internal audit considerations for cybersecurity risks posed by vendors october 27-28 th, 2015...

24
Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th , 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking Conference

Upload: dinah-walsh

Post on 17-Jan-2016

225 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Internal Audit Considerations for Cybersecurity Risks Posed by Vendors

October 27-28th, 2015Chicago IIA Chapter’s 2nd Annual IIA Chicago IT Hacking Conference

Page 2: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Who is KirkpatrickPrice?

KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 400 clients in 46 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance by performing assessments, audits, and tests that strengthen information security, and compliance controls.

Page 3: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

WelcomeJoseph Kirkpatrick is a Risk Management Specialist in Compliance and Information Security helping organizations anticipate and prepare against threats.– Certified Information Systems Security Professional (CISSP)– Certified Information Systems Auditor (CISA)– Certified in Risk and Information Systems Control (CRISC)– Certified in the Governance of Enterprise IT (CGEIT)– PCI Qualified Security Assessor (QSA)

Page 4: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Understanding Risks Posed By Vendors

• Data Breaches through vendor relationships– Goodwill’s Point of Sale vendor had malware – Home Depot’s vendor’s credentials stolen– Target’s vendor opened a virus-laden email

• An examination of 57 broker-dealers and 49 registered investment advisers revealed that most had experienced cyber-attacks directly or through their vendors

(Securities and Exchange Commission—February 2015)

Page 5: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Understanding Risks Posed By Vendors

• Vendors bring unique compliance responsibilities– AT&T fined $25 million for call center vendors’

privacy practices– The HITECH Omnibus Rule extends responsibility

to Business Associates

Page 6: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Understanding Risks Posed By Vendors

• Vendors bring unique cybersecurity risk when given remote access– “BUT, it’s a secure VPN”– You are at the mercy of their network security

controls once privilege is given

Page 7: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Quantifying Vendor Risk

• In the past:– Vendor compliance managed contractually– Compliance risk/responsibility was transferred– Compliance activity kept at arms length

Page 8: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Quantifying Vendor Risk

• Now:– Full chain of custody– Oversee business relationships with service

providers– Ensure compliance with the law– Institute an Effective Process

Page 9: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Quantifying Vendor Risk

• Policies and Procedures• List of Third Parties to include activities

performed• Contracts with Third Parties• Evidence of due diligence

Page 10: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Quantifying Vendor Risk

• WHAT do they do for you?• WHO are they?• HOW do they do it?

Page 11: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Quantifying Vendor Risk

Page 12: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Vendor Risk Management

• Risk assessment• Develop/enhance policies & procedures• Continuous Monitoring• Remediation

Page 13: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Recommended Security Policy• Do you address 4th party risks (your vendors’ vendors)?• Do your policies define the permissible uses and disclosures of

sensitive data?• Do your agreements require vendors to provide evidence of

"appropriate safeguards?" How should they determine what's appropriate?

• Do you have a defined Incident Response Procedure?• Do you require the vendors to agree to provide you with all

necessary documentation in case of an audit?• Does your agreement have teeth? Termination if a violation?

Page 14: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Recommended Security Policy

• 30 percent of 40 banking organizations did not require outside vendors to notify them of breaches

(New York Department of Financial Services—April 2015)

Page 15: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Let's consider some example Vendors

• Law firm• Cleaning service• Contracted on-site vendor• Co-location facility• Cloud service provider

Page 16: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Recommended Security Measures for Internal Audit Consideration

• Vendor Policies & Procedures:–Regulatory compliance–Compliance training –Consumer complaints–Information Security

Page 17: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Recommended Security Measures for Internal Audit Consideration

• Types of Evidence–Training logs–Third Party Security Reports–Performance Reports–Audited financials

Page 18: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Recommended Security Measures for Internal Audit Consideration

• Types of Evidence– If VPN connectivity is enabled, what additional

controls are considered?• Access Control Lists• Penetration Testing• Network Monitoring• Security Event Logs• Jump Boxes

Page 19: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Onboarding and Offboarding Control Objectives

• Onboarding– Security Policy– Data Types– Access Requirements– Personnel– User Accounts and Types– Required Security Controls– Training

Page 20: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Onboarding and Offboarding Control Objectives

• Offboarding–Removal of user accounts–Analysis of type of data accessed–Analysis of access/event logs –Confirmation of return of data

Page 21: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Example Audit Programs

• Collect Evidence Related to:– Due Diligence in Vendor Selection

• Financials• Qualifications/Experience• Reputation/Litigation• 4th Parties• Scope of Internal Controls• Business Continuity• IT Management• Insurance

Page 22: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Example Audit Programs

• Collect Evidence Related to:– Contractual Issues

• Scope of Services• Costs/Fees• Reputation• Service Level Agreements• Management Reports• Right to Audit

• Confidentiality and Security• Business Continuity• Default and Termination• Dispute Resolution• Indemnification

Page 23: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Example Audit Programs

• Collect Evidence (Based on Risk) Related to:– Control Environment

• Management Control• Risk Assessment• Information Security

Program• Human Resources• IT Management• Network Security

• BCP/Disaster Recovery• Physical Security• Access Controls• Vulnerability Management• Regulatory Compliance

Page 24: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking

Thank you for attending!

Q & A

For further information contact:Joseph Kirkpatrick

[email protected] Ext. 101