TRANSCRIPT
Virginia Association of School Business Officials, May 24, 2018
Clarence Rhudy, CPA, CISA, CITP
Course Objectives
Current Cybersecurity Trends and Statistics
The Role of Audit Committees and Internal Audit
Understanding Your IT Risks
Control Frameworks
Regulatory Considerations
Vendor Management
Key Takeaways
Cybersecurity Trends and Statistics: 15 Mindboggling Statistics
1. In 2016, the U.S. government spent $28 billion on cybersecurity — and this is expected to increase in 2017‐2018
2. According to Microsoft, the potential cost of cybercrime to the global community is $500 billion, and a data breach will cost the average organization about $3.8 million
3. Ransomware attacks increased by 36 percent in 2017
4. The average amount demanded after a ransomware attack is $1,077
5. 1 in 131 emails contain malware
Cybersecurity Trends and Statistics (cont’d): 15 Mindboggling Statistics
6. In 2017, 6.5 percent of people are victims of identity fraud — resulting in fraudsters defrauding people of about $16 billion
7. 43 percent of cyber attacks are aimed at small organizations
8. Unfilled cybersecurity jobs are expected to reach 3.5 million by 2021 — compared to about 1 million in 2016
9. 230,000 new malware samples are produced every day — and this is predicted to only keep growing
10. 78 percent of people claim to know the risks that come with clicking unknown links in emails and yet still click these links
Cybersecurity Trends and Statistics (cont’d): 15 Mindboggling Statistics
11. 90 percent of hackers cover their tracks by using encryption
12. It takes most businesses about 197 days to detect a breach on their network
13. Android is the second most targeted platform by hackers after Windows
14. 81 percent of data breach victims do not have a system in place to self‐detect data breaches
15. 95 percent of Americans are concerned about how companies use their data
Cybersecurity Trends and Statistics (cont’d): Public Sector Industry Trends – SecurityScorecard Report
[Chart: industry security ratings for 2016 and 2017; Education and Government toward the bottom]
Cybersecurity Trends and Statistics (cont’d): Public Sector Industry Trends
Cybersecurity Trends and Statistics (cont’d): Recent School Data Breaches
Some of the most recent notable reports:
Florida Virtual School – the largest state‐run virtual school in the country disclosed in early March 2018 that it had two major data breaches. Records for 368,000 students were left unsecured online for almost two years with no password protection, in addition to a member school district allowing unauthorized individuals to collect social security numbers and other information on up to 50,000 individuals. Children and young adults are a primary identity theft target because they have no credit history and virtually unused social security numbers – with parents and children often not checking credit reports for years after such events.
Pennsylvania State Department of Education – 360,000 notices sent out related to a February 22, 2018 breach. An error by an employee in the Office of Administration opened a window of 30 minutes during which any user logging in could have accessed information in the system of any other user, including teachers, school districts and state Department of Education staff. Estimated potential cost of credit monitoring services: $641,000.
Cybersecurity Trends and Statistics (cont’d): Recent Local Government Breaches
Two major attacks occurred in the space of 3 days during the week of March 19, 2018:
City of Atlanta – ransomware took much of the city’s internal and external services offline. As of March 30, 2018, the city was still attempting to recover from the attack. It is believed that the attack either leveraged open source Java vulnerabilities or applied brute‐force password cracking methods to introduce the ransomware.
Baltimore, MD 911 system – taken offline by a ransomware attack but service restored shortly thereafter. The exploited vulnerability was created by a firewall change made by a technician troubleshooting the CAD system.
Audit Committees and Internal Audit
Effective risk management is the product of layers of risk defense:
Management – has ownership, responsibility, and accountability for assessing, controlling, and mitigating risks.
Risk Management and Compliance Functions – facilitate and monitor the implementation of effective risk management practices by management, and help risk owners in reporting adequate risk‐related information up and down the firm.
Internal Audit – provides objective assurance to the board on how effectively the organization assesses and manages its risks, including the manner in which the first and second lines of defense operate.
Audit Committees and Internal Audit (cont’d): Audit Committee
Why establish an audit committee?
Improve accountability. Audit committees in the public sector enhance accountability and assist local legislatures in fulfilling their governance responsibilities.
Follow best practices. Audit committees ensure the quality of annual audits and ensure management implements audit recommendations.
Ensure independence. Audit committees ensure that audit functions are empowered to report issues to oversight authorities.
Audit Committees and Internal Audit (cont’d): Audit Committee
Are audit committees required?
Audit committees are required in some states and localities. Audit committees for local governments are sometimes required by state or local law. The Government Finance Officer Association (GFOA) recommends that all state and local governments formally establish audit committees by charter or other legal means. Recommendations are similar for other types of organizations.
Audit Committees and Internal Audit (cont’d): Audit Committee
What are the audit committee’s responsibilities?
Specific responsibilities vary depending on the form of the organization and its reporting relationship to the auditor.
Support and oversight of the audit function – recruiting, appointing, overseeing, and removing (if needed) the auditor; recommendations for the annual audit plan and auditor’s budget; ensuring independence from management.
Oversight of contracts with accounting firms.
Audit Committees and Internal Audit (cont’d): Audit Committee
How should the audit committee be structured?
Members should be independent of management.
Members should be collectively knowledgeable about financial matters and the organization.
The audit committee should have the authority and resources to seek outside expertise when necessary.
Stagger terms to ensure continuity.
Audit Committees and Internal Audit (cont’d): Audit Committee
What is an audit committee’s (or equivalent) role in cybersecurity?
Audit committees should be educated on cybersecurity trends, regulatory developments, and major threats to the organization.
Audit committees should have regular dialogue with IT management to better understand where cybersecurity efforts should be focused.
Audit committees should help develop and monitor a cybersecurity plan.
Audit Committees and Internal Audit (cont’d): Internal Audit
The Three Lines of Defense Model
Audit Committees and Internal Audit (cont’d): Internal Audit
What steps can internal audit take to assist with cybersecurity?
1. Work with management and the BOD to develop a cybersecurity strategy and policy
2. Identify opportunities to improve the organization’s ability to identify, assess, and mitigate cybersecurity risk to an acceptable level
3. Assess and mitigate potential threats that could result from actions of an employee or business partner
4. Leverage relationships with the audit committee and board to heighten awareness and knowledge on cyber threats and changing cybersecurity risk
5. Ensure that cybersecurity risk is integrated into the audit plan
Audit Committees and Internal Audit (cont’d): Internal Audit
What steps can internal audit take to assist with cybersecurity? (cont’d)
6. Develop and maintain an understanding of how emerging technologies and trends are affecting the cybersecurity risk profile
7. Evaluate the cybersecurity program against an agreed upon control framework (such as NIST Cybersecurity)
8. Seek out opportunities to communicate to management that the strongest preventive capability requires a combination of human and technology security
9. Emphasize that cybersecurity monitoring and incident response should be a top priority
10. Identify any IT/audit staffing and resource shortages as well as a lack of supporting technology tools
Understanding Your IT Risks
It is not realistic to perform a risk assessment on every application, function, or process within an organization. Therefore, the first priority should be defining an operational framework by identifying internal and external systems that are critical to your operations or that process, store, and transmit legally protected or sensitive data. Then a risk assessment schedule can be created based on criticality and data sensitivity.
Understanding Your IT Risks (cont’d): Risk Categories
When going through the process, keep in mind the different categories of risk that may affect your organization:
Strategic – related to adverse business decisions
Reputational – related to negative public opinion
Operational – related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events
Transactional – related to problems with service or delivery
Compliance – related to violations of laws, rules, or regulations, or from noncompliance with internal policies and procedures
Understanding Your IT Risks (cont’d): Basic steps of a risk assessment
1. Characterize the system (process, function, or application) – will help determine the viable threats
2. Identify threats – basic threats will apply to every risk assessment but, depending on the system, additional threats could be included
3. Determine inherent risk and impact – the step is performed without considering your control environment
4. Analyze the control environment – identify threat prevention, mitigation, detection, or compensating controls in relation to identified threats
5. Determine a likelihood rating – the likelihood of a given exploit, taking into account the control environment
6. Calculate your risk rating – impact * likelihood = risk rating
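The six steps above carried through on a constructed inventory, as an added example that is not from the deck: ratings use a 1-to-5 scale, identified controls reduce a threat's likelihood, the rating is impact * likelihood as in step 6, and the schedule orders systems by criticality and data sensitivity as described under Understanding Your IT Risks. Every system, threat and control value below is an assumption made for illustration.

```python
from dataclasses import dataclass, field

# Ratings on a 1-5 scale; risk rating = impact * likelihood (the deck's formula).
# Systems, threats and control effects below are constructed, not figures from the deck.

@dataclass
class Threat:
    name: str
    impact: int            # inherent impact, 1 (low) to 5 (high)
    likelihood: int        # inherent likelihood, before considering controls
    controls: list = field(default_factory=list)  # (control name, likelihood reduction)

@dataclass
class System:
    name: str
    critical: bool         # critical to operations
    sensitive_data: bool   # processes, stores or transmits legally protected data
    threats: list

def residual_likelihood(t: Threat) -> int:
    """Steps 4-5: reduce inherent likelihood by each control's effect, floor at 1."""
    reduction = sum(r for _, r in t.controls)
    return max(1, t.likelihood - reduction)

def risk_rating(t: Threat) -> dict:
    """Steps 3 and 6: inherent rating ignores controls, residual rating includes them."""
    return {"threat": t.name,
            "inherent": t.impact * t.likelihood,
            "residual": t.impact * residual_likelihood(t)}

def system_rating(s: System) -> int:
    """The highest residual threat rating drives the system's overall rating."""
    return max(risk_rating(t)["residual"] for t in s.threats)

def assessment_schedule(systems: list) -> list:
    """Order systems for assessment by criticality, data sensitivity, then residual rating."""
    return sorted(systems, key=lambda s: (s.critical, s.sensitive_data, system_rating(s)),
                  reverse=True)

# Constructed sample inventory for a school district (hypothetical values).
SIS = System("student information system", True, True, [
    Threat("ransomware via phishing", 5, 4, [("user awareness training", 1), ("offline backups", 1)]),
    Threat("unauthorized record access", 4, 3, [("role-based access", 2)]),
])
WEBSITE = System("public website", False, False, [Threat("defacement", 2, 3, [])])
PAYROLL = System("payroll", True, True, [Threat("vendor credential misuse", 5, 2, [("MFA", 1)])])

if __name__ == "__main__":
    for s in assessment_schedule([WEBSITE, SIS, PAYROLL]):
        print(s.name, system_rating(s), [risk_rating(t) for t in s.threats])
```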
Control Frameworks
A framework is a comprehensive set of practices for implementing security controls to help lower security risks.
International Standards Organization (ISO) 27001 – specifies requirements for an overall management and control framework for managing an organization’s information security risks.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800‐53 – provides a catalog of customized security controls and is commonly used by government agencies as their baseline security control framework.
Control Frameworks (cont’d)
NIST Cybersecurity Framework (CSF) – helps owners and operators of critical infrastructure to manage cybersecurity‐related risk.
Federal Information Processing Standards (FIPS) – publicly announced standards developed by the U.S. government for use in computer systems by non‐military agencies and government contractors.
Control Frameworks (cont’d)
[Chart: Cybersecurity Framework Usage; percentage of U.S. organizations by year (2012, 2015, 2020 projected)]
As of 2015, 30% of U.S. organizations use the NIST Cybersecurity Framework, and use is predicted to rise to 50% by 2020 according to Gartner research.
Control Frameworks (cont’d): Security Reference Material
The references listed below provide additional guidance for various cybersecurity topics that are addressed in the various control frameworks.
ISO 27002 – related to ISO 27001
NIST SP 800‐44 – public web servers
NIST SP 800‐45 – mail servers
NIST SP 800‐50 and SP 800‐16 – IT security training program
NIST SP 800‐66 – The Health Insurance Portability and Accountability Act (HIPAA) Security Rule concepts
Control Frameworks (cont’d): Security Reference Material
NIST SP 800‐123 – network communication servers
NIST SP 800‐124 – mobile devices
NIST SP 800‐125 – virtualization technologies
NIST SP 800‐144 – cloud computing
NIST SP 800‐153 – wireless networks
Federal Information Processing Standards (FIPS) 200 – security requirements for federal information systems
FIPS 140‐1 & 2 – cryptography modules
Regulatory Considerations
An organization may have to comply with many regulations such as:
FERPA
HIPAA
The Health Information Technology for Economic and Clinical Health Act (HITECH)
CMS Information Security Acceptable Risk Safeguards (ARS)
42 Code of Federal Regulations (CFR)
Criminal Justice Information Services (CJIS) Security Policy
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Management Act (FISMA)
Regulatory Considerations (cont’d): Relevant Virginia State Laws
At least 42 states have introduced more than 240 bills or resolutions related to cybersecurity. Listed below are a few Virginia state laws that address information security:
Va. Code § 2.2-603: Every agency and department is responsible for securing electronic data and shall comply with the requirements of the commonwealth's information technology security and risk-management program as set forth in Va. Code § 2.2-2009, and shall report all known incidents that threaten data security.
Va. Code § 2.2-2009: The CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information.
Va. Code § 18.2-186.6 and § 32.1-127.1:05: Breach disclosure statutes
* Disclaimer: I am not a lawyer. Please check with legal counsel to understand current laws and regulations and to determine your organization’s specific compliance requirements.
Regulatory Considerations (cont’d): Vigilance is Imperative
Keeping up to date with regulations is important but does not guarantee organizations are secure. True security depends on minimizing IT risks rather than checking all the right boxes. Leaders shouldn’t let satisfactory compliance reports lull them into complacency. Be prepared for today’s and tomorrow’s hackers, not yesterday’s!!
A proactive approach includes:
Conducting periodic security assessments
Evaluating incident response readiness
Leveraging an effective control framework
Vendor Management
More and more, organizations are asking third parties to become involved in managing and operating the organization’s technology. Benefits to outsourcing IT may include:
Controlling and reducing the rising costs of IT
Achieving greater efficiency
Making technology solutions more responsive to change
Any vendor who has access to your data or who has access to your internal network is a potential risk that must be closely monitored.
Vendor Management (cont’d): What’s in a vendor management program?
A vendor management program consists of 4 basic steps:
1. Identify and rank your vendor list – it’s important to identify all vendors that have access to sensitive data as well as your network. In addition, vendors should be ranked according to the risk associated with the relationship.
2. Perform due diligence – research the vendor to determine their cybersecurity capabilities. Further, contract language should be developed that requires the behaviors and controls you deem necessary.
Vendor Management (cont’d): What’s in a vendor management program?
3. DOCUMENT!! – the results of the due diligence need to be documented. Create a spreadsheet or database to track all vendors and their ongoing review schedules.
4. Report – you should have a mechanism to report serious issues to senior management and be prepared to demonstrate the results of your vendor management program to auditors. It is recommended that critical and high risk vendors be reviewed at least annually.
The vendor management process is not a one and done exercise.
Key Takeaways
It is not possible to eliminate all risk
Create appropriate risk assessments for cybersecurity
Create and communicate an information security policy and records management process
Leverage existing control frameworks to develop and implement information security internal controls
Create and deliver information security training
Human negligence is often the biggest risk to organizations
Many attacks could have been avoided if users had installed months‐old security patches
Hire experienced, qualified, and certified IT professionals (CISA, CISSP)
Key Takeaways (cont’d)
Develop an incident/breach response process. Developing a plan that details breach notification protocols and identifies the critical stakeholders involved in containing, removing, and communicating the threat can ensure the organization’s response is immediate and comprehensive.
Create and implement an information assurance business continuity plan.
Select and implement appropriate and affordable information security tools and technologies. Threat monitoring and analytical tools are critical weapons in an organization’s defense arsenal.
Key Takeaways (cont’d)
Create and communicate a security patch management program. Keeping operating systems and software updated with the latest security patches can reduce the number of exploitable entry points. Organizations must develop a solid understanding of the vulnerabilities that exist and the degree of risk they present to ensure the appropriate measures are taken to address them.
Key Takeaways (cont’d)
Examples of internal audit focus areas:
IT governance
Change management
Logical and physical access
Mobile computing
Penetration testing
Vulnerability management
Business continuity planning
Crisis management
Vendor management
Examples of independent assessments:
FedRAMP Third Party Assessor Organization Cloud Security Assessment Reports
FISMA Security Assessments
IT Internal Audit Co‐sourcing/Outsourcing
SOC Reports
Vulnerability/Penetration testing
Conduct periodic cybersecurity assessments both internally and via independent consultations.