Does audit make us more secure
1. http://www.enterprisegrc.com
Does Audit Make us Secure?
Presented at ISACA SV Spring Conference
May 15th 2015
Robin Basham, M.Ed, M.IT, CISA, CRISC, CGEIT, HISP, CRP, VRP
Founder EnterpriseGRC Solutions
2. Companies that passed audit and had a major breach
March 18, 2015 “Three weeks before hackers infiltrated
Premera Blue Cross, federal auditors warned the company
that its network-security procedures were inadequate.”
The Heartland intrusion began in May 2008, even though the
company had passed multiple audits, including one
conducted on Apr. 30. At the time, the Princeton (N.J.)
company was in compliance with industry standards for data
security, Carr says. Still, shortly afterward, 13 pieces of
malware that capitalize on weaknesses in Microsoft (MSFT)
software infiltrated one or more network servers.
"We get pinged 200,000 times per day by people trying to hack into
our system," Carr says. "You do everything you can to make sure one
of those pings doesn't get through, and we thought we had done
everything we could do."
5. Is it just me?
We establish “scope” and imply permission for less secure practices on lower impact systems
We audit what we understand and miss the most important areas of risk
We expose a wide range of people to known areas of weakness
We distract people from their core responsibilities
We create a false sense of security by under-representing complex and broken processes
6. Did I Pick the Right Form of Risk Assessment?
If our goal is to determine whether we are secure, pick the right risk assessment methods
If our goal is to enable a more secure enterprise, engage business partners to provide meaningful metrics that inform choices and decisions about the architecture
Integrated Audit (GRC) assists management to set compliance goals, track where process evidence is stored, and enable continuous improvement through internal control self-assessment.
7. GRC Contributes by Using a Cyber Security Model
Identify – CMDB, People, Process, Technology, relationships, alignment to controls
Protect – Architecture, Infrastructure, Monitoring
Detect – Defined Sources, Collection, Interpretation, Reporting Methods
Respond – RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
Recover – Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA
9. GRC Team Tracks to Inform Control Design & Risk
Intrusion Detection Systems (IDS) events
Virus alerts and the corresponding HelpDesk cases to clean infected systems
DLP events and confirmation of false positives, loss events and corrective actions
Vulnerabilities identified, risk ranking, effort and plan to remediate, remediation status
Patch requirements and mean time to remediate (MTTR)
Daily anti-virus status (Red, Yellow, Green), number of events blocked, cleaned, definition updates
Daily endpoint patching, number of systems in and out of compliance
Daily system backups – systems not backed up
Number of volume copies made, saved, purged
Security project plans, milestones, issues or blockers
Infrastructure remediation through tickets and change requests
Post-implementation effectiveness of corrected security problems (ROI)
Template configurations
Non-template configurations
Systems monitored
Services per system
10. Confirm Incident Definitions, Review, Response
Scheduled outputs to central mailbox (restrict delete)
Track incident notifications
Establish and RUN Rules for follow up
Set Flags to communicate closed corrective action
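The tracking items on slides 9 and 10 are easier to see as data than as bullets. The following is an added example (it is not code from the presentation or from EnterpriseGRC): it takes constructed vulnerability findings, computes MTTR per risk rank, flags findings that are outside their SLA, opens one tracked corrective action per overdue finding with the asset owner as accountable party, sets the closed flag once the finding is remediated, and reports the daily Red/Yellow/Green patch status. The finding records, host owners, SLA days and RYG thresholds are all assumptions made for the example.

```python
"""Added example (not from the presentation): turn the raw remediation data a
GRC team tracks (slide 9) into reportable metrics and into tracked corrective
actions with a closed flag (slides 10 and 12).  Findings, hosts, owners, SLA
days and the Red/Yellow/Green thresholds are all constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Assumed remediation SLA, in days, per risk rank.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed asset ownership (the owner relationship slide 13 talks about).
HOST_OWNER = {"web01": "VP, SaaS Operations", "db01": "VP, SaaS Operations",
              "app02": "VP, Technical Support", "app03": "VP, Technical Support"}


@dataclass
class Finding:
    id: str
    host: str
    risk: str                      # key of SLA_DAYS
    found: date
    remediated: Optional[date] = None


@dataclass
class CorrectiveAction:
    finding_id: str
    owner: str
    due: date
    closed: bool = False           # the flag slide 10 says to set on closure


# Constructed sample scan results; F3, F4 and F6 are still open.
FINDINGS = [
    Finding("F1", "web01", "critical", date(2015, 3, 1), date(2015, 3, 5)),
    Finding("F2", "web01", "high", date(2015, 2, 1), date(2015, 3, 13)),
    Finding("F3", "db01", "critical", date(2015, 3, 20)),
    Finding("F4", "db01", "medium", date(2015, 1, 15)),
    Finding("F5", "app02", "low", date(2014, 12, 1), date(2015, 3, 1)),
    Finding("F6", "app02", "high", date(2015, 3, 25)),
    Finding("F7", "app03", "critical", date(2015, 3, 10), date(2015, 3, 12)),
]


def mttr_days(findings):
    """Mean time to remediate per risk rank, over closed findings only."""
    result = {}
    for risk in SLA_DAYS:
        days = [(f.remediated - f.found).days
                for f in findings if f.risk == risk and f.remediated]
        result[risk] = mean(days) if days else None
    return result


def overdue(findings, as_of):
    """Open findings whose age on as_of exceeds the SLA for their rank."""
    return [f for f in findings
            if f.remediated is None and (as_of - f.found).days > SLA_DAYS[f.risk]]


def open_corrective_actions(findings, as_of, existing=()):
    """One tracked action per overdue finding, skipping any already tracked."""
    tracked = {a.finding_id for a in existing}
    return [CorrectiveAction(f.id, HOST_OWNER[f.host],
                             f.found + timedelta(days=SLA_DAYS[f.risk]))
            for f in overdue(findings, as_of) if f.id not in tracked]


def close_completed(actions, findings):
    """Set the closed flag on actions whose finding has since been remediated."""
    done = {f.id for f in findings if f.remediated}
    for a in actions:
        if a.finding_id in done:
            a.closed = True
    return [a for a in actions if a.closed]


def rag_status(compliant, total):
    """Red/Yellow/Green endpoint patch status; thresholds are assumed."""
    ratio = compliant / total if total else 0.0
    return "green" if ratio >= 0.95 else "yellow" if ratio >= 0.85 else "red"


def daily_report(findings, as_of, patched_hosts, total_hosts):
    """The daily line items from slide 9, as one dictionary."""
    return {
        "mttr_days": mttr_days(findings),
        "overdue": [f.id for f in overdue(findings, as_of)],
        "patch_status": rag_status(patched_hosts, total_hosts),
        "hosts_out_of_compliance": total_hosts - patched_hosts,
    }


if __name__ == "__main__":
    today = date(2015, 3, 31)
    print(daily_report(FINDINGS, today, 92, 100))
    for action in open_corrective_actions(FINDINGS, today):
        print(action)
```

Run as a script it prints the report for 3/31/2015 and the single overdue critical finding on db01, due on 3/27/2015 and owned by the VP, SaaS Operations. Keeping `existing` actions as an input is what stops a nightly run from opening duplicate actions, and `close_completed` is the closure flag rather than deletion, so the closed action stays visible as evidence.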
11. People and Access – Focus on Integrated Reporting
Access Governance
Use PowerShell to gather all local Admin accounts on all systems
Use ADManager or other tools to pull all members in all groups
Compare active users in HR systems to roles granted to all identities
Track effectiveness of department security roles and access grants
Publish exception policy and have management sign off at least quarterly
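The comparison step on this slide is where most of the value is, so here is an added example of it (not code from the presentation or from EnterpriseGRC). It reconciles three constructed exports, the members of each host's local Administrators group (standing in for what the PowerShell sweep would produce), AD group memberships, and the HR roster, against an assumed department-to-role policy and an exception register, and reports local accounts outside the build template, identities missing from HR, terminated users who still hold access, and roles a department is not approved for, honouring a signed exception only while it is inside the quarterly sign-off window. The CSV text, the policy table, the exception register and the 91-day window are all assumptions made for the example.

```python
"""Added example (not from the presentation): reconcile the three access data
sets slide 11 says to collect (local Administrators members, AD group members
and the HR roster) and raise the findings an integrated report should show.
The CSV text, the department-to-role policy, the exception register and the
91-day sign-off window are constructed assumptions; the local-admin CSV stands
in for what a PowerShell sweep of the Administrators group would export."""
import csv
import io
from datetime import date

LOCAL_ADMINS_CSV = """host,member
web01,CORP\\alice
web01,CORP\\bob
web01,WEB01\\Administrator
db01,CORP\\svc_backup
db01,DB01\\helpdesk_tmp
app02,CORP\\carol
"""
GROUP_MEMBERS_CSV = """group,member
Domain Admins,CORP\\alice
SaaS-Ops-Admins,CORP\\bob
SaaS-Ops-Admins,CORP\\carol
Finance-Readers,CORP\\dave
"""
HR_CSV = """user,department,status
alice,IT,active
bob,SaaS Operations,active
carol,Product Development,active
dave,Finance,terminated
"""
DOMAIN = "CORP"
TEMPLATE_LOCAL_ADMINS = {"Administrator"}       # what the build template allows
APPROVED_ROLES = {                              # assumed department role policy
    "IT": {"Domain Admins", "SaaS-Ops-Admins"},
    "SaaS Operations": {"SaaS-Ops-Admins"},
    "Product Development": set(),
    "Finance": {"Finance-Readers"},
}
EXCEPTIONS = {("CORP\\carol", "SaaS-Ops-Admins"): date(2015, 1, 15)}  # sign-off date
EXCEPTION_DAYS = 91                             # quarterly management sign-off


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def split_member(member):
    """'CORP\\alice' -> ('CORP', 'alice'); a non-domain prefix means a local account."""
    domain, _, name = member.partition("\\")
    return domain, name


def reconcile(as_of):
    """Return (finding type, account, where granted) tuples for the data above."""
    hr = {r["user"]: r for r in rows(HR_CSV)}
    findings = []

    def identity_ok(member, where):
        domain, name = split_member(member)
        if domain != DOMAIN:
            if name not in TEMPLATE_LOCAL_ADMINS:
                findings.append(("non-template-local-admin", member, where))
            return False
        person = hr.get(name)
        if person is None:
            findings.append(("identity-not-in-hr", member, where))
            return False
        if person["status"] != "active":
            findings.append(("terminated-user-has-access", member, where))
            return False
        return True

    for r in rows(LOCAL_ADMINS_CSV):
        identity_ok(r["member"], "local Administrators on " + r["host"])

    for r in rows(GROUP_MEMBERS_CSV):
        if not identity_ok(r["member"], r["group"]):
            continue
        dept = hr[split_member(r["member"])[1]]["department"]
        if r["group"] in APPROVED_ROLES.get(dept, set()):
            continue
        signed = EXCEPTIONS.get((r["member"], r["group"]))
        if signed is not None and (as_of - signed).days <= EXCEPTION_DAYS:
            findings.append(("exception-in-force", r["member"], r["group"]))
        else:
            findings.append(("role-not-approved-for-department", r["member"], r["group"]))
    return findings


def summary(findings):
    """Count of findings per type, the line the integrated report carries."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in reconcile(date(2015, 3, 31)):
        print(finding)
```

Run for 3/31/2015 the sample data yields one finding of each of four types, with carol's SaaS-Ops-Admins membership reported as an exception in force; run the same data for 5/15/2015 and that exception has aged past its quarter, so the membership is reported as a role the department is not approved for. That date sensitivity is the point of the quarterly sign-off bullet: an exception that nobody re-signs turns back into a finding on its own.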
12. How can audit drive security? Manage Corrective Actions!
13. Data System Relationships to Audit, Classification, Risk
Assets include applications, products, services, file shares, devices, OS, infrastructure
Assets are owned, administered, developed, supported, classified, documented
Data and transactions source audit information
14. Get The Data – Trend and Report – Examples of Data Sources
15. Inversion of Control v. Faith – Managing Complexity through Framework
Each control is a data point with related Information Security Governance Processes – Policies, SOPs, Corporate Strategic Objectives, Department Strategic and Tactical Objectives, Business Risks, Control RACI, Control Programs, Initiatives, People, Tools, Access Profiles and Asset Profiles.
GRC must collectively represent reliable information that informs our management, shareholders and customers that we manage our risks.
GRC has to help management make us more secure.
16. Document and Follow a Data Collection Practice
Implement a meaningful output process
Data collection strategy
Source coverage – the architecture stack
Test mapping
Validation process
Imports, Reference Tables, Audit Queries
Output to Corrective Actions tracking
19. Risk Reporting – Tie Controls to Corporate Risks (the 10-K)
Use the data collection strategy to inform corporate risk
Make all reports “personal” by assigning programs, departments and key initiatives
Incorporate notification strategies
Maintain and gain consensus
21. REMEMBER: It’s always about money – (Materiality)
Financial statement audits measure materiality in monetary terms.
Integrated Audit provides IT assurance on non-financial items, which requires alternative measures (maturity models and process assurance methodology).
We meet objectives so we can make money or retain money.
22. Focus on Effectiveness GAP v. Audit Bar
Columns of the control effectiveness report: Control ID, Control Objective, Control Effectiveness, Test IDs (test number in parentheses), Heat, In place (as of date), GAP, Accountable (department code: role). Test lists cut off on the slide are marked (truncated).

DS5 – Ensure Systems Security
  Effectiveness: Needs Strengthening (Important)
  Tests: DS5 5.1 Management of IT Security (143); DS5 5.2 IT Security Plan (144); DS5 5.3 Identity Management (145); DS5 5.4 User Account Asset Provisioning and De-Provisioning (146); DS5 5.5 Security Testing, (truncated)
  Heat: 36 | In place: 3/31/2015 | GAP: -2
  Accountable: 170000 IT: Sr. VP, IT & CIO; 170000 IT: Chief Security Officer; 740000 SaaS Operations: VP, SaaS Operations

DS2 – Manage Third-party Services
  Effectiveness: Needs Strengthening (Minor)
  Tests: DS2 2.1 Identification Supplier Relationships (124); DS2 2.3 Supplier Risk Management (126)
  Heat: 34 | In place: 3/31/2015 | GAP: -2
  Accountable: 170000 IT; 170000 IT: Director, Information Risk Mgt

AI1 – Identify Automated Solutions
  Effectiveness: Needs Strengthening (Important)
  Tests: AI1 1.1 Definition Maintenance Business Functional Technical Requirement (75); AI1 1.4 Requirements and Feasibility Decision and Approval (78); ISMS_6.1.5 Information security in project management (654)
  Heat: 27 | In place: 3/31/2015 | GAP: -2
  Accountable: 170000 IT: Sr. VP, IT & CIO; 310000 Product Development: EVP, CTO

DS10 – Manage Problems
  Effectiveness: Needs Strengthening (Minor)
  Tests: DS10 10.1 Identification and Classification of Problems (169); DS10 10.2 Problem Tracking and Resolution (170); DS10 10.3 Problem Closure (171); DS10 10.4 Integration of Change, Configuration and Problem (truncated)
  Heat: 26 | In place: 3/31/2015 | GAP: -2
  Accountable: 740000 SaaS Operations: VP, SaaS Operations

DS4 – Ensure Continuous Service
  Effectiveness: Needs Strengthening (Minor)
  Tests: DS4 4.1 IT Continuity Framework (133); DS4 4.2 Continuity Plans for Accounting and MIS Transaction Services (134); DS4 4.3 Critical IT Resources (135); DS4 4.4 Maintenance of the IT Continuity Plan (136); DS4 4.5 Testing of (truncated)
  Heat: 26 | In place: 3/31/2015 | GAP: -2
  Accountable: 170000 IT: Sr. VP, IT & CIO

DS9 – Manage the Configuration
  Effectiveness: Needs Strengthening (Minor)
  Tests: DS9 9.1 Configuration Repository and Baseline Servers and Standard desktop (166); DS9 9.2 Identification and Maintenance of Configuration Items (167); DS9 9.3 Configuration Integrity (truncated)
  Heat: 14 | In place: 3/31/2015 | GAP: -2
  Accountable: 740000 SaaS Operations: VP, SaaS Operations

AI5 – Procure IT Resources
  Effectiveness: Needs Strengthening (Minor)
  Tests: AI5 5.4 Software Acquisition (100); AI5 5.3 Supplier Selection (99); AI5 5.2 Supplier Contract Management (98); AI5 5.1 Procurement Control (97)
  Heat: 12 | In place: 3/31/2015 | GAP: -2
  Accountable: 170000 IT: Director, Information Risk Mgt

DS13 – Manage IT Operations
  Effectiveness: Needs Strengthening (Minor)
  Tests: DS13 13.5 Preventive Maintenance for Hardware (188); DS13 13.4 Sensitive Documents and Output Devices (187); DS13 13.3 Infrastructure Monitoring (186); DS13 13.2 Event Monitoring data Transaction (truncated)
  Heat: 12 | In place: 3/31/2015 | GAP: -1
  Accountable: 740000 SaaS Operations: VP, SaaS Operations

AI7 – Install and Accredit Solutions and Changes
  Effectiveness: Needs Strengthening (Minor)
  Tests: AI7 7.1 Release Planning and Training (106); AI7 7.2 Release Test Plan (107); AI7 7.3 Implementation Plan (108); AI7 7.4 Test Environment (109); AI7 7.5 System and Data Conversion (110); AI7 7.6 Testing of Product (truncated)
  Heat: 10 | In place: 3/31/2015 | GAP: -2
  Accountable: 720000 Technical Support: VP, Technical Support

DS1 – Define and Manage Service Levels
  Effectiveness: Needs Strengthening (Minor)
  Tests: DS1 1.1 Service Level Management Framework - Encompass (118); DS1 1.2 Definition of Services - PSA and Encompass (119); DS1 1.3 Service Level Agreements - SBP - PSA and (truncated)
  Heat: 9 | In place: 3/31/2015 | GAP: -1
  Accountable: 740000 SaaS Operations: Sr. IT Services Manager
Use control effectiveness to predict and prepare for external audit
Have a detailed corrective action plan
Measure heat, impact, likelihood, controllability, plus GAP to strategic maturity
If a control isn’t owned, find out how important it is to the board
24. Management Uses Executive Strategy to Determine Risk Response
Avoid - Action
• PROHIBIT unacceptable high risk activities, transactions, financial losses, and asset exposures through appropriate limit structures and corporate standards.
• STOP specific activities by redefining objectives, refocusing strategies or redirecting resources.
• ELIMINATE at the source by designing and implementing internal preventive processes.
Accept and Control
• ACCEPT risk at its present level, taking no further action.
• PLAN for well-defined contingencies by documenting a responsive plan and empowering people to make decisions, and periodically test and, if necessary, execute the plan.
• CONTROL risk through internal processes that reduce the likelihood of events occurring to an acceptable level.
Share - Directions
• SHARE risk/rewards of investing in new markets and products by entering into alliances or joint ventures.
• CREATE new value-adding products, services and channels.
• RENEGOTIATE existing contractual agreements to reshape the risk profile, i.e. transfer or reduce.