FIRMA – 2006 National Training Conference
Searching the Clues for IT Risks….
Introduction – Paul Rozek
• 17+ years with M&I Corporation
• 9+ years with Jefferson Wells – Director, Tech. Risk Management Services
• Member of IIA, ISACA, ISSA, HIPAA-COW, Infragard, BRPA-SW
• Masters Degree in Project Management
Jefferson Wells
• Headquartered in Milwaukee, WI
• 10 year anniversary in 2006
• 45 offices & over 2,500 employees
• Subsidiary of Manpower International
• Provide services in the areas of:
  • Internal Controls
  • Technology Risk Management
  • Financial & Operational Management
  • Tax
Disclaimers / Ground Rules
The views and opinions expressed today do not necessarily reflect the position of Jefferson Wells International, Inc.
Any copyrights/trademarks belong to owners...
No recommendations of vendor products or services are intended. Such discussion is for illustrative purposes only. Each firm must assess its business, IT audit, and IT risk & control needs.
OR, Please Do Not Use These Tactics!!!
Session Overview
• What’s Happening With IT?
• Why Worry About IT?
• What Is IT Risk?
• IT Risk Assessment Process - Examples
• Future Trends and Considerations
• Q&A
Appreciate The Past…
Herman Hollerith – 1890’s
Computer Tabulating Recording Co.
Appreciate The Past…
Rear Adm. Grace M. Hopper
ENIAC Team / COBOL – 1940/50
Appreciate The Past…
09/09/45 – Computer Debugging Is Born…
Appreciate The Past…
Thomas Watson Jr. - IBM
Appreciate The Past…
“Apple-A-Day”
Appreciate The Past…
Bill Gates – MS V.1.0 - 1985
Appreciate The Past…
Clifford Stoll
Appreciate The Past…
MOVIES:
“War Games”
“The ‘Net”
“Sneakers”
“Firewall”
Can You Guess the Hacker?
Contestant #1 – Hacker?
Contestant #2 – Hacker?
Contestant #3 – Hacker?
Contestant #4 – Hacker?
Contestant #5 – Hacker?
And the Answer Is….
What’s Happening With IT?
Technological and sourcing revolutions are changing how firms conduct business:
• Alliances
• Inter-networking
• Outsourcing
• “Menu Of Options”
• Regulations
• Attacks
Financial Industry IT Challenges
1. Data Integrity & Quality
2. Data Security
3. Continuous Availability
4. Maximizing Performance
Why Worry About IT?
• Firms with 200,000+ attacks daily
• 2,500+ software security flaws yearly
• Numerous software patches
• Close to 100,000 known viruses (& hoaxes)
• 1,600+ default passwords
Why Worry About IT?
CSI/FBI Computer Crime & Security Highlights
• 85% Detected computer security breaches
• 70% Stated Internet is a frequent attack point
• 64% Acknowledged financial losses
• 36% Reported intrusions to law enforcement
• 35% Could quantify their financial losses
Justify Solutions Using F.U.D.?
Types of Costs Associated With A Breach:
1. Hardware / Software replacement
2. System / people downtime
3. Consulting fees / Legal fees
4. Information recovery
5. Lost business / Reputation
6. Incidentals (food, lodging, transportation)
Phishing – Any Bites???
Keystroke Logging Anyone?
Check out: www.winwhatwhere.com or www.keyghost.com
[Slide images: “before” / “after”]
Keystroke Logging Anyone?
or via keyboard…
Seen This Before?
End-User Errors Continue:
1. Leave computers unattended
2. Use Post-it Notes or poor passwords
3. Open email attachments
4. Download software from the web
5. No change control for spreadsheets
6. Fail to take controls training seriously
“Mini-Case Study”
“What’s Wrong With This Picture?”
www.csoonline.com (March 2004)
Senate Bill 1386
Where’s The Data???
Data is being disclosed way too easily!!!
• Tapes falling out of vehicles…
• Laptops stolen in airports…
• Laptops / PDAs left in taxicabs…
• Laptops with unencrypted hard drives…
• CD-ROMs left on airplanes…
• Email attachments / “Phishing”…
Risk/Compliance Challenge…
IT Security-Related Laws for Higher Ed.
[Figure: laws grouped by area – Business Processes, Anti-Terrorism, Research, Instruction, Electronic Records, Health, Human Subjects, Law Enforcement, Copyright]
Laws shown: FERPA, HIPAA, GLBA, UETA, E-SIGN, SOX, U.S.A. PATRIOT Act, DMCA, CAN-SPAM, CDC Select Agent Program / Bio-terrorism Protection Act, TEACH, ECPA, CFAA
Copyright © 2004, University of Wisconsin Board of Regents
Senate Bill #1386 (a.k.a. – The “You’ve Been Hacked” Act)
California State Payroll system hacked in April 2002 – 250,000 SSN disclosed
Challenges:
1. What is “personal information?”
2. What constitutes a breach?
3. How must individuals be notified?
4. What new laws will appear? (NCSL)
Lots of Helpful Resources…
How Do You Define IT Risk?
Standards for the Professional Practice of Internal Auditing says risk is “the uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.”
Remember – IT makes risk decisions every day to support business success
“IT risk” will become part of “ERM”
Financial Industry – “IT-RMP”
FIL-81-2005 released on August 18, 2005
“Information Technology Risk Management Program” (IT-RMP)
Rescinded IT-MERIT procedures & its work programs
IT-RMP
Focuses on a financial institution’s information security program and risk management practices for securing information assets. Such practices include:
• Risk Assessments
• Operations security and risk management
• Audit and independent review
• Disaster recovery and business continuity
• Compliance with FDIC Rule Part 364, Appendix B
IT Risk Assessment – Example
Step #1 – Identify information assets
Step #2 – Aggregate and prioritize assets
Step #3 – Identify risks
Step #4 – Prioritize risks
Step #5 – List and define risks
Step #6 – Reference risks
Step #7 – Recommend risk mitigation
IT Risk Assessment – Steps #1 & #2
Step #1 – Identify information assets
Step #2 – Aggregate and prioritize assets
1. Create IT asset lists – services, hardware, operating systems, applications, etc.
2. Assign relative ratings – e.g., Critical, Essential, or Normal
IT Risk Assessment – Step #3
1. Projects – “Failure to Deliver”
2. Service Continuity – “Going Off-The-Air”
3. Information Assets – “Protect & Preserve”
4. Service Providers – “Breaks in Value Chain”
5. Applications – “Flaky Systems”
6. Infrastructure – “Shaky Foundations”
7. Strategic – “Disabled by IT”
“Beating IT Risks” – Jordan & Silcock, 2005
IT Risk Class #1 – Project Risks
• Planned system enhancements may not occur
• Failures due to timing, quality, and/or scope
• Skill and experience of development team
• Number and types of technologies used
• Stability of requirements
• Poor / limited management oversight
• Defects found after placed into production
IT Risk Class #2 – BCP/DRP Risks
• Focus on systems versus services
• Business processes may grind to a halt
• Poor performance and response time degradation can impact user productivity
• Backup data integrity not tested
• Limited off-site recovery capabilities and/or untested recovery capabilities
IT Risk Class #3 – Information Assets
• Firm not aware of its information asset value
• Unknown risks of disclosure, change, or loss
• Business reliance on data integrity degraded
• Repair costs of “bad” data may be significant
• Data access is excessive, not reviewed or inconsistent with job roles and responsibilities
• Systems installed without control in mind
IT Risk Class #4 – Service Providers
• Failure to deliver impacts systems & services
• Products may be faulty
• Inadequate contract / relationship mgmt
• Failure to check results to scope of work
• Failure to identify and measure service levels
• Vendors provide inadequate professionals
• Lack of formal audit clause in contracts
IT Risk Class #5 – Application Risks
• Applications do not perform as expected
• Systems are not easy to maintain
• Documentation is non-existent or poor
• Output is costly or not useful
• System is difficult to use or understand
• Users not involved with design / final testing
• Application ownership not defined
Application Risks Are Increasing…
Infrastructure & Information Must Be Assessed!!!
[Figure: General Ledger System surrounded by interconnected Applications 1–10, 5A, 9A and 10A]
IT Risk Class #6 – Infrastructure
• Lack of environmental controls
• Incompatible or obsolete systems used
• Loss of network connectivity
• Data networks lack bandwidth / redundancy
• Departmental systems outside of central IT
• Costs difficult to measure or control
IT Risk Class #6 – Infrastructure
Network devices
Access points – Wired & Wireless
Remote access / Dial-up modems
Business partner connections
Open/required ports & services
Traffic/data flow requirements
IT Risk Class #6 – Infrastructure
Draw The Network
[Figure: sample network diagram – Internet, Perimeter Router, Internet DMZ/Gateway Servers, Frame Relay Circuit, Internal Router, Internal LAN switches; Novell or Unix Server, Windows NT 4.0 or Windows 2000 Server, Database Server(s); Windows NT Workstation, Windows 98 Station; Remote Access Server with Dialup, Mobile Home User, Branch Office(s)]
[Figure: the same network (Novell/UNIX/AS400/OS390 servers, Windows NT 4.0 or Windows 2000/.NET Servers, Windows NT and W2K/XP Workstations, Database Server(s) – Oracle, Sybase, DB2/UDB, MS-SQL, Access – Remote Access Server with dialup, dedicated circuits, Internet connection, Internet and internal firewalls, "xSP" and "Business Partner" access, "Wireless" networking, remote control software/modems, mobile/home users and branch offices) annotated with typical infrastructure weaknesses]
Weaknesses annotated on the diagram:
• Information "leakage"
• Inadequate logging and detection
• Unnecessary ports or services
• Misconfigured web services
• Inadequate password controls
• Excessive file and directory access
• Improperly filtered networks
• Excessive user rights
• Misconfigured operating systems
• Excessive trust relationships
• Improperly configured routing
• Unsecured Remote Access Services (RAS)
• Unauthorized servers on the network
• Ineffective enterprise policies and standards
• Misconfigured firewalls and/or TCP/IP ports or services
• Inadequate data backup and retention
• Inappropriate administrative rights and table attributes (database servers)
• Inadequate application and data integrity controls
• Inadequate controls over physical access to devices
• SLAs, "Confidentiality, Integrity, and Availability", and encryption concerns (xSP / business partner access)
• "Hackers" and "Script Kiddies"
• Viruses, Worms, and Trojan Horse Programs
Weaker Wireless Architecture
Stronger Wireless Architecture
IT Risk Class #7 – Strategic/Emergent
• Too many tactical / ad hoc approaches
• Mgmt discounts the importance of IT systems
• Policies are informal or not deployed
• IT control frameworks not deployed
• Regulatory or audit issues not taken seriously
IT Risk Class** – Compliance Risks
• Regulations are misunderstood
• Regulations are not fully implemented
• Financial impact is not measured
• Poor communication with employees
• Lack of monitoring & metrics programs
IT Risk Assessment – Step #4 - BIA
System: Wireless LAN
Total = Weight X Score
  1 = 1 X 1   What Data Can Be Replicated Manually? (1=all, 2=some, 3=none)
  2 = 2 X 1   Who Is Impacted By Disaster? (1=internal, 2=customer, 3=both)
  2 = 2 X 1   Time Before Disaster Impact Occurs? (1=days, 2=hours, 3=minutes)
  4 = 2 X 2   % of Processes With Dependencies? (1=0-33%, 2=34-66%, 3=66-100%)
  3 = 3 X 1   System Integral to Cash Flow? (1=no, 2=somewhat, 3=entirely)
RANK: 12
Ranks: 25-30 Critical, 16-24 Essential, 15 or less Lower Priority
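A small Python implementation of the Step #4 BIA scoring, added here as an example and not part of the original deck: the five questions, their weights and the rank bands are the slide's; the second system, “Online Banking”, and its answers are a constructed sample, and the range check is an assumption about how a practitioner would want a half-filled questionnaire handled.

```python
"""Weighted Business Impact Analysis (BIA) scoring as shown on the
Step #4 slide: every question has a weight, the answer is scored 1-3,
and the system's rank is the sum of weight x score, bucketed into
Critical (25-30), Essential (16-24) or Lower Priority (15 or less)."""

# (question, weight, {score: meaning}) copied from the slide
BIA_QUESTIONS = [
    ("What data can be replicated manually?", 1, {1: "all", 2: "some", 3: "none"}),
    ("Who is impacted by disaster?", 2, {1: "internal", 2: "customer", 3: "both"}),
    ("Time before disaster impact occurs?", 2, {1: "days", 2: "hours", 3: "minutes"}),
    ("% of processes with dependencies?", 2, {1: "0-33%", 2: "34-66%", 3: "66-100%"}),
    ("System integral to cash flow?", 3, {1: "no", 2: "somewhat", 3: "entirely"}),
]

# Rank bands from the slide, as (lowest total in the band, label)
RANK_BANDS = [(25, "Critical"), (16, "Essential"), (0, "Lower Priority")]

# Highest possible total with these weights (30 on the slide)
MAX_TOTAL = sum(weight for _, weight, _ in BIA_QUESTIONS) * 3


def score_system(name, scores):
    """Return (total, rank_label) for one system given a 1-3 answer per question.

    A missing or out-of-range answer raises ValueError (constructed rule):
    an unanswered question must not silently rank a system as low priority."""
    if len(scores) != len(BIA_QUESTIONS):
        raise ValueError(f"{name}: expected {len(BIA_QUESTIONS)} answers, got {len(scores)}")
    total = 0
    for (question, weight, meanings), score in zip(BIA_QUESTIONS, scores):
        if score not in meanings:
            raise ValueError(f"{name}: {question!r} must be scored 1-3, got {score}")
        total += weight * score
    for floor, label in RANK_BANDS:
        if total >= floor:
            return total, label
    return total, "Lower Priority"  # unreachable: the last band starts at 0


def prioritize(systems):
    """Rank several systems highest total first, as input to Steps #5-#7."""
    ranked = [(name, *score_system(name, answers)) for name, answers in systems.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    systems = {
        "Wireless LAN": [1, 1, 1, 2, 1],     # answers from the slide -> 12, Lower Priority
        "Online Banking": [3, 3, 3, 3, 3],   # constructed sample -> 30, Critical
    }
    for name, total, label in prioritize(systems):
        print(f"{name:15} {total:2}/{MAX_TOTAL}  {label}")
```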
IT Risk Assessment – Steps #5 & #6
Create a comprehensive list of IT risks
Reference the risks back to your assets
Create the IT Risk Management Report
(similar to a Business Impact Analysis)
IT Risk Assessment – Step #7
Risk Assumption – Accept potential IT risk
Risk Avoidance – Change how the IT system is used or remove the IT vulnerability/ability-to-exercise
Risk Limitation – Architect IT system boundaries (VLAN/IDS)
Risk Transfer – Someone else “pays” (e.g., insurance)
IT Risk Assessment – Simpler???
[Figure: risk assessment components – Process Capture, Threat Assessment, Vulnerability Assessment, Risk Determination, “Safeguard” Assessments, Decision Support Analysis]
IT Risk Assessments Must:
• Be Effective & Repeatable
• Identify & Prioritize Risks
• Support Mitigation & Reporting Decisions
• Be Monitored & Measured
“Future Trends & Observations…”
Management’s expectations of IT:
• quality up
• time-to-market down
• service levels increased
• costs contained
• re-engineered processes
• right-sized operations
• distributed processing
• flattened organizations
• empowerment
• outsourcing
Management’s responsibility for IT:
• safeguard assets
• information has become a valuable asset
• leverage IT
“Both reasons” support IT Governance
Future Item – IT Governance
• Structure of processes to direct & control the IT enterprise
• Designed to create / add business value
• Balances business risks with IT controls
IT Governance Options Include:
• FFIEC
• CobiT
• IT Infrastructure Library (ITIL)
• Microsoft Operations Framework
• ISO-17799
• NIST (SP800-30)
Future – IT Thinks Like Management
1. Maintain credibility by citing business benefits
2. Rely more on ROI than FUD
3. Consider use of an IT control framework
4. Use metrics to support benefits of controls and to quickly detect anomalies / defects
5. Help keep the firm out of regulatory reports
Future – Authentication Technologies
1. Authentication has major implications with virtually every type of business: Function / Application / Data
2. “Multi-factor Authentication” risks must be analyzed and addressed
The 2nd of Security’s “5 A’s”
1. Access
2. Authentication
3. Authorization
4. Accountability
5. Awareness
Why Use Authentication?
• Network Access
• Server Access
• Database Access
• Internal Application Access
• Web Application Access
• ATM Cash Machines
• Email Message Validity and Integrity
Common Solutions Include:
• User ID and Password Combinations
• Security Tokens
• Biometrics
  • Fingerprint
  • Handprint
  • Retina Scans
  • Voiceprint
• Digital Certificates / LDAP / PKI / PGP
“New Solutions” – Passfaces
www.passfaces.com
Trends and Observations – “I think…”
What’s Next – IT Perspective
• Self-Assessments & ERM practices
• Vendors - risk assessments & SAS/70
• Regulations - lower risks / better controls
• IT policies and procedures deployment
• Emphasis on SOD controls
• IT governance / framework deployment
• IT hiring & retention will be critical!!!
What’s Next – IT Audit Perspective
• Increased demand for IT auditors
• Software will “commoditize” reviews
• Following standards will be standard
• IT auditors will bear ‘good news’ too
• Frameworks/metrics will become a way for IT auditors to add value with IT controls
• Integrated audits and application audits
• IT auditor hiring & retention will be critical
What’s Next – IT Audit Perspective
Three Goals of Better IT Risk Management:
1. Improved Inputs to Audit Planning
2. Audit Plans Align with Strategic Plans
3. Audit Plans Reflect Changing IT Risks
Embrace The Future…
Who Knows The IT Risks & Opportunities…
Information Please…
• Peers & Co-workers
• Books and Manuals (hard & soft copy)
• Magazines (hard & soft copy)
• Email Subscriptions
• Seminars / Conferences / Workshops
• Vendor Demo Software
• Internet Web Sites
Web Sites…
www.cfo.com
www.cio.com
www.csoonline.com
www.drj.com
www.baselinemag.com
infotech.aicpa.org
www.dogpile.com
Watch For Warning Signs!
• Major changes in systems or technology?
• Significantly changing business?
• Right-sizing or reengineering?
• Open access to systems & data?
• Excessive systems errors or crashes?
• General complaints by end-users?
• Ad hoc reporting for critical data?
Key Take-Away!!!
Manage and monitor IT risks 24X7
No “silver bullets” with IT controls
Obtain and use the best people, processes, technology, and business partners available
Make your IT control processes and current status visible in your firms!
“Searching The Clues For IT Risks”
Further Questions?
Jefferson Wells
888-444-5415 or 414-347-2345
paul.rozek@jeffersonwells.com
www.jeffersonwells.com