
Page 1: Sia Partners US

Paris | New York | Rome | Milan | Casablanca | Dubai | Amsterdam | Brussels

New York Office
641 Lexington Avenue, Suite 1322
New York, NY 10022
Tel : (212) 634 6325
Internet : www.sia-conseil.com

Presenters

Gus Moreno, IT Risk Specialist
Tel : (917) 239-7549
Email : gus.moreno@sia-partners.com

Alexis Wyrofsky, Consultant
Tel : (401) 862-1661
Email : alexis.wyrofsky@sia-partners.com

Sia Partners US

AIBA Presentation: IT Risk Assessments

September 20, 2012

Page 2: Sia Partners US

CONFIDENTIAL © 2012 Sia Partners

Table of Contents

1. Introduction
2. IT Risk: In the News
3. IT Risk Hot Topics
4. IT Risk Program
5. IT Standards and Selective Article Links

Page 3: Sia Partners US


Introduction

• With the growing complexity of Information Technology, financial institutions are exposed to a greater number of IT risks.

• Due to the increased threat, regulators hold companies accountable not only to regulatory requirements but also to standards of best practices and procedures.

• IT Risk expertise assists companies in navigating the current threats to their IT environment, and ensures compliance with regulatory requirements.

In 2012 alone, many Information Security attacks and operational issues made national news headlines:

• Password File Hacking
• Amazon Cloud Outage
• SQL Injection Attacks
• Mobile Device Attacks

Guidance for regulatory exams is published; however, regulators’ focus changes based on the current IT trends. For example, recent hot topics in Financial Services include:

• Cyber Attacks
• Data Leakage
• Vendor Management
• Disaster Recovery & Business Continuity Plans
• Data Privacy

Page 4: Sia Partners US


Password File Hacking (IT Risk: In the News)

SECURITY EVENT

• Since 2002, Information Security breaches have risen exponentially.
• Cyber activity has spiked this year.
• 6/2012: 3 major password breaches:
  • LinkedIn: 6.4 million hacked passwords.
  • Lastfm.com.
  • eHarmony.
• Passwords were stored in the database using a standard algorithm rather than encryption.

POSSIBLE RISK MITIGATION

Controls
• Review the quality of stored passwords.
• Set up security monitoring procedures that should be able to detect an attempted breach.
• Establish adequate security perimeter controls.
• Develop a security patch deployment process.

Cost-benefit
• $200,000-300,000: set up adequate, A+ security measures, versus
• $5.5 million: the average cost to a company of a security breach.
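The "review quality of stored passwords" control above, as an added example that is not part of the Sia Partners deck: a Python check an assessor could run over an exported password table to spot unsalted, single-round storage, beside the salted, iterated scheme (PBKDF2-HMAC-SHA256 with 200,000 iterations, an assumption of this example) that such a finding is remediated toward. The row layout, the sample users and the function names are all constructed for the example.

```python
# Added example, not from the Sia Partners deck: review an exported password
# table for weak storage and show a salted, iterated scheme in its place.
# The row format (username, stored_value) and the sample users are constructed.
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional, Tuple

HEX_DIGITS = set("0123456789abcdef")
# Hex lengths of common unsalted digests, used only as a storage-format heuristic.
FAST_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def review_store(rows: List[Tuple[str, str]]) -> List[str]:
    """Return findings about how the exported table stores passwords."""
    findings = []
    values = [stored for _, stored in rows]
    # Finding 1: two users sharing a stored value means no per-user salt, so one
    # recovered value exposes every account that uses that password.
    shared = [v for v, count in Counter(values).items() if count > 1]
    if shared:
        findings.append(f"{len(shared)} stored value(s) shared by several users: no per-user salt")
    # Finding 2: a bare hex string of a common digest length looks like a
    # single-round, unsalted hash rather than a salted, iterated scheme.
    for v in values:
        if set(v) <= HEX_DIGITS and len(v) in FAST_DIGEST_LENGTHS:
            findings.append(f"bare {FAST_DIGEST_LENGTHS[len(v)]}-sized digest: unsalted fast hash")
            break
    return findings


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed weak store: one unsalted SHA-1 digest per user (alice and bob share a password).
WEAK_STORE = [
    ("alice", hashlib.sha1(b"Summer2012").hexdigest()),
    ("bob", hashlib.sha1(b"Summer2012").hexdigest()),
    ("carol", hashlib.sha1(b"correct horse battery").hexdigest()),
]
# The same users re-enrolled under the salted, iterated scheme.
STRONG_STORE = [(user, hash_password(pw)) for user, pw in
                [("alice", "Summer2012"), ("bob", "Summer2012"), ("carol", "correct horse battery")]]

if __name__ == "__main__":
    print("weak store:", review_store(WEAK_STORE))      # two findings
    print("strong store:", review_store(STRONG_STORE))  # []
```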

Page 5: Sia Partners US


Cloud Computing (IT Risk: In the News)

OPERATIONAL EVENT

• 6/9/2012: Outage of Amazon Elastic Compute Cloud (EC2) caused by severe weather conditions.
  • Mainstream websites running off the Amazon cloud were down – Netflix, Instagram, Pinterest, Heroku.
• 4/2011: Technical glitch caused an Amazon cloud outage.
  • Caused service interruptions for the websites Foursquare, Reddit and HootSuite.

POSSIBLE RISK MITIGATION

Controls
• Understand the availability risk of computing resources and ensure that infrastructure is resilient.
  • E.g.: Establish an automatic switch over to a standby machine.
• Implement security monitoring in the cloud.
• Establish vendor management controls.
• Include cloud services in the Disaster Recovery Plan.
• Employ geographic distribution of data centers.

Page 6: Sia Partners US


SQL Injection Hacks (IT Risk: In the News)

SECURITY EVENT

• 11/2011 - 1/2012: SQL injection hack affected over 1 million URLs.[1]
  • Infected by lilupophilupop.com malware.
  • The attacker can completely take over the underlying operating system of the SQL server and the Web application.
  • Hacking process is partially manual and partially automated – suggests significant preparation and manpower.
  • Toolkit constructed for a particular attack and targets a specific application architecture.
• 3/2011: Lizamoon.com SQL injection hack:
  • 500,000 URLs affected via redirects that push rogue AV software.
  • Quickly contained.

POSSIBLE RISK MITIGATION

• Establish a patch deployment process.
• Verify the Virus / Malware process.
• Set up Web application development policies and requirements.
• Inspect application traffic on Firewalls.
• Ensure appropriate use of "least privileges."
• Assume the applications are not secure (encrypt passwords, etc.).

[1] According to the SANS Internet Storm Center; Cisco claims that fewer web pages were affected, as online discussions following a hack increase hits.
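The Web application defect behind this slide and two of its mitigations, "least privileges" and "assume the applications are not secure", as an added example that is not part of the Sia Partners deck: a lookup that splices user input into SQL text, beside the parameter-bound fix, plus a connection-level guard that refuses anything but reads. An in-memory SQLite table named `customers` stands in for the SQL server, and the `sqlite3` authorizer hook stands in for a read-only database account; table, rows and function names are all constructed for the example.

```python
# Added example, not from the Sia Partners deck: the application defect behind
# SQL injection beside its fix (parameter binding), plus a "least privileges"
# guard on the database connection. Table and rows are constructed; SQLite
# stands in for the SQL server and its authorizer hook for a read-only account.
import sqlite3

SAMPLE_ROWS = [("a@example.com", "ACC-001"), ("b@example.com", "ACC-002")]  # constructed


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers (email, account) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Defect: user input is spliced into the SQL text, so a quote character in
    the input closes the string literal and the remainder is parsed as SQL."""
    sql = "SELECT email, account FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Fix: the SQL text is fixed and the driver sends the input as a bound
    value, so it is only ever compared against the column, never parsed."""
    return conn.execute(
        "SELECT email, account FROM customers WHERE email = ?", (email,)
    ).fetchall()


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Least privilege: the application's connection may only read. Even if an
    injection slips past the code review, writes and schema changes are refused."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def attempt_write(conn: sqlite3.Connection) -> str:
    """Report whether a write through this connection is permitted."""
    try:
        conn.execute("DELETE FROM customers")
        return "write succeeded"
    except sqlite3.Error as exc:
        return f"write refused: {exc}"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # the textbook tautology input used in application reviews
    print("vulnerable:", lookup_vulnerable(conn, probe))  # every row comes back
    print("safe:      ", lookup_safe(conn, probe))        # [] (no such email)
    restrict_to_reads(conn)
    print(attempt_write(conn))                            # write refused: not authorized
```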

Page 7: Sia Partners US


Mobile Device Attacks (IT Risk: In the News)

SECURITY EVENT

• Android malware attacks: New framework Tatanga – “man-in-the-mobile” attacks (MitMo):
  • Intercept the secret codes sent by a bank via text message to a customer’s phone to verify a large transaction request.
  • Initiate transfers and transactions by bypassing the out-of-band authorization systems.
  • Target small businesses using online banking; mobile attacks expected to become more prevalent.
• Other Mobile Device Security Risks:
  • High potential for mobile devices to be lost or stolen.
  • Applications do not typically have encrypted containers (in place for email) or other security measures.

POSSIBLE RISK MITIGATION

• Ensure Mobile Computing policies are in place:
  • State that applications must be downloaded from a trusted source, e.g., the Google Play app store.
• Set up multifactor authentication.
• Implement user security awareness training.
• Move slowly into the space.
• Update the SDLC process and ensure it is specific to mobile device applications.

Page 8: Sia Partners US


Cyber Attacks (IT Risk Hot Topics)

1. Cause of Risk

• Cyber attacks are increasingly targeted at specific corporations.
• Moving from simply making a point to wreaking financial havoc.
• Advanced Persistent Threats (APTs) focus on hacking an individual employee rather than the organization’s infrastructure.
• Spear Phishing: hackers obtain a company email list in order to appear as a trusted source.
  • Example: RSA Spear Phishing Attack in 3/2011 – Hackers sent phishing emails appearing to come from a Recruitment website to employees of RSA.
  • Attachment in the email placed a malicious file on the employee’s computer, enabling attackers to gain remote access to the company network and steal information regarding RSA’s SecurID keyfob products.

2. Risk Mitigation

• Establish effective security patch and virus/malware patch procedures.
• Review network security processes to ensure that sufficient restriction exists for access to business critical applications (either internally or externally hosted).
• Perform ongoing penetration testing.
• Implement a Computer Emergency Response Team (CERT) process.
• Ensure Security Administration (both new hires and existing personnel) have adequate training.
• Ensure that strong password and PIN requirements are included and enforced in company policies.
• Evaluate practices used by the Help Desk to reduce opportunities for social engineering attacks.

Page 9: Sia Partners US


Data Leakage (IT Risk Hot Topics)

1. Cause of Risk

• Reliance on the Internet and email to transfer and store data.
• Wireless networks.
• Mobile devices.
• Storage sites.
• Personal and unauthorized websites.
• File transmission, FTP, Skype, etc.
• Social networking.
• USB ports/thumb drives.
• Remote access controls.

2. Risk Mitigation

• Assess all possible data leakage channels within the IT environment.
• Apply measures to reduce the unauthorized disclosure of sensitive data to secure the environment.
• Ensure an effective data classification process exists for all company information.
• Identify potential leakage channels.
• Establish additional controls where possible, based on the data classification system.
• Implement monitoring solutions to manage sensitive information.
• Put in place an ongoing employee awareness program.

Page 10: Sia Partners US


Vendor Management (IT Risk Hot Topics)

1. Cause of Risk

• Increasing reliance on third-party vendors to perform many IT functions and services. Vendors and service providers are responsible for continuous operations of key business IT processes and proper handling of sensitive data.
• Prevalence of Cloud Services.
• Service disruptions or Information Security breaches result in high financial or reputational costs.

2. Risk Mitigation

• Ensure that due diligence is conducted on vendors:
  – Prior to engagement, during the Contract Phase (Right to Audit, Security Monitoring).
  – On a periodic (annual) basis.
• Manage vendor relationships – enforce the adoption of internal controls by the vendor.
• Monitor the vendor’s Information Security and data-handling procedures.
• Restrict access to critical production data and information processing systems.
• Implement security monitoring solutions for vendor access to business sensitive data.

Page 11: Sia Partners US


Disaster Recovery/Business Continuity Plans (IT Risk Hot Topics)

1. Cause of Risk

• Post-9/11, Business Continuity (BCP) and Disaster Recovery (DR) became highlighted areas for regulatory examiners.
• Regulators are going beyond the idea of alternate sites to the requirement that enough critical staff be available for principal trading applications, especially for “market makers.”
• Increased use of vendors would require that DR/BCP plans include an appropriate level of testing.

2. Risk Mitigation

• Include business continuity considerations in the overall design of the business model in order to reduce the risk of service disruptions.
• Ensure plans are robust, detailed, regularly updated, tested and approved by a bank’s Executive Management.
• Include areas such as pandemic crisis management, media communication, hardware recovery and security measures.
• Monitor and analyze the results of testing:
  – Identify areas requiring special attention.
  – Identify personnel that could benefit from additional training.

Page 12: Sia Partners US


Data Privacy (IT Risk Hot Topics)

1. Cause of Risk

• Differences in global data privacy regulations and standards:

United States
• US government has limited power to protect citizens’ data privacy.
• Federal Trade Commission rarely takes action against US companies for privacy breaches; usually levies small fines.
• If a company has lawful access to data it may use it, as long as it is not prohibited (such as under the Gramm-Leach-Bliley Act).
• Importance of privacy policy / statement: as long as a customer is made aware of the policy when data is collected and does not object, the company can use it.
• Patriot Act allows US officials to access phone, email and financial information without a warrant.

Europe
• 1995 EU Directive on Data Protection:
  • Protects citizens' privacy and states that permission is required from a consumer for a company to use or exchange personal data.
• 2012: EC proposed General Data Protection Regulation, a draft update of the Directive:
  • Requires reporting a data breach within 24 hours.
  • May require companies to delete consumer data if its retention is not justified.
  • Conforms data privacy rules across the EU.
  • US companies would be heavily penalized for releasing EU citizens’ personal data to US authorities (such as by complying with National Security Letters).

Asia
• 2011 marked a pivotal year in Asia with the introduction of many data protection regulations.
• South Korea: Personal Information Protection Act considered the most stringent data privacy regulation globally:
  • Creates a Data Protection Commission.
  • Mandates a Privacy Compliance Officer for businesses.
  • Requires data breach notification.
  • Introduces Privacy Impact Assessments.
• Hong Kong and the Philippines have both recently passed significant data privacy regulations.

2. Risk Mitigation

• Review the data protection jurisdictions governing business activities and verify their adherence to sovereign laws.
• Corroborate that policies support the segregation of company and personal information that might go cross-border.
• Review the security monitoring process, particularly the communication procedure in the event of a security breach.
• Verify that cloud and email storage infrastructure supports infrastructure requirements.
• Ensure that the DR solution is not in violation of regional standards.

Page 13: Sia Partners US


Designing and Implementing an IT Risk Program: How to Monitor & Control IT Risk (IT Risk Program)

– Set up security controls
– Perform an annual independent IT Risk Assessment
– Conduct application security reviews
– Perform internal and external penetration tests
– Ensure security patches/malware patches are completed on a timely basis
– Maintain risk reporting that provides up-to-date information on the patching process
– Verify that an adequate number of Information Security personnel have an adequate skillset
– Ensure existence of a training program and up-to-date training of current employees
– Confirm that the IS Policy allows for personal use on business devices and use of personal devices for business purposes

Page 14: Sia Partners US


IT Risk Assessment Methodology (IT Risk Program)

Methodology and Process of an IT Risk Assessment:
• Conduct in accordance with established industry and regulatory guidance (FFIEC, COBIT, etc., further discussed on slide 16).

In addition to the previously mentioned “Hot Topics”, the scope should include the following areas:
• Risk Management
• Information Security Administration
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Network, Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Incident Event & Communications Management
• Compliance

Risk Assessment Process Should Encompass:
• Review existing IT Risk related material in place
• Develop specific control tools (such as the RCM discussed on slide 15)
• Conduct interviews with key IT and IS personnel and management, as well as other relevant staff such as HR, Administration, Audit & Compliance

IT Risk Assessment Enables Management to:
• Obtain a comprehensive and documented understanding of risks in the IT / IS operational environment
• Grasp the severity and level of urgency for each associated risk
• Appropriately and accordingly take measures to reduce risks in order of priority
• Ensure resources are deployed to address risks that have the most significant implications for the organization at that time
• Plan and budget for projects that mitigate IT / IS risk according to assessed risk and priorities, with varying mandates and longevity
• Acknowledge and accept risks not considered by management to pose a significant threat

Page 15: Sia Partners US


Risk Control Matrix (IT Risk Program)

Risk Control Matrix (RCM) Tool:
• Provides a qualitative assessment of the expected controls for each area of the IT environment.
• Documents whether relevant control objectives are met.
• Identifies open risk issues based on gaps between the required control and the control in place.
• Categorizes issues based on a risk rating such as “High”, “Medium” and “Low.” The determination of the risk rating is based on the severity of the risk and the probability of its occurrence.
• Determines and tracks management’s decision whether each flagged risk should be remediated, partially remediated, accepted or a combination.
• Prescribes recommendations on steps to address the risk deemed to need mitigation.

Sample RCM (columns of the matrix shown on the slide):
• Control Objective & Associated Risks
• Current or Planned Controls, Procedures, Other Risk Mitigating Factors
• Residual Risk
• Recommended Actions

Sample row: D. Vendor Management, with a first numbered entry under each column.

Page 16: Sia Partners US


Guidance & Internal Audit’s Role (IT Risk Program)

Role of Internal Audit
• Audit the IT/IS Control Program.
• IT Risk Assessment:
  • Perform the IT Risk Assessment (if done in-house).
  • Collaborate with an external vendor firm to oversee performance of the assessment.

IT Risk Guidance
• FFIEC:
  • Maintains and publishes 11 FFIEC Information Technology Examination Handbooks which outline examination objectives and procedures for evaluating IT environments of financial institutions.
  • Provides introductory, reference, and educational training material on specific topics of interest to field examiners from the FFIEC member agencies.
• CobiT:
  • IT governance framework established by ISACA, the former Information Systems Audit and Control Association.
• Shared Assessments:
  • Evaluation program of security controls focusing on Information Technology and Information Security.
  • Created by several major US Banks (JPMorgan Chase, Bank of America, Citigroup, BNY Mellon) in association with the Big 4 accounting firms.
• ISO/IEC 27002:
  • Standard aimed at Information Security, which was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Page 17: Sia Partners US


IT Standards and Selective Article Links

• http://ithandbook.ffiec.gov/it-booklets.aspx
• http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
• http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html?pagewanted=2&_r=1&emc=eta1
• http://mobile.blogs.wsj.com/cio/2012/06/06/linkedin-password-breach-illustrates-endemic-security-issue/
• http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
• http://www.forbes.com/sites/anthonykosner/2012/07/01/survey-of-effects-of-cloud-outage-shows-how-much-of-the-web-runs-on-amazon/
• http://www.wired.com/cloudline/2012/06/amazon-outage-pilot-error/
• http://www.forbes.com/sites/kellyclay/2012/06/30/aws-power-outage-questions-reliability-of-public-cloud/
• http://www.huffingtonpost.com/2012/07/02/amazon-power-outage-cloud-computing_n_1642700.html
• http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
• http://mobile.eweek.com/c/a/Security/New-Android-Malware-Better-at-Targeting-Bank-Transactions-161221/
• http://www.nftc.org/default/Innovation/PromotingCrossBorderDataFlowsNFTC.pdf
• http://www.informationweek.com/security/attacks/sql-injection-hack-infects-1-million-web/232301355
• http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232301285/latest-sql-injection-campaign-infects-1-million-web-pages.html?itc=edit_stub
• http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
• http://www.informationweek.com/government/security/nsa-chief-china-behind-rsa-attacks/232700341
• http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• https://www.bit9.com/blog/2011/03/18/rsa-and-the-apt-attack/
• http://www.msnbc.msn.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-stark-eu-us-privacy-laws/#.UFEG95afht0
• http://cyberlaw.stanford.edu/node/5544
• http://www.computing.co.uk/ctg/news/2162386/europe-s-protection-laws-cause-conflict-warn-legal-experts
• http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2120983

Page 18: Sia Partners US


Contacts at Sia Partners US

Gus Moreno, IT Risk Specialist
Sia Partners US, 641 Lexington Ave. Suite 1322, New York, NY 10022
Office : (212) 634-6325 – Cell: (917) 239-7549
Email: gus.moreno@sia-partners.com

Alexis Wyrofsky, Consultant
Sia Partners US, 641 Lexington Ave. Suite 1322, New York, NY 10022
Office : (212) 634-6325 – Cell: (401) 862-1661
Email: alexis.wyrofsky@sia-partners.com