Posted on 18-Apr-2018

Spring Education Conference
Securing the Organization
(Ensuring Trustworthy Systems)

Ken Vander Wal, CISA, CPA
Past President, ISACA
vandeke@gmail.com

2012-2013 Board of Directors

Past International President
Kenneth Vander Wal, Chicago Chapter

Vice Presidents

Past International President
Emil D’Angelo, NY Metropolitan Chapter

Tony Hayes, Brisbane Chapter

International President
Greg Grocholski

Member at Large

Christos Dimitriadis, Athens Chapter
Jeff Spivey, Charlotte Chapter
Allan Boardman, London Chapter
Juan Luis Carselle, Mexico City Chapter
Ramses Gallego, Barcelona Chapter
Marc Vael, Belgium Chapter

Appointed directors: John Ho Chi, Singapore Chapter; Krysten McCabe, Atlanta Chapter; Jo Stewart-Rattray, Adelaide Chapter

Agenda

• IT Changing Landscape
• IT Value, Trust and Assurance
• Impact on Assurance Profession
• Questions and Discussion

Pace of Change of Digital Infrastructure

Digital power = Computing x Communication x Storage x Content

Computing: Moore’s law, doubles every 18 months
Communication: Fiber law, doubles every 9 months
Storage: Disk law, doubles every 12 months
Content: Community law, 2^n, where n is the number of people

Source: John Seely Brown

Worldwide IT Spending Forecast (Billions of US Dollars) (chart; figures not reproduced in the transcript)

Other Gartner Predictions

• Technology spend outside IT will become almost 90% by end of the decade
• 4.4M IT jobs globally will be created to support Big Data, 1.9M in the US
  – $34B of IT spending in 2013
• In 2016 > 1.6B smart mobile device purchases globally
• Security investments to increase by 56% in five years
  – Driver: regulatory compliance

Trends Sure to Impact CIOs in 2013

1. The increasing importance of smartphones
2. Tablets will make inroads
3. The Cloud is here to stay
4. BYOD (or is it IBMOD)
5. Big Data
6. The increasing role of Windows 8
7. Social networking security
8. Smaller, lighter hardware
9. Increasing employee knowledge
10. Apple love

Source: CIO Insight

Speaking of Big Data

We no longer speak using terms like bytes, kilobytes (KB) or gigabytes (GB).

How many bytes in a Terabyte (TB)? 10^12 (or 2^40), equivalent to roughly 1,610 CDs worth of data.

Anyone heard of a Petabyte? Or an Exabyte?

1 Petabyte (PB) is 1,024 TB
1 Exabyte (EB) is 1,024 PB
1 Zettabyte (ZB) is 1,024 EB
1 Yottabyte (YB) is 1,024 ZB

2012 © ISACA. Used by permission.

What Does It Mean?

• Information systems environments are continuing to increase in complexity and impact, bringing unprecedented value opportunities along with significant risk.
• This requires:
  – active governance and management of information
  – advanced auditing practices

What is the Impact on the Audit Profession?

• Need to provide more value to the stakeholders of an organization by focusing more on business and information.
• Silos being removed: business, IT internal audit, finance internal audit, fraud investigators, security, governance, external audit, SLA managers.
• Era of diverse framework integration and central management.
• New technologies introduce new skill requirements for auditors – not solely technical ones.

Example: ISACA Cloud Computing Management Audit/Assurance Program

• Securing and Auditing the Cloud requires good understanding of:
  – Technologies (web services, virtualization)
  – Related control frameworks
  – Business requirements (linking IT with the business)
  – Legal requirements (data transfer, retention, protection)
  – Contractual agreements (e.g. impeding factors from moving to other providers)

IT Value Factors

Alignment
• IT and business processes
• Organization structure
• Organization strategy

Integration
• Enterprise architecture
• Business architecture
• Process design
• Organization design
• Performance metrics

Business Requirements drive the investment in IT Resources, which are used by IT Processes to deliver Enterprise Information, which responds to Business Requirements.

Value Defined (Val IT)

• IT is not an end to itself but a means of enabling business outcomes. IT is not about implementing technology. It is about unlocking value through IT-enabled organizational change.
• Value is the total life-cycle benefits net of related costs, adjusted for risk and (in the case of financial value) for the time value of money.
• The concept of value relies on the relationship between meeting the expectations of stakeholders and the resources used to do so.

Trust Defined

Definition 1: Trust is the ability to predict what a system will do in various situations.

Definition 2: Trust is using an information system without having full knowledge about it.

Definition 3: Trust is giving something now (credit card) with an expectation of some future return or benefit (online purchase).

Definition 4: Trust is being vulnerable (entering private and sensitive information) while expecting that the vulnerabilities will not be exploited (identity theft).

Trust that:
• Private and sensitive information will remain confidential
• Process integrity is maintained
• Essential business processes are available or recoverable

Trust in an Information Society

• Systems should give minimum and, as much as possible, measurable guarantees and information on related risks concerning quality of service, security and resilience, transparency of actions and the protection of users’ data and users’ privacy, in accordance with predefined, acknowledged policies.
• Systems should provide tools and mechanisms (or allow third-party service providers to do so) that enable the user to assess the risks and audit the qualities it is claimed to possess.
• A bona fide trustworthy system must also entail quantifiable and auditable technical and organizational aspects of delivery (policies, architectures, service level agreements, etc.), as well as the user’s perceptions on its operation.

Trustworthy Computing

Pillars: Security, Privacy, Reliability, Integrity

• Investment in expertise & technology
• Responsible leadership and partnering
• Guidance and engagement through best practices & education
• Design, development and testing
• Standards and policies

Privacy: user sense of control over personal information

Reliability:
• Resilient – continues in the face of internal or external disruption
• Recoverable – restorable to a previously known state
• Controlled – accurate and timely service
• Undisruptable – changes and upgrades do not disrupt service
• Production ready – minimal bugs or fixes
• Predictable – works as expected or promised

Integrity: acceptance of responsibility for problems and taking action to correct them

Trust and Value Relationship

TRUST – VALUE – ASSURANCE

• Trust creates the opportunity for Value
• Value is based on an expectation of Trust
• Assurance binds Trust and Value together

Governance · Risk Management · Info Security · Audit/Assurance

Information systems are integral enablers that:
• Achieve an organization’s strategy and business objectives
• Provide the confidentiality, integrity, availability and reliability of information assets
• Ensure compliance with applicable laws and regulations

Their criticality brings to the enterprise unprecedented potential for both value creation and risk (creating the need for trust).

What does all this mean for ISACA and IIA members?

Learn Faster
Share Knowledge
Engage

LEARN FASTER
• White papers
• IT audit/assurance programs
• Survey results
• Other research
• Journal articles

Examples of Resources

ISACA
• Information Technology Assurance Framework
• Audit programs (downloadable)
• IT Risk/Reward Barometer Survey
• eLibrary
• White papers
• COBIT

IIA
• International Professional Practices Framework
• Global Technology Audit Guides
• GAIN annual benchmarking study
• Chief audit executive resources

COBIT 5 Principles (figure)

COBIT 5 Enablers (figure)

COBIT 5 Enabling Processes (figure)

SHARE KNOWLEDGE
• Networking at chapter, regional and international levels
• Use of knowledge centers and collaboration
• Communicate

ENGAGE
• Volunteer
• Share knowledge
• Attend
• Get a certification
• Comment on exposure drafts

Certifications

ISACA: CISA, CISM, CGEIT, CRISC
IIA: CIA, CGAP, CFSA, CCSA, CRMA

THANK YOU