Presentation to ISACA SV May 2015 - apply NIST 53.v4, CyberSecurity Framework and Cobit 5 to adequate governance and risk programs

1. http://www.enterprisegrc.com
Does Audit Make us Secure?
Presented at ISACA SV Spring Conference
May 15th 2015
Robin Basham, M.Ed, M.IT, CISA, CRISC, CGEIT, HISP, CRP, VRP
Founder EnterpriseGRC Solutions

2. Companies that passed audit and had a major breach
 March 18, 2015 “Three weeks before hackers infiltrated
Premera Blue Cross, federal auditors warned the company
that its network-security procedures were inadequate.”
 The Heartland intrusion began in May 2008, even though the
company had passed multiple audits, including one
conducted on Apr. 30. At the time, the Princeton (N.J.)
company was in compliance with industry standards for data
security, Carr says. Still, shortly afterward, 13 pieces of
malware that capitalize on weaknesses in Microsoft (MSFT)
software infiltrated one or more network servers.
 "We get pinged 200,000 times per day by people trying to hack into
our system," Carr says. "You do everything you can to make sure one
of those pings doesn't get through, and we thought we had done
everything we could do."

3. Does audit make us secure?
Why not?

4. “We get pinged more than 200,000 times per day”
So what?

5. Is it just me?
 We establish “scope” and imply permission for less
secure practices on lower impact systems
 We audit what we understand and miss the most
important areas of risk
 We expose a wide range of people to known areas of
weakness
 We distract people from their core responsibilities
 We create a false sense of security by under
representing complex and broken processes

6. Did I Pick the Right form of Risk Assessment?
 If our goal is to determine if we are secure,
pick the right risk assessment methods
 If our goal is to enable a more secure
enterprise, engage business partners to
provide meaningful metrics that inform
choices and decisions about the architecture
 Integrated Audit (GRC) assists management to
set compliance goals, track where process
evidence is stored, and enable continuous
improvement through internal control self
assessment.

7. GRC Contributes by using a Cyber Security Model
 Identify – CMDB, People, Process, Technology, relationships,
alignment to controls
 Protect – Architecture, Infrastructure, Monitoring
 Detect – Defined Sources, Collection, Interpretation, Reporting
Methods
 Respond – RCA, Corrective Action, Management Meetings, Plans,
Optimization Targets
 Recover – Configuration baselines, response plans, lessons
learned, Wiki, documentation, BIA

8. Configuration Management using Cobit®5

9. GRC Team Tracks to Inform Control Design & Risk
 Intrusion Detection Systems (IDS) events
 Virus Alerts and corresponding HelpDesk cases
to clean infected systems
 DLP events and confirmation on false positives,
loss events and corrective actions
 Vulnerabilities Identified, risk ranking, effort and
plan to remediate, status to remediate
 Patch requirements and mean time to remediate
MTTR
 Daily Anti-Virus status (Red, Yellow, Green), # of
events blocked, cleaned, definition updates
 Daily end point patching, # of systems in and out
of compliance
 Daily system backups – systems not backed up
 Number of Volume copies made, saved, purged
 Security Project Plans, Milestones, Issues or
Blockers
 Infrastructure remediation through tickets and
change requests
 Post Implementation Effectiveness for
corrected security problems (ROI)
 Template Configurations
 NON template configurations
 Systems Monitored
 Services per systems

10. Confirm Incident Definitions, Review, Response
 Scheduled outputs to central mailbox (restrict delete)
 Track incident notifications
 Establish and RUN Rules for follow up
 Set Flags to communicate closed corrective action

11. People and Access – Focus on Integrated Reporting
Access Governance
 Use PowerShell to gather all local
Admin accounts on all systems
 Use ADManager or other tools to
pull all members in all groups
 Compare active users in HR
Systems to Roles granted to all
identities
 Track effectiveness of department
security roles and access grants
 Publish exception policy and have
management sign off at least
quarterly

12. How can audit drive security? Manage Corrective Actions!

13. Data System Relationships to Audit, Classification, Risk
 Assets include
Applications, Products,
Services, File Shares,
Devices, OS,
Infrastructure
 Assets are owned,
administered,
developed, supported,
classified, documented
 Data and transactions
source audit
information

14. Get The Data – Trend and Report – Examples of Data Sources

15. Inversion of Control v. Faith
– Managing Complexity through Framework
 Each control is a data point with related Information Security
Governance Processes – Policies - SOP, Corporate Strategic
Objectives, Department Strategic and Tactical Objectives, Business
Risks, Control RACI, Control Programs, Initiatives, People, Tools,
Access Profiles and Asset Profiles.
 The GRC must Collectively represent reliable information to inform
our management shareholders and customers that we manage our
risks.
 GRC has to Help Management to make us more secure

16. Document and Follow a Data Collection Practice
Implement a meaningful output process
 Data collection strategy
 Source coverage – the architecture stack
 Test mapping
 Validation process
 Imports, Reference Tables, Audit Queries
 Output to Corrective Actions tracking

17. Give Management Knowledge – Fact based observations
Answer Their Questions

18. Continuous Feedback – GAP in ISMS

19. Risk Reporting – Tie Controls to Corporate Risks (The 10K)
 Use the data collection
strategy to inform corporate
risk
 Make all reports “personal” by
assigning programs,
departments and key
initiatives
 Incorporate notification
strategies
 Maintain and gain consensus

20. The risks identified have actual probability – get the lessons
learned

21. REMEMBER: It’s always about money – (Materiality)
 Financial statement audits measure materiality in monetary terms
 Integrated Audit provides IT assurance on non-financial items and,
requiring alternative measures (maturity models and process assurance
methodology).
 We meet objectives so we can make money or retain money.

22. Focus on Effectiveness GAP v. Audit Bar
Control
IDJ15J2A1:J
19
Control Objective Control
Effectiveness
Test ID Heat
In place GAP
Accountable
DS5 DS5 Ensure Systems
Security
Needs
Strengthening
(Important)
DS5 5.1 Management ofITSecurity;#143;#DS5
5.2 ITSecurity Plan;#144;#DS5 5.3 Identity
Management;#145;#DS5 5.4 User Account
Asset Provisioning and De-
Provisioning;#146;#DS5 5.5 Security Testing,
36 3/31/2015 -2
240;#170000 IT:Sr. VP, IT ＆
CIO;#586;#170000 IT:Chief
Security
Officer;#209;#740000 Saas
Operations:VP, SAAS
DS2 DS2 Manage Third-party
Services
Needs
Strengthening
(Minor)
DS2 2.1 Identification Supplier
Relationships;#124;#DS2 2.3 Supplier Risk
Management;#126 34 3/31/2015 -2
692;#170000 IT;#215;#170000
IT:Director, Information
Risk Mgt
AI1 AI Identify Automated
Solutions
Needs
Strengthening
(Important)
AI1 1.1 Definition Maintenance Business
Functional Technical Requirement;#75;#AI1
1.4 Requirements and Feasibility Decision
and Approval;#78;#ISMS_6.1.5 Information
security in project management;#654
27 3/31/2015 -2
240;#170000 IT:Sr. VP, IT ＆
CIO;#293;#310000 Product
Development:EVP, CTO
DS10 DS10 Manage Problems Needs
Strengthening
(Minor)
DS10 10.1 Identification and Classification of
Problems;#169;#DS10 10.2 Problem Tracking
and Resolution;#170;#DS10 10.3 Problem
Closure;#171;#DS10 10.4 Integration of
Change, Configuration and Problem
26 3/31/2015 -2
209;#740000 Saas
Operations:VP, SAAS
Operations
DS4 DS4 Ensure Continuous
Service
Needs
Strengthening
(Minor)
DS4 4.1 ITContinuity Framework;#133;#DS4
4.2 Continuity Plans for Accounting and MIS
Transaction Services;#134;#DS4 4.3 Critical IT
Resources;#135;#DS4 4.4 Maintenance ofthe
ITContinuity Plan;#136;#DS4 4.5 Testing of
26 3/31/2015 -2
240;#170000 IT:Sr. VP, IT ＆
CIO
DS9 DS9 Manage the
Configuration
Needs
Strengthening
(Minor)
DS9 9.1 Configuration Repository and
Baseline Servers and Standard
desktop;#166;#DS9 9.2 Identification and
Maintenance ofConfiguration
Items;#167;#DS9 9.3 Configuration Integrity
14 3/31/2015 -2
209;#740000 Saas
Operations:VP, SAAS
Operations
AI5 AI5 Procure IT Resources Needs
Strengthening
(Minor)
AI5 5.4 Software Acquisition;#100;#AI5 5.3
Supplier Selection;#99;#AI5 5.2 Supplier
Contract Management;#98;#AI5 5.1
Procurement Control;#97
12 3/31/2015 -2
215;#170000 IT:Director,
Information Risk Mgt
DS13 DS13 Manage IT
Operations
Needs
Strengthening
(Minor)
DS13 13.5 Preventive Maintenance for
Hardware;#188;#DS13 13.4 Sensitive
Documents and Output Devices;#187;#DS13
13.3 Infrastructure Monitoring;#186;#DS13
13.2 Event Monitoring data Transaction
12 3/31/2015 -1
209;#740000 Saas
Operations:VP, SAAS
Operations
AI7 AI7 Install and Accredit
Solutions and Changes
Needs
Strengthening
(Minor)
AI7 7.1 Release Planning and Training
;#106;#AI7 7.2 Release Test Plan;#107;#AI7
7.3 Implementation Plan;#108;#AI7 7.4 Test
Environment;#109;#AI7 7.5 System and Data
Conversion;#110;#AI7 7.6 Testing ofProduct
10 3/31/2015 -2
316;#720000 Technical
Support:VP, Technical
Support
DS1 DS1 Define and Manage
Service Levels
Needs
Strengthening
(Minor)
DS1 1.1 Service Level Management
Framework -Encompass;#118;#DS1 1.2
Definition ofServices -PSAand
Encompass;#119;#DS1 1.3 Service Level
Agreements -SBP -PSAand
9 3/31/2015 -1
237;#740000 Saas
Operations:Sr. IT Services
Manager
 Use control effectiveness to predict and prepare for external audit
 Have detailed corrective actions plan
 Measure heat, impact, likelihood, controllability, plus GAP to strategic maturity
 If a control isn’t owned, find out how important it is to the board

23. Risk Reports distributed to VP and executives

24. Management uses Executive Strategy to determine Risk Response
Avoid - Action
• PROHIBIT unacceptable
high risk activities,
transactions, financial
losses, and asset exposures
through appropriate limit
structures and corporate
standards.
• STOP specific activities by
redefining objectives,
refocusing strategies or
redirecting resources.
• ELIMINATE at the source by
designing and
implementing internal
preventive processes.
Accept and Control
• ACCEPT risk at its present
level taking no further
action.
• PLAN for well-defined
contingencies by
documenting a responsive
plan and empowering
people to make decisions
and periodically test and, if
necessary, execute the plan.
• CONTROL risk through
internal processes that
reduce the likelihood of
events occurring to an
acceptable level.
Share - Directions
• SHARE risk/rewards of
investing in new markets
and products by entering
into alliances or joint
ventures.
• CREATE new value-adding
products, services and
channels.
• RENEGOTIATE existing
contractual agreements to
reshape risk profile, i.e.
transfer or reduce.

25. Thank You for your time