KPN Audit - Introduction
Objective - Provide assurance to the Board of Management and the
Supervisory Board (via the Audit Committee) of KPN N.V. concerning the
‘in control’ status of the company.
Engagement types
• Quality Assurance (Financial Reporting) and Compliance Reviews
• Risk Assessments
• Program Assurance and Out/In Sourcing Reviews
• IT Audits and Operational Audits
• Financial & Managerial Reporting Audits and Reviews
• Special Investigations
KPN Audit - Our motto
• To be right - Fact-based
• To be proved right - Based on a clear and logical story line
• Get it done - By helping the organization in fixing the problem
2012 – The ‘KPN hack’
KPN Audit investigated:
• What happened?
• How could it happen?
KPN Security agenda
• Infrastructure security
• Organization (CISO, SOC)
• KPN Security Policy
• …. and more
KPN Security Operations Center
https://www.kpn.com/zakelijk/grootzakelijk/security/monitoring/compliance.htm
BCM – Supervisor Agentschap Telecom
Tw H11a ‘Suitable measures’, Tw H14 ‘Extraordinary Circumstances’
Tooling - Q Carbon
Activities:
• Critical/vital services registration
• Scope and Business Impact Analysis (BIA)
• Risk Analysis (RA)
• Risk Treatment Plan (RTP)
• Continuity plans
• Planning tests/exercises
• Critical Service Components (semi-finished products)
• Applications
• Buildings
• Reporting
Buildings
Applications
Critical Service Components (semi-finished products)
Critical/vital Services
Awareness, Capability, Visibility
KPN Refresh Classification
Transparency is operating in such a way that it is easy for others to see what actions are performed.
It is about the ability of the receiver to have full access to the information he wants, not just the information the sender is willing to provide.
Awareness, Capability, Visibility
Security Capability
Visibility & Risk Intelligence
Security Awareness