Redefine Cybersecurity, Explore Innovative Strategies and Develop Trust
Jointly Organized By :
Creating Value through Innovative IT Auditing
Ronnie Koh
Head of IT Audit, DBS Bank
How do we create value?
• By Increasing both Breadth and Depth in our Audit Coverage for Digital Bank & Cyber Security
• By Investing in Our People – Creating a Value-Driven Talent Pool
• By Embarking on Automation & Predictive IT Auditing
Why do we need to innovate?
Drivers shown on the slide diagram, centred on the need to adapt to a changing environment and uncertainties:
• Cyber Threats
• New Technology
• Growing Expectations
• Competent Risk Managers
• Regulatory Changes
• Insider Threats
• New Competitors
• Expectations from Board of Directors
Why do we need to innovate?
Audit effort plotted over time (Past, Present, Future) and on a Reactive to Proactive scale:
• Traditional Auditing
• Continuous Auditing
• Predictive Auditing
Increase focus on proactive & preventive risk identification – “SHIFT LEFT”
How did we transform? The 4Ps
Proactive
• Special Review (Project Life Cycle) of VA/PT Process
Preventive
• Independent Security Assessment
• Source Code Review
Predictive
• Data Modelling for Predictive Analysis (e.g. Identify Insider Threats)
• Cyber Intelligence
• Early IT incident intervention
Productive
• Continuous Assessment (Automated Checks)
Where were we and where are we now?
Before 2013
• Pockets of cyber security review (mainly security surveillance)
Between 2013 & 2014
1. Perform preliminary gap assessment referencing SANS Top 20 Controls
2. Create IT Audit training roadmap
Between 2014 & 2015
1. Commence iTransformation
2. Kick-start staff training
3. Set up cyber security test lab
4. Establish cyber security audit framework
5. Roll out cyber security audit projects
6. Create cyber security awareness in Group Audit
Between 2015 & 2016
1. iTransformation continuation
2. Continuous staff training
3. Enhance cyber security test lab
4. More in-depth cyber security audit projects
5. Introduce static & dynamic scanning tools
2016 Onwards
1. Insider threat analysis
2. Cyber wargaming
3. Cyber security intelligence
4. Extend cyber security lab to regional countries
Breadth & Depth – Our Framework
Cyber Security Framework
• Policies & Procedures
• Contract Agreement
• Security Controls and Surveillance
• Security Awareness
• VA/PT Vulnerabilities Review
• Key Mgmt (SSL/HSM)
• Dynamic & Static Security Assessment for Web / Mobile Apps
• High Level Dynamic Assessment for Web / Mobile Apps
• Network Vulnerability Assessment
• Social Engineering
• Secure SDLC Review
• In-depth Security Source Code Assessment
• Cyber Security Focus on Subsidiaries
Legend (colour-coded on the original slide): Existing Cyber Security Coverage; New Cyber Security Coverage
Breadth & Depth – Equipping Our People
Group Audit iTransformation
Business Auditor
1. Business Governance
2. Business process and operation
3. Testing manual and automated control
IT Auditor (Application)
1. IT Governance
2. In-depth review of automated control, i.e. design and implementation
3. IT General Controls (e.g. app resiliency, capacity management)
4. System Security
More efficient & business-focused audit through reviewing business risk & processes from end-to-end, covering both manual and automated controls!
Breadth & Depth – Equipping Our People
Group Audit iTransformation
NextGen IT Auditor
• System Management & Cyber Security (e.g. Cryptography, Source Code Review, Penetration Testing and Vulnerability Assessment)
Integrated Auditor
• System set-up controls (e.g. Parameter setup)
• Application Security (e.g. Audit trails)
• Input Controls – Pre-processing (e.g. Input validation)
• Processing Controls (e.g. Business Logic)
• Output Controls – Books, records & reports (e.g. output storage & retention)
Breadth & Depth – Equipping Our People
External / Internal Training
1. Cyber Security Test Lab Development
2. Secure Source Code Scanning
Enhance cyber security review capability in GA IT Audit…
Targeted training referencing the IT Audit Training Roadmap
Breadth & Depth – Equipping Our People
Future Initiatives
1. OJT Hands-on Security Assessment (VAPT)
2. Digital Banking Coverage Training
3. Extension of Cyber Lab to regional countries
4. Source Code Review Training
5. Analytical-Based Auditing Approach to Review
6. Incorporate Cyber Intelligence for Predictive Capability
Breadth & Depth – Investing in Tools
Cyber Security Tools Training / Practice
• Cyber Security Test Lab
• SANS Security Training (or equivalent; learning how to use the tools)
• Code Scanning Tool Training
• On-the-Job (OJT) training in using these tools in cyber security reviews:
  • Security Operations
  • VA/PT process
  • Independent Assessment
Test lab layers shown on the slide diagram: Operating Environment; Security Testing Tools; HP WebInspect
Creating Cyber Security Awareness
Categories tracked: App/Software Vulnerabilities, Web Vulnerabilities, Credit Card Hacking, Data Breach, Mobile Hacking, Phishing Attack
Cyber security news items shared between May 2015 and August 2015 (the slide timeline's month markers are not recoverable here):
• Rombertik Malware
• Mumblehard Linux Malware
• Venom Vulnerability
• Apple Safari Browser Vulnerability
• LogJam SSL Attack
• iOS Messaging Vulnerability
• Skype Crash Vulnerability
• Magento Hacking
• SingPass Phishing Emails
• Apple Pay Hacking
• Whatsapp Account Hijack
• iPhone Password Hacking
• Samsung Mobile Software Vulnerability
• OpenSSL Vulnerability
• IE Browser Zero-Day Vulnerability
• Vehicle Hacking
• OpenSSH Brute Force
• ATM Skimming
• Java Zero-Day Vulnerability
• UEFI BIOS Rootkit Hacking
• US Census Bureau Hacking
• United Airlines Hacking
• Mac OS Zero-Day Vulnerability
• Windows Update Malware
• Certifi-Gate Android Vulnerability
• Android Endless Reboot Bug
• Credit Card Skimming
• Elise Malware
Top three categories over the period: #1 App/Software Vulnerabilities, #2 Mobile Hacking, #3 Data Breach
Creating Cyber Security Awareness
Group Audit values the promotion of cybersecurity awareness on a periodic basis
Creating Value through Innovation
Watch Video
https://www.youtube.com/watch?v=tzm4nlPkBZY&feature=youtu.be