1. Accounting | Tax | Consulting
IT Risks for Non-Profits
September 2017
2. Reasons to Have a Better Understanding of IT Controls and Risk: Technology Is Pervasive
Almost all organizations use some type of electronic system to initiate, process, and record accounting-related transactions.
Use of the internet to send and receive e-mail and to research information is second nature in today's world. It is a must-have in order to do business.
3. Reasons to Have a Better Understanding of IT Controls and Risk: Technology Is Complex
Technology is always evolving in complexity and coverage. What is considered "simple" technology today relies on complex interactions of systems, networks, and applications to process and store information.
4. Reasons to Have a Better Understanding of IT Controls and Risk: Technology Is Vital to the Business
In many organizations, technology is a vital component of the business. Without a solid technology infrastructure to support the business, business operations would be significantly impacted or not possible.
5. What Is Cybersecurity?
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, "security" is generally understood to mean cybersecurity.
Ensuring cybersecurity requires coordinated efforts throughout an information system. Components of cybersecurity include:
Application security
Information security
Network security
Disaster recovery / business continuity planning
End-user education
One of the most problematic components of cybersecurity is the rapid and constantly evolving nature of security risks.
6. What Is Cybersecurity?
According to a November 2016 paper prepared by the ERISA Advisory Council on Employee Benefit Plans:
"Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when."
https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2016-cybersecurity-considerations-for-benefit-plans.pdf (page 30)
70% of all breaches or stolen data are from an insider threat (KPMG 2016 Consumer Loss Barometer).
7. Understanding Vulnerabilities
In order to understand how to protect against cybersecurity risks, it is important to understand what is meant by a vulnerability and what some common types of vulnerabilities are.
What is a vulnerability?
A vulnerability is a weakness or flaw in a system that an attacker can take advantage of. An exploitable vulnerability is one for which at least one working attack, or "exploit", exists.
Although cybersecurity is in the news a lot nowadays, the concept has been around since computers were first linked together in the 1960s.
"The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage" by Clifford Stoll details a spy ring using cyberattacks in the 1980s.
8. Understanding Vulnerabilities: Common Types of Vulnerabilities
Backdoors
Backdoors in a computer system are any secret method of bypassing normal authentication or security controls. They may exist for a number of reasons, including by original design or from poor configuration. They may have been added by an authorized party to allow some legitimate access, or by an attacker for malicious reasons. In practice the backdoors most often found in small organizations are mundane: vendor default accounts that were never disabled, and undocumented remote-support accounts left behind by a contractor. A simple check is to list every account on each system and confirm that a named, current person owns it.
Think about the movie "WarGames": the backdoor password was "Joshua".
9. Understanding Vulnerabilities
Denial-of-Service Attack
Denial of Service attacks ("DoS") are designed to make a machine or network resource unavailable to its intended users. Attackers can deny service by overloading the capabilities of a machine or network and block all users at once. While an attack from a single IP address can be blocked by adding a firewall rule, distributed denial of service ("DDoS") attacks come from a large number of sources at once, and defending against them is much more difficult: once the traffic saturates the organization's internet link, rules on the organization's own firewall no longer help, and filtering has to happen upstream at the ISP or a DDoS mitigation service.
A common attack in today's environment.
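The single-source case the slide describes can be caught from ordinary web-server logs. The following is an added example (not code from the presentation) that counts requests per source address in a sliding window and emits the firewall rule for any address over a threshold. The log lines are constructed for the example; the 200-requests-per-minute threshold and the nftables table and chain names are assumptions.

```python
"""Added example: spot a single-source flood in web-server access logs and
emit the blocking rule.  Log lines below are constructed; the threshold,
window, and nftables table/chain names are assumptions to be tuned."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (real layout; the entries are made up).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor and one address sending ~400 hits in a minute.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2017:10:00:00 +0000] "GET /donate HTTP/1.1" 200 1234
198.51.100.23 - - [18/Sep/2017:10:00:01 +0000] "GET /about HTTP/1.1" 200 987
""" + "\n".join(
    f'203.0.113.7 - - [18/Sep/2017:10:00:{i % 60:02d} +0000] "GET /donate HTTP/1.1" 200 1234'
    for i in range(2, 400)
)


def parse_line(line):
    """Return (source_ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, threshold=200, window_seconds=60):
    """Return {ip: peak_count} for every source that exceeds `threshold`
    requests inside any sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            by_ip[ip].append(ts)

    flooders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it is within window_seconds of `ts`
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flooders[ip] = peak
    return flooders


def firewall_rules(flooders):
    """One nftables drop rule per offending source.  Assumes a table `inet filter`
    with an `input` chain already exists (the usual nft layout)."""
    return [f"nft add rule inet filter input ip saddr {ip} drop" for ip in sorted(flooders)]


if __name__ == "__main__":
    hits = find_flooders(SAMPLE_LOG.splitlines())
    for ip, count in hits.items():
        print(f"{ip}: {count} requests in one window")
    for rule in firewall_rules(hits):
        print(rule)
```

Run it and the flooding address is reported with a ready-to-apply rule. The same per-address count is exactly what stops working in a DDoS: when thousands of addresses each stay under the threshold, nothing is flagged while the link is still saturated, which is why that case has to be handled upstream.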
10. Understanding Vulnerabilities
Direct-Access Attacks
An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may also compromise security by making operating system modifications, installing malware, key loggers and covert listening devices.
Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a CD-ROM, USB stick or other bootable media. Full-disk encryption is designed to defeat this: without the key, data read from the disk by another operating system is unreadable. It does not stop a hardware keylogger, or an attacker who walks up to a machine that is running and unlocked, so it should be combined with screen locks, a firmware (BIOS/UEFI) password that prevents changing the boot order, and physical access controls.
11. Understanding Vulnerabilities
Ransomware
Ransomware is malware that encrypts the target's data and holds it "hostage" until a "ransom", usually in a cryptocurrency such as Bitcoin (pseudonymous rather than truly untraceable), is paid. It is not a physical direct-access attack: it typically arrives through a phishing e-mail attachment or link, or through an exposed and unpatched remote-access service, and it then encrypts every file the infected user's account can write to, including mapped network shares. Tested backups that the infected account cannot reach are the primary recovery control.
See next page for an example. Source: AICPA, "Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits" presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
12. Understanding Vulnerabilities (example ransomware screen from the AICPA presentation; image not reproduced in the text)
13. Understanding Vulnerabilities
Eavesdropping
The act of surreptitiously listening to a private conversation, typically between hosts on a network. For instance, programs such as the FBI's Carnivore have been used to eavesdrop on the systems of internet service providers.
Tampering
This describes a malicious modification of products, such as the planting of surveillance capability into routers, firewalls, and workstations.
14. Understanding Vulnerabilities
Spoofing
A fraudulent or malicious practice in which a communication is sent from an unknown source disguised as a source known to the receiver. Examples of spoofing include:
– CEO request for copies of all W-2s
– CEO request for wire transfers out of the country
– Vendor request for change of remittance address
– Request by prospective donor or vendor (including CPAs) to review attached tax or account information
Each of these is a request to move money or release personal data. The control that defeats them is verifying the request through a channel the message did not supply, for example a call to the executive or vendor at a number already on file, before acting on it.
See next page for an example. Source: AICPA, "Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits" presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
15. Understanding Vulnerabilities: Spoofing (example spoofed message from the AICPA presentation; image not reproduced in the text)
16. Understanding Vulnerabilities
Privilege Escalation
Describes a situation where an attacker with some level of restricted access is able to, without authorization, elevate their privileges or access level. For example, a standard computer user may be able to fool the system into giving them access to restricted data, or even to "become root" and have full, unrestricted access to a system.
Social Engineering
This attack aims to convince a user to disclose secrets, such as passwords, card numbers, etc., by, for example, impersonating a bank, a contractor, a customer, or an IT support person.
17. Understanding Vulnerabilities
Phishing
This is an attempt to acquire sensitive information, such as usernames, passwords, and credit card details, directly from users.
Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Phishing can also be considered a form of social engineering.
See next page for an example. Source: AICPA, "Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits" presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
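The spoofed "CEO wire transfer" and "send me the W-2s" messages described under Spoofing and Phishing share a handful of tell-tale header features. The following is an added example, not part of the AICPA or Buchbinder material, of a first-pass screen that checks those features on a raw message: a display name that claims an executive but comes from an outside address, a Reply-To pointing somewhere else, a lookalike sender domain, failed SPF/DKIM/DMARC results, and money- or PII-related wording in the body. The organization's domain, the executive list, the partner domain and both sample messages are constructed; the header fields (From, Reply-To, Authentication-Results) are the standard RFC 5322 / RFC 8601 headers a mail server produces.

```python
"""Added example: screen an incoming message for the spoofing/phishing
features the slides describe.  Domains, names and both messages below are
constructed for this example."""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-nfp.org"                      # assumption: the non-profit's own domain
TRUSTED_DOMAINS = {ORG_DOMAIN, "bank.example"}      # assumption: known partner domains
EXECUTIVES = {"jane doe"}                           # assumption: names attackers impersonate
RISKY_PHRASES = ("wire transfer", "w-2", "remittance", "urgent", "keep this confidential")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    Only trust these if your own mail server added them; a sender can forge them."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";"):
            part = part.strip()
            for method in ("spf", "dkim", "dmarc"):
                if part.startswith(method + "="):
                    verdicts[method] = part[len(method) + 1:].split()[0].lower()
    return verdicts


def screen_message(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    if name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append(f'display name "{name}" claims an executive but address is {addr}')

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for known in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_dom, known) <= 2:
                findings.append(f"sender domain {from_dom} looks like {known}")

    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{method}={verdict} in Authentication-Results")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in RISKY_PHRASES if p in text]
    if hits:
        findings.append("requests money or personal data (" + ", ".join(hits) + ")")
    return findings


# Constructed sample 1: a business e-mail compromise attempt.
BEC_MESSAGE = """\
From: "Jane Doe" <jane.doe@examp1e-nfp.org>
Reply-To: <jane.doe.ceo@mail.example>
To: controller@example-nfp.org
Subject: Urgent wire transfer
Authentication-Results: mx.example-nfp.org; spf=fail smtp.mailfrom=examp1e-nfp.org; dkim=none; dmarc=fail header.from=examp1e-nfp.org
Content-Type: text/plain; charset="utf-8"

I need you to process an urgent wire transfer to a new vendor today. Keep this confidential until I am back.
"""

# Constructed sample 2: a legitimate internal message.
LEGIT_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-nfp.org>
To: controller@example-nfp.org
Subject: Board meeting agenda
Authentication-Results: mx.example-nfp.org; spf=pass smtp.mailfrom=example-nfp.org; dkim=pass header.d=example-nfp.org; dmarc=pass header.from=example-nfp.org
Content-Type: text/plain; charset="utf-8"

Attached is the draft agenda for Thursday. Let me know if anything should be added.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, screen_message(raw) or ["no findings"])
```

Nothing here replaces the out-of-band phone call: a real executive's mailbox, once compromised, passes every header check and only the call catches it. The screen is useful as a prompt for that call, not as a substitute for it.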
18. Understanding Vulnerabilities: Phishing (example phishing message from the AICPA presentation; image not reproduced in the text)
19. Understanding Vulnerabilities
Clickjacking
This is a malicious technique in which an attacker tricks a user into clicking on a button or link on another webpage while the user intended to click on the top-level page. The attacker is "hijacking" the clicks meant for the visible page and routing them to a page of the attacker's choosing, typically the victim's own banking or donor portal loaded in an invisible frame, so that the click performs a real action there.
A similar technique can be used to hijack keystrokes. A user can be led into believing that they are typing a password or other information on an authentic webpage while it is being channeled into an invisible frame controlled by the attacker.
Websites defend against this by refusing to be framed by other sites, using the X-Frame-Options response header or the frame-ancestors directive of Content-Security-Policy. Any portal the organization runs that takes donations or logins should send one of them.
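To make the attack and its defence concrete, the following is an added example, not from the presentation: the first function builds the attacker's page (a transparent frame of the target laid over a decoy button), and the second checks a set of response headers the way a scanner would, reporting whether cross-site framing is blocked. The donor-portal URL is a constructed placeholder; the header names, values and precedence rule (frame-ancestors overrides X-Frame-Options when both are present) are the ones browsers actually implement.

```python
"""Added example: what a clickjacking page looks like, and a check of the
response headers that prevent a site from being framed.  The target URL is a
placeholder; header semantics follow the CSP and X-Frame-Options specs."""


def clickjack_page(target_url, decoy_text="Claim your free report"):
    """Attacker's page: an invisible iframe of the victim site sits on top of a decoy
    button, so the user's click lands on the framed page's real button instead."""
    return f"""<!doctype html>
<style>
  iframe {{ position:absolute; top:0; left:0; width:100%; height:100%;
            opacity:0; z-index:2; }}   /* transparent, but above the decoy */
  button {{ position:absolute; top:120px; left:80px; z-index:1; }}
</style>
<button>{decoy_text}</button>
<iframe src="{target_url}"></iframe>
"""


def framing_blocked(headers):
    """True if the response headers forbid framing by another origin.

    `headers` is a dict of lower-cased header name -> value, as collected from a
    HEAD/GET of the page.  If a CSP frame-ancestors directive is present it wins
    and X-Frame-Options is ignored, which is what browsers do.  Anything broader
    than 'none' / 'self' is reported as framable so a human reviews the allow-list.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.strip("'").lower() for t in tokens[1:]}
            # an empty source list means 'none' per the CSP spec
            return not sources or sources <= {"none", "self"}
    xfo = headers.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def review(headers):
    """One-line verdict for a scan report."""
    return "framing blocked" if framing_blocked(headers) else "FRAMABLE: add CSP frame-ancestors 'none'"


if __name__ == "__main__":
    # Constructed header sets, as a scanner might see from three different portals.
    samples = {
        "donate portal": {"x-frame-options": "DENY"},
        "old intranet": {},
        "payroll vendor": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    }
    for site, hdrs in samples.items():
        print(f"{site}: {review(hdrs)}")
    print(clickjack_page("https://donate.example-nfp.org/"))
```

To check a live site, fetch its headers (for example with curl -I), lower-case the names, and pass them to framing_blocked. The keystroke variant on the slide uses the same invisible frame, so the same headers stop it.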
20. Understanding Vulnerabilities
The expansion of new technologies causes overall cybersecurity risk to increase year after year. New technologies include the following:
– Mobile devices and applications
– Virtualization
– Cloud-based technologies
– Remote access to data
– Multi-location work flows
– "Internet of Things"
21. How Can This Affect Non-Profits?
A breach can affect a broad range of parties, including:
NFP's brand
Donors/grantees
Management/employees
Accounting software
Third-party administrators/record keepers
Auditors, tax preparers, HR, facility managers
Trustees, beneficiaries' data
Insurance providers
Accounting firms' clients
And ANY third-party vendor you use in the course of business
22. How Can This Affect Non-Profits?
Data and systems at risk include:
Donor registration forms
Financial database/system configurations/passwords
Checks/transaction logs/wire transfers
W-2, 1099 & I-9 forms
Employee information
Quarterly participants' statements, credit reports
E-mail/digital media/text messages
Any device (system and/or database) you use in daily operations
23. Non-Profit Risk Factors
NFPs are often using skeleton staffing models
Organic growth is faster than IT security strength
A lack of awareness of the level of sensitivity of data passing through the organization
Three of the top five breach incidents by industry over the last four years impact the NFP sector:
– Healthcare
– Government
– Education
Laws and regulations
24. Key Data Laws and Regulations
In the U.S. you need to be aware of:
– The Federal Trade Commission Act ("FTC Act")
– The Financial Services Modernization Act ("Gramm-Leach-Bliley Act")
– Health Insurance Portability and Accountability Act ("HIPAA")
– The Fair Credit Reporting Act
The EU's General Data Protection Regulation ("GDPR") has been adopted and applies from May 25, 2018.
– It is a very broad and complicated regulation, and it will impact the U.S.
– It is a regulation, not a directive, so it applies directly without national implementing laws. It covers any organization that holds or processes personal data of people in the EU, whether that organization is located in Europe or not.
25. A Note on Cyber Liability Insurance
Cyber insurance has become a growing part of insurance coverage for many organizations. The issuance of cyber insurance in the United States is believed to have evolved from the mid to late 1990s, and it is still considered a developing segment of the insurance industry.
Cyber policies cover third-party liability for losses, lawsuits, and other damages, as well as first-party packages that may provide data breach response experts, credit monitoring, public relations, and technical assistance for response and recovery.
Cyber liability insurance can be part of the organization's risk management, but because of the coverage limits and exclusions in most policies, it should not be the only control employed.
26. What is Risk?
As defined by Merriam-Webster online:
1: possibility of loss or injury : peril, 2: someone or something that creates or suggests a hazard, 3 (a): the chance of loss or the perils to the subject matter of an insurance contract; also : the degree of probability of such loss (b): a person or thing that is a specified hazard to an insurer <a poor risk for insurance> (c): an insurance hazard from a specified cause or source <war risk>, 4: the chance that an investment (as a stock or commodity) will lose value.
27. What is Risk?
Therefore, risk can be:
A. Negative
B. Positive
C. Detrimental
D. All of the Above
But risk needs to be managed or addressed!
28. What are Controls?
Internal control over financial reporting consists of company policies and procedures that are designed and operated to provide reasonable assurance about the reliability of a company's financial reporting and its process for preparing and fairly presenting financial statements in accordance with generally accepted accounting principles. It includes policies and procedures for maintaining accounting records, authorizing receipts and disbursements, and the safeguarding of assets. (PCAOB Auditing Standard No. 2)
29. Risk and Controls
Controls are implemented to help manage and mitigate risk.
The following slides will present basic IT risks and detail how standard IT controls can mitigate the documented risk.
The controls are not overly technical in nature and are the basic building blocks for a solid IT control environment.
30. IT Risks – Entity Level Controls
Lack of IT oversight by management
Lack of, or informal, IT policies on security and operations
Non-compliance with laws and regulations regarding information security and privacy
Lack of an IT infrastructure inventory, including software and hardware used (both onsite and remotely)
Lack of an incident response plan to respond to information security incidents
Lack of monitoring of third-party service providers
31. IT Controls – Entity Level Controls
Develop an IT Steering Committee to prioritize, review and monitor information technology needs
Formalize IT policies and train staff on their content
Identify and ensure compliance with laws and regulations regarding information security and privacy
Develop an IT infrastructure inventory
Adopt an incident response plan and establish a team to respond to any information security incidents
If relying on third-party service providers, obtain the service auditor's report (a SOC 1 report for controls over financial reporting, a SOC 2 report for security, availability, confidentiality and privacy), review any exceptions the auditor noted, and ensure the complementary user-entity controls the report expects of your organization are in place
32. IT Risks – Change Management
Change Management Risks
Integrity of the production environment
– Changes that haven't been well tested can have an unexpected impact on systems
Integrity of the financial information
– Inaccurate data mapping can cause inaccurate reporting
– Unintended changes to financial data
Availability of the systems
– Outages can cause business process disruptions and loss of revenue
33. IT Controls – Change Management
Change Management Controls
Processes and procedures for changes
– Documented requirements
– Tracking of all requests
– Analysis of systems that will be impacted
– Security implications
Testing
– Developer
– User
Management approval prior to implementation
Segregation of duties
– The same person cannot both approve and implement a change
– Developers do not have update access to the production environment
34. IT Risks – Logical Access
Logical Access Risks
Access to financial applications
– Fraud
– Inaccurate information, leading to poor business decisions
– Inappropriate access (e.g., payroll, intellectual property)
Access to key production applications
– All of the above and...
– Disruption of the business processes
Access to the network
– Disruption of the business processes
– Reputation risk
35. IT Controls – Logical Access
Logical Access Controls
Approval process for requesting access
– Documented approval from HR and/or the manager
– Grant access only to appropriate personnel based on business needs. See the next slide, adapted from the AICPA "Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits" presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
Unique user IDs for accountability
Periodic review of access
– Job/function changes
Removal of access
– Timely notification from HR when staff leave or change roles
Encrypt data on servers, workstations, and mobile devices
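The periodic access review above is, mechanically, a reconciliation of the application's user list against the HR roster. The following is an added example (not from the presentation) that does that reconciliation and also checks the segregation-of-duties rule from the change-management and application-control slides: it flags accounts with no matching person (shared or orphaned IDs), accounts whose owner HR lists as terminated, dormant accounts, administrator rights, and one person holding both the "enter payment" and "approve payment" roles. The roster, the account export, the role names and the 90-day dormancy threshold are all constructed assumptions; a real run would read the same two lists exported from HR and from the accounting system.

```python
"""Added example: periodic access review as a reconciliation of an
application's accounts against the HR roster.  All data is constructed."""
from datetime import date

REVIEW_DATE = date(2017, 9, 18)
DORMANT_DAYS = 90                      # assumption: policy threshold for "unused"

# Constructed HR roster: login -> employment status
HR_ROSTER = {
    "asmith": "active",
    "bjones": "active",
    "cwong": "terminated",
    "dlee": "active",
}

# Constructed export from the accounting application
APP_ACCOUNTS = [
    {"login": "asmith", "roles": {"ap_clerk"}, "admin": False, "last_login": date(2017, 9, 15)},
    {"login": "bjones", "roles": {"viewer"}, "admin": False, "last_login": date(2017, 4, 1)},
    {"login": "cwong", "roles": {"ap_clerk"}, "admin": False, "last_login": date(2017, 8, 30)},
    {"login": "dlee", "roles": {"ap_clerk", "ap_approver"}, "admin": False, "last_login": date(2017, 9, 16)},
    {"login": "finance_shared", "roles": {"ap_clerk"}, "admin": True, "last_login": date(2017, 9, 17)},
]

# Role pairs one person must not hold together (assumed names for this example)
CONFLICTING_ROLES = [
    ({"ap_clerk", "ap_approver"}, "can both enter and approve payments"),
]


def review_access(accounts, roster, today=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return {login: [issues]} for every account that needs a decision.
    Accounts with an empty issue list are omitted, so the result is the work list."""
    issues = {}
    for acct in accounts:
        login = acct["login"]
        found = []

        status = roster.get(login)
        if status is None:
            found.append("no matching person in HR roster (shared or orphaned ID)")
        elif status != "active":
            found.append(f"owner is {status} in HR; access should have been removed")

        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            found.append(f"dormant: no login in {dormant_days} days")

        if acct["admin"]:
            found.append("administrator rights; confirm still required")

        for pair, why in CONFLICTING_ROLES:
            if pair <= acct["roles"]:
                found.append(f"segregation of duties: {why}")

        if found:
            issues[login] = found
    return issues


if __name__ == "__main__":
    for login, found in review_access(APP_ACCOUNTS, HR_ROSTER).items():
        print(login)
        for item in found:
            print("  -", item)
```

The output is the list a manager signs off on; the signed list, with the decision recorded against each line, is the evidence an auditor will ask for. The "no matching person" case is the one worth reading carefully: it is where shared logins hide, and a shared login defeats the unique-user-ID control on the slide above.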
36. IT Controls – Logical Access: Data Classification (chart adapted from the AICPA presentation; image not reproduced in the text)
37. IT Controls – Logical Access
Logical Access Controls
Passwords
– Minimum length, lockout provisions, reuse restrictions, change frequency, complexity, etc. Current guidance (NIST SP 800-63B, 2017) favours long passphrases screened against lists of breached and common passwords, with lockout or rate limiting on failed attempts, over forced periodic changes and composition rules; multi-factor authentication should be required for remote and administrative access.
Application controls
– Segregation of duties
– File and folder level restrictions
Ensure proper level of physical/environmental controls
– Access controls to the office/server room
– Ensure cooling, fire suppression and UPS for servers and key workstations
Limit administrator access to systems and applications
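The password items on the slide (minimum length, reuse, lockout) are straightforward to express as code, and writing them out shows where the current guidance differs from the older "complexity plus 90-day change" rule. The following is an added example, not from the presentation: a password-acceptance check (length, breached-list screen, no user name, no reuse of recent passwords) over PBKDF2-hashed history, and a lockout that blocks an account after repeated failures. The policy numbers and the small breached-password set are constructed assumptions; a real deployment would screen against a large breach corpus.

```python
"""Added example: password policy and lockout controls.  Thresholds and the
breached-password set are assumptions; hashing uses PBKDF2 from hashlib."""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12            # assumption: policy minimum
HISTORY = 5                # assumption: how many previous passwords may not be reused
MAX_FAILURES = 5           # assumption: failed attempts before lockout
LOCKOUT_SECONDS = 900      # assumption: 15-minute lockout
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached/common-password list.
BREACHED = {"password123!", "welcome2017", "summer2017!", "letmein12345"}


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256.  Returns salt + digest as one blob for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time comparison against a blob produced by hash_password."""
    salt = stored[:16]
    return hmac.compare_digest(hash_password(password, salt), stored)


def check_new_password(password, username, previous_hashes):
    """Return the list of policy violations for a proposed password (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in breached/common password list")
    if username.lower() in password.lower():
        problems.append("contains the user name")
    if any(verify_password(password, h) for h in previous_hashes[-HISTORY:]):
        problems.append(f"reuses one of the last {HISTORY} passwords")
    return problems


class LoginThrottle:
    """Lock an account for LOCKOUT_SECONDS after MAX_FAILURES consecutive bad attempts.
    `clock` is injectable so the behaviour can be tested without waiting."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}       # user -> consecutive failure count
        self.locked_until = {}   # user -> unix time the lock expires

    def attempt(self, user, stored, password):
        """Return 'ok', 'denied' or 'locked'.  A locked account is refused even
        with the right password, which is the point of the control."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if verify_password(password, stored):
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    history = [hash_password("OldPassphrase-2016")]
    for candidate in ("Welcome2017", "OldPassphrase-2016", "mauve-tractor-quietly-41"):
        print(candidate, "->", check_new_password(candidate, "asmith", history) or "accepted")
```

Lockout on its own does not stop "password spraying", where an attacker tries one common password against every account and stays under the per-account threshold; that is what the breached-list screen and multi-factor authentication cover.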
38. IT Risks – Network Security
Lack of network infrastructure documentation
Lack of firewalls and intrusion detection systems
Lack of review of the content of internet messages for appropriateness and to detect misuse of network resources
Lack of a process for applying operating system "patches"
Lack of reputable anti-virus, anti-spyware and anti-spam software
Not performing vulnerability scans and penetration tests of critical systems
39. IT Controls – Network Security
Develop and maintain up-to-date network diagrams
Implement firewalls and intrusion detection systems
Use content filtering controls to review the content of internet messages for appropriateness and to detect misuse of network resources
Implement controls over the updating of operating system "patches"
Use reputable anti-virus, anti-spyware and anti-spam software and routinely install updates as they become available
Perform vulnerability scans and penetration tests of critical systems
41. IT Controls – Computer Operations
Computer Operations Controls
Problems and Incidents
– Define and implement a problem management system to ensure that operational events are recorded, analyzed, escalated and resolved in a timely manner.
Job Processing
– System processing jobs and batch feeds are documented in the IT Operations Manual.
Operations Monitoring
– Daily operations checklists are used to assist in monitoring systems processing.
42. IT Risks – Backup and Disaster Recovery
Backup and Disaster Recovery Risks
Loss of data
– Customer information
– Financial records
– Intellectual property
Failure of key systems
– Hardware failure
Loss of primary site
– Natural disaster
– Human error
– Malicious activity
Unauthorized access to backup data
43. IT Controls – Backup and Disaster Recovery
Backup and Disaster Recovery Controls
Develop a backup policy and disaster recovery plans
Backups
– Tapes and disk arrays
– Keep at least one copy offline or otherwise unreachable with production credentials, so that ransomware running on the network cannot encrypt the backups along with the live data
Testing of backups and the disaster recovery plan
– Ensure files can be recovered when needed; a backup that has never been restored is untested
Off-site storage
– Tape shipment and replication
Disaster recovery sites
– Hot, cold, or another office location
Encrypt backup data and ensure access to media is limited to authorized personnel
45. Buchbinder NFP Practice
Audits
Financial statement audits are the core of our firm. Our technical experience, knowledge of non-profits and approach will help ensure that a timely, thorough audit is delivered with minimum disruption to your business.
Preparation of Form 990
Our partners and staff provide high technical expertise and extensive knowledge in all areas of tax and accounting for non-profit organizations.
Advisory and Consulting
We know regulations and requirements are increasingly becoming more stringent and complex, thus magnifying the need for specialized services. At Buchbinder, we will help you navigate through today's business world so you can achieve your growth expectations.
46. Buchbinder NFP Practice
Buchbinder Articles:
When Should You Report Grant and Contribution Revenues
The Nonprofit Life Cycle
Tips for Creating a Whistleblower Policy
Buchbinder Social Media Channels:
Facebook
Twitter
LinkedIn