IT and Information Management Audit - Webinar


Page 1

INFORMATION TECHNOLOGY AND INFORMATION MANAGEMENT AUDIT

JOSE LUIS GARCIA

DIRECTOR, IT AUDIT, SCOTIABANK CHILE

May 14, 2013

Page 2

Your Presenter

Jose Luis Garcia

Director, IT Audit

Scotiabank Chile

Page 3

Agenda

• Definition of Information

• Information Criteria

• IT Audit Layer Approach

• Physical Security Layer

• IT Service Continuity Layer

• Logical Security Layer

• SDLC Layer

• IT Management Layer

• Conclusions


Page 4

Definition of Information

• Information is a valuable asset

– Business details

• Customer data, financial reports, business transactions

– Knowledge

• Policies, procedures, workflows

– IT related data

• Parameters, configuration settings, privileges

• Like any other valuable asset, information must be protected


Page 5

Information Criteria


• Effectiveness

• Efficiency

• Confidentiality

• Integrity

• Availability

• Compliance

• Reliability

Page 6

Layer approach

• Physical Security

• Service Continuity

• Logical Security

• SDLC

• IT Management

Page 7

Cobit Domains

• Control Objectives PO (Plan and Organise)

• Control Objectives AI (Acquire and Implement)

• Control Objectives DS (Deliver and Support)

• Control Objectives ME (Monitor and Evaluate)

Page 8

Poll #1

Does your organization have its own datacentre?

a) Yes, we have a single datacentre

b) Yes, we have a primary site and a backup site

c) No, we outsource our datacentre services to a third-party

d) No, we use cloud services

e) I don’t know

f) Not applicable


Page 9

Physical Security Layer


• Owned datacentres

– Organizations were responsible for controls

– Physical security controls:

• Electronic and keypad locks, codified badges, biometric devices, security guards, security cameras, alarm systems.

– Environmental controls:

• Fire alarms, smoke and water detectors, UPS, etc.

• Outsourced datacentres

– Providers were required to demonstrate the effectiveness of internal controls

• SAS 70 Report, Section 5970 Report, CSAE 3416

– Governance principles

• Contract clauses, SLAs

Page 10

Physical Security Layer


• Cloud computing

– Data processing has become a commodity

– Technology enablers

• Virtualization

• Service Oriented Architecture (SOA)

– Service delivery can be run from anywhere

– New datacentre standards

• TIA-942

Page 11

Poll #2

Does your organization have a disaster recovery plan in place?

a) Yes, the plan is formalized and tested periodically

b) Yes, the plan has been recently approved

c) No, but there are plans to prepare one

d) No, there are no immediate plans to prepare one

e) No, we rely on a third party provider

f) I don’t know

g) Not applicable


Page 12

IT Service Continuity Layer


• Business operations depend on technology

• Technology is vulnerable to disasters

• BCP / DRP

• Recovery approach

– Redundancy

• Cold sites

• Warm sites

• Hot sites

• Disk mirroring / High availability technologies

Page 13

IT Service Continuity Layer


• Cloud computing

• Resilience approach

– BCP for local events

– Due diligence on provider’s BCP

– Backup data

– Cloud redundancy

Service models

Deployment models

Page 14

IT Service Continuity

Analysis: Amazon's Christmas faux pas shows risks in the cloud (Reuters) - A Christmas Eve glitch traced to Amazon.com Inc that shuttered Netflix for users from Canada to South America highlights the risks that companies take when they move their datacenter operations to the cloud. http://www.reuters.com/article/2012/12/27/us-amazon-cloud-idUSBRE8BQ00220121227

Lessons from Amazon Cloud Lightning Strike Outage, by Tony Bradley, PCWorld, Aug 10, 2011 7:16 AM - A lightning strike in Dublin took out a power transformer. In and of itself, that isn't all that unusual or noteworthy, but this particular lightning strike also impacted the backup power systems at Amazon's cloud data center, knocking the service offline. Looking back, there are some lessons to be learned both for Amazon, and for businesses that rely on cloud services. http://www.pcworld.com/article/237673/lessons_from_amazon_cloud_lightning_strike_outage.html

F.B.I. Seizes Web Servers, Knocking Sites Offline, by Verne G. Kopytoff - The F.B.I. seized Web servers in a raid on a data center early Tuesday, causing several Web sites, including those run by the New York publisher Curbed Network, to go offline. In an e-mail to one of its clients on Tuesday afternoon, DigitalOne's chief executive, Sergej Ostroumow, said: "This problem is caused by the F.B.I., not our company. In the night F.B.I. has taken 3 enclosures with equipment plugged into them, possibly including your server — we cannot check it." http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

Amazon's partial cloud failure takes out several popular websites - A partial failure of Amazon's cloud server network brought down the websites of several popular services, including Quora, Reddit and Foursquare for several hours beginning around 4:41am Eastern Time Thursday. The issues were isolated to the company's data centers in Northern Virginia. http://betanews.com/2011/04/21/amazon-s-partial-cloud-failure-takes-out-several-popular-websites/

Page 15

Logical Security Layer

• Logical Access Controls

– Data classification

• Restricted, private, public

– Access matrices

– System profiles

– Audit logs

• User account and password management

– Identification

– Authentication

• Malicious code control

– Hardening

– Antivirus


Page 16

Logical Security Layer

• Network security

– Firewalls

– IDS

– Proxies

• Mobile devices

– Encryption

– Configuration

– Remote wipe

• Social media

– Policies


Page 18

SDLC Layer

• Complex business environment

– IS as a competitive advantage

– New technologies

• In-house SDLC methodologies

– Size, density

– Linear models

• SDLC, Waterfall

– Iterative models

• Prototyping, Spiral, RAD


Page 19

SDLC Layer

• In-house SDLC methodologies (continued)

– Parallel models

• Alternative path

– Rapid response models

• UML, XP

• Third-party development

– Integration

– Security

– Dependency


Page 20

Poll #3

Does your organization measure the financial benefits of IT applications?

a) There is an ongoing monitoring of all IT applications

b) All new IT applications are evaluated after implementation

c) Only some applications are evaluated

d) No, financial benefits are not measured

e) I don’t know

f) Not applicable


Page 21

IT Management Layer

• IT Governance

– IT function, service providers, Information Security

• Business – IT Alignment

– Steering Committee

• Value Management

– Different types of investments

– Key metric definition

– Accountability

– Ongoing monitoring


Page 22

IT Management Layer

• IT Portfolio Management

– Strategic direction

– Resource availability

– Selection criteria

– Monitor benefits

• Investment Management

– Business case

– Develop program plan

– Update operational IT portfolios

– Retire program


Page 23

Conclusions

• Technology has transformed organizations;

• Risk and controls have evolved;

• Use a layer approach to identify the major concerns for your organization;

• There are many IT control guidelines available to assist auditors in identifying risks and controls on each layer.


Page 24

Questions?

Jose Luis Garcia

Director, IT Audit

Scotiabank Chile