2. Agenda
• 2015 Major Published Cybersecurity Incidents
• 2015 Global Threat Index
• 2016 Threat Predictions
• Facts & Figures
• Potential Risks of Cyber-Attacks
• 10 Cybersecurity Areas to Consider Auditing
• Questions
2
3. 3
CrossCountry Confidential1/6/2016
What is Cybersecurity?
“Cybersecurity is the body of technologies, processes and practices
designed to protect networks, computers, programs and data from attack,
damage or unauthorized access.” - TechTarget.com
• Confidentiality: Protecting
information from unauthorized
disclosure
• Integrity: Protecting information
from being modified by an
unauthorized party
• Availability: Ensuring information is
available to authorized parties when
needed
4. 4CrossCountry Confidential1/6/2016
2015 Major Published Cybersecurity Incidents
Q1
• February – Anthem healthcare insurance firm databases hacked, containing 80 million customer’s personal data
• March – State Dept. is breached by Russian hackers and shuts down to remove malware
Q2
• June – Office of Personnel Management hearings occur as result of 21.5 million names, addresses and social security numbers
hacked, some entire background checks were stolen.
Q3
• July – Fiat Chrysler remote hack vulnerability affecting transmission and steering (recalled 1.4 million vehicles)
• July --The UCLA Health System discovered that hackers had access to 4.5 million patient’s health records
Q4
• November – Hilton acknowledges that customer’s credit card information was breached via malware on the point of sale
system
• November – Pearson VUE credential system was successfully targeted, law enforcement and forensics are still analyzing
5. 5
CrossCountry Confidential1/6/2016
World Economic Forum
2015 Global Threat Index
Technological (Purple):
• Critical Information
Infrastructure
Breakdown
• Cyber Attacks
• Misuse of
Technologies
• Data Fraud or Theft
Other:
• Failure of critical
infrastructure
• Failure of Financial
Institutions
• Terrorist Attack
6. 6
CrossCountry Confidential1/6/2016
Top Cybersecurity Risk Predictions for 2016
• Internet of Things (IoT) – Gartner predicts 21 billion online by 2020 (FitBits
to Refrigerators, Cars to Thermostats)
• Operational Technology (OT) – systems that operationalize utilities, power
systems, water, etc. increasingly networked
• Artificial Intelligence (AI) – IT cognitive functions advancing in 2016,
difficult to know human from computer communications
• Insider Threat – Roughly 75% of IT professionals are most concerned about
malicious or negligent employees, and the FBI and DHS agree
• Cloud Provider Target – Increasing hacker targets beyond businesses and
web servers
• Mobile Malware – “Malvertising”, injecting malicious adverts into
legitimate online advertising networks
• eCommerce Banking – Google Wallet, ApplePay present new targets for
hackers
• Healthcare Provider Data – Children in particular are lucrative targets,
given the long-range benefit to hackers of a lifetime of identity theft
7. 7
CrossCountry Confidential1/6/2016
Facts & Figures
• 73% - Americans who have fallen victim to cybercrime
(GadgetsAndGizmos.org)
• $3 trillion – the total global impact of cybercrime (ISACA)
• 556 million – people who fall prey to cybercrime annually,
resulting in more than 232 million identities exposed (FBI Cyber Crime)
• 15 million – mobile devices—mostly Android—that are infected
with malware (Alcatel-Lucent’s Kindsight Security Labs)
• 37.9% – US Web pages infected with malware (Inspired eLearning)
• 600,000 – Facebook accounts that are compromised each day (FBI
Cyber Crime)
• 38% – smartphone users who have been a victim of
cybercrime (2013 Norton Report)
• 1 in 5 – mature organizations that do not have a cybersecurity
framework (FINRA Cybersecurity Report, 2015)
8. 8
CrossCountry Confidential1/6/2016
Potential Risks of Cyber-Attacks
• Major Risks include:
• Loss of intellectual property
• Breach of customer data privacy
• Service and business interruptions
• Damage to Information Technology infrastructure
• Loss of brand value
• Recovery and response costs
• Loss of stock market value
• Regulatory inquiries and litigation
• Management distraction
9. 9
CrossCountry Confidential1/6/2016
Top 10 Cybersecurity Audit Considerations for 2016
1. Cybersecurity Framework
2. Vulnerability Assessments
3. Insider Threats
4. 3rd Party Management
5. Business Continuity & Disaster Recovery
6. Data Governance
7. Network Monitoring
8. Cloud Security
9. Mobile Security
10. Security Awareness & Training
11. 11
CrossCountry Confidential1/6/2016
1. Cybersecurity Framework
• What is it: A supportive cybersecurity structure that leverages and
integrates industry-leading cybersecurity practices that have been
developed by organizations like National Institute of Standards and
Technology (NIST) and the International Standardization Organization
(ISO).
• Why you should care: Cybersecurity frameworks provide an
assessment mechanism that enables organizations to determine their
current cybersecurity capabilities, set individual goals for a target
state, and establish a plan for improving and maintaining
cybersecurity programs.
12. 12
CrossCountry Confidential1/6/2016
Case Study: Cybersecurity Framework
“I thought having a cybersecurity framework would be a costly
and time consuming process to adopt and implement. Things
move so fast that we often don’t have time to consider yet
another set of processes. Instead, we sustained a major data
breach in a business area that we didn’t even realize was
vulnerable, and the costs were exponentially higher than any
framework would have been.”
Wellina Intentioned (CISO, Investment Group)
13. 13
Cybersecurity Framework Audit Considerations
Stakeholder Cybersecurity Framework – Questions to Consider
Board/Audit Committee • What is the communication plan for cybersecurity issues and “tone at the
top”?
• What cybersecurity or risk framework governs the organization?
Information Technology
(IT)
• What cybersecurity or risk framework governs IT activities related to IT
assets and staff, policies and procedures?
• How often are IT assets and documentation reviewed to ensure holistic
risk assessment occurs related to a framework?
CISO • What cybersecurity or risk framework governs CISO activities related to IT
assets and staff, policies and procedures?
• How often are IT assets and documentation reviewed to ensure holistic
risk assessment occurs related to a framework?
Business Units • When selecting new systems or tools, do you engage with a change
control board?
• What sort of approval is required to stand up new systems, tools or data
types?
14. 14CrossCountry Confidential1/6/2016
Cybersecurity Framework – Benefits & Considerations
• Benefits:
• Reduces risk by identifying areas for improvement
• Increases efficiencies and reduce the possibility of
miscommunication within your information security program
and with other organizations such as partners, suppliers,
regulators, and auditors
• Aids in holistic view of organizational cybersecurity risk
• Considerations:
• It’s a framework, not a prescription
• It provides a common language and systematic methodology for
managing cyber risk
• It does not tell a company how much cyber risk is tolerable
• Having a common lexicon to enable action across diverse set of
stakeholders
15. 15
CrossCountry Confidential1/6/2016
2. Vulnerability Assessments
• What are they: A process that defines, identifies, and classifies the
security vulnerabilities in a computer, network, or communications
infrastructure. In addition, vulnerability assessments can forecast the
effectiveness of proposed countermeasures and evaluate their actual
effectiveness after they are put into use.
(http://searchmidmarketsecurity.techtarget.com/definition/vulnerability-analysis)
• Why you should care: Hackers can exploit vulnerabilities in your
network and gain access to data. Common vulnerabilities are often
widely know and easily exploited. Data breaches and other incidents
are often crimes of opportunity, meaning hackers look for targets with
specific vulnerabilities.
16. 16
CrossCountry Confidential1/6/2016
Case Study: Vulnerability Assessments
“We didn’t think we needed to perform monthly vulnerability
assessments on all of our end user equipment, we have anti-
virus and that should have caught all issues. We didn’t realize
that there were vulnerabilities that our anti-virus software
couldn’t detect, or that specialized tools existed to perform more
in-depth security inspections.”
Ineda Clue (VP of IT, Non-Profit)
17. 17
Vulnerability Assessments Audit Considerations
Stakeholders Vulnerability Assessments – Questions to Consider
Board/Audit
Committee
• Does your organization perform periodic vulnerability assessments?
• Are you aware of any instances where vulnerabilities were exploited and
adversely affected your organization?
Information
Technology (IT)
• How often do you perform periodic vulnerability assessments?
• Are assessments performed internally or by external vendors?
• Are there separation of duties between system owners and assessment
teams?
• What mechanism are you using to keep track of open vulnerabilities?
• Do the assessments consist only of vulnerability scanning or do they include
detailed penetration testing?
CISO • Do you regularly review the results of vulnerability assessments?
• Do the results of vulnerability assessments drive changes in security
measures?
• Are there separation of duties between the system owners and assessment
teams?
• How are tools selected, relative to IT environment and CISO objectives?
Business Units • Are you aware of any open vulnerabilities in any of the systems that you
utilize?
• Are you aware of any instances where vulnerabilities were exploited and
adversely affected your group?
18. 18
CrossCountry Confidential1/6/2016
Vulnerability Assessments – Tools & Techniques
• Network Security (Routers, Firewalls, OS and Patch) Tools:
• Tenable Nessus, Retina Security Scanner
• Nmap, Wireshark
• NIST & DoD Guides and Controls
• Operating System (Windows, Unix, Linux, Mac OS) Tools:
• NIST & DoD Guides and Controls
• Various automated scripts
• Password Crackers (John the Ripper, Brutus, Medusa)
• Web Server (IIS, Apache, WebLogic, Web apps) Tools:
• WebInspect, AppScan
• NIST & DoD Guides and Controls
• Database (Oracle, MySQL, SQL) Tools:
• AppSentry, AppDetective
• NIST & DoD Guides and Controls
19. 19
CrossCountry Confidential1/6/2016
3. Insider Threats
• What is it: The risk that an internal user, maliciously or accidently,
performs an action that compromises the confidentiality, availability,
and/or integrity of an organization’s data.
• Why you should care: Since insiders inherently have easier access to
data, losses resulting from insider threats are often more damaging
than those posed by external parties.
20. 20
CrossCountry Confidential1/6/2016
Case Study: Insider Threat
“A vengeful employee recently reset a large number of our
servers to factory settings after he found out he was losing his
job. We could not conduct normal business operations for about
30 days, resulting in lost revenue totaling more than $500,000.”
Losta Lottawork (CISO, Oil and Gas Industry)
21. 21
Insider Threats Audit Considerations
Stakeholders Insider Threats – Questions to Consider
Board/Audit
Committee
• Have you been informed of the risks posed by Insider Threats?
• Does your organization perform periodic security risk assessments with
consideration of Insider Threats?
Information
Technology (IT)
• Do you utilize data loss prevention tools?
• Is logging and monitoring performed on accounts with elevated access?
• Do you have a process for controlling access to removable media?
• Do you limit administrative access based on job responsibilities?
• Is data appropriately encrypted?
CISO • Have you established a mechanism for reporting security issues?
• Have there been any security issues related to Insider Threats?
• Are you aware of common threat actors for your industry?
Business Units • Is separation of duties enforced for key activities?
• Do you perform background checks on new hires?
• Are you aware of warning signs for disgruntled employees?
• Do you have a mechanism to report concerns of insider threat warning
signs?
22. 22
CrossCountry Confidential1/6/2016
Insider Threat – Data Loss Prevention Tools
• Data Loss Prevention Tools use automated means to detect and
prevent data loss (offerings from Symantec, Intel, Websense,
etc.)
• They can assist in identifying where sensitive data is stored
and/or prevent senstive data from being transmitted via
unauthorized means (e.g., email, thumb drive)
• These tools are often used to comply with standards such as
HIPAA, PCI-DSS, and HITECH
• Tools can be perimeter-based or client-based
• Installing these tools requires a balance of cost, system
performance, and effectiveness
23. 23
CrossCountry Confidential1/6/2016
4. 3rd Party Risk
• What is it: The potential
risk that arises from
institutions relying upon
outside parties to perform
services or activities on
their behalf
• Why you should care: May
reduce management’s
direct control and can
present risks if not
properly managed
3rd Party
Relationships
Reputation
Operational
Transaction
Credit
Compliance
Other
Strategic
24. 24
CrossCountry Confidential1/6/2016
Case Study: 3rd Party Risk
“One of our outside service provider’s employees had some of
our client data on an iPad that was stolen, and now it looks like
we’re going to have to report this event to regulators in 40
countries. I hate to think what the impact of this is going to be.”
Ima Needajob (CISO, Media Company)
25. 25
3rd Party Risk Audit Considerations
Stakeholders 3rd Party Risk – Questions to Consider
Board • How are vendors selected?
• Who manages contracts, and how are cybersecurity considerations included
in contract language in event of data breach or loss?
Information
Technology (IT)
• How often do you engage vendors?
• How proactive are vendor system updates made?
• How do vendors gain access to internal systems?
• Who within IT reviews vendor systems for vulnerabilities?
CISO • Who are your vendors?
• How well do you know and understand products and contracts?
• What top risks are inherent to each vendor technology?
• Who monitors these risks?
Business Units • Who are your vendors?
• How well do you know and understand products and contracts?
• Do you engage Board, IT and CISO when making vendor buying decisions?
• What criteria is used in selecting vendors? Are criteria set across business
functions to ensure all requirements are met?
26. 26
CrossCountry Confidential1/6/2016
Managing 3rd Party Risk – Best Practices
• Develop a inventory of 3rd parties and classify them by
potential risk
• Define governance and ownership
• Build Service Level Agreements (SLAs) to hold vendors
accountable
• Clearly define what data 3rd parties can and cannot access
• Include audit rights clauses in contracts
• Obtain and review independent service auditor’s reports if
applicable
27. 27
CrossCountry Confidential1/6/2016
5. Business Continuity & Disaster Recovery
• What is it: The processes and procedures an organization puts in place
to ensure that essential functions can continue during and after a
disaster. The term Disaster Recovery is often associated with the
recovery of IT Infrastructure.
• Why you should care: Without Business Continuity and Disaster
Recovery plans, there is a risk that data could be unavailable and
potentially irretrievable in the event of a disaster, disrupting or
permanently damaging business operations.
28. 28
CrossCountry Confidential1/6/2016
Case Study: Business Continuity Plan
“Our employees are competent, and I thought they would know
what to do in an emergency. We did not have a Business
Continuity Plan and the data center was flooded during
Hurricane Sandy. It took us weeks to resume normal operations
and a large amount of company data was unrecoverable.”
Tü Confident (CIO, Software Vendor)
29. 29
Business Continuity Audit Considerations
Stakeholder Business Continuity – Questions to Consider
Board/Audit
Committee
• Is there an organization-wide Business Continuity program that involves the key business
areas?
• Have Business Continuity Plans been reviewed by management?
Information
Technology (IT)
• Do you regularly test and update Business Continuity or Disaster Recovery plans?
• Do you back up data to an offsite location, and have you tested the ability to restore from
those backups?
• Do you have an off-site location that could be used to host your organization’s IT
infrastructure?
CISO • How are security considerations integrated into the Business Continuity strategy?
• Would the integrity and/or availability of your data be compromised in the event of a
disaster?
• What is the physical distance between primary and failover/backup location?
Business Units • Are you involved in the Business Continuity planning process?
• Have you performed a business impact analysis (prioritization of business functions)?
• Do you have a plan for resuming business in the event of a disaster?
• Could your business functions resume without access to IT Infrastructure?
• Do you have a chain of command or call list for use in a disaster?
30. 30
CrossCountry Confidential1/6/2016
Creating a Business Continuity Plan
Define the Scope
Identify Critical Business Functions,
Key Processes, and Dependencies
Determine Acceptable Downtime
for Business Functions
Develop a Recovery Plan (or Plans)
Periodically Test and Update the
Plan(s)
31. 31
CrossCountry Confidential1/6/2016
6. Data Governance
• What is it: Data governance is a framework of roles and
responsibilities, decision-making models, and
standards/processes governing the management and use of
data. Data governance addresses:
• Who can take what actions
• With what types of data
• At what times
• Under what circumstances (e.g., processes, requirements)
• For what intended purposes
• Why you should care: Data is everywhere and it is important to
consistently prioritize, assess, and manage risk associated with
data across an enterprise. Consistent definitions of data and
how data can be used will help to ensure good data quality and
a balance between securing data and using data as a valuable
asset.
32. 32
CrossCountry Confidential1/6/2016
Case Study: Lack of Data Governance
“We had inconsistent systems of record (SORs) and too many
sources of data. We did not know where all of our data was
located, and who had access to what, why or when. Additionally,
historical data was determined to have been lost or disorganized
during post merger or acquisition activities.”
Sam Dataman (CISO, Exploration & Production Company)
33. 33
Data Governance Audit Considerations
Stakeholder Data Governance – Questions to Consider
Board/Audit
Committee
• Is there a clearly defined and communicated vision and objective for the
Data Governance program?
• How are the organization’s strategic mission and business objectives aligned
with Data Governance objectives?
• Are there metrics to measure the success of Data Governance?
• Has Data Ownership been clearly defined?
Information
Technology (IT)
• Do automated tools facilitate Data Governance?
• How do you ensure that Data Governance requirements and initiatives are
supported by technology?
• How do you assist business units with ensuring that third parties meet Data
Governance requirements?
CISO • How do you collaborate with the Chief Privacy Officer?
• Is security integrated into the Data Governance program?
• Is Data Governance a driver for security?
• Have Data Governance Roles and Responsibilities been clearly defined?
Business Units • Is it clear to your group what data you own?
• Do you have retention policies for data in your group?
• How do you communicate Data Governance requirements to third parties?
34. 34
CrossCountry Confidential1/6/2016
Data Governance – Best Practices
• Understand your data
• Who utilizes it (need to know, confidentiality, separation of
duties)
• What the data is (definition, integrity)
• When it is required (availability)
• Where it is located (System of Record (SOR))
• Why it is needed (need to know, role based access, value of
data and loss)
• Understand your risk
• Value of Data (Trade Secret, Loss, Corruption)
• Sensitivity (Top Secret, Confidential, Public)
35. 35
CrossCountry Confidential1/6/2016
7. Network Monitoring
• What is it: The use of a system that continuously monitors a computer
network for slow or failing components and that notifies the network
administrator (usually via alert, email or other notification
mechanism) in case of outages. Commonly measured metrics are
response time, availability and uptime. Network monitoring tools can
also be used to identify and/or prevent network security issues.
• Why you should care: Network Monitoring can save money in
network performance, employee productivity, and infrastructure cost
overruns. 24x7 monitoring and knowledge of network health and
status information is critical to many businesses. Additionally,
information gleaned from this capability area provides valuable
insights into attack vectors, threats and trends for further
investigation.
36. 36
CrossCountry Confidential1/6/2016
Case Study: Network Monitoring
“We didn’t think our network was big enough to justify using
Network Monitoring tools and staff. Our system administrators
were not able to respond rapidly enough to proactively respond
to system failures in real time. We lost two weeks of work. We
are still working on establishing lost revenue and work
productivity.”
Nat Werk (CISO, Financial Services)
37. 37
Network Monitoring Audit Considerations
Stakeholder Network Monitoring– Questions to Consider
Board/Audit
Committee
• Are you aware of any network monitoring of IT assets?
• Do you know how many times systems have failed or breaches have
succeeded?
• Are these activities outsourced to a 3rd party?
Information
Technology (IT)
• What network monitoring tools do you use?
• Do you utilize Intrusion Detection Systems and/or Intrusion Prevention
Systems?
• Have you established who will receive network alerts and defined an
escalation protocol?
• Is network monitoring holistic to the entire IT enterprise, or are aspects of
systems segmented?
CISO • Are you made aware of issues identified through network monitoring?
• How often do security and IT teams meet to discuss threats, trends and
failures related to infrastructure and network monitoring?
Business Units • To what extent do you rely on the network to function?
• Are you aware of any of your critical IT assets requiring 24x7 access?
• What impact would result in system failure?
• Are you aware of network monitoring occurring on any of your critical
systems?
38. 38
CrossCountry Confidential1/6/2016
Network Monitoring – Best Practices
• Baseline Network Behavior
• Understand normal network to tune alerts to anomalies
• Escalation Matrix
• Policies and Procedures to escalate up management chain
• Report at Every Layer
• Monitoring should occur at all layers of OSI Model
• Implement High Availability with Failover Options
• Remove single point of failure, replicate to failover site
• Configuration Management
• Proactive planning and prevention of common network
issues
• Capacity Planning for Growth
• Ensure network monitoring scales with IT as it expands
39. 39
CrossCountry Confidential1/6/2016
8. Cloud Security
• What is it: A broad set of policies, technologies, and controls
deployed to protect data, applications, and the associated
infrastructure of cloud computing.
• Why you should care: Cloud computing typically means that data will
be hosted on external servers and databases, possibly in many
physical locations and by multiple vendors. If any one of those servers
or databases is not adequately protected, your data could be in
jeopardy.
40. 40
CrossCountry Confidential1/6/2016
Case Study: Cloud Security
“We consider ourselves a technically progressive company
utilizing the latest Software as a Service (SaaS) applications.
Unfortunately, an HR employee was able to transfer confidential
employee files from our trusted, sanctioned cloud environment
(Amazon Web Services) to her own unsanctioned cloud storage
tool to work at home. We had to self-report to Legal Council that
employee information had left the company’s control, as we had
no idea where else that confidential information could have been
seen.”
Ava Pennysava (CISO, Software Vendor)
41. 41
Cloud Security Audit Considerations
Stakeholder Cloud Security – Questions to Consider
Board/Audit
Committee
• Does your company have a policy governing usage of the cloud?
• Does the company utilize private, public or a hybrid cloud environment?
Information
Technology (IT)
• How prevalent is usage of cloud computing in your organization?
• Are there plans to move assets or systems to the cloud?
• Are any 3rd Party vendors cloud-based, or have backend systems supporting
your organization that utilize the cloud?
CISO • How do you verify the security of data that is hosted in the cloud?
• Do you obtain and review external audit reports, such as Service
Organization Controls (SOC) Reports, for your cloud vendors?
• Do you utilize a framework for managing risk related to cloud providers?
Business Units • Does your business use any software that is externally hosted?
• Are you looking at any new systems or technologies that are cloud-based?
• If you did decide to procure or contract cloud-based solutions, how would
you request permission to implement the services?
42. 42
CrossCountry Confidential1/6/2016
Cloud Security Best Practices
• Learn what cloud applications are being used in the
organization, including sanctioned (approved by business) and
unsanctioned (personal or not approved)
• Understand work and data flows and information being passed
• Monitor cloud applications using commercial or custom tools
• Understand security mechanisms available, including Identity
Management, Role Based Access and Single Sign On
• Ensure that policies and procedures are understood by
organization, and extend through cloud environment
43. 43
CrossCountry Confidential1/6/2016
9. Mobile Security
• What is it: A comprehensive set of policies, procedures, and
infrastructure that manages the usage of mobile devices in a business
setting. These devices include cell phones, tablets, and PDAs.
• Why you should care: Mobile devices are becoming increasingly
prevalent, and bring your own device (BYOD) is becoming increasingly
common as well. Mobile devices provide additional means of data
loss, including additional attack points. Mobile security is a means to
harness the increased productivity that comes with mobile devices,
while minimizing the risk of their usage.
44. 44
CrossCountry Confidential1/6/2016
Case Study: Mobile Security
“We implemented BYOD at the corporate offices at our firm. We
then realized that while iPhones and other Apple devices are
widely used throughout the organization, that an iOS 9 password
hack had been released. We no longer have confidence that our
information or devices are secure. I worry at night that we have
external threat actors alive and well, in our internal
infrastructure.”
Ivanna Fon (CISO, Health Care Provider)
45. 45
Mobile Security Audit Considerations
Stakeholder Cloud Security – Questions to Consider
Board/Audit
Committee
• Does your organization have a policy for mobile device usage?
• Do you use your mobile device to download work files?
Information
Technology (IT)
• Are mobile devices controlled by enterprise-wide settings?
• Have you implemented remote management software, including the ability
to remotely wipe data and locate devices?
• Is data on mobile devices encrypted?
CISO • Have you performed a mobile security review?
• Do mobile devices require strong authentication mechanisms?
• Do you allow employees to bring their own devices and if so, how are you
managing the associated risk?
Business Units • Do your employees use mobile devices?
• Is mobile device use in line with company policies?
46. 46
CrossCountry Confidential1/6/2016
Mobile Security – Managing BYOD
• Develop a BYOD policy with input across the business
• Be sure to clearly define what the organization has control over
and what it doesn’t
• Define what devices can be used by employees
• Require employees to sign an acceptable use policy
• Consider using tools that help to manage the risk of BYOD –
these can enable remote-wipe and device tracking
• Put extra focus on upper-management and executive’s devices,
as they have more access to sensitive data
47. 47
CrossCountry Confidential1/6/2016
10. Security Awareness & Training
• What is it: Security Awareness & Training is a formal process
for educating employees about various important security
risks.
• Why you should care: Employee and contractor behavior is a
major source of costly data breaches. An effective security
awareness training program decreases the likelihood of a
number of common vulnerabilities.
48. 48
CrossCountry Confidential1/6/2016
Case Study: Security Awareness & Training
“Russian hackers gained access to the White House by way of a
phishing email. White House staff declined an optional 90-
minute training session on online security offered in advance of
the attack.”
Skip D’Training (CISO, Federal Government)
49. 49
Security Awareness & Training Audit Considerations
Internal Audit Interest
Area
Security Awareness & Training – Questions to Consider
Board/Audit
Committee
• Have you received Security Training?
• Is there an organization-wide approach to Security Awareness & Training?
Information
Technology (IT)
• Are employees required to periodically participate in Security Training?
• Are you involved in developing the content of Security Training?
CISO • Have you established a Security Awareness & Training program?
• Are roles and responsibilities defined for Security Awareness & Training?
• Do you raise security awareness through periodic reminders to employees?
• Is there is a mechanism for reporting security issues?
• Is Security Training content periodically reviewed and refreshed to confirm
that it is relevant?
Business Units • Are employees required to periodically participate in Security Training?
• Do your employees know what to do in the event of a security incident?
50. 50
CrossCountry Confidential1/6/2016
Security Awareness & Training – Phishing
• Security Awareness & Training is a preventative measure for
Phishing, Spear Phishing, and Whaling.
• Phishing is a type of fraud where the attacker masquerades as
a reputable entity vie email or other communication method in
order to gain sensitive information such as login credentials
• Spear-Phishing targets a specific individual
• Whaling targets a high profile target such as a CEO or high-
ranking politician
• Vishing, also called Voice Phishing, refers to Phishing
performed over a phone