8/10/2019 Carole_Guess_AFWA13_PPT.pdf
http://slidepdf.com/reader/full/caroleguessafwa13pptpdf 1/16
10/16/20
IT AUDIT
NER STRONG
Bio
• Indiana University Graduate (3 times so far)
• IT Audit Program Manager at IU Health
• 15+ years in Auditing, 13 as an IT Auditor
• 2nd degree Black belt candidate
• Mom to the most adorable 9 year old on the planet.
Objectives for Today
• IT general controls review strategies for non‐IT auditors.
– How to test basic IT general controls in a small
business environment.
• Leading practice recommendations for securing personal, proprietary and client confidential electronic information, including portable storage media, iPads/tablets, SmartPhones and remote personal/Cloud storage.
What is PII? (personally identifiable information)
• Full name (or common name)
• Date of birth
• Birthplace
• National identification numbers (SSN, Driver’s License)
• Vehicle registration or plate number
• Email address (and/or IP address in some cases)
• Face (photos), fingerprints, or handwriting
• Genetic/Health information – including insurance information
• Credit card numbers
• Digital identity
• Criminal record
ITGCs (IT general controls)
ITGCs are…
• Controls that apply to all hardware/software, , environment. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.
ITGCs are…
• Types of ITGCs include:
– Automated Controls
• Programmed controls (requirement configured in the application settings).
• Considered a strong control because it will function the same way each time (as long as the control is not changed/reprogrammed).
• Example: Transaction requires management’s electronic approval/signoff to move the process forward.
– Partially Automated Controls
• People rely on information from IT systems (system generated reports) for the control.
• Considered less strong because of the human element.
• Example: Bank reconciliation, where the control uses reports from the general ledger system.
– Manual Controls
• People enable a control that is non‐technology dependent.
• Example: Two or more physical signatures on a check.
ITGCs for small spaces
Common ITGCs for small business include but are not limited to:
• IT governance
– Policies/procedures (SANS and NIST have good templates)
• Network security – Encryption
• Logical and physical access – Application (transaction) controls can be manual or automated and include passwords, role‐based access, logging/monitoring, segregation of duties, etc.
• Virus/malware protection
• Disaster recovery
– Backup/restore
ITGCs for small spaces
Why are ITGCs important?
• There is an IT infrastructure supporting critical business processes in almost every company.
• ITGCs can be applied regardless of business size or complexity.
• Without effective ITGCs, reliance on systems may not be possible.
Reviewing ITGCs (How to hit the high points and identify the risks)
The “Usual Suspects” Checklist
• Are IT policies and procedures documented?
• Have employees signed acceptable use and/or confidentiality agreements?
– Ask employees:
• “Are you familiar with the company’s IT Security policies?”
• “Are you familiar with the company’s Information policy?”
• “Where would you find a copy of these policies?”
The “Usual Suspects” Checklist
• Is user access unique and role based?
– Is the approver of access different from the
(Segregation of duties)
– Is access to network and all applications removed
immediately on termination?
– Are user accounts and user activity logs periodically reviewed?
• Are passwords/user credentials written down and kept near the workstation (taped to monitor, inside desk drawer, under keyboard or mouse pad)?
The “Usual Suspects” Checklist
• Are workstations and servers in the business unit in
secure locations?
– Can visitors view/access workstations?
– Are screensavers used (with auto‐timeout and
password lock)?
– Who has physical access to the server room?
– Has the default password been changed?
– Encryption turned on?
The “Usual Suspects” Checklist
• Can users access company systems remotely? VPN?
– If home computers are used for remote access, can
client/company data be downloaded to personal PCs?
(Potentially non‐secured connection; shared personal PC, etc.)
• Are user IDs or passwords shared with other employees/contractors?
– If yes, with whom and for what application(s)?
– Is there a business need to share?
• Can non‐company personnel access company system
– If yes, who and for what application(s)?
– Is there a business need for access?
– Has the 3rd party signed a confidentiality agreement?
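As an added illustration (not from the slides), a small Python script that applies three of the checklist questions above to constructed sample data: access still active after termination, IDs shared between employees, and access approved by the person who requested it. The HR roster and application access list are assumed, made-up inputs, not data from any real system.

```python
from datetime import date

# Constructed sample data (assumption, not from the slides): an HR roster
# keyed by person, and one application's access list as exported by IT.
HR_ROSTER = {
    "alice": {"terminated": None},
    "bob": {"terminated": date(2013, 3, 1)},    # left the company 1 March
    "carol": {"terminated": None},
    "dave": {"terminated": None},
}
APP_ACCESS = [
    {"user_id": "alice", "owners": ["alice"], "enabled": True,
     "last_login": date(2013, 4, 2), "requested_by": "alice", "approved_by": "dave"},
    {"user_id": "bob", "owners": ["bob"], "enabled": True,
     "last_login": date(2013, 3, 20), "requested_by": "bob", "approved_by": "dave"},
    {"user_id": "ar_desk", "owners": ["carol", "dave"], "enabled": True,
     "last_login": date(2013, 4, 1), "requested_by": "carol", "approved_by": "carol"},
]


def stale_terminations(roster, access):
    """Accounts still enabled, or used, after the owner's termination date."""
    findings = []
    for acct in access:
        for person in acct["owners"]:
            term = roster.get(person, {}).get("terminated")
            if term and (acct["enabled"] or acct["last_login"] > term):
                findings.append((acct["user_id"], person))
    return findings


def shared_accounts(access):
    """Accounts with more than one owner: not unique, so activity cannot be attributed."""
    return [a["user_id"] for a in access if len(a["owners"]) > 1]


def self_approved(access):
    """Requester and approver are the same person: a segregation-of-duties gap."""
    return [a["user_id"] for a in access if a["requested_by"] == a["approved_by"]]


def run_review(roster, access):
    """Collect all findings so they can be written into the audit workpaper."""
    return {"stale_terminations": stale_terminations(roster, access),
            "shared_accounts": shared_accounts(access),
            "self_approved": self_approved(access)}


if __name__ == "__main__":
    for finding, items in run_review(HR_ROSTER, APP_ACCESS).items():
        print(f"{finding}: {items or 'none'}")
```

Each empty list is evidence the control operated; each non-empty one is a finding to walk through with the client.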
The “Usual Suspects” Checklist
• Are applications and data backed up on a regular
– Is the backup kept in a secure off ‐site location?
• Are all mobile devices (laptops, tablets, SmartPhones, etc.) used for company business required to be password protected (including BYODs)?
– Have default passwords been changed?
– Malware protection?
– Encryption? (including SD cards)
The “Usual Suspects” Checklist
•
utilized for business purposes required to be encrypted?
• Does the client know how to report a possible IT security and/or privacy incident/breach?
– Indiana Privacy Law
The “Usual Suspects” Checklist
• Other considerations: –
(policy in place)
– Office equipment
• Digital camera
• Copier hard‐drive (internal memory card)
• Shredder ‐ use required
– Credit card acceptance (PCI DSS) … a workshop in itself
Mobile and Cloud computing (Considerations for you and your client)
Threats to Mobile Computing
Many businesses are going to BYOD, but
conventional computer systems.
– Complete O/S, lots of apps and the end‐user is in control (vs. IT).
• More viruses/malware (and lower threshold of hacking experience needed).
• Additional attack flanks ‐> SMS/text phishing
– Require weak or no authentication (default password or minimal characters).
Threats to Mobile Computing (cont.)
– Lose your device, lose your data (it’s the data
’ , .
• Shipped with several GB of on‐board storage.
– “How to” for breaking vendor encryption can be easily Googled.
• Memory cards are typically not encrypted by default.
• Remote wipe is frequently subject to failure.
– Criminals immediately remove SIM to prevent remote wipe.
• If BYOD, who owns the data? (Get to Legal to discuss liability ASAP).
– What if Employee terminates?
Securing The Device
Steps to Secure Your Mobile Device
1. Develop appropriate policies, procedures, standards, and guidelines for mobile devices.
2. Configure mobile devices securely.
– Enable auto‐lock & password protection (complex passwords).
– Avoid using features that remember user names or passwords.
– Ensure browser security settings are configured appropriately.
– Enable remote wipe.
– Ensure that SSL protection is enabled, if available.
3. Connect to secure Wi‐Fi networks and disable Wi‐Fi, Bluetooth, GPS, etc. when not in use.
– Set Bluetooth‐enabled devices to non‐discoverable to render them invisible to unauthenticated devices.
Steps to Secure Your Mobile Device (cont.)
4. Update mobile devices frequently. Select the automatic update option if available.
5. Use digital certificates on mobile devices.
– An electronic “ID card” that verifies credentials when doing business or other transactions on the Web.
6. Take appropriate physical security measures to prevent theft or enable recovery of mobile devices.
– Use cable locks and tracking software (e.g., Computrace, Lookout, MobileMe, STOP).
– Never leave your mobile device unattended.
– Report lost or stolen devices immediately.
– Back up data on your mobile device on a regular basis.
Steps to Secure Your Mobile Device (cont.)
7. Delete all information stored on a device prior to discarding, exchanging, or donating it.
8. Implement on‐going and up‐to‐date mobile device security training.
Life in “The Cloud”
The Cloud and Personal Remote Storage
• End users access cloud based applications through a web browser on a desktop or
and data are stored on servers at a remote location.
• Three types:
– Private ‐ exclusive use by a single organization.
– Public ‐ open use by the general public (Amazon, Google, Microsoft, etc).
• Includes Cloud‐based personal storage services such as Box.net, GoogleDocs, DropBox, RackSpace, Carbonite, Mozy, Snapfish, Flickr, Shutterfly, etc.
– Hybrid ‐ a combination of public/private.
Security Considerations for Cloud Computing
Security, privacy, identity, and other compliance implications of moving data into the cloud.
1. Confidentiality and Privacy – Certain industries are governed by Federal/State regulations such as HIPAA or FERPA to protect personal data; placing that data in the cloud introduces new risk.
2. Data Breach Responsibilities and Security – Placing data and services in the cloud amplifies concerns about data breaches (security is not under direct control of the data owner).
– Data breach generally carries with it an obligation to notify.
–
back.)
3. E‐Discovery – Records are not under direct institutional control; the institution no longer has the record in the same way that it formerly did. How does one 'discover' what one does not have?
Source: https://wiki.internet2.edu/confluence/display/itsg2/Cloud+Computing+Security
Security Considerations for Cloud Computing (cont.)
So can a public Cloud be used securely? Maybe….
•
store in the Cloud.
• For business use, pay close attention to Vendor contracts, BAA/SLA language.
• Emergence of Vertical Clouds (industry specific)
• NIST recently published “Special Publication 800‐144: Guidelines on Security and Privacy in Public Cloud Computing.”
Beyond This Workshop
• SANS IT Policy templates ‐ http://www.sans.org/security‐resources/policies/
• ‐
http://www.cio.ca.gov/OIS/Government/documents/docs/RA_Checklist.doc
• 10 Best Practices for the Small Healthcare Environment ‐http://www.healthit.gov/sites/default/files/basic‐security‐for‐the‐small‐healthcare‐practice‐checklists.pdf
• CompTIA Risk Assessment Checklist For Small Business ‐ http://www.comptia.org/news/pressreleases/09‐07‐28/A_Risk_Assessment_Checklist_For_Small_Business.aspx
• Securing Sensitive Data ‐ http://www. .org/data‐security/securing‐sensitive‐data/overview/
• SmallBusinessComputing.com ‐ http://www.smallbusinesscomputing.com/
Questions?
Thanks!
Carole J. Guess MBA, MSA, CISA, CRISC