Assessing IT Risks
October 18, 2013
Sarah Keller-Weir
Director of Technology Services, Clark Schaefer Consulting
Agenda
• In the News
• Definition of Risk
• Inherent vs. Residual Risk
• Controlling IT Risks
• IT Governance and Internal Audit
• Risk Analysis
• Scoring and Ranking Risks
• Risk Mitigation Strategies
• Types of IT Controls
• Importance of IT Controls
• IT Control Frameworks and Standards
• Reporting on IT Controls
Sarah Keller-Weir, CISA
As the Technology service line Director at Clark Schaefer Consulting, Sarah Keller-Weir provides the Firm with extensive experience and knowledge regarding information security, IT audit, and other technology and control related services.
Sarah’s work in security operations has resulted in a proven track record of success in identifying system control weaknesses, protecting information assets, and leading clients to successful organizational changes.
She is well versed in internal controls and has successfully served in a variety of roles including consulting, risk management, and internal audit. Sarah is a Certified Information Systems Auditor and an active member of the Cincinnati chapters of ISACA and the Institute of Internal Auditors.
In The News
September 2013: LexisNexis, Dun & Bradstreet, Kroll hacked – USA Today
August 2013: 4 million patient records exposed due to theft of four unencrypted desktop computers from Chicago physicians group – PrivacyRights.org
July 2013: Social Security numbers, credit card and bank accounts exposed for 2.5 million Californians – Associated Press
May 2013: Chinese hackers who breached Google gained access to sensitive data – Washington Post
November 2012: Nationwide Insurance computer network was breached by hackers who stole names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation, and employer information, affecting up to 1 million customers – PrivacyRights.org
October 2012: 3.6 million Social Security numbers hacked in S.C. – Thestate.com
August 2012: Dropbox gets hacked ... Again – Zdnet.com
March 2012: Global Payments discovered that up to 7 million credit card numbers may have been exposed due to unauthorized access to servers; resulted in fees of $94 million as well as $60 million spent on security repairs and upgrades ($20 million was recuperated from insurance recoveries) – PrivacyRights.org
Verizon 2013 Data Breach Investigations Report
• Analysis of 47,000+ reported security incidents and 621 confirmed data breaches that occurred in 2012
• 69% of breaches were spotted by an external party
– 9% were spotted by customers
• 66% of the breaches in the 2013 report took months or even years to discover
• 75% of attacks were opportunistic – not targeted at a specific individual or company
• 86% of attacks did not involve employees or other insiders
Definition of “Risk”
• Risk is the uncertainty of an event occurring that could have an impact on the achievement of an organization’s objectives.
• Risk always has a source (internal or external) and is measured in terms of impact and likelihood.
• A “risk assessment” should identify sources of risk and then determine the individual impact and likelihood of each risk to the organization.
IT Risk is Increasing
• Denial of service
• Information disclosure and privacy breach
• Data destruction and manipulation
• Malicious insiders and malicious code
– Attackers don’t discriminate on location, size, or industry
• Increased sophistication of users
• Growth in Internet connectivity and the abundance of available information
– “BYOD”: Bring Your Own Device
“Inherent” versus “Residual” Risk
• Inherent risk – Measured by assessing the consequence and likelihood of a risk occurring before controls are applied.
• Residual risk – The remaining risk after controls have mitigated the inherent risk.
• A risk assessment should target risks based upon “inherent” risk, not “residual” risk.
– Why? Controls should be considered, but remember that at times controls may be ineffective in mitigating risk.
[Figure: Inherent vs. Residual Risk – bar chart of three risks (Risk 1, Risk 2, Risk 3) showing the inherent risk of each reduced to its residual risk by controls]
Foundation of Controlling IT Risks
• Establish IT Governance
• Perform IT Risk Assessment
• Assign identified risks a value and review for IT weaknesses
• Establish Risk and Control Matrix
• Install control processes based on IT Risk Assessment
IT Governance
• Enhances the relationship between the business and IT.
• Provides visibility into IT management’s ability to achieve its objectives.
• Manages risks and identifies continuous improvement opportunities for business and IT outcomes.
• Improves the adaptability of IT to changing business and IT environments.
IT Governance and Internal Audit
• Leadership
– Evaluate the relationship between IT objectives and the organization’s current/strategic needs.
• Organization structures
– Review how the business and IT personnel are communicating current / future needs through the organizational structure.
• IT processes
– Evaluate IT process activities and controls in place to manage the needs of the business
• Risk management
– Review the IT activity's processes to identify, assess, and monitor/mitigate risks within the IT environment.
• Control activities
– Assess the IT-defined key control activities to manage its business and the support of the overall organization.
Analyzing Risks
• IT controls are selected and implemented on the basis of the risks they are designed to manage.
• Each control implementation has a cost that may not be justified in terms of its effectiveness to contain the targeted risk.
• Each control environment is unique and it is up to the Chief Audit Executive to set the risk thresholds that are appropriate for the organization.
Executive Level Risk Analysis
• Inventory key IT systems and processes
– Which IT assets are at risk, and what is the value of their confidentiality, integrity, and availability?
• Identify potential risks
– What could happen to adversely affect that information’s asset value (threat event)?
• Determine impact of threat event
– If a threat event happened, how bad could its impact be?
• Determine likelihood of threat event
– What is the probability of a threat event?
– How often might the event be expected to occur?
Executive Level Risk Analysis, cont.
• Classify identified risks
– Confidentiality, integrity, availability, reliability,
compliance, effectiveness, efficiency
• Categorize identified risks
– Compliance, financial, operational, reputation, fraud
• Determine overall risk ranking
• Identify what can be done to reduce the risk
– How much will it cost? Is it cost-efficient?
Performing IT Risk Analysis
• Do IT policies — including IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Is the control designed effectively?
• Is the control operating effectively?
• Does the control achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
Performing IT Risk Analysis, cont.
• Do the controls provide evidence when control parameters are exceeded or when controls fail?
• How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (e.g., through an audit trail)?
• Are the IT infrastructure equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
Performing IT Risk Analysis, cont.
• Are controls in place to protect the operating environment and data from viruses and other malicious software?
• Are firewall-related controls implemented?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Have the risks of outsourced services been taken into consideration?
Scoring Risks
Likelihood & Impact
Ranking          Score  Frequency of Risk              Nature of Impact
Very Low         VL     Could occur every 20+ years    Would have slight impact
Low              L      Could occur every 10-20 years  Would have little impact
Moderately Low   ML     Could occur every 4-9 years    Would have some impact
Moderate         M      Could occur every 1-3 years    Would have significant impact
Moderately High  MH     Could occur quarterly          Would have substantial impact
High             H      Could occur monthly            Would have material impact
Very High        VH     Could occur weekly             Would have detrimental impact

Controls – Self Assessed
Ranking              Score  Control Description
Effective            E      No weaknesses have been detected
Partially Effective  P      Occasional lapse in controls detected
Ineffective          I      No controls are in place for this risk
Ranking Risks
[Figure: 2×2 ranking matrix with Likelihood on the vertical axis and Impact on the horizontal axis; the four quadrants are High Impact / Low Likelihood, High Impact / High Likelihood, Low Impact / Low Likelihood, and Low Impact / High Likelihood]
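The scoring and ranking tables above, together with the earlier inherent-versus-residual distinction, can be turned into a small risk register calculation. The following is an added example written for this page, not code from the presentation or from Clark Schaefer Consulting; the numeric weights for the VL..VH scale, the reduction factors for the E/P/I control ratings, the quadrant threshold and the sample risks are all assumptions made for the illustration.

```python
"""Risk register scoring and ranking (added example; not from the presentation).

Encodes the Likelihood/Impact scale (VL..VH) and the self-assessed control
scale (E/P/I) from the scoring tables, computes inherent risk (before
controls) and residual risk (after controls), and places each risk in the
impact/likelihood quadrant used for ranking. The numeric weights, the
reduction factors for control effectiveness, the quadrant threshold and
the sample risks are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Ordinal weights for the seven-step scale in the slides (assumption: 1..7).
SCALE = {"VL": 1, "L": 2, "ML": 3, "M": 4, "MH": 5, "H": 6, "VH": 7}

# Fraction of inherent likelihood that remains after controls (assumption).
# "Ineffective" means no control is in place, so nothing is removed.
CONTROL_FACTOR = {"E": 0.25, "P": 0.6, "I": 1.0}


@dataclass
class Risk:
    name: str
    likelihood: str  # VL, L, ML, M, MH, H, VH
    impact: str      # VL, L, ML, M, MH, H, VH
    control: str     # E, P or I (self-assessed control effectiveness)

    def inherent(self) -> int:
        """Inherent risk: likelihood x impact before any control is considered."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual(self) -> float:
        """Residual risk: controls are modelled as reducing likelihood only;
        the impact of the event, should it still occur, is unchanged."""
        return SCALE[self.likelihood] * CONTROL_FACTOR[self.control] * SCALE[self.impact]

    def quadrant(self, threshold: int = 4) -> str:
        """Place the risk in the 2x2 ranking matrix (M and above counts as High)."""
        hi_l = SCALE[self.likelihood] >= threshold
        hi_i = SCALE[self.impact] >= threshold
        return f"{'High' if hi_i else 'Low'} Impact / {'High' if hi_l else 'Low'} Likelihood"


def rank(risks):
    """Order the register on inherent risk (the slides' recommendation), using
    residual risk only to break ties, so a risk whose control is merely
    self-assessed as effective is not pushed out of scope."""
    return sorted(risks, key=lambda r: (r.inherent(), r.residual()), reverse=True)


def control_gaps(risks):
    """Risks with no control in place at all: residual equals inherent."""
    return [r.name for r in risks if r.control == "I"]


# Constructed sample register for illustration.
SAMPLE = [
    Risk("Unencrypted laptops lost or stolen", "MH", "H", "I"),
    Risk("Ransomware on file servers", "M", "VH", "P"),
    Risk("Password guessing against remote access", "VH", "M", "E"),
    Risk("Flooding of the data center", "VL", "VH", "E"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f"{r.inherent():>3} -> {r.residual():6.2f}  {r.quadrant():<32} {r.name}")
    print("no control in place:", control_gaps(SAMPLE))
```

Ranking on inherent rather than residual risk is deliberate: the stolen-laptop risk stays at the top of the register because its control rating is "Ineffective", while the remote-access risk, whose inherent score ties with ransomware, only drops below it on the residual tiebreaker. Treating the control factor as reducing likelihood but not impact is the usual simplification; a control that actually limits impact (encryption on the laptops) would need a second factor.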
Risk Mitigation Strategies
• Accept the risk
– What is your organization’s risk appetite?
– What is the impact/likelihood associated with the risk?
• Eliminate the risk
– Is the risk associated with a specific technology that can be replaced?
• Share the risk
– Can the risk be shared with an outsourced IT service provider?
– Can the risk be transferred to an insurance company?
• Control/mitigate the risk
– Can controls be implemented to effectively mitigate the risk?
Types of IT Controls
• IT General Controls – Apply to all system components, processes, and data
• Application Controls
– Input: Control the entry of data into a system
• Input checks to verify authorization of data
• Segregation of duties enforced by the application security structure
– Processing: Safeguard the processing of data within the application
• Validation checks to ensure accurate and complete data
• Comparison of control totals calculated during input with total transactions processed
– Output: Concerned with the data as it exits the application
• Controls over reporting or file distribution to safeguard confidentiality/privacy of data
• Error handling
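The input, processing and output controls listed above are easier to see in code. The following is an added example written for this page, not code from the presentation: it walks a constructed batch of payment records through input checks (field format, authorized initiator, approval by a different person, which is how the application enforces segregation of duties), batch control totals captured at input and re-compared after processing, and an output control that masks account numbers on the distributed report. The record layout, the user lists, the sample batch and the faulty processing step are all assumptions for the illustration.

```python
"""Application controls over a batch of payment records (added example; not
from the presentation).

Input controls, processing controls (batch control totals) and an output
control for a constructed payment batch. The record layout, the user lists,
the sample batch and the faulty processing step are assumptions.
"""
import re
from decimal import Decimal, InvalidOperation

# Assumed application security structure: initiators and approvers are
# separate roles, which is how the application enforces segregation of duties.
AUTHORIZED_INITIATORS = {"clerk01", "clerk02"}
AUTHORIZED_APPROVERS = {"supervisor01"}

ACCOUNT_RE = re.compile(r"^\d{10}$")


def validate_record(rec):
    """Input controls. Returns the list of reasons the record must be rejected."""
    errors = []
    if not ACCOUNT_RE.match(rec.get("account", "")):
        errors.append("account must be 10 digits")
    try:
        if Decimal(rec.get("amount", "")) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount is not a number")
    if rec.get("initiator") not in AUTHORIZED_INITIATORS:
        errors.append("initiator not authorized")
    if rec.get("approver") not in AUTHORIZED_APPROVERS:
        errors.append("approver not authorized")
    elif rec.get("approver") == rec.get("initiator"):
        errors.append("initiator cannot approve own record")
    return errors


def control_totals(records):
    """Batch control totals: record count, amount total and a hash total
    (arithmetic sum of account numbers, meaningless except for comparison)."""
    count = len(records)
    amount_total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    hash_total = sum(int(r["account"]) for r in records)
    return count, amount_total, hash_total


def process_batch(records, step):
    """Processing control: reject the batch on any input error, run `step`
    over it, and accept the result only if the control totals still match
    those captured at input."""
    rejected = {}
    for r in records:
        errs = validate_record(r)
        if errs:
            rejected[r["id"]] = errs
    if rejected:
        raise ValueError(f"input control failed: {rejected}")
    expected = control_totals(records)
    processed = step(records)
    actual = control_totals(processed)
    if actual != expected:
        raise ValueError(f"control totals differ: input {expected}, processed {actual}")
    return processed


def batch_passes(records, step):
    """True if the batch clears both the input and the processing controls."""
    try:
        process_batch(records, step)
        return True
    except ValueError:
        return False


def output_report(records):
    """Output control: account numbers are masked on the distributed report."""
    return [f"{r['id']} ******{r['account'][-4:]} {Decimal(r['amount']):.2f}" for r in records]


def post_all(records):
    """A correct processing step: every record is posted and passed through."""
    return [dict(r, posted=True) for r in records]


def drop_last(records):
    """A faulty processing step that silently loses a record; the totals catch it."""
    return [dict(r, posted=True) for r in records[:-1]]


# Constructed sample batch.
BATCH = [
    {"id": "P1", "account": "1234567890", "amount": "100.50", "initiator": "clerk01", "approver": "supervisor01"},
    {"id": "P2", "account": "2345678901", "amount": "250.00", "initiator": "clerk02", "approver": "supervisor01"},
    {"id": "P3", "account": "3456789012", "amount": "19.99", "initiator": "clerk01", "approver": "supervisor01"},
]
```

The three totals catch different failures: a dropped or duplicated record changes the count, a truncated amount changes the amount total, and a record whose account number was altered in flight changes the hash total even when count and amount are untouched. The output control is applied to the report, not the stored data, which is the point of distinguishing output controls from access controls on the database.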
Types of IT Controls, cont.
• Preventive, Detective, Corrective Controls
– Handle errors, omissions, and security incidents through prevention, detection, and corrective actions
• Governance Controls
– Oversight of IT function
• Management Controls
– Controls established by management to address identified risks
• Technical Controls
– Specific to technologies in use at organization
Importance of IT Controls
• IT Management and Governance
– Policies and procedures
– IT risk assessment
– Business and IT alignment and communication
– Service provider oversight
• Logical and Administrative Access
– User and administrator access provisioning
– Network, application, database, firewall, remote access
• Segregation of Duties (SOD)
– SOD across and within different groups
• Physical and Environmental Controls
– Data center and equipment access
– Environmental controls
Importance of IT Controls, cont.
• Systems Acquisition and Maintenance
– Acquisition and retirement of systems
– Patch management and updates
– Software licensing
• Systems Development and Change Management
– Development, testing, and deployment
– Change control
– Configuration management
• Operations and Monitoring
– Event logging
– Virus protection
• Disaster Recovery
– System backups or replication
– Disaster recovery planning and testing
Structure of IT Auditing
IT Control Frameworks and Standards
• COBIT: Control Objectives for Information and Related Technology
– Framework created by ISACA for IT management and governance
• ITIL: Information Technology Infrastructure Library
– Best practices for IT service management
• ISO 27001/27002
– International standards: requirements for an information security management system (27001) and a code of practice for information security controls (27002)
• NIST SP 800-53: National Institute of Standards and Technology Special Publication 800-53
– Security and privacy controls for federal information systems
• PCI DSS: Payment Card Industry Data Security Standard
– IT security requirements for companies that process, store, or transmit credit card information
Reporting on IT Controls
• Internal Review
– Chief Audit Executive communicates results of IT audit to the CIO, external auditors, or regulators
– IT Risk Assessment is updated at least annually
– If IT is outsourced, obtain third party report (e.g., SSAE16 report) to determine design and operating effectiveness of controls at service provider
• External Review
– Comprehensive report is provided of the IT controls tested and weaknesses identified with recommendations for remediation.
• Examples: IT Audit Report, SSAE16 Report, Report on Compliance (PCI), Report of Examination (banking)
Conclusion
• Managing the risks associated with IT is an ongoing challenge
• IT systems are at risk from malicious actions, inadvertent user errors, and natural disasters
• Information is an asset and must be protected to ensure its confidentiality, integrity, and availability
• To reduce risk and protect information and systems, management must understand the IT risks within the environment
• Management must periodically assess IT governance and risks through a comprehensive risk analysis process
Questions?
For More Information
If you wish to discuss any aspects of this presentation in
more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
One East Fourth Street, Suite 1200
Cincinnati, OH 45202
(513) 768-7100
www.clarkschaefer.com
Or send an e-mail directly to Sarah at: