Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology now a critical success factor for every business, and a fast-evolving cyber threat landscape, every internal auditor needs to be equipped with IT audit essentials and an understanding of cyber issues.
In part 12 of our Cyber Security Series, Richard Cascarino covers current cyber risks and attack methods, including:
Where are we now and where are we going?
Current cyber risks
• Data breaches and cloud misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware attacks
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data and to adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual global turnover or €20 million, whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to provide a clear understanding of the core elements of the GDPR, with the opportunity to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization, and the auditor’s role.
Webinar 2 of 10
• Special categories of personal data
• The rights of data subjects, including data access requests
• Controllers and processors
While Data Analytics produces excellent results, it is commonly applied in a tactical way to specific functional areas within an organization. This tactical approach often falls short of realizing the full potential of Data Analytics. Going beyond initial results, a more systematic approach to Data Analytics can help drive organizational learning (human and machine) from the various remediation processes.
In this Webinar, we’ll discuss 3 areas of Analytics Automation: (1) Producing the findings, (2) Managing the findings, and (3) Learning from the findings.
Key takeaways:
· The value of Analytics Automation
· Understanding the various technologies (e.g. RPA, AI)
· Practical ideas for deploying and managing Analytics Automation
· Using a more structured approach to remediation exceptions
· Benefits of Root Cause Analysis
· Using Analytics Automation to get a broader, more complete view of your organization over time
This document provides an overview of data protection impact assessments (DPIAs) and the role of the data protection officer (DPO) under the General Data Protection Regulation (GDPR). It discusses when DPIAs are required, the DPIA process, how to identify and assess risks, select controls, and ensure continuous monitoring. It also outlines the DPO requirements, including the need for independence and expertise. The DPO is responsible for enabling compliance and fostering a data protection culture.
How to Use AI Apps to Unleash the Power of Your Audit Program (Jim Kaplan CIA CFE)
Artificial Intelligence (AI) is found in just about every industry today, and accounting and auditing are no exception. Auditors who aren’t already exploring the potential of AI-powered applications in their audit program will soon find these tools are the industry standard, and will fall behind if they don’t adapt and adopt.
To learn how to easily use AI apps in audit today, join us as we welcome Deniz Appelbaum, Assistant Professor at Montclair State University, for this exclusive presentation. With deep experience in audit analytics, Big Data, blockchain, audit automation, and fraud detection, Appelbaum brings considerable practical experience with audit technology to the audit profession.
In this presentation, she will help guests:
● Gain a basic introductory understanding of AI in audit.
● Understand how AI applications can be used in the context of auditing.
● Learn how to use AI apps in an audit for specific, achievable, measurable results.
Webinar 3
• Data protection by design
• Securing personal data
• Reporting data breaches
Implementing and Auditing General Data Protection Regulation (Jim Kaplan CIA CFE)
Implementing and Auditing GDPR Series (1 of 10)
Webinar 1 of 10
• Bands of penalties and range of awards for breaches
• Lawfulness of processing and consent
• The six data protection principles
Webinar 8
• The security of personal data.
• An organizational risk management framework.
• Legal requirements for a DPIA.
• How to conduct a DPIA with a DPIA tool.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology now a critical success factor for every business, and a fast-evolving cyber threat landscape, every internal auditor needs to be equipped with IT audit essentials and an understanding of cyber issues.
In part 14 of our Cyber Security Series, Richard Cascarino covers current cyber risks and attack methods, including:
Where are we now and where are we going?
Current cyber risks
• Data breaches and cloud misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware attacks
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Today's fast-paced and evolving business environment requires internal audit to consider its capabilities and needs to ensure appropriate strategic planning. How can CAEs develop strategic plans that result in their stakeholders viewing the audit function as “highly effective”?
Our research has identified three dimensions of effectiveness that an audit function must address to be rated highly effective:
• Meeting stakeholder expectations
• Operating core processes
• Conforming to internal audit standards and applicable regulatory requirements
Learning Objectives
In this session, participants will:
• Discuss the need for and importance of strategic planning within the internal audit function
• Explore the 3 dimensions that contribute to a highly effective internal audit function
• Populate a framework to understand how processes and expectations are aligned and where changes need to occur
• Develop an initial strategic vision based on an understanding of stakeholder expectations
From time to time internal auditors are faced with situations which call for them to make an ethical decision. In addition, they may, in the middle of an audit, come across circumstances which themselves appear to be violations of a corporate code of conduct.
Several laws now specifically state that, for the purposes of the act, internal auditors are bound by the IIA Code of Ethics.
This webinar explores the IIA Code of Ethics as it applies to everyday situations the auditor may encounter.
The module is designed to provide the participants with an in-depth knowledge of:
Ethics theory
The IIA Code of Ethics
Applicable areas within Internal Audit
Reporting of material facts
Corporate Codes of Conduct
Auditing Corporate Ethics
Webinar contents will include:
Classes of Ethics
The role of business
Employee ethics
Honesty, Objectivity and diligence
Conflicts of Interest
Reporting of Material Facts
Corporate Codes of Conduct
Corporate Social Responsibility
When is a Duplicate not a Duplicate? Detecting Errors and Fraud (Jim Kaplan CIA CFE)
Webinar Overview - A look at duplicates testing and the inherent value of fuzzy data matching.
Identifying fuzzy duplicates has never been easier. Arbutus Analyzer’s versatile functionality enables even new users to detect possible duplicate payments, vendors sharing similar addresses among themselves or with your organization’s employees, and counterparties who may be on government watch lists. Our webinar includes nine different scenarios with detailed descriptions of the tests and their results.
You'll learn about:
• Identifying possible risks
• How to deploy Analyzer commands and functions
Key Presenter:
Michael Kano, ACDA, Data Analytics Consultant, Arbutus Analytics
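The matching described above (near-identical vendor names and addresses, vendor addresses that collide with employee addresses, and payments that repeat once punctuation and case are ignored) can be shown in a few dozen lines of plain Python. This is an added example, not Arbutus Analyzer code or material from the webinar; the vendor, employee and payment records are constructed, the abbreviation table and the 0.85 similarity threshold are assumptions a practitioner would tune to their own master data, and the similarity measure is `difflib.SequenceMatcher` rather than whatever the product uses internally.

```python
"""Fuzzy duplicate detection over constructed vendor, employee and payment records.
Added example; not Arbutus Analyzer code. All data below is constructed."""
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample master data (assumed field names).
VENDORS = [
    {"id": "V100", "name": "Acme Supplies Ltd",     "address": "12 High Street, Leeds, LS1 4AB"},
    {"id": "V101", "name": "ACME Supplies Limited", "address": "12 High St., Leeds LS1 4AB"},
    {"id": "V102", "name": "Northern Widgets",      "address": "4 Mill Lane, York, YO1 7EX"},
    {"id": "V103", "name": "J. Smith Consulting",   "address": "Flat 3, 88 Park Road, Manchester, M14 5PL"},
]
EMPLOYEES = [
    {"id": "E501", "name": "John Smith",  "address": "Flat 3 88 Park Rd Manchester M14 5PL"},
    {"id": "E502", "name": "Priya Patel", "address": "27 Orchard Close, Bristol, BS8 1AA"},
]
PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-0042", "amount": 1250.00},
    {"vendor": "V101", "invoice": "inv 0042", "amount": 1250.00},  # same invoice, "different" vendor
    {"vendor": "V102", "invoice": "A-77",     "amount": 310.50},
    {"vendor": "V102", "invoice": "A-78",     "amount": 310.50},   # same amount, genuinely distinct invoice
]

# Assumed abbreviation table; extend for your own locale.
_ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "lane": "ln", "limited": "ltd"}


def normalize(text):
    """Lower-case, drop punctuation, collapse whitespace and canonicalise abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def similarity(a, b):
    """0.0 .. 1.0 similarity of two normalised strings."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def invoice_key(inv):
    """Invoice numbers that differ only in case or punctuation map to one key."""
    return re.sub(r"[^a-z0-9]", "", inv.lower())


def fuzzy_vendor_pairs(vendors=VENDORS, threshold=0.85):
    """Vendor pairs whose name or address is near-identical: candidate duplicate vendors."""
    out = []
    for a, b in combinations(vendors, 2):
        addr, name = similarity(a["address"], b["address"]), similarity(a["name"], b["name"])
        if addr >= threshold or name >= threshold:
            out.append((a["id"], b["id"], round(max(addr, name), 2)))
    return out


def vendor_employee_matches(vendors=VENDORS, employees=EMPLOYEES, threshold=0.85):
    """Vendors whose address matches an employee's address: a classic conflict-of-interest test."""
    return [(v["id"], e["id"]) for v in vendors for e in employees
            if similarity(v["address"], e["address"]) >= threshold]


def duplicate_payments(payments=PAYMENTS, vendor_pairs=None):
    """Payments sharing amount and normalised invoice number, for the same vendor or for two
    vendors already flagged as probable duplicates of each other."""
    pairs = vendor_pairs if vendor_pairs is not None else fuzzy_vendor_pairs()
    linked = {frozenset((a, b)) for a, b, _ in pairs}
    flags = []
    for p, q in combinations(payments, 2):
        same_vendor = p["vendor"] == q["vendor"] or frozenset((p["vendor"], q["vendor"])) in linked
        if same_vendor and p["amount"] == q["amount"] and invoice_key(p["invoice"]) == invoice_key(q["invoice"]):
            flags.append((p["vendor"], q["vendor"], p["invoice"], q["invoice"]))
    return flags


if __name__ == "__main__":
    print("possible duplicate vendors:", fuzzy_vendor_pairs())
    print("vendor/employee address matches:", vendor_employee_matches())
    print("possible duplicate payments:", duplicate_payments())
```

Note that the V102 pair with equal amounts but distinct invoice numbers is deliberately not flagged: an exact-amount test alone would report it, which is the "when is a duplicate not a duplicate" question the webinar title raises. The thresholds are where false positives and false negatives trade off, so review a sample of near-misses on either side of 0.85 before relying on the cut-off.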
Implementing and Auditing General Data Protection Regulation (Jim Kaplan CIA CFE)
This document provides an agenda and overview of a webinar on lessons learned from the General Data Protection Regulation (GDPR) and applying the GDPR's data protection principles. The webinar agenda includes discussing common data security failures, managing personal data breaches, and the seven data protection principles. It also provides background on the webinar presenter and introduces the company hosting the webinar, AuditNet.
General Data Protection Regulation for Auditors 5 of 10 (Jim Kaplan CIA CFE)
Webinar 5
• Certification against GDPR
• The powers of supervisory authorities
• Lead supervisory authorities
• The role of the European Data Protection Board (EDPB)
This document summarizes a webinar about using exploratory data analytics to focus an agile audit plan on emerging risks. It discusses dispelling common myths about data analytics and using an example of analyzing employee data to identify potential issues with gender and race pay disparities. The webinar promotes using analytics to enable control owners to conduct ongoing monitoring and shifting the audit's focus to confirming controls are appropriately designed and issues are addressed.
Learning about outliers and how to detect them in transactions of all types.
Learning Objectives: This webinar will explain the significance of outliers when testing transactions, whether they are vendor invoices, GL postings, or travel & entertainment expenses. Examples using Arbutus Analyzer will demonstrate the best analytics for identifying outliers.
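One point worth seeing in code is why the choice of outlier statistic matters: a single large item inflates the mean and standard deviation enough that a classic z-score can fail to flag it, while the median/MAD "modified z-score" is unaffected. The block below is an added example and is not Arbutus Analyzer code or material from the webinar; the transactions are constructed, the 3.5 cut-off is the usual convention for modified z-scores and is an assumption, and amounts are grouped by transaction type so that AP invoices are not compared against T&E claims.

```python
"""Robust outlier detection over constructed transaction amounts.
Added example, not Arbutus Analyzer code. Data and thresholds are constructed/assumed."""
from collections import defaultdict
from statistics import mean, median, stdev

# Constructed sample: (category, reference, amount). EXP-6 is the planted anomaly.
TRANSACTIONS = [
    ("T&E", "EXP-1", 42.10), ("T&E", "EXP-2", 55.00), ("T&E", "EXP-3", 38.75),
    ("T&E", "EXP-4", 61.20), ("T&E", "EXP-5", 47.90), ("T&E", "EXP-6", 1250.00),
    ("AP", "INV-1", 980.00), ("AP", "INV-2", 1010.00), ("AP", "INV-3", 995.00),
    ("AP", "INV-4", 1005.00), ("AP", "INV-5", 990.00), ("AP", "INV-6", 1000.00),
]


def classic_z_scores(values):
    """Mean/standard-deviation z-scores. The outlier itself inflates both, masking it."""
    m, s = mean(values), stdev(values)
    return [(v - m) / s for v in values] if s else [0.0] * len(values)


def modified_z_scores(values):
    """Median/MAD z-scores (0.6745 rescales MAD to a standard deviation for normal data).
    Median and MAD ignore the magnitude of extreme values, so the outlier stays visible."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0] * len(values)  # all values identical: nothing to flag
    return [0.6745 * (v - med) / mad for v in values]


def by_category(transactions=TRANSACTIONS):
    groups = defaultdict(list)
    for cat, ref, amount in transactions:
        groups[cat].append((ref, amount))
    return groups


def flag_outliers(transactions=TRANSACTIONS, threshold=3.5, scorer=modified_z_scores):
    """Return (category, reference, amount, score) for items beyond the threshold,
    scoring each category on its own so unlike populations are not mixed."""
    flagged = []
    for cat, rows in by_category(transactions).items():
        scores = scorer([amount for _, amount in rows])
        for (ref, amount), z in zip(rows, scores):
            if abs(z) > threshold:
                flagged.append((cat, ref, amount, round(z, 1)))
    return flagged


if __name__ == "__main__":
    te = [a for _, a in by_category()["T&E"]]
    print("classic z for EXP-6:", round(classic_z_scores(te)[-1], 2))   # about 2.0: not flagged at 3
    print("modified z for EXP-6:", round(modified_z_scores(te)[-1], 1))  # about 84.7: flagged
    print("outliers:", flag_outliers())
```

The same population-then-score pattern applies to GL postings or vendor invoices; the grouping key (account, vendor, expense type) is the analytic decision, and the scorer should be one that the anomaly cannot pull toward itself.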
Webinar 9
• Why and how to conduct a data mapping exercise.
• The rights of data subjects.
• Giving and withdrawing consent.
Cyber attacks and data breaches are increasing. Hackers are targeting smaller companies to access personal information like credit cards, social security numbers, and passwords. To reduce risk, companies should implement security measures like firewalls, encryption, training employees on security best practices, and establishing a computer security incident response team to respond effectively to any data breaches. Regular security assessments, software updates, and network monitoring can help organizations strengthen their cyber defenses.
The document discusses defensible cybersecurity strategies and practices. It notes recent large data breaches and increasing regulatory focus on data privacy and cybersecurity. It emphasizes the importance of having a comprehensive cybersecurity plan that uses industry standards and best practices, and of demonstrating executive involvement, in order to defend against potential legal liability from cyber incidents. It provides examples of business risks from cybersecurity issues and costs of data breaches. It recommends prioritizing privacy and security using standards like NIST CSF, documenting policies and procedures, and making cybersecurity part of an organization's culture.
Security and Privacy: What Nonprofits Need to Know (TechSoup)
The adage says, "You can't have privacy without security, but you can have security without privacy." What does that really mean, and how can you proactively address both for your organization? With privacy scandals and data breaches grabbing headlines daily, even the smallest organizations must take responsibility for lawful custodianship and protection of personal information. In this 60-minute webinar with Michael Standard, senior corporate counsel at Symantec, we will cover the key elements of privacy and security programs. You will learn:
- How privacy and security concerns intersect and differ
- Risks to assess when evaluating your privacy program
- The definition of "personal information"
- Key privacy laws that may impact your organization
- The top three privacy and security threats and how to mitigate them
This document discusses strategies for complying with the EU's General Data Protection Regulation (GDPR) which takes effect in May 2018. It outlines five key security challenges that the GDPR addresses: 1) mobile workers accessing systems remotely, 2) privileged users having broad access rights, 3) risks from ransomware and malware, 4) insecure employee onboarding and offboarding processes, and 5) lack of accurate auditing and reporting on personal data access. The document then provides recommendations for addressing each challenge through strategies like context-aware access controls, dynamic user privileges, whitelisting applications, automating user provisioning and deprovisioning, and improved logging and reporting of personal data access.
This document discusses information security professional certifications. It describes the DoD Directive 8570.01 that requires DoD personnel and contractors to obtain security certifications. The directive is being replaced by DoDD 8140.01, which identifies new cybersecurity roles. Popular vendor-neutral certifications include those from (ISC)2 like the CISSP, and GIAC certifications offered through the SANS Institute. Vendor-specific certifications also exist.
The document summarizes key statistics about data loss incidents in 2013, including that over 2,000 incidents exposed over 800 million records. It outlines the typical stages companies go through after an incident and laws requiring preparation and response. The document provides a self-assessment for companies and best practices around security, forensics, communications, and international considerations for responding to a data breach. It emphasizes that companies should plan for an incident as regulatory requirements and costs can be significant for unprepared organizations.
How to Save Your Company from Having a Security Breach (Baltimax)
To prevent security breaches, companies must address root causes like human error, abuse/fraud, and problems in processes. The document recommends that companies get board support, identify risks, classify data, secure perimeters, implement policies, and provide user training. It also suggests choosing a security approach that fits the company's structure, finding and solving issues like access control and insider threats, and developing a culture of responsibility through openness and ongoing training.
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme... (PGConf APAC)
Speaker: Rajni Baliyan
As the volume of data of a personal nature and commodification of information collected and analysed increases; so is the focus on privacy and data security. Many countries are examining international and domestic laws in order to protect consumers and organisations alike.
The Australian Senate has recently passed a bill containing mandatory requirements to notify the Privacy Commissioner and affected consumers when a data breach is likely to result in serious harm.
Europe has also announced new laws that allow consumers more control over their data. These laws allow consumers to tell companies to erase any data held about them.
These new laws will have a significant impact on organisations that store personal information.
This talk will examine some of these legislative changes and how specific PostgreSQL features can assist organisations in meeting their obligations and avoid heavy fines associated with breaching them.
The document discusses access controls, which are processes that protect resources by only allowing authorized users to use them. It covers physical and logical access controls and the four components of access control: identification, authentication, authorization, and accountability. Authentication methods like passwords, tokens, and biometrics are described. Formal access control models like discretionary access control and mandatory access control are also summarized.
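The difference between the two formal models summarised above is easiest to see when both are enforced on the same object: under discretionary access control the owner can hand out permissions, but under mandatory access control the labels decide and an owner's ACL entry cannot override them. The block below is an added example, not code from the document; the users, classification levels, compartments and the `hr_report` object are constructed, and the mandatory rules follow the Bell-LaPadula properties (no read up, no write down), which is one MAC model among several.

```python
"""Discretionary (owner-managed ACL) and mandatory (Bell-LaPadula style) access checks
applied together. Added example; subjects, labels and objects are constructed."""
from dataclasses import dataclass, field

# Assumed ordering of sensitivity levels, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in level AND self holds every compartment other requires."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.compartments <= self.compartments


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # subject -> set of permissions


def dac_allowed(subject, obj, perm):
    """Discretionary: the owner always may; others need an ACL entry the owner granted."""
    return subject == obj.owner or perm in obj.acl.get(subject, set())


def dac_grant(granter, obj, grantee, perm):
    """Only the owner can extend the ACL; that discretion is what makes it 'discretionary'."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(perm)


def mac_allowed(clearance, obj, perm):
    """Mandatory (BLP): read requires clearance to dominate the object label (no read up);
    write requires the object label to dominate the clearance (no write down)."""
    if perm == "read":
        return clearance.dominates(obj.label)
    if perm == "write":
        return obj.label.dominates(clearance)
    return False


def allowed(subject, clearance, obj, perm):
    """Both policies must agree; an owner's ACL grant cannot override the labels."""
    return dac_allowed(subject, obj, perm) and mac_allowed(clearance, obj, perm)


def scenario():
    """Constructed walk-through returning each decision, so the differences are visible."""
    hr = Label("confidential", frozenset({"hr"}))
    alice = Label("secret", frozenset({"hr"}))        # owner, cleared for hr
    bob = Label("internal")                            # below the document's level
    carol = Label("secret", frozenset({"finance"}))   # high level, wrong compartment
    report = Obj("hr_report", owner="alice", label=hr)
    dac_grant("alice", report, "bob", "read")
    dac_grant("alice", report, "carol", "read")
    try:
        dac_grant("bob", report, "bob", "write")
        bob_self_grant = True
    except PermissionError:
        bob_self_grant = False
    return {
        "alice_read": allowed("alice", alice, report, "read"),    # owner, dominates label
        "alice_write": allowed("alice", alice, report, "write"),  # denied: no write down
        "bob_dac_only": dac_allowed("bob", report, "read"),      # ACL says yes ...
        "bob_read": allowed("bob", bob, report, "read"),          # ... MAC says no read up
        "carol_read": allowed("carol", carol, report, "read"),    # denied: lacks hr compartment
        "bob_self_grant": bob_self_grant,                         # non-owner cannot grant
    }


if __name__ == "__main__":
    for decision, outcome in scenario().items():
        print(f"{decision:15s} {outcome}")
```

The `alice_write` result is the one that surprises people: the owner of a confidential document, holding a secret clearance, is refused write access because a secret subject writing into a confidential object would be a write down. Real systems (SELinux, Windows mandatory integrity levels) relax or invert individual rules, but the shape of the check, and the fact that it sits beside rather than inside the discretionary one, is the same.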
The document discusses various types of malware such as viruses, worms, Trojans, spyware and ransomware. It describes how malware functions, common symptoms of infection, and methods of detection. Examples of malware tools and distribution methods like wrappers are also provided. The goal is to help identify malware threats and understand legal issues related to malware.
This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 6 of 10
This Webinar focuses on Application Security
• Application security logging and monitoring
• Issues in current logging practices
• Resources required by developers for security logging
• Correlating and alerting from log sources
• Logging in multi-tiered architectures and disparate systems
• Application security logging requirements
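Two of the session topics, correlating across log sources and logging in multi-tiered architectures, come down to one design decision: every tier must emit a shared request identifier, and the security-relevant fields (principal, source address, resource, outcome) must appear somewhere in the joined record. The block below is an added example, not material from the webinar; the web-tier and application-tier log lines are constructed (addresses are from the documentation ranges), the line formats are assumptions, and the detection rule, several authorization denials by one principal across distinct resources in a short window, is the pattern an auditor would expect an application to be able to surface.

```python
"""Correlate security events across two tiers (reverse proxy + application service) on a
shared request ID, then alert on bursts of authorization failures by one principal.
Added example; log lines and formats are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-tier access log: ts client_ip method path status request_id
WEB_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 GET /api/invoices/1001 403 req-a1
2024-03-01T10:00:03Z 203.0.113.7 GET /api/invoices/1002 403 req-a2
2024-03-01T10:00:05Z 203.0.113.7 GET /api/payroll/9 403 req-a3
2024-03-01T10:00:06Z 203.0.113.7 GET /api/invoices/1003 403 req-a4
2024-03-01T10:00:09Z 198.51.100.4 GET /api/invoices/2001 200 req-b1
2024-03-01T10:00:10Z 198.51.100.4 GET /api/invoices/2001 403 req-b2
"""
# Constructed application-tier security log: one JSON event per line, same request_id.
# The app tier knows the authenticated user; the web tier knows the client address.
APP_LOG = """\
{"ts":"2024-03-01T10:00:01Z","request_id":"req-a1","user":"mallory","event":"authz_denied","resource":"invoice:1001"}
{"ts":"2024-03-01T10:00:03Z","request_id":"req-a2","user":"mallory","event":"authz_denied","resource":"invoice:1002"}
{"ts":"2024-03-01T10:00:05Z","request_id":"req-a3","user":"mallory","event":"authz_denied","resource":"payroll:9"}
{"ts":"2024-03-01T10:00:06Z","request_id":"req-a4","user":"mallory","event":"authz_denied","resource":"invoice:1003"}
{"ts":"2024-03-01T10:00:09Z","request_id":"req-b1","user":"bob","event":"authz_granted","resource":"invoice:2001"}
{"ts":"2024-03-01T10:00:10Z","request_id":"req-b2","user":"bob","event":"authz_denied","resource":"invoice:2001"}
"""

WEB_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_web(text):
    """request_id -> edge fields. Lines that do not match the format are skipped."""
    recs = {}
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts, ip, _method, path, status, rid = m.groups()
            recs[rid] = {"ts": ts, "client_ip": ip, "path": path, "status": int(status)}
    return recs


def parse_app(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(web_text=WEB_LOG, app_text=APP_LOG):
    """Join app events to edge records on request_id, producing one record with both
    the principal (app tier) and the client address (web tier)."""
    web = parse_web(web_text)
    joined = []
    for ev in parse_app(app_text):
        edge = web.get(ev["request_id"])
        if edge is None:
            continue  # app event with no edge record: a logging gap worth its own finding
        joined.append({**ev, "client_ip": edge["client_ip"], "path": edge["path"], "status": edge["status"]})
    return joined


def alerts(joined=None, window=timedelta(seconds=30), min_denials=3, min_resources=2):
    """One alert per principal with >= min_denials authz_denied events over >= min_resources
    distinct resources inside `window`: the enumeration pattern behind IDOR probing."""
    if joined is None:
        joined = correlate()
    by_user = defaultdict(list)
    for ev in joined:
        if ev["event"] == "authz_denied":
            by_user[ev["user"]].append(ev)
    out = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if _ts(e["ts"]) - _ts(first["ts"]) <= window]
            resources = {e["resource"] for e in burst}
            if len(burst) >= min_denials and len(resources) >= min_resources:
                out.append({"user": user, "client_ips": sorted({e["client_ip"] for e in burst}),
                            "denials": len(burst), "resources": sorted(resources)})
                break  # one alert per principal is enough
    return out


if __name__ == "__main__":
    for a in alerts():
        print(json.dumps(a))
```

Bob's single denial on a resource he had just been granted is noise that the rule correctly ignores, while Mallory's four denials across four resources in five seconds trip it. Neither tier could have produced that alert alone: the web log has no user and the application log has no client address, which is the practical argument for the shared request ID that the session's "logging in multi-tiered architectures" item refers to.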
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 14 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Today's fast-paced and evolving business environment requires internal audit to consider its capabilities and needs to ensure appropriate strategic planning. How can CAEs develop strategic plans that result in their stakeholders viewing the audit function as “highly effective”?
Our research has found an approach that builds on three dimensions of effectiveness that must be addressed to be highly effective:
• Meeting stakeholder expectations
• Operating core processes
• Conforming to internal audit standards and applicable regulatory requirements
Learning Objectives
In this session, participants will:
• Discuss the need for and importance of strategic planning within the internal audit function
• Explore the 3 dimensions that contribute to a highly effective internal audit function
• Populate a framework to understand how processes and expectations are aligned and where changes need to occur
• Develop an initial strategic vision based on an understanding of stakeholder expectations
From time to time internal auditors are faced with situations which call for them to make an ethical decision. In addition, they may, in the middle of auditing, come across circumstances which themselves appear to be violations of a corporate code of conduct.
Several laws now specifically state that internal auditors, in terms of the act, will be bound by the IIA Code of Ethics.
This webinar explores the IIA Code of Ethics as it applies to everyday situations the auditor may encounter.
The module is designed to provide the participants with an in-depth knowledge of:
Ethics theory
The IIA Code of Ethics
Applicable areas within Internal Audit
Reporting of material facts
Corporate Codes of Conduct
Auditing Corporate Ethics
Webinar contents will include:
Classes of Ethics
The role of business
Employee ethics
Honesty, Objectivity and diligence
Conflicts of Interest
Reporting of Material Facts
Corporate Codes of Conduct
Corporate Social Responsibility
When is a Duplicate not a Duplicate? Detecting Errors and Fraud - Jim Kaplan CIA CFE
Webinar Overview - A look at duplicates testing and the inherent value of fuzzy data matching.
Identifying fuzzy duplicates has never been easier. Arbutus Analyzer’s versatile functionality enables even new users to detect possible duplicate payments, vendors sharing similar addresses among themselves or with your organization’s employees, and counterparties who may be on government watch lists. Our webinar includes nine different scenarios with detailed descriptions of the tests and their results.
You'll learn about:
• Identifying possible risks
• How to deploy Analyzer commands and functions
Key Presenter:
Michael Kano, ACDA, Data Analytics Consultant, Arbutus Analytics
Implementing and Auditing General Data Protection Regulation - Jim Kaplan CIA CFE
This document provides an agenda and overview of a webinar on lessons learned from the General Data Protection Regulation (GDPR) and applying the GDPR's data protection principles. The webinar agenda includes discussing common data security failures, managing personal data breaches, and the seven data protection principles. It also provides background on the webinar presenter and introduces the company hosting the webinar, AuditNet.
General Data Protection Regulation for Auditors 5 of 10 - Jim Kaplan CIA CFE
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 5
• Certification against GDPR
• The powers of supervisory authorities
• Lead supervisory authorities
• The role of the European Data Protection Board (EDPB)
This document summarizes a webinar about using exploratory data analytics to focus an agile audit plan on emerging risks. It discusses dispelling common myths about data analytics and using an example of analyzing employee data to identify potential issues with gender and race pay disparities. The webinar promotes using analytics to enable control owners to conduct ongoing monitoring and shifting the audit's focus to confirming controls are appropriately designed and issues are addressed.
Learning about outliers and how to detect them in transactions of all types.
Learning Objectives: This webinar will explain the significance of outliers when testing transactions, whether they are vendor invoices, GL postings, or travel & entertainment expenses. Examples using Arbutus Analyzer will demonstrate the best analytics for identifying outliers.
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 9
• Why and how to conduct a data mapping exercise.
• The rights of data subjects.
• Giving and withdrawing consent.
Cyber attacks and data breaches are increasing. Hackers are targeting smaller companies to access personal information like credit cards, social security numbers, and passwords. To reduce risk, companies should implement security measures like firewalls, encryption, training employees on security best practices, and establishing a computer security incident response team to respond effectively to any data breaches. Regular security assessments, software updates, and network monitoring can help organizations strengthen their cyber defenses.
The document discusses defensible cybersecurity strategies and practices. It notes recent large data breaches and increasing regulatory focus on data privacy and cybersecurity. It emphasizes the importance of having a comprehensive cybersecurity plan that uses industry standards and best practices, and of demonstrating executive involvement, in order to defend against potential legal liability from cyber incidents. It provides examples of business risks from cybersecurity issues and costs of data breaches. It recommends prioritizing privacy and security using standards like NIST CSF, documenting policies and procedures, and making cybersecurity part of an organization's culture.
Security and Privacy: What Nonprofits Need to Know - TechSoup
The adage says, "You can't have privacy without security, but you can have security without privacy." What does that really mean, and how can you proactively address both for your organization? With privacy scandals and data breaches grabbing headlines daily, even the smallest organizations must take responsibility for lawful custodianship and protection of personal information. In this 60-minute webinar with Michael Standard, senior corporate counsel at Symantec, we will cover the key elements of privacy and security programs. You will learn
- How privacy and security concerns intersect and differ
- Risks to assess when evaluating your privacy program
- The definition of "personal information"
- Key privacy laws that may impact your organization
- The top three privacy and security threats and how to mitigate them
This document discusses strategies for complying with the EU's General Data Protection Regulation (GDPR) which takes effect in May 2018. It outlines five key security challenges that the GDPR addresses: 1) mobile workers accessing systems remotely, 2) privileged users having broad access rights, 3) risks from ransomware and malware, 4) insecure employee onboarding and offboarding processes, and 5) lack of accurate auditing and reporting on personal data access. The document then provides recommendations for addressing each challenge through strategies like context-aware access controls, dynamic user privileges, whitelisting applications, automating user provisioning and deprovisioning, and improved logging and reporting of personal data access.
This document discusses information security professional certifications. It describes the DoD Directive 8570.01 that requires DoD personnel and contractors to obtain security certifications. The directive is being replaced by DoDD 8140.01, which identifies new cybersecurity roles. Popular vendor-neutral certifications include those from (ISC)2 like the CISSP, and GIAC certifications offered through the SANS Institute. Vendor-specific certifications also exist.
The document summarizes key statistics about data loss incidents in 2013, including that over 2,000 incidents exposed over 800 million records. It outlines the typical stages companies go through after an incident and laws requiring preparation and response. The document provides a self-assessment for companies and best practices around security, forensics, communications, and international considerations for responding to a data breach. It emphasizes that companies should plan for an incident as regulatory requirements and costs can be significant for unprepared organizations.
How to save your company from having a security breach - Baltimax
To prevent security breaches, companies must address root causes like human error, abuse/fraud, and problems in processes. The document recommends that companies get board support, identify risks, classify data, secure perimeters, implement policies, and provide user training. It also suggests choosing a security approach that fits the company's structure, finding and solving issues like access control and insider threats, and developing a culture of responsibility through openness and ongoing training.
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme... - PGConf APAC
Speaker: Rajni Baliyan
As the volume of data of a personal nature and the commodification of collected and analysed information increase, so does the focus on privacy and data security. Many countries are examining international and domestic laws in order to protect consumers and organisations alike.
The Australian Senate has recently passed a bill containing mandatory requirements to notify the privacy commissioner and consumers when data is at risk of causing serious harm in the case of a data breach occurring.
Europe has also announced new laws that allow consumers more control over their data. These laws allow consumers to tell companies to erase any data held about them.
These new laws will have a significant impact on organisations that store personal information.
This talk will examine some of these legislative changes and how specific PostgreSQL features can assist organisations in meeting their obligations and avoid heavy fines associated with breaching them.
The document discusses access controls, which are processes that protect resources by only allowing authorized users to use them. It covers physical and logical access controls and the four components of access control: identification, authentication, authorization, and accountability. Authentication methods like passwords, tokens, and biometrics are described. Formal access control models like discretionary access control and mandatory access control are also summarized.
The document discusses various types of malware such as viruses, worms, Trojans, spyware and ransomware. It describes how malware functions, common symptoms of infection, and methods of detection. Examples of malware tools and distribution methods like wrappers are also provided. The goal is to help identify malware threats and understand legal issues related to malware.
This webinar series is designed to help internal auditors looking to equip themselves with the competencies and confidence to handle audits of IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 6 of 10
This Webinar focuses on Application Security
• Application security logging and monitoring
• Issues in current logging practices
• Resources required by developers for security logging
• Correlating and alerting from log sources
• Logging in multi-tiered architectures and disparate systems
• Application security logging requirements
The Avid Life Media hack is a striking example of everything that can go wrong when a company is completely breached followed by a total disclosure of the stolen information. This attack resulted in an estimated $200 million in costs, firing of the CEO, and countless lives ruined. This presentation will review the data exposed and what can be learned to prevent this from happening to your organization.
This webinar series is designed to help internal auditors looking to equip themselves with the competencies and confidence to handle audits of IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 10 of 10
This Webinar focuses on Advanced Persistent Threats and targeted cyber attacks:
• Advanced Persistent Threats – the shifting paradigm to targeted attacks
• Understanding Advanced Persistent threats
• Overview of popular types of APTs
• Impact of APTs on sensitive data as well as organisation reputation
• Characteristics and Attack sequence of APT attacks and the challenges in detecting APTs
• Assessing, Managing and Auditing APT Risks
• Data loss and Cyber intrusions
The document provides guidelines for secure coding. It discusses the evolution of software markets and increased security threats. Common web attacks like injection, broken authentication, and sensitive data exposure are explained. The OWASP Top 10 list of vulnerabilities is reviewed. The document emphasizes the importance of secure coding practices like input validation, output encoding, and using components with no known vulnerabilities. Following a secure coding lifestyle can help developers write more secure code and protect against attacks.
David Cass discusses the role of security and how best practices can be used to accelerate cloud adoption and success.
Learn more by visiting our Bluemix Hybrid page: http://ibm.co/1PKN23h
Speaker: David Cass (Vice President, Cloud and SaaS CISO)
Application Security Testing for Software Engineers: An approach to build sof... - Michael Hidalgo
This talk was presented at the 7th WCSQ World Congress for Software Quality in Lima, Perú on Wednesday, 22nd March 2017.
Writing secure code certainly is not an easy endeavor. In the book titled “Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World (Developer Best Practices)” authors Howard and LeBlanc talk about the so called attacker’s advantage and the defenders dilemma and they put into perspective the fact that developers (identified as defenders) must build better quality software because attackers have the advantage.
In this dilemma, software applications must be in a constant state of defense because attackers are out there taking advantage of any minor mistake, whereas the defender must always remain vigilant while adding new features to the code, fixing issues, and adding new engineers to the team. All these conditions matter when it comes to software security.
Sadly, a strong understanding of software security principles is not a characteristic of most software engineers, but we can’t blame them. Writing code is a complex task in itself: the abstraction level required, along with choosing and/or writing the right algorithm and dealing with tight schedules, is the common denominator that comes up whenever you talk to developers.
This talk also includes techniques, tools and guidance that software engineers can use to perform Application Security testing during the development stage, enabling them to catch vulnerabilities at the time they are created.
Guest lecture on web application security, presented to students at the Indianapolis campus of The Iron Yard on November 9, 2016. This presentation was a basic overview/introduction to security, discussed the CIA Triad, why security is difficult, what happens if we don't do security right, what developers can do to enhance security, and included a brief overview of the OWASP Top Ten.
The document discusses how web application hacking occurs through examples like SQL injection. It explains the basic components of a web application like the database, server, and client. It then covers the steps an attacker may take, like using tools to find hidden content or exploiting vulnerabilities in how user input is handled to access private user data or delete database tables. The document emphasizes that these types of vulnerabilities are common and provides resources for learning about different hacking techniques as well as the company's security assessment services.
Fragments - Plug the vulnerabilities in your App - Appsecco
The document provides an overview of a discussion on mobile application security testing between Riddhi Shree and Riyaz Walikar of Appsecco. They discuss common weaknesses found during mobile app testing like trusting third parties, ignoring API authentication and authorization, and not implementing proper input validation. They also cover steps developers should take like verifying third party code, implementing layered defenses, and following secure development best practices around authentication, authorization, and least privilege. The discussion includes a bonus section on setting up a mobile security testing lab.
This webinar series is designed to help internal auditors looking to equip themselves with the competencies and confidence to handle audits of IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 3 of 10
This Webinar focuses on Malware Defense
• Types of Malware
• Blended Threats
• Infection Mechanisms
• Semantic, or Heuristics Based Malware Detection
• Polymorphic Malware
• Metamorphic Malware
• Hiding techniques and Detection of Malware
This document summarizes the results of 376 penetration tests conducted over the past year across various sectors. It finds that common external vulnerabilities included the absence of two-factor authentication (68%), file upload facilities (33%), and cross-site scripting (23%). Common internal network vulnerabilities included weak passwords (66%), missing patches (56%), default credentials (47%), and default SNMP strings (44%). The document provides details on the impact and fixes for each vulnerability.
SCYBER addresses an urgent need in cybersecurity training by developing the skills needed to proactively detect and combat cyber threats. The course spends 60% of time in hands-on labs where students monitor, analyze, and respond to actual cyber attacks. It teaches 4 major competencies - monitoring security events, configuring detection/alarming, analyzing traffic for threats, and appropriately responding to incidents. Key differentiators include being system agnostic, lab-heavy, teaching an inside-out approach, ease of entry for security professionals, and helping students understand why things are threats.
Expand Your Control of Access to IBM i Systems and Data - Precisely
This document discusses expanding control of access to IBM i systems and data. It begins with some logistical information about the webcast. The presentation will discuss myths about IBM i security, exit points and access methods, examples of security issues, and how Syncsort can help with security. The agenda includes discussing the myth that IBM i is secure by nature, reviewing exit points and access methods, providing examples, and explaining how Syncsort can help manage security risks. Overall, the document aims to educate about security risks on IBM i and how third party solutions can help address vulnerabilities from various access methods and improve overall security.
Application Security - Understanding The Horizon - Lalit Kale
This presentation is part of a talk I gave at a Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover the broader aspects of Application Security basics. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.
This document discusses how to produce more secure web applications. It identifies that the core security problem facing web applications is handling untrusted user input in a safe manner to prevent attacks like XSS and CSRF. It recommends following a secure development lifecycle that includes requirements gathering, design, development, testing, and change control phases. During these phases, activities like threat modeling, secure coding practices, code reviews, and security testing can help balance functionality and security. Training, coding standards, and resources from OWASP can also help developers build more secure applications.
Application Security - Your Success Depends on it - WSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Controls that are designed to mitigate the risk of fraud are not perfect. Enterprise software such as Oracle and SAP may have built-in controls, but they are limited in scope to the data and processes that the software "touches". The most successful fraudsters know how to exploit interfaces between different processes and systems. Furthermore, the typical fraud case persists for 14 months prior to detection*.
Deploying data analytics for continuous testing can overcome many of the limitations of traditional fraud detection. Timely and appropriate detection will help organizations mitigate the impact of frauds. Robust fraud detection systems will also act as powerful deterrents.
*ACFE Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse
Learning Objectives
In this session we will raise awareness of the various types of frauds and how they can be detected using automated data analysis techniques.
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 10
• Handling data subject access requests (DSARs).
• The roles of controllers and processors, and the relationships between them.
• Transferring personal data outside the EU and the mechanisms for compliance.
• How to become GDPR compliant using a compliance gap assessment
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ... - Jim Kaplan CIA CFE
Join this webinar for an introduction to the Touchstone Research for Internal Audit, an unprecedented global research study of internal audit from Wolters Kluwer TeamMate. This session will review the study's approach and scope, key initial findings, a look at benchmarking, and a preview of future insights. Find out what nearly 1,000 internal audit and controls professionals have to say about the current and future state of internal audit.
Learning Objectives:
Learn the objective of the Touchstone Research for Internal Audit
Understand how the Touchstone Maturity Model can benefit Internal Audit teams
Learn why the Touchstone Research Benchmarks for Internal Audit can be a planning tool
A recent survey report, Fraud in the Wake of COVID-19: Benchmark Report, prepared by the ACFE, explains that recent events have opened the door to increased pressures, rationalizations and opportunities that can lead to occupational fraud. Across all classes of fraud schemes, 68% of survey respondents reported increases in fraudulent activity as of May 2020, and 93% reported they expect an increase in fraud over the next 12 months.
To guide auditors in running detective controls, join Mark Nigrini, West Virginia University Professor and author, and Jeffrey Sorensen, Industry Strategist, for an exclusive review of the fingerprints of fraud numbers. This two-person team will review seven categories of fraud numbers and will demonstrate how to identify these types of numbers using audit software.
In this informative and engaging presentation, attendees will:
● Learn the seven categories of fraud numbers
● Understand which categories are linked to specific types of schemes
● Optimize the steps needed to run the tests
● Interpret the results to identify audit targets
● Apply a second layer of steps to reduce the number of false positives
How to get auditors performing basic analytics using Excel - Jim Kaplan CIA CFE
It has been said that the definition of crazy is doing the same thing over and over again and expecting a different result. If your audit analytics program is still not meeting your expectations, you are going to have to do something different to change that outcome. The biggest hurdle organizations need to overcome is getting auditors to think differently about what analytics is. Excel might not be the ultimate analytics tool for your organization but attend this webinar to see how you can use it as a catalyst for change throughout the audit team.
Learning Objectives
Learn non-technical skills auditors need to perform audit analytics
Learn commonly used Excel functions that can be applied to audit analytics
Learn how to get auditors started down a path of thinking about analytics vs automatically pulling samples
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 6
• The role of the data protection officer (DPO).
• What constitutes personal data.
• Accountability, the privacy compliance framework and a personal information management system (PIMS).
From time to time internal auditors are faced with situations which call for them to make an ethical decision. In addition, they may, in the middle of auditing, come across circumstances which themselves appear to be violations of a corporate code of conduct.
Several laws now specifically state that internal auditors, in terms of the act, will be bound by the IIA Code of Ethics.
This webinar explores the IIA Code of Ethics as it applies to everyday situations the auditor may encounter.
The module is designed to provide the participants with an in-depth knowledge of:
Ethics theory
The IIA Code of Ethics
Applicable areas within Internal Audit
Reporting of material facts
Corporate Codes of Conduct
Auditing Corporate Ethics
Webinar contents will include:
Classes of Ethics
The role of business
Employee ethics
Honesty, Objectivity and diligence
Conflicts of Interest
Reporting of Material Facts
Corporate Codes of Conduct
Corporate Social Responsibility
How analytics should be used in controls testing instead of sampling - Jim Kaplan CIA CFE
Sampling has existed as a standard for controls testing since controls testing began. We’ve developed algorithms to tell us how many samples we should pull and how many errors we can have and still pass the control. We’ve even developed algorithms to tell us how many more samples we can test if the control didn’t pass the first time.
If your goal is simply to do the minimum to pass a SOX audit, then these behaviors should probably continue. If your goals also include really improving the operations of the organization to make it stronger then a more holistic approach is needed, such as analysis on 100% of the population, rather than a small sample.
Most controls analytics do not require a degree in data science, but they do require the controls team to begin changing its behaviors. Join us to understand what it takes to begin this change; it’s not as challenging as you might think.
Learning Objectives
Understanding the advantages of analytics vs sampling
How to Identify controls where analytics can be applied
Real life examples of controls and their associated analytics
How to effect a change
Use Cases: Duplicate Testing & Segregation of Duties
Learning Objectives / Key Takeaways:
Learn how ATCO evolved its Internal Audit practice through embedding Data Analytics within our Audit Shop.
Identify how data-driven auditing can save time and increase audit assurance, coverage and quality.
See specific examples of how Analyzer was used to detect duplicate payments and assess Segregation of Duties.
Understand the benefits of creating procedures/scripts, to automate testing.
Re-imagining the art and science of auditing and fraud detection is coming to the forefront of risk management functions. What was seen as a “nice to have” a few years ago has become a “must have” as digital transformation and data surrounds all aspects of the organization.
Specific learning objectives include:
• See how analytics can maximize the annual audit plan and better ensure focus is placed on top organizational risks.
• Establish a framework for using analytics and automation across the entire audit lifecycle.
• Use the general ledger and revenue audit areas as a case study to provide a digital road map for analytics for detecting fraud (and errors) within the organization.
Structuring your organization for success with data analytics - Jim Kaplan, CIA, CFE
Webinar Description: In my years leading data analytics projects and teams, I have come across several different structures for the integration of DA. Some were at large multinational corporations and others were at small- and medium-sized organizations, including government bodies. Today, we'll look at four different models for the management of data analytics in Internal Audit departments. The key characteristics of each model will be described, as well as the strengths and weaknesses.
Participant Outcomes: By the end of this session, participants will be able to identify the model which best fits their organization.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licensing under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you!
We explain how you can resolve common configuration problems that can cause more users to be counted than necessary, and how you can identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expense, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Building Production Ready Search Pipelines with Spark and Milvus (Zilliz)
Spark is a widely used ETL tool for processing, indexing and ingesting data into the serving stack for search. Milvus is a production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to the Milvus vector database for search serving.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Driving Business Innovation: Latest Generative AI Advancements & Success Story (Safe Software)
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing the number of tests. Test automation can be used to speed up testing.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that they are both building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (from which her nickname deneb_alpha derives).
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
1/20/2020
Richard Cascarino CISM, CIA, ACFE, CRMA
Cybersecurity Series
2019 Update
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru, Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
Where are we now and Where are we going?
Current Cyberrisks
Data Breach and Cloud Misconfigurations
Shift in attack vectors
Insecure Application User Interface (API)
The growing impact of AI and ML
Malware Attack
Single factor passwords
Insider Threat
Shadow IT Systems
Crime, espionage and sabotage by rogue nation-states
IoT
CCPA and GDPR
Cyber attacks on utilities and public infrastructure
ARCHITECTURE AND SERVICE DEFINITIONS
Three Cloud Service Delivery Models:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
Four Cloud Service Deployment Models:
1. Public
2. Private
3. Community
4. Hybrid
THREATS TO CLOUD COMPUTING
Changes to business model
Abusive use of cloud computing
Insecure interfaces and APIs
Malicious insiders
Shared technology issues
Data loss and leakage
Service hijacking
Risk profiling
Identity theft
THE ATTACK VECTORS
Any system
Any infrastructure
Any communication
Any language
Any architecture
Any component
Any information, any data
Any physical layer
Any logical layer
Any storage device / facility
Any (communication) channel
Any interface
Any encryption
Any environment
Any site (including DR)
Any transaction
Any log and audit trail
Any archive
Any process (operations, ongoing, development)
CONTAINING DATA BREACHES
Need to Identify:
What type of data has been breached?
Is there any sensitive information?
How many people could be affected?
How many records?
POLLING QUESTION
DO YOU KNOW?
• 75% of attacks today happen at the Application Layer (Gartner).
• Many “easy hacking recipes” are published on the web.
• Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable.
The cost and reputation savings of avoiding a security breach are “priceless”.
OWASP - TOP 10 VULNERABILITIES IN WEB APPLICATIONS
• Injection: Injection attacks occur when the user is able to input untrusted data that tricks the application/system into executing unintended commands. Injections can be SQL queries, PHP queries, LDAP queries and OS commands.
• Broken Authentication: Broken authentication occurs when the application mismanages session-related information such that the user’s identity gets compromised. The information (session cookies, passwords, secret keys, etc.) can be used to get into someone else’s session, to reuse a session the user has already ended, or to steal session-related information.
• Sensitive data exposure: Attackers can sniff or modify sensitive data if it is not handled securely by the application. A few examples include the use of weak encryption keys and the use of weak TLS, which allow attackers to identify sensitive data bits and exploit them.
• XML External Entities (XXE): An application is vulnerable to XXE attacks if it enables users to upload a malicious XML document that then exploits vulnerable code and/or dependencies, for example to execute code, steal data and perform other malicious tasks.
OWASP - TOP 10 VULNERABILITIES IN WEB APPLICATIONS (continued)
• Broken Access control: Applications have various account types depending on the users: admins, operators, reporting groups, etc. One common problem is that developers restrict privileges only on the UI side and not on the server side. If exploited, each user can have admin rights.
• Security misconfigurations: Developers and IT staff ensure functionality, not security. Many of the security requirements get missed unless identified by experts or hackers. Security misconfigurations can include weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages, etc.
• Cross Site Scripting (XSS): Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attacker are executed in the browser and can steal user data, deface websites, etc.
OWASP - TOP 10 VULNERABILITIES IN WEB APPLICATIONS (continued)
• Insecure Deserialization: Many applications which rely on the client to maintain state may allow tampering with serialized data.
• Using Components with known vulnerabilities: When components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks, etc.
• Insufficient logging and monitoring: Attacks still happen and get noticed only after an incident has happened. To ensure the malicious intent of the attackers gets noticed beforehand, it is essential to log all activity and monitor it for any suspicious behavior.
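Three of the items above (injection, broken access control, and insufficient logging and monitoring) as vulnerable-versus-hardened patterns, added here as an example rather than taken from the slides. The user table, role map and audit-record format are constructed for the demo, and the in-memory SQLite database stands in for a real application database.

```python
"""Added example: injection, broken access control and logging/monitoring
from the OWASP list above, demonstrated against a constructed SQLite table."""
import sqlite3
from collections import Counter
from typing import Optional

# Constructed demo table; passwords are stored in clear text only to keep the
# example short (a real system stores salted password hashes, never plaintext).
DEMO_USERS = [
    ("alice", "alice-pw", "admin"),
    ("bob", "bob-pw", "operator"),
    ("O'Brien", "ob-pw", "operator"),   # a legitimate name containing a quote
]

# Hypothetical permission table: what each role may do, enforced server-side.
ROLE_ALLOWED = {
    "admin": {"view_reports", "delete_user"},
    "operator": {"view_reports"},
}


def make_db() -> sqlite3.Connection:
    """Build the in-memory demo database (constructed data, see DEMO_USERS)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", DEMO_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Injection pattern: untrusted input is pasted into the SQL text, so the
    database parses the user's characters as part of the statement. A plain
    apostrophe in the name already breaks the query, which is the same
    mechanism an attacker abuses to alter what the statement does."""
    sql = (f"SELECT role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Parameterised query: the input is bound as data and never parsed as SQL,
    so a quote in the name is just a character in the name."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def input_is_parsed_as_sql(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Probe for the injection pattern: True when the concatenated query fails
    to parse for this input, i.e. user characters reached the SQL parser."""
    try:
        login_vulnerable(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True


def authorize(role: Optional[str], action: str) -> bool:
    """Broken-access-control fix: the check lives on the server, not in the UI.
    Hiding a 'delete user' button from operators is not enforcement."""
    return action in ROLE_ALLOWED.get(role or "", set())


def handle_request(conn: sqlite3.Connection, name: str, password: str,
                   action: str, audit: list) -> bool:
    """Authenticate, authorise, and record every outcome in the audit trail.
    Returns True only when both the login and the server-side check pass."""
    role = login_hardened(conn, name, password)
    if role is None:
        audit.append({"user": name, "event": "login_failed"})
        return False
    if not authorize(role, action):
        audit.append({"user": name, "event": "denied", "action": action})
        return False
    audit.append({"user": name, "event": "allowed", "action": action})
    return True


def suspicious_users(audit: list, threshold: int = 3) -> list:
    """Monitoring over the audit trail: users with repeated failed logins or
    denied actions, the signal that is otherwise noticed only after an incident."""
    bad = Counter(r["user"] for r in audit
                  if r["event"] in ("login_failed", "denied"))
    return sorted(u for u, n in bad.items() if n >= threshold)


if __name__ == "__main__":
    db = make_db()
    print("quote reached SQL parser:", input_is_parsed_as_sql(db, "O'Brien", "ob-pw"))
    print("hardened login for O'Brien:", login_hardened(db, "O'Brien", "ob-pw"))
    log = []
    for _ in range(3):
        handle_request(db, "bob", "wrong", "view_reports", log)
    handle_request(db, "bob", "bob-pw", "delete_user", log)   # operator, denied
    print("flagged users:", suspicious_users(log))
```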
POLLING QUESTION
AI and ML
MACHINE LEARNING
Algorithmic ways to “describe” data
Supervised: We are giving the system a lot of training data and it learns from that
Unsupervised: We give the system some kind of
DEEP LEARNING
A “newer” machine learning algorithm
Eliminates the feature engineering step
Explainability / verifiability issues
DATA MINING
Methods to explore data - automatically
ARTIFICIAL INTELLIGENCE
“A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.”
ML IN SECURITY
SUPERVISED
Malware classification: Deep learning on millions of samples - 400k new malware samples a day. Has increased true positives and decreased false positives compared to traditional ML
Spam identification
Analyzing massive amounts of firewall data to predict and score malicious sources (IPs)
UNSUPERVISED
DNS analytics: Domain name classification, lookup
Threat Intelligence feed curation: IOC prioritization, deduplication, …
Tier 1 analyst automation: Reducing workload from 600M raw events to
User and Entity Behavior Analytics (UEBA): Uses mostly regular statistics and rule-based approaches
* See Respond Software Inc.
MALWARE ATTACKS
General misconception among people: Malware = “malicious software”
Malware is any kind of unwanted software that is installed without your consent on your computer.
Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware.
VIRUS TYPES
Multipartite – a multi-part virus, a virus that attempts to attack both the boot sector and the executable, or program, files at the same time. When the virus attaches to the boot sector, it will in turn affect the system files, and when the virus attaches to the files, it will in turn infect the boot sector.
Appending – A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.
Overwriting – A type of computer virus that will copy its own code over the host computer system's file data, which destroys the original program. After your computer system has been cleaned using an antivirus program, users will need to install the original program again.
VIRUS TYPES (continued)
Polymorphic – A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.
Tunneling – A type of virus that attempts installation beneath the antivirus program by directly intercepting the interrupt handlers of the operating system to evade detection.
Stealth – A computer virus that actively hides itself from antivirus software by either masking the size of the file that it hides in or temporarily removing itself from the infected file and placing a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive.
VIRUS TYPES (continued)
Bimodal – Also called a Boot Sector Infector, a bimodal virus is one that infects both boot records and files on the computer system.
Self-garbling – A type of computer virus that will attempt to hide from an antivirus program by garbling its own code. When a self-garbling virus propagates it will change the encoding of its own code to trick antivirus programs and stay hidden on the computer system.
Memory resident – A virus that stays in memory after it executes and after its host program is terminated. In contrast, non-memory-resident viruses are only activated when an infected application runs.
CLOUD ANTIVIRUS
New form of antivirus program
The virus scanning is done from a remote location (not on the computer).
It is popular because it relieves the load on the physical computer's resources.
Constant functionality (nonstop scanning)
Security Issues
TWO-FACTOR AUTHENTICATION OVERVIEW
Single Factor passwords
A major biometric hack shows the weakness of single-factor authentication
Two-factor authentication requires the use of two of the three authentication factors:
Something only the user:
1. Knows (e.g. password, PIN, secret answer)
2. Has (e.g. ATM card, mobile phone, hard token)
3. Is (e.g. biometric – iris, fingerprint, etc.)
POLLING QUESTION
INSIDER THREATS
Insider attacks account for as much as 80% of all computer and Internet related crimes [1]
70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders
Majority of insiders are privileged users and majority of attacks are launched from remote machines
TYPICAL INSIDER THREATS
Data corruption, deletion, and modification
Leaking sensitive data
Denial of service attacks
Blackmail
Theft of corporate data
Etc., etc., etc.
INSIDER THREAT REMEDIATION
Minimize the size of the user population to decrease the number of possible insiders
Distribute trust amongst multiple parties to force collusion (most insiders act alone)
Question trust assumptions made in computing systems
Treat the LAN like the WAN (BroLAN, SANE, etc…)
Others?
SHADOW IT SYSTEMS
Shadow IT: Unsanctioned apps or services in use
Shadow Data: Unmanaged content that users put into sanctioned apps or services meant for other purposes, or into unsanctioned apps or services
In GDPR terms:
Shadow IT = Technology environments where there is a lack of control over which personal data is handled by whom within the organization
Shadow Data in sanctioned apps / services may be processed out of policy
Shadow Data in unsanctioned apps / services cannot be accounted for
SHADOW IT SYSTEMS (continued)
More than 5,000 personal devices connect to enterprise networks every day with little or no endpoint security enabled in one of every three companies in the U.S., U.K., and Germany.
More than 1,000 shadow IoT devices connect to enterprise networks every day in 30% of the U.S., U.K., and German companies.
12% of U.K. organizations are seeing more than 10,000 shadow IoT devices connect to their enterprise networks every day.
Source: Forbes
RISKS ASSOCIATED WITH SHADOW IT
The organization loses control and visibility into the data migrated to Shadow IT systems.
The risks include:
security and regulatory noncompliance,
data leaks, and
inability to perform disaster recovery measures involving data in Shadow IT systems when required.
CRIME, ESPIONAGE AND SABOTAGE BY ROGUE NATION-STATES
Utilities and Industrial Control Systems targeted with Ransomware
A Nation-State Launches a “Fire Sale” Attack
Attackers hold the Internet Hostage
US cyber security strategy is built around four tenets:
Protect the American People, the Homeland and the American Way of Life
Promote American Prosperity
Preserve Peace through Strength
Advance American Influence
More nations developing offensive cyber capabilities
Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries
China's Belt and Road Initiative to drive cyber espionage activity
POLLING QUESTION
Components of IoT
IoT consists of three principal components:
The things themselves that, in most cases, represent the devices or sensors with the ability to capture or produce data, and the time to create an effect on the environment in which they have some influence
The communications network that interconnects the things (this network connectivity, in most cases, is wireless)
The computing systems that process and use the data received and/or transmitted by the things, with, in most cases, a minimal computational capability
Source: https://www.isaca.org/journal/archives/2015/volume-2/pages/internet-of-things-offers-great-opportunities-and-much-risk.aspx
GAO Highlights: INTERNET OF THINGS RISKS
What GAO Found
The Internet of Things (IoT) is the set of Internet-capable devices, such as wearable fitness devices and smartphones, that interact with the physical environment and typically contain elements for sensing, communicating, processing, and actuating. Even as the IoT creates many benefits, it is important to acknowledge its emerging security implications.
Highlights of GAO-17-668, a report to congressional committees
IT Risk Areas Deserving Increased Focus
IT Governance:
Mission: The mission of IT is not aligned to protect the value of its existing assets and create new or future value.
IT and Business Alignment: Corporations increasingly do not coordinate IT with business processes to realize their true value.
Portfolio Management: The IT Portfolio is not reliable or adequately available.
IT Risk Management: IT compliance with laws and regulations.
IT Risk Areas Deserving Increased Focus
Enterprise Security:
Security Configuration Management: Security administration
processes are undefined.
Identity and Access Management: System configurations are
not in line with the security policy. Access to systems is not
managed to ensure it is granted, changed and removed in a timely manner.
Firewalls are not properly configured or monitored to
prevent/detect unauthorized access and malicious attacks.
Security Penetration & Vulnerability Testing: Tools and
techniques are not in place, or not properly configured, to
periodically test and report to management.
Security Awareness & Training: Security notifications and
training do not exist to make users aware of their responsibilities
in securing corporate data.
Security Compliance: Management has not implemented a
security compliance program to address regulatory requirements
(HIPAA, GLBA, SOX, etc.)
Source: Deloitte IT Risk Awareness Presentation
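The identity and access management risk above (access not removed in a timely manner) is one an internal auditor tests by re-performing the access review rather than reading the policy. The Python below is an added example written for this page; it is not code from the slides or from the Deloitte presentation. It joins a constructed account export against a constructed HR roster and flags leaver accounts still enabled past an assumed one-day removal SLA, enabled accounts with no sign-in beyond an assumed 90-day dormancy threshold, and accounts with no accountable owner on the roster. The thresholds, column names and sample rows are all assumptions, not figures from the page.

```python
import csv
import io
from datetime import date
from typing import Optional

# Assumed policy thresholds (not from the slides): disable leaver accounts
# within 1 day of termination; treat 90 days without a sign-in as dormant.
REMOVAL_SLA_DAYS = 1
DORMANT_DAYS = 90

# Constructed sample exports: an account dump from a system and an HR roster.
ACCOUNTS_CSV = """user_id,enabled,last_login,privileged
alice,true,2020-01-15,false
bob,true,2019-09-01,true
carol,false,2019-06-01,false
svc_backup,true,2020-01-19,true
dave,true,,false
"""

HR_CSV = """user_id,terminated
alice,
bob,2019-12-31
carol,2019-05-31
dave,
"""


def _parse_date(s: str) -> Optional[date]:
    """Empty cell means 'no date' (never logged in / still employed)."""
    return date.fromisoformat(s) if s else None


def load_accounts(text: str):
    """Parse the system account export into plain dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user_id": r["user_id"],
            "enabled": r["enabled"].strip().lower() == "true",
            "last_login": _parse_date(r["last_login"]),
            "privileged": r["privileged"].strip().lower() == "true",
        })
    return rows


def load_hr(text: str):
    """Map user_id -> termination date (None while still employed)."""
    return {r["user_id"]: _parse_date(r["terminated"])
            for r in csv.DictReader(io.StringIO(text))}


def review_access(accounts, hr, as_of: date):
    """Return sorted (user_id, finding, severity) tuples.

    Privileged accounts are rated HIGH because a stale admin account is the
    one an attacker or a disgruntled leaver can do the most with.
    """
    findings = []
    for a in accounts:
        uid = a["user_id"]
        sev = "HIGH" if a["privileged"] else "MEDIUM"
        if uid not in hr:
            # No owner on the HR roster: orphaned or generic ID with nobody accountable.
            findings.append((uid, "NO_HR_RECORD", sev))
            continue
        if not a["enabled"]:
            continue  # already disabled: neither removal timeliness nor dormancy applies
        term = hr[uid]
        if term is not None and (as_of - term).days > REMOVAL_SLA_DAYS:
            findings.append((uid, "ENABLED_AFTER_TERMINATION", sev))
        last = a["last_login"]
        if last is None or (as_of - last).days > DORMANT_DAYS:
            findings.append((uid, "DORMANT", sev))
    return sorted(findings)


def run_sample_review(as_of: date = date(2020, 1, 20)):
    """Run the review over the constructed exports as of the given date."""
    return review_access(load_accounts(ACCOUNTS_CSV), load_hr(HR_CSV), as_of)


if __name__ == "__main__":
    for uid, finding, sev in run_sample_review():
        print(f"{sev:6} {uid:12} {finding}")
```

Run with Python 3 and it prints one line per finding. To use it on a real engagement, replace the two CSV strings with the actual exports, set the review date to the date the exports were taken, and reconcile every finding against the ticket that should have removed or justified the access; the absence of that ticket is the audit exception, not the script output by itself.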
IT Risk Areas Deserving Increased Focus
Crisis Management:
Business Impact Assessment: An enterprise-wide disaster
recovery plan has not been prepared or is not based on a
business impact assessment.
Communications / Crisis Management Plans: Management
has not prepared or coordinated with cross-functional business
units to ensure appropriate escalation and communication of crisis
management (declaration and ongoing communication).
Service Level Agreements: Relationships with third party
vendors do not exist to ensure IT operations continuity in case of
disaster/crisis.
Insurance: Insurance agreements do not exist for the IT
infrastructure or for the business impact of its loss.
Site Reconstruction / Relocation: The disaster recovery plan
does not contain a strategy to either rebuild or relocate IT
operations permanently to ensure continuity in the case of total
loss of production systems.
Disaster Recovery Testing: Management has not periodically
tested the disaster recovery plan or has not documented results
and incorporated improvements into the disaster recovery plans.
Source: Deloitte IT Risk Awareness Presentation
MORE LEGISLATION
California Consumer Privacy Act (CCPA)
State statute intended to enhance privacy rights and
consumer protection for residents of California
Took effect on January 1, 2020
Six Statutory rights:
1.To be provided with information on what personal information is collected about
them and the purposes for which that personal information is used.
2. To be provided with information on what personal information is sold or disclosed
for a business purpose and to whom.
3. To opt out of the sale of their personal information to third parties (or in the case
of minors under age 16, to require an opt in before the sale of their personal
information).
4. To request the deletion of their personal information.
5. Not to be subject to discrimination for exercising any of the above rights,
including being denied goods or services or being charged a different price, or being
subjected to a lower level of quality, of such goods or services.
6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal
information that arise as a result of a business’ violation of its duty to
implement and maintain reasonable security procedures.
APPLIES TO
For-profit business entities doing business in California that meet any one of:
Annual gross revenue of $25 million or more
Annually buy, receive, sell or share the personal information of 50,000 or
more consumers, households, or devices
Derive 50% or more of annual revenue from selling consumers' personal information
Exceptions for data already covered by the HIPAA, CMIA (California Medical
Information Act) and GLBA (Gramm-Leach-Bliley Act) statutes
REQUIREMENTS
Businesses are required to post, on their website or by other public means,
how they have used (or not used) consumer data over a rolling 12 months,
together with opt-out instructions
Businesses will have to develop processes and procedures to
accommodate all consumer rights, including data mapping and access
reports
Businesses are required to reasonably safeguard consumer
data
Significant financial exposure for businesses that fail to comply
(enforced by the California Attorney General)
Consumers have a private right of action, but it is limited to data
breaches ($100 to $750 per consumer per incident)
Civil penalties for businesses: up to $2,500 per violation, or $7,500 per
intentional violation
WHAT IS GDPR?
On 4 May 2016, the EU General Data Protection Regulation
(GDPR) was published in the Official Journal of the
European Union
The GDPR entered into force on 24 May 2016 and has applied since
25 May 2018, replacing the 1995 EU Data Protection Directive and
creating a harmonized data protection law across Europe
Organizations must therefore manage the data they hold on their customers,
employees, contacts and any other relevant persons more effectively
WHAT IS DATA PROTECTION?
Data Protection is about avoiding harm to individuals by
misusing or mismanaging their personal data.
If you collect, use or store personal data, then the Data
Protection Act applies to you. It sets out eight principles you have
to adhere to, which include:
Only collect information for specific purposes and do not then use
it for other purposes
Only collect what you need for the specific purpose
Keep it accurate and up to date, and safe and secure
Process information lawfully and allow subject access in line with
the Act.
GDPR & WHY IT’S
IMPORTANT
Why is it important?
Significant impact for organisations and how they
manage data, with potentially very large penalties for
violations: up to €20 million or 4% of global annual turnover,
whichever is greater
Impacts the storage, processing, access, transfer, and
disclosure of an individual’s data records
Who is affected?
These protections apply to any organisation (anywhere
in the world) that processes the personal data of EU
data subjects
CYBER ATTACKS ON UTILITIES
AND PUBLIC INFRASTRUCTURE
We are increasingly dependent on the Internet:
Directly
Communication (Email, IM, VoIP)
Commerce (business, banking, e-commerce, etc)
Control systems (public utilities, etc)
Information and entertainment
Sensitive data stored on the Internet
Indirectly
Business, education and government have permanently replaced
physical/manual processes with Internet-based
processes
CYBERSECURITY
ROADBLOCKS
No metrics to measure (in)security
Internet is inherently international
Private sector owns most of the infrastructure
“Cybersecurity Gap”: a cost/incentive
disconnect?
Businesses will pay to meet business imperatives
Who’s going to pay to meet national security imperatives?
CORPORATE VS NATIONAL
corporate cybersecurity = availability, integrity
and secrecy of information systems and networks
in the face of attacks, accidents and failures with
the goal of protecting a corporation’s operations
and assets
national cybersecurity = availability, integrity and
secrecy of the information systems and networks
in the face of attacks, accidents and failures with
the goal of protecting a nation’s operations and
assets (preventing an electronic Pearl Harbour)
National Infrastructure Protection Plan (NIPP)
From DHS
THE NIPP PROVIDES A STRATEGIC CONTEXT
FOR INFRASTRUCTURE
PROTECTION/RESILIENCY
Dynamic threat environment
Natural Disasters
Terrorists
Accidents
Cyber Attacks
A complex problem, requiring a national plan and organizing framework
18 sectors under the 2009 NIPP (consolidated to 16 by PPD-21 in 2013), all
different, ranging from asset-focused to systems and networks
Outside regulatory space (very few security-focused regimes)
85% privately owned
100% in State and local jurisdictions
CRITICAL INFRASTRUCTURE &
KEY RESOURCES (CIKR)
Critical Infrastructure: Systems and assets, whether physical or
virtual, so vital to the United States that the incapacitation or
destruction of such systems and assets would have a debilitating
impact on national security, national economic security, public health
or safety, or any combination of those matters
Key Resources: Publicly or privately controlled resources essential
to the minimal operations of the economy or government
Why is CIKR Protection Important?
Essential to the Nation’s security, public health and safety,
economic vitality, and way of life
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino