Dan Hirstein CISA, CIA Director Advisory Services Deloitte & Touche LLP May 13, 2010


2
- 12 years as an information systems practitioner (database administrator, security administrator, operations manager, etc.)
- 18 years in internal audit and risk consulting roles
- 12 years with Deloitte
- Certified Information Systems Auditor (CISA)
- Certified Internal Auditor (CIA)

3 The more things change, the more they stay the same

4
- Access to data should be provided to individuals based on their job duties and functions
- Access should be removed when no longer required
- Systems should be secured to prevent personnel, whether unauthorized or authorized, from using corporate data inappropriately
- All changes to technology resources should be performed based on management's intentions
- All data should be available in the event of an emergency

5
- Application/system terminal timeouts
- Banner pages
- Single use of user IDs (one person per ID)
- Physical security
- User privileges
- File/library permissions
- Remote access restrictions
- Disabling inactive users
- System parameters
- Centralized access processes
- Performance monitoring
- Audit logging
- Approval of changes

6
- Users with excessive access to system resources
- Lack of thorough understanding of security principles among employees
- Ineffective system parameters
- Lack of adequate audit logging and monitoring
- Ineffective file restrictions
- Concern over social engineering

7
- Regulatory requirements linked to controls (SOX, HIPAA, PCI)
- Access to system resources is obtained by a variety of methods
- Social networking/engineering (Facebook, LinkedIn, texting, etc.)
- USB/PDA devices
- User community is more educated regarding use of technology
- Economy has challenged the trust in employees
- IT departments are a focus for reductions

8
- Companies have given more attention to their technology environments, specifically information security
- Companies have a better understanding of the significance of IT and its impact on the overall corporate risk profile
- The pervasiveness of exceptions has decreased over the past 3 years
- Smaller companies continue to struggle with implementing concepts such as segregation of duties and change control
- The economy is forcing IT to perform at a heightened level of efficiency and, in some instances, to perform more (or the same) with less

9 What is the area with the highest number of exceptions?

10 User Security
Key Guiding Principle: Users should only have, and retain, access to what they need to perform their job functions

11
- Segregation of duties
- Excessive privileges
- Transfer/termination processes
- Control of contractor access
- Lack of effective security awareness training

12
Segregation of duties
- Assigning risk to specific business process duties
- Utilizing tools to identify and modify access as appropriate
- Identity/role-based management
User reviews
- Regular reviews of user access for IT and business process responsibilities
- Review of application capabilities as well as authorization for access
- Inclusion of key process access capabilities
- Monitoring of completeness of reviews
- Inclusion of contractors in review processes
Enhanced transfer processes
- Automated processes to identify changes and verify access
- Notification of receiving and sending managers
- Regular review of conflicts between job functions
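The three themes on this slide (segregation-of-duties conflicts, user reviews that include contractors, and transfer/termination follow-up) are the kind of checks that can be run automatically against an HR feed and an entitlement export. The following is an added example, not code from the presentation or from Deloitte; the entitlement names, department names, the owning-department mapping and the conflict pairs are assumptions made up for illustration, and the user population is constructed.

```python
"""Added example (not from the presentation): an automated user access review
that applies the slide's three themes to a constructed user population.
The entitlement names, department names and conflict pairs are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Which department "owns" each entitlement. Used to spot transferred users who
# kept access belonging to the department they left. (Constructed mapping.)
ENTITLEMENT_OWNER = {
    "vendor_create": "procurement",
    "payment_approve": "finance",
    "journal_post": "finance",
    "journal_approve": "finance",
    "crm_read": "sales",
    "developer": "it",
    "prod_deploy": "it",
}

# Entitlement pairs one person must not hold at the same time (assumed rules,
# e.g. creating a vendor and approving payments to it).
SOD_CONFLICTS = [
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"developer", "prod_deploy"}),
]


@dataclass
class User:
    user_id: str
    status: str                          # "active", "terminated" or "transferred" (from the HR feed)
    department: str                      # current department from the HR feed
    entitlements: set = field(default_factory=set)
    contractor_end: Optional[date] = None  # contract end date; None for employees


def review_access(users, as_of):
    """Return (user_id, finding, detail) tuples for everything a reviewer must act on."""
    findings = []
    for u in users:
        # Termination process: HR says gone, but access still exists.
        if u.status == "terminated" and u.entitlements:
            findings.append((u.user_id, "terminated user retains access", sorted(u.entitlements)))
        # Contractor control: contract ended but the ID still carries entitlements.
        if u.contractor_end is not None and u.contractor_end < as_of and u.entitlements:
            findings.append((u.user_id, "contractor past end date retains access", sorted(u.entitlements)))
        # Transfer process: entitlements owned by a department other than the current one.
        if u.status == "transferred":
            stale = sorted(e for e in u.entitlements
                           if ENTITLEMENT_OWNER.get(e) not in (None, u.department))
            if stale:
                findings.append((u.user_id, "transferred user retains prior-department access", stale))
        # Segregation of duties: any complete conflict pair held by one person.
        for pair in SOD_CONFLICTS:
            if pair <= u.entitlements:
                findings.append((u.user_id, "segregation of duties conflict", sorted(pair)))
    return findings


def sample_users():
    """Constructed population for the example."""
    return [
        User("alice", "active", "finance", {"journal_post", "journal_approve"}),
        User("bob", "terminated", "it", {"developer"}),
        User("carol", "transferred", "sales", {"vendor_create", "crm_read"}),
        User("dave", "active", "it", {"prod_deploy"}, contractor_end=date(2010, 4, 30)),
        User("erin", "active", "finance", {"journal_post"}),
    ]


def run_sample():
    return review_access(sample_users(), as_of=date(2010, 5, 13))


if __name__ == "__main__":
    for user_id, finding, detail in run_sample():
        print(f"{user_id:8} {finding}: {', '.join(detail)}")
```

The review produces four findings for the constructed population (alice's conflict, bob's surviving access, carol's procurement entitlement carried into sales, and dave's expired contract); erin is clean. In practice the HR feed, not the directory, is the authority for status and department, and the conflict list is maintained by the business process owners who assigned the risk to each duty.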

13 Change Management
Key Guiding Principle: How does management know whether anything was changed, and what was changed, at 2 pm today?

14
Developer access to production
- Source, data and application
- Continued and uninterrupted access
Emergency change processes
- Obtaining post-approvals
- Control of firecall IDs

15
Developer access to production
- Prohibit developer update access to production
- Allow restricted firecall/special-privileged user IDs (limited in time and scope), or
- Allow open-ended firecall/special-privileged user IDs (higher risk; the monitoring below becomes essential)
- Monitor activity of developer user IDs
Emergency change process
- Implement a post-approval process
- Identify criteria for emergency changes
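Monitoring developer IDs and firecall IDs only means something if the activity log is compared against a checkout register: who took which emergency ID, for which ticket, for what window, and whether the post-approval was obtained in time. The following is an added example, not code from the presentation; the log line format, hostnames, ID naming, ticket numbers and the 24-hour post-approval deadline are all constructed assumptions.

```python
"""Added example (not from the presentation): reviewing firecall ID use and
developer activity in production against a checkout register.
The log format, ID naming, hostnames, tickets and the approval SLA are constructed."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)"
)

# Constructed audit records from production hosts (not real system output).
SAMPLE_LOG = """\
2010-05-13T13:45:10 host=prod-db1 user=FIRECALL01 action=UPDATE target=ORDERS
2010-05-13T14:02:33 host=prod-db1 user=FIRECALL01 action=SELECT target=ORDERS
2010-05-13T18:20:05 host=prod-db1 user=FIRECALL01 action=UPDATE target=PAYMENTS
2010-05-13T15:10:00 host=prod-app2 user=dev_jsmith action=UPDATE target=/opt/app/config.xml
2010-05-13T15:12:00 host=prod-app2 user=dev_jsmith action=READ target=/var/log/app.log
2010-05-13T16:00:00 host=prod-db1 user=FIRECALL02 action=UPDATE target=CUSTOMERS
"""

# Constructed checkout register: who took which firecall ID, for which ticket,
# for what window, and when management's post-approval was recorded (None = not yet).
CHECKOUTS = [
    {"firecall_id": "FIRECALL01", "checked_out_by": "dev_jsmith", "ticket": "CHG-1042",
     "start": datetime(2010, 5, 13, 13, 30), "end": datetime(2010, 5, 13, 15, 30),
     "approved_at": datetime(2010, 5, 14, 9, 0)},
    {"firecall_id": "FIRECALL02", "checked_out_by": "dev_alee", "ticket": "CHG-1047",
     "start": datetime(2010, 5, 13, 10, 0), "end": datetime(2010, 5, 13, 12, 0),
     "approved_at": None},
]
FIRECALL_IDS = {"FIRECALL01", "FIRECALL02"}
DEVELOPER_IDS = {"dev_jsmith", "dev_alee"}
UPDATE_ACTIONS = {"UPDATE", "INSERT", "DELETE", "WRITE"}
POST_APPROVAL_SLA = timedelta(hours=24)   # assumed policy: post-approval within 24 hours of the window end


def parse_log(text):
    """Parse the constructed log format into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:                                   # lines that do not fit the format are skipped
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def review_firecall(events, checkouts, now):
    findings = []
    for ev in events:
        # Developers must not update production with their own IDs (reads are allowed here).
        if ev["user"] in DEVELOPER_IDS and ev["action"] in UPDATE_ACTIONS:
            findings.append(("developer update in production", ev["user"],
                             ev["ts"].isoformat(), ev["target"]))
        # Every firecall action must fall inside an approved checkout window for that ID.
        if ev["user"] in FIRECALL_IDS:
            covered = any(c["firecall_id"] == ev["user"] and c["start"] <= ev["ts"] <= c["end"]
                          for c in checkouts)
            if not covered:
                findings.append(("firecall activity outside checkout window", ev["user"],
                                 ev["ts"].isoformat(), ev["target"]))
    # Post-approval: missing and overdue, or recorded after the deadline.
    for c in checkouts:
        deadline = c["end"] + POST_APPROVAL_SLA
        if c["approved_at"] is None and now > deadline:
            findings.append(("post-approval overdue", c["firecall_id"], c["ticket"], c["checked_out_by"]))
        elif c["approved_at"] is not None and c["approved_at"] > deadline:
            findings.append(("post-approval recorded late", c["firecall_id"], c["ticket"], c["checked_out_by"]))
    return findings


def run_sample():
    return review_firecall(parse_log(SAMPLE_LOG), CHECKOUTS, now=datetime(2010, 5, 15, 9, 0))


if __name__ == "__main__":
    for f in run_sample():
        print(" | ".join(f))
```

On the constructed data the review raises four findings: FIRECALL01 used at 18:20 after its window closed, FIRECALL02 used with no covering checkout at all, dev_jsmith updating a production configuration file under his own ID, and the FIRECALL02 ticket still lacking post-approval two days later. The same structure works for an open-ended firecall ID: the checkout register then supplies the only window there is, which is why the slide pairs that option with monitoring.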

16 System Administration
Key Guiding Principle: Systems should be administered in a manner that promotes the integrity of corporate data

17
File permissions
- Inappropriate file permissions assigned to key application and system files
- Lack of processes to monitor file permission changes
System trusting (trust relationships between systems)
- Lack of understanding and control of system trusting
- Lack of approval and monitoring processes
Audit logging
- Lack of auditing for successful and unsuccessful access attempts
- Lack of proactive monitoring

18
File permissions
- Identification of key system and application files/directories
- Implementation of monitoring processes for file modifications
- Establishment of a standard system build with correct permissions
System trusting
- Identification of the various system trusting mechanisms and their risks
- Implementation of approval processes
- Restricting access to the files that control trusts (where possible)
Audit logging
- Inclusion of successful file accesses where risk has been identified
- Proactive review of certain logged activities
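The file-permission items on this slide come together as one check: a list of key files, the mode and owner each should have under the standard build, and a periodic comparison of the live host against that baseline. The following is an added example, not code from the presentation; the paths, modes, owners and the "current" snapshot are constructed, and a trust-controlling file (hosts.equiv) is included only to show that such files belong on the list.

```python
"""Added example (not from the presentation): comparing the permissions and
ownership of key system and application files against a build baseline.
The paths, modes and owners are constructed; on a real host the CURRENT
dictionary would come from snapshot_from_filesystem()."""
import os
import stat

# Baseline from the standard build: expected mode bits and owner of each key file.
BASELINE = {
    "/etc/passwd":                 {"mode": 0o644, "owner": "root"},
    "/etc/shadow":                 {"mode": 0o640, "owner": "root"},
    "/etc/hosts.equiv":            {"mode": 0o600, "owner": "root"},    # controls host trust
    "/opt/app/bin/payroll":        {"mode": 0o750, "owner": "appsvc"},
    "/opt/app/conf/db.properties": {"mode": 0o640, "owner": "appsvc"},
}

# Constructed "current" snapshot of the same host, seeded with several drifts.
CURRENT = {
    "/etc/passwd":            {"mode": 0o644, "owner": "root"},
    "/etc/shadow":            {"mode": 0o644, "owner": "root"},    # now world-readable
    "/etc/hosts.equiv":       {"mode": 0o600, "owner": "jdoe"},    # owner changed
    "/opt/app/bin/payroll":   {"mode": 0o777, "owner": "appsvc"},  # world-writable
    "/opt/app/conf/debug.sh": {"mode": 0o755, "owner": "appsvc"},  # not in the baseline
    # /opt/app/conf/db.properties is absent from the snapshot
}


def world_writable(mode):
    return bool(mode & stat.S_IWOTH)


def compare(baseline, current):
    """Return (path, issue, detail) for every deviation from the baseline."""
    findings = []
    for path, expected in baseline.items():
        actual = current.get(path)
        if actual is None:
            findings.append((path, "missing", ""))
            continue
        if actual["mode"] != expected["mode"]:
            issue = "world-writable" if world_writable(actual["mode"]) else "mode drift"
            findings.append((path, issue,
                             f"expected {expected['mode']:04o}, found {actual['mode']:04o}"))
        if actual["owner"] != expected["owner"]:
            findings.append((path, "owner mismatch",
                             f"expected {expected['owner']}, found {actual['owner']}"))
    # Files that appeared in a monitored location without a baseline entry.
    for path in sorted(set(current) - set(baseline)):
        findings.append((path, "not in baseline", f"mode {current[path]['mode']:04o}"))
    return findings


def snapshot_from_filesystem(paths):
    """Build a snapshot dict from the live host (Unix only); absent files are skipped."""
    import pwd
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:            # uid with no passwd entry (itself worth a finding)
            owner = str(st.st_uid)
        snap[p] = {"mode": stat.S_IMODE(st.st_mode), "owner": owner}
    return snap


if __name__ == "__main__":
    for path, issue, detail in compare(BASELINE, CURRENT):
        print(f"{issue:16} {path} {detail}")
```

The constructed snapshot yields five findings (shadow readable by everyone, payroll world-writable, hosts.equiv owned by a personal account, the database properties file gone, and an unbaselined script in the configuration directory). World-writable is reported ahead of plain drift because it is the case that lets any user on the host alter an application binary. The baseline file itself should be protected and version-controlled, since an attacker who can edit it can silence the check.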

19 Future Considerations

20
- The economy could impact the following through workforce reductions:
  - System availability
  - Ineffective execution of controls
  - Taking shortcuts in control processes
  - Lack of adequate review and monitoring
- Continued distributed access will stress controls
- Desire for quick reaction to market changes will stress change control processes
- Control over third-party providers

21 Dan Hirstein (816)

22 Copyright 2010 Deloitte Development LLC. All rights reserved.