Ten top emerging IT audit issues: the Ugandan perspective, as part of the monthly presentation series
Post on 21-Dec-2015
TRANSCRIPT
TEN TOP EMERGING IT AUDIT ISSUES: THE UGANDAN PERSPECTIVE
AS PART OF THE MONTHLY PRESENTATION SERIES. June, 2011
BY KETO NYAPENDI KAYEMBA, ASSISTANT AUDITOR GENERAL
PRESIDENT, ISACA KAMPALA CHAPTER
Content
• Introduction
• The main audit issues
▫ Issue
▫ Risks
▫ Recommendation
• Conclusion
ICT in Uganda
• Uganda: a growing economy
• NDP: science and technology are strategic
• Rapid deployment of emerging technologies creates risk
• Deficiencies in IT controls have a significant impact
• Misaligned technology will fail
• IT security, audit and governance in Uganda
• Las Vegas
Summary
1. Mobile devices & wireless technology
2. Social networking
3. Malware
4. Major government systems
5. Regulation
6. Cloud computing
7. Virtualisation
8. Database management
9. Business continuity & disaster preparedness
10. Fraud
1. Mobile devices
• Rapid expansion of handheld devices (ever more powerful)
• Huge increase in mobile users & applications
• The boundaries have expanded through 3G and 4G, plus Wi-Fi and WiMAX
• Risks
▫ Very vulnerable, susceptible to malicious attacks
▫ Information interception and loss of critical business data
▫ Security and identity management are an issue
▫ Denial of service
▫ ERP integration issues
• Recommendation
▫ Managing information risks without stifling innovation is critical to value creation
▫ Get an inventory of mobile devices and their applications (m-commerce). Understand the policies and procedures.
Boundaries have expanded and are no longer physical. Smartphones, iPads, m-commerce. Mobility enables flexibility, availability, innovation and increased productivity.
2. Social networks
• Use of social media technology is here: Facebook, LinkedIn
• Security needs
▫ Identity protection
▫ User awareness of security needs
▫ Organisation data safety
• Risks
▫ Brand protection
▫ Unauthorised access to confidential data
▫ Disruption / denial of service
▫ User ignorance
• Recommendation
▫ Have an inventory of social media usage
▫ Establish existing policies, procedures & controls
▫ Amend the audit plan to take care of the compliance & security needs
3. Malware / cyber attacks
• Increase in sophistication of malware (malicious code)
• More avenues of execution, i.e. mobile devices, social networks, work-at-home issues
• New-generation threats and attacks are now supported by organised criminal groups and state sponsors
• Risks
▫ New platforms allow more organisation data to be accessed and pushed outside the old perimeter firewall
▫ Loss or theft of critical information and intellectual property
▫ Cash impact
▫ Denial of service
• Recommendation
▫ Understand the organisation's approach to malware identification, isolation & remediation
▫ Consider impacts beyond traditional anti-spam/firewall controls, i.e. remote users, mobile devices
▫ Consider update schedules and monitoring (beyond responsiveness to patch updates)
▫ Look at hardening of critical devices and access points
▫ Have vulnerability assessment and detection procedures
3b. The use of the internet in business operations
• Use of the internet in business operations
• Risks
▫ Malicious code importation
▫ Theft of identity-related information, e.g. credit card information
▫ Disruption and denial of service
• Recommendation
▫ Sensitisation of users on how to transact business on the web
▫ Proper protection of the sensitive areas using antivirus
▫ Browsing protection
▫ Limit storage of identity-related information
▫ Encrypt any information that needs to be stored
4. Major government systems
• Ministry of ICT
• NITA
• National identity card
• Electronic register
• Integrated Financial Management System
• Integrated payroll system
• Risks
▫ Governance, control and security issues ignored
▫ Duplication
▫ Too many legacy systems; lack of value for money
• Need for
▫ Alertness
▫ Assertiveness
▫ Use of alliances, i.e. the chapter
▫ Preparedness
▫ Involvement
• IT governance recognised at the board level
• Strategic use of IT for achievement of business objectives
• Control practices well defined
• Necessary oversight
5. Regulation
• Strong need for regulation
▫ ICT laws being put in place
▫ Regulations to follow
▫ Need for compliance
• Protection: business robustness, national assets
• Risks
▫ Not having sufficient numbers of ICT professionals to manage the assets
• Recommendation
▫ More prominence for SAG (security, audit and governance) professionals
▫ Need for skill acquisition
▫ Need for knowledge acquisition
6. Cloud computing
• A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources:
▫ Infrastructure as a Service, IaaS
▫ Platform as a Service, PaaS
▫ Software as a Service, SaaS
• Sensitive data are no longer stored in a server farm controlled by the business, but rather in systems connected to the web and probably not owned by the business.
• Risks
▫ Sustainability: reputation of the provider
▫ Confidentiality and availability of data
▫ Third-party access to data (competition)
▫ Data ownership & loss of data in a disaster situation
• Recommendation
▫ Ensure the business objectives and the risks that accompany the cloud are identified and understood
▫ May need to adjust business IT governance and security policies
▫ Ensure there is a mechanism to verify compliance with the policy set
• Supplier gives more flexible, available, resilient and efficient IT services
• Increased ROI
• Reduced cost
• Increased risks
7. Virtualisation
• Software technology that divides a physical resource, such as a server, into virtual resources called virtual machines (VMs). Studies show that by 2012, 50% of servers throughout the world will be virtualised.
• Risks
▫ Architectural vulnerability
▫ Software vulnerability
▫ Configuration risks
• Recommendation
▫ Policies and procedures: disaster recovery & backup, data protection
▫ Ensure proper understanding by the organisation
▫ Roles & responsibilities clearly defined & documented
▫ Proper training of staff
▫ Following of set regulation
8. Database management
• Regulation on types of data to be stored
• Identification of location of data
• Need for categorisation of sensitive data to enable better security management
• The cloud and mobile devices are a challenge
• Risks
▫ Regulatory penalties
▫ Brand protection
▫ Identity management
▫ Privacy
▫ Integrity
• Recommendations
▫ Assess the level of adequacy of current business requirements
▫ Understand emerging regulations
▫ Corporate policies on storage of PII
▫ Identify specific data management controls
▫ Perform focused procedures
• Where is the data stored?
• Where is personal data stored?
• How large is the data, and is it all necessary?
• For how long is it needed?
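The questions above (where personal data sits, how much of it is necessary, for how long), together with the recommendations in 3b to limit storage of identity-related information and protect what must be stored, can be turned into a concrete audit procedure. The following is an added example, not code from the presentation or from any system it names: it walks a constructed set of record stores, reports every field holding a card number or e-mail address, flags records older than an assumed retention limit (RETENTION_DAYS is a hypothetical policy value), and shows a minimised form of card data that keeps only the last four digits plus a keyed HMAC-SHA256 lookup token instead of the full number. The secret key is generated in the example; a real deployment would draw it from a key store. The token is deliberately non-reversible; where the full value must be recoverable, reversible encryption with managed keys is required, which the standard library does not provide and this example does not show.

```python
# Added example (not from the presentation): a small PII inventory and
# data-minimisation check, built on the Python standard library only.
import hashlib
import hmac
import re
import secrets
from datetime import date
from typing import Dict, List, Optional

# Assumed retention policy: records older than this are flagged (hypothetical value).
RETENTION_DAYS = 365

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> Optional[str]:
    """Return the kind of identity-related data a field holds, or None."""
    if not isinstance(value, str):
        return None
    digits = re.sub(r"[ -]", "", value)
    if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
        return "card_number"
    if EMAIL_RE.match(value):
        return "email"
    return None


def inventory(stores: Dict[str, List[dict]], today: date) -> List[dict]:
    """Answer 'where is personal data stored?' and 'is it past retention?'."""
    findings = []
    for location, records in stores.items():
        for rec in records:
            age_days = (today - rec["stored_on"]).days
            for field, value in rec.items():
                kind = classify(value)
                if kind is not None:
                    findings.append({
                        "location": location,
                        "record": rec["id"],
                        "field": field,
                        "kind": kind,
                        "expired": age_days > RETENTION_DAYS,
                    })
    return findings


def minimise_card(pan: str, key: bytes) -> dict:
    """Keep only the last four digits plus a keyed, non-reversible lookup token.

    HMAC-SHA256 under a secret key lets the business match a card across
    orders without storing the full PAN. If the full number must be
    recoverable, reversible encryption with managed keys is needed instead.
    """
    digits = re.sub(r"[ -]", "", pan)
    token = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return {"last4": digits[-4:], "token": token}


# Constructed sample data; the card numbers are well-known test numbers.
KEY = secrets.token_bytes(32)  # assumed per-deployment secret, normally from a key store
TODAY = date(2011, 6, 30)
SAMPLE_STORES = {
    "crm_db": [
        {"id": 1, "name": "Jane", "email": "jane@example.com", "stored_on": date(2010, 1, 15)},
        {"id": 2, "name": "Ali", "notes": "called 3 times", "stored_on": date(2011, 5, 1)},
    ],
    "web_orders": [
        {"id": 7, "card": "4111 1111 1111 1111", "stored_on": date(2011, 6, 1)},
        {"id": 8, "card": "4111 1111 1111 1112", "stored_on": date(2011, 6, 1)},  # fails Luhn, not reported
    ],
}

if __name__ == "__main__":
    for finding in inventory(SAMPLE_STORES, TODAY):
        print(finding)
    print(minimise_card("4111 1111 1111 1111", KEY))
```

Run against the constructed stores, the inventory reports the expired e-mail in crm_db and the current card number in web_orders; the Luhn-failing string is ignored, which is also the limit of pattern-based discovery: fields that hold identity data in a format the classifier does not know will be missed, so the store-by-store walk should be backed by a data map maintained by the business.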
9. Business continuity and disaster preparedness
• Provide for the continued existence and operation of the organisation; assure continued operation
• Risks
▫ Loss of critical data
▫ Slow rate of restart
▫ Lack of employee awareness of the BCP
▫ Untested / unmodified plan
• Recommendation
▫ Identify all business processes
▫ Ensure they are all catered for in the BCP
▫ Ensure the plan incorporates all aspects, i.e. chain of command, employee management and safety, vendor management, supply chain management
▫ The BCP should be tested and modified periodically
10. IT-perpetrated fraud
• Fraud
• What else did I bring back from Vegas?
The monthly meetings: a blessing
• Use ISACA resources
• Adopt
• Popularise
• Participation in regulation formation
• Recruit more SAG professionals
ISACA's resource is its people
• Africa is unique, with unique problems, slightly slower
• Our role to do the research
• Share our area issues with the others
• Contribute to the research topics
Your role
• Provide security skills
• Provide audit skills
• Provide governance guidance
• Do your part
Thank you