IT Controls Presentation

1. What you don’t know about IT Controls can cripple your business
Presented by: Bill Lisse, CISSP, GIAC PCI, GIAC HIPAA, SSCA, Security+ SME, IT Audit Manager
“Yep, son, we have met the enemy and he is us.” - Pogo, 1971

2. Why should business leaders care?
• Leading Organizations: 1 of 10 are well-positioned
• Normative Organizations: 7 out of 10 could substantially reduce financial risk
• Lagging Organizations: 2 out of 10 have the most to gain
“Only 1 of 10 firms are leveraging Information Technology (IT) compliance (Controls)… that could help mitigate financial risk from lost or stolen data.”
Source: ITpolicycompliance.com, IT Policy Compliance Group, “Why Compliance Pays: Reputations and Revenues at Risk,” July 2007

3. Leaders versus Laggards
• Leaders have the fewest business disruptions – only two or fewer disruptions annually
• Leaders have 2 or fewer data losses or thefts per year
• Laggards experience 17 disruptions or more per year
• Laggards have 22 or more data losses per year

4. Financial Risks
• An 8 percent decline in market value of publicly traded firms – some never recover
• An 8 percent loss of customers
• A temporary decline in revenue
• Additional costs for litigation, notification, restoration, cleanup and improvements, with settlements averaging $100 per record!
Source: Oxford Executive Research Briefing, “Impact of Catastrophes on Shareholder Value”
5. Average Cost: $1,662,720
This does not include potential civil litigation or class action lawsuits.
6. Prevent or Limit Losses
• Limit exposure (proactive versus reactive)
  - Due diligence – “reasonable assurance”
  - Cannot rely on laws to protect or limit liability
    o Sophisticated hackers may be beyond the reach of the law

7. Prevent or Limit Losses
• In 2004, the Department of Justice estimated 3% of all U.S. households experienced some form of identity theft – the number is accelerating
  - 3.6 Million People
  - Average $1,290.00 per household
  - Conservative annualized loss estimate was $6.4 Billion
  - Occurs every 79 seconds in America!

8. Protecting your hard earned reputation
“Avoid the wrong type of branding”
• Your corporate reputation is at stake – backlash can be severe
• Making headlines
  - TJMaxx
  - Choicepoint

9. Protecting your hard earned reputation
“Avoid the wrong type of branding”
• Once you make the list, you are here forever....
  - http://www.sec.gov/litigation
  - http://www.ftc.gov/os/caselist/index.shtm
  - http://www.privacyrights.org/
10. The Evolving Landscape
• Fair and Accurate Credit Transactions Act (FACTA) - June 1, 2005
  - Any employer whose action or inaction results in the loss of employee information can be fined by federal and state government, and sued in civil court
• Additional fines may apply for non-compliance with contracts and regulations or statutes

11. The Evolving Landscape
• Compliance Regulations
  - Gramm-Leach-Bliley Act
  - Critical Infrastructure Protection
  - Payment Card Industry Data Security Standard (PCI DSS)
  - International Organization for Standardization (ISO) 27001/27002

12. The Evolving Landscape
• Compliance Regulations
  - Sarbanes-Oxley Act (§404)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - ANSI X9 (automated teller machine / financial services standards)
  - AICPA Statement on Auditing Standards
  - What’s next…

13. Threats are Asymmetric
• Internal threats are accidental and intentional. Insiders are responsible for…
  - 32% of electronic crimes [1]
    o A CFO embezzled $96,000 by fixing an electronic payment system to pay his monthly credit card bill
  - 70% of identity theft [2]
    o A Fidelity database administrator stole and sold bank and credit card data for 8.5 million customers
[1] Software Engineering Institute Computer Emergency Response Team and U.S. Secret Service Study, http://www.cert.org/insider_threat/
[2] FDIC and Michigan State Study, http://www.fdic.gov/consumers/consumer/idtheftstudysupp/toc.html

14. Threats are Asymmetric
• Natural disasters - Katrina, etc...
• External threats are becoming more sophisticated
  - Multi-echelon and multi-vector
  - Specialization
    o Bot herders
    o Phishers
    o Carders
    o Spammers
15. Harvesting data is good business… if you’re a criminal
The Black Market…
  - $980-$4,900 - Trojan program to steal online account information
  - $490 - Credit card number with PIN
  - $78-$294 - Billing data, including account number, address, Social Security number, home address, and birth date
  - $147 - Driver's license
  - $147 - Birth certificate
  - $98 - Social Security card
  - $6-$24 - Credit card number with security code and expiration date
  - $6 - PayPal account logon and password
Source: Trend Micro, “How Does The Hacker Economy Work?”

16. Common Myths
• End-Point Security is effective
• Hackers are pizza-faced 13 year old script-kiddies
• Hackers can’t get from my web site to our internal network

17. Common Myths
• Morale will be hurt if I make control changes – employees will think we don’t trust them
• Outsourcing will transfer my risk
• IT controls will impede business efficiency

18. Top 10 Gaps
1. No or few effective controls (policies and procedures)
2. Reliance on manual detective controls
3. Reliance on end-point security (firewalls)
4. No Data Classification - Trusted Insiders
5. No separation of duties
6. Enforce password rules (strong passwords)
7. No periodic review of user accesses
8. Not monitoring threats (phishing and social engineering)
9. Insufficient wireless network protection
10. Insufficient System Auditing

19. Prescription (Best practices)
1. Implement appropriate IT control objectives and controls
2. Consolidate control objectives
3. Monitor, measure, and report controls against objectives on a regular schedule
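Three of the gaps on slide 18 (no separation of duties, no periodic review of user access, unenforced password rules) and the prescription on slide 19 (monitor, measure and report controls against objectives on a regular schedule) lend themselves to a scheduled, automated check. The Python script below is an added example, not part of the original deck: the access inventory, entitlement names, conflict pairs and policy thresholds are constructed for illustration and stand in for an export from your own identity or ERP system. The payee/payment conflict pair mirrors the CFO case on slide 13, where one person could both set up a payee and approve the payment.

```python
"""Added example: one scheduled run of IT control checks over a constructed
access inventory. Not part of the original presentation; every record,
entitlement name and threshold here is invented for illustration."""
from datetime import date

# Constructed access inventory, one row per user, shaped like an IAM export.
ACCESS_RECORDS = [
    {"user": "cfo",     "entitlements": {"approve_payment", "create_payee"},
     "last_reviewed": date(2007, 1, 15),  "password_length": 14},
    {"user": "apclerk", "entitlements": {"create_payee"},
     "last_reviewed": date(2007, 6, 1),   "password_length": 6},
    {"user": "dba",     "entitlements": {"db_admin", "export_customer_data"},
     "last_reviewed": date(2006, 11, 30), "password_length": 16},
    {"user": "auditor", "entitlements": {"read_audit_log"},
     "last_reviewed": date(2007, 7, 1),   "password_length": 12},
]

# Hypothetical separation-of-duties matrix: entitlement pairs one person must
# never hold together, each with the reason an auditor would cite.
SOD_CONFLICTS = [
    ({"create_payee", "approve_payment"}, "can set up and pay a payee alone"),
    ({"db_admin", "export_customer_data"}, "can bulk-export data without a second party"),
]

# Hypothetical control objectives the checks are measured against.
POLICY = {"min_password_length": 8, "review_interval_days": 90}
AS_OF = date(2007, 7, 31)  # date of this scheduled run


def sod_violations(records, conflicts=SOD_CONFLICTS):
    """(user, reason) for every user holding a whole conflicting pair."""
    return [(r["user"], why) for r in records
            for pair, why in conflicts if pair <= r["entitlements"]]


def stale_reviews(records, as_of, max_age_days):
    """Users whose access was not re-certified within max_age_days of as_of."""
    return [r["user"] for r in records
            if (as_of - r["last_reviewed"]).days > max_age_days]


def weak_passwords(records, min_length):
    """Users whose current password is shorter than the policy minimum."""
    return [r["user"] for r in records if r["password_length"] < min_length]


def run_control_checks(records, policy, as_of):
    """Measure each control against its objective and return a report dict.
    'passed' is True only when every control has zero findings."""
    findings = {
        "separation_of_duties": sod_violations(records),
        "access_review_overdue": stale_reviews(records, as_of, policy["review_interval_days"]),
        "password_rule": weak_passwords(records, policy["min_password_length"]),
    }
    findings["passed"] = all(len(v) == 0 for v in findings.values())
    return findings


if __name__ == "__main__":
    report = run_control_checks(ACCESS_RECORDS, POLICY, AS_OF)
    for control, result in report.items():
        print(f"{control}: {result}")
```

Run it from cron or a scheduler and diff successive reports: a control that was clean last month and has findings this month is exactly the "monitor, measure and report" signal the prescription asks for, and the SoD matrix is the place to encode the lessons of incidents like the CFO case rather than relying on manual detective controls after the fact.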
20. Conclusion
• It seems that companies aren’t learning anything from the front-page mistakes of competitors - We are our own worst enemy
• IT control is not just about compliance, it is a useful tool for ensuring the efficient use of organizational resources to meet business objectives and to prevent fraud
• Like any resource, IT requires a clear linkage between business needs and requirements

21. Bill Lisse, IT Audit Manager
Phone: (937) 853-1490
Email: wlisse@battellecpas.com
