Date post: 16-Apr-2018

Redefine Cybersecurity, Explore Innovative Strategies and Develop Trust

Jointly Organized By :

Creating Value through Innovative IT Auditing

Ronnie Koh
Head of IT Audit, DBS Bank

How do we create value?

• By Increasing both Breadth and Depth in our Audit Coverage for Digital Bank & Cyber Security
• By Investing in Our People – Creating Value-Driven Talent Pool
• By embarking on Automation & Predictive IT Auditing

Why do we need to innovate?

Adapt to changing environment and uncertainties:
• Cyber Threats
• New Technology
• Growing Expectations
• Competent Risk Managers
• Regulatory Changes
• Insider Threats
• New Competitors
• Expectations from Board of Directors

Why do we need to innovate?

[Chart: audit effort plotted over Past / Present / Future]
• Traditional Auditing – Reactive (Past)
• Continuous Auditing (Present)
• Predictive Auditing – Proactive (Future)

Increase focus on proactive & preventive risk identification: “SHIFT LEFT”

How did we transform? The 4Ps

Proactive
• Special Review (Project Life Cycle) of VA/PT Process

Preventive
• Independent Security Assessment
• Source Code Review

Predictive
• Data Modelling for Predictive Analysis (e.g. Identify Insider Threats)
• Cyber Intelligence
• Early IT incident intervention

Productive
• Continuous Assessment (Automated Checks)

Where were we and where are we now?

Before 2013: Pockets of cyber security review (mainly security surveillance)

Between 2013 & 2014:
1. Perform preliminary gap assessment referencing SANS Top 20 Controls
2. Create IT Audit training roadmap

Between 2014 & 2015:
1. Commence iTransformation
2. Kick-start staff training
3. Setup cyber security test lab
4. Establish cyber security audit framework
5. Roll out cyber security audit projects
6. Create cyber security awareness in Group Audit

Between 2015 & 2016:
1. iTransformation Continuation
2. Continuous staff training
3. Enhance cyber security test lab
4. More in-depth cyber security audit projects
5. Introduce static & dynamic scanning tools

2016 Onwards:
1. Insider threat analysis
2. Cyber wargaming
3. Cyber security intelligence
4. Extend Cyber security Lab to Regional Countries

What is our ‘secret’ formula?

PEOPLE TOOLS FRAMEWORK

DEPTH BREADTH

FRAMEWORK

Breadth & Depth – Our Framework

Cyber Security Framework:
• Policies & Procedures
• Contract Agreement
• Security Controls and Surveillance
• Security Awareness
• VA/PT Vulnerabilities Review
• Key Mgmt (SSL/HSM)
• Dynamic & Static Security Assessment for Web / Mobile Apps
• High Level Dynamic Assessment for Web / Mobile Apps
• Network Vulnerability Assessment
• Social Engineering
• Secure SDLC Review
• In-depth Security Source Code Assessment
• Cyber Security Focus on Subsidiaries

LEGEND: Existing Cyber Security Coverage; New Cyber Security Coverage

PEOPLE

Breadth & Depth – Equipping Our People

Group Audit iTransformation

IT Auditor (Application):
1. IT Governance
2. In-depth review of automated control, i.e. design and implementation
3. IT General Controls (e.g. app resiliency, capacity management)
4. System Security

Business Auditor:
1. Business Governance
2. Business process and operation
3. Testing manual and automated control

More efficient & business-focused audit through reviewing business risk & processes from end-to-end covering both manual and automated controls!

Breadth & Depth – Equipping Our People

Group Audit iTransformation

NextGen IT Auditor: System Management & Cyber Security (e.g. Cryptography, Source Code Review, Penetration Testing and Vulnerability Assessment)

Integrated Auditor:
• System set-up controls (e.g. Parameter setup)
• Application Security (e.g. Audit trails)
• Input Controls – Pre-processing (e.g. Input validation)
• Processing Controls (e.g. Business Logics)
• Output Controls – Books, records & reports (e.g. output storage & retention)

Breadth & Depth – Equipping Our People

External / Internal Training
1. Cyber Security Test Lab Development
2. Secure Source Code Scanning

Enhance cyber security review capability in GA IT Audit…

Targeted training referencing the IT Audit Training Roadmap

Breadth & Depth – Equipping Our People

Future Initiatives
1. OJT Hands-on Security Assessment (VAPT)
2. Digital Banking Coverage Training
3. Extension of Cyber Lab to regional countries
4. Source Code Review Training
5. Analytical-Based Auditing Approach to Review
6. Incorporate Cyber Intelligence for Predictive Capability

TOOLS

Breadth & Depth – Investing in Tools

Cyber Security Tools Training / Practice
• Cyber Security Test Lab
• SANS Security Training (or equivalent; learning how to use the tools)
• Code Scanning Tool Training
• On-the-Job (OJT) training in using these tools in cyber security reviews:
  • Security Operations
  • VA/PT process
  • Independent Assessment

Security Testing Tools: HP WebInspect

Operating Environment

Creating Cyber Security Awareness

Categories: App/Software Vulnerabilities, Web Vulnerabilities, Credit Card Hacking, Data Breach, Mobile Hacking, Phishing Attack

Timeline of cyber security news items, May 2015 to August 2015:
• Rombertik Malware
• Mumblehard Linux Malware
• Venom Vulnerability
• Apple Safari Browser Vulnerability
• LogJam SSL Attack
• iOS Messaging Vulnerability
• Skype Crash Vulnerability
• Magento Hacking
• SingPass Phishing Emails
• Apple Pay Hacking
• Whatsapp Account Hijack
• iPhone Password Hacking
• Samsung Mobile Software Vulnerability
• OpenSSL Vulnerability
• IE Browser Zero-Day Vulnerability
• Vehicle Hacking
• OpenSSH Brute Force
• ATM Skimming
• Java Zero-Day Vulnerability
• UEFI BIOS Rootkit Hacking
• US Census Bureau Hacking
• United Airlines Hacking
• Mac OS Zero-Day Vulnerability
• Windows Update Malware
• Certifi-gate Android Vulnerability
• Android Endless Reboot Bug
• Credit Card Skimming
• Elise Malware

Top three categories: #1 App/Software Vulnerabilities, #2 Mobile Hacking, #3 Data Breach

Creating Cyber Security Awareness

Group Audit values the promotion of cybersecurity awareness on a periodic basis

Creating Value through Innovation

Watch Video: https://www.youtube.com/watch?v=tzm4nlPkBZY&feature=youtu.be

THE FUTURE OF AUDITING IS AUDITING THE FUTURE

Questions?

