Cybersecurity It Audit Services Gt April2012

IT Audit and Cybersecurity Services with Grant Thornton, LLP.

Transcript

  • 1. Cyber Security Consulting, IT Audit & Assessment Services
    Protecting Information in the Enterprise
    Grant Thornton, LLP, A QSA Company
    Danny Miller, CISA, CGEIT, CRISC, ITIL
    April 2012
    -1- © Grant Thornton LLP. All rights reserved.
  • 2. Grant Thornton overview
    At-a-glance
    Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries, including 50 offices in the United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe.
    Statistics          Grant Thornton International Ltd   Grant Thornton LLP
    Revenues            $ 4 billion                        $ 1.2 billion
    Personnel           29,890                             5,505
    Partners            2,539                              540
    Offices             498                                52
    Statistics as of    Sept. 30, 2008                     July 31, 209
  • 3. (Slide navigation: Cyber Security & IT Audit | Strategy & Design Services | Vulnerability & Penetration Services | Other assessment services | Privacy | PCI | Contact)
    Grant Thornton's Cyber Security Solution Practice
    Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored.
    We address our clients' complex security requirements through a variety of consulting support, including strategy, information protection, data leakage, assessing security vulnerabilities, advising on establishing or improving the operations of a security organization, remediating compliance failures or gaps (including gaps related to PCI and HIPAA/HITECH compliance) and developing approaches and programs to effectively assess and manage risk by implementing appropriate security countermeasures through the entire life cycle of information in the enterprise.
  • 4. Our IT Audit Services
    Our approach to technology risk is compatible with all major frameworks, including COSO and the latest Risk IT framework from ISACA, and fills the gaps that other frameworks do not provide. We also cover application risk with a lens from the Global Technology Audit Guides (GTAG) from the IIA.
    The team that will be managing and executing this engagement has more than 90 years of combined technology experience in industry, Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, MCSE, ITIL and CGEIT.
    Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals Industry. Relevant clients include:
    - Sunoco
    - Lyondell Chemical
    - Quaker Chemical
    - Amerigas
    - Philadelphia Gas Works
    - Airgas
    - Donegal Insurance
    - Valspar Corporation
  • 5. [Figure] ©2010 ISACA. All rights reserved.
  • 6. Guiding Principles of IT Risk Management
    - Ensure a connection to enterprise objectives and enterprise risk
    - Align the management of IT-related business risk with overall enterprise risk management
    - Balance the costs and benefits of managing risk
    - Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
    - Risk is a continuously changing landscape, and risk management acknowledges that it is a continuous process
  • 7. Grant Thornton Cyber Security services
    - Information protection at all levels
    - Data Leakage detection and prevention
    - Security Strategy and Design
    - Threat Analysis
    - Vulnerability Assessments
    - Penetration Testing
    - Anti-phishing consulting
    - Risk-event consulting
    - Data Privacy & Protection
    - PCI Data Security Standards QSA Consulting
    - HIPAA
  • 8. Grant Thornton's Cyber Security Services
    - Experienced and dedicated cyber security personnel
      – Deep technical background: real expertise in cybersecurity
      – Experience across industries
      – Practical and cost-effective strategies to mitigate risk
    - Address the security risk within the context of business risk
      – Understand the relationship of IT risk management within overall enterprise risk management
      – Communicate technical risks using layman's terms and business impact
    - Proven cyber security methodologies, tools, and techniques
  • 9. Cybersecurity Life Cycle and Service Components
    Columns: Life Cycle Component | ITIL* Framework Component | Solution Set | Activities/Scope
    - Policy | Strategy and Plan/Maintain | Assessment | Develop and test policy, best practices
    - Assess | Evaluate | Threats | Risk, Data privacy and classification, Breaches, Programs, Monitoring, PCI, Strategy and Design, HIPAA, Vulnerability and Penetration testing, Cloud, Agreements with third parties, Service Level Agreements (SLA), Operational Level Agreements (OLA)
    - Implement | Plan, Design and Implement | Implement | Threat Profiling, PCI, HIPAA, IDS/IPS, VPN, Firewalls, SIM/SEM, Application (including Cloud-based), SDLC, Data classification, Data privacy (state, federal, international)
    - Manage | Control/Maintain | Risk, Policy, Standards, Procedures, Programs | Threats, Incidents, Master Data Management (MDM), IT Audits, Self Assessment, Penetration and Vulnerability, Communication, Response
    - Respond | Control/Maintain | Investigate, Respond, Remediate | Threat reduction, Countermeasures, Data leakage and breaches, PCI breaches, HIPAA information exposure
    * The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing information technology. Services are assets from which the customer gains value, hence cybersecurity is one of those services.
  • 10. Cyber Security Strategy & Design
    Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the goal of the ITIL Information Security Management (ISM) strategy is the alignment of IT security with business security, to ensure that information security is effectively managed in all service and Service Management activities. This strategy includes managing risk and security over information assets while balancing the needs of the business for:
    - Availability of information and assets
    - Confidentiality of information
    - Integrity of information
  • 11. The problem with "Big Data"
    [Figure] Attribution: Cloud Security Alliance (CSA)
  • 12. Vulnerability assessment vs. Penetration test
    - The terms "vulnerability assessment" and "penetration test" are sometimes used interchangeably, so it's important to define and distinguish them.
    - Vulnerability assessment: a service that provides a comprehensive, prioritized identification of vulnerabilities, but does not attempt to exploit them.
    - Penetration test: a goal-oriented service that attempts to gain unauthorized access to a specified target by exploiting one or more vulnerabilities.
  • 13. Other assessment services
    - Wireless Assessment: a service that assesses the security mechanisms (e.g., authentication, encryption) of a wireless network, and attempts to identify rogue access points.
    - Web Application Security Assessment: a service that assesses the security of a web application, including session management, authentication, authorization, and input validation.
    - Voice Over IP (VoIP) Security Assessment: a service that assesses the security of a deployed VoIP infrastructure, including the infrastructure support, the VoIP components, and the VoIP protocols.
    - Data Leakage Prevention Assessment: a service that measures an organization's risk of information leakage.
  • 14. Privacy: Information Trends
    - Every day, companies collect, use, profile, disclose, and analyze customer information
    - Employees who have access to sensitive information inside an organization also represent a key risk; we see this as the fastest rising threat
    - Unfortunately, some of this information is:
      – Misused
      – Stolen
      – Sold, traded or given to organizations (e.g., WikiLeaks)
    - This has led to a trust gap among customers, employees and corporate leadership
  • 15. Privacy: Personally Identifiable Information (PII)
    Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include:
    - Social Security number
    - Driver's license number or state-issued identification card number
    - Financial account number, credit card number, or debit card number
    - Name, address, email address
    - Credit records
    - Buying history
    - Employee records
    Much of this information is sensitive and greater cause for concern.
  • 16. Privacy: Information stakeholder concerns
    - Customers
      – Concerned with how and why their information is collected, used, disclosed, and retained
      – Want businesses to earn trust
    - Businesses
      – Trying to strike a balance between collection and use of information
      – Concerned with reducing the privacy risk of poor privacy practices
      – Want to leverage good privacy practices and retain the trust of customers
    - Government
      – Taking increased action on growing concerns about privacy to:
      – Protect rights of citizens
      – Better manage its own data stores
  • 17. HIPAA: GT Healthcare IT Security Offerings
    - IT Security Risk Assessment
    - IT Security Program Implementation Assistance
    - IT Security/HIPAA Review and Recommendations
    - HIPAA Compliance Attestation Report
  • 18. HIPAA: IT Security Risk Assessment
  • 19. HIPAA: IT Security Program Implementation Assistance
    - Based on HIPAA/ISO/CobiT/NIST
    - IT Security Risk Assessment
    - Policies
    - Procedures
    - Business Impact Analysis
    - Incident Management Program
    - Security Awareness Program
    - IT Contingency Plans/Updated DRP
    - Vulnerability Assessment/Pen Tests
    - Controls Testing
  • 20. HIPAA: IT Security/HIPAA Review and Recommendations
    - Evaluate and test:
      – Administrative safeguards
      – Physical safeguards
      – Technical safeguards
      – Organizational safeguards
      – Policies, Procedures and Documentation Requirements
  • 21. HIPAA: HIPAA Compliance Attestation Report and Readiness Review
    Similar to SAS70, except the opinion is on HIPAA Compliance.
    - Evaluate and reaffirm the appropriateness of the design of processes and controls with management
    - Evaluate and reaffirm management's interpretation of compliance to ensure that the defined criteria are measurable, objective and will be understood by any readers of the report
    - Test the operating effectiveness of identified controls for the testing period
    - Determine whether controls were operating effectively throughout the testing period
    - Confirm the validity of identified findings with the process owner and inform management of validated findings
    - Evaluate the significance of any instances of non-compliance with the specified criteria
    [Diagram: Criterion Definition; Observation and testing; Reporting; Management Checkpoints]
  • 22. Privacy Assessment Approach
    1. Information Collection: Identify entry points; Develop process flows; Map flows onto IT infrastructure; Leverage DLP to validate. Outcome: Gained an understanding of the environment.
    2. Identify Scope Reduction Opportunities: Reduce / modify data collection; Reduce data storage; Modify business processes. Outcome: Reduced Scope and Risk.
    3. Gap Analysis: Conducted Gap Analysis; Enhanced Privacy Framework. Outcome: Created Gap analysis document with gap prioritization.
    4. Remediation Planning & Roadmap: Recommendation with remediation projects; Develop prioritized approach. Outcome: Remediation plan.
  • 23. Payment Card Industry Data Security Standard (PCI DSS)
    The Payment Card Industry Data Security Standard (PCI-DSS) is a set of comprehensive requirements for the protection of payment card information.
    The PCI-DSS is managed by the PCI Security Standards Council (PCI-SSC) and sponsored by the major card brands.
    The PCI-DSS is applicable to any organization that stores, processes or transmits cardholder data (CHD).
    Major payment card security breaches since 2005:
    - 2005, Card Systems: 40 Million Cards, Processing Ability Revoked by Visa and MasterCard
    - 2007, TJX: At least 45.7 Million Customers Affected, Over $250 Million in costs
    - 2008, Hannaford Foods: 4.2 Million Cards, Validated Compliant at time of breach, Liability and Results Pending
    - 2009, Heartland Payment Systems: Potentially more than 100 Million cards compromised and untold amounts of resulting damages
  • 24. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS high level requirements
    The PCI DSS prescribes requirements that any business of any size must adhere to in order to accept payment cards.
  • 25. What information must be protected?
    Data Element                              Storage Permitted   Protection Required   Encryption Required
    Cardholder Data
      Primary Account Number (PAN)            Yes                 Yes                   Yes
      Cardholder Name                         Yes                 Yes                   No
      Service Code                            Yes                 Yes                   No
      Expiration Date                         Yes                 Yes                   No
    Sensitive Authentication Data
      Full Magnetic Stripe Data               No                  N/A                   N/A
      CAV2/CVC2/CVV2/CID                      No                  N/A                   N/A
      PIN/PIN Block                           No                  N/A                   N/A
  • 26. Payment Card Industry Data Security Standard (PCI DSS): Some common PCI DSS myths
    - PCI doesn't apply to us because:
      – We don't take enough credit cards, or
      – It only applies to retailers and ecommerce
    - PCI makes us store cardholder data
    - We are compliant because we:
      – Encrypt our cardholder data, or
      – Use vendor/product ABC, or
      – Outsource our credit card processing
    - PCI compliance is an IT project
    - PCI will make us secure
    - We completed our SAQ so we're compliant
  • 27. Payment Card Industry Data Security Standard (PCI DSS): Grant Thornton PCI DSS Capabilities
    Current capabilities:
    - An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSAs in our practice across two countries
    - Client base that we can reference from in the QSA space
    - Extensive PCI DSS consulting experience
    - Performing PCI DSS penetration testing and risk assessments
    - Performing PCI DSS readiness assessments for all merchant levels
  • 28. Contact information
    Danny Miller, Principal & Practice Leader, Grant Thornton LLP
    Tel: 215.376.6010 | email: Danny.Miller@us.gt.com
    Or e-mail cybersecurity@us.gt.com
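The storage rules from the slide 25 table ("What information must be protected?") turned into a small audit check, as an added example that is not Grant Thornton's or the deck's code: sensitive authentication data must never be stored, cardholder data may be stored only with protection, and a stored PAN must additionally be rendered unreadable. The field names, the rendering vocabulary, the Luhn check used to spot card numbers in free-text fields, and the sample records are all assumptions constructed for this example.

```python
import re

# Fields named in the slide's table. Sensitive authentication data (SAD) may
# never be stored; cardholder data (CHD) may be stored but must be protected,
# and the PAN must additionally be rendered unreadable. Field names and the
# rendering vocabulary are assumptions made for this example.
SAD_FIELDS = {"track_data", "cvv2", "pin_block"}  # full track, CAV2/CVC2/CVV2/CID, PIN/PIN block
CHD_FIELDS = {"pan", "cardholder_name", "service_code", "expiration_date"}
PAN_UNREADABLE = {"encrypted", "truncated", "hashed", "tokenized"}
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # candidate card-number digit runs

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit strings found in free text (a DLP-style scan)."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def audit_record(record: dict, access_controlled: bool) -> list[str]:
    """Apply the table's storage rules to one stored record and return findings.

    record maps field name -> (value, rendering); rendering is "cleartext" or one
    of PAN_UNREADABLE. access_controlled says whether the data store restricts
    access to the record, i.e. whether the required protection is in place.
    """
    findings = []
    for field, (value, rendering) in record.items():
        if field in SAD_FIELDS:
            findings.append(f"{field}: sensitive authentication data must not be stored")
        elif field == "pan" and rendering not in PAN_UNREADABLE:
            findings.append("pan: storage permitted only when rendered unreadable")
        elif field in CHD_FIELDS and not access_controlled:
            findings.append(f"{field}: cardholder data stored without required protection")
        elif field not in CHD_FIELDS and find_pans(value):
            findings.append(f"{field}: cleartext PAN found in a non-card field")
    return findings

# Constructed sample records; the card numbers are well-known test values, not real accounts.
BAD_RECORD = {
    "pan": ("4111111111111111", "cleartext"),
    "cvv2": ("123", "cleartext"),
    "expiration_date": ("12/25", "cleartext"),
    "notes": ("customer called about card 5555555555554444", "cleartext"),
}
GOOD_RECORD = {
    "pan": ("tok_8f3a21", "tokenized"),
    "cardholder_name": ("J. Doe", "cleartext"),
    "expiration_date": ("12/25", "cleartext"),
    "notes": ("order 20120401000123456 shipped", "cleartext"),
}

if __name__ == "__main__":
    for name, rec, ac in (("bad", BAD_RECORD, False), ("good", GOOD_RECORD, True)):
        print(name, audit_record(rec, ac) or "no findings")
```

The free-text scan is the piece a DLP validation step (slide 22, "Leverage DLP to validate") would run across notes and log fields, where PANs most often leak outside the intended card-data columns.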