IT risks and controls


Università degli Studi di Roma "Tor Vergata", Master of Science in Business Administration, Business Auditing Course. IT risks and controls, October 2017.

Agenda
I. IT governance: IT evolution, objectives, roles and process model of an IT governance framework
II. IT risk management: risk context, key elements of an IT risk management framework, risk and measure examples
III. IT audit case study: approach, planning and results of a real IT audit activity
IV. New EU privacy regulation risk approach: the risk-based approach of the new regulation and applicable risk scenario examples

Section I: IT governance
1. Main references adopted
2. IT evolution
3. IT governance definition and objectives
4. Governance enablers
5. Governance roles
6. Process reference model

IT governance: main references adopted (figure; the references themselves are not transcribed)

IT governance: IT evolution (figure; three numbered stages and the label "business enablement")

IT governance: why IT governance?
1. High-quality information
2. Business value
3. Operational excellence
4. IT-related risk
5. Cost of IT
6. Compliance

IT governance: definition
"IT governance [is] the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."

IT governance: drivers for IT governance activities (chart; source: ITGI, Global Status Report on the Governance of Enterprise IT)

IT governance: governance objective (figure; three numbered elements, not transcribed)

IT governance: governance enablers (figure)

IT governance: governance roles (figure)

IT governance: process reference model (figure; four numbered elements, not transcribed)

Section II: IT risk management
1. Key points of context
2. Risk / IT risk definitions
3. IT risk categories
4. IT risk evaluation
5. IT risk and organisational structures
6. Information items and risk management
7. Risk management process
8. Risk scenario structure and risk factors
9. Risk scenario and response examples

IT risk management: key points of context
1. IT is a key element for creating value
2. Regulations govern information technology
3. There is a growing need to manage risks related to IT
4. IT risk management requires addressing the full scope of strategic impacts

IT risk management: IT risk levels (figure; source: MoR, Management of Risk, Office of Government Commerce, UK)

IT risk management: IT-related issues experienced in the past 12 months (chart; source: ITGI, Global Status Report on the Governance of Enterprise IT)

IT risk context: The Global Risks Landscape 2017 (chart; source: Global Risks Report 2017)

IT risk management: risk / IT risk definitions
Risk: risk is the combination of the probability of an event and its consequence. The consequence is that enterprise objectives are not met.
Information and related technology (IT) risk: IT risk is a business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

IT risk management: IT risk categories
1. IT benefit / value enablement
2. IT programme and project delivery
3. IT operations and service delivery

IT risk management: IT risk evaluation (figure; two numbered elements, not transcribed)

IT risk management: IT risk and business value (figure: business value is either failed to gain / lost, or gained / preserved)

IT risk management: IT risk and organisational structures (figure)

IT risk management: IT risk and organisational structures
Business process owners; IT process / service owners.
1. Risk evaluation
2. Risk ownership
Risk owner: person or entity with the accountability and authority to manage a risk (ISO 31000, Risk management: principles and guidelines).

IT risk management: information items and risk management
1. Risk scenarios
2. Risk analysis results
3. Risk universe
4. Risk action plan
5. Loss events
6. Risk factors
7. Risk profile

IT risk management: risk management process (practice: main outputs)
1. Collect data: data on the operating environment relating to risk; data on risk events and contributing factors
2. Analyse risk: IT risk scenarios; risk analysis results
3. Maintain a risk profile: aggregated risk profile, including status of risk management actions
4. Articulate risk: risk analysis and risk profile reports for stakeholders
5. Define an action portfolio: project proposals for reducing risk
6. Respond to risk: risk-related incident response plans

IT risk management: risk scenario structure (figure; five numbered components, not transcribed)

IT risk management: risk factors
1. Internal context
2. External context

IT risk management: risk factors, category 1 (internal context)
1. Enterprise goals and objectives
2. Strategic importance of IT for the business
3. Complexity of IT
4. Complexity of the entity
5. Degree of change
6. Change management capability
7. Operating model
8. Strategic priorities
9. Culture of the enterprise
10. Financial capacity
11. Risk management capability
12. IT-related capabilities

IT risk management: risk factors, category 2 (external context)
1. Market and economic factors
2. Rate of change in the market / product life cycle
3. Industry and competition
4. Geopolitical situation
5. Regulatory environment
6. Technology status and evolution

IT risk management: risk scenario examples from COBIT (risk category: risk scenario, COBIT ref)
1. Portfolio establishment and maintenance: there is duplication between initiatives (0102)
2. Programme/projects life cycle management: there is an IT project budget overrun (0202)
3. IT investment decision making: the wrong software, in terms of cost, performance, features, compatibility, etc., is selected for implementation (0302)
4. IT expertise and skills: there is a lack of or mismatched IT-related skills within IT, e.g. due to new technologies (0401)
5. Staff operations (error and malicious intent): hardware components were configured erroneously (0508)
6. Information (data breach: damage, leakage and access): portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed (0603)
7. Architecture (architectural vision and design): the enterprise architecture is complex and inflexible, obstructing further evolution and expansion and leading to missed business opportunities (0701)
8. Infrastructure: the systems cannot handle transaction volumes when user volumes increase (0802)
9. Software: intentional modification of software leading to wrong data or fraudulent actions (0906)

IT risk management: risk scenario examples from COBIT, continued (risk category: risk scenario, COBIT ref)
10. Business ownership of IT: the business does not assume accountability over those IT areas it should, e.g. functional requirements, development priorities, assessing opportunities through new technologies (1001)
11. Supplier selection/performance, contractual compliance, termination of service and transfer: support and services delivered by vendors are inadequate and not in line with the SLA (1103)
12. Regulatory compliance: there is non-compliance with regulations, e.g. privacy, accounting, manufacturing (1201)
13. Infrastructure theft or destruction: destruction of the data centre (sabotage, etc.) occurs (1403)
14. Malware: regularly, there is infection of laptops with malware (1502)
15. Logical attacks: there is a service interruption due to a denial-of-service attack (1602)
16. Industrial action: facilities and buildings are not accessible because of a labour union strike (1701)
17. Acts of nature: there is flooding (1905)

IT risk management: risk scenarios by category (charts). Share of risk scenarios per category: IT programme and project delivery 15%; the remaining 36% and 50% belong to IT benefit / value enablement and IT operations and service delivery (the transcription does not show which category has which share). Cybersecurity scenarios 13%, others 87%.

IT risk management: risk response examples from COBIT (risk category: risk response, COBIT process)
1. Portfolio establishment and maintenance: prioritise resource allocation (APO06.02)
2. Programme/projects life cycle management: maintain a standard approach for programme and project management (BAI01.01)
3. IT investment decision making: manage stakeholder engagement (BAI01.03)
4. IT expertise and skills: plan and track the usage of IT and business human resources (APO07.05)
5. Staff operations (error and malicious intent): manage contract staff (APO07.06)
6. Information (data breach: damage, leakage and access): ensure traceability of information events and accountabilities (DSS06.05)
7. Architecture (architectural vision and design): define reference architecture (APO03.02)
8. Infrastructure: monitor and scan the technology environment (APO04.03)
9. Software: evaluate, prioritise and authorise change requests (BAI06.01)

IT risk management: risk response examples from COBIT, continued (risk category: risk response, COBIT process)
10. Business ownership of IT: monitor and report service levels (APO09.04)
11. Supplier selection/performance, contractual compliance, termination of service and transfer: monitor supplier performance and compliance (APO10.05)
12. Regulatory compliance: identify external compliance requirements (MEA03.01)
13. Infrastructure theft or destruction: manage physical access to IT assets (DSS05.05)
14. Malware: monitor the infrastructure for security-related events (DSS05.07)
15. Logical attacks: monitor IT infrastructure (DSS01.03)
16. Industrial action: identify key IT personnel (APO07.02)
17. Acts of nature: exercise, test and review the Business Continuity Plan (DSS04.04)
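The risk management process practices (analyse risk, maintain a risk profile, define an action portfolio) and the COBIT scenario and response tables can be tied together in a small risk register. The following Python script is an added example, not part of the original slides or of COBIT: the scenario descriptions, COBIT scenario references and response processes are copied from the tables above, while the 1-5 likelihood and impact scales, the scores, the rating bands and the action statuses are constructed assumptions.

```python
"""Aggregated IT risk profile built from COBIT-style risk scenarios.

Added example (not part of the original slides). Scenario texts, COBIT
scenario references and response processes are the ones listed on the
slides; the scoring scales, scores and action statuses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Risk is the combination of the probability of an event and its
# consequence (slide definition). Assumption: both are scored 1..5 and
# combined by multiplication into a 1..25 rating.
LIKELIHOOD_SCALE = range(1, 6)
IMPACT_SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskScenario:
    ref: str            # COBIT risk scenario reference (from the slides)
    category: str       # COBIT risk category (from the slides)
    description: str    # scenario text (from the slides)
    likelihood: int     # constructed, 1 (rare) .. 5 (almost certain)
    impact: int         # constructed, 1 (negligible) .. 5 (severe)
    response: str       # COBIT process named as response (from the slides)
    action_status: str  # constructed: "open", "in progress" or "closed"

    def rating(self) -> int:
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.ref}: likelihood and impact must be within 1..5")
        return self.likelihood * self.impact


def rating_band(rating: int) -> str:
    """Assumed bands used when articulating risk to stakeholders (practice 4)."""
    if rating >= 15:
        return "high"
    if rating >= 8:
        return "medium"
    return "low"


# Constructed register: references, texts and responses from the slides,
# scores and statuses are sample values chosen for illustration.
REGISTER = [
    RiskScenario("0603", "Information",
                 "Portable media containing sensitive data is lost/disclosed.",
                 4, 4, "DSS06.05", "in progress"),
    RiskScenario("1502", "Malware",
                 "Regularly, there is infection of laptops with malware.",
                 5, 3, "DSS05.07", "open"),
    RiskScenario("1602", "Logical attacks",
                 "There is a service interruption due to a denial-of-service attack.",
                 2, 4, "DSS01.03", "open"),
    RiskScenario("0802", "Infrastructure",
                 "The systems cannot handle transaction volumes when user volumes increase.",
                 2, 3, "APO04.03", "closed"),
    RiskScenario("1403", "Infrastructure theft or destruction",
                 "Destruction of the data centre (sabotage, etc.) occurs.",
                 1, 5, "DSS05.05", "closed"),
]


def analyse_risk(register):
    """Practice 2, 'Analyse risk': (ref, category, rating, band) per scenario, highest first."""
    rows = [(s.ref, s.category, s.rating(), rating_band(s.rating())) for s in register]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def risk_profile(register):
    """Practice 3, 'Maintain a risk profile': aggregate per category, including
    how many risk management actions are still not closed."""
    profile = defaultdict(lambda: {"scenarios": 0, "max_rating": 0, "open_actions": 0})
    for s in register:
        entry = profile[s.category]
        entry["scenarios"] += 1
        entry["max_rating"] = max(entry["max_rating"], s.rating())
        if s.action_status != "closed":
            entry["open_actions"] += 1
    return dict(profile)


def scenarios_above(register, band):
    """Practice 5, 'Define an action portfolio': scenarios rated at or above the
    given band whose action is not closed, with the COBIT process to apply."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [(s.ref, s.response) for s in register
            if order[rating_band(s.rating())] >= order[band] and s.action_status != "closed"]


if __name__ == "__main__":
    for row in analyse_risk(REGISTER):
        print(row)
    for category, entry in risk_profile(REGISTER).items():
        print(category, entry)
    print(scenarios_above(REGISTER, "medium"))
```

The register deliberately keeps the COBIT reference on every record, so a scenario rated in the profile can always be traced back to the catalogue entry and to the process named as its response.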

Section III: IT audit case study
1. IT audit approach
2. Needs of the key players
3. Audit scope and planning
4. Risk assessment
5. Audit areas
6. Methods adopted
7. Audit report and improvement points
8. Key points

IT audit case study: IT audit approach
1. Overall analysis
2. Effective checks
3. Search for logic vulnerabilities

IT audit case study: needs of the key players
1. Management
2. Audit and control functions
3. IT department

IT audit case study: audit scope
1. Foreign branch of a leading company in the industrial sector
2. Internal control system against cybercrimes
3. The company has 20 foreign branches on several continents

IT audit case study: information system audited (figure). Audited branch applications: tenders, design, production, support processes; headquarters.

IT audit case study: audit planning
1. Preliminary survey
2. Risk assessment
3. Audit plan
Elements shown in the figure: documentation analysis, interviews, IT systems, IT management processes, cybercrimes, audit areas, checks.

IT audit case study: risk assessment
Cybercrimes (under the Italian Penal Code): unauthorised access to an IT system, art. 615-ter c.p. (COBIT risk scenario 1601).
Risk scenarios:
1. Violation of the IT system by competitors in order to acquire, for industrial espionage purposes, documentation regarding products / projects
2. Unauthorised access to protected IT systems, by company internal users, to activate services that were not solicited by customers
3. Unauthorised access to invoicing systems in order to alter information and programs with the aim of achieving illicit profits
Risk evaluation (figure).

IT audit case study: audit areas (area, COBIT ref)
1. System administrators (DSS05.04)
2. Management of users and authorisations (DSS05.04)
3. Software licensing management (BAI09.05)
4. Security of IT workstations (DSS05.03)
5. Electronic signature (DSS05.06)

IT audit case study: audit area 1, system administrators (audit: population / sample)
1. Identification of administrators: contract documents
2. Name-registered administrator accounts: list of users in the administrators authentication group
3. Rules of minimum complexity of passwords: settings for authentication of administrator accounts

IT audit case study: audit area 2, management of user accounts (audit: population / sample)
1. Correspondence between user accounts and employees: list of user accounts and employees / collaborators of the branch office
2. Traceability of the requests relating to user accounts: procedure adopted for the traceability of the requests in question
3. Minimum complexity of passwords: settings for the authentication of users in the centralised authentication system
4. Name-registered accounts: list of user accounts in the centralised authentication system

IT audit case study: audit area 3, management of access authorisations (audit: population / sample)
1. Use of the folder "Public": list of the folders and files contained in the shared folder "Public"
2. Shared folders on the PCs: sample of PCs
3. Adequacy of the authorisations: list of the authorisations and users for a selected sample of shared folders

IT audit case study: audit area 4, software licences (audit: population / sample)
1. Inventory of software licences: -
2. Archiving of software setup media: -
3. Software licences: sample of PCs and software licences

IT audit case study: audit area 5, cybersecurity of PCs (audit: population / sample)
1. Update of antivirus software: sample of PCs
2. Security updates: sample of PCs
3. Installation authorisations: sample of PCs

IT audit case study: audit area 6, electronic signature (audit: population / sample)
1. Electronic signature devices: -
2. Signature authorisations: -
3. Revocation of the electronic certificate: -
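The audit area slides name each check and the population sampled, but not how a check is carried out once the lists are extracted. The following Python script is an added example, not the auditors' own tooling: it runs the account, authorisation and PC checks of areas 1, 2, 3 and 5 over constructed sample data standing in for the listed populations (administrators group, HR list, centralised authentication system, shared folders, PC sample). The reference minimum password policy and the seven-day signature age are assumptions, not the audited company's policy.

```python
"""Sample-based checks for audit areas 1, 2, 3 and 5 of the case study.

Added example, not part of the original audit. All populations below are
constructed stand-ins for the lists named on the slides; thresholds are
assumptions.
"""
from datetime import date

# --- constructed populations -------------------------------------------------
EMPLOYEES = {"E001": "M. Rossi", "E002": "L. Bianchi", "E003": "G. Verdi"}  # HR list

ACCOUNTS = [  # centralised authentication system; "admin" is a generic account
    {"login": "mrossi",   "employee_id": "E001", "admin": True,  "request_ticket": "REQ-101"},
    {"login": "lbianchi", "employee_id": "E002", "admin": False, "request_ticket": "REQ-102"},
    {"login": "gverdi",   "employee_id": "E003", "admin": False, "request_ticket": None},
    {"login": "admin",    "employee_id": None,   "admin": True,  "request_ticket": None},
    {"login": "pneri",    "employee_id": "E009", "admin": False, "request_ticket": "REQ-090"},
]

# Authentication settings of the administrators group (constructed) and the
# minimum the auditor uses as reference (assumption).
ADMIN_PASSWORD_SETTINGS = {"min_length": 8, "complexity_enabled": False, "max_age_days": 365}
MINIMUM_PASSWORD_POLICY = {"min_length": 12, "complexity_enabled": True, "max_age_days": 90}

SHARED_FOLDERS = {  # folder -> list of (principal, permission), constructed
    r"\\branch\Public": [("Everyone", "write"), ("gverdi", "read")],
    r"\\branch\Tenders": [("Tenders-Group", "write"), ("Everyone", "read")],
    r"\\branch\Design": [("Design-Group", "write")],
}

PC_SAMPLE = [  # constructed sample of PCs
    {"host": "PC-01", "av_signatures": date(2017, 10, 2), "missing_security_updates": 0},
    {"host": "PC-02", "av_signatures": date(2017, 8, 20), "missing_security_updates": 3},
]


# --- audit checks ------------------------------------------------------------
def non_name_registered_admins(accounts):
    """Area 1, check 2: administrator accounts not tied to a named person."""
    return sorted(a["login"] for a in accounts if a["admin"] and a["employee_id"] is None)


def password_policy_gaps(settings, minimum):
    """Areas 1 and 2, password complexity: settings weaker than the reference minimum."""
    gaps = []
    if settings["min_length"] < minimum["min_length"]:
        gaps.append("min_length")
    if minimum["complexity_enabled"] and not settings["complexity_enabled"]:
        gaps.append("complexity_enabled")
    if settings["max_age_days"] > minimum["max_age_days"]:
        gaps.append("max_age_days")
    return gaps


def orphan_accounts(accounts, employees):
    """Area 2, check 1: accounts whose employee is not on the HR list
    (leavers or unknown collaborators); generic accounts are reported separately."""
    return sorted(a["login"] for a in accounts
                  if a["employee_id"] is not None and a["employee_id"] not in employees)


def untraceable_accounts(accounts):
    """Area 2, check 2: accounts with no traceable creation request."""
    return sorted(a["login"] for a in accounts if a["request_ticket"] is None)


def overbroad_folders(folders):
    """Area 3, check 3: shared folders where 'Everyone' has write permission."""
    return sorted(path for path, acl in folders.items()
                  if any(p == "Everyone" and perm == "write" for p, perm in acl))


def outdated_pcs(pcs, as_of, max_signature_age_days=7):
    """Area 5, checks 1-2: PCs with stale antivirus signatures or missing security updates."""
    return sorted(pc["host"] for pc in pcs
                  if (as_of - pc["av_signatures"]).days > max_signature_age_days
                  or pc["missing_security_updates"] > 0)


def audit_findings(as_of=date(2017, 10, 5)):
    """Collect every finding; each non-empty list becomes an improvement point."""
    return {
        "admins_not_name_registered": non_name_registered_admins(ACCOUNTS),
        "admin_password_gaps": password_policy_gaps(ADMIN_PASSWORD_SETTINGS, MINIMUM_PASSWORD_POLICY),
        "orphan_accounts": orphan_accounts(ACCOUNTS, EMPLOYEES),
        "untraceable_accounts": untraceable_accounts(ACCOUNTS),
        "overbroad_shared_folders": overbroad_folders(SHARED_FOLDERS),
        "outdated_pcs": outdated_pcs(PC_SAMPLE, as_of),
    }


if __name__ == "__main__":
    for finding, items in audit_findings().items():
        print(f"{finding}: {items or 'none'}")
```

Each check takes the extracted population as input and returns the exceptions, so the same script can be re-run on the next extract to confirm that an improvement point has been closed.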

IT audit case study: methods adopted
1. Analysis of company regulations
2. Survey of practices and IT systems
3. Process walk-throughs
4. Verification of the IT systems

IT audit case study: audit report
1. Methods used to plan and carry out the activities
2. Improvement points
3. Suggestions for action

IT audit case study: improvement points
1. Contractual definition of system administrators
2. Use of shared folders
3. Inventory of software in use
4. Traceability of new user requests

IT audit case study: critical factors
1. Co-existence of local and central IT systems
2. Outsourced IT administration
3. Temporary nature of the production sites
4. Specific needs of each production site

IT audit case study: key points
1. Value of information / size of the infrastructure
2. IT risk and control policy

Section IV: new EU privacy regulation risk approach
1. Brief introduction to the regulation
2. Risk-based approach adopted
3. Key concepts
4. Applicable COBIT risk scenarios

GDPR risk-based approach: the new European data protection regulation (GDPR)
1. Data protection legislation unchanged since 1995 (current Directive)
2. GDPR adopted in May 2016
3. GDPR directly applicable from May 2018
4. New concepts (e.g. profiling, right to be forgotten), obligations on businesses and rights for individuals
5. Fines increased sharply (up to 20 M / 4% of turnover)

GDPR risk-based approach: GDPR and the risk-based approach. Implement protective measures corresponding to the level of risk of the data processing activities.

GDPR risk-based approach, key concept 1: accountability
Article 24(1): "Taking into account the [...] risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing [of data] is performed in accordance with this Regulation."

GDPR risk-based approach, key concept 2: data protection by design
Article 25(1): "Taking into account [...] the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures [...]"

GDPR risk-based approach, key concept 3: personal data security
Article 32(2): "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."

GDPR risk-based approach: example data security risk categories, drawn from the COBIT risk categories above
1. IT investment decision making
2. IT expertise and skills
3. Staff operations (human error and malicious intent)
4. Information (data breach: damage, leakage and access)
5. Infrastructure
6. Software
7. Supplier selection, performance, contractual compliance, termination and transfer
8. Malware and logical attacks
9. Acts of nature

Discussion

Discussion: when assessing the risk connected to personal data security (see Article 32 of the GDPR below), which risk scenarios should be considered among those detailed in the following slide?
Article 32(2): "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."

Discussion: risk scenarios (risk category: risk scenario, COBIT ref)
1. Portfolio establishment and maintenance: there is duplication between initiatives (0102)
2. Programme/projects life cycle management: there is occasional late IT project delivery by an internal development department (0203)
3. IT investment decision making: redundant software is purchased (0304)
4. IT expertise and skills: there is a lack of or mismatched IT-related skills within IT, e.g. due to new technologies (0401)
5. Staff operations (error and malicious intent): hardware components were configured erroneously (0508)
6. Information (data breach: damage, leakage and access): portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed (0603)
7. Architecture (architectural vision and design): there is a failure to adopt and exploit new infrastructure in a timely manner (0703)
8. Infrastructure: the systems cannot handle transaction volumes when user volumes increase (0802)

Thank you! Alessandro Salibra Bove, Partner, a.salibra@macfin-group.net, www.macfin-group.net