distinguishes consumer complaints received through social media platforms from social media incidents.

    Determine if management has identified complaint and incident scenarios that require escalation to legal, compliance, senior management, or other parties.

    Assess how social media exchanges are monitored for integrity and fairness to consumers.

  • 43/44

    Last word for the modern day IT Auditor

    The current trends in IT, presently and in the future, demand IT auditors to be IT savvy, current and evolving, so we have to:

    Learn - moving with Technology

    Train - build capacity

    Share - leveraging
