kpmg eISSA

Writing on the wall

ICT Management – IT audit and general controls

Atul Gupta, Manager, Information Risk Management, kpmg, India. Mail: [email protected]

iSAC 2005, 21 July 2005

Progress

– IT audit
– Potential threats – IT risks
– Risk Management – IT Controls
– Acts/ Standards/ Guidelines – Impact on IT controls and audit

IT audit

History of IT audit
– Began as EDP auditing
– Developed largely as a result of the rise of technology in accounting systems
– Typically carried out with
  • Financial statement audit
  • Internal audit
  • Other attestation engagements

IT audit

History of IT audit
– Initial computerized accounting system
  • Used in 1954
  • Primarily mainframe based systems
– Changes in 1960s
  • Increased usage of computing environment
– EDP auditing
  • Formalized in 1968 by AICPA along with the Big Eight
  • Formation of EDPAA
  • COBIT - 1977

IT audit

Major events
– Equity Funding Corporation of America (1964 – 1973)
– AT&T (1998)
– Popularity of Internet and adoption by corporates
– Enron Debacle
– 9/11 attacks
– Acts/ Regulations
  • GLBA
  • HIPAA
  • SAS70
  • UK DPA
  • EU – Directive on Data protection


Murphy’s Laws

IT audit

Review of controls in an entity’s technology infrastructure

Review whether the information systems
• Safeguard assets
• Maintain data integrity
• Operate effectively
• Are aligned with business objectives and the organization’s goals

The Prime Motive

Information – Availability, Confidentiality, Integrity

Potential threats – IT Risks


The Clock is Ticking

Changing IT environment – High Octane Fuel for Disaster???

Is your neighborhood safe???

Is security a costly proposition???

Changing IT environment – High Octane Fireball

Complex Information Systems

Systems-enabled businesses and the Internet grow @ the speed of light
– More & more business processes are getting technology enabled
– Decentralized operations and connectivity to business partners
– Remote connectivity to corporate network
– Increased virus attacks

Changing IT environment

Representative network diagram (Internet-connected network; the labels mark typical weak points)
– Hosts running unnecessary services
– Information leakage
– Incorrect trust relationships
– Misconfigured firewalls and routers
– Weak passwords
– Improperly defined shares
– Misconfigured or unpatched OS
– Inadequate logging, monitoring or detection
– Unsecured remote access points
– Misconfigured Web servers
– Unpatched, outdated or default configured software
– Old anti-virus definitions

Reality Check – The Unsafe Neighborhood

Increased threats due to
– Sophisticated social engineering methods
– Building technical knowledge and skills
– Gaining leverage through automation
– Exploiting network interconnections & moving easily through infrastructure
– Becoming more skilled at masking their behavior

Changing Paradigm

(Chart: Hacking Tools vs. Intruder Skill. Labels on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, backdoors, hijacking sessions, stealth diagnostics, packet forging/ spoofing, web-crawler attacks, anti-detection.)

Reality Check – The Cost Factor

Market growth is driving technology vendors to
– Decrease time to market while keeping cost, performance and features as primary
– Invisibles such as security many times remain SECONDARY
  • SERVICE PACKS & HOT FIXES are not the optimum solution

The Profit Margin vs. Security Paradox – Is it really a paradox??

Where does that leave today’s Organisation

(Diagram: the organisation – Corporate Data, Employees, Customer Data, Personal Data, Transactions, Content – surrounded by THE WORLD: Suppliers, Business Partners, Customers, Attackers, Competition, Enforcement Agencies.)

Just a mouse click away……………. Just about ANYONE

The Stake

– Business reputation
– 100 points off your share price
– Loss of customer personal identity and privacy, if not credit card numbers and hard cash
– Solvency
– Survival

Deciphering it further

Identification – Can we find out who is trying to reach us?
Authentication – Can we ensure that the users are who they pretend to be?
Authorization – Can we limit/control their actions?
Confidentiality – Can we ensure that the privacy of sensitive information is maintained?
Integrity – Can we ensure that the data has not been manipulated during or after the transmission?
Non repudiation – Can we ensure that the sender and receiver are accountable/ responsible for their actions?
Auditability – Can we ensure the ability to trace actions?
Intrusion Detection – Can we detect any unauthorised access attempts?
Error Correction – Can we correct the errors as soon as they are detected?

Risk Management – IT Controls

What is there in IT controls?

“It’s what keeps the hackers out.”
“It’s managing access to systems through the use of IDs and passwords.”
“It’s the process of encrypting data so others can’t read it.”
“It’s a barrier, preventing me from doing what I need to do.”
“It’s unnecessary overhead.”


Murphy’s Laws

Comprehensive approach to IT controls

IT controls

Key facets of IT controls include:
– People – organization, responsibility, accountability, and leadership
– Process – policies, procedures, and practices
– Technology – scalable technical support for automation, integration, and enabling of information security operations.

Bottom line: It’s NOT just a technology problem.

IT controls

IT Controls
– General IT controls
  • Derived from the security policy
  • Address the IT controls environment for the organization
– Business system application controls
  • Aligned with the business processes
  • Address the system based controls requirement for effective usage of IT systems

IT Controls – controls assessment flow (diagram)

Controls environment/ Business Processes
• Understand the controls environment/ business process requirements
• Establish control objectives
• Identify control parameters

Expected Controls
• Risk assessment
• Assess the controls requirement
  – Management controls
  – Application controls
  – Manual controls

Existing Controls
• Identify the existing controls
• Evaluate the effectiveness of, and compliance with, existing controls

Comparative Analysis
• Assess adequacy of implemented controls vis-à-vis the risks to which the organization and business processes are exposed

Residual Risks / Recommended Controls
• Assess control effectiveness
• Identify the residual risk
• Risk rating
• Risk exposure
• Identify the required controls


General IT controls

– Management of IT

– Continuity of systems

– Physical security and environmental control

– Security of information and systems

– Systems development

– Change management

– Control assurance

Business system application controls – Integrated Application System Controls Framework

Five phases: INITIATE PHASE, DESIGN PHASE, ASSESSMENT PHASE, FOLLOW UP AND EVALUATE PHASE, CLOSE OUT PHASE

• System administration • Change management • Business continuity • Disaster recovery • Support
Outcome: Adequate maintenance and support

• User access rights • Infrastructure security (Network, O/S & Dbs) • Monitoring and detection • Security policies & procedures • User security administration
Outcome: Facilitate processes and support key platforms

• Process documentation • Control risk analysis • Control design
Outcome: Effective, efficient controls that maximize functionality

• Data mapping • Data conversion • Interfaces • Audit trail
Outcome: Accurate, complete and timely data for decision-making

Murphy’s Laws

Acts/ Standards/ Guidelines – Impact on IT Audit and Controls

Enforcement of IT controls

Sarbanes Oxley 404
– Management of Internal Controls (including IT controls)
  • Internal control report (based on controls framework)
    – General IT controls
    – Business system application controls
  • Report – validated and signed off
  • Material weakness in controls is documented and reported

Enforcement of IT controls

BS 7799/ ISO 27001
– Information Security Management System
– Only standard against which certification is possible
– Covers the information assets
  • Including the IT infrastructure

Enforcement of IT controls

Statement on Auditing Standard (SAS) 70
– Audit of third party service provider
– Primarily covers
  • General IT controls
  • Transaction processing and application system controls
– Main differences
  • SAS 70 is an examination standard
  • Governed by AICPA guidelines
  • Certification can not be carried out
  • Reporting
    – Type 1
    – Type 2

Enforcement of IT controls

Various data privacy/ information security acts
– Gramm-Leach-Bliley Act, 1999 (for financial institutions)
  • Inform customers about the information practices with respect to gathering, use and disclosure of customers’ non-public personal financial information
– Health Insurance Portability and Accountability Act (HIPAA)
  • Safeguard identifiable health information from inappropriate disclosure
– UK Data Privacy Act, 1998
  • Individuals have certain rights regarding information held about them
– EU directive on data protection
  • Directive 95/46/EC
– India IT Act 2000
  • Provides legal infrastructure for e-commerce in India

The way forward

Seven Habits for Effective Information Controls
1. Strategic Focus towards Information Controls
2. Risk Management -> Information Controls
3. Process, Not an End Destination
4. Top Management Presence and Authority in Decision Making
5. Recognizing that the Weakest Link will cause Maximum Exposure
6. Continuous Improvement, Periodic Assessment
7. Line Management Responsibility for Information Controls

Murphy’s Laws
