Nfp Seminar Series Danny November 18 Emerging Technology Challenges And Solutions For Internal Audit Final2
Seminar on emerging technology, focusing on cloud technology.
  1. Emerging Technology Challenges and Solutions for Internal Audit and Compliance: A Focus on Cloud Computing and Mobile Platforms. Grant Thornton Breakfast Seminar Series, The Union League, Philadelphia, PA, November 2011. Presented by Danny Miller, CGEIT, CISA, ITIL, CRISC, QSA; Principal, Business Advisory Services; National Solutions Lead, Cyber Security & Privacy. © Grant Thornton. All rights reserved.
  2. Topics
     • Emerging Technology
       – Cloud computing
       – Mobile computing
       – Cybersecurity trends
     • Potential IA Complexities
     • Risks and Mitigating Risk (strategies)
     • What's Next?
  3. Emerging Technology Trends
     • Spending on public IT cloud services will grow at more than five times the rate of the IT industry in 2011-2012.
     • Enterprise IT planners are beginning to include cloud-computing expertise in some of their job searches, to be prepared for short-term and mid-term projects.
     • Hosted private clouds will outnumber internal clouds 3:1, but service providers have been only incrementally ready.
     • Cloud management and monitoring will fuel enterprise cloud adoption.
     • 32% of CIOs expect virtualization to be their top investment in 2011.
  4. Cloud computing overview: Grant Thornton's CAE Survey
     • More than 300 CAEs surveyed responded that:
       – 77% are at least somewhat familiar with cloud computing
       – 69% use cloud computing; 45% expect its use to increase and 55% expect it to stay the same over the next 12 months
     • When asked to describe their view of the security, governance, risk and control implications of moving to a cloud environment, 43% responded "I haven't really given it much thought."
     • 64% of respondents do not include cloud computing in their audit plan.
  5. Cloud computing overview: Global Public Cloud Market Size [chart]
  6. Emerging Technology
     • Cloud computing
       – SaaS, PaaS, IaaS, DaaS
     • Mobile computing
       – Mobile platforms that are blurring the line between a hand-held device and complex computing
     • Risks and Strategies for Cloud Computing
     • Cybersecurity trends
  7. Emerging Technology Platforms (cont.)
     Types of Clouds:
     • Public – Shared computer resources provided by an off-site third-party provider
     • Private – Dedicated computer resources provided by an off-site third party, or use of Cloud technologies on a private internal network
     • Hybrid – Consisting of multiple public and private Clouds
     Models of Cloud:
     • Software as a Service (SaaS) – Software applications delivered over the Internet
     • Platform as a Service (PaaS) – Full or partial operating system/development environment delivered over the Internet
     • Infrastructure as a Service (IaaS) – Computer infrastructure delivered over the Internet
     • Desktop as a Service (DaaS) – Virtualization of desktop systems serving thin clients, delivered over the Internet or a private Cloud
  8. Emerging Technology Platforms (cont.) [diagram: Public Cloud vs. Private Cloud]
  9. Emerging Technology Platforms (cont.)
     • Mobile computing is:
       – Wireless
       – Built on tablet platforms and smartphones
       – Internet-based
       – Communicating via 3G/4G and WiFi
       – Running scaled applications
  10. Potential New IA Complexity: Cloud computing
      – Availability & performance
      – Business continuity
      – Cybersecurity
      – Data encryption
      – Privacy (especially in Healthcare & Life Sciences)
  11. Potential New IA Complexity (cont.): Cloud computing (cont.)
      – Compliance
        • FISMA
        • HIPAA
        • SOX
        • PCI DSS (card payments)
        • EU Data Protection Directive, et al.
  12. Potential New IA Complexity (cont.): Mobile computing
      – Security (physical and virtual)
      – Data ownership
      – Service interruption and recovery
      – Data archiving
      – Availability
  13. Potential New IA Complexity (cont.): Mobile computing
      – WiFi/3G/4G security
      – Surveillance and access control
      – Availability
      – Data ownership and recovery
      – Auditability
      – Bluetooth "hijacking"
      – AIDC (automatic identification and data capture, e.g., barcode and RFID readers)
  14. Risks and audit strategies for the Cloud: Six risk areas
      • Security
      • Multi-tenancy
      • Data location
      • Reliability
      • Sustainability
      • Scalability
  15. Risks and audit strategies: 1. Security – risks
      • The cloud provider's security policies are not as strong as the organization's data security requirements (mis-alignment)
      • Cloud systems (servers, other devices) that store organization data are not updated or patched when necessary (vulnerability)
      • Security vulnerability assessments or penetration tests are not performed on a regular basis to confirm that logical and physical security controls are in place
      • The physical location of company data is not properly secured
  16. Risks and audit strategies: 1. Security – audit strategy
      • Determine whether the cloud provider meets or exceeds the organization's security requirements
      • Determine whether the cloud provider's security posture is based on a recognized standard (e.g., ISO 27001, Cloud Security Alliance guidance, PCI DSS)
      • Determine whether the cloud provider has an independent security assessment performed
      • For your own organization, have a baseline security assessment done
      • Determine whether the cloud provider's Service Organization Report (e.g., SSAE 16, SOC reports) addresses the specific security controls you rely on
  17. Risks and audit strategies: 2. Multi-tenancy – risks
      • Organization data is not appropriately segregated on shared hardware, resulting in company data being inappropriately accessed by third parties
      • The cloud service provider has not deployed appropriate levels of encryption to segregate data both at rest and in transit
      • The cloud service provider cannot determine the specific location of the organization's data on its systems
      • Organization data resides on shared server space, which might conflict with the organization's regulatory compliance requirements
  18. Risks and audit strategies: 2. Multi-tenancy – audit strategy
      • Inquire about the cloud service provider's method for preventing the company's data from being accessed by other customers/third parties
      • Review the cloud service provider's SLA to determine whether it addresses security of the organization's data
      • Review independent audit report(s) on the cloud provider's security posture (e.g., security settings, data encryption methods) and/or exercise the organization's "right-to-audit" clause
      • Gain access to the cloud system(s) and perform limited audit procedures from the company's location
  19. Risks and audit strategies: 3. Data location – risks
      • The organization is not aware of all of the cloud service provider's physical location(s)
      • The organization does not know where its data is physically or virtually stored; sensitive data may be stored outside the country, violating certain laws and regulations
      • The cloud service provider moves organization data to another location without informing the organization or gaining its consent
      • Organization data is stored in international locations and falls under foreign business or national laws/regulations (EU Data Protection Directive 95/46/EC, Massachusetts data privacy regulation 201 CMR 17.00, state breach notification laws, and additional U.S. federal legislation that has been proposed)
  20. Risks and audit strategies: 3. Data location – audit strategy
      • Inquire of the cloud provider the specific physical and virtual location of the organization's data
      • Work with the organization's legal group to fully understand the impact and potential risks of the organization's data residing in a foreign country
      • Ensure regulatory compliance is maintained if data resides in multiple locations
  21. Risks and audit strategies: 4. Reliability – risks
      • The cloud service provider has quality-of-service standards that conflict with business requirements (do you have an SLA/OLA?)
      • During peak system activity, the cloud service provider experiences performance issues that result in the following:
        - Organization employees cannot access the organization's data when needed
        - Customers are unable to use the organization's systems (such as placing an order on the organization's web site) because of performance problems at the cloud provider
  22. Risks and audit strategies: 4. Reliability – audit strategy
      • Inquire of the cloud service provider which controls are in place to ensure the reliability of the cloud solution
      • Obtain the SLA/contract from the cloud service provider that details the specific reliability commitment to the organization, and compare it with actual performance
      • Determine when the cloud provider performs system upgrades and/or patches, so that data availability during peak business hours is not affected
      • Review the organization's business continuity plan and determine whether it addresses interruptions of the cloud systems used by the company
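The "compare the SLA with actual performance" and "check upgrade windows against peak hours" steps above are easy to state and easy to get wrong in practice, because many contracts exclude announced maintenance from the downtime figure. The following script is an added example (not part of the original slides) showing how an auditor might compute both versions of availability from a provider's incident records and flag maintenance that lands in business hours. The record format, the SLA target and the outage log are all constructed for illustration.

```python
"""Compare a cloud provider's contracted availability (SLA) with observed
outage records, and flag maintenance windows that overlap peak business hours.

Added example for the reliability audit strategy; the log format, SLA figure
and records below are constructed, not taken from any provider.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class Interval:
    start: datetime
    end: datetime
    kind: str          # "outage" or "maintenance"
    note: str = ""


# Constructed sample: "<start> <end> <kind> <free-text note>", one per line,
# as an auditor might assemble from the provider's incident reports.
SAMPLE_LOG = """\
2011-10-03T02:00:00 2011-10-03T03:30:00 maintenance quarterly-patching
2011-10-11T14:12:00 2011-10-11T15:47:00 outage storage-backend
2011-10-18T09:00:00 2011-10-18T10:00:00 maintenance emergency-patch
2011-10-25T23:50:00 2011-10-26T00:20:00 outage network
"""


def parse_log(text: str) -> list[Interval]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, kind, *note = line.split()
        records.append(Interval(datetime.fromisoformat(start),
                                datetime.fromisoformat(end),
                                kind, " ".join(note)))
    return records


def availability(records: list[Interval], period_start: datetime,
                 period_end: datetime, count_maintenance: bool) -> float:
    """Fraction of the period the service was up. Downtime is clipped to the
    period; maintenance counts as downtime only when count_maintenance is set,
    so the caller can compute the figure both ways and compare with the SLA text."""
    down = timedelta()
    for r in records:
        if r.kind == "outage" or (count_maintenance and r.kind == "maintenance"):
            s, e = max(r.start, period_start), min(r.end, period_end)
            if e > s:
                down += e - s
    return 1 - down / (period_end - period_start)


def maintenance_in_peak(records: list[Interval], peak_start: time,
                        peak_end: time) -> list[Interval]:
    """Maintenance windows that overlap the organization's peak business hours
    (peak hours are assumed to lie within a single calendar day)."""
    hits = []
    for r in records:
        if r.kind != "maintenance":
            continue
        day = r.start.date()
        while day <= r.end.date():          # a window may span midnight
            ps, pe = datetime.combine(day, peak_start), datetime.combine(day, peak_end)
            if r.start < pe and r.end > ps:
                hits.append(r)
                break
            day += timedelta(days=1)
    return hits


def sla_report(records: list[Interval], period_start: datetime, period_end: datetime,
               sla_target: float, peak_start: time, peak_end: time) -> dict:
    excl = availability(records, period_start, period_end, count_maintenance=False)
    incl = availability(records, period_start, period_end, count_maintenance=True)
    return {
        "availability_excluding_maintenance": excl,
        "availability_including_maintenance": incl,
        "meets_sla_excluding_maintenance": excl >= sla_target,
        "meets_sla_including_maintenance": incl >= sla_target,
        "peak_hour_maintenance": [r.note for r in maintenance_in_peak(records, peak_start, peak_end)],
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Hypothetical 99.5% monthly SLA; peak business hours 08:00-18:00.
    report = sla_report(recs, datetime(2011, 10, 1), datetime(2011, 11, 1),
                        0.995, time(8, 0), time(18, 0))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed records the provider meets a 99.5% target if maintenance is excluded and misses it if maintenance is counted, which is exactly the contractual wording the auditor needs to pin down; the emergency patch on 18 October is also flagged as falling inside business hours.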
  23. Risks and audit strategies: 5. Sustainability – risks
      • If the cloud service provider goes out of business, the organization might not be able to retrieve its data; in addition, another third party might gain access to or control of the organization's data
      • The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
      • The organization's business continuity plan does not address the cloud service offering being unavailable
      • Organization data is compromised as a result of a disaster
  24. Risks and audit strategies: 5. Sustainability – audit strategy
      • Inquire of the cloud service provider whether it has adequate controls in place to recover and protect the organization's data even in the event of a disaster
      • Review the organization's business continuity plan and determine whether it addresses interruptions of the cloud solution
      • Inquire of the cloud service provider how the organization would gain access to its data if the provider goes out of business
  25. Risks and audit strategies: 6. Scalability – risks
      • The cloud service provider's systems cannot scale to meet the organization's anticipated growth, whether a short-term spike or a long-term strategy
      • If the organization decides to migrate all or part of its systems and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data
  26. Risks and audit strategies: 6. Scalability – audit strategy
      • Determine whether the cloud provider's systems can scale to meet the organization's expected short-term spikes and/or growth over the next five years
      • Determine whether the organization has a contingency plan in case the cloud provider's systems cannot scale to meet its needs
      • Determine who is the "owner" of the organization's data
      • Determine whether the cloud provider would allow the organization to move data back in-house and/or to another provider, and the specific procedures and associated costs of doing so
  27. Cybersecurity Trends (What's Next?)
      • Distributed computing (the Cloud)
      • Cybersecurity & Privacy focus
      • Virtualization
      • Advanced IA tools
        – Analytics
        – Provenance engines
        – Enhanced hardware firewalls
        – Advanced encryption technology
        – New data segregation and security standards
        – Secure digital communications
      • Standards such as ITIL, COBIT and PCI DSS are integrating and are now complementary
  28. Questions?
  29. Emerging Technology Challenges for Internal Audit and Compliance. Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA; National Solutions Lead – Cybersecurity; Regional Solutions Lead – Business Consulting; Principal, Grant Thornton LLP. Danny.Miller@us.gt.com, http://grantthornton.com/