
Page 1
Source: phoenix.issa.org/wp-content/uploads/2012/08/ISSA-Final1-1.pdf

Information System Implementations: Baking In Security and Controls

Patra Carroll, Maricopa County
Paul Smedegaard, KPMG LLP

Wednesday, August 29, 12

Page 2

Maricopa County

Agenda

• Project Implementation Background
• Independence and Security Considerations
• Project Phases
  – Design
  – Build
  – Test
  – Deploy and Maintain
• Resources

Pages 3–7

Get Out the Protection Paddle

• NYSEG – Unauthorized Access
• Briar Restaurant Group – PCI DSS Malcode
• Yahoo – 500K PWs Stolen
• U of A – 7K Records Compromised During New System Implementation

Page 8

Project Constraints

(Figure: the project triangle of Cost, Scope and Time)

Project Models

Page 9

Residential Construction and Post Implementation Review

Page 10

Cheapest Fix

Foundation Inspection?

Final Inspection?

Page 11

Relative Cost of Fixing Security Defect (chart, relative cost by phase in which the defect is found)

Design            1
Implementation    7
Testing          15
Maintenance     100

Source: (ISC)2

Page 12

Security Frameworks

• ISO/IEC 27001 – Information Acquisition, Development, and Maintenance
• NIST – Pub. 800-100 Chapter Three
• COBIT 5 – Information Security

Page 13

Independence Considerations

• Pre-engagement: Does your participation impair independence?
• Objectivity: Did you have any non-audit role during implementation?
• Skills: Do you have the relevant skills and knowledge to carry out the Post Implementation Review?

Excerpt from the IIA’s International Professional Practice Framework:

“1130.A1 - Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.”

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Interactive-IPPF.aspx

Page 14

Project Stages

• All projects have four primary phases – design, build, test, and deploy/maintain (NIST: Initiate, Develop/Acquire, Implement, Operate/Maintain, and Dispose)
• Ideal for Internal Audit and Security to be involved throughout the lifecycle of the project; however, sometimes not realistic
• Understanding the phases of a project will help the Internal Auditor to identify the key functions of each phase and to request relevant documentation

(Diagram: Design → Build → Test → Deploy & Maintain)

Page 15

Project Stages (Cont.)

• Design
  – Project goals and directions
  – Constraints (time, budget, and functionality)
• Build
  – Hardware, software, and cloud providers
  – Business processes, application functionality, and controls
• Test
  – IT testing, end user testing, integration testing, regression testing
• Deploy and Maintain
  – Go/No-Go decisions
  – Short-term and long-term support

Page 16

Project Stages: Design

• Who, What, Where, When, Why, and How?
  – Who are the project stakeholders?
  – What are the project objectives and desired functionality?
  – Where is the project being completed?
  – When does the project need to be completed?
  – How much will the project cost?
  – What are the security requirements for the decommissioned and new system?
• Time, Budget, and Functionality
  – Define/Plan
  – Do
  – Measure
  – Report

Page 17

Project Stages: Design (Cont.)

• Key Design Stage Deliverables
  – Project charter
  – Communication plan
  – RAID log (Risks, Action Items, Issues, and Decisions)
  – Status reports and board communication
  – Initial contracts
  – Project plan and work breakdown structure (WBS) (Time)
  – Budget documents (Cost)
  – Business requirement document(s) (Functionality)
  – Security risk assessment & data classification

Page 18

Project Stages: Build

• Transform business requirements into technical requirements
  – Technical specifications (blueprints)
  – Modeling and prototyping
• Procure necessary hardware, software, or 3rd party service providers (e.g., cloud)
• Develop and/or customize system functionality
  – Business processes, application controls, general IT controls
  – System interfaces, reports, and security
• Security planning and control development

Page 19

Project Stages: Build (Cont.)

• Key Build Stage Deliverables
  – Technical specifications and stakeholder approval
  – Business process and control modifications
  – Segregation of Duties (SoD) matrices
  – Project change requests
  – Status reports
  – Budget to actual reconciliations
  – Contract amendments
  – RAID log (Risks, Action Items, Issues, and Decisions)
  – System security policies and procedures

Page 20

Project Stages: Test

• Critical stage often “rushed” to meet deadlines
• Test “functional” and “technical” specifications
• Categories of testing
  – Unit testing
  – Integration testing (end-to-end)
  – Load testing
  – User acceptance and regression testing
  – Configuration and controls testing
  – Security testing, certification, and accreditation

Page 21

Project Stages: Test (Cont.)

• Key Test Stage Deliverables
  – Test scenarios, scripts and results
  – Defect or “bug tracking” log
  – RAID log (Risks, Action Items, Issues, and Decisions)
  – Status reports
  – Contract amendments
  – System access reports/security matrices
  – Stakeholder approval and sign off
  – Security certification and accreditation
  – Go/No-Go decision

Page 22

Project Stages: Deploy & Maintain

• No project is 100% perfect
  – Workarounds and manual controls implemented at “go live”
  – Security permissions may be temporarily “excessive” to support go live
• Change management is critical
  – Organizational training and awareness
  – User “acceptance” and “adoption”
  – Roll out process (phased, pilot, or big bang)

Page 23

Project Stages: Deploy & Maintain (Cont.)

• Reporting and Monitoring
  – Management and operational reports
  – Key performance indicators (KPIs) and service level agreements (SLAs) (measured, monitored, reported)
  – ROI evaluation
• Ongoing Maintenance
  – Funding to support operations, licensing, personnel, and future upgrades
  – Policies and procedures
  – Ongoing governance (risk assessments, reporting and BI requirements, enhancements, etc.)
  – Security baselines and configuration audits

Page 24

Project Stages: Deploy & Maintain (Cont.)

Application Controls
  – System configuration and account mapping
  – Exception and edit reports
  – Interface controls
  – System access controls
  – Segregation of duties controls
  – Service Organization Control (SOC) reports and associated end-user control considerations
Security Controls
  – Security assessments (automated tools, internal control audits, security checklists, and penetration testing)
  – Monitor system logs and reports (SIEM)
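The SoD matrices and system access reports listed as Build and Test deliverables, and the temporarily “excessive” go-live permissions noted under Deploy & Maintain, as a worked check added here (not code from the original deck; the role names, the access report layout and its expiry field are constructed assumptions):

```python
from datetime import date

# Constructed SoD matrix: each pair is two roles no single user may hold at
# once (assumed role names, not taken from the deck).
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"VENDOR_MAINTAIN", "AP_PAYMENT_APPROVE"}),
    frozenset({"USER_ADMIN", "AUDIT_LOG_ADMIN"}),
}

# Constructed system access report. A non-None "expires" marks a temporary
# go-live elevation; None is a permanent assignment.
ACCESS_REPORT = [
    {"user": "alice", "role": "AP_INVOICE_ENTRY", "expires": None},
    {"user": "alice", "role": "AP_PAYMENT_APPROVE", "expires": "2012-09-15"},
    {"user": "bob", "role": "VENDOR_MAINTAIN", "expires": None},
    {"user": "bob", "role": "AP_PAYMENT_APPROVE", "expires": None},
    {"user": "carol", "role": "USER_ADMIN", "expires": None},
    {"user": "dave", "role": "AUDIT_LOG_ADMIN", "expires": "2012-08-31"},
]


def sod_violations(report, conflicts):
    """Return sorted (user, role_a, role_b) tuples for every conflicting pair a
    user holds. Temporary go-live grants count: the conflict exists while active."""
    roles_by_user = {}
    for row in report:
        roles_by_user.setdefault(row["user"], set()).add(row["role"])
    found = []
    for user, roles in roles_by_user.items():
        for pair in conflicts:
            if pair <= roles:  # user holds both roles of the pair
                role_a, role_b = sorted(pair)
                found.append((user, role_a, role_b))
    return sorted(found)


def expired_temporary_grants(report, today_iso):
    """Return sorted (user, role) for go-live elevations whose expiry date has
    passed (relative to today_iso, YYYY-MM-DD) but which still appear in the report."""
    today = date.fromisoformat(today_iso)
    return sorted((r["user"], r["role"]) for r in report
                  if r["expires"] is not None
                  and date.fromisoformat(r["expires"]) < today)


if __name__ == "__main__":
    for v in sod_violations(ACCESS_REPORT, SOD_CONFLICTS):
        print("SoD conflict:", v)
    for g in expired_temporary_grants(ACCESS_REPORT, "2012-09-30"):
        print("Expired go-live grant still active:", g)
```

Both checks are meant to run against each access report pulled during the Test and Deploy & Maintain stages, so that a go-live elevation which was accepted as temporary is caught once its agreed end date has passed.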


Page 25

Project Stages: Deploy & Maintain (Cont.)

• Key Deploy and Maintain Project Stage Deliverables
  – Support agreements
  – Governance charters
  – Policies and procedures
  – Status reports
  – Budget to actual documentation
  – ROI evaluation
  – Post implementation surveys
  – Security baselines and vulnerability assessments

Page 26

Thirsty for More Implementation Knowledge?

• ISACA IS Auditing Guideline: G29 Post Implementation Review http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G29-Post-Implementation-Review.aspx
• Project Management Institute – PMBOK http://www.pmi.org/en/PMBOK-Guide-and-Standards/Standards-Library-of-PMI-Global-Standards.aspx
• NIST 800-100 Chapter 3 http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
• ISO/IEC 27001/27002 http://www.iso.org/iso/catalogue_detail?csnumber=50297
• COBIT 5 Information Security http://www.isaca.org/COBIT/Pages/Product-Family.aspx

Page 27

Summary

• Project Implementation Background
• Independence and Security Considerations
• Project Phases
  – Design
  – Build
  – Test
  – Deploy and Maintain
• Resources

Page 28

Contact Information

Patra E. Carroll, CPA, CIA
IT Audit Supervisor
Maricopa County Internal
[email protected]
www.maricopa.gov/internal_audit/

Paul C. Smedegaard, CISA
Director, Advisory
KPMG
[email protected]
www.kpmg.com