Accounting | Tax | Consulting
IT Risks for Non-Profits
September 2017
Reasons to Have a Better Understanding of IT Controls and Risk

- Technology Is Pervasive
  - Almost all organizations use some type of electronic system to initiate, process, and record accounting-related transactions.
  - Use of the internet to send/receive e-mail and research information is second nature in today’s world. It is a must-have in order to do business.
Reasons to Have a Better Understanding of IT Controls and Risk

- Technology Is Complex
  - Technology is always evolving in complexity and coverage. What is considered “simple” technology today relies on complex interactions of systems, networks, and applications to process and store information.
Reasons to Have a Better Understanding of IT Controls and Risk

- Technology Is Vital to the Business
  - In many organizations, technology is a vital component of the business. Without a solid technology infrastructure to support the business, business operations would be significantly impacted or not possible.
What Is Cybersecurity?

- Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity.
- Ensuring cybersecurity requires coordinated efforts throughout an information system. Components of cybersecurity include:
  - Application security
  - Information security
  - Network security
  - Disaster recovery / business continuity planning
  - End-user education
- One of the most problematic components of cybersecurity is the rapid and constantly evolving nature of security risks.
What Is Cybersecurity?

- According to a November 2016 paper prepared by the ERISA Advisory Council on Employee Benefit Plans:
  “Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when.”
  https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2016-cybersecurity-considerations-for-benefit-plans.pdf, page 30.
- 70% of all breaches or stolen data are from an insider threat. (KPMG 2016 Consumer Loss Barometer)
Understanding Vulnerabilities

- In order to understand how to protect against cybersecurity risks, it is important to understand what is meant by a vulnerability and what some common types of vulnerabilities are.

What is a vulnerability?

- A vulnerability is a system susceptibility or flaw. An exploitable vulnerability is one for which at least one working attack or "exploit" exists.
- Although cybersecurity is in the news a lot nowadays, the concept has been around since computers were first linked together in the 1960s.
- “The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage” by Clifford Stoll details a spy ring using cyberattacks in the 1980s.
Common Types of Vulnerabilities: Backdoors

- Backdoors in a computer system are any secret method of bypassing normal authentication or security controls. They may exist for a number of reasons, including by original design or from poor configuration. They may have been added by an authorized party to allow some legitimate access, or by an attacker for malicious reasons.
- Think about the movie “War Games”. The backdoor password was Joshua.
Denial-of-Service Attack

- Denial of Service attacks (“DoS”) are designed to make a machine or network resource unavailable to its intended users. Attackers can deny service by overloading the capabilities of a machine or network and block all users at once. While a network attack from a single IP address can be blocked by adding a new firewall rule, many forms of distributed denial of service (“DDoS”) attacks are possible, where the attack comes from a large number of points, and defending is much more difficult.
- A common attack in today’s environment.
Direct-Access Attacks

- An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may also compromise security by making operating system modifications, installing software worms, key loggers and covert listening devices.
- Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption is designed to prevent these attacks.
Direct-Access Attacks

- Ransomware is a form of direct-access attack that holds the target data “hostage” until a “ransom”, usually in the form of an untraceable cryptocurrency such as Bitcoin, is paid.
- See next page for an example. Source: AICPA, “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
(Slide 12: ransomware example screenshot; no text was extracted from the image.)
Eavesdropping

- The act of surreptitiously listening to a private conversation, typically between hosts on a network. For instance, programs such as Carnivore have been used by the FBI and NSA to eavesdrop on the systems of internet service providers.

Tampering

- This describes a malicious modification of products, such as the planting of surveillance capability into routers, firewalls, and workstations.
Spoofing

- A fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Examples of spoofing include:
  - CEO request for copies of all W-2s
  - CEO request for wire transfers out of the country
  - Vendor request for change of remittance address
  - Request by prospective donor or vendor (including CPAs) to review attached tax or account information
- See next page for an example. Source: AICPA, “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
Spoofing

(Slide 15: spoofed e-mail example screenshot; no text was extracted from the image.)
Privilege Escalation

- Describes a situation where an attacker with some level of restricted access is able to, without authorization, elevate their privileges or access level. For example, a standard computer user may be able to fool the system into giving them access to restricted data, or even to "become root” and have full unrestricted access to a system.

Social Engineering

- This attack aims to convince a user to disclose secrets, such as passwords, card numbers, etc., by, for example, impersonating a bank, a contractor, a customer, or an IT support person.
Phishing

- This is an attempt to acquire sensitive information, such as usernames, passwords, and credit card details, directly from users.
- Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
- Phishing can also be considered a form of social engineering.
- See next page for an example. Source: AICPA, “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
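The spoofing and phishing slides above both turn on a message that looks like it comes from someone the receiver knows. The screening routine below, an added example that is not part of the presentation, flags the patterns those slides list (an executive's display name on an outside address, a lookalike sender domain, a Reply-To that redirects the thread, and a wire or W-2 request) from a message's headers; the organization domain, executive roster and sample messages are constructed.

```python
"""Screen an inbound message's headers for the spoofing patterns the slides
describe.  Added example; the domain, roster and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-nfp.org"                         # assumed organization domain
EXECUTIVES = {"jane doe": "jane.doe@example-nfp.org"}  # constructed roster: name -> real address
SENSITIVE_TOPICS = ("w-2", "wire transfer", "remittance")  # pretexts listed on the slides


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from our domain is a lookalike (examp1e-nfp.org)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw: str) -> list:
    """Return the findings for one RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name attached to an address that is not theirs
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append("display-name impersonation of " + name)

    # 2. A sender domain one or two edits away from our own
    if from_domain != ORG_DOMAIN and 0 < levenshtein(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike domain " + from_domain)

    # 3. Reply-To pointing somewhere other than the From domain
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to redirects to " + domain_of(reply_addr))

    # 4. Claims our own domain, but the mail gateway recorded no DMARC pass
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal sender without dmarc=pass")

    # 5. Already suspicious and asking for one of the slides' sensitive items: escalate
    subject = msg.get("Subject", "").lower()
    if findings and any(topic in subject for topic in SENSITIVE_TOPICS):
        findings.append("sensitive request: " + subject)
    return findings


# Constructed sample messages (not real mail)
SPOOFED = """From: Jane Doe <jane.doe@examp1e-nfp.org>
Reply-To: jane.doe@mailhost.invalid
Subject: Urgent wire transfer before noon
Authentication-Results: mx.example-nfp.org; dmarc=none

Please process the attached wire today.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example-nfp.org>
Subject: Board meeting agenda
Authentication-Results: mx.example-nfp.org; dmarc=pass header.from=example-nfp.org

Agenda attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", screen_message(raw) or ["no findings"])
```

Any hit is a reason to confirm the request out of band, which is the control the slides' wire-transfer and W-2 examples call for.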
(Slide 18: phishing e-mail example screenshot; no text was extracted from the image.)
Clickjacking

- This is a malicious technique in which an attacker tricks a user into clicking on a button or link on another webpage while the user intended to click on the top-level page. The attacker is basically "hijacking” the clicks meant for the top-level page and routing them to some other, irrelevant page, most likely owned by someone else.
- A similar technique can be used to hijack keystrokes. A user can be led into believing that they are typing a password or other information on some authentic webpage while it is being channeled into an invisible frame controlled by the attacker.
Understanding Vulnerabilities

- The expansion of new technologies causes overall cybersecurity risk to increase year after year.
- New technologies include the following:
  - Mobile devices and applications
  - Virtualization
  - Cloud-based technologies
  - Remote access to data
  - Multi-location work flows
  - “Internet of Things”
How Can This Affect Non-Profits?

- NFP’s brand
- Donors/grantees
- Management/employees
- Accounting software
- Third-party administrators/record keepers
- Auditors, tax preparers, HR, facility managers
- Trustees, beneficiaries’ data
- Insurance providers
- Accounting firms’ clients
- And ANY third-party vendor you use in the course of business

A broad range of potential effects on organizations.
How Can This Affect Non-Profits?

- Donor registration forms
- Financial database/system configurations/passwords
- Checks/transaction logs/wire transfers
- W-2, 1099 & I-9 forms
- Employee information
- Quarterly participants’ statements, credit reports
- E-mail/digital media/text messages
- Any device (system and/or database) you use in daily operations
Non-Profits Risk Factors

- NFPs often use skeleton staffing models
- Organic growth is faster than IT security strength
- A lack of awareness of the level of sensitivity of data passing through the organization
- Three of the top five breach incidents by industry over the last four years impact the NFP sector:
  - Healthcare
  - Government
  - Education
- Laws and regulations
Key Data Laws and Regulations

- In the U.S. you need to be aware of:
  - The Federal Trade Commission Act (“FTC Act”)
  - The Financial Services Modernization Act (“Gramm-Leach-Bliley Act”)
  - Health Insurance Portability and Accountability Act (“HIPAA”)
  - The Fair Credit Reporting Act
- The EU will enact the General Data Protection Regulation (“GDPR”).
  - It is a very vast and complicated act, and it will impact the U.S.
  - Goes into force May 25, 2018
- GDPR affects all companies that hold or use European personal data, whether that company is located in Europe or not.
A Note on Cyber Liability Insurance

- Cyber insurance has become a growing part of insurance coverage for many organizations. The issuance of cyber insurance in the United States is believed to have evolved from the mid to late 1990s, and it is still considered to be a developing segment of the insurance industry.
- Cyber policies cover both third-party liability for losses, lawsuits, and other damages, as well as first-party packages that may provide data breach response experts, credit monitoring, public relations and technical assistance for response and recovery.
- Cyber liability insurance can be part of the organization’s risk management, but because of most plans’ coverage limitations, it should not be the only option employed.
What is Risk?

- As defined by Merriam-Webster online:
  1: possibility of loss or injury : peril; 2: someone or something that creates or suggests a hazard; 3 (a): the chance of loss or the perils to the subject matter of an insurance contract; also : the degree of probability of such loss; (b): a person or thing that is a specified hazard to an insurer <a poor risk for insurance>; (c): an insurance hazard from a specified cause or source <war risk>; 4: the chance that an investment (as a stock or commodity) will lose value.
What is Risk?

- Therefore, risk can be:
  - A. Negative
  - B. Positive
  - C. Detrimental
  - D. All of the Above
- But risk needs to be managed or addressed!
What are Controls?

- Internal control over financial reporting consists of company policies and procedures that are designed and operated to provide reasonable assurance about the reliability of a company's financial reporting and its process for preparing and fairly presenting financial statements in accordance with generally accepted accounting principles. It includes policies and procedures for maintaining accounting records, authorizing receipts and disbursements, and the safeguarding of assets. (AS #2)
Risk and Controls

- Controls are implemented to help manage and mitigate risk.
- The following slides will present basic IT risks and detail how standard IT controls can mitigate the documented risk.
- The controls are not overly technical in nature and are the basic building blocks for a solid IT control environment.
IT Risks – Entity Level Controls

- Lack of IT oversight by management
- Lack of, or informal, IT policies on security and operations
- Non-compliance with laws and regulations regarding information security and privacy
- Lack of an IT infrastructure inventory, including software and hardware used (both onsite and remotely)
- Lack of an incident response plan to respond to information security incidents
- Lack of monitoring of third-party service providers
IT Controls – Entity Level Controls

- Develop an IT Steering Committee to prioritize, review and monitor information technology needs
- Formalize IT policies and train staff on their content
- Identify and ensure compliance with laws and regulations regarding information security and privacy
- Develop an IT infrastructure inventory
- Adopt an incident response plan and establish a team to respond to any information security incidents
- If relying on third-party service providers, obtain the service auditor’s (“SOC”) report and ensure all recommended security, availability and privacy controls are in place
IT Risks – Change Management

- Change Management Risks
  - Integrity of the production environment
    - Changes that haven’t been well tested can have an unexpected impact on systems
  - Integrity of the financial information
    - Inaccurate data mapping can cause inaccurate reporting
    - Unintended changes to financial data
  - Availability of the systems
    - Can cause business process disruptions and loss of revenue
IT Controls – Change Management

- Change Management Controls
  - Processes and procedures for changes
    - Documented requirements
    - Tracking of all requests
    - Analysis of systems that will be impacted
    - Security implications
  - Testing
    - Developer
    - User
  - Management approvals prior to implementation
  - Segregation of duties
    - The same person can’t approve and implement changes
    - Developers do not have update access to the production environment
IT Risks – Logical Access

- Logical Access Risks
  - Access to financial applications
    - Fraud
    - Inaccurate information, leading to poor business decisions
    - Inappropriate access (e.g., payroll, intellectual property)
  - Access to key production applications
    - All of the above and…
    - Disruption of the business processes
  - Access to the network
    - Disruption of the business processes
    - Reputation risk
IT Controls – Logical Access

- Logical Access Controls
  - Approval process for requesting access
    - Document approval from HR and/or manager
    - Grant access only to appropriate personnel based on business needs. See next slide, as adapted from the AICPA “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
  - Unique user IDs for accountability
  - Periodic review of access
    - Job/function changes
    - Removal of access
    - Timely notification
  - Encrypt data on servers, workstations, and mobile devices
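The periodic access review above is a reconciliation: every account in the financial application should map to a current employee, a documented approval, and a role that still fits the person's job. The routine below, an added example that is not the presentation's or the firm's tooling, runs that reconciliation over a constructed HR roster, account export and approval log; the department-to-role model, the three-day removal SLA and the review date are assumptions.

```python
"""Periodic logical-access review over constructed data.  Added example; the
role model, removal SLA and review date are assumptions."""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed HR roster (blank termination date = still employed)
HR_ROSTER = """emp_id,name,department,terminated
E100,Alice Lee,Finance,
E101,Bob Ng,Finance,2017-08-15
E102,Cara Ruiz,Programs,
"""

# Constructed account export from the financial application
ACCOUNTS = """user_id,emp_id,role,last_login
alee,E100,ap_clerk,2017-09-01
bng,E101,ap_clerk,2017-08-20
cruiz,E102,finance_admin,2017-09-02
finance_shared,,ap_clerk,2017-09-03
"""

# Constructed approval log: the role each user was approved for, and by whom
APPROVALS = """user_id,role,approver
alee,ap_clerk,hr
cruiz,programs_viewer,manager
"""

REVIEW_DATE = date(2017, 9, 5)      # assumed date the review is run
REMOVAL_SLA = timedelta(days=3)     # assumed: access removed within 3 days of termination
DEPARTMENT_ROLES = {                # assumed role model, used to spot job/function changes
    "Finance": {"ap_clerk", "finance_admin"},
    "Programs": {"programs_viewer"},
}


def rows(text: str) -> list:
    return list(csv.DictReader(StringIO(text)))


def review_access(as_of: date = None) -> list:
    """Return (user_id, finding) pairs for every account that fails a control."""
    as_of = as_of or REVIEW_DATE
    hr = {r["emp_id"]: r for r in rows(HR_ROSTER)}
    approved = {(r["user_id"], r["role"]) for r in rows(APPROVALS)}
    findings = []
    for acct in rows(ACCOUNTS):
        uid, emp, role = acct["user_id"], acct["emp_id"], acct["role"]
        if not emp:                                  # unique-ID control: nobody is accountable
            findings.append((uid, "shared or unmapped ID"))
            continue
        person = hr.get(emp)
        if person is None:
            findings.append((uid, "no HR record for " + emp))
            continue
        if person["terminated"]:                     # timely-removal control
            term = date.fromisoformat(person["terminated"])
            overdue = (as_of - term) - REMOVAL_SLA
            if overdue > timedelta(0):
                findings.append((uid, "still active %d days past removal SLA" % overdue.days))
            if date.fromisoformat(acct["last_login"]) > term:
                findings.append((uid, "logged in after termination"))
        if (uid, role) not in approved:              # approval control
            findings.append((uid, "role %s has no documented approval" % role))
        dept = person["department"]
        if role not in DEPARTMENT_ROLES.get(dept, set()):   # job/function-change control
            findings.append((uid, "role %s does not fit department %s" % (role, dept)))
    return findings


if __name__ == "__main__":
    for uid, finding in review_access():
        print(uid, "-", finding)
```

The review deliberately does not remove anything itself; each finding goes back to the approving manager or HR, which keeps the review and the change in separate hands.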
IT Controls – Logical Access

- Data Classification

(Slide 36: data classification chart adapted from the AICPA presentation; no text was extracted from the image.)
IT Controls – Logical Access

- Logical Access Controls
  - Passwords
    - Complexity, change frequency, reuse, minimum length, lockout provisions, etc.
  - Application controls
    - Segregation of duties
    - File and folder level restrictions
  - Ensure proper level of physical/environmental controls
    - Access controls to office/server room
    - Ensure cooling, fire suppression, UPS for servers and key workstations
  - Limit administrator access to systems and applications
IT Risks – Network Security

- Lack of network infrastructure documentation
- Lack of firewalls and intrusion detection systems
- Improper review of the content of internet messages for appropriateness and to detect misuse of network resources
- Lack of processes over the updating of operating system “patches”
- Lack of reputable anti-virus, anti-spyware and anti-spam software
- Not performing vulnerability scans and penetration tests of critical systems
IT Controls – Network Security

- Develop and maintain up-to-date network diagrams
- Implement firewalls and intrusion detection systems
- Use content filtering controls to review the content of internet messages for appropriateness and to detect misuse of network resources
- Implement controls over the updating of operating system “patches”
- Use reputable anti-virus, anti-spyware and anti-spam software and routinely install updates as they become available
- Perform vulnerability scans and penetration tests of critical systems
IT Risks – Computer Operations

- Computer Operations Risks
  - Problems and Incidents
    - Identification
    - Recording
    - Tracking
    - Reporting
  - Job Processing
    - Unprocessed information
  - Operations Monitoring
    - “Not Watching the Store”
IT Controls – Computer Operations

- Computer Operations Controls
  - Problems and Incidents
    - Define and implement a problem management system to ensure that operational events are recorded, analyzed, escalated and resolved in a timely manner.
  - Job Processing
    - System processing jobs and batch feeds are documented in the IT Operations Manual.
  - Operations Monitoring
    - Daily operations checklists are used to assist in monitoring systems processing.
IT Risks – Backup and Disaster Recovery

- Backup and Disaster Recovery Risks
  - Loss of data
    - Customer information
    - Financial records
    - Intellectual property
  - Failure of key systems
    - Hardware failure
  - Loss of primary site
    - Natural disaster
    - Human error
    - Malicious activity
  - Access to backup data
IT Controls – Backup and Disaster Recovery

- Backup and Disaster Recovery Controls
  - Develop backup policy and disaster recovery plans
  - Backups
    - Tapes and disk arrays
  - Testing of backups and disaster recovery plan
    - Ensure files can be recovered when needed
  - Off-site storage
    - Tape shipment and replication
  - Disaster recovery sites
    - Hot, cold, other office location
  - Encrypt backup data and ensure access to media is limited to authorized personnel
Questions
Buchbinder NFP Practice

- Audits
  Financial statement audits are the core of our firm. Our technical experience, knowledge of non-profits and approach will help ensure that a timely, thorough audit is delivered with minimum disruption to your business.
- Preparation of Form 990
  Our partners and staff provide high technical expertise and extensive knowledge in all areas of tax and accounting for non-profit organizations.
- Advisory and Consulting
  We know regulations and requirements are increasingly becoming more stringent and complex, thus magnifying the need for specialized services. At Buchbinder, we will help you navigate through today’s business world so you can achieve your growth expectations.
Buchbinder NFP Practice

- Buchbinder Articles:
  - When Should You Report Grant and Contribution Revenues
  - The Nonprofit Life Cycle
  - Tips for Creating a Whistleblower Policy
- Buchbinder Social Media Channels:
  - Facebook
  - Twitter
  - LinkedIn
Contact Information

Ted Kirshenbaum, CPA
E-mail: tkirshen@buchbinder.com
Phone: 212-896-1931
LinkedIn

Michael Pinna, CPA
E-mail: mpinna@buchbinder.com
Phone: 212-896-1896
LinkedIn

VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 

IT-Risks-for-Non-profits-September-18SEPT17.pptx

  • 1. IT Risks for Non-Profits
  Accounting | Tax | Consulting
  September 2017

  • 2. Reasons to Have a Better Understanding of IT Controls and Risk
   Technology Is Pervasive
  – Almost all organizations use some type of electronic system to initiate, process, and record accounting-related transactions.
  – Use of the internet to send/receive e-mail and research information is second nature in today’s world. It is a must-have in order to do business.

  • 3. Reasons to Have a Better Understanding of IT Controls and Risk
   Technology Is Complex
  – Technology is always evolving in complexity and coverage. What is considered “simple” technology today relies on complex interactions of systems, networks, and applications to process and store information.

  • 4. Reasons to Have a Better Understanding of IT Controls and Risk
   Technology Is Vital to the Business
  – In many organizations, technology is a vital component of the business. Without a solid technology infrastructure to support the business, the business operations would be significantly impacted or not possible.

  • 5. What Is Cybersecurity?
   Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity.
   Ensuring cybersecurity requires coordinated efforts throughout an information system. Components of cybersecurity include:
  – Application security
  – Information security
  – Network security
  – Disaster recovery / business continuity planning
  – End-user education
   One of the most problematic components of cybersecurity is the rapid and constantly evolving nature of security risks.
  • 6. What Is Cybersecurity?
   According to a November 2016 paper prepared by the ERISA Advisory Council on Employee Benefit Plans: “Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when.” https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2016-cybersecurity-considerations-for-benefit-plans.pdf (page 30).
   70% of all breaches or stolen data are from an insider threat – KPMG 2016 Consumer Loss Barometer.

  • 7. Understanding Vulnerabilities
   In order to understand how to protect against cybersecurity risks, it is important to understand what is meant by a vulnerability and what some common types of vulnerabilities are.
  What is a vulnerability?
   A vulnerability is a system susceptibility or flaw. An exploitable vulnerability is one for which at least one working attack or “exploit” exists.
   Although cybersecurity is in the news a lot nowadays, the concept has been around since computers were first linked together in the 1960s.
   “The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage” by Clifford Stoll details a spy ring using cyberattacks in the 1980s.

  • 8. Understanding Vulnerabilities – Common Types of Vulnerabilities
  Backdoors
   Backdoors in a computer system are any secret method of bypassing normal authentication or security controls. They may exist for a number of reasons, including by original design or from poor configuration. They may have been added by an authorized party to allow some legitimate access, or by an attacker for malicious reasons.
   Think about the movie “War Games”. The backdoor password was Joshua.

  • 9. Understanding Vulnerabilities
  Denial-of-Service Attack
   Denial of Service attacks (“DoS”) are designed to make a machine or network resource unavailable to its intended users. Attackers can deny service by overloading the capabilities of a machine or network and block all users at once. While a network attack from a single IP address can be blocked by adding a new firewall rule, many forms of distributed denial of service (“DDoS”) attacks are possible, where the attack comes from a large number of points – and defending is much more difficult.
   A common attack in today’s environment.
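The slide notes that a flood from a single address can be blocked with a firewall rule once it is identified. The identification step is shown below as an added example (not part of the presentation): it counts requests per source address in a sliding window over web-server-style access-log lines and reports any source that exceeds a threshold. The log lines, the addresses (from documentation ranges) and the threshold are constructed for illustration; the blocking action itself is left to the firewall.

```python
"""Flag source addresses whose request rate exceeds a threshold.

Added example, not code from the presentation. Counts requests per
source IP in a sliding time window over access-log lines. Sample lines,
addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a common access-log layout (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2017:09:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [18/Sep/2017:09:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [18/Sep/2017:09:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [18/Sep/2017:09:00:01 +0000] "GET /donate HTTP/1.1" 200 2048
203.0.113.7 - - [18/Sep/2017:09:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [18/Sep/2017:09:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [18/Sep/2017:09:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [18/Sep/2017:09:00:45 +0000] "GET /about HTTP/1.1" 200 1024
203.0.113.7 - - [18/Sep/2017:09:01:30 +0000] "GET / HTTP/1.1" 200 512
"""

# Source address and bracketed timestamp at the start of each line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_lines(text):
    """Yield (source_ip, timestamp) pairs; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def flag_flooders(text, max_requests=5, window_seconds=10):
    """Return {ip: peak_count} for every source that made more than
    max_requests within any window_seconds-long window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for ip, ts in parse_lines(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, count in flag_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {count} requests inside a 10 s window (threshold 5)")
```

With the constructed sample, only 203.0.113.7 is reported (six requests within three seconds); the second address stays well under the threshold. The window and threshold are deliberately tiny so the sample is readable; production values depend on the service.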
  • 10. Understanding Vulnerabilities
  Direct-Access Attacks
   An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may also compromise security by making operating system modifications, installing software worms, key loggers and covert listening devices.
   Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption is designed to prevent these attacks.

  • 11. Understanding Vulnerabilities
  Direct-Access Attacks
   Ransomware is a form of a direct-access attack that holds the target data “hostage” until a “ransom”, usually in the form of an untraceable crypto currency such as Bitcoins, is paid.
   See next page for an example.
  Source: AICPA - “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.

  • 12. Understanding Vulnerabilities (image-only slide: ransomware example)

  • 13. Understanding Vulnerabilities
  Eavesdropping
   The act of surreptitiously listening to a private conversation, typically between hosts on a network. For instance, programs such as Carnivore have been used by the FBI and NSA to eavesdrop on the systems of internet service providers.
  Tampering
   This describes a malicious modification of products such as the planting of surveillance capability into routers, firewalls, and workstations.

  • 14. Understanding Vulnerabilities
  Spoofing
   A fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Examples of spoofing include:
  – CEO request for copies of all W-2s
  – CEO request for wire transfers out of the country
  – Vendor request for change of remittance address
  – Request by prospective donor or vendor (including CPAs) to review attached tax or account information
   See next page for an example.
  Source: AICPA - “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
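The spoofing examples above share a pattern: a message that displays a trusted name while the actual sender or reply address belongs to someone else. Below is an added example (not from the presentation) of the header checks a mail gateway or finance team could apply before acting on such a request: the display name is compared against a staff directory, the Reply-To domain against the From domain, and the From domain against the organization's own domain for lookalikes. The domain `example.org`, the staff directory and both messages are constructed assumptions.

```python
"""Flag e-mail headers that show common spoofing patterns.

Added example, not code from the presentation. Looks for (a) a display
name that belongs to a staff member while the address does not,
(b) a Reply-To domain that differs from the From domain, and (c) a From
domain that is a lookalike of the organization's domain. The domain,
directory and messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.org"                      # constructed: the NFP's real domain
KNOWN_STAFF = {"jane ceo": "jane@example.org"}  # constructed directory: name -> address

# Constructed message imitating the "CEO wire transfer" request on the slide.
SPOOFED = """\
From: Jane CEO <jane.ceo@examp1e.org>
Reply-To: jane.ceo@mail-relay.example.net
To: controller@example.org
Subject: Urgent wire transfer

Please send the wire today.
"""

# Constructed legitimate message from the real staff address.
LEGIT = """\
From: Jane CEO <jane@example.org>
To: controller@example.org
Subject: Board packet

Attached.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, real=OUR_DOMAIN):
    """True for domains within two edits of ours, or that embed our name."""
    if not domain or domain == real:
        return False
    return edit_distance(domain, real) <= 2 or real.split(".")[0] in domain


def spoof_indicators(raw_message):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    findings = []
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name matches staff but address differs")
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if from_dom != OUR_DOMAIN and is_lookalike(from_dom):
        findings.append("From domain is a lookalike of ours")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", spoof_indicators(raw) or ["no indicators"])
```

Header checks like these complement, rather than replace, the out-of-band callback to a known phone number that should precede any wire or remittance change; a message with zero findings can still be fraudulent.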
  • 15. Understanding Vulnerabilities (image-only slide: spoofing example)

  • 16. Understanding Vulnerabilities
  Privilege Escalation
   Describes a situation where an attacker with some level of restricted access is able to, without authorization, elevate their privileges or access level. For example, a standard computer user may be able to fool the system into giving them access to restricted data, or even to “become root” and have full unrestricted access to a system.
  Social Engineering
   This attack aims to convince a user to disclose secrets, such as passwords, card numbers, etc., by, for example, impersonating a bank, a contractor, a customer, or IT support person.

  • 17. Understanding Vulnerabilities
  Phishing
   This is an attempt to acquire sensitive information, such as usernames, passwords, and credit card details directly from users.
   Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
   Phishing can also be considered a form of social engineering.
   See next page for an example.
  Source: AICPA - “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.

  • 18. Understanding Vulnerabilities (image-only slide: phishing example)

  • 19. Understanding Vulnerabilities
  Clickjacking
   This is a malicious technique in which an attacker tricks a user into clicking on a button or link on another webpage while the user intended to click on the top level page. The attacker is basically “hijacking” the clicks meant for the top level page and routing them to some other irrelevant page, most likely owned by someone else.
   A similar technique can be used to hijack keystrokes. A user can be led into believing that they are typing the password or other information on some authentic webpage while it is being channeled into an invisible frame controlled by the attacker.
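Both variants described on the slide depend on the attacker being able to load the target page inside a frame on a page they control. The defence is therefore a response header that tells the browser who may frame the page: `X-Frame-Options` or, preferably, the `frame-ancestors` directive of `Content-Security-Policy`. The following added example (not from the presentation) classifies a set of response headers, so a donation portal or staff login page can be checked for the protection; the header sets are constructed for illustration.

```python
"""Check whether HTTP response headers stop a page from being framed.

Added example, not code from the presentation. Evaluates X-Frame-Options
and the Content-Security-Policy frame-ancestors directive, the two
headers browsers honour against clickjacking. Header sets below are
constructed for illustration.
"""

# Constructed examples: a page with no protection and a hardened one.
VULNERABLE_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",       # kept for older browsers; CSP wins where both exist
}
SAMEORIGIN_HEADERS = {"X-Frame-Options": "sameorigin"}


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers):
    """Classify a response as 'blocked', 'restricted' or 'open', with a reason."""
    ancestors = csp_frame_ancestors(_header(headers, "Content-Security-Policy"))
    if ancestors is not None:        # when both headers exist, browsers apply CSP
        if ancestors == ["none"]:
            return "blocked", "CSP frame-ancestors 'none'"
        if "*" in ancestors:
            return "open", "CSP frame-ancestors allows any origin"
        return "restricted", "CSP frame-ancestors " + " ".join(ancestors)
    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return "restricted", "X-Frame-Options SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return "open", "X-Frame-Options ALLOW-FROM is not honoured by current browsers"
    return "open", "no framing protection header"


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS),
                        ("hardened", HARDENED_HEADERS),
                        ("sameorigin", SAMEORIGIN_HEADERS)):
        status, reason = framing_protection(hdrs)
        print(f"{label}: {status} ({reason})")
```

To use this against a live site, pass the headers from an HTTP response (for example `dict(response.headers)` from the `requests` library) to `framing_protection`; the function itself performs no network access.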
  • 20. Understanding Vulnerabilities
   Expansion of new technologies causes overall cybersecurity risk to increase year after year.
   New technologies include the following:
  – Mobile devices and applications
  – Virtualization
  – Cloud-based technologies
  – Remote access to data
  – Multi-location work flows
  – “Internet of Things”

  • 21. How Can This Affect Non-Profits?
  A broad range of potential effects on organizations:
   NFP’s brand
   Donors/grantees
   Management/employees
   Accounting software
   Third-party administrators/record keepers
   Auditors, tax preparers, HR, facility managers
   Trustees, beneficiaries’ data
   Insurance providers
   Accounting firms’ clients
   And ANY third-party vendor you use in the course of business

  • 22. How Can This Affect Non-Profits?
   Donor registration forms
   Financial database/system configurations/passwords
   Checks/transaction logs/wire transfers
   W-2, 1099 & I-9 forms
   Employee information
   Quarterly participants’ statements, credit reports
   E-mail/digital media/text messages
   Any device (system and/or database) you use in daily operations

  • 23. Non-Profits Risk Factors
   NFPs are often using skeleton staffing models
   Organic growth is faster than IT security strength
   A lack of awareness of the level of sensitivity of data passing through the organization
   Three of the top five breach incidents by industry over the last four years impact the NFP sector:
  – Healthcare
  – Government
  – Education
   Laws and regulations

  • 24. Key Data Laws and Regulations
   In the U.S. you need to be aware of:
  – The Federal Trade Commission Act (“FTC Act”)
  – The Financial Services Modernization Act (“Gramm-Leach-Bliley Act”)
  – Health Insurance Portability and Accountability Act (“HIPAA”)
  – The Fair Credit Reporting Act
   EU will enact General Data Protection Regulation (“GDPR”).
  – Is a very vast and complicated act – it will impact the U.S.
  – Goes into force May 25, 2018
   The directive affects all companies that hold or use European personal data, whether that company is located in Europe or not.

  • 25. A Note on Cyber Liability Insurance
   Cyber insurance has become a growing part of insurance coverage for many organizations. The issuance of cyber insurance in the United States is believed to have evolved from the mid to late 1990s, and is still considered to be a developing segment of the insurance industry.
   Cyber policies cover both third-party liability for losses, lawsuits, and other damages, as well as first-party packages that may provide data breach response experts, credit monitoring, public relations and technical assistance for response and recovery.
   The use of cyber liability insurance can be part of the organization’s approach to cyber risk, but due to most plans’ coverage limitations, should not be the only option employed.

  • 26. What Is Risk?
   As defined by Merriam-Webster online:
  1: possibility of loss or injury: peril
  2: someone or something that creates or suggests a hazard
  3 (a): the chance of loss or the perils to the subject matter of an insurance contract; also: the degree of probability of such loss (b): a person or thing that is a specified hazard to an insurer <a poor risk for insurance> (c): an insurance hazard from a specified cause or source <war risk>
  4: the chance that an investment (as a stock or commodity) will lose value

  • 27. What Is Risk?
   Therefore, risk can be:
  A. Negative
  B. Positive
  C. Detrimental
  D. All of the Above
   But risk needs to be managed or addressed!

  • 28. What Are Controls?
   Internal control over financial reporting consists of company policies and procedures that are designed and operated to provide reasonable assurance about the reliability of a company’s financial reporting and its process for preparing and fairly presenting financial statements in accordance with generally accepted accounting principles. It includes policies and procedures for maintaining accounting records, authorizing receipts and disbursements, and the safeguarding of assets. (AS #2)

  • 29. Risk and Controls
   Controls are implemented to help manage and mitigate risk.
   The following slides will present basic IT risks and detail how standard IT controls can mitigate the documented risk.
   The controls are not overly technical in nature and are the basic building blocks for a solid IT control environment.

  • 30. IT Risks – Entity Level Controls
   Lack of IT oversight by management
   Lack of, or informal, IT policies on security and operations
   Compliance with laws and regulations regarding information security and privacy
   Lack of IT infrastructure inventory, including software and hardware used (both onsite and remotely)
   Lack of an incident response plan to respond to any information security incidents
   Monitoring of third-party service providers

  • 31. IT Controls – Entity Level Controls
   Develop an IT Steering Committee to prioritize, review and monitor information technology needs
   Formalize IT policies and train staff on their content
   Identify and ensure compliance with laws and regulations regarding information security and privacy
   Develop an IT infrastructure inventory
   Adopt an incident response plan and establish a team to respond to any information security incidents
   If relying on third-party service providers, obtain the service auditor’s (“SOC”) report and ensure all recommended security, availability and privacy controls are in place

  • 32. IT Risks – Change Management
   Change Management Risks
  – Integrity of production environment: changes that haven’t been well tested can have an unexpected impact on systems
  – Integrity of the financial information: inaccurate data mapping can cause inaccurate reporting; unintended changes to financial data
  – Availability of the systems: can cause business process disruptions and loss of revenue

  • 33. IT Controls – Change Management
   Change Management Controls
  – Processes and procedures for changes: documented requirements; tracking of all requests; analysis of systems that will be impacted; security implications
  – Testing: developer; user
  – Management approvals prior to implementation
  – Segregation of duties: the same person can’t approve and implement changes; developers do not have update access to the production environment

  • 34. IT Risks – Logical Access
   Logical Access Risks
  – Access to financial applications: fraud; inaccurate information leading to poor business decisions; inappropriate access (e.g., payroll, intellectual property)
  – Access to key production applications: all of the above and disruption of the business processes
  – Access to the network: disruption of the business processes; reputation risk

  • 35. IT Controls – Logical Access
   Logical Access Controls
  – Approval process for requesting access: document approval from HR and/or manager
  – Grant access only to appropriate personnel based on business needs. See next slide as adapted from the AICPA - “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits” presentation given by Anthony Hargreaves and G. Bliss Jones, for the Not-for-Profit section.
  – Unique user IDs for accountability
  – Periodic review of access: job/function changes; removal of access; timely notification
  – Encrypt data on servers, workstations, and mobile devices

  • 36. IT Controls – Logical Access
   Data Classification (image-only slide)

  • 37. IT Controls – Logical Access
   Logical Access Controls
  – Passwords: complexity, change frequency, reuse, minimum length, lockout provisions, etc.
  – Application controls: segregation of duties; file and folder level restrictions
  – Ensure proper level of physical/environmental controls: access controls to office/server room; ensure cooling, fire suppression, UPS for servers and key workstations
  – Limit administrator access to systems and applications
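The password bullet on the slide lists the knobs (complexity, change frequency, reuse, minimum length, lockout) without showing how they combine. The following added example (not from the presentation) is a small in-memory account store that enforces all five: a compliant password must meet the length and character-class rules, may not match any of the retained previous hashes, expires after a maximum age, and repeated failed logins lock the account for a cooling-off period. Every threshold and the reference time `NOW` are constructed assumptions; substitute the values your policy mandates.

```python
"""Enforce a password policy: length, complexity, reuse, age and lockout.

Added example, not code from the presentation. Thresholds and the
reference time are constructed assumptions.
"""
import hashlib
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12
HISTORY_SIZE = 5                     # current + previous hashes retained for the reuse check
MAX_FAILURES = 5                     # failed logins before lockout
LOCKOUT = timedelta(minutes=15)
MAX_AGE = timedelta(days=90)         # "change frequency"
NOW = datetime(2017, 9, 18, 9, 0)    # constructed reference time for the demo


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256; stored instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complexity_errors(password):
    """Return a list of policy violations (empty list means compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        errors.append("needs three of: lower, upper, digit, punctuation")
    return errors


class Account:
    def __init__(self, username, password, now=NOW):
        self.username = username
        self.history = []            # list of (salt, hash), newest last
        self.failures = 0
        self.locked_until = None
        self.changed_at = None
        ok, msg = self.set_password(password, now)
        if not ok:
            raise ValueError(msg)

    def set_password(self, new, now):
        """Apply complexity and reuse rules, then store a fresh salted hash."""
        errs = complexity_errors(new)
        if errs:
            return False, "; ".join(errs)
        for salt, digest in self.history:
            if _hash(new, salt) == digest:
                return False, f"matches one of the last {HISTORY_SIZE} passwords"
        salt = os.urandom(16)
        self.history.append((salt, _hash(new, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_at = now
        return True, "password changed"

    def login(self, password, now):
        """Verify the password, counting failures and honouring the lockout."""
        if self.locked_until and now < self.locked_until:
            return False, "account locked"
        salt, digest = self.history[-1]
        if _hash(password, salt) != digest:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT
                return False, "account locked after repeated failures"
            return False, "bad password"
        self.failures = 0
        if now - self.changed_at > MAX_AGE:
            return True, "password expired; change required"
        return True, "ok"


if __name__ == "__main__":
    acct = Account("jdoe", "Correct-Horse-42")
    for _ in range(MAX_FAILURES):
        print(acct.login("guess", NOW))
    print(acct.login("Correct-Horse-42", NOW))             # still locked
    print(acct.login("Correct-Horse-42", NOW + LOCKOUT))   # lockout expired
    print(acct.set_password("Correct-Horse-42", NOW))      # reuse rejected
```

The lockout counter resets only on a successful login, so an attacker cannot avoid it by pacing attempts below the threshold once failures have accumulated; the trade-off is that a lockout also affects the legitimate user, which is why the slide's "lockout provisions" should be paired with a documented unlock process.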
  • 38. IT Risks – Network Security
   Lack of network infrastructure documentation
   Lack of firewalls, intrusion detection systems
   Improper review of the content of internet messages for appropriateness and to detect misuse of network resources
   Lack of processes over the updating of operating system “patches”
   Lack of reputable anti-virus, anti-spyware and anti-spam software
   Not performing vulnerability scans and penetration tests of critical systems

  • 39. IT Controls – Network Security
   Develop and maintain up-to-date network diagrams
   Implement firewalls and intrusion detection systems
   Use content filtering controls to review the content of internet messages for appropriateness and to detect misuse of network resources
   Implement controls over the updating of operating system “patches”
   Use a reputable anti-virus, anti-spyware and anti-spam software and routinely install updates as they become available
   Perform vulnerability scans and penetration tests of critical systems

  • 40. IT Risks – Computer Operations
   Computer Operations Risks
  – Problems and Incidents: identification; recording; tracking; reporting
  – Job Processing: unprocessed information
  – Operations Monitoring: “Not Watching the Store”

  • 41. IT Controls – Computer Operations
   Computer Operations Controls
  – Problems and Incidents: define and implement a problem management system to ensure that operational events are recorded, analyzed, escalated and resolved in a timely manner.
  – Job Processing: system processing jobs and batch feeds are documented in the IT Operations Manual.
  – Operations Monitoring: daily operations checklists are used to assist in monitoring systems processing.

  • 42. IT Risks – Backup and Disaster Recovery
   Backup and Disaster Recovery Risks
  – Loss of data: customer information; financial records; intellectual property
  – Failure of key systems: hardware failure
  – Loss of primary site: natural disaster; human error; malicious activity
  – Access to backup data

  • 43. IT Controls – Backup and Disaster Recovery
   Backup and Disaster Recovery Controls
  – Develop backup policy and disaster recovery plans
  – Backups: tapes and disk arrays
  – Testing of backups and disaster recovery plan: ensure files can be recovered when needed
  – Off-site storage: tape shipment and replication
  – Disaster recovery sites: hot, cold, other office location
  – Encrypt backup data and ensure access to media is limited to authorized personnel
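"Ensure files can be recovered when needed" is a test, and a test needs evidence. The added example below (not from the presentation) shows the minimum that a restore test should produce: a per-file SHA-256 manifest taken before the backup, a restore into a separate location, and a comparison that lists missing or altered files. The data set (a constructed ledger and donor list written to a temporary directory) and the tar.gz archive format are assumptions; the same check applies to tape or array backups once the restored files are on disk.

```python
"""Prove that a backup can be restored by comparing file digests.

Added example, not code from the presentation. Builds a constructed
sample data set in a temporary directory, archives it, restores it
elsewhere and compares SHA-256 digests per file. Also demonstrates that
a corrupted restore is reported rather than silently accepted.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> SHA-256 digest for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def make_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return manifest(source_dir)


def restore_backup(archive_path, target_dir):
    """Extract the archive into target_dir and return the restored manifest."""
    # Use the safer 'data' extraction filter where this Python provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(target_dir, **kwargs)
    return manifest(target_dir)


def verify_restore(expected, restored):
    """Return (ok, missing_paths, mismatched_paths) comparing two manifests."""
    missing = sorted(p for p in expected if p not in restored)
    mismatched = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return (not missing and not mismatched), missing, mismatched


def run_restore_test():
    """End-to-end restore test on constructed data; returns (clean_result, corrupted_result)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("date,account,amount\n2017-09-18,donations,1500.00\n")  # constructed
        with open(os.path.join(src, "donors.txt"), "w") as f:
            f.write("constructed donor list\n")
        archive = os.path.join(work, "backup.tar.gz")
        expected = make_backup(src, archive)
        restore_dir = os.path.join(work, "restore")
        restored = restore_backup(archive, restore_dir)
        clean = verify_restore(expected, restored)
        # Simulate a damaged restore: one restored file is altered afterwards.
        with open(os.path.join(restore_dir, "donors.txt"), "a") as f:
            f.write("corruption\n")
        corrupted = verify_restore(expected, manifest(restore_dir))
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = run_restore_test()
    print("clean restore:", clean)
    print("corrupted restore:", corrupted)
```

Keeping the backup-time manifest separate from the archive (for example with the off-site copy the slide recommends) is what lets a later restore be checked independently; if the only record of what was backed up lives inside the backup itself, a damaged archive cannot be distinguished from a complete one.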
  • 44. Questions
   ??????????

  • 45. Buchbinder NFP Practice
   Audits: Financial statement audits are the core of our firm. Our technical experience, knowledge of non-profits and approach will help ensure that a timely, thorough audit is delivered with minimum disruption to your business.
   Preparation of Form 990: Our partners and staff provide high technical expertise and extensive knowledge in all areas of tax and accounting for non-profit organizations.
   Advisory and Consulting: We know regulations and requirements are increasingly becoming more stringent and complex, thus magnifying the need for specialized services. At Buchbinder, we will help you navigate through today’s business world so you can achieve your growth expectations.

  • 46. Buchbinder NFP Practice
   Buchbinder Articles:
  – When Should You Report Grant and Contribution Revenues
  – The Nonprofit Life Cycle
  – Tips for Creating a Whistleblower Policy
   Buchbinder Social Media Channels:
  – Facebook
  – Twitter
  – LinkedIn

  • 47. Contact Information
  Ted Kirshenbaum, CPA – E-mail: tkirshen@buchbinder.com – Phone: 212-896-1931 – LinkedIn
  Michael Pinna, CPA – E-mail: mpinna@buchbinder.com – Phone: 212-896-1896 – LinkedIn