Assessing IT Risks
October 18, 2013
Sarah Keller-Weir
Clark Schaefer Consulting
Director of Technology Services

Assessing IT Risks - Clark Schaefer Consultingclarkschaefer.com/.../01/NKU-Security-Symposium-Assessing-IT-Risks.pdf•Are the IT infrastructure equipment and tools logically and



Page 2

Agenda

• In the News

• Definition of Risk

• Inherent vs. Residual Risk

• Controlling IT Risks

• IT Governance and Internal Audit

• Risk Analysis

• Scoring and Ranking Risks

• Risk Mitigation Strategies

• Types of IT Controls

• Importance of IT Controls

• IT Control Frameworks and Standards

• Reporting on IT Controls


Page 3

Sarah Keller-Weir, CISA

As the Technology service line Director at Clark Schaefer Consulting, Sarah Keller-Weir provides the Firm with extensive experience and knowledge regarding information security, IT audit, and other technology and control related services.

Sarah’s work in security operations has resulted in a proven track record of success in identifying system control weaknesses, protecting information assets, and leading clients to successful organizational changes.

She is well versed in internal controls and has successfully served in a variety of roles including consulting, risk management, and internal audit. Sarah is a Certified Information Systems Auditor and an active member of the Cincinnati chapters of ISACA and the Institute of Internal Auditors.


Page 4

In The News

September 2013: LexisNexis, Dun & Bradstreet, Kroll hacked – USA Today

August 2013: 4 million patient records exposed due to theft of four unencrypted desktop computers from Chicago physicians group – PrivacyRights.org

July 2013: Social Security numbers, credit card and bank accounts exposed for 2.5 million Californians – Associated Press

May 2013: Chinese hackers who breached Google gained access to sensitive data – Washington Post

November 2012: Nationwide Insurance computer network was breached by hackers who stole names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation, and employer information, affecting up to 1 million customers – PrivacyRights.org

October 2012: 3.6 million Social Security numbers hacked in S.C. – Thestate.com

August 2012: Dropbox gets hacked ... Again – Zdnet.com

March 2012: Global Payments discovered that up to 7 million credit card numbers may have been exposed due to unauthorized access to servers; resulted in fees of $94 million as well as $60 million spent on security repairs and upgrades ($20 million was recovered through insurance) – PrivacyRights.org

Page 5

Verizon 2013 Data Breach Report

• Analysis of 47,000+ reported security incidents and 621 confirmed data breaches that occurred in 2012

• 69% of breaches were spotted by an external party

– 9% were spotted by customers

• 66% of the breaches in the 2013 report took months or even years to discover

• 75% of attacks are opportunistic, not targeted at a specific individual or company

• 86% of attacks do not involve employees or other insiders

Page 6

Definition of “Risk”

• Risk is the uncertainty of an event occurring that could have an impact on the achievement of an organization’s objectives.

• Risk always has a source (internal or external) and is measured in terms of impact and likelihood.

• A “risk assessment” should identify sources of risks and then determine the individual impact and likelihood of these risks to the organization.

Page 7

IT Risk is Increasing

• Denial of service

• Information disclosure and privacy breach

• Data destruction and manipulation

• Malicious insiders and malicious code

– Attackers don’t discriminate on location, size, or industry

• Increased sophistication of users

• Growth in Internet connectivity and the abundance of available information

– “BYOD”: Bring Your Own Device

Page 8

“Inherent” versus “Residual” Risk

• Inherent risk – Measured by assessing the consequence and likelihood of a risk occurring before controls are applied.

• Residual risk – The remaining risk after controls have mitigated the inherent risk.

• A risk assessment should target risks based upon “inherent” risk, not “residual” risk.

– Why? Controls should be considered, but remember that at times controls may be ineffective in mitigating risk. Ranking on residual risk lets an untested or failed control hide a high-impact risk from the assessment.

Page 9

Inherent vs. Residual Risk

[Figure: bar chart of Risk 1, Risk 2 and Risk 3. Each bar starts at its inherent risk level and is reduced by controls to its residual risk level.]

Page 10

Foundation of Controlling IT Risks

• Establish IT Governance

• Perform IT Risk Assessment

• Assign identified risks a value and review for IT weaknesses

• Establish Risk and Control Matrix

• Install control processes based on IT Risk Assessment

Page 11

IT Governance

• Enhances the relationship between the business and IT.

• Gives visibility into IT management’s ability to achieve its objectives.

• Provides management of risks and identification of continuous improvement opportunities for business and IT outcomes.

• Improves the adaptability of IT to changing business and IT environments.

Page 12

IT Governance and Internal Audit

• Leadership

– Evaluate the relationship between IT objectives and the organization’s current/strategic needs.

• Organization structures

– Review how the business and IT personnel are communicating current / future needs through the organizational structure.

• IT processes

– Evaluate IT process activities and controls in place to manage the needs of the business.

• Risk management

– Review the IT activity's processes to identify, assess, and monitor/mitigate risks within the IT environment.

• Control activities

– Assess the IT-defined key control activities to manage its business and the support of the overall organization.


Page 13

Analyzing Risks

• IT controls are selected and implemented on the basis of the risks they are designed to manage.

• Each control implementation has a cost that may not be justified in terms of its effectiveness to contain the targeted risk.

• Each control environment is unique and it is up to the Chief Audit Executive to set the risk thresholds that are appropriate for the organization.

Page 14

Executive Level Risk Analysis

• Inventory key IT systems and processes

– Which IT assets are at risk, and what is the value of their confidentiality, integrity, and availability?

• Identify potential risks

– What could happen to adversely affect that information’s asset value (threat event)?

• Determine impact of threat event

– If a threat event happened, how bad could its impact be?

• Determine likelihood of threat event

– What is the probability of a threat event?

– How often might the event be expected to occur?

Page 15

Executive Level Risk Analysis, cont.

• Classify identified risks

– Confidentiality, integrity, availability, reliability, compliance, effectiveness, efficiency

• Categorize identified risks

– Compliance, financial, operational, reputation, fraud

• Determine overall risk ranking

• Identify what can be done to reduce the risk

– How much will it cost? Is it cost-efficient?

Page 16

Performing IT Risk Analysis

• Do IT policies — including IT controls — exist?

• Have responsibilities for IT and IT controls been defined, assigned, and accepted?

• Is the control designed effectively?

• Is the control operating effectively?

• Does the control achieve the desired result?

• Is the mix of preventive, detective, and corrective controls effective?


Page 17

Performing IT Risk Analysis, cont.

• Do the controls provide evidence when control parameters are exceeded or when controls fail?

• How is management alerted to failures, and which steps are expected to be taken?

• Is evidence retained (e.g., through an audit trail)?

• Are the IT infrastructure equipment and tools logically and physically secured?

• Are access and authentication control mechanisms used?

Page 18

Performing IT Risk Analysis, cont.

• Are controls in place to protect the operating environment and data from viruses and other malicious software?

• Are firewall-related controls implemented?

• Are change and configuration management and quality assurance processes in place?

• Are structured monitoring and service measurement processes in place?

• Have the risks of outsourced services been taken into consideration?


Page 19

Scoring Risks

Likelihood & Impact

Ranking          Score  Frequency of Risk              Nature of Impact
Very Low         VL     Could Occur Every 20+ Years    Would Have Slight Impact
Low              L      Could Occur Every 10-20 Years  Would Have Little Impact
Moderately Low   ML     Could Occur Every 4-9 Years    Would Have Some Impact
Moderate         M      Could Occur Every 1-3 Years    Would Have Significant Impact
Moderately High  MH     Could Occur Quarterly          Would Have Substantial Impact
High             H      Could Occur Monthly            Would Have Material Impact
Very High        VH     Could Occur Weekly             Would Have Detrimental Impact

Controls – Self Assessed

Ranking              Score  Control Description
Effective            E      No weaknesses have been detected
Partially Effective  P      Occasional lapse in controls detected
Ineffective          I      No controls are in place for this risk

Page 20

Ranking Risks

[Figure: 2x2 ranking grid with Likelihood on the vertical axis and Impact on the horizontal axis. Quadrants: High Impact / Low Likelihood (top left), High Impact / High Likelihood (top right), Low Impact / Low Likelihood (bottom left), Low Impact / High Likelihood (bottom right).]
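The scoring and ranking slides give the scales but not how a risk register is actually scored with them. The following is an added example, not code from the original deck, of a small risk and control matrix in Python: each risk is scored on the seven-point likelihood and impact scales, the self-assessed control rating (E/P/I) discounts the inherent score to a residual score, the register is ranked on inherent risk as the deck recommends, and each risk is placed in the 2x2 grid. The numeric weights per rank, the control discount factors, the residual threshold and the sample register are assumptions, not values from the slides.

```python
"""Risk and control matrix built on the deck's likelihood/impact and
control-effectiveness scales.  Added example: the weights, discount
factors, threshold and sample register are assumptions."""

from dataclasses import dataclass

# Seven-point scale from the "Scoring Risks" slide, weighted 1 (VL) to 7 (VH).
# The weights are an assumption; the slide only names the ranks.
RANK = {"VL": 1, "L": 2, "ML": 3, "M": 4, "MH": 5, "H": 6, "VH": 7}

# Self-assessed control rating -> fraction of inherent risk that remains.
# E = effective, P = partially effective, I = ineffective (assumed factors).
CONTROL_FACTOR = {"E": 0.25, "P": 0.6, "I": 1.0}


@dataclass
class Risk:
    name: str
    likelihood: str  # VL..VH
    impact: str      # VL..VH
    control: str     # E, P or I

    def inherent(self) -> int:
        """Inherent score: likelihood x impact before controls (1..49)."""
        return RANK[self.likelihood] * RANK[self.impact]

    def residual(self) -> float:
        """Residual score: inherent score discounted by control effectiveness."""
        return round(self.inherent() * CONTROL_FACTOR[self.control], 1)

    def quadrant(self) -> str:
        """Place the risk in the 2x2 'Ranking Risks' grid on inherent
        likelihood/impact.  Moderate (M) and above counts as High."""
        hi_l = RANK[self.likelihood] >= RANK["M"]
        hi_i = RANK[self.impact] >= RANK["M"]
        return f"{'High' if hi_i else 'Low'} Impact / {'High' if hi_l else 'Low'} Likelihood"


def rank_risks(risks):
    """Rank on inherent score (the deck says target inherent, not residual,
    risk); ties are broken so the higher-impact risk comes first."""
    return sorted(risks, key=lambda r: (r.inherent(), RANK[r.impact]), reverse=True)


def control_gaps(risks, threshold=16):
    """Risks whose residual score still exceeds the threshold: candidates
    for the mitigation strategies (accept, eliminate, share, control).
    The threshold is an assumption."""
    return [r.name for r in risks if r.residual() > threshold]


# Constructed sample register; not taken from the deck.
REGISTER = [
    Risk("Unencrypted laptops with patient data", "MH", "H", "I"),
    Risk("Ransomware on file server", "H", "MH", "P"),
    Risk("Data center flood", "VL", "VH", "E"),
    Risk("Phishing credential theft", "VH", "M", "P"),
    Risk("Printer firmware out of date", "M", "VL", "I"),
]

if __name__ == "__main__":
    print("inh  resid  quadrant                          risk")
    for r in rank_risks(REGISTER):
        print(f"{r.inherent():>3} {r.residual():>6}  {r.quadrant():<32}  {r.name}")
    print("Residual above threshold:", control_gaps(REGISTER))
```

Two points the run makes visible: the laptop theft and the ransomware risk tie on inherent score but only the uncontrolled one stays at the top after controls, and the flood sits in the high-impact / low-likelihood quadrant even though its score is small, which is why the grid is kept alongside the numeric ranking.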

Page 21

Risk Mitigation Strategies

• Accept the risk

– What is your organization’s risk appetite?

– What is the impact/likelihood associated with the risk?

• Eliminate the risk

– Is the risk associated with a specific technology that can be replaced?

• Share the risk

– Can the risk be shared with an outsourced IT service provider?

– Can the risk be transferred to an insurance company?

• Control/mitigate the risk

– Can controls be implemented to effectively mitigate the risk?


Page 22

Types of IT Controls

• IT General Controls – Apply to all systems components, processes, and data

• Application Controls

– Input: Control the entry of data into a system

• Input checks to verify authorization of data

• Segregation of duties enforced by the application security structure

– Processing: Safeguard the processing of data within the application

• Validating checks to ensure accurate and complete data

• Comparison of control totals calculated during input with total transactions

– Output: Concerned with the data as it exits the applications

• Controls over reporting or file distribution to safeguard confidentiality/privacy of data

• Error handling
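The input, processing and output application controls above, as an added example in Python (not code from the deck): an input check that rejects records from unauthorized submitters and records with malformed or non-positive amounts, control totals (record count, amount total and a hash total over the records) computed at input and compared again after processing so that a dropped or altered record is detected, and error handling that returns the rejected rows with a reason for the exception report. The payment record layout, the authorized submitter list and the sample batch are constructed for the example.

```python
"""Input, processing and output controls for a constructed payment batch.
Added example; the record format, submitter list and batch are assumptions."""

import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Input control: only these submitter ids may enter payment records (assumed list).
AUTHORIZED_SUBMITTERS = {"ap-clerk-1", "ap-clerk-2"}

# Constructed batch as it would arrive from the input screen.  Row 3 comes
# from an unauthorized submitter and row 4 has a non-numeric amount.
INPUT_BATCH = """batch_id,submitter,vendor_id,amount
B-1001,ap-clerk-1,V-17,1250.00
B-1001,ap-clerk-2,V-42,89.99
B-1001,intern-7,V-42,5000.00
B-1001,ap-clerk-1,V-03,abc
"""


def validate_input(batch_text):
    """Input control: reject unauthorized submitters and bad amounts.
    Returns (accepted records, rejected rows with a reason)."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(batch_text)):
        if row["submitter"] not in AUTHORIZED_SUBMITTERS:
            rejected.append((row, "submitter not authorized"))
            continue
        try:
            amount = Decimal(row["amount"])
        except InvalidOperation:
            rejected.append((row, "amount not numeric"))
            continue
        if amount <= 0:
            rejected.append((row, "amount must be positive"))
            continue
        accepted.append({"vendor_id": row["vendor_id"], "amount": amount})
    return accepted, rejected


def control_totals(records):
    """Processing control: record count, amount total and a hash total
    over (vendor_id, amount).  Computed at input and again after processing."""
    count = len(records)
    amount = sum(r["amount"] for r in records)
    h = hashlib.sha256()
    for r in records:
        h.update(f"{r['vendor_id']}:{r['amount']}\n".encode())
    return count, amount, h.hexdigest()


def process_batch(records, tamper=False):
    """Simulated processing step.  tamper=True alters one amount after
    input so the control-total comparison can be seen catching it."""
    out = [dict(r) for r in records]
    if tamper and out:
        out[0]["amount"] += Decimal("1000")
    return out


def reconcile(input_records, output_records):
    """Compare control totals calculated at input with totals after processing."""
    return control_totals(input_records) == control_totals(output_records)


def exception_report(rejected):
    """Output/error-handling control: one line per rejected row, carrying
    only the fields needed to follow up (no amounts on the report)."""
    return [f"{row['batch_id']} {row['submitter']} {row['vendor_id']}: {reason}"
            for row, reason in rejected]


if __name__ == "__main__":
    accepted, rejected = validate_input(INPUT_BATCH)
    print("accepted:", len(accepted), "rejected:", len(rejected))
    print("\n".join(exception_report(rejected)))
    print("clean run reconciles:", reconcile(accepted, process_batch(accepted)))
    print("tampered run reconciles:", reconcile(accepted, process_batch(accepted, tamper=True)))
```

The hash total matters because count and amount total alone miss a change that keeps the sum constant (amount moved from one vendor to another); hashing vendor and amount together catches that as well.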

Page 23

Types of IT Controls, cont.

• Preventive, Detective, Corrective Controls

– Handle errors, omissions, and security incidents through prevention, detection, and corrective actions

• Governance Controls

– Oversight of IT function

• Management Controls

– Controls established by management to address identified risks

• Technical Controls

– Specific to technologies in use at organization

Page 24

Importance of IT Controls

• IT Management and Governance

– Policies and procedures

– IT risk assessment

– Business and IT alignment and communication

– Service provider oversight

• Logical and Administrative Access

– User and administrator access provisioning

– Network, application, database, firewall, remote access

• Segregation of Duties (SOD)

– SOD across and within different groups

• Physical and Environmental Controls

– Data center and equipment access

– Environmental controls

Page 25

Importance of IT Controls, cont.

• Systems Acquisition and Maintenance

– Acquisition and retirement of systems

– Patch management and updates

– Software licensing

• Systems Development and Change Management

– Development, testing, and deployment

– Change control

– Configuration management

• Operations and Monitoring

– Event logging

– Virus protection

• Disaster Recovery

– System backups or replication

– Disaster recovery planning and testing

Page 26

Structure of IT Auditing

Page 27

IT Control Frameworks and Standards

• COBIT: Control Objectives for Information and Related Technology

– Framework created by ISACA for IT management and governance

• ITIL: Information Technology Infrastructure Library

– Best practices for IT service management

• ISO 27001/27002

– International standard for information security management systems (27001) and best-practice information security controls (27002)

• NIST SP 800-53: National Institute of Standards and Technology Special Publication

– Best practice IT security controls for federal information systems

• PCI DSS: Payment Card Industry Data Security Standard

– IT security requirements for companies that process, store, or transmit credit card information

Page 28

Reporting on IT Controls

• Internal Review

– Chief Audit Executive communicates results of IT audit to the CIO, external auditors, or regulators

– IT Risk Assessment is updated at least annually

– If IT is outsourced, obtain third party report (e.g., SSAE16 report) to determine design and operating effectiveness of controls at service provider

• External Review

– Comprehensive report is provided of the IT controls tested and weaknesses identified with recommendations for remediation.

• Examples: IT Audit Report, SSAE16 Report, Report on Compliance (PCI), Report of Examination (banking)


Page 29

Conclusion

• Managing risks associated with IT is an ongoing challenge

• IT systems are at risk from malicious actions, inadvertent user errors, and natural disasters

• Information is an asset and must be protected to ensure its confidentiality, integrity, and availability

• To reduce risk and protect information and systems, management must have an understanding of IT risks within the environment

• Management must periodically assess IT governance and risks through a comprehensive risk analysis process

Page 30

Questions?

Page 31

For More Information

If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:

Clark Schaefer Consulting, LLC.
One East Fourth Street, Suite 1200
Cincinnati, OH 45202
(513) 768-7100
www.clarkschaefer.com

Or send an e-mail directly to Sarah at:

[email protected]