©2013 CliftonLarsonAllen LLP
CLAconnect.com
Not All “IT Audits” Are the Same
How to Choose One That Is Right For You
Intro…
• Scott Charleson
• Lots of certs - GWAPT, GPEN, GSEC, CISSP, CEH, EnCE
• Hacking for CliftonLarsonAllen
• Paleo Barefoot Runner
Presentation overview
• What is Risk Assessment
• Governance Frameworks
• Types of “Audits”
“We need…”
• “Our examiners said we need to do an IT Audit…”
• “To be in compliance with XYZ, we need to do a Risk Assessment…”
What is not a risk assessment..?
• Vulnerability Scanning
• Penetration Test
• Phishing / Social Engineering
http://bit.ly/May20-2
Risk Assessment
Institute of Internal Auditors (IIA) glossary’s definition of risk:
• “The uncertainty of an event occurring that could have an impact on the achievement of objectives.”
Key terms when evaluating risk in an organization are:
• Likelihood/Occurrence and
• Impact/Consequences to the business
Risk Assessment – Inherent & Residual Risk
• Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact (i.e., absent controls / before control effectiveness testing)
• Residual risk is the risk that remains after management’s response to the risk (i.e., after control effectiveness testing)
• Risk assessment is applied first to inherent risks. Once risk responses have been developed, management then considers residual risk.
• Effective risk management requires that risk assessment be done both with respect to inherent risk and also following risk response.
Risk Assessment Process (30K foot view)
1. Identify key assets and processes
2. Define threats & vulnerabilities to assets/processes
3. Quantify/qualify likelihood of occurrence
4. Establish impact (to the business)
This is Inherent Risk
Risk Assessment Process (30K foot view - continued)
1. Perform controls effectiveness testing
2. Analyze control testing results for mitigation effectiveness
This result is Residual Risk
• Build business plans and audit plans based on residual risk.
• Examiners expect to see the Risk Assessment process as the basis for business decisions
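The two slides above describe one procedure: score inherent risk from assets, threats, likelihood and impact, then let tested control effectiveness (and only tested effectiveness) bring it down to residual risk, and rank the audit plan on the result. The following is an added example, not from the presentation; the asset names, scores, the 1-5 scale and the rule that an untested control earns no credit are constructed assumptions.

```python
# Added example (not from the presentation): inherent vs. residual risk following
# the deck's process. Names, scores, the 1-5 scale and "untested = 0" are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Control:
    name: str
    # Set by controls effectiveness testing; None = documented but never tested.
    tested_effectiveness: Optional[float] = None


@dataclass
class Risk:
    asset: str       # 1. key asset or process
    threat: str      # 2. threat / vulnerability
    likelihood: int  # 3. 1 (rare) .. 5 (almost certain)
    impact: int      # 4. 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk absent any controls: likelihood x impact."""
        return self.likelihood * self.impact

    def mitigation(self) -> float:
        """Combined reduction from tested controls; untested ones count as 0."""
        remaining = 1.0
        for c in self.controls:
            eff = c.tested_effectiveness or 0.0
            remaining *= 1.0 - max(0.0, min(1.0, eff))
        return 1.0 - remaining

    def residual(self) -> float:
        """Risk that remains after management's response."""
        return round(self.inherent() * (1.0 - self.mitigation()), 2)


def audit_plan(register: list[Risk]) -> list[tuple[str, str, int, float]]:
    """Rank by residual risk, highest first: the basis for the audit plan."""
    rows = [(r.asset, r.threat, r.inherent(), r.residual()) for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register for a small financial institution.
REGISTER = [
    Risk("ACH origination", "Unauthorized file submission", 3, 5,
         [Control("Dual approval", 0.8), Control("Daily limit alerting", 0.5)]),
    Risk("Member web portal", "Credential stuffing", 4, 4,
         [Control("MFA", None)]),  # documented, never tested -> no credit
    Risk("Core banking DB", "Backup failure in DR", 2, 5,
         [Control("Quarterly restore test", 0.9)]),
]
```

The portal lands at the top of the plan with residual equal to inherent risk, because a control that has only been documented has not yet earned any reduction; that is the distinction between the ITGC-style “do we have the right standards” question and effectiveness testing.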
Governance Frameworks
• Common Frameworks - Matrix Resources: http://bit.ly/May20-1
Types of Risk Assessments and Audits
• Risk Assessment
– Enterprise Risk Assessment
– IT Risk Assessment
– Compliance Risk Assessment
• IT Audits
– Process Audits (i.e., ACH)
– IT Compliance Audits
• Security Assessment
– Vulnerability Assessments
– Penetration Testing
– Social Engineering
Audit Philosophy and Approach
Philosophy:
• People, Rules and Tools
Approach:
• Understand
• Test
• Assess
Enterprise Risk – “drive the business”
[Diagram: Risk Oversight & Insight by Board & Executive Management across People, Process and Technology. Alternatives, Decisions, Scenarios & Events feed Strategy & Execution (risk taking) and Financial Reporting, Operations and Compliance (risk avoidance). Enterprise Value and Stakeholder Value: Revenue Growth, Operating Margin, Asset Efficiency, Expectations.]
Rewarded risk can drive value. Unrewarded risk can destroy value.
Enterprise risks:
• Governance – Ethics/Decision Authority; Oversight/Independence; Compensation/Other
• Operations – Service Delivery; Inventory Management; Staffing and Employment; Quality Standards; Cost Management
• Infrastructure – Compliance; Finance & Accounting; Tax; Information Technology; Insurance; BCP; Safety/Physical Security; Legal/IP/Litigation; Environmental/Other
• External Factors – Competition/Economic Conditions; Geo-political/Regulatory; Activism/Public Safety; Natural Disasters/Other
• Strategy – Strategic Plan/Acquisitions/Divestitures; Succession Planning; Brand/Marketing/Pricing; Reputational
Enterprise Risk – “drive the business”
Conducting an Enterprise-Wide Risk Assessment is similar to sitting down with a financial planner to discuss your investment strategy. You determine your tolerance for risk by deciding whether you want to invest aggressively, preserve capital or take a conservative growth approach. This can be described as a control self-assessment of your finances.
There is a clear distinction between an Enterprise Risk Assessment and an Enterprise Information Security Risk Assessment. The first type focuses on Financial, Strategic and Operational functions, and the latter is Information Security/Network/Technology driven. Clarify with your examiner which one is being requested if your business is asked to complete an Enterprise Risk Assessment.
IT Risk Assessment & Information Security Risk Assessment
• Focus is on one component of the enterprise: Information Technology and/or the Information Security Management Program
Process Specific
• ACH audits
• Wire transfer / Fed Line audits
• Application specific audits
• Business process specific audits
• Member authentication procedures
These tend to be focused on the operational processes supporting the business process
“Traditional IT Audit”
• Broad audits
– IT General Controls Review
• Specific/focused audits
– DRP/IR/BCP audits and testing
– SDLC and Change Management audits
– User and group permission audits
– Vendor management
“Traditional IT Audit”
• IT General Controls Review: “A mile wide and 10 feet deep”
“Traditional IT Audit”
• IT General Controls Review
– Good for broad, high level coverage of IT management, member information security program, and compliance requirements
– Answers the question: “Do we have the right standards and are they well documented?”
– Effectiveness testing tends to be light
– Does not really test the systems or ID exceptions
“Traditional IT Audit” – Focused Audits
• Common examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits
– More focused audits get to the next level of detail; they focus on the process and perhaps application level controls (i.e., menus); effectiveness testing tends to be more thorough, but is likely still based on sampling
– These can be Design or Compliance focused
Vulnerability Assessment
• Port Scans and Vulnerability Scans
– They are like Radar…
– Pros
– Cons
• External and Internal Scanning
– What are the benefits?
• Example – Monthly scanning for Business “A”
– July – nothing new/unusual
– August – nothing new/unusual
– September - SSH open, and…
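The “radar” value of recurring scans is the month-over-month comparison, not any single report: two quiet months and then a newly exposed SSH service, as in the Business “A” story. The following is an added example, not from the presentation; the one-line-per-service snapshot format, the TEST-NET addresses and the three monthly results are constructed.

```python
# Added example (not from the presentation): month-over-month diff of scan results,
# the "radar" behind the Business "A" story. Format, hosts and ports are constructed.
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int, str]  # (host, port, service name)


def parse_snapshot(text: str) -> Set[Service]:
    """Parse 'host port/proto service' lines (constructed format) into a set."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        host, portproto, service = line.split()
        port = int(portproto.split("/")[0])
        found.add((host, port, service))
    return found


def diff_snapshots(previous: Set[Service], current: Set[Service]) -> Dict[str, List[Service]]:
    """Report what appeared and what disappeared since the previous scan."""
    return {
        "opened": sorted(current - previous),
        "closed": sorted(previous - current),
    }


def review_month(previous: Set[Service], current: Set[Service]) -> str:
    """One-line verdict in the deck's words: nothing new, or items to investigate."""
    delta = diff_snapshots(previous, current)
    if not delta["opened"] and not delta["closed"]:
        return "nothing new/unusual"
    parts = [f"{h}:{p} {s} open" for h, p, s in delta["opened"]]
    parts += [f"{h}:{p} {s} closed" for h, p, s in delta["closed"]]
    return "; ".join(parts)


# Constructed external scans of Business "A" for three consecutive months.
JULY = "203.0.113.10 443/tcp https\n203.0.113.20 25/tcp smtp\n"
AUGUST = JULY                                    # no change
SEPTEMBER = JULY + "203.0.113.20 22/tcp ssh\n"   # SSH newly exposed
MONTHS = [("July", JULY), ("August", AUGUST), ("September", SEPTEMBER)]


def monthly_report(months=MONTHS) -> Dict[str, str]:
    """Compare each month with the one before; the first month is the baseline."""
    report, previous = {}, None
    for name, text in months:
        current = parse_snapshot(text)
        report[name] = "baseline" if previous is None else review_month(previous, current)
        previous = current
    return report
```

Closed services are reported too, since a port that silently disappears (a failed host, a decommissioned service nobody announced) is as much an exception for the audit trail as one that opens.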
Penetration Testing
• External Network
• Applications
• Internal Network
• Wireless
• Facilities (social engineering)
External Network Penetration Testing
Everything that touches the outside
1. Routing devices
2. Remote access
3. Web/applications*
4. Other*: ___________________
Application Penetration Testing
External Apps or Internal Apps
Internal Network Penetration Testing
Everything that touches the inside
Wireless Network Penetration Testing
Definition of a Secure System
“A secure system is one we can depend on to behave as we expect.”
Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
• Confidentiality
• Integrity
• Availability
Questions?
CLAconnect.com
Thank you!
Scott Charleson About.me/charleson
Sources for Standards and Guidelines
• FFIEC IT Handbook http://bit.ly/May20-3
• NIST 800-53: Information Security and IT Auditing http://bit.ly/May20-4
• PCI Requirements http://bit.ly/May20-5 http://bit.ly/May20-6