Paris | New York | Rome | Milan | Casablanca | Dubai | Amsterdam | Brussels
New York Office: 641 Lexington Avenue, Suite 1322, New York, NY 10022
Tel: (212) 634 6325
Internet: www.sia-conseil.com

Presenters
Gus Moreno, IT Risk Specialist
Tel: (917) 239-7549
Email: gus.moreno@sia-partners.com
Alexis Wyrofsky, Consultant
Tel: (401) 862-1661
Email: alexis.wyrofsky@sia-partners.com

Sia Partners US
AIBA Presentation: IT Risk Assessments
September 20, 2012
CONFIDENTIAL © 2012 Sia Partners

Table of Contents
1. Introduction
2. IT Risk: In the News
3. IT Risk Hot Topics
4. IT Risk Program
5. IT Standards and Selective Article Links
Introduction

• With the growing complexity of Information Technology, financial institutions are exposed to a greater number of IT risks.
• Due to the increased threat, regulators hold companies accountable not only to regulatory requirements but also to standards of best practices and procedures.
• IT Risk expertise assists companies in navigating the current threats to their IT environment and ensures compliance with regulatory requirements.

In 2012 alone, many Information Security attacks and operational issues made national news headlines:
• Password File Hacking
• Amazon Cloud Outage
• SQL Injection Attacks
• Mobile Device Attacks

Guidance for regulatory exams is published; however, regulators' focus changes based on the current IT trends. For example, recent hot topics in Financial Services include:
• Cyber Attacks
• Data Leakage
• Vendor Management
• Disaster Recovery & Business Continuity Plans
• Data Privacy
Password File Hacking (IT Risk: In the News)

SECURITY EVENT
• Since 2002, Information Security breaches have risen exponentially.
• Cyber activity has spiked this year.
• 6/2012: 3 major password breaches:
  • LinkedIn: 6.4 million hacked passwords.
  • Lastfm.com.
  • eHarmony.
• Passwords were stored in the database using a standard algorithm rather than encryption.

POSSIBLE RISK MITIGATION
Controls
• Review the quality of stored passwords.
• Set up security monitoring procedures that are able to detect an attempted breach.
• Establish adequate security perimeter controls.
• Develop a security patch deployment process.
Cost-benefit
• $200,000-300,000: set up adequate, A+ security measures, versus
• $5.5 million: the average cost to a company of a security breach.
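The "review the quality of stored passwords" control above, as an added example that is not part of the presentation: a salted, iterated PBKDF2 storage routine beside the unsalted single-pass pattern, with an audit function that flags legacy records. The record format, the SHA-1 legacy scheme, the policy minimums and the credential table are constructed assumptions.

```python
import hashlib
import hmac
import os

# Record format is an assumption of this example: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
ITERATIONS = 200_000
MIN_ITERATIONS = 100_000

def legacy_hash(password: str) -> str:
    """Unsalted single-pass digest: the weak storage pattern (SHA-1 chosen here as an assumption)."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 with a fresh random salt per record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False            # legacy or malformed record: never accepted
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def audit_record(stored: str) -> list:
    """Findings for one stored credential; an empty list means it meets the assumed policy."""
    findings = []
    parts = stored.split("$")
    if len(parts) != 4:
        findings.append("unsalted single-pass hash: equal passwords share a digest and precomputed tables apply")
        return findings
    algo, iters, salt_hex, _ = parts
    if algo != "pbkdf2_sha256":
        findings.append(f"algorithm {algo} is not approved")
    if int(iters) < MIN_ITERATIONS:
        findings.append(f"iteration count {iters} is below the minimum {MIN_ITERATIONS}")
    if len(salt_hex) < 32:      # 16 bytes = 32 hex characters
        findings.append("salt shorter than 16 bytes")
    return findings

def audit_table(table: dict) -> dict:
    """Map username -> findings for every record that fails the policy."""
    return {user: f for user, rec in table.items() if (f := audit_record(rec))}

# Constructed credential table: two users who chose the same password under the legacy scheme,
# and the same table after migration to the salted scheme.
LEGACY_TABLE = {"alice": legacy_hash("Summer2012"), "bob": legacy_hash("Summer2012")}
MIGRATED_TABLE = {user: hash_password("Summer2012") for user in LEGACY_TABLE}
```

The legacy table shows the audit's first finding directly: both users hold an identical digest, while the migrated records differ even though the passwords are the same.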
Cloud Computing (IT Risk: In the News)

OPERATIONAL EVENT
• 6/9/2012: Outage of Amazon Elastic Compute Cloud (EC2) caused by severe weather conditions.
  • Mainstream websites running off the Amazon cloud were down: Netflix, Instagram, Pinterest, Heroku.
• 4/2011: Technical glitch caused an Amazon cloud outage.
  • Caused service interruptions for the websites Foursquare, Reddit and HootSuite.

POSSIBLE RISK MITIGATION
Controls
• Understand the availability risk of computing resources and ensure that the infrastructure is resilient.
  • E.g.: Establish an automatic switch over to a standby machine.
• Implement security monitoring in the cloud.
• Establish vendor management controls.
• Include cloud services in the Disaster Recovery Plan.
• Employ geographic distribution of data centers.
SQL Injection Hacks (IT Risk: In the News)

SECURITY EVENT
• 11/2011 - 1/2012: SQL injection hack affected over 1 million URLs. [1]
  • Infected by lilupophilupop.com malware.
  • The attacker can completely take over the underlying operating system of the SQL server and the Web application.
  • The hacking process is partially manual and partially automated, which suggests significant preparation and manpower.
  • The toolkit was constructed for a particular attack and targets a specific application architecture.
• 3/2011: Lizamoon.com SQL injection hack:
  • 500,000 URLs affected via redirects that push rogue AV software.
  • Quickly contained.

POSSIBLE RISK MITIGATION
• Establish a patch deployment process.
• Verify the Virus / Malware process.
• Set up Web application development policies and requirements.
• Inspect applications on Firewalls.
• Ensure appropriate use of "least privileges."
• Assume the applications are not secure (encrypt passwords, etc.).

[1] According to the SANS Internet Storm Center; Cisco claims that fewer web pages were affected, as online discussions following a hack increase hits.
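The defect behind the injection campaigns above beside its parameterized fix, plus a firewall-style input inspection, as an added example that is not from the presentation. The accounts table, the three inputs and the inspection regex are constructed; the example also shows that an ordinary apostrophe already breaks the concatenated query, which the parameterized form handles.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table; not data from any system mentioned in the deck."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts (username, balance) VALUES (?, ?)",
                     [("alice", 120.0), ("bob", 75.5), ("carol", 980.0)])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """'Before' pattern: the input is spliced into the SQL text, so it can change the query's structure."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value and the query text never changes."""
    return conn.execute("SELECT username, balance FROM accounts WHERE username = ?",
                        (username,)).fetchall()

# Coarse inspection heuristic of the kind an application firewall applies: a quote followed by
# a boolean operator, UNION, a comment marker or a statement separator. It is a logging and
# alerting aid, not a substitute for parameterized queries.
SUSPICIOUS = re.compile(r"'\s*(or|and|union|--|;)", re.IGNORECASE)

def looks_suspicious(value: str) -> bool:
    return SUSPICIOUS.search(value) is not None

def demo() -> dict:
    """Run both lookups on a normal name, a name with an apostrophe and a tautology input."""
    conn = make_db()
    results = {}
    for label, value in [("normal", "bob"), ("apostrophe", "o'brien"), ("tautology", "x' OR '1'='1")]:
        try:
            vuln = len(lookup_vulnerable(conn, value))
        except sqlite3.OperationalError:
            vuln = "error"   # the apostrophe unbalances the quotes in the concatenated query
        results[label] = {"vulnerable_rows": vuln,
                          "parameterized_rows": len(lookup_parameterized(conn, value)),
                          "flagged": looks_suspicious(value)}
    return results
```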
Mobile Device Attacks (IT Risk: In the News)

SECURITY EVENT
• Android malware attacks: new framework Tatanga, used for "man-in-the-mobile" attacks (MitMo):
  • Intercept the secret codes sent by a bank via text message to a customer's phone to verify a large transaction request.
  • Initiate transfers and transactions by bypassing the out-of-band authorization systems.
  • Target small businesses using online banking; mobile attacks are expected to become more prevalent.
• Other Mobile Device Security Risks:
  • High potential for mobile devices to be lost or stolen.
  • Applications do not typically have encrypted containers (in place for email) or other security measures.

POSSIBLE RISK MITIGATION
• Ensure Mobile Computing policies are in place:
  • State that applications must be downloaded from a trusted source, e.g., Google Play app stores.
• Set up multifactor authentication.
• Implement user security awareness training.
• Move slowly into the space.
• Update the SDLC process and ensure it is specific for mobile device applications.
Cyber Attacks (IT Risk Hot Topics)

1. Cause of Risk
• Cyber attacks are increasingly targeted at specific corporations.
• Moving from simply making a point to wreaking financial havoc.
• Advanced Persistent Threats (APTs) focus on hacking an individual employee rather than the organization's infrastructure.
• Spear Phishing: hackers obtain a company email list in order to appear as a trusted source.
• Example: RSA Spear Phishing Attack in 3/2011. Hackers sent phishing emails appearing to come from a Recruitment website to employees of RSA.
  • An attachment in the email placed a malicious file on the employee's computer, enabling attackers to gain remote access to the company network and steal information regarding RSA's SecurID keyfob products.

2. Risk Mitigation
• Establish effective security patch and virus/malware patch procedures.
• Review network security processes to ensure that sufficient restriction exists for access to business critical applications (either internally or externally hosted).
• Perform ongoing penetration testing.
• Implement a Computer Emergency Response Team (CERT) process.
• Ensure Security Administration (both new hires and existing personnel) have adequate training.
• Ensure that strong password and PIN requirements are included and enforced in company policies.
• Evaluate practices used by the Help Desk to reduce opportunities for social engineering attacks.
Data Leakage (IT Risk Hot Topics)

1. Cause of Risk
• Reliance on the Internet and emails to transfer and store data.
• Wireless networks.
• Mobile devices.
• Storage sites.
• Personal and unauthorized websites.
• File transmission, FTP, Skype, etc.
• Social networking.
• USB ports/thumb drives.
• Remote access controls.

2. Risk Mitigation
• Assess all possible data leakage channels within the IT environment.
• Apply measures to reduce the unauthorized disclosure of sensitive data and secure the environment.
• Ensure an effective data classification process exists for all company information.
• Identify potential leakage channels.
• Establish additional controls where possible, based on the data classification system.
• Implement monitoring solutions to manage sensitive information.
• Put in place an ongoing employee awareness program.
Vendor Management (IT Risk Hot Topics)

1. Cause of Risk
• Increasing reliance on third-party vendors to perform many IT functions and services. Vendors and service providers are responsible for the continuous operation of key business IT processes and the proper handling of sensitive data.
• Prevalence of Cloud Services.
• Service disruptions or Information Security breaches result in high financial or reputational costs.

2. Risk Mitigation
• Ensure that due diligence is conducted on vendors:
  • Prior to engagement, during the Contract Phase (Right to Audit, Security Monitoring).
  • On a periodic (annual) basis.
• Manage vendor relationships: enforce the adoption of internal controls by the vendor.
• Monitor the vendor's Information Security and data-handling procedures.
• Restrict access to critical production data and information processing systems.
• Implement security monitoring solutions for vendor access to business sensitive data.
Disaster Recovery/Business Continuity Plans (IT Risk Hot Topics)

1. Cause of Risk
• Post-9/11, Business Continuity (BCP) and Disaster Recovery (DR) became highlighted areas for regulatory examiners.
• Regulators are going beyond the idea of alternate sites to the requirement that enough critical staff be available for principal trading applications, especially for "market makers."
• Increased use of vendors requires that DR/BCP plans include an appropriate level of testing.

2. Risk Mitigation
• Include business continuity considerations in the overall design of the business model in order to reduce the risk of service disruptions.
• Ensure plans are robust, detailed, regularly updated, tested and approved by the bank's Executive Management.
• Include areas such as pandemic crisis management, media communication, hardware recovery and security measures.
• Monitor and analyze the results of testing:
  • Identify areas requiring special attention.
  • Identify personnel that could benefit from additional training.
Data Privacy (IT Risk Hot Topics)

1. Cause of Risk
• Differences in global data privacy regulations and standards:

United States
• The US government has limited power to protect citizens' data privacy.
• The Federal Trade Commission rarely takes action against US companies for privacy breaches; it usually levies small fines.
• If a company has lawful access to data it may use it, as long as the use is not prohibited (such as under the Gramm-Leach-Bliley Act).
• Importance of the privacy policy / statement: as long as a customer is made aware of the policy when data is collected and does not object, the company can use it.
• The Patriot Act allows US officials to access phone, email and financial information without a warrant.

Europe
• 1995 EU Directive on Data Protection:
  • Protects citizens' privacy and states that permission is required from a consumer for a company to use or exchange personal data.
• 2012: EC proposed General Data Protection Regulation, a draft update of the Directive:
  • Requires reporting a data breach within 24 hours.
  • May require companies to delete consumer data if its retention is not justified.
  • Conforms data privacy rules across the EU.
  • US companies would be heavily penalized for releasing EU citizens' personal data to US authorities (such as by complying with National Security Letters).

Asia
• 2011 marked a pivotal year in Asia with the introduction of many data protection regulations.
• South Korea: Personal Information Protection Act, considered the most stringent data privacy regulation globally:
  • Creates a Data Protection Commission.
  • Mandates a Privacy Compliance Officer for businesses.
  • Requires data breach notification.
  • Introduces Privacy Impact Assessments.
• Hong Kong and the Philippines have both recently passed significant data privacy regulations.

2. Risk Mitigation
• Review the data protection jurisdictions of business activities and verify their adherence to sovereign laws.
• Corroborate that policies support the segregation of company and personal information that might go cross-border.
• Review the security monitoring process, particularly the communication procedure in the event of a security breach.
• Verify that cloud and email storage infrastructure supports the regional requirements.
• Ensure that the DR solution is not in violation of regional standards.
Designing and Implementing an IT Risk Program: How to Monitor & Control IT Risk (IT Risk Program)

– Set up security controls
– Perform an annual independent IT Risk Assessment
– Conduct application security reviews
– Perform internal and external penetration tests
– Ensure security patches/malware patches are completed on a timely basis
– Maintain risk reporting that provides up-to-date information on the patching process
– Verify that an adequate number of Information Security personnel have an adequate skillset
– Ensure the existence of a training program and up-to-date training of current employees
– Confirm whether the IS Policy allows for personal use of business devices and use of personal devices for business purposes
IT Risk Assessment Methodology (IT Risk Program)

Methodology and Process of an IT Risk Assessment:
• Conduct in accordance with established industry and regulatory guidance (FFIEC, COBIT, etc., further discussed on slide 16).

In addition to the previously mentioned "Hot Topics", the scope should include the following areas:
• Risk Management
• Information Security Administration
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Network, Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Incident Event & Communications Management
• Compliance

Risk Assessment Process Should Encompass:
• Review existing IT Risk related material in place
• Develop specific control tools (such as the RCM discussed on slide 15)
• Conduct interviews with key IT and IS personnel and management, as well as other relevant staff such as HR, Administration, Audit & Compliance

IT Risk Assessment Enables Management to:
• Obtain a comprehensive and documented understanding of risks in the IT / IS operational environment
• Grasp the severity and level of urgency for each associated risk
• Appropriately and accordingly take measures to reduce risks in order of priority
• Ensure resources are deployed to address risks that have the most significant implications for the organization at that time
• Plan and budget for projects that mitigate IT / IS risk according to assessed risk and priorities, with varying mandates and longevity
• Acknowledge and accept risks not considered by management to pose a significant threat
Risk Control Matrix (IT Risk Program)

Risk Control Matrix (RCM) Tool:
• Provides a qualitative assessment of the expected controls for each area of the IT environment.
• Documents whether relevant control objectives are met.
• Identifies open risk issues based on gaps between the required control and the control in place.
• Categorizes issues based on a risk rating such as "High", "Medium" and "Low." The determination of the risk rating is based on the severity of the risk and the probability of its occurrence.
• Determines and tracks management's decision whether each flagged risk should be remediated, partially remediated, accepted or a combination.
• Prescribes recommendations on steps to address the risk deemed to need mitigation.

Sample RCM
Columns: Control Objective & Associated Risks | Current or Planned Controls, Procedures, Other Risk Mitigating Factors | Residual Risk | Recommended Actions
Area: D. Vendor Management, row 1. in each column (cell contents not present in the transcript)
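A minimal RCM model following the slide's description, as an added example rather than Sia Partners' own tool: a severity x probability rating, control gaps, residual risk, management's decision and a priority-ordered list of open issues. The numeric scales, the residual-risk rule and the two Vendor Management rows are assumptions of this example.

```python
from dataclasses import dataclass, field

# Scales are an assumption of this example; the deck only names the High/Medium/Low output.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
PROBABILITY = ["unlikely", "possible", "likely"]          # index order = increasing likelihood
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}
DECISIONS = {"remediate", "partially remediate", "accept"}

def risk_rating(severity: str, probability: str) -> str:
    """Qualitative rating from severity x probability of occurrence."""
    score = SEVERITY[severity] * (PROBABILITY.index(probability) + 1)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class RcmEntry:
    area: str                         # e.g. "D. Vendor Management"
    control_objective: str            # column 1 of the sample RCM
    associated_risk: str
    severity: str
    probability: str                  # inherent probability, before controls
    required_controls: list = field(default_factory=list)
    controls_in_place: list = field(default_factory=list)   # column 2
    recommended_actions: list = field(default_factory=list) # column 4
    decision: str = "undecided"       # management's decision on a flagged risk

    def control_gaps(self) -> list:
        """Required controls with nothing in place: the basis for an open risk issue."""
        return [c for c in self.required_controls if c not in self.controls_in_place]
    def inherent_rating(self) -> str:
        return risk_rating(self.severity, self.probability)
    def residual_rating(self) -> str:
        """Column 3. Assumption: each required control in place lowers the probability one step."""
        in_place = [c for c in self.required_controls if c in self.controls_in_place]
        idx = max(0, PROBABILITY.index(self.probability) - len(in_place))
        return risk_rating(self.severity, PROBABILITY[idx])

def record_decision(entry: RcmEntry, decision: str) -> RcmEntry:
    """Track whether management remediates, partially remediates or accepts a flagged risk."""
    if decision not in DECISIONS:
        raise ValueError(f"decision must be one of {sorted(DECISIONS)}")
    entry.decision = decision
    return entry

def open_issues(entries: list) -> list:
    """Flagged entries (a required control is missing), highest residual risk first."""
    return sorted((e for e in entries if e.control_gaps()),
                  key=lambda e: RATING_ORDER[e.residual_rating()])

# Constructed rows for the "D. Vendor Management" area named in the deck's sample RCM.
VENDOR_ACCESS = RcmEntry("D. Vendor Management", "Vendor access to production data is restricted and monitored",
                         "Vendor personnel read or alter business-sensitive data", "high", "likely",
                         required_controls=["right to audit in contract", "monitoring of vendor access"],
                         controls_in_place=["right to audit in contract"],
                         recommended_actions=["Implement monitoring of vendor sessions to sensitive data"])
VENDOR_DD = RcmEntry("D. Vendor Management", "Due diligence before engagement and annually thereafter",
                     "Undetected deterioration of a vendor's security posture", "medium", "possible",
                     required_controls=["pre-contract due diligence", "annual review"],
                     controls_in_place=["pre-contract due diligence", "annual review"])
```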
Guidance & Internal Audit's Role (IT Risk Program)

Role of Internal Audit
• Audit the IT/IS Control Program.
• IT Risk Assessment:
  • Perform the IT Risk Assessment (if done in-house).
  • Collaborate with the external vendor firm to oversee performance of the assessment.

IT Risk Guidance
• FFIEC:
  • Maintains and publishes 11 FFIEC Information Technology Examination Handbooks which outline examination objectives and procedures for evaluating IT environments of financial institutions.
  • Provides introductory, reference, and educational training material on specific topics of interest to field examiners from the FFIEC member agencies.
• CobiT:
  • IT governance framework established by ISACA, the former Information Systems Audit and Control Association.
• Shared Assessments:
  • Evaluation program of security controls focusing on Information Technology and Information Security.
  • Created by several major US Banks (JPMorgan Chase, Bank of America, Citigroup, BNY Mellon) in association with the Big 4 accounting firms.
• ISO/IEC 27002:
  • Standard aimed at Information Security, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
IT Standards and Selective Article Links

• http://ithandbook.ffiec.gov/it-booklets.aspx
• http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
• http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html?pagewanted=2&_r=1&emc=eta1
• http://mobile.blogs.wsj.com/cio/2012/06/06/linkedin-password-breach-illustrates-endemic-security-issue/
• http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
• http://www.forbes.com/sites/anthonykosner/2012/07/01/survey-of-effects-of-cloud-outage-shows-how-much-of-the-web-runs-on-amazon/
• http://www.wired.com/cloudline/2012/06/amazon-outage-pilot-error/
• http://www.forbes.com/sites/kellyclay/2012/06/30/aws-power-outage-questions-reliability-of-public-cloud/
• http://www.huffingtonpost.com/2012/07/02/amazon-power-outage-cloud-computing_n_1642700.html
• http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
• http://mobile.eweek.com/c/a/Security/New-Android-Malware-Better-at-Targeting-Bank-Transactions-161221/
• http://www.nftc.org/default/Innovation/PromotingCrossBorderDataFlowsNFTC.pdf
• http://www.informationweek.com/security/attacks/sql-injection-hack-infects-1-million-web/232301355
• http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232301285/latest-sql-injection-campaign-infects-1-million-web-pages.html?itc=edit_stub
• http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
• http://www.informationweek.com/government/security/nsa-chief-china-behind-rsa-attacks/232700341
• http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• https://www.bit9.com/blog/2011/03/18/rsa-and-the-apt-attack/
• http://www.msnbc.msn.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-stark-eu-us-privacy-laws/#.UFEG95afht0
• http://cyberlaw.stanford.edu/node/5544
• http://www.computing.co.uk/ctg/news/2162386/europe-s-protection-laws-cause-conflict-warn-legal-experts
• http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2120983
Contacts at Sia Partners US

Gus Moreno, IT Risk Specialist
Sia Partners US, 641 Lexington Ave. Suite 1322, New York, NY 10022
Office: (212) 634-6325, Cell: (917) 239-7549
Email: gus.moreno@sia-partners.com

Alexis Wyrofsky, Consultant
Sia Partners US, 641 Lexington Ave. Suite 1322, New York, NY 10022
Office: (212) 634-6325, Cell: (401) 862-1661
Email: alexis.wyrofsky@sia-partners.com