Does Audit Make us Secure? A practical response


1 Does Audit Make us Secure? A practical response
Presented at ISACA SV Spring Conference, May 15th 2015
Robin Basham, M.Ed, M.IT, CISA, CRISC, CGEIT, HISP, CRP, VRP
Director, Enterprise Compliance, Ellie Mae, Inc.

2 Companies that passed audit and had a major breach

March 18, 2015: Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.

The Heartland intrusion began in May 2008, even though the company had passed multiple audits, including one conducted on Apr. 30. At the time, the Princeton (N.J.) company was in compliance with industry standards for data security, Carr says. Still, shortly afterward, 13 pieces of malware that capitalize on weaknesses in Microsoft (MSFT) software infiltrated one or more network servers. "We get pinged 200,000 times per day by people trying to hack into our system," Carr says. "You do everything you can to make sure one of those pings doesn't get through, and we thought we had done everything we could do."

3 Does audit make us secure? Why not?

4 Is it me?
- We establish scope and imply permission for less secure practices on lower-impact systems
- We audit what we understand and miss the most important areas of risk
- We expose a wide range of people to known areas of weakness
- We distract people from their core responsibilities
- We create a false sense of security by under-representing complex and broken processes

5 Did I Pick the Right Form of Risk Assessment?
- If our goal is to determine whether we are secure, we need to pick the right array of risk and threat assessment methods.
- If our goal is to help management create a more secure enterprise, we have to engage with our business partners to provide meaningful metrics that inform choices and decisions about the architecture, processes, and people who run our enterprise.
- Integrated Audit (GRC) assists management to set compliance goals that can be achieved, to track where process evidence is stored, and to enable continuous improvement through internal control self-assessment.

6 GRC Contributes by using a Cyber Security Model
- Identify: CMDB, People, Process, Technology, relationships, alignment to controls
- Protect: Architecture, Infrastructure, Monitoring
- Detect: Defined Sources, Collection, Interpretation, Reporting Methods
- Respond: RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
- Recover: Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA

7 Configuration Management using COBIT 5

8 Stuff the GRC Team can Track to Inform Control Design & Risk
- Intrusion Detection System (IDS) events
- Virus alerts and corresponding HelpDesk cases to clean infected systems
- DLP events and confirmation of false positives, loss events and corrective actions
- Vulnerabilities identified, risk ranking, effort and plan to remediate, remediation status
- Patch requirements and mean time to remediate (MTTR)
- Daily anti-virus status (Red, Yellow, Green), # of events blocked, cleaned, definition updates
- Daily endpoint patching, # of systems in and out of compliance
- Daily system backups, systems not backed up
- Number of volume copies made, saved, purged
- Security project plans, milestones, issues or blockers
- Infrastructure remediation through tickets and change requests
- Post-implementation effectiveness for corrected security problems (ROI)
- Templated configurations, systems monitored, services per system

9 Confirm Incident Definitions, Review, Response
- Scheduled outputs to a central mailbox (restrict delete)
- Track incident notifications
- Establish and RUN rules for follow-up
- Set flags to communicate closed corrective action

10 People and Access: Focus on Integrated Reporting, Access Governance
- Use PowerShell to gather all local Admin accounts on all systems
- Use ADManager or other tools to pull all members of all groups
- Compare active users in HR systems to roles granted to all identities
- Track effectiveness of department security roles and access grants
- Publish an exception policy and have management sign off at least quarterly
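As an added example (not from the presentation), this PowerShell script does the first and third bullets together: it inventories local Administrators group members across a set of Windows hosts and reconciles the user principals against an HR active-user export, writing the raw inventory, the exceptions and the unreachable hosts to dated files for the corrective-action tracker. It assumes a servers.txt (one hostname per line), an hr_active_users.csv with a SamAccountName column, WinRM enabled on the hosts, and a querying account that may read local group membership.

```powershell
# Added example, not from the slides. Assumed inputs: .\servers.txt (one host per line)
# and .\hr_active_users.csv with a SamAccountName column (both constructed for this example).
$computers = Get-Content -Path .\servers.txt
$hrActive  = Import-Csv -Path .\hr_active_users.csv |
             ForEach-Object { $_.SamAccountName.ToLower() }

# Collect local Administrators membership remotely. Connection failures are captured in
# $collectErrors instead of aborting, so one dead host does not hide the rest of the data.
$localAdmins = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
                              -ErrorVariable collectErrors -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [PSCustomObject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name              # e.g. CORP\jdoe or HOST\localuser
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
        }
    }
}

# Hosts that did not answer are a coverage gap in the data collection and are reported as such.
$unreached = $collectErrors | ForEach-Object { $_.TargetObject } | Sort-Object -Unique

# Flag user principals whose account name is not an active HR identity. Local-only accounts,
# service accounts and leavers all land here; each one needs an owner or a removal ticket.
$exceptions = $localAdmins | Where-Object { $_.ObjectClass -eq 'User' } | ForEach-Object {
    $sam = ($_.Member -split '\\')[-1].ToLower()
    if ($hrActive -notcontains $sam) {
        [PSCustomObject]@{
            Computer = $_.Computer
            Member   = $_.Member
            Source   = $_.Source
            Reason   = 'Not an active HR identity'
        }
    }
}

# Date-stamped outputs so the counts can be trended from run to run.
$stamp = Get-Date -Format 'yyyyMMdd'
$localAdmins | Export-Csv -Path ".\local_admins_$stamp.csv" -NoTypeInformation
$exceptions  | Export-Csv -Path ".\local_admin_exceptions_$stamp.csv" -NoTypeInformation
$unreached   | Set-Content -Path ".\unreached_hosts_$stamp.txt"
"{0} hosts queried, {1} unreachable, {2} admin entries, {3} exceptions" -f `
    @($computers).Count, @($unreached).Count, @($localAdmins).Count, @($exceptions).Count
```

Group members (for example Domain Admins nested in the local group) are kept in the inventory but not reconciled here; expanding them against the AD group pull from the second bullet is the natural next step.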

11 How can audit drive security? Manage Corrective Actions!

12 Data System Relationships to Audit, Classification, Risk
- Assets include applications, products, services, file shares, devices, OS, infrastructure
- Assets are owned, administered, developed, supported, classified, documented
- Data and transactions source audit information

13 Get The Data Trend and Report

14 Inversion of Control v. Faith: Managing Complexity through Framework
- Each control is a data point with related governance processes: policies, SOPs, corporate strategic objectives, department strategic and tactical objectives, business risks, changing owners, programs, initiatives, people, tools, access profiles and asset profiles.
- All of these elements are reviewed by three or more separate independent agencies at a rate that is annual, bi-annual, quarterly, monthly or continuous.
- The GRC must collectively represent reliable information to inform our management, shareholders and customers that we manage our risks.
- Evidence that we actually accomplish this is required for SOX, SOC, FDIC and all of our customers asking that we provide yearly due diligence.
- GRC has to help management make us more secure.

15 Document and Follow a Data Collection Practice
- Well thought out data collection strategy
- Order of operations
- Source coverage
- Test mapping
- Validation process
- Imports, reference tables, audit queries
- Output to corrective actions tracking

16 Give Management Knowledge: Fact-based observations

17 Risk Reporting: Tie Controls to Corporate Risks
- Use the data collection strategy to inform corporate risk
- Make all reports personal by assigning programs, departments and key initiatives
- Incorporate notification strategies
- Maintain and gain consensus

18 It's always about money (Materiality)
- Financial statement audits measure materiality in monetary terms.
- Integrated Audit provides IT assurance on non-financial items and requires alternative measures (maturity models and process assurance methodology).
- We meet objectives so we can make money or retain money.

19 Continuous Feedback GAP in ISMS

20 Focus on Effectiveness GAP v. Audit Bar

21 Risk Reports distributed to VP and executives

22 Tie every data point to the company mission: speak business

For want of a nail a horseshoe was lost, for want of a horseshoe a horse went lame, for want of a horse a rider never got through, for want of a rider a message never arrived, for want of a message an army was never sent, for want of an army a battle was lost, for want of a battle a war was lost, for want of a war a kingdom fell, and all for want of a nail.

23 Management uses Executive Strategy to put Risk Response in Three Buckets: Own your bucket

Avoid - Action
- PROHIBIT unacceptable high-risk activities, transactions, financial losses, and asset exposures through appropriate limit structures and corporate standards.
- STOP specific activities by redefining objectives, refocusing strategies or redirecting resources.
- ELIMINATE at the source by designing and implementing internal preventive processes.

Accept and Control
- ACCEPT risk at its present level, taking no further action.
- PLAN for well-defined contingencies by documenting a responsive plan and empowering people to make decisions and periodically test and, if necessary, execute the plan.
- CONTROL risk through internal processes that reduce the likelihood of events occurring to an acceptable level.

Share - Directions
- SHARE risk/rewards of investing in new markets and products by entering into alliances or joint ventures.
- CREATE new value-adding products, services and channels.
- RENEGOTIATE existing contractual agreements to reshape the risk profile, i.e. transfer or reduce.

24 The risks identified have actual probability: get the lessons learned

25 Thank You for your time