Cybersecurity The Role Of Internal Audit


Cybersecurity: The role of Internal Audit (Discussion Deck)

Cyber risk—High on the agenda

Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory focus.

– Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to cybersecurity risks and incidents:
  "Registrants should address cybersecurity risks and cyber incidents in their Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures." (SEC Division of Corporate Finance Disclosure Guidance: Topic No. 2 - Cybersecurity)
– Ever-growing concerns about cyber-attacks affecting the nation's critical infrastructure prompted the signing of Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes of regulatory agency expectations and oversight.
– One of the foundational drivers behind the update and release of the 2013 COSO Framework was the need to address how organizations use and rely on evolving technology for internal control purposes.

Discussion Deck—Cybersecurity—The Role of Internal Audit. Copyright 2015 Deloitte Development LLC. All rights reserved.

Cyber risk—Drivers

The forces driving growth and efficiency may create a broad attack surface.

Technology expansion
– Technology becomes more pervasive: Internet, cloud, mobile, and social are mainstream platforms inherently oriented for sharing; employees want continuous, real-time access to their information.
– Changing business models: service models have evolved—outsourcing, offshoring, contracting, and remote workforce.
– More data to protect: increased volume of customers' personal, account, and credit card data, as well as employees' personally identifiable information and company trade secrets; the need to comply with privacy requirements across a wide array of jurisdictions.

Data attackers
– Threat actors with varying motives, from hackers to nation states: continuously innovating and subverting common controls, and often beyond the reach of a country's law enforcement.

Cyber risk—Appetite

Management should develop an understanding of who might attack, why, and how.

Who might attack?
– Cyber criminals
– Hacktivists (agenda driven)
– Nation states
– Insiders/partners
– Competitors
– Skilled individual hackers

What are they after, and what business risks do I need to mitigate?
– Theft of IP/strategic plans
– Financial fraud
– Reputation damage
– Business disruption
– Destruction of critical infrastructure
– Threats to health and safety

What tactics might they use?
– Spear phishing, drive-by download, etc.
– Software or hardware vulnerabilities
– Third-party compromise
– Multi-channel attacks
– Stolen credentials

Cyber Risk Program and Governance
– Governance and operating model
– Policies and standards
– Management processes and capabilities
– Risk reporting
– Risk awareness and culture

Secure: Are controls in place to guard against known and emerging threats?
– Perimeter defenses
– Vulnerability management
– Asset management
– Identity management
– Secure SDLC
– Data protection

Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
– Threat intelligence
– Security monitoring
– Behavioral analysis
– Risk analytics

Resilient: Can we act and recover quickly to reduce impact?
– Incident response
– Forensics
– Business continuity / disaster recovery
– Crisis management

Cyber risk—Roles and responsibilities

Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board's need to understand the effectiveness of cybersecurity controls.

1st line of defense: business and IT functions
– Incorporate risk-informed decision making into day-to-day operations and fully integrate risk management into operational processes
– Define risk appetite and escalate risks outside of tolerance
– Mitigate risks, as appropriate

2nd line of defense: information and technology risk management function
– Establish governance and oversight
– Set risk baselines, policies, and standards
– Implement tools and processes
– Monitor and call for action, as appropriate
– Provide oversight, consultation, checks and balances, and enterprise-level policies and standards

3rd line of defense: internal audit
– Independently review program effectiveness
– Provide confirmation to the board on risk management effectiveness
– Meet requirements of SEC disclosure obligations focused on cybersecurity risks

Given recent high-profile cyber attacks and data losses, and the SEC's and other regulators' expectations, it is critical for Internal Audit to understand cyber risks and be prepared to address the questions and concerns expressed by the audit committee and the board.

Cyber risk—Deloitte cybersecurity framework*

An assessment of the organization's cybersecurity should evaluate specific capabilities across multiple domains.

Secure
– Cybersecurity risk and compliance management: compliance monitoring; issue and corrective action planning; regulatory and exam management; risk and compliance assessment and mgmt.; integrated requirements and control framework
– Secure development life cycle: secure build and testing; secure coding guidelines; application role design/access; security design/architecture; security/risk requirements
– Third-party management: evaluation and selection; contract and service initiation; ongoing monitoring; service termination
– Information and asset management: information and asset classification and inventory; information records management; physical and environment security controls; physical media handling
– Security program and talent management: security direction and strategy; security budget and finance management; policy and standards management; exception management; talent strategy
– Identity and access management: account provisioning; privileged user management; access certification; access management and governance
– Data management and protection: data classification and inventory; breach notification and management; data loss prevention; data security strategy; data encryption and obfuscation; records and mobile device management
– Security operations: change management; configuration management; network defense; security operations management; security architecture
– Security awareness and training: security training; security awareness; third-party responsibilities

Vigilant
– Threat and vulnerability management: incident response and forensics; application security testing; threat modeling and intelligence; security event monitoring and logging; penetration testing; vulnerability management
– Risk analytics: information gathering and analysis around user, account, entity; events/incidents; fraud and anti-money laundering; operational loss

Resilient
– Crisis management and resiliency: recover strategy, plans & procedures; testing & exercising; business impact analysis; business continuity planning; disaster recovery planning

* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Cyber risk—Deloitte cybersecurity framework*

Certain cybersecurity domains may be partially covered by existing IT audits; however, many capabilities have historically not been reviewed by internal audit.

This slide repeats the framework map of domains and capabilities from the previous slide and overlays the areas typically covered by existing IT audits:
– SOX (financially relevant systems only)
– Penetration and vulnerability testing
– BCP/DRP testing

* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.

Cyber risk—Assessment approach

An internal audit assessment of cybersecurity should cover all domains and relevant capabilities, and involve subject matter specialists when appropriate.

Phase I: Planning and scoping
Activities:
– Identify specific internal and external stakeholders: IT, Compliance, Legal, Risk, etc.
– Understand organization mission and objectives
– Identify industry requirements and regulatory landscape
– Perform industry and sector risk profiling (i.e., review industry reports, news, trends, risk vectors)
– Identify in-scope systems and assets
– Identify vendors and third-party involvement
Deliverables:
– Assessment objectives and scope
– Capability assessment scorecard framework

Phase II: Understand current state
Activities:
– Conduct interviews and workshops to understand the current profile
– Perform walkthroughs of in-scope systems and processes to understand existing controls
– Understand the use of third parties, including reviews of applicable reports
– Review relevant policies and procedures, including security environment, strategic plans, and governance for both internal and external stakeholders
– Review self-assessments
– Review prior audits
Deliverable:
– Understanding of environment and current state

Phase III: Risk assessment
Activities:
– Document list of potential risks across all in-scope capabilities
– Collaborate with subject matter specialists and management to stratify emerging risks, and document potential impact
– Evaluate likelihood and impact of risks
– Prioritize risks based upon organization's objectives, capabilities, and risk appetite
– Review and validate the risk assessment results with management and identify criticality
Deliverables:
– Prioritized risk ranking
– Capability assessment findings

Phase IV: Gap assessment and recommendations
Activities:
– Document capability assessment results and develop assessment scorecard
– Review assessment results with specific stakeholders
– Identify gaps and evaluate potential severity
– Map to maturity analysis
– Document recommendations
– Develop multiyear cybersecurity/IT audit plan
Deliverables:
– Maturity analysis
– Assessment scorecard
– Remediation recommendations
– Cybersecurity audit plan

Cyber risk—Assessment maturity analysis

Maintaining and enhancing security capabilities can help mitigate cyber threats and help the organization to arrive at its desired level of maturity.

Stage 1: Initial
– Recognized the issue
– Ad-hoc/case by case
– Partially achieved goals
– No training, communication, or standardization

Stage 2: Managed
– Process is managed
– Responsibility defined
– Defined procedures with deviations
– Process reviews

Stage 3: Defined
– Defined process
– Communicated procedures
– Performance data collected
– Integrated with other processes
– Compliance oversight

Stage 4: Predictable
– Defined quantitative performance thresholds and control limits
– Constant improvement
– Automation and tools implemented
– Managed to business objectives

Stage 5: Optimized
– Continuously improved
– Improvement objectives defined
– Integrated with IT
– Automated workflow
– Improvements from new technology

[Chart: Maturity analysis. Rows are the cybersecurity domains (Secure: cybersecurity risk and compliance mgmt., third-party management, secure development life cycle, information and asset management, security program and talent management, identity and access management, data management and protection, security operations, security awareness and training; Vigilant: threat and vulnerability management, risk analytics; Resilient: crisis management and resiliency); columns are Initial, Managed, Defined, Predictable, Optimized; each row plots the current state CMMI maturity*.]

* The industry-recognized Capability Maturity Model Integration (CMMI) can be used as the model for the assessment. Each domain consists of specific capabilities which are assessed and averaged to calculate an overall domain maturity.

Cyber risk—Assessment scorecard

A scorecard can support the overall maturity assessment, with detailed cyber risks for people, process, and technology. Findings should be documented and recommendations identified for all gaps.

[Chart: Assessment Scorecard. Rows are the cybersecurity domains grouped as Secure, Vigilant and Resilient; columns are People, Process and Technology; each cell is scored from 1: Initial through 2: Managed, 3: Defined, 4: Predictable to 5: Optimized.]

Capability assessment findings and recommendations
Cybersecurity domain: Threat and vulnerability management—Penetration testing

Ref. 2.6.4 (Area: People)
Finding: The organization has some resources within the ISOC that can conduct penetration testing, but not on a routine basis due to operational constraints and multiple roles that those resources are fulfilling.
Recommendation: The organization may find it of more value and cost benefit to utilize current resources to conduct internal penetration testing on a routine and dedicated basis, since they do have individuals with the necessary skills to perform this duty.

Ref. 2.6.5 (Area: Process)
Finding: The organization has limited capability to conduct penetration testing in a staged environment or against new and emerging threats.
Recommendation: The organization should expand its penetration testing capability to include more advanced testing and more advanced social engineering, and develop greater control over the frequency of testing.

Ref. 2.6.6 (Area: Technology)
Finding: The organization lacks standard tools to perform its own ad-hoc and on-the-spot penetration tests to confirm or support potential vulnerability assessment alerts and/or incident investigation findings.
Recommendation: Either through agreement with a third-party vendor, or through technology acquisition, develop the technology capability to perform out-of-cycle penetration testing.

Cyber risk—Representative internal audit plan

A cybersecurity assessment can drive a risk-based IT internal audit plan. Audit frequency should correspond to the level of risk identified, and applicable regulatory requirements/expectations.

[Table: each internal audit area is marked with an X in the fiscal years (FY 2015, FY 2016, FY 2017) in which it is scheduled; the year-by-year marks are not recoverable from the transcription, the representative notes are listed below.]

Internal Audit area: Notes (representative)
– SOX IT General Computer Controls: Annual requirement but only covers financially significant systems and applications
– External Penetration and Vulnerability Testing: Cover a portion of IP addresses each year
– Internal Vulnerability Testing: Lower risk due to physical access controls
– Business Continuity Plan/Disaster Recovery Plan: Coordinate with annual 1st and 2nd line of defense testing
– Data Protection and Information Security: Annual testing to cycle through risk areas, and continuous monitoring
– Third-party Management: Lower risk due to X
– Risk Analytics: Lower risk due to X
– Crisis Management: Cyber war gaming scenario planned
– Social Media: Social media policy and awareness program
– Data Loss Protection (DLP): Shared drive scan for SSN / Credit Card #

Cyber risk—Deloitte IT internal audit

Leading cybersecurity risk management services—specifically suited to collaborate with you.

The right resources at the right time
– #1 provider of cyber risk management solutions
– The only organization with the breadth, depth, and insight to help complex organizations become secure, vigilant, and resilient
– 1000 cyber risk management projects in the US alone in 2014, executed cross industry
– 11,000 risk management and security professionals globally across the Deloitte Touche Tohmatsu Limited network of member firms

Deloitte has provided IT audit services for the past 30 years and IT audit training to the profession for more than 15 years. Our professionals bring uncommon insights and a differentiated approach to IT auditing, and we are committed to remaining an industry leader. We have distinct advantages through:
– Access to a global team of IA professionals, including IT subject matter specialists in a variety of technologies and risk areas
– A responsive team of cyber risk specialists with wide-ranging capabilities virtually anywhere in the world, prepared to advise as circumstances arise or as business needs change
– A differentiated IT IA approach that has been honed over the years in some of the most demanding environments in the world, with tools and methodologies that help accelerate IT audit
– Access to leading practices and the latest IT thought leadership on audit trends and issues

Contributing to the betterment of cyber risk management practices
– Assisted the National Institute of Standards and Technology in developing their cybersecurity framework in response to the 2013 Executive Order for Improving Critical Infrastructure Cybersecurity
– Third-party observer of the Quantum Dawn 2 Cyber Attack Simulation, conducted by the Securities Industry and Financial Markets Association in July 2013
– Working with government agencies on advanced threat solutions

Named as a Kennedy Vanguard Leader in cyber security consulting: "[Deloitte] continually develops, tests, and launches methodologies that reflect a deep understanding of clients' cyber security and help the firm set the bar." Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting 2013; Kennedy Consulting Research & Advisory estimates. 2013 Kennedy Information, LLC. Reproduced under license.

"Deloitte's ability to execute rated the highest of all the participants." Forrester Research, "Forrester Wave(TM): Information Security Consulting Services Q1 2013", Ed Ferrara and Andrew Rose, February 1, 2013.

Contacts

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright 2015 Deloitte Development LLC. All rights reserved. 36 USC 220506. Member of Deloitte Touche Tohmatsu Limited.
