current trend in information technology
-
8/10/2019 Current Trend in Information Technology
1/44
Current Trends in Information Technology: Which way for Modern IT Auditors?
Joseph Akoki, ACA, MCP, CISA, AMIMC
Information Security & Risk Insights Africa, Accra 2014
-
Quotes
"Technology is like a fish. The longer it stays on the shelf, the less desirable it becomes." - Andrew Heller
"What I did in my youth is a hundred times easier today; technology breeds crime." - Frank Abagnale
"There will come a time when it isn't 'they are spying on me through my phone' anymore. Eventually it will be 'my phone is spying on me'." - Philip K. Dick
-
Reality!!!
"Technology changes twice every year; the only way not to be left behind is to respond to changes. If not, you will be twice behind." - Anonymous
"We are getting closer and closer to the year when cars will run on water." - BANK PHB Nigeria
-
With a 13% increase in identity fraud between 2010 and 2011, a study conducted by Javelin Strategy & Research showed that consumers may be putting themselves at a higher risk for identity theft as a result of their increasingly intimate social media behaviors.
-
Point to note
Audit failure most times is not caused by receiving brown envelopes; most times it is caused by not adhering to the audit quality control process.
-
KNOWING YOUR ENVIRONMENTS
5/27/2014
IS CONTROL IS CORPORATE CONTROL...
So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.
- Quotation from The Art of War by Sun Tzu
-
KNOWING YOUR ENVIRONMENTS
Diagram labels (the slide shows a diagram relating these elements): Yourself (auditor); Tools; Competency (human resources); Methodology; Time & deadlines; Enemies (auditee); Law & regulation; Business process of the auditee; Risk assessment by management; Changing technology; Danger/audit failure; Quality Audit.
NB: Audit failure is where the audit has failed to fulfil its objective of providing reliable evidence upon which an audit opinion could be based.
-
Trend Drivers
Customers
Regulators
Competitors
Cost/Revenue
-
Training Objectives:
1. Identify the technologies that will have the greatest impact on banking business and audit functions
2. Explain why understanding trends and new technologies can help an organization prepare for the future
3. Explore the risk inherent in these emerging technologies and how audit planning can respond adequately
-
Introduction
Obtaining a broad view of emerging trends and new technologies as they relate to business can help an organization anticipate and prepare for the future.
Organizations that can most effectively grasp the deep currents of technological evolution can use their knowledge to protect themselves against sudden and fatal technological obsolescence.
-
Trend Drivers example: Customers
Quote from The McKinsey Quarterly
"The emerging affluent segment (young, educated, and consumption-oriented urban professionals) could account for up to a third of all retail-banking revenues in the coming three to five years: they are tech savvy, preferring online banking and smartphone applications; reluctant users of branches (bricks and mortar); and price conscious and service oriented."
(February 2012, Miklós Dietz, Ádám Homonnay, and Irene Shvakman)
-
News: Headline
Gartner: Majority of Banks Will Turn to Cloud for Processing Transactions By 2016.
IBM Develops NFC Authentication Technology
Barclays Puts the Safety Deposit Box in the Cloud. Barclays online banking customers will now be able to scan and upload important documents to a cloud-based document storage system.
What Banks Should Know About Disaster Recovery in the Cloud. The cloud offers faster recovery from disasters, but banks need to be on the same page with their providers on issues like data ownership and interoperability.
-
The need to know the trend:
The jagged economic landscape, complicated by advancing technologies such as cloud, social media and mobile devices, can challenge the ability of an IT auditor to provide comfort to executives already overwhelmed with rapidly expanding opportunities and pressures caused by shrinking margins.
Information Security & Risk InsightsAfrica Accra 2014
-
Pace of technological innovation is increasing
Medical knowledge is doubling every eight years
50% of what students learn in their freshman year of college is obsolete, revised, or taken for granted by their senior year
All of today's technical knowledge will represent only 1 percent of the knowledge that will be available in 2050
Potential business impact:
Shortened time-to-market for products and services
Tighter competition based on new technologies
Tighter monitoring requirements
-
The Digital Disruption
The five post-digital forces affecting business: cloud, mobile, social, analytics and cyber.
The digital revolution is disrupting every industry, creating new possibilities and changing the ways business is done.
The only way to compete is to evolve.
-
News: Headline
IBM Develops NFC Authentication Technology
IBM announced it has developed a new mobile payments authentication security technology based on near-field communication (NFC) technology. According to IBM, a user engaging in a mobile transaction would hold a contactless smartcard next to the NFC reader of the mobile device and, after keying in their PIN, a one-time code would be generated by the card and sent to the server by the mobile device. The technology is based on end-to-end encryption between the smartcard and the server using the National Institute of Standards & Technology (NIST) AES (Advanced Encryption Standard) scheme. Current technologies on the market require users to carry an additional device, such as a random password generator, IBM stated.
-
Continuity Across Devices
With more users working across multiple devices, we see a move to provide the missing link in today's computing experience: the ability to pick up the session on a different device in exactly the same place you left off.
Innovation will occur behind the scenes, to provide a continuous experience for users across call logs, text messages, notes and
-
All Encompassing Smartphones
Nowadays, consumers are increasingly relying on their smartphones for just about everything. From researching purchasing decisions to mobile commerce, expect to see more brands start to innovate and cater to the needs of mobile audiences, both customers and staff, to allow for more seamless use and integration of
-
IPv6: Major surgery for the Internet
IPv6 is the new Internet protocol replacing IPv4. Protecting IPv6 is not just a question of porting IPv4 capabilities. There are fundamental changes to the protocol which need
-
IPv6: Major surgery for the Internet (contd)
The Difference Between IPv6 and IPv4 IP Addresses
An IP address is a binary number but can be stored as text for human readers. For example, a 32-bit numeric address (IPv4) is written in decimal as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.
IPv6 addresses are 128-bit IP addresses written in hexadecimal and separated by colons. An example IPv6 address could be written like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf
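As an added illustration that is not part of the slides, the parser below turns both notations described above into their 4-byte and 16-byte binary forms, handling the "::" shorthand of IPv6 and the zero-padded octets that make IPv4 firewall rules ambiguous, and compares addresses by value rather than as text. The two example addresses are the slide's own; everything else is constructed.

```python
# Added example (not from the slides): parse the two textual forms described above into
# their binary forms (4 bytes for IPv4, 16 bytes for IPv6) and compare addresses by value.
HEX = set("0123456789abcdefABCDEF")


def parse_ipv4(text: str) -> bytes:
    """Four decimal numbers 0..255 separated by periods -> 4 bytes."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"IPv4 needs four parts: {text!r}")
    out = bytearray()
    for p in parts:
        # Reject empty, non-numeric and zero-padded parts: "010" is read as octal
        # by some C libraries, so a rule written that way is ambiguous.
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            raise ValueError(f"bad IPv4 octet: {p!r}")
        out.append(int(p))
    return bytes(out)


def parse_ipv6(text: str) -> bytes:
    """Eight 16-bit hex groups separated by colons; one '::' may stand for
    a run of zero groups -> 16 bytes."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = text.partition("::")
    if head.endswith(":") or tail.startswith(":"):
        raise ValueError(f"empty group in {text!r}")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = left
    if len(groups) != 8:
        raise ValueError(f"IPv6 needs eight groups: {text!r}")
    out = bytearray()
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError(f"bad IPv6 group: {g!r}")
        out += int(g, 16).to_bytes(2, "big")
    return bytes(out)


def classify(text: str) -> str:
    """'IPv4', 'IPv6' or 'invalid' for a textual address."""
    for name, parser in (("IPv4", parse_ipv4), ("IPv6", parse_ipv6)):
        try:
            parser(text)
            return name
        except ValueError:
            pass
    return "invalid"


def to_bytes(text: str) -> bytes:
    return parse_ipv4(text) if classify(text) == "IPv4" else parse_ipv6(text)


def same_address(a: str, b: str) -> bool:
    """Compare by binary value: 'fe21:67cf' and 'FE21:67CF' or '0003' and '3' name
    the same address, which a plain text comparison in an audit script would miss."""
    return to_bytes(a) == to_bytes(b)


if __name__ == "__main__":
    print(parse_ipv4("1.160.10.240").hex())                          # slide's IPv4 example
    print(parse_ipv6("3ffe:1900:4545:3:200:f8ff:fe21:67cf").hex())  # slide's IPv6 example
    print(same_address("3ffe:1900:4545:3:200:f8ff:fe21:67cf",
                       "3FFE:1900:4545:0003:0200:F8FF:FE21:67CF"))
```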
Sources: http://www.webopedia.com/TERM/I/IP_address.html and http://www.webopedia.com/TERM/B/binary.html
-
Others are:
T+3 becoming T
Instant transfers
ATMs accepting cash and cheques
Cheques scanned with mobile phones
Wearable technologies
Virtualisation of all kinds: virtual customers, staff and projects, etc.
-
Cloud Computing
-
Contending With Cloud Services
Small, medium and large enterprises are beginning to adopt cloud services (PaaS and SaaS) at a greater rate. This trend presents a big challenge for network security, as traffic can go around traditional points of inspection. Additionally, as the number of applications available in the cloud grows, policy controls for Web applications and cloud services will also need to evolve.
But as the cloud evolves, so too must network security.
-
What is cloud computing?
Cloud Computing is not:
Any specific technology, such as VMware or SalesForce
Virtualization
Outsourcing
Grid computing
Web hosting
Cloud Computing is:
An IT delivery approach that binds together technology infrastructure, applications, and internet connectivity as a defined, managed service that can be sourced in a flexible way
Cloud computing models typically leverage scalable and dynamic resources through one or more service and deployment models
The goal of cloud computing is to provide easy access to, and elasticity of, IT services.
-
Key Areas to Focus on during Audit
Identity and Access Management: Verify that only approved personnel are granted access to services based on their roles, and that access is removed in a timely manner upon the personnel's termination of employment and/or a change in their roles that does not require the said access.
Physical Security
Hosting & Data Logical Security: Segregation of tiers; hosting encryption methods; accessibility from the open Internet; over-permissive rules that open a wide range of ports
Authentication & Authorization: Length/strength of passwords; systems to enforce/control password security and reset rules; use of hardware/software tokens; management of key fobs; only authorized users are granted access rights after proper approval; access for transferred employees is modified in a timely manner; unauthorized access to cloud computing resources is removed promptly; periodic review of super-user and regular access to cloud applications
Connection & Data Transmission: Secure connectivity such as VPN, IPSec, SSL or HTTPS wherever sensitive data is being transmitted for regular users or administrators
-
Key Areas to Focus on during Audit
Auditing Cloud Computing in Five Relevant Areas
Audit Objective(s)
Technology Risks: Unique risks related to the use of a virtual operating system with co-tenants. Is your primary service provider utilizing another sub-service provider? For example, there are several cases where a SaaS provider is utilizing an IaaS provider. Do you know whether your primary service provider is protecting you adequately from the risks inherent in utilizing an IaaS provider?
Hypervisor technology utilized and whether it is patched
Process for monitoring and patching for known vulnerabilities in hypervisor technology
Segregation of duties (SoD) considerations, both from a technology and from a business perspective. For example, from a technology SoD perspective: does one person have access to the host and guest operating systems as well as the guest database? From a business perspective, for financially significant applications, just because an application is in the cloud does not diminish the importance of segregating access within the application.
Logging of access to the applications and data, where relevant
Protection of access logs from inadvertent deletion or unauthorized access
-
Common Observations When Auditing Cloud Computing
Password settings for cloud resources (applications, virtual servers etc.) do not comply with the user organization's password policies. Sometimes the cloud vendor's resources do not support the user organization's policy requirements, but several times the cloud administrators at the user organization are not aware.
Port settings on cloud server instances not appropriately configured (administrator added exceptions to administer the cloud from their home computer and mobile device).
Lack of policy and procedures for appropriate handling of security and privacy incidents.
Terminated users found to be active on applications in the cloud (even though the individual's network access was terminated), and there was no IP range restriction.
Employees transferred out of a certain department had access to cloud resources even though they transferred to another department a few months ago.
Service provider's SOC report was not reviewed for impact to the user organization.
Sensitive data (PII) in the cloud was found to be not encrypted. Sometimes the user organization is not aware that sensitive data resides in the cloud. Most commonly, with the use of the cloud for test environments, sensitive data is not scrambled/de-identified before being sent to the cloud. It might even be your third-party development vendor doing that.
Use of shared accounts to administer the cloud.
-
Good Practices in Cloud Computing
Sensitive data is encrypted before sending to the cloud.
Making sure that multiple people receive notifications from the cloud service provider, and that the list of individuals/email ids is periodically reviewed and updated. This is simple to implement and very beneficial.
Several cloud service providers offer the option of IP range restriction. That could be a great tool for utilizing cloud-based services while having the security comfort of in-house IT.
Use of a secure connection when connecting to the cloud, any time sensitive data is exchanged.
Access to cloud computing resources is integrated with the user organization's identity and access management process instead of being handled one-off.
Use of multi-factor authentication (MFA) such as hardware/software tokens or mobile authentication (particularly if the mobile phone is a company resource) for administration of cloud resources. This could also protect in case the user organization's employees are subject to a phishing attack.
Review a proper independent review report/certification: sometimes a SOC report is not sufficient.
Contd
-
Contd: Top Risk Areas
Privileged user access: Who at the cloud provider will have access to your data? What controls does the provider have over these people's access? How does the provider hire and fire?
Regulatory Compliance: How will using the cloud affect your ability to comply with regulatory requirements (e.g. SOX, GLBA, HIPAA, PCI)? Has the provider undergone any kind of third-party audit or certification?
Data Location and Ownership: Where will the data be stored? Will it be replicated out of the country? Can the customer restrict where the data is stored? Who owns the data once it is in the cloud?
Data Segregation: How does the provider ensure that its other customers cannot see my data? What type of encryption is in place? How are the keys managed?
Recovery: What happens to my data in the event of a disaster? Is it backed up or replicated somewhere? How can I access my backups? How long does it take to restore my data?
Forensic Support: If any kind of legal investigation is required because of illegal activity, can the provider support the customer?
Long Term Viability: What is the provider's financial posture? Will they be around in the next 5-15 years? If they fail, how does the customer get his data back?
Third Party Relationships: What third-party relationships does your cloud provider have in place?
Due Diligence: Have you performed extensive due diligence on your cloud provider?
-
Contd
Cloud provider's key Risk and Performance Indicators: Understand the cloud provider's key risks and performance indicators, and how these can be monitored and measured from a customer's perspective.
-
Auditing Mobile Computing
-
10 Steps for Auditing Mobile Computing Security Test
1. Ensure that mobile device management software is running the latest approved software and patches.
2. Verify that mobile clients have protective features enabled if they are required by your mobile device security policy.
3. Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device.
4. Evaluate the use of security monitoring software and processes.
5. Verify that unmanaged devices are not used on the network. Evaluate controls over unmanaged devices.
6. Evaluate procedures in place for tracking end user trouble tickets.
7. Ensure that appropriate security policies are in place for your mobile devices.
8. Evaluate disaster recovery processes in place to restore mobile device access should a disaster happen.
9. Evaluate whether effective change management processes exist.
10. Evaluate controls in place to manage the service life cycle of personally owned and company-owned devices and any associated accounts used for the gateway.
-
Auditing Mobile Device Mgt
Once installed, an MDM solution can enforce numerous security policies. Auditors should verify these policies are in place:
Anti-malware and firewall policy. Mandates installation of security software to protect the device's apps, content, and operating system.
App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
App-vetting policy. Ensures that only trustworthy whitelisted apps can be installed; blocks blacklisted apps that could contain malicious code.
Encryption policy. Ensures that the contents of the device's business container are encrypted and secured.
-
Auditing Mobile Device Mgt contd.
PIN policy. Sets up PIN complexity rules and expiration periods, as well as prevents reuse of old PINs.
Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
Jailbreak policy. Prohibits unauthorized alteration of a device's system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
Remote wipe policy. Erases the device's business container contents should the device be lost or stolen.
Revoke access policy. Disconnects the employee's device from the organization's network when the MDM's remote monitoring feature determines that it is no longer in compliance.
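An added example, not from the slides or from any MDM product: the policies on this slide and the previous one expressed as compliance checks over a constructed device inventory, with the revoke-access decision derived from any failed check, the way an auditor might re-test what the MDM console reports. Device records, thresholds, build numbers and app names are assumed values.

```python
# Added example (not from the slides): evaluate a constructed device inventory against the
# MDM policies above and decide which devices the revoke-access policy should cut off.
from dataclasses import dataclass, field

# Policy thresholds are assumed values for illustration, not figures from the slides.
PIN_MIN_LEN = 6
PIN_MAX_AGE_DAYS = 90
PIN_HISTORY_DEPTH = 5
LOCKOUT_MAX_MINUTES = 5
APPROVED_OS_BUILD = 1042                     # latest approved build (constructed)
BLACKLISTED_APPS = {"freevpn", "sms-forwarder"}


@dataclass
class Device:
    name: str
    pin: str
    pin_age_days: int
    previous_pins: list                      # most recent first
    lockout_minutes: int                     # 0 means auto-lock is disabled
    jailbroken: bool
    container_encrypted: bool
    os_build: int
    apps: set = field(default_factory=set)


def pin_is_complex(pin: str) -> bool:
    """Minimum length, digits only, not all one digit, not a simple ascending/descending run."""
    if len(pin) < PIN_MIN_LEN or not pin.isdigit() or len(set(pin)) == 1:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})


def violations(d: Device) -> list:
    """Names of the policies from the slides that the device fails."""
    found = []
    if (not pin_is_complex(d.pin) or d.pin_age_days > PIN_MAX_AGE_DAYS
            or d.pin in d.previous_pins[:PIN_HISTORY_DEPTH]):
        found.append("PIN policy")
    if d.lockout_minutes == 0 or d.lockout_minutes > LOCKOUT_MAX_MINUTES:
        found.append("Inactive-device lockout policy")
    if d.jailbroken:
        found.append("Jail break policy")
    if not d.container_encrypted:
        found.append("Encryption policy")
    if d.os_build < APPROVED_OS_BUILD:
        found.append("App/operating system update policy")
    if d.apps & BLACKLISTED_APPS:
        found.append("App-vetting policy")
    return found


def revoke_list(devices) -> list:
    """Devices the revoke-access policy should disconnect: any failed check."""
    return [d.name for d in devices if violations(d)]


# Constructed sample inventory
FLEET = [
    Device("ceo-phone", "482913", 30, ["118822"], 2, False, True, 1042),
    Device("teller-tab", "123456", 10, [], 2, False, True, 1042),             # sequential PIN
    Device("byod-1", "917355", 120, [], 0, True, False, 1040, {"freevpn"}),  # many failures
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.name, violations(dev) or "compliant")
    print("revoke:", revoke_list(FLEET))
```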
-
AUDITING Social Media
-
ROLE OF INTERNAL AUDITING - Social Media
IT auditors should be mindful of the risks associated with social media, and take steps to validate that the institution has established an effective social media risk management program commensurate with the degree of the institution's use of social media. In auditing social media, internal auditors should consider the following steps:
-
Program Governance and Oversight
Evaluate how the institution assigns accountability for social media activities.
Review social media-related policies and procedures for consistency with stated social media objectives.
Assess the institution's process to stay informed of actual and proposed social media activities.
Evaluate procedures to review and approve social media content before publication.
Determine how social media risks are periodically assessed and documented.
-
Alignment of Activities with Enterprise Strategy
Determine if the institution has formally documented an enterprise-wide social media strategy.
Review the documented social media strategy for specific objectives and defined metrics against which progress is measured, including risk appetite.
Evaluate the process by which business line social media practices are reviewed for consistency with the institution's enterprise-wide social media strategies.
-
Compliance with Laws and Regulations
Discuss with legal and compliance personnel how legal and regulatory requirements are assessed for applicability to social media activities.
Assess the completeness of the institution's inventory of laws and regulations applicable to social media activities.
Evaluate how legal and compliance are involved in the use of new social media technologies that may impact compliance with legal and regulatory requirements.
-
Operational Risk Management
Determine if technological tools have been used to monitor and restrict social media usage, and consider opportunities to automate new and existing preventative and detective controls.
Evaluate how the institution provides and rescinds access to social media platforms, including standards for reviewing and approving access as appropriate.
Discuss with management the types of training provided to employees with access to the institution's social media platforms.
Determine if third-party social media tools and software solutions are evaluated for operational and compliance impacts in accordance with the institution's documented vendor management program, if applicable.
-
Reputational Risk Management
Evaluate whether management distinguishes consumer complaints received through social media platforms from social media incidents.
Determine if management has identified complaint and incident scenarios that require escalation to legal, compliance, senior management, or other parties.
Assess how social media exchanges are monitored for integrity and fairness to consumers.
-
Last word for the modern-day IT Auditor
The current trends in IT, presently and in the future, demand that IT auditors be IT savvy, current and evolving, so we have to:
Learn: moving with technology
Train: build capacity
Share: leveraging