©2013 CliftonLarsonAllen LLP · CLAconnect.com

Not All IT Audits Are the Same: How to Choose One That Is Right For You

Post on 08-Jul-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Not All IT Audits Are the Same

©2013 CliftonLarsonAllen LLP

CLAconnect.com

Not All “IT Audits” Are the Same How to Choose One That Is Right For You

Page 2:

Intro…
• Scott Charleson
• Lots of certs - GWAPT, GPEN, GSEC, CISSP, CEH, EnCE
• Hacking for CliftonLarsonAllen…

Page 3:

Intro…
• Scott Charleson
• Lots of certs - GWAPT, GPEN, GSEC, CISSP, CEH, EnCE
• Hacking for CliftonLarsonAllen
• Paleo Barefoot Runner

Page 4:

Presentation overview
• What is Risk Assessment
• Governance Frameworks
• Types of “Audits”

Page 5:

“We need…”
• “Our examiners said we need to do an IT Audit…”
• “To be in compliance with XYZ, we need to do a Risk Assessment…”

Page 6:

What is not a risk assessment?
• Vulnerability Scanning
• Penetration Test
• Phishing / Social Engineering

http://bit.ly/May20-2

Page 7:

Risk Assessment

Institute of Internal Auditors (IIA) glossary’s definition of risk:
• “The uncertainty of an event occurring that could have an impact on the achievement of objectives.”

Key terms when evaluating risk in an organization are:
• Likelihood/Occurrence and
• Impact/Consequences to the business

Page 8:

Risk Assessment – Inherent & Residual Risk
• Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact (i.e. absent controls, before control effectiveness testing).
• Residual risk is the risk that remains after management’s response to the risk (i.e. after control effectiveness testing).
• Risk assessment is applied first to inherent risks. Once risk responses have been developed, management then considers residual risk.
• Effective risk management requires that risk assessment be done both with respect to inherent risk and again following the risk response.

Page 9:

Risk Assessment Process (30,000-foot view)
1. Identify key assets and processes
2. Define threats & vulnerabilities to assets/processes
3. Quantify/qualify likelihood of occurrence
4. Establish impact (to the business)

This is Inherent Risk

Page 10:

Risk Assessment Process (30,000-foot view - continued)
5. Perform controls effectiveness testing
6. Analyze control testing results for mitigation effectiveness

This result is Residual Risk
• Build business plans and audit plans based on residual risk.
• Examiners expect to see the Risk Assessment process as the basis for business decisions.

Page 11:

Governance Frameworks

• Common Frameworks - Matrix Resources: http://bit.ly/May20-1

Page 12:

Types of Risk Assessments and Audits
• Risk Assessment
  – Enterprise Risk Assessment
  – IT Risk Assessment
  – Compliance Risk Assessment
• IT Audits
  – Process Audits (e.g. ACH)
  – IT Compliance Audits
• Security Assessment
  – Vulnerability Assessments
  – Penetration Testing
  – Social Engineering

Page 13:

Audit Philosophy and Approach
Philosophy:
• People, Rules and Tools
Approach:
• Understand
• Test
• Assess

Page 14:

Enterprise Risk – “drive the business”

[Diagram: Risk Oversight & Insight (Board & Executive Management); People, Process, Technology; Alternatives, Decisions, Scenarios & Events; Strategy & Execution; Risk Taking vs. Risk Avoidance (Financial Reporting, Operations, Compliance); Enterprise Value and Stakeholder Value (Revenue Growth, Operating Margin, Asset Efficiency, Expectations).]

Rewarded risk can drive value. Unrewarded risk can destroy value.

Enterprise Risks:
• Governance: Ethics/Decision Authority; Oversight/Independence; Compensation/Other
• Operations: Service Delivery; Inventory Management; Staffing and Employment; Quality Standards; Cost Management
• Infrastructure: Compliance; Finance & Accounting; Tax; Information Technology; Insurance; BCP; Safety/Physical Security; Legal/IP/Litigation; Environmental/Other
• External Factors: Competition/Economic Conditions; Geo-political/Regulatory; Activism/Public Safety; Natural Disasters/Other
• Strategy: Strategic Plan/Acquisitions/Divestitures; Succession Planning; Brand/Marketing/Pricing; Reputational

Page 15:

Enterprise Risk – “drive the business”

Conducting an Enterprise-Wide Risk Assessment is similar to sitting down with a financial planner to discuss your investment strategy. You determine your tolerance for risk by deciding whether you want to invest aggressively, preserve capital or take a conservative growth approach. This can be described as a control self-assessment of your finances.

There is a clear distinction between an Enterprise Risk Assessment and an Enterprise Information Security Risk Assessment. The first type focuses on Financial, Strategic and Operational functions, and the latter is Information Security/Network/Technology driven. Clarify with your examiner which one is being requested if your business is asked to complete an Enterprise Risk Assessment.

Page 16:

IT Risk Assessment & Information Security Risk Assessment
• Focus is on one component of the enterprise: Information Technology and/or the Information Security Management Program

Page 17:

Types of Risk Assessments and Audits
• Risk Assessment
  – Enterprise Risk Assessment
  – IT Risk Assessment
  – Compliance Risk Assessment
• IT Audits
  – Process Audits (e.g. ACH)
  – IT Compliance Audits
• Security Assessment
  – Vulnerability Assessments
  – Penetration Testing
  – Social Engineering

Page 18:

Process Specific
• ACH audits
• Wire transfer / FedLine audits
• Application specific audits
• Business process specific audits
• Member authentication procedures

These tend to be focused on the operational processes supporting the business process.

Page 19:

“Traditional IT Audit”
• Broad audits
  – IT General Controls Review
• Specific/focused audits
  – DRP/IR/BCP audits and testing
  – SDLC and Change Management audits
  – User and group permission audits
  – Vendor management

Page 20:

“Traditional IT Audit”
• IT General Controls Review: “A mile wide and 10 feet deep”

Page 21:

“Traditional IT Audit”
• IT General Controls Review
  – Good for broad, high-level coverage of IT management, the member information security program, and compliance requirements
  – Answers the question: “Do we have the right standards and are they well documented?”
  – Effectiveness testing tends to be light
  – Does not really test the systems or identify exceptions

Page 22:

“Traditional IT Audit” – Focused Audits
• Common examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits
  – More focused audits get to the next level of detail; they focus on the process and perhaps application-level controls (e.g. menus); effectiveness testing tends to be more thorough, but is likely still based on sampling
  – These can be Design or Compliance focused

Page 23:

Vulnerability Assessment
• Port Scans and Vulnerability Scans
  – They are like Radar…
  – Pros
  – Cons
• External and Internal Scanning – What are the benefits?
• Example – Monthly scanning for Business “A”
  – July – nothing new/unusual
  – August – nothing new/unusual
  – September - SSH open, and…
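The monthly-scanning story above (July and August quiet, September a new SSH listener) is really a baseline-and-diff exercise: the value of a recurring scan is in what changed since last time, not in the raw port list. The following Python is an added example, not code from the deck or from CliftonLarsonAllen. It parses nmap grepable (-oG) output, diffs two monthly snapshots and flags newly exposed services. The two scan outputs are constructed sample data, and the WATCHLIST of services that warrant immediate review is an assumption of this example, not something the slides specify.

```python
"""Differential external scanning: compare this month's nmap scan with last
month's baseline and report only what changed (new hosts, newly opened ports,
ports that went away). Added example for the slide's "monthly scanning" story;
not code from the original deck. Input format is nmap grepable output (-oG).
"""
from typing import Dict, List, Tuple

# Constructed sample nmap -oG output for two monthly runs (not real scan data).
# Fields in -oG "Host:" lines are tab-separated; each port entry is
# port/state/protocol/owner/service/rpc/version/.
AUGUST_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -p- -oG aug.gnmap 203.0.113.0/29\n"
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)\n"
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (65534)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned\n"
)
SEPTEMBER_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -p- -oG sep.gnmap 203.0.113.0/29\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65532)\n"
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (65534)\n"
    "Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65534)\n"
    "# Nmap done -- 8 IP addresses (3 hosts up) scanned\n"
)

# Assumed watchlist (not from the slides): services whose unexpected appearance
# on the perimeter should be reviewed immediately (remote access / admin).
WATCHLIST = {"ssh", "telnet", "ms-wbt-server", "microsoft-ds", "ftp", "vnc"}

Snapshot = Dict[str, Dict[str, str]]  # host -> {"port/proto": service}


def parse_gnmap(text: str) -> Snapshot:
    """Return the open ports per host from nmap grepable (-oG) output."""
    snapshot: Snapshot = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status: Up' lines carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        open_ports = snapshot.setdefault(host, {})
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            if state == "open":
                open_ports[f"{port}/{proto}"] = service
    return snapshot


def diff_scans(baseline: Snapshot, current: Snapshot) -> dict:
    """Report what changed between two snapshots; empty values mean 'nothing new'."""
    report = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "gone_hosts": sorted(set(baseline) - set(current)),
        "opened": {},  # host -> {port: service} newly exposed this month
        "closed": {},  # host -> {port: service} no longer exposed
    }
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        opened = {p: s for p, s in after.items() if p not in before}
        closed = {p: s for p, s in before.items() if p not in after}
        if opened:
            report["opened"][host] = opened
        if closed:
            report["closed"][host] = closed
    return report


def review_now(report: dict) -> List[Tuple[str, str, str]]:
    """Newly opened ports whose service is on the watchlist, sorted for triage."""
    hits = []
    for host, ports in report["opened"].items():
        for port, service in ports.items():
            if service in WATCHLIST:
                hits.append((host, port, service))
    return sorted(hits)


if __name__ == "__main__":
    aug = parse_gnmap(AUGUST_GNMAP)
    sep = parse_gnmap(SEPTEMBER_GNMAP)
    changes = diff_scans(aug, sep)
    for host, port, service in review_now(changes):
        print(f"REVIEW {host} {port} ({service}) - not in last month's baseline")
```

Produce the inputs with something like `nmap -sS -p- -oG sep.gnmap <external range>` each month and feed the previous month's file as the baseline. As the slide says, this is radar: a newly open 22/tcp tells you the perimeter changed, not whether the service is vulnerable or who opened it; answering that is penetration-testing and change-management work.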

Page 24:

Penetration Testing
• External Network
• Applications
• Internal Network
• Wireless
• Facilities (social engineering)

Page 25:

External Network Penetration Testing
Everything that touches the outside:
1. Routing devices
2. Remote access
3. Web/applications*
4. Other*: ___________________

Page 26:

Application Penetration Testing
External Apps or Internal Apps

Page 27:

Internal Network Penetration Testing
Everything that touches the inside

Page 28:

Wireless Network Penetration Testing

Page 29:

Definition of a Secure System

“A secure system is one we can depend on to behave as we expect.”

Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford

• Confidentiality
• Integrity
• Availability

Page 30:

Page 31:

Intro…

Page 32:

Questions?

Page 33:

CLAconnect.com

Thank you!

Scott Charleson About.me/charleson

Page 34:

Sources for Standards and Guidelines

• FFIEC IT Handbook: http://bit.ly/May20-3
• NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (the control catalog used for information security and IT auditing): http://bit.ly/May20-4
• PCI DSS requirements: http://bit.ly/May20-5 and http://bit.ly/May20-6