IT Controls Presentation

  1. What you don’t know about IT Controls can cripple your business
     Presented by: Bill Lisse, CISSP, GIAC PCI, GIAC HIPAA, SSCA, Security+ SME, IT Audit Manager
     “Yep, son, we have met the enemy and he is us.” - Pogo, 1971
  2. Why should business leaders care?
     • Leading Organizations: 1 of 10 are well-positioned
     • Normative Organizations: 7 out of 10 could substantially reduce financial risk
     • Lagging Organizations: 2 out of 10 have the most to gain
     “Only 1 of 10 firms are leveraging Information Technology (IT) compliance (Controls)… that could help mitigate financial risk from lost or stolen data.”
     Source: IT Policy Compliance Group. “Why Compliance Pays: Reputations and Revenues at Risk,” July 2007
  3. Leaders versus Laggards
     • Leaders have the fewest business disruptions – only two or fewer disruptions annually
     • Leaders have 2 or fewer data losses or thefts per year
     • Laggards experience 17 disruptions or more per year
     • Laggards have 22 or more data losses per year
  4. Financial Risks
     - An 8 percent decline in market value of publicly traded firms – some stock may take forever to recover
     - An 8 percent loss of customers
     - A temporary decline in revenue
     - Additional costs for litigation, notification, restoration, cleanup, settlements, and improvements, averaging $100 per lost customer record!
     Source: Oxford Executive Research Briefing, Impact of Catastrophes on Shareholder Value
  5. Average Cost: $1,662,720
     This does not include potential civil litigation or class action lawsuits.
  6. Prevent or Limit Losses
     • Limit exposure (proactive versus reactive)
        Due diligence – “reasonable assurance”
        Cannot rely on laws to protect or limit liability
          o Sophisticated hackers may be beyond the reach of the law
  7. Prevent or Limit Losses
     • In 2004, the Department of Justice estimated 3% of all U.S. households experienced some form of identity theft – the number is accelerating
        3.6 Million People
        Average $1,290.00 per household
        Conservative annualized loss estimate was $6.4 Billion
        Occurs every 79 seconds in America!
  8. Protecting your hard earned reputation
     “Avoid the wrong type of branding”
     • Your corporate reputation is at stake – backlash can be severe
     • Making headlines
        TJMaxx
        Choicepoint
  9. Protecting your hard earned reputation
     “Avoid the wrong type of branding”
     • Once you make the list, you are here forever....
  10. The Evolving Landscape
     • Fair Access to Credit Transactions Act (FACTA) - June 1, 2005
        Any employer whose action or inaction results in the loss of employee information can be fined by federal and state government, and sued in civil court
     • Additional fines may apply for non-compliance with contracts and regulations or statutes
  11. The Evolving Landscape
     • Compliance Regulations
        Gramm-Leach-Bliley Act
        Critical Infrastructure Protection
        Payment Card Industry Digital Security Standard
        International Standards Organization 27001/27002
  12. The Evolving Landscape
     • Compliance Regulations
        Sarbanes-Oxley Act (§404)
        Health Insurance Portability and Accountability Act (HIPAA)
        Automated Teller Machine ANSI X.9
        AICPA Statement on Auditing Standards
        What’s next…
  13. Threats are Asymmetric
     • Internal threats are accidental and intentional. Insiders are responsible for…
        32% of electronic crimes¹
          o A CFO embezzled $96,000 by fixing an electronic payment system to pay his monthly credit card bill
        70% of identity theft²
          o A Fidelity database administrator stole and sold bank and credit card data for 8.5 million customers
     ¹ Software Engineering Institute Computer Emergency Response Team and U.S. Secret Service Study
     ² FDIC and Michigan State Study
  14. Threats are Asymmetric
     • Natural disasters - Katrina, etc...
     • External threats are becoming more sophisticated
        Multi-echelon and multi-vector
        Specialization
          o Bot herders
          o Phishers
          o Carders
          o Spammers
  15. Harvesting data is good business… if you’re a criminal
     The Black Market…
        $980-$4,900 - Trojan program to steal online account information
        $490 - Credit card number with PIN
        $78-$294 - Billing data, including account number, address, Social Security number, home address, and birth date
        $147 - Driver's license
        $147 - Birth certificate
        $98 - Social Security card
        $6-$24 - Credit card number with security code and expiration date
        $6 - PayPal account logon and password
     Source: Trend Micro “How Does The Hacker Economy Work?”
  16. Common Myths
     • End-Point Security is effective
     • Hackers are pizza-faced 13 year old script-kiddies
     • Hackers can’t get from my web site to our internal network
  17. Common Myths
     • Morale will be hurt if I make control changes – employees will think we don’t trust them
     • Outsourcing will transfer my risk
     • IT controls will impede business efficiency
  18. Top 10 Gaps
     1. No or few policies and procedures
     2. Reliance on manual detective controls
     3. Reliance on end-point security (firewalls)
     4. No Data Classification - Trusted Insiders
     5. No separation of duties
     6. Enforce password rules (strong passwords)
     7. No periodic review of user accesses
     8. Not monitoring threats (phishing and social engineering)
     9. Insufficient wireless network protection
     10. Insufficient system auditing
  19. Prescription (Best practices)
     1. Implement appropriate IT control objectives and controls
     2. Consolidate control objectives
     3. Monitor, measure, and report controls against objectives on a regular schedule
  20. Conclusion
     • It seems that companies aren’t learning anything from the front-page mistakes of competitors - We are our own worst enemy
     • IT control is not just about compliance, it is a useful tool for ensuring the efficient use of organizational resources to meet business objectives and to prevent fraud
     • Like any resource, IT requires a clear linkage between business needs and requirements
  21. Bill Lisse, IT Audit Manager
     Phone: (937) 853-1490
     Email: