Cybersecurity It Audit Services Gt April2012
- 1. Cyber Security Consulting, IT Audit & Assessment Services
Protecting Information in the Enterprise
Grant Thornton, LLP
A QSA Company
Danny Miller, CISA, CGEIT, CRISC, ITIL
April 2012
-1- © Grant Thornton LLP. All rights reserved.
- 2. Grant Thornton overview
At-a-glance
Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries, including 50 offices in the United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe.
Statistics | Grant Thornton International Ltd | Grant Thornton LLP
Revenues | $4 billion | $1.2 billion
Personnel | 29,890 | 5,505
Partners | 2,539 | 540
Offices | 498 | 52
Statistics as of | Sept. 30, 2008 | July 31, 2009
- 3. Grant Thornton's Cyber Security Solution Practice
(Section tabs shown on each slide: Cyber Security & IT Audit | Strategy & Design | Vulnerability & Penetration Services | Other assessment services | Privacy | PCI | Contact)
Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored.
We address our clients' complex security requirements through a variety of consulting support, including: strategy; information protection; data leakage; assessing security vulnerabilities; advising on establishing or improving the operations of a security organization; remediating compliance failures or gaps, including gaps related to PCI and HIPAA/HITECH compliance; and developing approaches and programs to effectively assess and manage risk by implementing appropriate security countermeasures through the entire life cycle of information in the enterprise.
- 4. Our IT Audit Services
Our approach to technology risk is compatible with all major frameworks, including COSO and the latest Risk IT framework from ISACA, and fills the gaps that other frameworks leave open. We also cover application risk with a lens from the Global Technology Audit Guides (GTAG) from the IIA.
The team that will be managing and executing this engagement has more than 90 years of combined technology experience in industry, Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, MCSE, ITIL and CGEIT.
Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals Industry. Relevant clients include:
- Sunoco
- Quaker Chemical
- Philadelphia Gas Works
- Donegal Insurance
- Lyondell Chemical
- Amerigas
- Airgas
- Valspar Corporation
- 5. [Figure] ©2010 ISACA. All rights reserved.
- 6. Guiding Principles of IT Risk Management
• Ensure a connection to enterprise objectives and enterprise risk
• Align the management of IT-related business risk with overall enterprise risk management
• Balance the costs and benefits of managing risk
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
• Risk is a continuously changing landscape, and risk management acknowledges that it is a continuous process
- 7. Grant Thornton Cyber Security services
- Information protection at all levels
- Data Leakage detection and prevention
- Security Strategy and Design
- Threat Analysis
- Vulnerability Assessments
- Penetration Testing
- Anti-phishing consulting
- Risk-event consulting
- Data Privacy & Protection
- PCI Data Security Standards QSA Consulting
- HIPAA
- 8. Grant Thornton's Cyber Security Services
• Experienced and dedicated cyber security personnel
– Deep technical background – real expertise in cybersecurity
– Experience across industries
– Practical and cost effective strategies to mitigate risk
• Address the security risk within the context of business risk
– Understand the relationship of IT risk management within overall enterprise risk management
– Communicate technical risks using layman's terms and business impact
• Proven cyber security methodologies, tools, and techniques
- 9. Cybersecurity Life Cycle and Service Components
Life Cycle Component | Solution Set | Activities/Scope | ITIL* Framework Component
Policy | Strategy and Assessment | Develop and test policy, best practices | Plan/Maintain
Evaluate | Risk, Breaches, Programs, Strategy and Design, Assess Threats | Data privacy and classification, Monitoring, PCI, HIPAA, Vulnerability and Penetration testing, Cloud, Agreements with third parties, Service Level Agreements (SLA), Operational Level Agreements (OLA) |
Implement | Threat Profiling, Plan, Design and Implement | PCI, HIPAA, IDS/IPS, VPN, Firewalls, SIM/SEM, Application (including Cloud-based), SDLC, Data classification, Data privacy (state, federal, international) | Implement
Manage | Threats, Incidents, Risk, Policy, Standards, Procedures, Programs | Master Data Management (MDM), IT Audits, Self Assessment, Penetration and Vulnerability, Communication, Response | Control/Maintain
Respond | Threat reduction, Investigate, Respond, Remediate | Countermeasures, Data leakage and breaches, PCI breaches, HIPAA information exposure | Control/Maintain
* - The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing
information technology. Services are assets from which the customer gains value, hence cybersecurity is one of those services.
- 10. Cyber Security Strategy & Design
Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the goal of the ITIL Information Security Management (ISM) strategy is the alignment of IT security with business security, to ensure that information security is effectively managed in all service and Service Management activities.
This strategy includes managing risk and security over information assets while balancing the needs of the business for:
• Availability of information and assets
• Confidentiality of information
• Integrity of information
- 11. The problem with "Big Data"
[Figure] Attribution: Cloud Security Alliance (CSA)
- 12. Vulnerability assessment vs. Penetration test
• The terms "vulnerability assessment" and "penetration test" are
sometimes used interchangeably, so it's important to define and
distinguish them.
• Vulnerability assessment
– a service that provides a comprehensive prioritized identification of
vulnerabilities, but does not attempt to exploit them.
• Penetration test
– a goal-oriented service that attempts to gain unauthorized access to a specified target by exploiting one or more vulnerabilities.
- 13. Other assessment services
Wireless Assessment
− a service that assesses the security mechanisms (e.g.,
authentication, encryption) of a wireless network, and
attempts to identify rogue access points.
Web Application Security Assessment
− a service that assesses the security of a web application,
including session management, authentication, authorization,
and input validation.
Voice Over IP (VoIP) Security Assessment
− a service that assesses the security of a deployed VoIP
infrastructure, including the infrastructure support, the VoIP
components, and the VoIP protocols.
Data Leakage Prevention Assessment
− a service that measures an organization's risk of information
leakage.
- 14. Privacy
Information Trends
• Every day, companies collect, use, profile, disclose, and analyze customer
information
• Employees who have access to sensitive information inside an
organization also represent a key risk – we see this as the fastest rising
threat
• Unfortunately, some of this information is:
– Misused
– Stolen
– Sold, traded or given to organizations (e.g., WikiLeaks)
• This has led to a trust gap among customers, employees and corporate
leadership
- 15. Privacy
Personally Identifiable Information (PII)
Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include:
• Social Security number
• Driver's license number or state-issued identification card number
• Financial account number, credit card number, or debit card number
• Name, address, email address
• Credit records
• Buying history
• Employee records
Much of this information is sensitive and a greater cause for concern.
- 16. Privacy
Information stakeholder concerns
• Customers
– Concerned with how and why their information is collected, used,
disclosed, and retained
– Want businesses to earn trust
• Businesses
– Trying to strike a balance between collection and use of information
– Concerned with reducing privacy risk of poor privacy practices
– Want to leverage good privacy practices and retain trust of customers
• Government
– Taking increased action on growing concerns about privacy to:
  – Protect rights of citizens
  – Better manage its own data stores
- 17. HIPAA
GT Healthcare IT Security Offerings:
• IT Security Risk Assessment
• IT Security Program Implementation Assistance
• IT Security/HIPAA Review and Recommendations
• HIPAA Compliance Attestation Report
- 18. HIPAA
IT Security Risk Assessment
- 19. HIPAA
IT Security Program Implementation Assistance
• Based on HIPAA/ISO/CobiT/NIST
• IT Security Risk Assessment
• Policies
• Procedures
• Business Impact Analysis
• Incident Management Program
• Security Awareness Program
• IT Contingency Plans/Updated DRP
• Vulnerability Assessment/Pen Tests
• Controls Testing
- 20. HIPAA
IT Security/HIPAA Review and Recommendations
• Evaluate and test:
– Administrative safeguards
– Physical safeguards
– Technical safeguards
– Organizational safeguards
– Policies, procedures and documentation requirements
- 21. HIPAA
HIPAA Compliance Attestation Report and Readiness Review
Similar to a SAS 70 report, except that the opinion is on HIPAA compliance.
Phases (diagram labels): Criterion Definition | Observation and testing | Reporting; Management Checkpoints
• Evaluate and reaffirm the appropriateness of the design of processes and controls with management
• Evaluate and reaffirm management's interpretation of compliance to ensure that the defined criteria are measurable, objective and will be understood by any readers of the report
• Test the operating effectiveness of identified controls for the testing period
• Determine whether controls were operating effectively throughout the testing period
• Confirm the validity of identified findings with the process owner and inform management of validated findings
• Evaluate the significance of any instances of non-compliance with the specified criteria
- 22. Privacy Assessment Approach
Step 1, Information Collection: Identify entry points; Develop process flows; Map flows onto IT infrastructure; Leverage DLP to validate. Outcome: gained an understanding of the environment.
Step 2, Identify Scope Reduction Opportunities: Reduce / modify data collection; Reduce data storage; Modify business processes. Outcome: reduced scope and risk.
Step 3, Gap Analysis: Conduct gap analysis with the Enhanced Privacy Framework. Outcome: gap analysis document with gap prioritization.
Step 4, Remediation Planning & Roadmap: Recommend remediation projects; Develop a prioritized approach. Outcome: remediation plan.
- 23. Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of comprehensive requirements for the protection of payment card information.
The PCI-DSS is managed by the PCI Security Standards Council (PCI-SSC) and sponsored by the major card brands.
The PCI-DSS is applicable to any organization that stores, processes or transmits cardholder data (CHD).
Major payment card security breaches since 2005:
• 2005, Card Systems: 40 Million Cards, Processing Ability Revoked by Visa and MasterCard
• 2007, TJX: At least 45.7 Million Customers Affected, Over $250 Million in costs
• 2008, Hannaford Foods: 4.2 Million Cards, Validated Compliant at time of breach, Liability and Results Pending
• 2009, Heartland Payment Systems: Potentially more than 100 Million cards compromised and untold amounts of resulting damages
- 24. Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS high level requirements
The PCI DSS prescribes requirements that any business of any size must adhere to in order to
accept payment cards.
- 25. What information must be protected?
Data Element | Storage Permitted | Protection Required | Encryption Required
Cardholder Data: Primary Account Number (PAN) | Yes | Yes | Yes
Cardholder Data: Cardholder Name | Yes | Yes | No
Cardholder Data: Service Code | Yes | Yes | No
Cardholder Data: Expiration Date | Yes | Yes | No
Sensitive Authentication Data: Full Magnetic Stripe Data | No | N/A | N/A
Sensitive Authentication Data: CAV2/CVC2/CVV2/CID | No | N/A | N/A
Sensitive Authentication Data: PIN/PIN Block | No | N/A | N/A
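An added worked example (not from the deck) that applies the storage table above to stored records, in the spirit of the DLP validation mentioned elsewhere in this deck: it flags sensitive authentication data that must not be stored at all and uses a Luhn check to spot a PAN kept in cleartext. The record layout, field names and sample values are constructed for illustration.

```python
# Added example (not from the deck): check stored records against the PCI DSS
# storage table. Assumptions, constructed for illustration: records are flat dicts
# keyed by the table's data-element names; a cleartext PAN is recognised as a
# 13-19 digit, Luhn-valid string; anything else in the PAN field is treated as
# possibly encrypted/truncated and only flagged for verification.
import re

# element -> (storage permitted, encryption required), straight from the table
STORAGE_RULES = {
    "Primary Account Number (PAN)": (True, True),
    "Cardholder Name": (True, False),
    "Service Code": (True, False),
    "Expiration Date": (True, False),
    "Full Magnetic Stripe Data": (False, False),
    "CAV2/CVC2/CVV2/CID": (False, False),
    "PIN/PIN Block": (False, False),
}

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; card PANs are issued so that this passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_cleartext_pan(value: str) -> bool:
    """True when value is a plausible cleartext PAN (13-19 digits, Luhn-valid)."""
    digits = re.sub(r"[ -]", "", value)
    return bool(re.fullmatch(r"\d{13,19}", digits)) and luhn_valid(digits)

def check_record(record: dict) -> list:
    """Return (element, finding) pairs for one stored record."""
    findings = []
    for element, value in record.items():
        if element not in STORAGE_RULES:
            continue
        permitted, needs_encryption = STORAGE_RULES[element]
        if not permitted:
            # Sensitive authentication data must not be stored at all (table: No / N/A)
            findings.append((element, "PROHIBITED: sensitive authentication data stored"))
        elif needs_encryption and looks_like_cleartext_pan(str(value)):
            findings.append((element, "VIOLATION: PAN stored in cleartext"))
        elif needs_encryption:
            findings.append((element, "VERIFY: PAN present; confirm it is encrypted or truncated"))
    return findings

# Constructed sample records; 4111... is a well-known test number, not a real card
SAMPLE_RECORDS = [
    {"Primary Account Number (PAN)": "4111 1111 1111 1111", "Cardholder Name": "A. Example",
     "Expiration Date": "12/26", "CAV2/CVC2/CVV2/CID": "123"},
    {"Primary Account Number (PAN)": "enc:AES256:Q7xq2Lp9", "Cardholder Name": "B. Example",
     "Service Code": "201"},
]
```

Running `check_record` over `SAMPLE_RECORDS` reports a cleartext PAN and a stored CVV2 for the first record, and only a verification note for the second.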
- 26. Payment Card Industry Data Security Standard (PCI DSS)
Some common PCI DSS myths:
• PCI doesn’t apply to us because:
– We don’t take enough credit cards, or
– It only applies to retailers and ecommerce
• PCI makes us store cardholder data
• We are compliant because we:
– Encrypt our cardholder data, or
– Use vendor/product ABC, or
– Outsource our credit card processing
• PCI compliance is an IT project
• PCI will make us secure
• We completed our SAQ so we’re compliant
- 27. Payment Card Industry Data Security Standard (PCI DSS)
Grant Thornton PCI DSS Capabilities
Current capabilities:
• An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSAs in our practice across two countries
• Client base that we can reference from in the QSA space
• Extensive PCI DSS consulting experience
• Performing PCI DSS penetration testing and risk assessments
• Performing PCI DSS readiness assessments for all merchant levels
- 28. Contact information
Danny Miller
Grant Thornton LLP
Principal & Practice Leader
Tel: 215.376.6010 | email: Danny.Miller@us.gt.com
Or e-mail cybersecurity@us.gt.com