Carole_Guess_AFWA13_PPT.pdf

8/10/2019 Carole_Guess_AFWA13_PPT.pdf

http://slidepdf.com/reader/full/caroleguessafwa13pptpdf 1/16

10/16/20

IT AUDITIT AUDIT

NER STRONGNER STRONG



10/16/20

BioBio

• Indiana University Graduate (3 times so far)

• IT Audit Program Manager at IU Health

• 15+ years in Auditing, 13 as an IT Auditor

• 2nd degree Black belt candidate

• Mom to the most

adorable 9 year old

on the

planet.

Objectives for

Today

• IT general controls review strategies for non‐IT

au ors.

– How to test basic IT general controls in a small

business environment.

• Leading practice recommendations for securing

personal, proprietary and client confidential

e ectron c

n ormat on,

nc u ng porta e

storage

media, iPads/tablets, SmartPhones and remote

personal/Cloud storage.



10/16/20

What is PII?

(personally

identifiable

information)• Full name (or common name)

• Date of birth

• Birthplace

• National identification numbers (SSN, Driver’s License)

• Vehicle registration or plate number

• Email address (and/or IP address in some cases)

• Face (photos), fingerprints, or handwriting

• Genetic/Health information – including insurance information

• Credit card numbers

• Digital identity

• Criminal record

ITGCs(IT general controls)



10/16/20

ITCGs are…

• Controls that apply to all hardware/software,

,

environment. IT control objectives relate to

the confidentiality, integrity, and availability of

data and the overall management of the IT

function of the business enterprise.

ITCGs are…

• Types of ITGCs include:

– Automated Controls

• – Programmed controls (requirement configured in the application

settings).

• – ons ere a s rong con ro ecause w unc on e same way eac

time (as long as the control is not changed/reprogrammed).

• Example: Transaction requires management’s electronic approval/signoff to move process forward.

– Partially Automated Controls

• People rely on information from IT systems (system generated reports) for the control.

• Considered less strong because of the human element.

•

xamp e:

an

reconc a on,

w ere

e

con ro

uses

repor s

rom

e

general ledger system.

– Manual Controls

• People enable a control that is non‐technology dependent.

• Example: Two or more physical signatures on a check.



10/16/20

ITCGs for small spacesITCGs for small spaces

Common ITCGs for small business include

but are not limited to :

• IT governance

– Policies/procedure (SANS and NIST have good templates)

• Network security – Encryption

• Logical and physical access – Application (transaction) controls can be manual or automated

and include passwords, role‐based access, logging/monitoring, segregat on o ut es, etc.

• Virus/malware protection

• Disaster recovery

– Backup/restore

ITCGs for

small

spaces

Why are ITGCs important?

• There is an IT infrastructure supporting critical

business processes in almost every company.

• ITCGs can be applied regardless of business

size or complexity.

ou

e e c v e

s, re ance

on

systems may not be possible.



10/16/20

Reviewing ITGCs(How

to

hit

the

high

points

and

identify

the

risks)

The

“Usual

Suspects”

Checklist• Are IT policies and procedures documented?

• Have employees signed acceptable use and/or con identia ity agreements?

– Ask employees,

• “Are you familiar with the company’s IT

Security policies?”

• “Are you familiar with the company’s

Information policy?”

• “Where would you find a copy of these

policies?”



10/16/20

The “Usual Suspects” Checklist

• Is user

access

unique

and

role

based?

– Is the approver of access different from the

(Segregation of duties)

– Is access to network and all applications removed

immediately on termination?

– Are user accounts and user activity logs periodically reviewed?

• Are passwords/user credentials written down and

kept near the workstation (taped to monitor, inside

desk drawer,

under

keyboard

or

mouse

pad)?

The “Usual

Suspects”

Checklist

• Are workstations and servers in the business unit in

secure locations?

– Can visitors view/access workstations?

– Are screensavers used (with auto‐timeout and

password lock)?

– Who has physical access to the server room?

– Has the default password been changed?

– Encryption turned on?



10/16/20

The “Usual Suspects” Checklist• Can users access company systems remotely? VPN?

– If home computers are used for remote access, can

client/company data be downloaded to personal PCs?

(Potentially non‐secured connection; shared personal PC, etc.)

• Are user IDs or passwords shared with other employees/contractors?

– If yes, with whom and for what application(s)?

– Is there a business need to share?

• Can non‐company personnel access company system

– If yes, who and for what application(s)?

– Is there

a business

need

for

access?

– Has the 3rd party signed a confidentiality agreement?

The “Usual

Suspects”

Checklist

• Are applications and data backed up on a regular

– Is the backup kept in a secure off ‐site location?

• Are all mobile device (laptops, tablets, SmartPhones,

etc) used for company business required to be

password protected, (including BYODs)?

– Have default

passwords

been

changed?

– Malware protection?

– Encryption? (including SD cards)



10/16/20

The “Usual Suspects” Checklist

•

utilized for business purposes required to be

encrypted?

• Does the client know how to report a possible IT

security and/or privacy incident/breach?

– Indiana Privacy Law

The “Usual

Suspects”

Checklist

• Other considerations: –

(policy in place)

– Office equipment• Digital camera

• Copier hard‐drive

(internal memory card)

• Shredder ‐ use re uired

– Credit card acceptance

(PCI DSS) … a workshop

in itself



10/16/20

Mobile and Cloud computingMobile and Cloud computing(Considerations for you and your client)

Threats to

Mobile

Computing

Many businesses are going to BYODBYOD, but

conventional computer systems.

– Complete O/S, lots of apps and the end‐user is in

control (vs. IT).

• More viruses/malware (and lower threshold of hacking

ex erience needed

• Additional attacks flanks‐> SMS/text phishing

– Require weak or no authentication (default

password or minimal characters).



10/16/20

Threats to Mobile Computing (cont.)

– Lose your device, lose your data (it’s the data

’ , .

• Shipped with several GB of on‐board storage.

– “How to” for breaking vendor encryption can be easily

Googled.

• Memory cards are typically not encrypted by default.

• Remote wipe is frequently subject to failure.

– Criminals immediately remove SIM to prevent remote wipe

• If BYOD, who owns the data? (Get to Legal to discuss

liability ASAP). – What if Employee terminates?

Securing The DeviceSecuring The Device



10/16/20

Steps to Secure Your

Mobile Device1. Develop appropriate policies, procedures, standards,

and guidelines for mobile devices.

2. Configure mobile devices securely.

– Enable auto‐lock & password protection (complex passwords).

– Avoid using features that remember user names or passwords.

– Ensure browser security settings are configured appropriately.

– Enable remote wipe.

– Ensure that SSL protection is enabled, if available.

3. Connect to secure Wi‐Fi networks and disable Wi‐Fi, Bluetooth, GPS, etc. when not in use.

– set Bluetooth

‐enabled

devices

to

non

‐discoverable

to

render

them invisible to unauthenticated devices.


Mobile Device (cont.)4. Update mobile devices frequently. Select the automatic

update option if available.

5. Use digital certificates on mobile devices.

– An electronic “ID card" that verifies credentials when doing

business or other transactions on the Web.

6. Take appropriate physical security measures to prevent theft or enable recovery of mobile devices. – Use cable locks and tracking software (e.g., Computrace,

Loo out, Mo i eMe,

STOP .

– Never leave your mobile device unattended.

– Report lost or stolen devices immediately.

– Back up data on your mobile device on a regular basis.



10/16/20


Mobile Device (cont.)

7. Delete all information stored on a device

prior to discarding, exchanging, or

donating it.

8. Implement on‐going and up‐to‐date

mobile device security training.

Life in

“The

Cloud”Life

in

“The

Cloud”



10/16/20

The Cloud and Personal

Remote Storage• End users access cloud based applications

through a web browser on a desktop or

and data are stored on servers at a remote

location.

• Three types: – Private ‐ exclusive use by a single

organization.

– Public ‐ open use by the general public

(Amazon, Google, Microsoft, etc).• Includes Cloud‐based personal storage services

such as Box.net, GoogleDocs, DropBox,

RackSpace,

Carbonite,

Mozy,

Snapfish,

Flickr,

Shutterfly, etc.

– Hybrid ‐ a combination of public/private.

Security Considerations

for Cloud ComputingSecurity, privacy, identity, and other compliance implications of moving

data into the cloud.

1. Confidentiality and Privacy – Certain industries are governed by Federal/State regulations such as HIPAA or

FERPA to protect personal data; placing that data in the cloud introduces new

risk.

2. Data Breach Responsibilities and Security. Placing data and services in the

cloud amplify concerns about data breaches; (security is not under direct control of the data owner.) – Data breach generally carries with it an obligation to notify.

–

back.)

3. E‐Discovery – Records are not under direct institutional control; the institution no longer

has the record in the same way that it formerly did. How does one 'discover' what one does not have?

Source: https://wiki.internet2.edu/confluence/display/itsg2/Cloud+Computing+Security



10/16/20

Security Considerations

for Cloud Computing (cont.)

So can a public Cloud be used securely? Maybe….

•

store in the Cloud.

• For business use, pay close attention to Vendor contracts, BAA/SLA language.

• Emergence of Vertical Clouds (industry specific)

• NIST recently published “Special Publication 800‐

144: Guidelines on Security and Privacy in Public Cloud

Computing.”

Beyond This

WorkshopBeyond

This

Workshop

• SANS IT Policy templates ‐ http://www.sans.org/security‐resources/policies/

• ‐

http://www.cio.ca.gov/OIS/Government/documents/docs/RA_Checklist.doc

• 10 Best Practices for the Small Healthcare Environment ‐http://www.healthit.gov/sites/default/files/basic‐security‐for‐the‐small‐healthcare‐practice‐checklists.pdf

• CompTIA Risk Assessment Checklist For Small Business ‐

http://www.comptia.org/news/pressreleases/09‐07‐

28/A_Risk_Assessment_Checklist_For_Small_Business.aspx

•

ecur ng

ens ve

a a ‐

p: w ww. .org a a‐

secur y secur ng‐

sensitive‐data/overview/

• SmallBusinessComputing.com ‐ http://www.smallbusinesscomputing.com/



10/16/20

Questions?Questions?

Thanks!Thanks!

Carole J. Guess MBA, MSA, CISA, CRISC

[email protected]

Date post:	02-Jun-2018
Category:	Documents
Upload:	angel158
View:	216 times
Download:	0 times

Carole_Guess_AFWA13_PPT.pdf

Documents