

1. IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR 2014-15
   IT Audit and Security
   O'Connor & Drew, P.C. www.ocd.com @ocdcpa
   Jake McAleer @johnjakem
   March 2014

2. Jake McAleer, CISA
   jmcaleer@ocd.com @johnjakem
   Professional Profile
   • Senior IT Audit and Security Manager, O'Connor & Drew, P.C.
   • Director of Operations, Dyn
   • Senior IT Auditor, State Street Bank
   • Network and Systems Engineer, Raytheon Company
   Industry Expertise
   • Internet Services and Infrastructure (IaaS, PaaS, SaaS, Colocation, Data Center)
   • Financial Services
   • Manufacturing
   • Government
   • Not-for-Profit Organizations
   • Family-Owned Businesses

3. INFORMATION SECURITY PROGRAM
   An Overview of a Security Program and Review of IT Control Terminology

4. Risk Rating
   • Many people confuse the risk event for the risk rating
   • Risk Event = the description of the risk
   • Risk Rating = Likelihood + Impact
   Prioritizing your audit program by risk is called a "Risk-Based Audit Approach"

5. Security Programs Vary By Business
   • Every business is different
   • No one framework or law will completely protect you
   • Vendors can help, but don't rely entirely on them
   You know your business better than anyone, so your input is key!
   • Internal owners manage and enforce the process
   • Employees must be provided direction and training
   • All programs need proper ownership, employee education, and enforcement

6. Example of a published password rule set
   • The password must be exactly 8 characters long.
   • It must contain at least one letter, one number, and one special character.
   • The only special characters allowed are: @ # $
   • A special character must not be located in the first or last position.
   • Two of the same characters sitting next to each other are considered to be a "set." No "sets" are allowed.
   • Avoid using names, such as your name, user ID, or the name of your company or employer.
   • Other words that cannot be used are Texas, child, and the months of the year.
   • A new password cannot be too similar to the previous password.
     • Example: previous password - abc#1234, acceptable new password - acb$1243
   • Characters in the first, second, and third positions cannot be identical. (abc*****)
   • Characters in the second, third, and fourth positions cannot be identical. (*bc#****)
   • Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)
   • A password can be changed voluntarily (no Help Desk assistance needed) once in a 15-day period. If needed, the Help Desk can reset the password at any time.
   • The previous 8 passwords cannot be reused.
   Source: http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/listPasswordRules.htm

7. Focus On The Objective
   • Prevent guessing
     • 8+ characters and some basic variation (upper and lower case, number, special character, etc.) to prevent just a word as the password
   • Prevent brute force
     • Lock out after 5-10 attempts, and lock out across the organization!
     • Protect the encrypted/hashed values
   • Prevent reuse
     • Check against a DB of old passwords
   • Prevent compromise
     • User education (don't reuse passwords, don't write them on your laptop, etc.)
     • Force a change every 90-180 days
   • Enforce use
     • Automatic password/PIN enforcement on devices
     • Automatic screen locks after 10 minutes
     • Review how password resets are managed
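As an added illustration (not code from the presentation), the following Python validator encodes the published rule set from slide 6 and the "check against a DB of old passwords" objective from slide 7. It assumes the previous passwords are held as salted hashes (a simplification; a slow KDF belongs in production) and that the caller supplies the user's name, user ID and employer; the "too similar" rule is left unimplemented because the slide does not define it.

```python
import hashlib
from typing import Iterable, List

ALLOWED_SPECIALS = "@#$"
# Words the published list forbids: Texas, child and the month names.
BANNED_WORDS = ["texas", "child", "january", "february", "march", "april", "may",
                "june", "july", "august", "september", "october", "november", "december"]

def history_hash(password: str, salt: str) -> str:
    # Password history is stored hashed, never in clear. Salted SHA-256 keeps the
    # example short; production code should use a slow KDF (PBKDF2, bcrypt, Argon2).
    return hashlib.sha256((salt + password).encode()).hexdigest()

def oag_password_violations(pw: str, salt: str = "", names: Iterable[str] = (),
                            history: Iterable[str] = ()) -> List[str]:
    """Return every published rule the candidate breaks ([] means accepted).
    `names` holds the user's name, user ID and employer (assumed inputs);
    `history` holds history_hash() values of earlier passwords, oldest first."""
    v: List[str] = []
    if len(pw) != 8:
        v.append("must be exactly 8 characters")
    if not any(c.isalpha() for c in pw):
        v.append("must contain a letter")
    if not any(c.isdigit() for c in pw):
        v.append("must contain a number")
    specials = [c for c in pw if not c.isalnum()]
    if not specials:
        v.append("must contain a special character")
    if any(c not in ALLOWED_SPECIALS for c in specials):
        v.append("only @ # $ are allowed as special characters")
    if pw and (pw[0] in ALLOWED_SPECIALS or pw[-1] in ALLOWED_SPECIALS):
        v.append("special character cannot be first or last")
    if any(a == b for a, b in zip(pw, pw[1:])):
        v.append("adjacent identical characters (a 'set') are not allowed")
    lower = pw.lower()
    if any(n and n.lower() in lower for n in names):
        v.append("must not contain your name, user ID or employer")
    if any(w in lower for w in BANNED_WORDS):
        v.append("must not contain Texas, child or a month name")
    # Positions 1-3, 2-4 and 6-8 may not be identical. Three identical characters
    # in a row always contain a "set", so the no-sets rule already implies these;
    # they are kept only to mirror the published list.
    for lo, hi, label in ((0, 3, "1-3"), (1, 4, "2-4"), (5, 8, "6-8")):
        if len(pw) >= hi and len(set(pw[lo:hi])) == 1:
            v.append(f"characters in positions {label} cannot be identical")
    if history_hash(pw, salt) in list(history)[-8:]:
        v.append("cannot reuse any of the previous 8 passwords")
    return v
```

Running the slide's own pair through it, abc#1234 and acb$1243 both pass, which shows how little the rule set actually separates an old password from its "acceptable" replacement.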

8. IT AUDITING IN 2014-2015
   Focusing on the three inputs:
   • Business Needs
   • Legal and Regulatory
   • Customers and Partners

9. Legal And Regulatory Requirements
   • Focuses on a specific:
     • Industry
     • Consumer
     • Type of data
     • Geographic region
   • Often:
     • Long and complex
     • Cross-references other sections or laws
     • Subjective and broadly worded
     • References dated (now outdated) terms
   Intended to protect someone else, not your business

10. Regulatory Examples
   • Credit card account information: Payment Card Industry (PCI)
   • Electronic patient health information: Health Insurance Portability and Accountability Act (HIPAA)
   • Consumers' private banking information: Gramm-Leach-Bliley Act (GLBA)
   • Government data and systems: Federal Information Security Management Act (FISMA)
   • Public company accounting: Sarbanes-Oxley Act (SOX)

11. Legal, Regulatory, Industry-Specific
   • What laws must the business comply with?
   • Is there a legal/compliance group to rely on?
   • Do you have an international presence? International customers? What laws apply?
   • Are these areas being reviewed for changes?
   • Are there periodic requirements?
     • Example: PCI - quarterly scans, yearly attestation
   • Can the work be done by another group or external resource?

12. PCI-DSS v3.0 Enforcement Date
   • "Version 3.0 will introduce more changes than Version 2.0. The core 12 security areas remain the same, but the updates will include several new sub-requirements that did not exist previously. Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council will introduce future implementation dates accordingly. This means until 1 July 2015 some of these sub-requirements will be best practices only, to allow organizations more flexibility in planning for and adapting to these changes. Additionally, while entities are encouraged to begin implementation of the new version of the Standards as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31 December 2014."
   Source: https://www.pcisecuritystandards.org/documents/DSS and PA-DSS Change Highlights.pdf

13. Examples - PCI v3.0 Requirements
   • 2.4 - New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards.
   • 9.3 - New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.
   • 11.3 - New requirement to implement a methodology for penetration testing
     • Perhaps use a standard such as NIST SP 800-115.
   • 12.9 - New requirement for service providers to provide the written agreement/acknowledgment to their customers.
   Source: https://www.pcisecuritystandards.org/documents/PCI DSS v3 Summary of Changes.pdf

14. M.G.L. c. 93H and MA 201 CMR 17
   • Requires:
     • Designated program owner/maintainer
     • Identifying where PII might be within the organization
     • Encryption
     • Monitoring and effectiveness testing
     • Anti-virus and patching
     • Employee training
     • 3rd party service provider compliance
     • Timely disclosure of a breach
   • Written Information Security Program (WISP)
     • Documents your methodologies, processes, procedures, technologies, PII data types, etc.

15. MA 201 CMR 17 - Definition of PII
   • Personal information: a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly.

16. HR Rep: "Welcome To The Company!"
   We need an ID for your I-9 Form.
   We need your routing number so we can pay you.
   Images: http://www.theonion.com/articles/manny-being-manny-during-massachusetts-state-drive,9801/
   http://www.psdgraphics.com/psd/blue-check-psd-template/

17. Computer Access
   Nearly every employee has access to a PC at work
   • Lawyer's Office
   • Doctor's Office
   • Accountant
   • Car Repair Shop
   • Retail
   • Banks
   • Restaurants
   • Grocery Store
   • Non-profit
   • Call Center
   Image: http://www.blogcdn.com/jobs.aol.com/articles/media/2009/04/ptw12target.jpg
