Page 1

INTERNAL AUDIT’S ROLE IN INFORMATION SECURITY VULNERABILITY MANAGEMENT & BREACH PREVENTION

CHRISTY DECKER, VP OF INTERNAL AUDIT, SHARP HEALTHCARE
BRIAN LONG, IT INTERNAL AUDIT DIRECTOR, PWC

AHIA 34th Annual Conference – August 30 – September 2, 2015 – Portland, Oregon
www.ahia.org

Page 2

Agenda

Introduction
Cyber Security Overview
Threat and Vulnerability Management (TVM) Overview
TVM Case Study
Questions

Page 3

Recent Security Incidents

Key Internet operator hit by hackers
Passwords of 250,000 accounts on a social networking site hacked
50 million customers hit in an electronic commerce company hack
A security company’s security breach may cost bank customers $100 million
Health insurance company that somehow allowed hackers to gain access to information it held on as many as 80M Americans…
A large technology company network data breach compromises 77 million user accounts…
Computer network had been hacked at least twice through criminal cyber attacks…

Page 4

Cybersecurity Transformation

Technology Advances: 81% of CEOs believe technological advances will transform their business
Cyber attacks a serious global concern: 69% of CEOs in the US are somewhat or extremely concerned by cyber attacks
Investing in cybersecurity: 40% of CEOs are investing in cybersecurity, with budgets up in FY ’13 and expected to show an increase again in FY ’14
Days to detect security breaches: the average company takes about 211 days to detect a breach after cybersecurity threats have already occurred

Sources: 1 - PwC 17th Annual Global CEO Survey; 2 - 2015 Global State of Information Security; 3 - PwC 6th Annual Digital IQ Survey; 4 - Marc Goodman, Future Crimes

Is IA doing enough?

Page 5

Evolution of Threats

[Figure: Security Market Paradigm Shift, plotted as technology reliance/complexity against time, 1980s to 2010+]

1980s – “Perimeter Security”: focus on security technology for the perimeter
1990s – “Layered Security”: focus on enhanced layers of security, adoption of incremental security solutions
2000s – “Inclusion & Exclusion Security”: heavy focus on identity management – right people, right place, right access
2010+ – “Resilient Cyber Security”: assumed state of compromise

Significant and evolving cyber threats unlike ever before
Highly skilled/motivated, and yet patient adversaries, including nation states
Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers
Massive consumerization of IT and reliance on mobile technologies
Increasing regulatory compliance requirements (e.g., SEC Cyber Guidance)

How mature is your organization?

Page 6

Attention at the Board and Audit Committee level…

Increase in the Security and Privacy regulatory mandates in recent years, as well as expected changes in upcoming years.

Emerging technologies and reliance on third parties have created a borderless infrastructure.

Growing demand by business leaders to understand how privacy (“what” data is sensitive to the business) and security (“how” to protect the data deemed sensitive) are integrated.

Increase in threats and vulnerabilities to sensitive data and corporate assets.

Even companies that place great emphasis on securing their business processes can become the victim of cybercrime. Cybercrime can manifest in many ways, from theft of payment card information to the theft of intellectual property or other highly sensitive business information.

While the financial statement audit would not normally address the operational risks associated with cybercrime, such risks may nevertheless fall within the scope of responsibility of a company's audit committee.

Having a documented, demonstrated and regularly tested program helps in the event of regulatory oversight.

Page 7

Information Security Program Maturity

Information Security Program Maturity Framework (ISPMF)

Business Drivers: Innovation and Agility; Shareholder Value; Brand Protection; Customer Loyalty; Legal and Regulatory Commitments

Information Security Program Strategy: the ability of the Information Security Program’s long-term plan to meet the anticipated expectations of stakeholders

People: the ability of the people that support the information security program to successfully execute the requisite activities

Process: the ability of the operational processes that comprise the information security program to meet the anticipated expectations of stakeholders

Technology: the ability of the technology infrastructure to support the operational processes that comprise the information security program

Information Security Program Execution: Security Strategy, Governance and Management; Risk, Compliance and Policy Management; Identity and Access Management; Security Architecture and Operations; Information Privacy and Protection; Threat Intelligence and Vulnerability Management; Third Party Security Management; Physical and Environment Security; Incident and Crisis Management

Page 8

Cloud Computing & Vendor Risk Management

Value Add and Impactful Internal Audits – Audit Key Focus Areas

Cloud Computing Advisory Review / Assessment
• Comprehensive review of organization’s cloud computing strategy and approach spanning key areas, including Strategy & Governance, Architecture, Risk & Security, and Cloud Operating Model
• Evaluate the organization’s strategy for cloud solution adoption and utilizing cloud technologies

Vendor Risk Management Program Assessment
• Perform assessment of an organization’s VRM function, identifying gaps against leading practices and regulatory requirements
• Assessment areas include vendor risk profiling and stratification, program governance and oversight, vendor intake and due-diligence processes, and ongoing assessment and monitoring activities

Vendor Audits and Assessments
• Performance of on-site, remote, or self-assessments as deemed appropriate for specified vendors, using the Global Network of Firms and Service Delivery Centers
• Risk assessments to determine risk of services being outsourced, and of vendors providing services, to determine a risk score and drive appropriate response by the organization

Page 9

Web Application Security Assessment (WASA)

Value Add and Impactful Internal Audits – Audit Key Focus Areas

Web Application Security Assessment
• Evaluate the security of web applications using a combination of manual and automated testing techniques. Our testing approach works to identify insecure web server and portal software configuration settings and their susceptibility to both common and custom application level attacks.

Page 10

Threat and Vulnerability Management (TVM)

Value Add and Impactful Internal Audits – Audit Key Focus Areas

Attack & Penetration Testing
• Focuses on analyzing the risks posed from an external or internal threat actor attempting to gain access to an organization’s “crown jewels”
• Demonstrate impact by leveraging a wide range of manual and automated scanning methods and tools to survey, identify, and exploit potential vulnerabilities in a client’s IT environment

Infrastructure Security Assessments (Network, Operating Systems, Databases, Virtualization)
• Deep-dive diagnostic reviews and assessments of network and technology infrastructure
• Comprehensive network security assessments, focusing on the architecture, technology safeguards, operation, and monitoring of the network environment – networking perimeter, internal network segmentation, global wide area networks, and wireless networks

Threat & Vulnerability Management Program Assessment
• Perform assessment of an organization’s TVM function, identifying gaps against leading practices and the industry specific risk landscape
• Assess whether internal practices relevant to identification, evaluation, and remediation of security threats and vulnerabilities are conducive to a secure and effective IT environment

Page 11

Threat and Vulnerability Management (TVM) Program

[Figure: the TVM program cycle and the purpose of each component]

TVM Security Strategy & Planning – defining program ownership, policies/procedures and integration with enterprise risk management program
Vulnerability Detection – actively identifying asset weaknesses before they can be exploited by an attack
Threat and Vulnerability Evaluation – evaluating threats and vulnerabilities and establishing communication and tracking mechanisms
Remediation and Response – isolating and resolving asset security issues once identified
Security Information Management and Sustenance – actively monitoring and enhancing the TVM program

Page 12

TVM Security Strategy & Planning Assessment

Program ownership: Assess the governance structure and the designated roles and responsibilities

Policy and procedure assessment: Assess management’s intent and directives as documented in the relevant policies and procedures

Integration with risk management: Assess the integration of the TVM program into the overall enterprise information security risk management program

Program component under review: defining program ownership, policies/procedures and integration with enterprise risk management program

Page 13

Threat Detection Capabilities Analysis

Intrusion monitoring: Assess the effectiveness of the intrusion monitoring

Malicious program detection: Assess the capabilities and configuration of the malicious program management tools

Rogue technology discovery: Assess tools, controls and procedures to detect, prevent and control rogue technologies in the environment

Log activity analysis: Assess log monitoring and anomaly detection capabilities and the organization’s technology audit capabilities

Breach indicator analysis: Assess capabilities in place to identify indicators of a security breach

Program component under review: actively identifying and isolating threats to minimize their impact upon assets

Page 14

Vulnerability Detection Analysis

Compliance testing: Evaluate conformance with established security guidelines and policies and compliance monitoring techniques

Vulnerability scanning: Evaluate vulnerability scanning capabilities by assessing factors such as tools, techniques, scope and frequency

Penetration testing: Evaluate penetration testing capabilities by assessing factors such as methodology, attack scenarios, scope and frequency

Intelligence analysis: Evaluate the process of gathering security intelligence from multiple sources and the effective use of intelligence tools

Program component under review: actively identifying asset weaknesses before they can be exploited by an attack

Page 15

Threat and Vulnerability Evaluation Analysis

Security intelligence: Assess the process of assimilation and correlation of security information and the process of responding to the identified issues

Communication and tracking: Assess the process of communicating the identified threats and vulnerabilities and tracking them until closure

Controls effectiveness evaluation: Assess the process of evaluating the controls and mitigating mechanisms

Program component under review: evaluating threats and vulnerabilities and establishing communication and tracking mechanisms

Page 16

Threat and Vulnerability Remediation and Response Analysis

Security infrastructure implementation: Assess the process to check if infrastructure and controls are implemented consistently with the company’s security standards, such that they achieve the desired benefits and functionality

Security remediation: Assess the security remediation of the vulnerabilities detected and the process of verification

Incident response: Assess the process of evaluating the controls and mitigating mechanisms

Program component under review: isolating and resolving asset security issues once identified

Page 17

Security Information Management and Sustenance Analysis

Program maturity enhancement: Assess the process to continually monitor and enhance the program’s maturity

Threat awareness: Assess the organization’s security awareness activities to educate relevant users on threats

Reporting: Assess the procedures to report the status of the TVM program and the actions taken in response to improve the current capabilities

Program component under review: actively monitoring and enhancing the TVM program

Page 18

TVM Audit Case Study

Scope:
External IP scope – 100 IPs and A&P testing on 15%
Internal IP scope – 300 IPs and A&P testing on 15%
Web Application Security Assessment (WASA) – production or test environment

Internal Testing Requirements:
VPN account that will allow connectivity from testing center
Internal host with appropriate requirements for testing team to install applications
Privileged account (Admin or SA) to install testing tools to internal host

Have you scoped your audit differently?

Page 19

TVM Audit Case Study (continued)

Timing
Rules of Engagement
Frequency and method of status updates
Reporting: Technical; Management; Audit Committee

Page 20

Audit Planning – Key Players

Given the wide span of a network security review, there are many key players that need to be involved and aware of testing and timing.

Key Players:
IT Security team
IT Infrastructure team
IT Applications team (depending on scoping)
Compliance
Operations

Page 21

Scoping Definitions

Vulnerability Assessment: Identify an organization’s technical vulnerabilities, misconfigurations and weaknesses utilizing automated and manual techniques to scan a company’s network.

Attack & Penetration (A&P): A vulnerability is like leaving a window open in your home. It is a weakness that can be exploited, but until a thief attempts to enter the home through the window, the risk may not be fully appreciated. An Attack & Penetration assessment attempts to exploit the vulnerabilities discovered during the vulnerability assessment to demonstrate the potential impact on the organization.

Page 22

Scoping Considerations

External Assessment
Wireless Security Assessment
Web Application Security Assessment
Data Center(s)
Internal Assessment
Social Engineering Attacks

Page 23

Scoping Considerations

Testing Times – should consider support staff and what is being tested
Onshore or Offshore resources
BioMed devices – security vs. patient safety
Risk Based Approach – how homogeneous is the environment?

Page 24

Audit Planning – Timeline

With multiple key players, potential connectivity problems during testing and sensitivity of results, this is not a typical audit and can take longer than expected.

Example Timeline:
Scoping – 1-2 weeks
Access Setup/Prep – 1-2 weeks
Testing – varies based on testing windows and scoping/samples; want to consider support staff during non-business hours
Validation of Results by IT – 2-3 weeks
Reporting – 1-2 weeks

Page 25

Internal Scan/Assessment

Why perform an internal scan?

All security environments are only as strong as their weakest link, and ill-informed and untrained employees are often the weakest link in the IT Security environment.

Internal A&P testing focuses on evaluating risks you might encounter from a contractor or disgruntled employee who has access to the internal network with the goal of gaining unauthorized access to customer, employee or proprietary data.

Hosting Providers/Cloud Services: don’t forget hosting providers and SaaS/IaaS

Page 26

Audit Testing Process

Establish rules under which scanning will be performed:
Tools to be used (e.g., Nessus, Qualys, etc.)
Systems or user accounts to be leveraged (for internal scanning)
Testing windows
Escalation protocols if high priority issues are identified or system downtime occurs
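The scope figures in the case study (100 external and 300 internal IPs, A&P testing on a 15% sample) and the rules above (agreed tools, accounts, testing windows and escalation protocol) are constraints a testing team should enforce mechanically rather than rely on memory for. The following is an added example, not code from the presenters or from PwC or Sharp HealthCare: a small Python gate that refuses any target outside the agreed ranges or on the exclusion list and any scan outside an agreed window, then draws a reproducible 15% A&P sample from the approved hosts so the sample can be re-derived as audit evidence. The ranges, exclusions, windows, seed, timestamps and target list are constructed for the example; the escalation contact is a placeholder.

```python
"""Rules-of-engagement gate and A&P sample selection for an authorized scan.

Added illustration; not code from the presentation. Scope, exclusions,
windows, timestamps and targets are constructed; the contact is a placeholder.
"""
import random
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed rules of engagement, as agreed in advance with IT Security and
# IT Infrastructure. Weekday 0 = Monday ... 6 = Sunday.
ROE: Dict = {
    "in_scope": ["10.10.0.0/24", "203.0.113.0/27"],   # internal + external ranges
    "excluded": ["10.10.0.50/32", "10.10.0.51/32"],   # e.g. biomedical devices carved out
    "windows": [(5, time(20, 0), time(23, 59)),        # Saturday 20:00-23:59
                (6, time(0, 0), time(6, 0))],          # Sunday 00:00-06:00
    "escalation_contact": "ESCALATION-CONTACT-PLACEHOLDER",
}

# Constructed timestamps: 2015-08-29 was a Saturday, 2015-08-31 a Monday.
SATURDAY_NIGHT = datetime(2015, 8, 29, 21, 0)
MONDAY_NIGHT = datetime(2015, 8, 31, 21, 0)


def target_in_scope(host: str, roe: Dict = ROE) -> bool:
    """True only if the address is inside an agreed range and not excluded."""
    addr = ip_address(host)
    if any(addr in ip_network(c) for c in roe["excluded"]):
        return False
    return any(addr in ip_network(c) for c in roe["in_scope"])


def within_window(when: datetime, roe: Dict = ROE) -> bool:
    """True if the local timestamp falls inside an agreed testing window."""
    return any(when.weekday() == day and start <= when.time() <= end
               for day, start, end in roe["windows"])


def authorize_scan(host: str, when: datetime, roe: Dict = ROE) -> Tuple[bool, str]:
    """Return (allowed, reason). A denial is a hard stop for the tester."""
    try:
        ip_address(host)
    except ValueError:
        return False, f"{host}: not an IP address; resolve and approve hostnames first"
    if not target_in_scope(host, roe):
        return False, f"{host}: outside agreed scope or on the exclusion list"
    if not within_window(when, roe):
        return False, (f"{host}: outside agreed testing window; "
                       f"escalate to {roe['escalation_contact']}")
    return True, f"{host}: in scope and inside testing window"


def filter_targets(hosts: List[str], when: datetime,
                   roe: Dict = ROE) -> Tuple[List[str], List[str]]:
    """Split a proposed target list into approved hosts and denial reasons."""
    approved, rejected = [], []
    for host in hosts:
        ok, reason = authorize_scan(host, when, roe)
        if ok:
            approved.append(host)
        else:
            rejected.append(reason)
    return approved, rejected


def select_ap_sample(hosts: List[str], fraction: float = 0.15,
                     seed: str = "audit-2015-q3") -> List[str]:
    """Pick the A&P subset (15% in the case study) from the approved hosts.
    A fixed seed makes the draw reproducible for the audit workpapers."""
    if not hosts:
        return []
    k = max(1, round(len(hosts) * fraction))
    return sorted(random.Random(seed).sample(sorted(hosts), k), key=ip_address)


if __name__ == "__main__":
    proposed = [f"10.10.0.{i}" for i in range(1, 101)] + ["192.168.1.1", "printer"]
    approved, rejected = filter_targets(proposed, SATURDAY_NIGHT)
    for reason in rejected:
        print("DENIED ", reason)
    print(f"approved {len(approved)} hosts; A&P sample: {select_ap_sample(approved)}")
```

Denials are returned with a reason so they can be logged with the status updates the case study calls for; the window check uses the tester's local clock, so agree the time zone in the rules of engagement as well.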

Page 27

Reporting/Presenting to Audit Committee

Education & Communication
Provide a high-level overview of the IT network
Appropriate level of detail
Summarize results in a way that can be understood by audit committee
Include actionable remediation items for processes
Benchmark to other organizations and the industry

Page 28

Lessons Learned

Timeline may require flexibility – recommend building in buffer time
Large number of people involved and coordination of all personnel
Frequency and participation of key players for status updates
Confirm the test environment (if applicable) is an exact replica of the production environment before testing

Page 29

Lessons Learned

Difficult to summarize findings for Audit Committee
Educate and provide a high-level overview of the IT network
Provide IT with detail that maps to summarized findings so all parties are aligned, but IT can remediate detailed issues

Remediation of issues
Truly evaluate root cause of issues and remediate process, not specific issues
Make sure the right people are involved at the right levels to make remediation decisions and take action
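The evaluation and remediation slides earlier (communication and tracking until closure; security remediation and the process of verification) and the lesson above about remediating root cause rather than individual issues can be made concrete with a small finding tracker. The following is an added example, not code from the presenters or from PwC or Sharp HealthCare: a finding is closed only when a rescan of the same host no longer reports it, open findings are aged against a per-severity deadline, and unresolved findings are rolled up by title so that one weakness present on many hosts surfaces as a process problem rather than a pile of host tickets. The findings, rescan results, owners and SLA days are constructed assumptions, not figures from the slides.

```python
"""Tracking scan findings to verified closure, with a root-cause roll-up.

Added illustration; not code from the presentation. Findings, rescan results
and the SLA table are constructed (the slides give no remediation deadlines).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Assumed remediation deadlines in days from first detection, by severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str        # scanner's vulnerability name (e.g. a Nessus/Qualys plugin title)
    severity: str
    first_seen: date
    owner: str        # team accountable for remediation


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, rescan: Dict[str, Set[str]], today: date) -> str:
    """Closure is evidence-based: 'closed' only when a rescan of the same host
    no longer reports the title. 'unverified' means a fix may have been made
    but no rescan has confirmed it yet."""
    if f.host not in rescan:
        return "unverified"
    if f.title not in rescan[f.host]:
        return "closed"
    return "overdue" if today > due_date(f) else "open"


def summary(findings: List[Finding], rescan: Dict[str, Set[str]],
            today: date) -> Dict[str, int]:
    """Status counts for the management / audit committee view."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[status(f, rescan, today)] += 1
    return dict(counts)


def root_cause_rollup(findings: List[Finding], rescan: Dict[str, Set[str]],
                      today: date) -> List[Tuple[str, List[str]]]:
    """Group unresolved findings by title, widest first. One title on many
    hosts points at a process gap (patch management, build standard) that
    should be fixed once, not ticketed host by host."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if status(f, rescan, today) != "closed":
            groups[f.title].append(f.host)
    return sorted(((t, sorted(h)) for t, h in groups.items()),
                  key=lambda item: (-len(item[1]), item[0]))


# Constructed sample data.
TODAY = date(2015, 9, 15)
PATCH = "Missing OS security update (constructed)"
CREDS = "Default credentials on management interface (constructed)"
TLS = "Weak TLS configuration (constructed)"
FINDINGS = [
    Finding("10.10.0.7", PATCH, "High", date(2015, 8, 1), "infrastructure"),
    Finding("10.10.0.8", PATCH, "High", date(2015, 8, 1), "infrastructure"),
    Finding("10.10.0.9", PATCH, "High", date(2015, 8, 1), "infrastructure"),
    Finding("10.10.0.20", CREDS, "Critical", date(2015, 8, 1), "applications"),
    Finding("10.10.0.21", TLS, "Medium", date(2015, 8, 1), "applications"),
]
# Latest rescan: host -> titles still reported. Hosts absent were not rescanned.
RESCAN: Dict[str, Set[str]] = {
    "10.10.0.7": set(),       # patched and confirmed
    "10.10.0.8": {PATCH},     # still vulnerable, past the 30-day High deadline
    "10.10.0.9": {PATCH},
    "10.10.0.20": set(),      # credential changed and confirmed
}


if __name__ == "__main__":
    print("status counts:", summary(FINDINGS, RESCAN, TODAY))
    for title, hosts in root_cause_rollup(FINDINGS, RESCAN, TODAY):
        print(f"{len(hosts):>3} host(s): {title} -> {hosts}")
```

In the constructed data the patched host closes, the two unpatched hosts age past their deadline, and the host that was never rescanned stays "unverified" rather than silently counting as fixed; the roll-up then shows the missing update as one process finding across two hosts.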

Page 30

Other/Reminders

Results are incredibly sensitive – always encrypt when sending detailed results and/or reports
Based on initial results, scope may expand based on risk of findings – be prepared to discuss this potential

Page 31

Questions?

Thank you!

Christy Decker
VP Internal Audit, Sharp HealthCare
(858)499-5508
[email protected]

Brian Long
Health Industries Internal Audit Director, PwC
(859)552-4816
[email protected]

Page 32

Save the Date: September 11-14, 2016
35th Annual Conference, Atlanta, Georgia

