FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Searching the Clues for IT Risks….


Introduction – Paul Rozek

• 17+ years with M&I Corporation • 9+ years with Jefferson Wells

Director – Tech. Risk Management Services• Member of IIA, ISACA, ISSA, HIPAA-

COW, Infragard, BRPA-SW• Masters Degree in Project Management


Jefferson Wells

• Headquartered in Milwaukee, WI• 10 year anniversary in 2006• 45 offices & over 2,500 employees• Subsidiary of Manpower International• Provide services in the areas of:

• Internal Controls• Technology Risk Management• Financial & Operational Management• Tax


Disclaimers / Ground Rules

The views and opinions expressed today do not necessarily reflect the position of Jefferson Wells International, Inc.

Any copyrights/trademarks belong to owners...

No recommendations of vendor products or services are intended. Such discussion is for illustrative purposes only. Each firm must assess its business, IT audit, and IT risk & control needs.


OR, Please Do Not Use These Tactics!!!


Session Overview

• What’s Happening With IT?• Why Worry About IT?• What Is IT Risk?• IT Risk Assessment Process - Examples• Future Trends and Considerations• Q&A


Appreciate The Past…

Herman Hollerith – 1890’sComputer Tabulating Recording Co.




Rear Adm. Grace M. HopperENIAC Team / COBOL – 1940/50



09/09/45 – Computer Debugging Is Born…



Thomas Watson Jr. - IBM



“Apple-A-Day”



Bill Gates – MS V.1.0 - 1985



Clifford Stoll



MOVIES:

“War Games”

“The ‘Net”

“Sneakers”

“Firewall”


Can You Guess the Hacker?


Contestant #1 – Hacker?










And the Answer Is….


What’s Happening With IT?

Technological and sourcing revolutions are changing how firms conduct business:

AlliancesInter-networkingOutsourcing“Menu Of Options”RegulationsAttacks


Financial Industry IT Challenges

1. Data Integrity & Quality

2. Data Security

3. Continuous Availability

4. Maximizing Performance


Why Worry About IT?

• Firms with 200,000+ attacks daily

• 2,500+ software security flaws yearly

• Numerous software patches

• Close to 100,000 known viruses (& hoaxes)

• 1,600+ default passwords


Why Worry About IT?

CSI/FBI Computer Crime & Security Highlights

• 85% Detected computer security breaches

• 70% Stated Internet is a frequent attack point

• 64% Acknowledged financial losses

• 36% Reported intrusions to law enforcement

• 35% Could quantify their financial losses


Justify Solutions Using F.U.D.?

Types of Costs Associated With A Breach:1. Hardware / Software replacement2. System / people downtime3. Consulting fees / Legal fees4. Information recovery5. Lost business / Reputation6. Incidentals (food, lodging, transportation)


Phishing – Any Bites???


Keystroke Logging Anyone?Check out: www.winwhatwhere.com or

www.keyghost.com

“before” “after”


Keystroke Logging Anyone?

or via keyboard…


Seen This Before?

Slide 31


1. Leave computers unattended

2. Use Post-it Notes or poor passwords

3. Open email attachments

4. Download software from the web

5. No change control for spreadsheets

6. Fail to take controls training seriously

End-User Errors Continue:


“Mini-Case Study”

“What’s

Wrong

With

This

Picture?”www.csoonline.com (March 2004)


Senate Bill 1386Where’s The Data???

Data is being disclosed way too easily!!!Tapes falling out of vehicles…Laptops stolen in airports…Laptops / PDAs left in taxicabs…Laptops with unencrypted hard drives…CD-ROMs left on airplanes…Email attachments / “Phishing”…


Risk/Compliance Challenge…


FERPA

HIPAA

GLBA

UETAE-SIGN

SOX

U.S.A.PATRIOT Act

DMCA

CAN-SPAM

CDC Select Agent

Program Bio-terrorism

Protection Act

TEACH

Copyright

BusinessProcesses

Anti-Terrorism

Research

Instruction

ElectronicRecords

HealthHuman

Subjects

Law EnforcementCopyright © 2004, University of Wisconsin Board of Regents

ECPACFAA

IT Security-Related Laws for Higher Ed.


Senate Bill #1386

(a.k.a. – The “You’ve Been Hacked” Act)California State Payroll system hacked in April 2002 – 250,000 SSN disclosed

Challenges:1. What is “personal information?”2. What constitutes a breach?3. How must individuals be notified?4. What new laws will appear? (NCSL)


Lots of Helpful Resources…


How Do You Define IT Risk?

Standards for the Professional Practice of Internal Auditing says risk is “the uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.”Remember – IT makes risk decisions everyday to support business success“IT risk” will become part of “ERM”


Financial Industry – “IT-RMP”

FIL-81-2005 released on August 18, 2005

“Information Technology Risk Management Program” (IT-RMP)

Rescinded IT-MERIT procedures & its work programs


IT-RMPFocuses on financial institution’s information security program and risk management practices for securing information assets. Such practices include:• Risk Assessments• Operations security and risk management• Audit and independent review• Disaster recovery and business continuity• Compliance with FDIC Rule Part 364,

Appendix B


IT Risk Assessment – Example

Step #1 – Identify information assetsStep #2 – Aggregate and prioritize assetsStep #3 – Identify risksStep #4 – Prioritize risksStep #5 – List and define risksStep #6 – Reference risksStep #7 – Recommend risk mitigation


IT Risk Assessment – Steps #1 & #2

Step #1 – Identify information assets

Step #2 – Aggregate and prioritize assets

1. Create IT asset lists – services, hardware,operating systems, applications, etc.

2. Assign relativity ratings – e.g., Critical, Essential, or Normal


IT Risk Assessment – Steps #3

1. Projects – “Failure to Deliver”2. Service Continuity – “Going Off-The-Air”3. Information Assets – “Protect & Preserve”4. Service Providers – “Breaks in Value Chain”5. Applications – “Flaky Systems”6. Infrastructure – “Shaky Foundations”7. Strategic – “Disabled by IT”

“Beating IT Risks” – Jordan & Silcock, 2005


IT Risk Class #1 – Project Risks

• Planned system enhancements may not occur

• Failures due to timing, quality, and/or scope

• Skill and experience of development team

• Number and types of technologies used

• Stability of requirements

• Poor / limited management oversight

• Defects found after placed into production


IT Risk Class #2 – BCP/DRP Risks

• Focus on systems versus services

• Business processes may grind to a halt

• Poor performance and response time degradation can impact user productivity

• Backup data integrity not tested

• Limited off-site recovery capabilities and/or untested recovery capabilities


IT Risk Class #3 – Information Assets

• Firm not aware of its information asset value

• Unknown risks of disclosure, change, or loss

• Business reliance on data integrity degraded

• Repair costs of “bad” data may be significant

• Data access is excessive, not reviewed or inconsistent with job roles and responsibilities

• Systems installed without control in mind


IT Risk Class #4 – Service Providers

• Failure to deliver impacts systems & services

• Products may be faulty

• Inadequate contract / relationship mgmt

• Failure to check results to scope of work

• Failure to identify and measure service levels

• Vendors provide inadequate professionals

• Lack of formal audit clause in contracts


IT Risk Class #5 – Application Risks

• Applications do not perform as expected

• Systems are not easy to maintain

• Documentation is non-existent or poor

• Output is costly or not useful

• System is difficult to use or understand

• Users not involved with design / final testing

• Application ownership not defined


Application Risks Are Increasing…

Infrastructure & Information Must Be Assessed!!!

GeneralLedgerSystem

Application 2 Application 3

Application 5A

Application 7

Application 8

Application 9

Appllication10A

Application 1

Application 9A

Application 10

Application 4

Application 6

Application 5


IT Risk Class #6 – Infrastructure

• Lack of environmental controls

• Incompatible or obsolete systems used

• Loss of network connectivity

• Data networks lack bandwidth / redundancy

• Departmental systems outside of central IT

• Costs difficult to measure or control



Network devices

Access points – Wired & Wireless

Remote access / Dial-up modems

Business partner connections

Open/required ports & services

Traffic/data flow requirements


InternalLAN

InternalLAN

HEWLETTPACKARD

HEWLETTPACKARD

HEWLETTPACKARD

1 2 3 4 5 6

7 8 9 101112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

1 2 3 4 5 6

7 8 9 101112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

Internal Router

Novell or Unix Server

Windows NT Workstation

Windows 98 Station

Windows NT 4.0 orWindows 2000 Server

Remote Access Server

Dialup

Internet DMZ/Gateway Servers

Mobile Home UserBranch Office(s)

Perimeter Router

Windows NT 4.0 orWindows 2000 Server

Frame Relay Circuit

Internet

HEWLETTPACKARD

Database Server(s)

Draw The Network



InternalLAN

InternalLAN

HEWLETTPACKARD

HEWLETTPACKARD

HEWLETTPACKARD

1 2 3 4 5 6

7 8 9101 112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

1 2 3 4 5 6

7 8 9 101112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

Internal Router

Novell/UNIX/AS400/OS390/...

Windows NTWorkstations

W2K/XP Workstations

Windows NT 4.0 orWindows 2000/.NET Server

Remote Access Server

DialupConnection

Internet DMZ/Gateway Servers

Mobile/Home User

Branch Office(s)

Perimeter Router

Information"leakage"

Inadequate loggingand detection

Unnecessaryports or services

Misconfiguredweb services

Inadequatepassword controls

Excessive file anddirectory access

Improperlyfiltered networks

Windows NT 4.0 orWindows 2000/.NET Server

DedicatedCircuits

Excessiveuser rights

Misconfiguredoperating systems

Excessive trustrelationships

Improperlyconfigured routingUnsecured Remote

Access Services (RAS)

Unauthorized serverson the network

Ineffective enterprisepolicies and standards

Misconfigured firewallsand/or TCP/IP

ports or services

InternetConnection

Inadequate databackup and retention

HEWLETTPACKARD

Database Server(s)ORACLESYBASEDB2/UDBMS-SQLACCESS

Inappropriate administrativerights and table attributes

Inadequate application anddata integrity controls

Inadequate controls overphysical access to devices

"xSP" and"BusinessPartner"Access

SLAs, "Confidentiality,Integrity, and Availability ",and encryption concerns

"Wireless"Networking

Remote ControlSoftware/Modems

InternetFirewall

InternalFirewall

"Hackers "and

"Script Kiddies"

Viruses, Worms, andTrojan Horse Programs


Weaker Wireless Architecture


Stronger Wireless Architecture


IT Risk Class #7 – Strategic/Emergent

• Too many tactical / ad hoc approaches

• Mgmt rebukes importance of IT systems

• Policies are informal or not deployed

• IT control frameworks not deployed

• Regulatory or audit issues not taken seriously


IT Risk Class** – Compliance Risks

• Regulations are misunderstood

• Regulations are not fully implemented

• Financial impact is not measured

• Poor communication with employees

• Lack of monitoring & metrics programs


Ranks: 25-30 Critical, 16-24 Essential, 15 or less Lower Priority

12RANK:

1=1X1What Data Can Be Replicated Manually? (1=all, 2=some, 3=none)

2=2X1Who Is Impacted By Disaster? (1=internal, 2=customer, 3=both)

2=2X1Time Before Disaster Impact Occurs? (1=days, 2=hours, 3=minutes)

4=2X2% of Processes With Dependencies?(1=0-33%, 2=34-66%, 3=66-100%)

3=3X1System Integral to Cash Flow? (1=no, 2=somewhat, 3=entirely)

Total=WeightXScoreSystem: Wireless LAN

IT Risk Assessment – Step #4 - BIA


IT Risk Assessment – Steps #5 & #6

Create a comprehensive list of IT risks

Reference the risks back to your assets

Create the IT Risk Management Report

(similar to a Business Impact Analysis)


IT Risk Assessment – Step #7

Risk AssumptionAccept potential IT risk

Risk AvoidanceChange how the IT system is used or,remove IT vulnerability/ability-to-exercise

Risk LimitationArchitect IT system boundaries (VLAN/IDS)

Risk TransferSomeone else “pays” (e.g., insurance)


DecisionSupportAnalysis

“Safeguard”Assessments

ThreatAssessment

VulnerabilityAssessment

RiskDetermination

ProcessCapture

IT Risk Assessment – Simpler???


IT Risk Assessments Must:

• Be Effective & Repeatable

• Identify & Prioritize Risks

• Support Mitigation & Reporting Decisions

• Be Monitored & Measured


“Future Trends & Observations…”

Management’s expectations of IT

Management’s responsibility for IT

“Both reasons” support IT Governance

• quality up• time-to-market down• service levels increased• costs contained

• re-engineered processes• right-sized operations• distributed processing• flattened organizations• empowerment• outsourcing

• safeguard assets

• information has become a valuable asset

• leverage IT


Future Item – IT Governance

• Structure of processes to direct & control the IT enterprise

• Designed to create / add business value

• Balances business risks with IT controls


IT Governance Options Include:

• FFIEC

• CobiT

• IT Infrastructure Library (ITIL)

• Microsoft Operations Framework

• ISO-17799

• NIST (SP800-30)


Future – IT Thinks Like Management

1. Maintain credibility by citing business benefits

2. Rely more on ROI than FUD

3. Consider use of an IT control framework

4. Use metrics to support benefits of controls and to quickly detect anomalies / defects

5. Help keep the firm out of regulatory reports


Future – Authentication Technologies

1. Authentication has major implications with virtually every type of business:

Function Application Data

2. “Multi-factor Authentication” risks must be analyzed and addressed


The 2nd of Security’s “5 A’s”

1. Access

2. Authentication

3. Authorization

4. Accountability

5. Awareness


Why Use Authentication?

Network AccessServer AccessDatabase AccessInternal Application AccessWeb Application AccessATM Cash MachinesEmail Message Validity and Integrity


Common Solutions Include:

User ID and Password CombinationsSecurity TokensBiometrics

FingerprintHandprintRetina ScansVoiceprint

Digital Certificates / LDAP / PKI / PGP


“New Solutions” – Passfaces

www.

passfaces.

com


Trends and Observations – “I think…”What’s Next – IT Perspective

Self-Assessments & ERM practicesVendors - risk assessments & SAS/70Regulations - lower risks / better controls IT policies and procedures deploymentEmphasis on SOD controlsIT governance / framework deploymentIT hiring & retention will be critical!!!


What’s Next – IT Audit Perspective

Increased demand for IT auditorsSoftware will “commoditize” reviewsFollowing standards will be standardIT auditors will bear ‘good news’ tooFrameworks/metrics will become a way for

IT auditors to add value with IT controlsIntegrated audits and application auditsIT auditor hiring & retention will be critical


What’s Next – IT Audit Perspective

Three Goals of Better IT Risk Management:

1. Improved Inputs to Audit Planning

2. Audit Plans Align with Strategic Plans

3. Audit Plans Reflect Changing IT Risks


Embrace The Future…

Who Knows The IT Risks & Opportunities…


Information Please…

Peers & Co-workersBooks and Manuals (hard & soft copy)Magazines (hard & soft copy)Email SubscriptionsSeminars / Conferences / WorkshopsVendor Demo SoftwareInternet Web Sites


Web Sites…

www.cfo.comwww.cio.comwww.csoonline.comwww.drj.comwww.baselinemag.cominfotech.aicpa.orgwww.dogpile.com


Watch For Warning Signs!

Major changes in systems or technology?Significantly changing business?Right-sizing or reengineering?Open access to systems & data?Excessive systems errors or crashes?General complaints by end-users?Ad hoc reporting for critical data?


Key Take-Away!!!

Manage and monitor IT risks 24X7

No “silver bullets” with IT controls

Obtain and use the best people, processes, technology, and business partners available

Make your IT control processes and current status visible in your firms!


“Searching The Clues For IT Risks”

Further Questions?Jefferson Wells888-444-5415

or414-347-2345paul.rozek@jeffersonwells.comwww.jeffersonwells.com

Documents

FIRMA – 2006 National Training Conference