TRANSCRIPT
Spring Education Conference
Securing the Organization
(Ensuring Trustworthy Systems)
Ken Vander Wal, CISA, CPA
Past President, ISACA
2012-2013 Board of Directors
Past International President
Kenneth Vander Wal
Chicago Chapter
Vice Presidents
Past International President
Emil D’Angelo
NY Metropolitan Chapter
Tony Hayes
Brisbane Chapter
International President
Greg Grocholski
Member at Large
Christos Dimitriadis
Athens Chapter
Jeff Spivey
Charlotte Chapter
Allan Boardman
London Chapter
Juan Luis Carselle
Mexico City Chapter
Ramses Gallego
Barcelona Chapter
Marc Vael
Belgium Chapter
Appointed directors: John Ho Chi, Singapore Chapter; Krysten McCabe, Atlanta Chapter; Jo Stewart-Rattray, Adelaide Chapter
Agenda
• IT Changing Landscape
• IT Value, Trust and Assurance
• Impact on Assurance Profession
• Questions and Discussion
Digital power = Computing x Communication x Storage x Content
Computing: Moore's law, doubles every 18 months
Communication: Fiber law, doubles every 9 months
Storage: Disk law, doubles every 12 months
Content: Community law, 2^n where n is the number of people
Source: John Seely Brown
Pace of Change of Digital Infrastructure
Worldwide IT Spending Forecast (Billions of US Dollars)
Other Gartner Predictions
• Technology spend outside IT will become almost 90% by the end of the decade
• 4.4M IT jobs globally will be created to support Big Data, 1.9M in the US
– $34B of IT spending in 2013
• In 2016, more than 1.6B smart mobile device purchases globally
• Security investments to increase by 56% in five years
– Driver: Regulatory compliance
Source: CIO Insight
Trends Sure to Impact CIOs in 2013
1. The increasing importance of smartphones
2. Tablets will make inroads
3. The Cloud is here to stay
4. BYOD (or is it IBMOD)
5. Big Data
6. The increasing role of Windows 8
7. Social networking security
8. Small, lighter hardware
9. Increasing employee knowledge
10. Apple love
We no longer speak in terms like bytes, kilobytes (KB) or gigabytes (GB).
How many bytes in a Terabyte (TB)?
10^12 (or 2^40)
Equivalent to roughly 1,610 CDs worth of data
Anyone heard of a Petabyte?
Or an Exabyte?
1 Petabyte (PB) is 1,024 TB
1 Exabyte (EB) is 1,024 PB
1 Zettabyte (ZB) is 1,024 EB
1 Yottabyte (YB) is 1,024 ZB
Speaking of Big Data
2012 © ISACA. Used by permission.
• Information systems environments are continuing to
increase in complexity and impact, bringing
unprecedented value opportunities along with
significant risk.
• This requires:
– active governance and management of information
– advanced auditing practices
What Does It Mean?
• Need to provide more value to the stakeholders of
an organization by focusing more on business and
information.
• Silos being removed: business, IT internal audit,
finance internal audit, fraud investigators, security,
governance, external audit, SLA managers.
• Era of diverse framework integration and central
management.
• New technologies introduce new skill requirements
for auditors – not solely technical ones.
What is the Impact on the Audit Profession?
• Securing and Auditing the Cloud requires good understanding of:
– Technologies (web services, virtualization)
– Related control frameworks
– Business requirements (linking IT with the business)
– Legal requirements (data transfer, retention, protection)
– Contractual agreements (e.g. impeding factors from moving to other providers)
Example: ISACA Cloud Computing Management Audit/Assurance Program
Alignment
• IT and business processes
• Organization structure
• Organization strategy
Integration
• Enterprise architecture
• Business architecture
• Process design
• Organization design
• Performance metrics
[Diagram: Business Requirements drive the investment in IT Resources, which are used by IT Processes to deliver Enterprise Information, which responds to Business Requirements.]
IT Value Factors
• IT is not an end to itself but a means of enabling business outcomes. IT is not about implementing technology. It is about unlocking value through IT-enabled organizational change.
• Value is the total life-cycle benefits net of related costs, adjusted for risk and (in the case of financial value) for the time value of money.
• The concept of value relies on the relationship between meeting the expectations of stakeholders and the resources used to do so.
Value Defined (Val IT)
Definition 1: Trust is the ability to predict what a system will do in various situations.
Definition 2: Trust is using an information system without having full knowledge about it.
Definition 3: Trust is giving something now (credit card) with an expectation of some future return or benefit (online purchase).
Definition 4: Trust is being vulnerable (entering private and sensitive information) while expecting that the vulnerabilities will not be exploited (identity theft).
Trust that:
• Private and sensitive information will remain confidential
• Process integrity is maintained
• Essential business processes are available or recoverable
Trust Defined
• Systems should give minimum and, as much as possible,
measurable guarantees and information on related risks concerning
quality of service, security and resilience, transparency of actions
and the protection of users’ data and users’ privacy, in accordance
with predefined, acknowledged policies.
• Systems should provide tools and mechanisms (or allow third-party
service providers to do so) that enable the user to assess the risks
and audit the qualities it is claimed to possess.
• A bona fide trustworthy system must also entail quantifiable and
auditable technical and organizational aspects of delivery (policies,
architectures, service level agreements, etc.), as well as the user’s
perceptions on its operation.
Trust in an Information Society
Security
Privacy
Reliability
Integrity
Investment in expertise & technology
Responsible leadership and partnering
Guidance and engagement through best practices & education
Design, development and testing
Standards and policies
User sense of control over personal information
Resilient – continues in the face of internal or external disruption
Recoverable – restorable to a previously known state
Controlled – accurate and timely service
Undisruptable – changes and upgrades do not disrupt service
Production ready – minimal bugs or fixes
Predictable – works as expected or promised
Acceptance or responsibility for problems and takes action to correct them
Trustworthy Computing
[Diagram: Trust, Value, Assurance]
Trust creates the opportunity for Value
Value is based on an expectation of Trust
Assurance binds Trust and Value together
Trust and Value Relationship
Governance
Risk Management
Info Security
Audit/Assurance
Information systems are integral enablers that:
• Achieve an organization’s strategy and business
objectives
• Provide the confidentiality, integrity, availability and
reliability of information assets
• Ensure compliance with applicable laws and
regulations
Their criticality brings to the enterprise
unprecedented potential for both value creation
and risk (creating the need for trust).
What does all this mean for ISACA and IIA members?
Learn Faster
Share Knowledge
Engage
• White papers
• IT audit/assurance programs
• Survey results
• Other research
• Journal articles
LEARN FASTER
Examples of Resources
ISACA
• Information Technology Assurance Framework
• Audit programs (downloadable)
• IT Risk/Reward Barometer Survey
• eLibrary
• White papers
• COBIT
IIA
• International Professional Practices Framework
• Global Technology Audit Guides
• GAIN annual benchmarking study
• Chief audit executive resources
COBIT 5 Principles
2012 © ISACA. Used by permission.
COBIT 5 Enablers
2012 © ISACA. Used by permission.
COBIT 5 Enabling Processes
2012 © ISACA. Used by permission.
• Networking at chapter, regional and international
levels
• Use of knowledge centers and collaboration
• Communicate
SHARE KNOWLEDGE
• Volunteer
• Share knowledge
• Attend
• Get a certification
• Comment on exposure drafts
ENGAGE
Certifications
ISACA
CISA
CISM
CGEIT
CRISC
IIA
CIA
CGAP
CFSA
CCSA
CRMA
THANK YOU