How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
Reviewing cases ranging in size from your neighborhood bar to the massive TJX case, an ex-QIRA will discuss the dirty inside secrets of the card associations and QSAs. Drawing on lessons learned from dozens of past forensic cases, this presentation will highlight how to prepare for a PCI-mandated forensics investigation, including: what steps should be taken to limit fines and fees, how to ensure you have proper legal representation, how to limit the scope of the investigation, and what questions to ask before deciding who will conduct the forensic investigation.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
Support material: A massive rethinking of security. Universidad Cenfotec
Support material for the presentation: A massive rethinking of security.
Best practices for securing identities
Talk by Centrify, given by Ing. Alvaro Ucrós at a breakfast organized by UCenfotec
Cyber Loss Model for the cost of a data breach.Thomas Lee
Cyber Loss Model is a rigorous statistical model based upon historical industry data, which predicts the cost of a data breach.
This valuable model can help demonstrate cyber insurance adequacy, or a no-insurance stance, for CCAR/DFAST idiosyncratic scenarios. Some banks are using this model to demonstrate a stronger culture of risk management for tier 1 capital. This model could also serve as a strong Challenger Model to a bank's Champion Model, or as a Champion Model if the bank has no method for assessing the cost of a data breach. This model complies with SR 11-7 and can pass model validation.
Cloud Computing - Emerging Opportunities in the CA ProfessionBharath Rao
In the present era, everything runs in the cloud. The development of cloud computing technology has led to a sharp decrease in capital expenditure for industries. It has also made their solutions available everywhere and on any device.
This article provides functional knowledge as to how a Chartered Accountant may add value in developing internal controls that protect the Confidentiality, Integrity, Availability and Privacy of the data being used in the cloud.
Quick Response Fraud Detection using Data Analytics: Hitting the Ground Runni...FraudBusters
Webinar series from FraudResourceNet LLC on Preventing and Detecting Fraud Using Data Analytics. Recordings of these Webinars are available for purchase from our Website
This Webinar focused on fraud detection using data analytic software (Excel, ACL, IDEA)
FraudResourceNet (FRN) is the only searchable portal of practical, expert fraud prevention, detection and audit information on the Web.
FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet ® LLC and White-Collar Crime 101 LLC/FraudAware.
The two entities designed FRN as the "go-to", easy-to-use source of "how-to" fraud prevention, detection, audit and investigation templates, guidelines, policies, training programs (recorded without CPE and live with CPE) and articles from leading subject matter experts.
FRN is a continuously expanding and improving resource, offering auditors, fraud examiners, controllers, investigators and accountants a content-rich source of cutting-edge anti-fraud tools and techniques they will want to refer to again and again.
We all know that Target-like breaches aren't completely preventable. But does that mean we're doomed and powerless? Not even close. A decisive response effort can dramatically reduce the impact of a breach, potentially stopping attacks in their tracks before sensitive data is lost.
This webinar will show you how. Using the Target breach as a case study, it will demonstrate how timely detection and threat intelligence integrated with incident response management could have stopped the attack cold.
Our featured speakers for this webinar will be:
- Tim Armstrong, Security Incident Response Specialist, Co3 Systems
- Colin Henderson, Principal Consultant Security Intelligence & Operations, HP, Enterprise Security Products
Discussion of information Security risks in current business and technology environments.
presented to ISSA Ireland conference attendees in Dublin on 12 May 2011.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Security B-Sides
Just as there are two sides to every coin, there are two schools of thought in risk management. One camp believes that there is never enough data to make statistically significant risk decisions, due to the unknown unknowns and never really knowing the entire population of data breaches. Another camp believes that we have well-detailed information about specific domains and that, using Bayesian math, we can reach conclusions on how to manage risk. Regardless of which camp you belong to or believe in, the fact is that we all manage risk. This session will discuss the two camps and propose a hybrid model that goes beyond technical details into the core of trusted knowledge relationships.
CISSPills are short presentations covering topics to study in order to prepare for the CISSP exam. CISSPills is a digest of my notes; it is not meant to replace a study book, only to be another companion for self-paced students.
Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains that compose the CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Security and Audit Frameworks and Methodologies
- COSO
- CobiT
- Frameworks Relationship
- ITIL
- ISO/IEC 27000 Series
2010 06 gartner avoiding audit fatigue in nine steps 1dGene Kim
Avoiding Audit Fatigue: Achieving Compliance In A Multi-compliance World In Nine Steps
Gartner Security/Risk Management Conference
July 2010
It's common for information security managers to be held responsible for failed audits where they had little control or influence in the rest of the organization. This presentation provides nine steps that information security managers can use to break the compliance blame cycle and build an information security program that more effectively mitigates security risk. By successfully executing these steps, the information security manager will no longer continually react to and manage the audit preparation crisis du jour. Instead, the information security manager will institute and rely upon regular, defined activities to complete the heavy lifting of preparing for a successful audit long before the audit occurs.
This session also describes how IT security managers can achieve alignment among all stakeholders so that information security and compliance activities become integrated into daily business operations.
Completing the nine steps in this presentation requires business stakeholders, IT management, and information security management to all mutually support the same goal. This session describes how to gain this alignment and defines the various compliance roles so that information security and compliance activities become integrated into daily
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
Lecture material for the Control and Auditing Information System course at UIN Suska Riau.
About the fundamentals and theory of control and audit. These slides cover theory only and are not specific, because they were just an assignment from the teacher in class.
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
Businesses involved in mergers and acquisitions must exercise due diligence in ensuring that the technology environment of the future organization is robust and adequately protects their information assets and intellectual property. Such an effort requires time and open sharing to understand the physical locations, computing environment, and any gaps to address. Lack of information sharing can lead to problematic systems integration and hamper the building of a cohesive enterprise security posture for the merged organization.
Often the urgency of companies undergoing a merger and acquisition (M&A) impedes comprehensive due diligence, especially in cybersecurity. This creates greater challenges for the cybersecurity engineering architect, who typically leads the cybersecurity assessment effort and creates the roadmap for the new enterprise security solution for the future organization. However, the business interest and urgency in completing the merger can also represent an opportunity for CISOs to leverage additional resources and executive attention on strategic security matters.
In this project, you will create a report on system security issues during an M&A. The details of your report, which will also include an executive briefing and summary, can be found in the final step of the project.
There are nine steps to the project. The project as a whole should take two weeks to complete. Begin with the workplace scenario and then continue to Step 1.
Deliverable
Cybersecurity for a Successful Acquisition, Slides to Support Executive Briefing
Step 1: Conduct a Policy Gap Analysis
As you begin Step 1 of your system security report on cybersecurity for mergers and acquisitions, keep in mind that the networks of companies going through an M&A can be subject to cyberattack. As you work through this step and the others, keep these questions in mind:
Are companies going through an M&A prone to more attacks or more focused attacks?
If so, what is the appropriate course of action?
Should the M&A activities be kept confidential?
Now, look at the existing security policies in regard to the acquisition of the media streaming company. You have to explain to the executives that before any systems are integrated, their security policies will need to be reviewed.
Conduct a policy gap analysis to ensure the target company's security policies follow relevant industry standards as well as local, state, and national laws and regulations. In other words, you need to make sure the new company will not inherit any statutory or regulatory noncompliance from either of the two original companies. This step would also identify what, if any, laws and regulations the target company is subject to. If those are different from the laws and regulations the acquiring company is subject to, then this document should answer the following questions:
How would you identify the differences?
How would you learn about the relevant laws and regulations?
How would .
Iiaic08 power point cs2-3_track_regulatory session v3Gene Kim
GAIT-R framework, extending beyond SOX-404 to any COSO objective
Presented by Jay Taylor and Ed Hill at 2008 Institute of Internal Auditors Internal Conference
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxjeffsrosalyn
Running Head: ZIFFCORP AUDIT PROPOSAL 1
ZiffCorp Audit IT Security Audit Proposal
Brian A. McDougall
Central Washington University
Author Note:
Final Paper – IT 677 – Summer 2018
Table of Contents
- Title Page ... 1
- Table of Contents ... 2
- Audit Proposal ... 3
- Entity-Level Controls ... 4
- Data Center ... 8
- Database ... 11
- Web Server ... 13
- Cloud ... 14
- Disaster Preparedness Plan ... 15
- References ... 16
Audit Proposal
July 26, 2018
Artie Ziff, CEO
ZiffCorp
1066 3rd St
Springfield, VA 22150
Dear Mr. Ziff:
Thank you for the opportunity to present my proposal to perform an informal audit of certain critical IT security policies and controls at ZiffCorp. Because of recent changes in privacy regulations, GDPR in particular, I feel it expedient to review certain controls in preparation for a formal audit that will verify ZiffCorp's compliance to GDPR across the organization. This audit is essential to maintaining quality operations and further help in mitigating organizational risk, which can easily end up in dollars lost (Collins, 2017).
Let me stress that this will be an informal audit to be performed in order to assess our security footing in certain areas of the company's IT infrastructure. Our auditors will review security controls and issue recommendations for.
Read the article Security Controls that Work by Dwayne Melancon .pdfsales113
Read the article "Security Controls that Work" by Dwayne Melancon in the 2007 Issue, Volume 4 of the Information Systems Control Journal (available at http://www.isaca.org/Journal/Past-Issues/2007/Volume-4/Pages/Security-Controls-That-Work1.aspx). Write a report that answers the following questions:
1. What are the differences between high-performing organizations and medium- and low-performing organizations in terms of normal operating performance? Detection of security breaches? Percentage of budget devoted to IT?
2. Which controls were used by almost all high-performing organizations, but were not used by any low- or medium-performers?
3. What three things do high-performing organizations never do?
4. What metrics can an IT auditor use to assess how an organization is performing in terms of change controls and change management? Why are those metrics particularly useful?
Read the article Security Controls that Work by Dwayne Melancon.pdfsales113
Read the article "Security Controls that Work" by Dwayne Melancon below and write a report that answers the following questions.
4. What metrics can an IT auditor use to assess how an organization is performing in terms of change controls and change management? Why are those metrics particularly useful?
Security Controls That Work, by Dwayne Melançon, CISA
Ask the average IT or security manager what measures his/her organization takes to secure its networks, systems, applications and data, and the answer will most likely involve a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies. All of these measures make sense at first glance, yet the deluge of intrusions, data thefts, worms and other attacks continues unabated, with organizations losing productivity, revenue and customers every year. There are many reasons for this gap in controls and effectiveness. Access controls can be taken only so far before they run into legitimate resistance from employees who find their productivity hampered by the very controls designed to protect it. Traditional perimeter protection and access control are not as effective at blocking attacks from inside organizations as they are at blocking external hackers, which says a lot, since the latter manage to breach thousands of company networks every year. And, as the number and frequency of zero-day attacks continue to grow, the effectiveness of patch management and traditional signature-based intrusion detection, antivirus and antispyware solutions is increasingly in doubt.
All of this begs a host of questions: How is it possible to determine whether an organization's security controls actually work? Of all the hundreds of practices and objectives within Control Objectives for Information and related Technology (COBIT), IT Infrastructure Library (ITIL) and the other frameworks an organization may implement, which ones are truly the most effective at helping the organization block and respond to attacks, and which ones merely sound good but do not accomplish all that much in practice? Why are some organizations vastly better than others at preventing and responding to attacks? On which controls should auditors focus to verify that the infrastructure is genuinely protected? Come budget approval time, where should the company concentrate its security money, and how can it be demonstrated to senior management that those proposed investments will actually do the job? These are the types of questions the IT Process Institute (ITPI) set out to answer when it was founded in 2000. One of the results of ITPI's work, the "IT Controls Performance Benchmark Study," proves with empirical evidence that not only are some organizations vastly better than the rest of the pack at preventing and responding to attacks, but also that the difference between these.
Social Penetration - Mike Murray and Mike BaileySecurity B-Sides
Advanced exploitation on social networks. Not a social engineering talk, nor a talk about technological exploitation: the combination of exploits against people and technology all in one place.
Risk Management - Time to blow it up and start over? - Alex HuttonSecurity B-Sides
Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC), guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach.
In the beginning, people inherently distrusted the Internet, however, Social Networking has changed this. People now enter information without even thinking of how it will affect them. This presentation will explain the shift in trust, with real-life examples, and what we as the security community need to do to change.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
The following lecture will cover very advanced techniques and tradecraft of subversive multi-vector threats (SMTs) and advanced persistent threats (APTs) by two of the world's leading experts in this specific field. It is important to understand that APTs have a long history and, though typically not talked about unless you are dealing with governments, the Defense Industrial Base (DIB), research organizations or global financials, they are all too real. The techniques and tradecraft associated with them are so mature and diverse that they literally go undetected. Today's Internet is far more complex, dynamic and diverse than ever before. Because of this fast-paced evolution within the threat landscape, these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, CA) have swiftly become mainstream. The telemetry of the attack surface knows no bounds and includes any medium necessary for completing their operational charter and missions. In most instances, these attacks are sponsored by nation-state and sub-national entities, either politically or economically motivated. During our discussion, we will address the history and psychology of these cyber actors as it relates to APTs, while advancing into an in-depth discussion of SMTs, crypto-virology, asymmetric forms of information gathering, recent use cases and next-generation countermeasures for detecting and defending against these types of attacks. Lastly, as we predicted last fall the rise of APTs into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Security B-Sides
Scoring methods are highly reliant on mathematics but what do the numbers really mean? W3C semantic standards allow us to create a more direct meaning-based model. Through set theory and description logics, we can compute classification and ranking through ontological-based reasoning. This method finally addresses the multiple viewpoints and perspectives often found within a large enterprise.
1. Mobilizing The PCI Resistance: Lessons Learned From Previous Wars (SOX-404)
Gene Kim, CISA, CTO, Tripwire, @realgenekim, http://www.realgenekim.me, #BSidesLV 2010
3. Problem Definition
- Success of any PCI DSS compliance initiative is very dependent on accurate definition and scoping of the Cardholder Data Environment.
- There is a wide variance in practice, experience and guidance in the merchant and QSA community.
- These contribute to scoping errors that result in:
  - Overly narrow scope that jeopardizes cardholder data
  - Overly broad scope that adds unnecessary cost and effort for compliance
  - Decreased confidence in and frustration with the PCI DSS standard
4. What This Really Means
- Incredible amount of discontent and growing disenchantment with PCI DSS
- Complaints that the DSS is too specific or too vague
- Like Michelle Klinger, I have a love/hate relationship with PCI DSS
- The reach of PCI DSS is awesomely breathtaking, and is relevant to all PII
- But in the worst case, it's a total waste of time, at enormous cost to the organization
5. Agenda
- Describe the problems around SOX-404
- What we did about it at the Institute of Internal Auditors: the GAIT concepts, politics, tools and outcomes
- Show how we can use this as a model to change the state of the practice around PCI DSS
- Share with you the best formulation of the plan I have
- Get your help improving the plan
- And ideally...
  - Share my biggest a-ha moments from the GAIT experience
  - Excite you enough to do something about it
  - Tell you some interesting stories
7. The Problem The IT portions of SOX-404 compliance has frustrated auditors and management Significant key controls reside inside IT and IT processes as well as in the business processes No well-established guidance for scoping IT work results in inconsistency and the process being overly subjective Sometimes result in overly broad scope and excessive testing costs Significant risks to financial assertions may be left unaddressed Suboptimal use of scarce resources
8. Why Is There A Problem?
No clear guidance exists to define how IT processes and activities can invalidate financial application processing or financial assertions
COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environment is ambiguous
COBIT doesn’t provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., COSO objective for internal control over financial reporting)
Something else is needed…
10. Vision: Create Equivalence to Nine Firm Document on IT Control Exceptions
GAIT takes the approach used in the nine firm document. GAIT represents the upfront scoping exercise to appropriately identify the IT controls work relevant to overall internal controls objectives
Chart 3: Evaluating Information Technology General Control (ITGC) Deficiencies, “A Framework for Evaluating Control Exceptions and Deficiencies” (December 20, 2004)
11. What were/are people worried about?
Holy cow!!! Enron wasn’t caused by a DBA. So, why are the auditors digging here?? --gk
IT controls dominate the deficiencies, significant deficiencies, and material weaknesses identified through the S-O 404 assessment. The estimated percentage of deficiencies identified show IT controls accounting for the most (34 percent), followed distantly by revenue (13 percent), procure to pay (10 percent), and fixed assets (10 percent). The estimated percentage of significant deficiencies identified again shows IT controls leading the way (23 percent), followed by financial reporting and close (14 percent), procure to pay (13 percent), and revenue (12 percent). The estimated percentages of material weaknesses identified include IT controls (27 percent), revenue (18 percent), taxes (11 percent), and financial reporting and close (10 percent).
It is important to note that the results presented here are based on self-reporting by the companies that participated in the survey. Conclusions may be affected by the differing methods companies use to report on various elements of Sarbanes-Oxley compliance.
20. Thought Experiment: Auditors vs. Management
We can agree that there are two extremes in the spectrum of financial reporting risk:
eBay auction settlement business process
Grain elevators
Extremes are easy… Middle is hard…
21. PCI Scoping Exercises (Show Your Work!)
Question 1: Is the Cardholder Data Environment (CDE) equivalent to the PCI Scope of Assessment?
Question 2: Is a domain controller (e.g., Windows Active Directory server) that is being relied upon by CDE applications for authentication and security services in the PCI Scope Of Assessment?
Question 3: How about a domain controller (e.g., Windows Active Directory server) that is not relied upon by any CDE applications?
Question 4: Is a network attached stapler that happens to be on the same network segment as a CDE system component always also in the CDE?
Question 5: Does it matter whether the workstation that a customer service representative uses is a thin client or a thick client?
Question 6: When should it be acceptable for a virtualization hypervisor that hosts a production application in the CDE to also host another VM that is not part of the CDE?
Question 7: If you have a domain controller that is not in the CDE, but in the scope of PCI assessment, is a print server on the same network segment as that domain controller also in the scope of PCI assessment?
Bonus Exercise: For each of the questions where you answered "in scope of the PCI assessment," describe a strategy to contain the scope, such that systems connected to that system are not in scope. (See Michelle Klinger's great post on the "PCI Contagion Dilemma.")
24. Language Is Often An Obstacle
In Newton’s time, there were no concrete terms for several critical concepts: force, acceleration, mass, inertia
In the following slide, note how difficult it was for Newton to frame the “three laws of motion” without these concepts…
25. Early Drafts Of Three Laws Of Motion
1. If a quantity once move it will never rest unless hindered by some externall cause.
2. A quantity will always move on in the same straight line (not changing the determination nor celerity of its motion) unless some externall cause divert it.
3. There is exactly so much required and no more force to reduce a body to rest as there was to put it upon motion.
Axiom 100: A body once moved will always keep the same celerity, quantity and determination of its motion
Axiom 103: ...as the body (a) is to the body (b0), so must the power of efficacy vigor strength or virtue of the cause which begets the same quantity of velocity
Source: Isaac Newton, James Gleick.
26. Benchmarks
Pythagorean theorem: 24 words
Archimedes' Principle: 67 words
Newton’s Three Laws Of Motion: 91 words
The 10 Commandments: 179 words
GAIT Proposed Principles v3.0: 168 words
The Gettysburg Address: 286 words
The Declaration of Independence: 1,300 words
GAIT Principles v1.3: 6,856 words
GAIT Methodology v2.2: 11,348 words
The US Government regulations on the sale of cabbage: 26,911 words
27. Solution: GAIT…
Released in Feb 2007, establishes four principles that:
Define the relevance of IT infrastructure elements to financial reporting integrity
Define the three types of IT processes that can affect them: change management and systems development, operations and security
Define an end-to-end process view of these three processes
Define an approach to defining objectives and key controls within those three processes
Provides a methodology and thinking process that continues the top down, risk based approach started in AS2 to scope IT general controls
Provides a common context for management and auditors to support and test management’s assessment that the necessary IT controls exist and are effective
Initial target is internal control objectives for financial reporting, but should extend to operating effectiveness and complying with laws and regulations (as defined by COSO)
28. GAIT Principle #1 The only IT infrastructure elements (e.g., databases, operating systems, networks) relevant to ITGC assessment are those that support financially-significant applications and data. (“What are the relevant IT infrastructure elements?”)
29. GAIT Principle #2
The IT processes primarily relevant to ITGC assessment are those that directly impact the integrity of financially-significant applications and data:
Change management and systems development: the processes around developing, implementing, and maintaining financially significant applications and supporting IT infrastructure
Operations management: the processes around managing the integrity of production data and program execution
Security management: the processes around limiting access to information assets
(“What are the relevant end-to-end IT processes?”)
30. GAIT Principle #3 Implications to the reliability of financially-significant applications and data, including controls, are based upon the achievement or failure of IT process objectives, not the design and operating effectiveness of the individual controls within those processes. (“What are the relevant objectives of those IT processes? In other words, we shouldn’t get carried away when reaching a conclusion when testing a control.”)
31. GAIT Principle #4
The basis for identifying key controls in the three IT processes is based on:
Inherent risk of not achieving the IT process objectives
IT process risk indicators
(“How do we select key controls within those IT processes?”)
35. Conclusions and Lessons Learned, Continued
Improved audit comment wording helps to connect to things management cares about:
“We noted poor change control procedures and were unable to obtain comfort that all changes were authorized and tested as required”
-- vs. --
“Poor change control practices introduced the risk of unauthorized or untested changes to key data such as annual threshold amounts for toxic chemical releases. Given the level of precision applied to reviewing the final report downstream, it is unlikely management would detect such errors. Our testing disclosed numerous “break/fix” changes had been made to code or data without supervisory review and approval or notifying the users.”
36. GAIT Evolution
Elements of GAIT were incorporated into PCAOB AS-5
GAIT-R for Business Risk
To me, it's the first really well thought out way of linking IT to any COSO internal control objective
Unlike ITIL, COBIT: it helps focus on what matters
Which is very much unlike PCI…
The Integrated Auditing Project (“Magic Glasses”)
37. Wait, You’re Lowering The PCI Bar!
Until you get scoping right, you can't raise the bar
Unless you correctly identify the scope of PCI assessment, any work on the controls is potentially wasted
38. My PCI Mission And Crusade
Create guidance to be able to scope correctly
Enable a risk based way to not only scope, but to evaluate controls
Prioritized PCI DSS is a disappointment
What controls for the PCI Scope of Assessment?
First, to earn the right to do all of this, we must enable correct scoping first
39. Participants
Leads:
Kent Fox (Intermountain Healthcare)
Brandon Green (T-Mobile)
Gretchen Forsyth (Southwest Airlines)
Mike Dahn (Verizon)
Tabitha Greiner (Verizon)
Ian White (Verizon)
James Summers (Nike)
40. Extend Concepts In PCI DSS Page 4: DSS 1.2: “System components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment.
41. Before vs. After Before: Prior to creating a structured method, we needed over 40 hours to come to a scoping conclusion. After: With the model under development, we generated consensus on 15 scoping conclusions in less than 2 hours.
42. Proposed Deliverables
Define and deliver the following, in a manner that clarifies and supports the spirit and intent of protecting cardholder data:
Scoping principles
A structured scoping methodology
A library of scoping scenarios demonstrating its usage for educational and clarification purposes
Create useful tools and guidance that will assist in the scoping effort for both merchants and QSAs.
44. Proposed Timeline
Submit a set of guidance to the PCI SSC for approval before the PCI Community meeting in September 2010
Desired outcome: PCI SSC and Board of Advisors agree with the problem and its significance, and have confidence in the approach
Assign a staff member to validate guidance and integrate it into the PCI practice
45. Also TODO
Identify attributes of effective segmentation to contain PCI contagion
Encrypted PIN device
Citrix Thin Client
Virtualization
Where necessary, fix the words "segment" and "connected to"
46. Next Up: Scoping Category vs. Control Consideration
47. Next: Alternate Control Procedures
Create a framework to evaluate alternate control procedures -- for that you need risk
Right now, PCI is 220+ control activities: create the framework to state what the control objectives are, so you can evaluate whether the objective is being met
COSO construct: objective, risk, control objective, THEN control activities and controls!
48. Top A-Ha Moments
Auditors rock: they have a comprehensive vocabulary that we need – otherwise, we’re stuck in Flatland
We need more people who can see the sphere
Auditors have seen the dead people longer than anyone
These auditors will eventually go crazy, and need friends
After a long detour into IT operations and audit, I’m returning to information security, in the guise of compliance
49. We Can Change The State Of The Practice
It’s an important problem
There are models we can replicate
Do you want to get involved?
52. What I’m Working On
50% with my family
50% on When IT Fails: The Novel
Figure out the methods, procedures and tools needed to enable the transformation
Collaborate with communities of practice to help mobilize these transformations: BSides, DevOps, ITIL, IIA, SEI
53. When IT Fails: The Novel: Day 1
Steve Masters, CEO
Dick Landry, CFO
Parts Unlimited, $4B revenue/year
54. When IT Fails: The Novel: Day 2
Bill Palmer, VP IT Operations (new)
Wes Davis, Director, Distributed Systems
Patty McKee, Director, Support and Process Improvement
55. When IT Fails: The Novel: Day 3
Norman Merz, Chief Audit Executive
John Kirkland, CISO
56. When IT Fails: The Novel: Day 4
Chris Anderson, VP Application Development
Sarah Moulton, SVP Retail Products
The outsourcing sales rep
58. When IT Fails: The Novel: The Two Critical Projects
Project Phoenix: designed to close the gap with the retail competition: $20M project
Project Argo: designed to integrate POS systems with accounting systems to reduce time to close books, manufacturing order-to-cash, restock intervals
Editor's Notes
There are many ways to react to this: fear, horror, trying to become invisible… All understandable, given the circumstances…