What you don’t know about IT Controls can cripple your business
“Yep, son, we have met the enemy and he is us.” - Pogo, 1971
Presented by: Bill Lisse, CISSP, GIAC PCI, GIAC HIPAA, SSCA, Security+ SME, IT Audit Manager
Why should business leaders care?
“Only 1 of 10 firms are leveraging Information Technology (IT) compliance (Controls)…that could help mitigate financial risk from lost or stolen data.”
Source: ITpolicycompliance.com, IT Policy Compliance Group, “Why Compliance Pays: Reputations and Revenues at Risk,” July 2007
- Leading Organizations: 1 of 10 are well-positioned
- Normative Organizations: 7 out of 10 could substantially reduce financial risk
- Lagging Organizations: 2 out of 10 have the most to gain
Leaders versus Laggards
- Leaders have the fewest business disruptions: only two or fewer disruptions annually
- Laggards experience 17 disruptions or more per year
- Leaders have 2 or fewer data losses or thefts per year
- Laggards have 22 or more data losses per year
Financial Risks
- An 8 percent decline in market value of stock for publicly traded firms; some never recover
- An 8 percent loss of customers
- A temporary decline in revenue of 8 percent
- Additional costs for litigation, notification, settlements, cleanup, restoration, and improvements averaging $100 per lost customer record!
Source: Oxford Executive Research Briefing, Impact of Catastrophes on Shareholder Value
Average Cost: $1,662,720
This does not include potential civil litigation such as class action lawsuits.
Prevent or Limit Losses
- Limit exposure (proactive versus reactive)
- Due diligence – “reasonable assurance”
- Cannot rely on laws to protect or limit liability
- Sophisticated hackers may be beyond the reach of the law
Prevent or Limit Losses (continued)
- In 2004, the Department of Justice estimated 3% of all U.S. households experienced some form of identity theft – the number is accelerating
- 3.6 million people
- Average $1,290.00 per household
- Conservative annualized loss estimate was $6.4 billion
- Occurs every 79 seconds in America!
Protecting your hard earned reputation
“Avoid the wrong type of branding”
- Your corporate reputation is at stake – backlash can be severe
- Making headlines: TJMaxx, Choicepoint
Protecting your hard earned reputation (continued)
“Avoid the wrong type of branding”
Once you make the list, you are here forever....
- http://www.sec.gov/litigation
- http://www.ftc.gov/os/caselist/index.shtm
- http://www.privacyrights.org/
The Evolving Landscape
- Fair Access to Credit Transactions Act (FACTA) - June 1, 2005
- Any employer whose action or inaction results in the loss of employee information can be fined by federal and state government, and sued in civil court
- Additional fines may apply for non-compliance with contracts and regulations or statutes
The Evolving Landscape: Compliance Regulations
- Gramm-Leach-Bliley Act
- Critical Infrastructure Protection
- Payment Card Industry Digital Security Standard
- International Standards Organization 27001/27002
The Evolving Landscape: Compliance Regulations (continued)
- Sarbanes-Oxley Act (§404)
- Health Insurance Portability and Accountability Act (HIPAA)
- Automated Teller Machine ANSI X.9
- AICPA Statement on Auditing Standards
- What’s next…
Threats are Asymmetric
Internal threats are accidental and intentional. Insiders are responsible for…
- 32% of electronic crimes [1]: a CFO embezzled $96,000 by fixing an electronic payment system to pay his monthly credit card bill
- 70% of identity theft [2]: a Fidelity database administrator stole and sold bank and credit card data for 8.5 million customers
[1] Software Engineering Institute Computer Emergency Response Team and U.S. Secret Service Study, http://www.cert.org/insider_threat/
[2] FDIC and Michigan State Study, http://www.fdic.gov/consumers/consumer/idtheftstudysupp/toc.html
Threats are Asymmetric (continued)
- Natural disasters - Katrina, etc...
- External threats are becoming more sophisticated
  - Multi-echelon and multi-vector
  - Specialization: bot herders, phishers, carders, spammers
Harvesting data is good business… if you’re a criminal
The Black Market…
- $980-$4,900 - Trojan program to steal online account information
- $490 - Credit card number with PIN
- $78-$294 - Billing data, including account number, address, Social Security number, home address, and birth date
- $147 - Driver's license
- $147 - Birth certificate
- $98 - Social Security card
- $6-$24 - Credit card number with security code and expiration date
- $6 - PayPal account logon and password
Source: Trend Micro, “How Does The Hacker Economy Work?”
Common Myths
- End-point security is effective
- Hackers are pizza-faced 13 year old script-kiddies
- Hackers can’t get from my web site to our internal network
Common Myths (continued)
- Morale will be hurt if I make control changes – employees will think we don’t trust them
- Outsourcing will transfer my risk
- IT controls will impede business efficiency
Top 10 Gaps
1. No or few policies and procedures
2. Reliance on manual detective controls
3. Reliance on end-point security (firewalls)
4. No data classification - trusted insiders
5. No separation of duties
6. Enforce password rules (strong passwords)
7. No periodic review of user accesses
8. Not monitoring threats (phishing and social engineering)
9. Insufficient wireless network protection
10. Insufficient system auditing
Prescription (Best practices)
1. Implement appropriate control objectives and IT controls
2. Consolidate control objectives
3. Monitor, measure, and report controls against objectives on a regular schedule
Conclusion
- It seems that companies aren’t learning anything from the front-page mistakes of competitors
- We are our own worst enemy
- IT control is not just about compliance; it is a useful tool for ensuring the efficient use of organizational resources to meet business objectives and to prevent fraud
- Like any resource, IT requires a clear linkage between business needs and requirements
Questions?
Bill Lisse, IT Audit Manager
Phone: (937) 853-1490
Email: wlisse@battellecpas.com

IT Controls Presentation