Topics and Trends. A presentation by Vonya Global. Vonya Global LLC. Duplication without written consent from Vonya Global is not permitted.


1 Topics and Trends A presentation by Vonya Global

2 Presenter
- Steve Randall, Partner, Vonya Global
- Internal audit co-sourcing and outsourcing firm based in Chicago with international capabilities; representation in 23 countries
- Capabilities in Finance, Information Technology, Operations, and Compliance
- Member of the Institute of Internal Auditors; Chairman of the Social Media Committee
- Member of the National Association of Corporate Directors

3 Information Risk Management
- All are familiar with the concept of Risk Management: threats, vulnerabilities, likelihood
- Information is one of the most important assets of any organization
- Focused on the entity; includes management of internal and external information
- Focus of the Information Security Team
- CISO and CIRM: do you need both?
- Do you have an Information Risk Management program?

4 Information Risk Management: Why Do We Care?
- Information is the lifeblood of the organization: client information, employee information, organizational information
- Critical success factor
- Who should have it, and when?
- Information is power!

5 Information Risk Management: Auditable Focus Areas
- Data security controls and practices: how is data security focusing on INFORMATION?
- Business processes
- Cloud computing impact
- Contract review
- HR practices: employee information, HIPAA / HITECH review, employee management
- Social networking sites
- Use of mobile technology

6 Information Risk Management: Information Technology Focus Areas
- Consumerization of IT
- Cloud Computing
- Mobile Security
- Social Media

7 Consumerization of IT: Definition
The specific impact that consumer-originated technologies can have on enterprises; reflects how enterprises will be affected by, and can take advantage of, new technologies and models that originate and develop in the consumer space rather than in the enterprise IT sector. (Source: Gartner, 2010)

8 Consumerization of IT: What Is All the Hype?
- Is this the end of IT as we know it?
- Why do we care?

9 Consumerization of IT
- People are prepared to be more productive, more available, and more agile
- Technology must meet employees' needs; technology at work is expected to be as good as at home; they want to be empowered
- Embracing the workforce and empowering it with the latest and greatest technologies can help businesses unleash productivity, reduce costs, and stay competitive
- In a recent study, 83 percent of IT decision-makers characterized the effect of consumerization as mostly positive

10 Consumerization of IT: Concept Drivers
- Workforce dynamics are changing: impact of Millennials; smarter, tech-savvy employees
- Consumer-driven innovation and collaboration focus
- Increasingly reliable global network(s)
- Expanding use of mobile-based technology: smartphones, tablets, device-agnostic solutions
- Convergence of work and personal time: telecommuting, Bring Your Own Device (BYOD)

11 Consumerization of IT

12 Consumerization of IT: Risk Focus Points (IT & Audit)
- Protect the sensitive information
- Clear policies: risk-based guidance; clearly state expectations and controls
- Sound, up-to-date contingency plans
- Control of data: system-based enforcement of configurations; effective monitoring
- Effective categorization of known threats: consumer-driven and enterprise-driven
- Protection of the information!

13 Consumerization of IT: Audit Points & Areas
- Device configuration and ongoing management controls
- Opportunities to apply rogue software or patches
- Monitoring reports
- Access controls to sensitive information
- Employee-liable devices: how is information secured? Who can use the solution (corporate desktop)?
- E-discovery controls

14 Consumerization of IT: Information Sources
- Microsoft
- Citrix
- CIO Magazine (t_ignore_consumerization_of_it)
- Ipswitch
- Forrester Research

15 Cloud Computing?
- Is it the 1970s again? Not bell bottoms and platform shoes!
- Maybe it is using a centralized desktop to simplify the distributed computing platform?
- Is it the Internet?
- Everyone is getting into the game!
- If not these, then what? There are many definitions. WHY NOW?

16 Cloud Computing: What Is It?
"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of 5 Essential Characteristics, 3 Service Models, and 4 Deployment Models." (NIST definition, Mell and Grance working draft; the final NIST SP 800-145 of September 2011 adds "ubiquitous" to the first sentence and drops "promotes availability".)

17 What is the Cloud?

18 Cloud Computing: 5 Essential Characteristics
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

19 Cloud Computing: 3 Service Models
- Cloud Software as a Service (SaaS)
- Cloud Platform as a Service (PaaS)
- Cloud Infrastructure as a Service (IaaS)

20 Cloud Computing: 4 Deployment Models (1 of 2)
- Private cloud ("corporate cloud"): used by a single organization; internally or externally managed; on premise or off premise
- Community cloud: organizations with shared concerns (mission, security requirements, policy, and compliance considerations); managed by the organizations or externally managed; on premise or off premise. Example: the Department of Defense community cloud for the Afghanistan war

21 Cloud Computing: 4 Deployment Models (2 of 2)
- Public cloud: services available to the general public or a large industry group; owned by an organization selling cloud services (Google, Amazon, Microsoft, IBM, etc.)
- Hybrid cloud: a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

22 Cloud Computing: Key Risks
- Contract responsibilities (Cloud Service Provider, CSP): impact of domestic and international privacy laws; data cap restraints; conduit to data on the CSP site; service level protections
- Data ownership: who owns the data, and when?
- Application version(s); application development processes and controls
- Legal e-discovery

23 Cloud Computing: Key Risks (continued)
- Internal and external vulnerability assessments
- Incident response policies and procedures: when is the customer (you) notified? What are the remediation process and steps?
- Data deletion in the cloud: is data really destroyed? What about data retention?
- Admin access controls: who has access?
- Encryption: of access credentials, of data at rest, and of data in transit through the communication cloud. Note that CSP-managed encryption at rest does not limit what CSP administrators can read unless the keys are held outside the CSP, so the admin access question still has to be answered separately.

24 Cloud Computing: Auditable Areas
- User vs CSP responsibilities (e.g. SAS 70 / SSAE 16 service auditor reports). SSAE 16 replaced SAS 70 for reporting periods ending on or after June 15, 2011; both are scoped to controls relevant to the user's financial reporting (SOC 1), so security controls need a SOC 2 report or the user's own assessment.
- Ensure user risks have appropriate mitigating controls; minimum of an annual review
- CSP service level performance (SLA management)
- Vulnerability assessments
- Data management
- Identity and access management
- Application security controls

25 Cloud Computing: Auditable Areas (continued)
- Cloud BCP and disaster recovery processes: what happens to the data? Data retention. Can your data recovery support your Recovery Point Objectives (RPO)?
- Incident response, notification, and remediation
- Legal e-discovery processes and controls
- Who has access to your information?
- The key risk points are the focus of the audit!
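The RPO and retention questions on this slide can be answered mechanically from the restore-point list a CSP reports. The following is an added example written for this page, not part of the original slides or of any CSP tooling. The restore-point timestamps, the 24-hour RPO and the 4-day retention policy are constructed sample values; the field format is an assumption. The point it shows is that the worst-case data loss is the largest gap between consecutive restore points (plus the gap from the latest one to now), not just the age of the latest backup, and that restore points older than the retention period are evidence that data is not actually being destroyed.

```python
from datetime import datetime, timedelta

# Constructed sample: restore points a hypothetical CSP reports for one dataset
# (UTC timestamps). The 2011-09-04 backup is deliberately missing.
SAMPLE_RESTORE_POINTS = [
    "2011-09-01T00:00:00",
    "2011-09-02T00:00:00",
    "2011-09-03T00:00:00",
    "2011-09-05T00:00:00",  # 48 h after the previous point
    "2011-09-06T00:00:00",
]
SAMPLE_NOW = "2011-09-06T20:00:00"

# Constructed sample policy values (assumptions, not from the slides).
RPO = timedelta(hours=24)
RETENTION = timedelta(days=4)


def parse(ts):
    """Parse the ISO-8601 timestamp format assumed for the CSP export."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def worst_case_data_loss(restore_points, now):
    """Largest window of data that would be lost if a failure hit at the worst moment.

    That is the biggest gap between consecutive restore points, or the gap from the
    newest restore point to 'now' if that is larger.
    """
    points = sorted(parse(p) for p in restore_points)
    now = parse(now)
    gaps = [later - earlier for earlier, later in zip(points, points[1:])]
    gaps.append(now - points[-1])  # data written since the newest restore point
    return max(gaps)


def rpo_met(restore_points, now, rpo):
    """True only if every possible failure time loses at most 'rpo' worth of data."""
    return worst_case_data_loss(restore_points, now) <= rpo


def retention_violations(restore_points, now, retention):
    """Restore points older than the retention period that the CSP still holds."""
    now = parse(now)
    return [p for p in restore_points if now - parse(p) > retention]


def audit_recovery(restore_points, now, rpo, retention):
    """Return a list of audit findings (empty list means both checks passed)."""
    findings = []
    loss = worst_case_data_loss(restore_points, now)
    if loss > rpo:
        findings.append(f"RPO breach: worst-case data loss {loss} exceeds RPO {rpo}")
    stale = retention_violations(restore_points, now, retention)
    if stale:
        findings.append(
            f"Retention breach: {len(stale)} restore point(s) older than {retention} "
            f"still held by the CSP: {stale}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_recovery(SAMPLE_RESTORE_POINTS, SAMPLE_NOW, RPO, RETENTION):
        print(finding)
```

With the sample data the newest backup is only 20 hours old, so a check that looks at the latest backup alone would pass the 24-hour RPO; the missing 2011-09-04 restore point makes the real worst case 48 hours. The retention check works the other way round: the first two restore points are older than 4 days and should already have been destroyed.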

26 Cloud Computing: Information Sources
- ISACA
- Cloud Security Alliance (CSA)
- NIST

27 Cloud Computing: Information Sources (continued)
- Gartner (g_sitelink&ref=g_noreg)
- TCLD
- Pew report, "The Future of Cloud Computing"

28 Mobile Security: The Information Risk Marketplace
- A key concept of consumerization of IT
- One of the fastest-growing information risk points
- Continued expansion of capabilities in phone devices; integration of tablet platforms; expansive growth of applications for the platforms
- Corporate-liable vs employee-liable devices: not a financially driven decision; employee choice

29 Mobile Security: Growing Risk Areas
- Continued expansion of platforms; tablet expansion expected to peak in the period
- Continued expansion of applications
- Impact of the cloud: growth of alternative storage clouds (Apple, Amazon, IBM, HP)
- Configuration management issues; change management

30 Mobile Security: Growing Risk Areas (continued)
- Threat identification and management
- Consumer devices attaching to the corporate network
- Control of data: configurations, monitoring, user device management

31 Mobile Security: Risk Mitigation Focus
- Increasing use of device-level encryption tools
- Use of tools designed to manage devices over the air (OTA)
- Major vendors addressing information risk management concepts: configuration management, enforcement of security controls, OTA solutions, device recovery
- Ongoing: the edge of the enterprise
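The audit points on slide 13 (device configuration and ongoing management controls, monitoring reports) and the mitigation focus on this slide (device-level encryption, configuration management, enforcement of security controls over the air) come down to comparing each device's reported posture against a baseline. The following is an added example written for this page; it is not part of the slides and not the output of any real MDM product. The device records, field names, minimum OS versions and 7-day check-in window are constructed assumptions. It covers both slides, and it deliberately includes a version string ("2.10.0") that a naive string comparison would misjudge as older than "2.3.3", since that is the kind of mistake that lets out-of-date devices pass a review.

```python
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical MDM tool; field names are assumptions.
# Corporate-liable and employee-liable devices are held to the same baseline.
SAMPLE_DEVICES = [
    {"id": "D1", "platform": "ios", "os_version": "4.3.5", "encrypted": True,
     "passcode": True, "rooted": False, "last_checkin": "2011-09-05T09:00:00",
     "liability": "corporate"},
    {"id": "D2", "platform": "android", "os_version": "2.3.4", "encrypted": False,
     "passcode": True, "rooted": False, "last_checkin": "2011-09-06T07:30:00",
     "liability": "employee"},
    {"id": "D3", "platform": "ios", "os_version": "4.2.1", "encrypted": True,
     "passcode": False, "rooted": True, "last_checkin": "2011-08-20T12:00:00",
     "liability": "employee"},
    {"id": "D4", "platform": "android", "os_version": "2.10.0", "encrypted": True,
     "passcode": True, "rooted": False, "last_checkin": "2011-09-06T06:00:00",
     "liability": "corporate"},
]
SAMPLE_NOW = "2011-09-06T12:00:00"

# Constructed sample baseline (assumptions, not from the slides).
POLICY = {
    "min_os": {"ios": "4.3.0", "android": "2.3.3"},
    "max_checkin_age": timedelta(days=7),  # a device the OTA tool cannot reach is unmanaged
}


def version_tuple(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings.

    Purely numeric dotted versions are assumed; suffixes such as '4.3.5b' are out of scope.
    """
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device, policy, now):
    """Return the list of baseline violations for one device (empty means compliant)."""
    reasons = []
    minimum = policy["min_os"].get(device["platform"])
    if minimum is None:
        reasons.append(f"platform {device['platform']} not covered by policy")
    elif version_tuple(device["os_version"]) < version_tuple(minimum):
        reasons.append(f"OS {device['os_version']} below minimum {minimum}")
    if not device["encrypted"]:
        reasons.append("device encryption disabled")
    if not device["passcode"]:
        reasons.append("no passcode set")
    if device["rooted"]:
        reasons.append("jailbroken/rooted")
    age = datetime.strptime(now, "%Y-%m-%dT%H:%M:%S") - datetime.strptime(
        device["last_checkin"], "%Y-%m-%dT%H:%M:%S")
    if age > policy["max_checkin_age"]:
        reasons.append(f"last check-in {age.days} days ago; OTA enforcement not reaching device")
    return reasons


def noncompliant_devices(devices, policy, now):
    """Map device id -> violations for every device that fails the baseline."""
    report = {}
    for device in devices:
        reasons = evaluate_device(device, policy, now)
        if reasons:
            report[device["id"]] = reasons
    return report


if __name__ == "__main__":
    for device_id, reasons in noncompliant_devices(SAMPLE_DEVICES, POLICY, SAMPLE_NOW).items():
        print(device_id, "->", "; ".join(reasons))
```

The output of `noncompliant_devices` is the monitoring report an auditor would sample: D2 fails only on encryption, D3 fails on OS level, passcode, root status and reachability, while D1 and D4 pass (D4 passes only because versions are compared numerically).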

32 Social Media
Social media is the use of web-based and mobile technologies to turn communication into interactive dialogue.
Two Principles:

33 Social Media Channels
Services: LinkedIn, Facebook, Twitter, blogs, YouTube, RSS feeds, Plaxo, Classmates, Myspace, etc.

34 "If you haven't gotten online and joined the conversation, you may be falling behind professionally." Lucy Marcus, CEO, Board Member

35 LinkedIn
- The site officially launched on May 5, 2003
- World's largest professional online network
- More than 100 million members in over 200 countries
- One million new members every week
- More than 2 million companies have LinkedIn Company Pages

36 Twitter
- 370,000 new sign-ups daily
- 95,000,000 Tweets per day
- 175,000,000 registered users

37 Facebook
- More than 500 million active users
- 50% of users log on to Facebook in any given day
- Average user has 130 friends
- People spend over 700 billion minutes per month on Facebook

38 Social Media: It's Risky
- Reputation risk: one happy client or supplier tells one person; one unhappy client or supplier tells millions
- Privacy breaches
- IP leaks
- No physical boundaries
- Little time to react
- Employee productivity (?)
- Threat to information resources: distributed access (home computer, handheld device, etc.)

39 Social Media: Can We Audit?
- Evaluate the corporate social media policy: is it defined? Is it documented? Has it been communicated?
- Do we monitor and enforce the policy? How?
- Who owns the various risks, and what systems are they using to manage the risk?
- Social listening: do we???

40 Questions

41 Contact Information
Vonya Global, 150 N. Michigan Ave, Suite 2935, Chicago, IL
Steve Randall - srandall@vonyaglobal.com
Kelvin Walker - kwalker@vonyaglobal.com