Internal Audit’s Contribution to the Effectiveness of Information Security Management in Bakirkoy Municipality
1. INTERNAL AUDIT’S CONTRIBUTION TO THE EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT IN BAKIRKOY MUNICIPALITY
Gokhan POLAT
Head of Internal Audit in Bakirkoy Municipality/TURKEY
2. TOPICS TO BE COVERED
1. Information Security
2. Information Security Efforts in Bakirkoy Municipality
3. Internal Audit’s Contribution to the Information Security Efforts
3. The Institute of Internal Auditors of Turkey (TIDE)
• founded in 1995,
• member of IIA and ECIIA,
• carries out activities for recognition of the profession and for assuring professional development.
5. Bakirkoy Municipality
• 32 square kilometers land area
• 223.300 citizens
• consists of 24 directorates
• 2080 employees
• 2017 budget: 106.882.000 $
6. INFORMATION
• Technology has become integral to the organization’s operations and plays a key role in these actions.
7. • …information technology functions as an enabler to achieve e-government or e-business, and to avoid or reduce relevant risks.
8. ‘Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’
BS ISO 27002:2005
9. Information security is the protection of information from a wide range of threats in order to:
- ensure business continuity,
- minimize business risk,
- and maximize return on investments and business opportunities.
11. FAILURE TO SECURE INFORMATION COULD RESULT IN:
• Security breaches, both detected and undetected,
• Breach of trust with other organizations,
• Violations of legal and regulatory requirements,
• Damage to the enterprise’s reputation,
• Financial loss.
12. • An Information Security Management System (ISMS) is a systematic and structured approach to managing information and keeping it secure.
13. Information security frameworks
• ISO/IEC 27001:2013 Information Security Management System
• NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• The IIA GTAG 15: Information Security Governance (2010)
• ISACA Cybersecurity Nexus
15. Activities for INFOSEC in Bakirkoy Municipality
• ISMS,
• Sustainability Project,
• Continuous vulnerability scanning.
16. • Bakirkoy Municipality is the first public agency that gained ISO/IEC 27001:2013 certification.
• The ISO/IEC 27001:2013 certificate was gained for:
- managing operational risks,
- achieving high levels of legislative and regulatory compliance,
- and managing vulnerabilities and threats.
17. Activities conducted in the scope of ISO/IEC 27001:2013
• Determination of the information security risks.
• Designing and implementing a coherent and comprehensive suite of information security controls.
• Conducting internal audits at planned intervals (every three months).
• External audit once a year.
• Information security awareness programs for personnel.
18. SUSTAINABILITY PROJECT
• A «Sustainability Project» began in March 2017 and is currently under way.
• This project aims to have Bakirkoy Municipality produce one combined financial, environmental and governance report that illustrates how it is creating value over time.
25. 2015 Audit Universe
• 74 processes to audit
2017 Audit Universe
• 330 processes to audit
In the 2017 Audit Plan:
• Focused on IT processes
• In all audit missions, tests exist to check information security controls
26. INTERNAL AUDIT DEPARTMENT
• taking part in developing the information security strategy and policy.
• conducting training activities on the roles and responsibilities of senior management.
• preparing reports on the risks of current regulatory changes.
27. INTERNAL AUDIT DEPARTMENT
Audits in information security need:
• an integrated audit approach,
• internal auditors with updated skills.
28. SPECIAL EMPHASIS OF IT AUDITING:
• Uniform processing of transactions (systemic effect)
• A high percentage of the key internal controls relied upon by the organization are likely to be technology driven
• Absence of segregation of functions in the IT environment
• Potential for errors/frauds with no visible trace
• Necessitates increased management supervision
• Effectiveness of manual controls depends on controls over computer processing
• Transaction trails in digital form
29. INTERNAL AUDIT DEPARTMENT
Currently the ‘Management of Enterprise Information Technology Sources’ audit is continuing with the scope of:
• Database management
• User access management
• Backup management
• Business continuity planning
31. INTERNAL AUDIT DEPARTMENT
Monitoring the ISO/IEC 27001:2013 audits via:
• accompanying the auditors,
• checking audit reports,
• checking follow-ups on the action plans for nonconformities.
33. THE BOTTOM LINE
For effective information security, the following must exist:
• executive and senior management support,
• visible and consistent actions,
• employee education and awareness,
• a culture of protecting organizational value,
• independent review of security measures and performance by the internal audit function.