VirginiaAssociationofSchoolBusinessOfficialsMay24,2018

ClarenceRhudy,CPA,CISA,CITP

CourseObjectives

CurrentCybersecurityTrendsandStatistics TheRoleofAuditCommitteesandInternalAudit UnderstandingYourITRisks ControlFrameworks RegulatoryConsiderations VendorManagement KeyTakeaways

2

CybersecurityTrendsandStatistics:15MindbogglingStatistics

1. In2016,theU.Sgovernmentspent$28billiononcybersecurity— andthisisexpectedtoincreasein2017‐2018

2. AccordingtoMicrosoft,thepotentialcostofcybercrimetotheglobalcommunityis$500billion,andadatabreachwillcosttheaverageorganizationabout$3.8million

3. Ransomwareattacksincreasedby36percentin20174. Theaverageamountdemandedafteraransomwareattackis

$1,0775. 1in131emailscontainmalware

3

CybersecurityTrendsandStatistics:(cont’d)15MindbogglingStatistics

6. In2017,6.5percentofpeoplearevictimsofidentityfraud—resultinginfraudstersdefraudingpeopleofabout$16billion

7. 43percentofcyberattacksareaimedatsmallorganizations8. Unfilledcybersecurityjobsisexpectedtoreach3.5millionby

2021— comparedtoabout1millionin20169. 230,000newmalwaresamplesareproducedeveryday— and

thisispredictedtoonlykeepgrowing10. 78percentofpeopleclaimtoknowtherisksthatcomewith

clickingunknownlinksinemailsandyetstillclicktheselinks

4

CybersecurityTrendsandStatistics:(cont’d)15MindbogglingStatistics

11. 90percentofhackerscovertheirtracksbyusingencryption12. Ittakesmostbusinessesabout197 daystodetectabreachon

theirnetwork13. Androidisthesecondmosttargetedplatformbyhackersafter

Windows14. 81percentofdatabreachvictimsdonothaveasysteminplace

toself‐detectdatabreaches15. 95percentofAmericansareconcernedabouthowcompanies

usetheirdata

5

CybersecurityTrendsandStatistics:(cont’d)PublicSectorIndustryTrends– SecurityScorecard Report

6

2016 2017

EducationandGovernmentTowardtheBottom

CybersecurityTrendsandStatistics:(cont’d)PublicSectorIndustryTrends

7

CybersecurityTrendsandStatistics:(cont’d)RecentSchoolDataBreaches

8

Someofthemostrecentnotablereports: FloridaVirtualSchool– largeststate‐runvirtualschoolinthecountrydisclosedinearlyMarch2018thatithadtwomajordatabreaches.Recordsfor368,000studentswereleftunsecuredonlineforalmosttwoyearswithnopasswordprotection,inadditiontoamemberschooldistrictallowingunauthorizedindividualstocollectsocialsecuritynumbersandotherinformationonupto50,000individuals.Childrenandyoungadultsareaprimaryidentitythefttargetduetothemnothavingacredithistoryandvirtuallyunusedsocialsecurity– withparentsandchildrenoftennotcheckingcreditreportsforyearsaftersuchevents.

PennsylvaniaStateDepartmentofEducation– 360,000noticessentoutrelatedtoaFebruary22,2018breach.AnerrorbyanemployeeintheOfficeofAdministrationopenedawindowsof30minuteswhereanyuserloggingincouldhaveaccessedinformationinsystemofanyotheruserswhichincludeteachers,schooldistrictsandstateDepartmentofEducationstaff.Estimatedpotentialcostofcreditmonitoringservices$641,000.

CybersecurityTrendsandStatistics:(cont’d)RecentLocalGovernmentBreaches

9

Twomajorattacksoccurredinthespaceof3daysduringtheweekofMarch19,2018:

CityofAtlanta– ransomwaretookmuchofthecity’sinternalandexternalservicesoffline.AsofMarch30,2018,thecitywasstillattemptingtorecoverfromtheattack.ItisbelievedthattheattackeitherleveragedopensourceJavavulnerabilitiesorappliedbrute‐forcepasswordcrackingmethodstointroducetheransomware.

Baltimore,MD911system– takenofflinebyaransomwareattackbutservicerestoredshortlythereafter.TheexploitedvulnerabilitywascreatedduetoafirewallchangemadebyatechniciantroubleshootingtheCADsystem.

AuditCommitteesandInternalAudit

Effectiveriskmanagementistheproductoflayersofriskdefense:

Management –hasownership,responsibility,andaccountabilityforassessing,controlling,andmitigatingrisks.

RiskManagementandComplianceFunctions– facilitateandmonitortheimplementationofeffectiveriskmanagementpracticesbymanagement,andhelpriskownersinreportingadequaterisk‐relatedinformationupanddownthefirm.

InternalAudit– providesobjectiveassurancetotheboardonhoweffectivelytheorganizationassessesandmanagesitsrisks,includingthemannerinwhichthefirstandsecondlinesofdefenseoperate.

10

AuditCommitteesandInternalAudit(cont’d)AuditCommittee

11

Whyestablishanauditcommittee?Improve accountability.Auditcommitteesinthepublicsectorenhanceaccountabilityandassistlocallegislaturesinfulfillingtheirgovernanceresponsibilities.Followbestpractices.Auditcommitteesensurethequalityofannualauditsandensuremanagementimplementsauditrecommendations.EnsureIndependence.Auditcommitteesensurethatauditfunctionsareempoweredtoreportissuestooversightauthorities.

AuditCommitteesandInternalAudit(cont’d)AuditCommittee

12

Areauditcommitteesrequired?Auditcommitteesarerequiredinsomestatesandlocalities.Auditcommitteesforlocalgovernmentsaresometimesrequiredbystateorlocallaw.TheGovernmentFinanceOfficerAssociation(GFOA)recommendsthatallstateandlocalgovernmentsformallyestablishauditcommitteesbycharterorotherlegalmeans.Recommendationsaresimilarforothertypesoforganizations.

AuditCommitteesandInternalAudit(cont’d)AuditCommittee

13

Whataretheauditcommittee’sresponsibilities?Specificresponsibilitiesvarydependingontheformoftheorgnaization andreportingrelationshiptotheauditor.Supportandoversight oftheauditfunction–recruiting,appointing,overseeing,andremoving(ifneeded)theauditor;recommendationsfortheannualauditplanandauditor’sbudget;ensureindependencefrommanagement.Oversightofcontractswithaccountingfirms

AuditCommitteesandInternalAudit(cont’d)AuditCommittee

14

Howshouldtheauditcommitteebestructured?MembersshouldbeindependentofmanagementMembersshouldbecollectivelyknowledgeableaboutfinancialmattersandtheorganizationTheauditcommitteeshouldhavetheauthorityandresourcestoseekoutsideexpertisewhennecessaryStaggertermstoensurecontinuity

AuditCommitteesandInternalAudit(cont’d)AuditCommittee

15

Whatisanauditcommittee’s(orequivalent)roleincybersecurity?Auditcommitteesshouldbeeducatedoncybersecuritytrends,regulatorydevelopments,andmajorthreatstotheorganizationAuditcommitteesshouldhaveregulardialoguewithITmanagementtobetterunderstandwherecybersecurityeffortsshouldbefocusedAuditcommitteesshouldhelpdevelopandmonitoracybersecurityplan

AuditCommitteesandInternalAudit(cont’d)InternalAudit

16

TheThreeLinesofDefenseModel

AuditCommitteesandInternalAudit(cont’d)InternalAudit

17

Whatstepscaninternalaudittaketoassistwithcybersecurity?1. WorkwithmanagementandtheBODtodevelopa

cybersecuritystrategyandpolicy2. Identifyopportunitiestoimprovetheorganization’sabilityto

identify,assess,andmitigatecybersecurityrisktoanacceptablelevel

3. Assessandmitigatepotentialthreatsthatcouldresultfromactionsofanemployeeorbusinesspartner

4. Leveragerelationshipswiththeauditcommitteeandboardtoheightenawarenessandknowledgeoncyberthreatsandchangingcybersecurityrisk

5. Ensurethatcybersecurityriskisintegratedintotheauditplan

AuditCommitteesandInternalAudit(cont’d)InternalAudit

18

Whatstepscaninternalaudittaketoassistwithcybersecurity?6. Developandmaintainanunderstandingofhowemerging

technologiesandtrendsareaffectingthecybersecurityriskprofile

7. Evaluatethecybersecurityprogramagainstanagreeduponcontrolframework(suchasNISTCybersecurity)

8. Seekoutopportunitiestocommunicatetomanagementthatthestrongestpreventivecapabilityrequiresacombinationofhumanandtechnologysecurity

9. Emphasizethatcybersecuritymonitoringandincidentresponseshouldbeatoppriority

10. IdentifyanyIT/auditstaffingandresourceshortagesaswellasalackofsupportingtechnologytools

UnderstandingYourITRisksItisnotrealistictoperformariskassessmentoneveryapplication,function,orprocesswithinanorganization.Therefore,thefirstpriorityshouldbedefininganoperationalframeworkbyidentifyinginternalandexternalsystemsthatarecriticaltoyouroperationsorthatprocess,store,andtransmitlegallyprotectedorsensitivedata.Thenariskassessmentschedulecanbecreatedbasedoncriticalityanddatasensitivity.

19

UnderstandingYourITRisks(cont’d)RiskCategories

Whengoingthroughtheprocess,keepinmindthedifferentcategoriesofriskthatmayaffectyourorganization:Strategic – relatedtoadversebusinessdecisionsReputational – relatedtonegativepublicopinionOperational – relatedtolossresultingfrominadequateorfailedinternalprocesses,people,andsystems,orfromexternalevents

Transactional – relatedtoproblemswithserviceordeliveryCompliance – relatedtoviolationsoflaws,rules,orregulations,orfromnoncompliancewithinternalpoliciesandprocedures

20

UnderstandingYourITRisks(cont’d)Basicstepsofariskassessment

1. Characterizethesystem(process,function,orapplication)– willhelpdeterminetheviablethreats

2. Identifythreats– basicthreatswillapplytoeveryriskassessmentbut,dependingonthesystem,additionalthreatscouldbeincluded

3. Determineinherentriskandimpact– thestepisperformedwithoutconsideringyourcontrolenvironment

21

UnderstandingYourITRisks(cont’d)Basicstepsofariskassessment

4. Analyzethecontrolenvironment– identifythreatprevention,mitigation,detection,orcompensatingcontrolsinrelationtoidentifiedthreats

5. Determinealikelihoodrating– thelikelihoodofagivenexploittakingintoaccountthecontrolenvironment

6. Calculateyourriskrating– impact*likelihood=riskrating

22

ControlFrameworksAframeworkisacomprehensivesetofpracticesforimplementingsecuritycontrolstohelplowersecurityrisks. InternationalStandardsOrganization(ISO)27001–specifiesrequirementsforanoverallmanagementandcontrolframeworkformanaginganorganization’sinformationsecurityrisks.

NationalInstituteofStandardsandTechnology(NIST)SpecialPublication(SP)800‐53– providesacatalogofcustomizedsecuritycontrolsandiscommonlyusedbygovernmentagenciesastheirbaselinesecuritycontrolframework.

23

ControlFrameworks(cont’d) NISTCybersecurityFramework(CSF)– helpsownersandoperatorsofcriticalinfrastructuretomanagecybersecurity‐relatedrisk.

FederalInformationProcessingStandards(FIPS)–publiclyannouncedstandardsdevelopedbytheU.S.governmentforuseincomputersystemsbynon‐militaryagenciesandgovernmentcontractors.

24

ControlFrameworks(cont’d)

25

[VALUE]%

[VALUE]%

[VALUE]%PROJECTED

0

10

20

30

40

50

60

2012 2015 2020

PERCENTAGEOFU.S.ORGAN

IZATIONS

YEARS

CYBERSECURITYFRAMEWORKUSAGEAsof2015,30%ofU.S.organizationsusetheNISTCybersecurityFrameworkanduseispredictedtoriseto50%by2020accordingtoGartnerresearch.

ControlFrameworks(cont’d)SecurityReferenceMaterial

Thereferenceslistedbelowprovideadditionalguidanceforvariouscybersecuritytopicsthatareaddressedinthevariouscontrolframeworks. ISO27002– relatedtoISO27001 NISTSP800‐44– publicwebservers NISTSP800‐45– mailservers NISTSP800‐50andSP800‐16– ITsecuritytrainingprogram

NISTSP800‐66– TheHealthInsurancePortabilityandAccountabilityAct(HIPAA)SecurityRuleconcepts

26

ControlFrameworks(cont’d)SecurityReferenceMaterial

NISTSP800‐123– networkcommunicationservers NISTSP800‐124– mobiledevices NISTSP800‐125– virtualizationtechnologies NISTSP800‐144– cloudcomputing NISTSP800‐153– wirelessnetworks FederalInformationProcessingStandards(FIPS)200– securityrequirementsforfederalinformationsystems

FIPS140‐1&2– cryptographymodules

27

RegulatoryConsiderationsAnorganizationmayhavetocomplywithmanyregulationssuchas:FERPAHIPAATheHealthInformationTechnologyforEconomicandClinicalHealthAct(HITECH)

CMSInformationSecurityAcceptableRiskSafeguards(ARS)

42CodeofFederalRegulations(CFR)CriminalJusticeInformationServices(CJIS)SecurityPolicyPaymentCardIndustryDataSecurityStandard(PCIDSS)FederalInformationSecurityManagementAct(FISMA)

28

RegulatoryConsiderations(cont’d)RelevantVirginiaStateLawsAtleast42 stateshaveintroducedmorethan240 billsorresolutionsrelatedtocybersecurity. ListedbelowareafewVirginiastatelawsthataddressinformationsecurity:

Va.Code§ 2.2 – 603: Every agency and department is responsible for securing electronic data and shall comply with the requirements of the commonwealth's information technology security and risk-management program as set forth in Va. Code § 2.2-2009, and shall report all known incidents that threaten data security.

Va. Code § 2.2 – 2009: The CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information.

Va. Code § 18.2-186.6 and § 32.1-127.1:05: Breach disclosure statutes

* Disclaimer: I am not a lawyer. Please check with legal counsel to understand current laws and regulations and to determine your organization’s specific compliance requirements.

29

RegulatoryConsiderations(cont’d)VigilanceisImperative

Keepinguptodatewithregulationsisimportantbutdoesnotguaranteeorganizationsaresecure.TruesecuritydependsonminimizingITrisksratherthancheckingalltherightboxes.Leadersshouldn’tletsatisfactorycompliancereportslullthemintocomplacency.Bepreparedfortoday’sandtomorrow’shackers,notyesterday’s!!

Aproactiveapproachincludes:ConductingperiodicsecurityassessmentsEvaluatingincidentresponsereadinessLeveraginganeffectivecontrolframework

30

VendorManagementMoreandmore,organizationsareaskingthirdpartiestobecomeinvolvedinmanagingandoperatingtheorganization’stechnology.BenefitstooutsourcingITmayinclude:

ControllingandreducingtherisingcostsofITAchievinggreaterefficiencyMakingtechnologysolutionsmoreresponsivetochange

Anyvendorwhohasaccesstoyourdataorwhohasaccesstoyourinternalnetworkisapotentialriskthat

mustbecloselymonitored.

31

VendorManagement(cont’d)What’sinavendormanagementprogram?

Avendormanagementprogramconsistsof4basicsteps:

1. Identifyandrankyourvendorlist– it’simportanttoidentifyallvendorsthathaveaccesstosensitivedataaswellasyournetwork.Inaddition,vendorsshouldberankedaccordingtotheriskassociatedwiththerelationship.

2. Performduediligence– researchthevendortodeterminetheircybersecuritycapabilities.Further,contractlanguageshouldbedevelopedthatrequiresthebehaviorsandcontrolsyoudeemnecessary.

32

VendorManagement(cont’d)What’sinavendormanagementprogram?

Avendormanagementprogramconsistsof4basicsteps:

3. DOCUMENT!!– theresultsoftheduediligenceneedtobedocumented.Createaspreadsheetordatabasetotrackallvendorsandtheirongoingreviewschedules.

4. Report– Youshouldhaveamechanismtoreportseriousissuestoseniormanagementandbepreparedtodemonstratetheresultsofyourvendormanagementprogramtoauditors.Itisrecommendedthatcriticalandhighriskvendorsbereviewedatleastannually.

Thevendormanagementprocessisnotaoneanddoneexercise

33

KeyTakeaways Itisnotpossibletoeliminateallrisk CreateappropriateriskassessmentsforCybersecurity Createandcommunicateaninformation

securitypolicyandrecordsmanagementprocess Leverageexistingcontrolframeworkstodevelopand

implementinformationsecurityinternalcontrols Createanddeliverinformationsecuritytraining Humannegligenceisoftenthebiggestrisktoorganizations Manyattackscouldhavebeenavoidedifusershadinstalledmonths‐oldsecuritypatches

Hireexperienced,qualified,andcertifiedITprofessionals CISA,CISSP

34

KeyTakeaways(cont’d) Developanincident/breachresponseprocessDevelopingaplanthatdetailsbreachnotificationprotocolsandidentifiesthecriticalstakeholdersinvolvedincontaining,removing,andcommunicatingthethreatcanensuretheorganization’sresponseisimmediateandcomprehensive

Createandimplementaninformationassurancebusinesscontinuityplan

Selectandimplementappropriateandaffordableinformationsecuritytoolsandtechnologies Threatmonitoringandanalyticaltoolsarecriticalweaponsinanorganization’sdefensearsenal

35

KeyTakeaways(cont’d) Createandcommunicateasecuritypatch

managementprogramKeepingoperatingsystemsandsoftwareupdatedwiththelatestsecuritypatchescanreducethenumberofexploitableentrypoints.Organizationsmustdevelopasolidunderstandingofthevulnerabilitiesthatexistandthedegreeofrisktheypresenttoensuretheappropriatemeasuresaretakentoaddressthem.

36

KeyTakeaways(cont’d)

Examplesofinternalauditfocusareas ITgovernance Changemanagement Logicalandphysicalaccess Mobilecomputing Penetrationtesting Vulnerabilitymanagement Businesscontinuityplanning Crisismanagement Vendormanagement

Examplesofindependentassessments FedRAMPThirdPartyAssessorOrganizationCloudSecurityAssessmentReports

FISMASecurityAssessments ITInternalAuditCo‐sourcing/Outsourcing

SOCReports Vulnerability/Penetrationtesting

37

Conductperiodiccybersecurityassessmentsbothinternallyandviaindependentconsultations

38

ClarenceRhudy,CPA,CISA,CITPcrhudy@becpas.com

540345‐0936