IT Controls Presentation

What you don’t know about IT Controls can cripple your business

Upload: bill-lisse

Post on 05-Dec-2014

TRANSCRIPT

Page 1: IT Controls Presentation

What you don’t know about IT Controls can cripple your business

“Yep, son, we have met the enemy and he is us.”

- Pogo, 1971

Presented by:

Bill Lisse, CISSP, GIAC PCI, GIAC HIPAA, SSCA, Security+ SME

IT Audit Manager

Page 2: IT Controls Presentation

“Only 1 of 10 firms are leveraging Information Technology (IT) compliance (Controls)… that could help mitigate financial risk from lost or stolen data.”

Source: ITpolicycompliance.com. IT Policy Compliance Group. “Why Compliance Pays: Reputations and Revenues at Risk,” July 2007

Leading Organizations: 1 of 10 are well-positioned

Normative Organizations: 7 out of 10 could substantially reduce financial risk

Lagging Organizations: 2 out of 10 have the most to gain

Why should business leaders care?

Page 3: IT Controls Presentation

Leaders versus Laggards

• Leaders have the fewest business disruptions – only two or fewer disruptions annually; Laggards experience 17 disruptions or more per year

• Leaders have 2 or fewer data losses or thefts per year; Laggards have 22 or more data losses per year

Page 4: IT Controls Presentation

Financial Risks

- An 8 percent decline in market value of stock for publicly traded firms – some never recover

- An 8 percent loss of customers

- A temporary decline in revenue of 8 percent

- Additional costs for litigation, notification, settlements, cleanup, restoration, and improvements averaging $100 per lost customer record!

Source: Oxford Executive Research Briefing, Impact of Catastrophes on Shareholder Value

Page 5: IT Controls Presentation

Average Cost $1,662,720

This does not include potential civil litigation such as class action lawsuits.

Page 6: IT Controls Presentation

Prevent or Limit Losses

• Limit exposure (proactive versus reactive)

• Due diligence – “reasonable assurance”

• Cannot rely on laws to protect or limit liability

o Sophisticated hackers may be beyond the reach of the law

Page 7: IT Controls Presentation

Prevent or Limit Losses

• In 2004, the Department of Justice estimated 3% of all U.S. households experienced some form of identity theft – the number is accelerating

3.6 Million People

Average $1,290.00 per household

Conservative annualized loss estimate was $6.4 Billion

Occurs every 79 seconds in America!

Page 8: IT Controls Presentation

Protecting your hard earned reputation – “Avoid the wrong type of branding”

• Your corporate reputation is at stake – backlash can be severe

• Making headlines: TJMaxx, Choicepoint

Page 9: IT Controls Presentation

Protecting your hard earned reputation – “Avoid the wrong type of branding”

• Once you make the list, you are here forever....

http://www.sec.gov/litigation

http://www.ftc.gov/os/caselist/index.shtm

http://www.privacyrights.org/

Page 10: IT Controls Presentation

The Evolving Landscape

• Fair Access to Credit Transactions Act (FACTA) - June 1, 2005: Any employer whose action or inaction results in the loss of employee information can be fined by federal and state government, and sued in civil court

• Additional fines may apply for non-compliance with contracts and regulations or statutes

Page 11: IT Controls Presentation

The Evolving Landscape

• Compliance Regulations

Gramm-Leach-Bliley Act

Critical Infrastructure Protection

Payment Card Industry Digital Security Standard

International Standards Organization 27001/27002

Page 12: IT Controls Presentation

The Evolving Landscape

• Compliance Regulations

Sarbanes-Oxley Act (§404)

Health Insurance Portability and Accountability Act (HIPAA)

Automated Teller Machine ANSI X.9

AICPA Statement on Auditing Standards

What’s next…

Page 13: IT Controls Presentation

Threats are Asymmetric

• Internal Threats are accidental and intentional. Insiders are responsible for…

32% of electronic crimes¹ – A CFO embezzled $96,000 by fixing an electronic payment system to pay his monthly credit card bill

70% of identity theft² – A Fidelity database administrator stole and sold bank and credit card data for 8.5 million customers

¹ Software Engineering Institute Computer Emergency Response Team and U.S. Secret Service Study http://www.cert.org/insider_threat/

² FDIC and Michigan State Study http://www.fdic.gov/consumers/consumer/idtheftstudysupp/toc.html

Page 14: IT Controls Presentation

Threats are Asymmetric

• Natural disasters - Katrina, etc...

• External threats are becoming more sophisticated: multi-echelon and multi-vector, specialization

o Bot herders

o Phishers

o Carders

o Spammers

Page 15: IT Controls Presentation

Harvesting data is good business…if you’re a criminal

The Black Market…

$980-$4,900 - Trojan program to steal online account information

$490 - Credit card number with PIN

$78-$294 - Billing data, including account number, address, Social Security number, home address, and birth date

$147 - Driver's license

$147 - Birth certificate

$98 - Social Security card

$6-$24 - Credit card number with security code and expiration date

$6 - PayPal account logon and password

Source: Trend Micro “How Does The Hacker Economy Work?”

Page 16: IT Controls Presentation

Common Myths

• End-Point Security is effective

• Hackers are pizza-faced 13 year old script-kiddies

• Hackers can’t get from my web site to our internal network

Page 17: IT Controls Presentation

Common Myths

• Morale will be hurt if I make control changes – employees will think we don’t trust them

• Outsourcing will transfer my risk

• IT controls will impede business efficiency

Page 18: IT Controls Presentation

Top 10 Gaps

1. No or few policies and procedures

2. Reliance on manual detective controls

3. Reliance on end-point security (firewalls)

4. No Data Classification - Trusted Insiders

5. No separation of duties

6. Password rules (strong passwords) not enforced

7. No periodic review of user accesses

8. Not Monitoring threats (phishing and social engineering)

9. Insufficient wireless network protection

10. Insufficient System Auditing

Page 19: IT Controls Presentation

Prescription (Best practices)

1. Implement appropriate control objectives and IT controls

2. Consolidate control objectives

3. Monitor, measure, and report controls against objectives on a regular schedule
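As an added illustration of what step 3 looks like in practice (this is example code written for this transcript, not material from the presentation or its author), the script below turns three of the "Top 10 Gaps" (no separation of duties, no periodic review of user accesses, reliance on manual detective controls) into one automated detective control: it reviews a constructed list of accounts against two control objectives, measures the result, and produces a report for the review cycle. The role names, conflict pairs, 90-day dormancy threshold and all accounts are assumptions constructed for the example.

```python
"""Automated periodic user-access review.

Added example, not from the presentation: it implements an automated
detective control for separation of duties and dormant or leftover
access, then measures and reports the result against the objective.
All roles, conflict pairs and accounts below are constructed sample
data, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    user: str
    roles: set
    last_login: date
    terminated: bool = False   # HR record says the person has left


# Control objective A (constructed toy rule set): no single account may hold
# both roles of any conflicting pair, e.g. creating a payee and approving
# payments to it.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payment_create", "payment_approve"}),
    frozenset({"dba", "payment_approve"}),
}

# Control objective B (assumed threshold): accounts idle longer than this are
# flagged for review; terminated staff must retain no roles at all.
DORMANT_DAYS = 90


def sod_violations(acct):
    """Conflicting role pairs that this account holds at the same time."""
    return {pair for pair in SOD_CONFLICTS if pair <= acct.roles}


def review(accounts, as_of):
    """Run the review; each finding is a (user, control, detail) tuple."""
    findings = []
    for a in accounts:
        for pair in sorted(sod_violations(a), key=sorted):
            findings.append((a.user, "SOD", "+".join(sorted(pair))))
        if a.terminated and a.roles:
            findings.append((a.user, "TERMINATED_WITH_ACCESS",
                             ",".join(sorted(a.roles))))
        elif (as_of - a.last_login).days > DORMANT_DAYS:
            findings.append((a.user, "DORMANT",
                             f"{(as_of - a.last_login).days} days idle"))
    return findings


def control_score(accounts, as_of):
    """Measure against the objective: share of accounts with no findings."""
    flagged = {user for user, _, _ in review(accounts, as_of)}
    return 1 - len(flagged) / len(accounts)


def report(accounts, as_of):
    """Plain-text report for one review cycle (what goes to management)."""
    lines = [f"User access review as of {as_of.isoformat()}"]
    for user, control, detail in review(accounts, as_of):
        lines.append(f"  {user:<8} {control:<24} {detail}")
    lines.append(f"Accounts without findings: {control_score(accounts, as_of):.0%}")
    return "\n".join(lines)


# Constructed sample population for one review cycle.
AS_OF = date(2014, 12, 5)
SAMPLE = [
    Account("alice", {"payment_create"}, date(2014, 11, 20)),
    Account("bob", {"vendor_create", "payment_approve"}, date(2014, 11, 28)),
    Account("carol", {"dba"}, date(2014, 7, 1)),
    Account("dave", {"payment_approve"}, date(2014, 10, 1), terminated=True),
    Account("erin", {"readonly"}, date(2014, 12, 1)),
]

if __name__ == "__main__":
    print(report(SAMPLE, AS_OF))
```

Run on a schedule (for example from a monthly job) and fed from the real identity store and HR feed, the same three functions give a repeatable detective control, a measurable number to trend over time, and a written record that the review happened, which is what an auditor asks for under the prescription's third step.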

Page 20: IT Controls Presentation

Conclusion

• It seems that companies aren’t learning anything from the front-page mistakes of competitors - We are our own worst enemy

• IT control is not just about compliance, it is a useful tool for ensuring the efficient use of organizational resources to meet business objectives and to prevent fraud

• Like any resource, IT requires a clear linkage between business needs and requirements

Page 21: IT Controls Presentation

Bill Lisse, IT Audit Manager

Phone: (937) 853-1490

Email: [email protected]