Emerging Technology and Security Update

Transcription

1 Emerging Technology and Security Update February 13, 2015 Jordan Reed Managing Director

2 Agenda 2015 Internal Audit Capabilities and Needs Survey 2014 IT Priorities Survey Results 2014 IT Security and Privacy Survey 2015 IT Audit Benchmarking Survey Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

3 Current Events Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

4 Protiviti s 2015 Internal Audit Capabilities and Needs Survey Preview

5 Survey Overview About the Survey Protiviti conducted the survey in December More than 800 respondents took the survey. The survey included close to 290 topics areas divided into four major sections: General Technical Knowledge Technical Knowledge specific to U.S. Financial Services Industry, Healthcare Provider Industry, Healthcare Payer Industry and Manufacturing Industry Audit Process Knowledge Personal Skills and Capabilities Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

6 General Technical Knowledge Three-Year Comparison S.No Need to Improve "Need to Improve" Rank Areas Evaluated by Respondents Competency (5-pt. scale) 1 45% 1 GTAG 16: Data Analysis Technologies % (Tie) NIST Cybersecurity Framework % 2 Mobile Applications % 3 Practice Advisory : Continuous Assurance % 4 The Guide to the Assessment of IT Risk (GAIT) % ISO (information security) % 5 (Tie) Cloud Computing % GTAG 17: Auditing IT Governance Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

7 General Technical Knowledge Three-Year Comparison Social media applications Recently enacted IIA Standard Functional Reporting Interpretation (Standard 1110) Recently enacted IIA Standards Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1) GTAG 16 Data Analysis Technologies Recently enacted IIA Standard Overall Opinions (Standard 2450) Cloud computing The Guide to the Assessment of IT Risk (GAIT) GTAG 13 Fraud Prevention and Detection in an Automated World ISO (information security COSO Internal Control Framework (DRAFT 2012 version) Practice Guide Assessing the Adequacy of Risk Management GTAG 6 Managing and Auditing IT Vulnerabilities Fraud risk management Mobile applications NIST Cybersecurity Framework Social media applications Cloud Computing GTAG 16: Data Analysis Technologies GTAG 16: Data Analysis Technologies NIST Cybersecurity Framework Mobile Applications Practice Advisory : Continuous Assurance The Guide to the Assessment of IT Risk (GAIT) ISO (information security) Cloud Computing GTAG 17: Auditing IT Governance Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

8 Protiviti s IT Priorities Survey

9 Top Priorities According to the survey results, IT transformation has become the new normal for companies. Nearly two-thirds of respondents (63 percent) reported that some form of major IT transformation is under way in their organizations. Most notable priorities for 2014 : Enhancing and protecting business value. All eyes on security. Managing and classifying all that data. Strengthening IT asset management. More mobile, more social Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

10 Managing Security and Privacy Key Findings Among all of the IT organization s many responsibilities, managing security and privacy ranks among its most vital priorities. Preparing for, monitoring for and responding to security incidents swiftly and effectively, based on an established policy and tested processes understandably is deemed to be a critical concern. Other significant priorities include enterprise data classification and management, identity and access management, and IT user management, as well as technical infrastructure configuration. Organizations are continuing to evolve their thirdparty/vendor management programs, especially in light of recent security breaches undertaken by using vendor credentials Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

11 IT Process Capabilities: Managing Security and Privacy Three-Year Comparison Overall Results* Managing and classifying enterprise data California Security Breach Information Act (SB 1386) Managing and classifying enterprise data Incident response Developing and maintaining security and privacy standards Monitoring Security Events U.S. Gramm-Leach-Bliley Act Monitoring security events Managing IT Users Managing user identities and access Managing third-party vendors Managing Third-Party Vendors Managing third-party vendors Incident response Monitoring security events Implementing security/privacy solutions and strategies Managing user identities and access Implementing security/privacy solutions and strategies Managing and classifying enterprise data Managing user identities and access *Certain areas in this category were not included in all years of the survey Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

12 Management and Use of Data Assets Key Findings Legacy infrastructure can limit the ability to access data in more meaningful ways. Big Data expands further the demand for information and value from data analytics, while providing increased technical complexity. Note: Most organizations are thinking about big data. Large company CIOs place a greater priority on big data for 2014 Master Data Management and Data Governance are important components of the IT function s role in protecting business value. Data analytics are important to enhancing business decision making and strategic direction. Business Intelligence and reporting tools are a significant priority but require an effective and comprehensive information management strategy to be successful Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

13 Managing IT Assets Key Findings Monitoring and accounting for IT assets have grown more complex due to smart device proliferation, growing workforce mobility and reliance on external partners. Software and hardware deployment, along with managing software licensing and compliance, are the most significant IT asset management priorities. Retirement issues, including licensing recovery and sensitive data contained on retired assets are of concern. Improving the management and administration of backup and recovery, along with a need for better storage management and planning are emphasized. Looking for ways to strengthen database change management, IT infrastructure change management, job processing and network performance planning Focusing on the development, ongoing maintenance and testing of business continuity programs and IT disaster recovery plans. Ensuring IT aspects of BCM programs align with business objectives and needs, and have the support of executive management Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

14 Protiviti s IT Security and Privacy Survey

15 Key Findings Bridging the Data security Chasm 1 Board engagement is a key differentiator in the strength of IT security profiles. 2 There remains a surprising lack of key core information security policies. 3 Organizations lack high confidence in their ability to prevent a cyber attack or data breach. 4 Not all data is equal companies retaining data without structure has more than doubled. 5 Many are still unprepared for a crisis Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

16 The Top Performers How engaged is your board of directors with information security risks? High engagement and level of understanding by the board Medium engagement and level of understanding by the board Low engagement and level of understanding by the board All respondents Large companies ($1B) Small companies (<$1B) 30% 34% 26% 41% 45% 36% 20% 12% 30% Don t know 9% 9% 8% Which of the following policies does your organization have in place? Large companies ($1B) Small companies (<$1B) Acceptable use policy 76% 87% 86% 84% 69% Record retention/ destruction Policy Written information security policy (WISP) 76% 86% 81% 84% 71% 66% 78% 75% 79% 52% Data Encryption Policy 59% 68% 66% 67% 52% Social Media Policy* 59% NA NA 67% 51% * New category Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

17 Questions from the Board What are the macro level risks that face the company? Are organizations creating specific roles to deal with this area? How long would it take us to respond to an incident? Could that [insert name of breached company] event happen to us? Is what we have in place for data protection today enough? How are we measuring results against costs? What is the value of security? What are we doing about compliance with global privacy requirements? Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

18 Organizations Lack High Confidence in Their Ability to Prevent a Cyberattack or Data Breach Rate your level of confidence that your organization is able to prevent a targeted external attack by a well-funded attacker. Scale of 1-10 where 10 indicates high level of confidence and 1 indicates little or no confidence Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

19 Not All Data Is Equal Does your company have a clear data classification scheme and policy in place that categorize the organization s data and information sensitive, confidential, public, etc.? Scheme Policy Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

20 Not All Data Is Equal How would you rate your management s understanding of what comprises its sensitive data and information? Excellent understanding % 27% 26% Good understanding 51% 48% 50% Limited understanding Little or no understanding 22% 22% 22% 3% 2% 1% Don t know 1% 1% 1% Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

21 CIOs Are Taking Charge of Data Governance Who is responsible for creating and overseeing data governance in your organization? Three-year trend of growth in the CIO s role in creating, overseeing and executing data governance strategy and policy Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

22 ISACA / Protiviti IT Audit Benchmarking Survey

23 A Global Look at IT Audit Best Practices About the Survey ISACA and Protiviti partnered to conduct the fourth annual IT Audit Benchmarking Survey in the third quarter of 2014 This global survey, conducted online, consisted of a series of questions grouped into five categories: Today s Top Technology Challenges IT Audit in Relation to the Internal Audit Department Assessing IT Risks Audit Plan Skills and Capabilities More than 1,300 executives and professionals, including chief audit executives as well as IT audit vice presidents and directors, completed the online questionnaire Visit the Protiviti and ISACA websites to download a copy of this benchmarking report: Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

24 Top Challenges Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

25 Key Findings Cybersecurity and privacy are primary concerns. Companies face significant IT audit staffing and resource challenges. Audit committees, as well as organizations in general, are becoming more engaged in IT audit. IT audit risk assessments are not being conducted, or updated, frequently enough. Room for growth in IT audit reports and reporting structures Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

26 Frameworks Which of the following accepted industry frameworks is the IT audit risk assessment based? (Multiple responses permitted) Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

27 IT Audit Hours and Responsibilities Which of the following activities is your IT audit function responsible for? (Multiple responses permitted) Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

28 Significant Technology Projects What level of involvement does IT audit have in significant technology projects? Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

29 Significant Technology Projects (Cont.) When does IT audit become involved in significant technology projects? Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

30 Evaluating and Assessing IT Governance If you answered no to the previous question, indicate whether you intend to complete an evaluation and assessment of your organization s IT governance process Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.

31 Confidentiality Statement and Restriction for Use This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.