Information System Implementations: Baking In Security and Controls
Patra Carroll, Maricopa County
Paul Smedegaard, KPMG LLP
Wednesday, August 29, 12
Maricopa County
Agenda
• Project Implementation Background
• Independence and Security Considerations
• Project Phases
  – Design
  – Build
  – Test
  – Deploy and Maintain
• Resources
Get Out the Protection Paddle
• NYSEG - Unauthorized Access
• Briar Restaurant Group - PCI DSS Malcode
• Yahoo - 500K PWs Stolen
• U of A - 7K Records Compromised During New System Implementation
Project Constraints
[Figure: project constraint triangle with Cost, Scope, and Time at its corners]
Project Models
Residential Construction and Post Implementation Review
Cheapest Fix
Foundation Inspection?
Final Inspection?
Relative Cost of Fixing Security Defect
[Chart: relative cost of fixing a security defect by project phase, on a 0 to 100 scale: Design 1, Implementation 7, Testing 15, Maintenance 100]
Source: (ISC)2
Security Frameworks
• ISO/IEC 27001 - Information Acquisition, Development, and Maintenance
• NIST - Pub. 800-100 Chapter Three
• COBIT 5 - Information Security
Independence Considerations
• Pre-engagement: Does your participation impair independence?
• Objectivity: Did you have any non-audit role during implementation?
• Skills: Do you have the relevant skills and knowledge to carry out the Post Implementation Review?
Excerpt from the IIA’s International Professional Practice Framework:
“1130.A1 - Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.”
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Interactive-IPPF.aspx
Project Stages
• All projects have four primary phases – design, build, test, and deploy/maintain (NIST: Initiate, Develop/Acquire, Implement, Operate/Maintain, and Dispose)
• Ideal for Internal Audit and Security to be involved throughout the lifecycle of the project; however, sometimes not realistic
• Understanding the phases of a project will help the Internal Auditor to identify the key functions of each phase and to request relevant documentation
Project Stages (Cont.)
• Design
  – Project goals and directions
  – Constraints (time, budget, and functionality)
• Build
  – Hardware, software, and cloud providers
  – Business processes, application functionality, and controls
• Test
  – IT testing, end user testing, integration testing, regression testing
• Deploy and Maintain
  – Go/No-Go decisions
  – Short-term and long-term support
Project Stages: Design
• Who, What, Where, When, Why, and How?
  – Who are the project stakeholders?
  – What are the project objectives and desired functionality?
  – Where is the project being completed?
  – When does the project need to be completed?
  – How much will the project cost?
  – What are the security requirements for the decommissioned and new system?
• Time, Budget, and Functionality
  – Define/Plan
  – Do
  – Measure
  – Report
Project Stages: Design (Cont.)
• Key Design Stage Deliverables
  – Project charter
  – Communication plan
  – RAID log (Risks, Action Items, Issues, and Decisions)
  – Status reports and board communication
  – Initial contracts
  – Project plan and work breakdown structure (WBS) (Time)
  – Budget documents (Cost)
  – Business requirement document(s) (Functionality)
  – Security risk assessment & data classification
Project Stages: Build
• Transform business requirements into technical requirements
  – Technical specifications (blueprints)
  – Modeling and prototyping
• Procure necessary hardware, software, or 3rd party service providers (e.g., cloud)
• Develop and/or customize system functionality
  – Business processes, application controls, general IT controls
  – System interfaces, reports, and security
• Security planning and control development
Project Stages: Build (Cont.)
• Key Build Stage Deliverables
  – Technical specifications and stakeholder approval
  – Business process and control modifications
  – Segregation of Duties (SoD) matrices
  – Project change requests
  – Status reports
  – Budget to actual reconciliations
  – Contract amendments
  – RAID log (Risks, Action Items, Issues, and Decisions)
  – System security policies and procedures
Project Stages: Test
• Critical stage often “rushed” to meet deadlines
• Test “functional” and “technical” specifications
• Categories of testing
  – Unit testing
  – Integration testing (end-to-end)
  – Load testing
  – User acceptance and regression testing
  – Configuration and controls testing
  – Security testing, certification, and accreditation
Project Stages: Test (Cont.)
• Key Test Stage Deliverables
  – Test scenarios, scripts, and results
  – Defect or “bug tracking” log
  – RAID log (Risks, Action Items, Issues, and Decisions)
  – Status reports
  – Contract amendments
  – System access reports/security matrices
  – Stakeholder approval and sign off
  – Security certification and accreditation
  – Go/No-Go decision
Project Stages: Deploy & Maintain
• No project is 100% perfect
  – Workarounds and manual controls implemented at “go live”
  – Security permissions may be temporarily “excessive” to support go live
• Change management is critical
  – Organizational training and awareness
  – User “acceptance” and “adoption”
  – Roll out process (phased, pilot, or big bang)
Project Stages: Deploy & Maintain (Cont.)
• Reporting and Monitoring
  – Management and operational reports
  – Key performance indicators (KPIs) and service level agreements (SLAs) (measured, monitored, reported)
  – ROI evaluation
• Ongoing Maintenance
  – Funding to support operations, licensing, personnel, and future upgrades
  – Policies and procedures
  – Ongoing governance (risk assessments, reporting and BI requirements, enhancements, etc.)
  – Security baselines and configuration audits
Project Stages: Deploy & Maintain (Cont.)
• Application Controls
  – System configuration and account mapping
  – Exception and edit reports
  – Interface controls
  – System access controls
  – Segregation of duties controls
• Service Organization Control (SOC) reports and associated end-user control considerations
• Security Controls
  – Security assessments (automated tools, internal control audits, security checklists, and penetration testing)
  – Monitor system logs and reports (SIEM)
Project Stages: Deploy & Maintain (Cont.)
• Key Deploy and Maintain Project Stage Deliverables
  – Support agreements
  – Governance charters
  – Policies and procedures
  – Status reports
  – Budget to actual documentation
  – ROI evaluation
  – Post implementation surveys
  – Security baselines and vulnerability assessments
Thirsty for More Implementation Knowledge?
• ISACA IS Auditing Guideline: G29 Post Implementation Review http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G29-Post-Implementation-Review.aspx
• Project Management Institute – PMBOK http://www.pmi.org/en/PMBOK-Guide-and-Standards/Standards-Library-of-PMI-Global-Standards.aspx
• NIST 800-100 Chapter 3 http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
• ISO/IEC 27001/27002 http://www.iso.org/iso/catalogue_detail?csnumber=50297
• COBIT 5 Information Security http://www.isaca.org/COBIT/Pages/Product-Family.aspx
Summary
• Project Implementation Background
• Independence and Security Considerations
• Project Phases
  – Design
  – Build
  – Test
  – Deploy and Maintain
• Resources
Contact Information
Patra E. Carroll, CPA, CIA
IT Audit Supervisor
Maricopa County Internal Audit
[email protected]
www.maricopa.gov/internal_audit/

Paul C. Smedegaard, CISA
Director, Advisory
KPMG LLP
[email protected]
www.kpmg.com