Technology
Risk Ready
https://iaonline.theiia.org/2015/risk-ready
<h2>What IT risks are you most concerned about?</h2><p>Cyberthreats, data, and legacy technology are our current areas of focus. Cybersecurity is a hot topic within Citi and with our regulators globally, so our focus on cybersecurity is around how the company gathers threat intelligence and responds to that information, as well as how it reacts to incidents. The data governance coverage is targeted to maintaining the quality and integrity of data. Finally, we maintain a view on how the legacy technology and systems are being controlled.</p><h2>How is Citi’s internal audit department addressing the increasing number of sophisticated attacks?</h2><p>Citi Internal Audit has a strong base of knowledgeable IT auditors with extensive technology expertise. That said, we recognize the difficulty in maintaining the same level of expertise as the attackers, or even security professionals. Therefore, we maintain close contact with the Citi Information Security Office and the processes that they operate to identify threats and respond to them proactively. We assess those processes for effectiveness, rather than trying to identify all of the emerging risks ourselves.</p><h2>How is internal audit reviewing the security of third-party providers when you are facing more regulatory pressure?</h2><p>Citi uses a large number of third-party providers, and Citi Internal Audit carefully assesses the processes that are used by the organization to review third parties such as the information security assessment. Additionally, we audit the end-to-end processes as operated by these vendors. Finally, internal audit selects a sample of critical vendors and conducts on-site audits of their controls on a cyclical basis.</p>
Staff
Editor's Note: Are You Cyber Literate?
https://iaonline.theiia.org/2015/editors-note-are-you-cyber-literate
<p>As organizations adopt new approaches to information management and access, internal audit departments face increasingly complex challenges in helping address the related risks. In fact, a new report from The IIA’s Global Internal Audit CBOK research, Navigating Technology’s Top Risks: Internal Audit’s Role, identifies several of those risk areas, including IT governance, use of mobile devices, and social media. It also highlights the importance of increased internal audit awareness of these areas, and of strengthening IT audit capabilities.</p><p>These two priorities are stressed as well in this month’s cover story, “The Cybersecurity Imperative.” The rising number of cyberattacks against well-known companies — and the changing nature and source of those attacks — has gotten the board’s attention. Boards now want to know what the risks are to their organization, how it is protecting cyber assets, and whether it is capable of stopping attacks. In many cases, they’re turning to the internal audit function for assurance. If auditors are going to provide that assurance, says author Tim McCollum, they’ll need to increase their awareness of the latest threats and ensure they have the right skills.</p><p>Similarly, “Protecting Customer Data,” by Michael Levy, discusses the role auditors must play in ensuring data privacy. Levy examines internal audit’s involvement in terms of risk assessment, governance, and security benchmarking, as well as training. He says auditors can leverage guidance material and other resources to help familiarize themselves with these areas and perform data security audits.</p><p>Organizational IT risks, however, are only part of the technology learning curve many auditors face. Practitioners may also struggle to stay abreast of technology specific to the profession, some of which has become essential to their work. As author Dave Coderre says of data analytics, the technology is “no longer a nice-to-have, but a requirement” (see “Gauge Your Analytics”). In discussing the “people” side of analytics, Coderre’s feature emphasizes the importance of having the right technical skills in the audit department, as well as business process knowledge.</p><p>The need for technology expertise — in both audit tools and organizational IT — will only increase. Cyberattacks are on the rise, privacy is becoming more and more difficult to protect, and the volume and complexity of data internal auditors must analyze continues to grow. All of these factors point to the importance of awareness and education. In fact, IIA Global Chairman Larry Harrington’s theme for the coming year, “Invest in Yourself,” centers on that very notion. He stresses the importance of skill-building and lifelong learning — even if it requires an investment of one’s own time and money. The message seems especially apt for technology, where change and the need to adapt are an organizational constant.</p>
David Salierno
The Cybersecurity Imperative
https://iaonline.theiia.org/2015/the-cybersecurity-imperative
<p>They were warned. Computer hackers, nations, organized criminals, and malicious employees were after their data — using malware, email phishing, social engineering, and old-school hacking. But whenever an organization fell victim, the response of their peers often was, "It couldn't happen here."</p><p>Then the biggest prey began to fall — the Target breach in December 2013, then Home Depot, JPMorgan Chase, Sony, Anthem, the U.S. Internal Revenue Service, and U.S. Office of Personnel Management. Now cybersecurity has the attention of corporate boards. Now directors want to know whether the business' data and digital assets are protected, what the threats are, and whether the organization can respond. "Virtually any organization can be hacked by a determined adversary," says Eddie Schwartz, chief operating officer of cybersecurity firm WhiteOps in New York and chairman of ISACA's Cybersecurity Task Force. "These attacks have reaffirmed to directors and C-level executives that cybersecurity has to be top-of-mind for themselves and for their people."</p><p>But the answers to the board members' questions may not be what they want to hear: It's not a matter of whether the organization has had a breach; it's a matter of when and whether it was detected in time. Information security research firm Ponemon Institute reports that the mean time for large organizations to detect a security breach is 206 days, while information security firm Trustwave says up to 71 percent of incidents go undetected. Equally troubling, less than half of IT professionals and IT auditors surveyed recently by ISACA and RSA Conference are confident their organization could detect and respond to a serious breach.
</p><p>In many organizations, boards and senior executives are turning to internal audit for assurance about the strength of their cybersecurity defense and response capabilities to protect against financial, operational, and reputational damage. If internal audit is going to meet this need, auditors will need to quickly get up to speed on the latest threats and raise their cybersecurity skills.</p><h2>The Board Is Asking Questions</h2><p>This year for the first time, cybersecurity broke into the top 10 risk priorities of respondents to Aon's Global Risk Management Survey, coming in ninth. Travelers Business Risk Index ranks it No. 2. Small wonder then that 80 percent of public company board members report their board discusses cybersecurity at most or all board meetings, according to a recent survey by New York Stock Exchange Governance Services and security vendor Veracode.</p><p>Such discussions have been a regular part of the board agenda at Huntington Ingalls Industries since the company spun off from defense contractor Northrop Grumman Corp. in 2011, says Scott Stabler, vice president of internal audit for the Newport News, Va.-based company. Because the bulk of its business is government defense contracting, the company has long been concerned with ensuring tight control over data, information systems, and access. "It's something that's central to the way we think about the business," he explains. </p><p>These days the board is asking Stabler and the company's IT leaders how the cybersecurity threat is evolving and what is being done to protect data, respond to the latest threats, and ensure the company's ability to continue to do business. 
More recently, as Huntington Ingalls has expanded beyond its two shipyards into environmental and energy markets, management has been considering how to come up with a common organizationwide approach to cybersecurity in a more diverse operating environment and tailor market-appropriate cybersecurity solutions for each business. "The board wants to understand how our audit program gets at these issues," Stabler says. "They ask about what kinds of things we find as we do our audit and what kinds of recommendations and corrective actions we are putting into play with our counterparts in IT."</p><p>Michael Corey, U.S. internal technology audit services leader at PricewaterhouseCoopers (PwC) in San Francisco, says in today's risk environment, board members should be asking their organization's executives, IT leaders, and internal auditors three basic questions: What is the organization's risk? What is it doing about that risk? And, is it doing enough? "Most of the boards that we interact with are trying to understand one of those three questions," he says.</p><table cellspacing="0" class="ms-rteiaTable-default" style="width:100%;"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p><strong>The Cost of Cybersecurity</strong></p><p>As with all risk considerations, the cyberrisk discussion ultimately must address costs. How much should the organization invest in cybersecurity controls and other measures? How much will a serious breach cost the organization? Organizations often struggle to determine whether the cost of cybersecurity is worth the investment.</p><p>Consider Sony.
In a 2007 interview with <em>CIO Magazine</em>, the Sony Pictures’ executive director of information security at that time said, “I will not invest US$10 million to avoid a possible US$1 million loss.” Sony now estimates that the financial cost of investigating and remedying last year’s breach so far is US$15 million, according to a March 30 <em>Fortune</em> article.</p><p>Not surprisingly, organizations are expected to spend US$76.9 billion on cybersecurity this year worldwide, up from US$71.1 billion in 2014, according to research firm Gartner. However, in its latest Global State of Information Security Survey, PricewaterhouseCoopers (PwC) reports that cybersecurity budgets decreased 4 percent in 2014, with companies with less than US$100 million in revenues spending 20 percent less than in 2013.</p><p>Meanwhile, Ponemon Institute’s 2015 Cost of Data Breach Study puts the average cost of an information security breach at a large company at US$154 per record. A similar study by Verizon, however, estimates the cost at just 58 U.S. cents per record.</p><p>One trend PwC’s Michael Corey sees is a move away from investing in preventing incidents and toward quicker detection. In today’s threat environment, prevention can be like “putting another deadbolt lock on a screen door,” he says. Some of the headline-making breaches weren’t detected for as long as 15 months. “If you can identify the threat actor in your environment and shut it down in a short period of time, it doesn’t give that threat actor time to learn about the information flow and where it resides,” he says. “They’re significantly hampered in their ability to extract value.”</p></td></tr></tbody></table><p>The organization's cyberrisk profile drives resource allocation decisions (see "The Cost of Cybersecurity" above). 
"Ultimately what boards, audit committees, and executive management teams are faced with is understanding what the risk profile is and determining how many resources they're going to allocate to manage those risks," he explains.</p><p>The National Association of Corporate Directors' (NACD's) 2014 handbook, Cyber-risk Oversight, discusses five principles that should guide boards' cyberrisk discussions. Chief among these is treating cybersecurity as an enterprisewide risk, rather than an IT risk. Additional principles cover the legal implications of cyberrisks, seeking advice from cybersecurity experts, establishing a cyberrisk management framework, and discussions with management about which risks to avoid, mitigate, or transfer. A 2014 IIA/ISACA research report, Cybersecurity: What the Board of Directors Needs to Ask, uses the NACD's cyberrisk principles as the basis for board inquiries about cyberrisk (see "Six Questions From the Board,​" below right).</p><h2>A Common Language</h2><p>Just because boards are asking questions about cybersecurity doesn't mean they are getting the information they seek or understanding the answers they receive. In a recent Raytheon survey, 78 percent of information security officers say their board hasn't been briefed about cybersecurity in the past 12 months. And just 62 percent of C-level executives of large U.S. companies surveyed by Tripwire consider their board to be "cybersecurity literate," with 32 percent saying the board has a good understanding of information security issues. </p><p>But knowledge gaps work both ways, says David Meltzer, chief research officer at Tripwire, based in Portland, Ore. "Most boards and C-level executives would say they are cybersecurity literate today, and they probably wouldn't have said that five years ago," he explains. "But if you ask that question at the risk level — 'How much do the IT professionals know about risk and governance?' 
— it may not be as much."</p><p>Bridging those gaps is difficult because there is no generally accepted cybersecurity framework, Meltzer says. Instead the board, management, IT, information security, and internal audit may all have their own points of reference. Meltzer and other security experts recommend establishing a common framework that enables everyone in the organization to speak the same language about cyberrisk. Among the many frameworks are the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, the International Organization for Standardization's ISO 27001, and ISACA's COBIT. Organizations may also be subject to specific cybersecurity requirements included in the U.S. Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, and similar industry regulations or standards.</p><p>Late last year, Travis Finstad and his internal audit team at Zions Bancorporation in Salt Lake City used the NIST Cybersecurity Framework to perform an organizationwide cybersecurity health check. The auditors rated the company's maturity in each of the framework's five domains on a five-point scale, noting what security controls were in place and whether there were any opportunities for improvement. Finstad, Zions' senior vice president and director of internal audit, shared their report with the board, management, and the IT department. The health check and a common framework helped the board and management have a common understanding of the organization's cybersecurity risk landscape, strategy, and controls. "Cybersecurity is a business risk," Finstad says. "Once an incident happens, then it's about how you are going to respond and communicate with the public and your customers. These are things you want to have discussed and practiced before an event occurs."</p><p>The framework also provides a basis for working with the information security team. 
"Having a framework gives them a way to measure their progress, and it gives us a way to comment on it," he says. "Just as the hackers are constantly evolving with their methods and technology, we need to do the same."</p><h2>Getting at Cyberrisk</h2><p>As the NACD guidance recommends, organizations increasingly are treating cybersecurity as an enterprisewide risk. Pervez Bamji, vice president and general auditor at technology company Pitney Bowes in Stamford, Conn., says cybersecurity is firmly part of its enterprise risk management program and internal audit universe. "There is no audit or review that you do in this day and age that is not security related," he explains. </p><p>Like many boards, Pitney Bowes' directors are concerned with protecting the company's data (see "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=ea9b2d02-d619-4a8b-b8e0-b9adff1dfc6b">Protecting Customer Data</a>"). Its internal auditors start by looking at cyberrisk at an organizational level. They conduct an inventory of the company's data assets to determine what data needs to be protected and how it is currently being protected. Another consideration is who the data must be protected from — both outside and inside the company. From there, auditors review policies and procedures over data and how the organization monitors compliance with them. Another general concern is how the company educates employees about data security, an area where many organizations fall short (see "The Trouble With Awareness Training" at the end of this article). Next, they drill down to the specific technical details such as whether the organization is updating patches, performing reviews of firewalls and data centers, and reviewing the security that third parties have in place.</p><p>This detailed approach requires ongoing collaboration and discussions with the IT and information security functions. 
"You can't work without having a close relationship," Bamji says. "That's not to say we don't have different points of view now and then. But we can learn from them and they can learn from us."</p><p>That collaboration needs to extend to cybersecurity stakeholders throughout the organization. At Huntington Ingalls cybersecurity involves information security, human resources, and compliance personnel. "IT alone is not going to solve the cyber riddle," Stabler says. </p><p>Another good practice is benchmarking cybersecurity against other organizations in the same industry or that are of the same size. Industries such as energy, financial services, and technology have information sharing and analysis centers where companies can share information about the latest information security threats and benchmark their practices against others. Moreover, the U.S. government has announced plans to create centers that encourage companies to share threat and breach information with the government in hopes of improving cybersecurity nationally. "There's a lot of interest in hearing what other organizations are doing and ultimately using that information to better protect U.S. companies," says PwC's Corey, who participated in discussions about the centers at the RSA Conference in April. </p><p>Meltzer suggests another tactic: war-gaming. When a breach happens to another company, internal auditors and cybersecurity professionals should perform simulations to see how those attacks succeeded, whether a similar attack could happen to their organization, what it would have cost the organization, and whether the organization would have responded differently. "That can give you some concrete information that the board understands," he says. 
</p><h2>Facing the Talent Shortage</h2><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p><strong>Six Questions From the Board</strong></p><p>The joint IIA/ISACA research report, Cybersecurity: What the Board of Directors Needs to Ask, uses the NACD’s Cyber-risk Oversight guide as a starting point for determining what boards should be asking management and internal audit. Author Sajay Rai, CEO of Securely Yours, lists six questions:</p><ul><li> Does the organization use a cybersecurity framework?<br></li><li> What are the organization’s top five cybersecurity risks?<br></li><li> How are employees made aware of their role in cybersecurity?<br></li><li> Does the organization consider external and internal threats when planning cybersecurity program activities?<br></li><li> How does the organization manage information security governance?<br></li><li> In the event of a serious breach, has management developed a robust response protocol?<br></li></ul><p> In August, The IIA and ISACA will release a new research report, the Cyber-resilient Enterprise: What the Board of Directors Needs to Ask.</p></td></tr></tbody></table><p>One issue CAEs are talking about with their peers is how challenging it is to hire and retain auditors with cybersecurity knowledge. "When I go to industry forums, I hear the moaning of the damned as people describe the search to find those experts," Stabler says.</p><p>That's a problem they share with IT executives. There are an estimated 600,000 unfilled information security jobs worldwide. Nearly half of the respondents to the ISACA/RSA Conference Security survey say 25 percent or fewer of candidates for information security jobs are highly qualified for those positions, and job openings can remain unfilled for as long as six months. 
</p><p>Stabler suspects he'll be testing the waters soon, while Finstad says he's always on the lookout for IT audit talent at Zions. Recruiting qualified IT auditors is less of a worry for Bamji at Pitney Bowes, because candidates often are attracted to working at technology companies.</p><p>While there is a shortage of candidates with advanced security skills, one of the biggest shortcomings of security professionals is business skills, Schwartz notes. This can make it hard for IT security personnel to communicate technical issues to the board and management. "There's often a perception that there's not a relationship between what really matters to business leaders and C-level executives and what constitutes success in the technical IT realm," he says.  </p><p>Enlisting the communication function to help translate can be of value, as the internal audit and IT functions at Pitney Bowes have done. But Schwartz says this is an area where internal audit can build a bridge between organizational leaders and the IT function. To do this, internal audit will need to find and enhance its cybersecurity knowledge. </p><p> <strong>Training and Certification</strong> Internal audit functions can obtain cybersecurity training through webinars, seminars, and conferences. Cybersecurity is among the training auditors at Huntington Ingalls must pursue as part of their annual continuing education, which helps the department supplement the expertise of its one IT specialist. Pitney Bowes has the luxury of five IT auditors, but Bamji is now considering having all of his team members pursue IT certifications.<br><br><strong>Recruit Cybersecurity Specialists</strong> Internal audit departments that lack IT auditors can gain expertise by hiring cybersecurity experts and then training them in internal audit. In some cases, they may bring in experts from their organization's IT function on a rotational basis, as Stabler is considering doing at his company. 
<br><br><strong>Outsourcing/cosourcing</strong> Similarly, internal audit departments can bring in expertise from outside firms. This can enable them to benefit from economies of scale, as the outside advisers often possess knowledge about current threats and control strategies culled from working with other clients, Schwartz says. Organizations may assign some pieces of cybersecurity audits such as operational aspects to outside experts, while keeping more sensitive aspects in-house. <br><br><strong>Automate</strong> Much of the information security audit process can be very manual, involving going through logs and gathering information for analysis. Increased use of audit analytics and other technologies can streamline the work and time involved, enabling auditors to focus on their analysis, Meltzer says.</p><h2>Making It Top of Mind</h2><p>With security breaches becoming more common and striking bigger targets, it's easy to think the public will become desensitized to them and the reputational risk might be diminished. "The Target breach made big news," Meltzer says. "But will the 50th retailer to have millions of records breached still be big news?"</p><p>That still leaves the financial and operational damage from losing data and remedying security breaches. But Meltzer is optimistic that more organizations will begin to tie their cybersecurity programs to real risks and implement more effective security controls. This may enable them to detect breaches more quickly before the damage is done and perhaps even prevent future attacks. </p><p>The demand for internal audit to advise and provide assurance on cybersecurity isn't likely to abate. The cyberthreats are coming from all sides, and the attackers only have to be successful once. "Don't let down your guard," Bamji says. "Cybersecurity has to become second nature — and not just for technology audits, but with everything we do." 
</p><table width="100%" cellspacing="0" class="ms-rteiaTable-6"><tbody><tr class="ms-rteiaTableEvenRow-6"><td class="ms-rteiaTableEvenCol-6" style="width:100%;"><p><strong>The Trouble With Awareness Training</strong></p><p>Nonmalicious insiders are one of the biggest cyber threats organizations face. Employees mean well, but they often fall prey to phishing emails and social media messages that can provide a gateway for an attack on the organization. </p><p>Historically one of the first things cybersecurity companies and advocates advise organizations to do to protect themselves is establish an information security awareness and training program for employees, contractors, business partners, and even customers. But the recent ISACA/RSA Security survey reveals a troubling finding: Organizations that have such programs actually suffer more security breaches.</p><p>Eddie Schwartz, chairman of ISACA’s Cybersecurity Task Force, says the problem may be that some awareness programs don’t provide much training at all. Instead, many may ask participants to read some information online or sit through a session on security, answer a few questions, and then sign off that they’ve completed the program. “That’s great, but that’s no evidence that a person is going to behave properly in a situation where they receive an email with some malware in it,” he says.</p><p>Instead, Schwartz says training should take participants through various types of security scenarios such as receiving a phishing message. Then, the organization should test what they’ve learned by sending users phishing emails that are targeted at someone in their job position and measuring whether they respond to them. Targeting employees with messages based on their actual job function is important, because the way the organization will address an attack may differ depending on the sensitivity of the department, Schwartz says. 
If participants fail the test, the organization should provide remedial training and explain why they went wrong. “Continue to hammer at that until it really does improve,” he advises.</p><p> PwC’s Michael Corey says he’s beginning to see some of his clients perform this kind of training and that it delivers positive results. “What I like about these types of exercises is you’re touching the user base and you can get back to them with very specific data,” he says. “That’s a powerful statement that connects back to a specific behavior that you’re trying to modify.” </p></td></tr></tbody></table><p>The shortage of information security professionals has many organizations looking to high schools and middle schools. Read "The Next Generation of Cybersecurity Experts."</p>
Tim McCollum
The Next Generation of Cyber Experts
https://iaonline.theiia.org/2015/the-next-generation-of-cyber-experts
<p>The text messages come flying fast any time there is a cybersecurity scare, but James Brahm and his friends can't always respond as quickly as their employer would like. They're still in class. "Sometimes they forget we're in high school," the Huntsville, Ala. teen recently told CBS News.</p><p>That's a sign of how much demand there is for information security professionals. Increasingly organizations are looking to universities and high schools to help fill that need. Alarmed by the shortage, new initiatives aim to increase the pipeline of cybersecurity talent by developing people as young as possible. </p><p>"When young people are considering which way they want their career to go, cybersecurity is a challenging and rewarding area," says Eddie Schwartz, chief operating officer with security firm WhiteOps in New York and chairman of ISACA's Cybersecurity Task Force. "The criminals and bad guys aren't going to let up anytime in the foreseeable future."</p><p>The shortage of security professionals has both national security and corporate security implications, says Ret. Gen. Bernie Skoch, commissioner for the CyberPatriot program at the Air Force Association (AFA), a Washington, D.C. organization that advocates for the U.S. Air Force. "This isn't just a Department of Defense issue," he says. "This is a Wal-Mart issue, a General Motors issue, and a Delta Air Lines issue." </p><p>Skoch says it's important to attract students into science, technology, engineering, and mathematics (STEM) programs at an early age, perhaps even before high school. By the time they reach college, it's too late because they may not have taken the needed math and science courses. But these students often face a peer pressure barrier: STEM isn't considered cool. 
"We've learned that students in high school are already predisposed when they walk into their freshman year," Skoch says. "They say 'I'm not a geek.' They want to do other things. But we need that talent."</p><h2>Discovering Security Talent</h2><p>The AFA started its CyberPatriot competition for high school and middle school students in 2008 in response to reports that U.S. high school students were falling behind the rest of the world in math and science, skills that are crucial to jobs in technology-oriented professions. But the program is stimulating students to pursue cybersecurity in particular, Skoch says. </p><p>From a pilot competition involving just eight schools in 2009, the program has grown to  2,175 teams from the U.S. and Canada at both the high school and middle school levels. Teams compete in three divisions: one for teams from public and private high schools, Boys and Girls Scouts, Boys and Girls Clubs, and similar organizations; another for middle school students; and a third for students at U.S. Defense Department-affiliated schools. </p><p>The early rounds take place online on weekends at the local and state level. In these rounds, teams try to fix security problems on a virtual network, earning points for problems solved successfully. AFA flies the top 28 teams to the national finals, where they compete in four areas: configuring a network, investigating a simulated cybercrime scene, extracting deleted data, and protecting a network against live attacks. </p><p>Brahm's Huntsville team recently won the high school division of the finals in Washington, D.C. The winners of the high school divisions earn college scholarships. Thus far, AFA has awarded US$250,000 in scholarships, Skoch says. </p><p>For many of the students, the competition is the first time they have been part of a team, a necessary skill for cybersecurity jobs. Team members take on specialized roles, such as firewalls or user permissions, but they learn bigger lessons, as well. 
"For a lot of these kids, this is the first time they've been asked to exhibit any leadership, which is what employers want to see," Skoch explains. "They develop unique skills, and they contribute as a team."</p><h2>A New Take on Summer Camp</h2><p>The latest addition to the CyberPatriot program reaches out to students who weren't able to participate in the competition during the school year. This summer, AFA started a summer camp program in 22 locations. The five-day CyberCamps use interactive exercises to teach cybersecurity principles, ethics, and safety. On the fifth day, participants take part in a mini-CyberPatriot competition.</p><p>The same concerns that inspired the CyberPatriot and CyberCamps program are driving the GenCyber program launched last year by the U.S. National Security Agency and National Science Foundation. This summer the two agencies sponsored free camp programs at 29 university campuses in 18 states. The camps enable middle and high school students to learn cybersecurity safety and problem-solving skills, as well as ethical behavior. </p><h2>Solving Problems With Fresh Thinking</h2><p>Programs like CyberPatriot and GenCyber are beginning to bear fruit. Skoch says nearly 90 percent of CyberPatriot alums are pursuing STEM degrees. Among those still in high school, 93 percent plan to pursue a four-year college program, with more than half planning to major in cybersecurity or computer science. Eighty percent plan to go into STEM careers, compared to just 13 percent of students overall. And 20 percent of participants are girls, compared to the national average for STEM programs of 14 percent. CyberPatriot waves its regis​tration fee for all-girl teams to encourage greater participation.</p><p>Moreover, many current participants are working as interns even before graduation, and some have graduated high school and gone directly into good-paying cybersecurity jobs. 
Forty-two percent of alumni who are already in the workforce are working in cybersecurity or computer science. "The kids who go through our program get jobs, and they end up in the programs that pay very well," Skoch says, noting that cybersecurity positions pay about US$1,000 a month more than other IT jobs.</p><p>Skoch says these young people may bring the fresh thinking that can help solve costly cybersecurity problems for their future employers. "They aren't constrained by the way we've always done business because they haven't done business," he says. "I'm convinced there's some solution out there that a high school aged or young college student is going to say 'Why don't we try this?'"</p>Tim McCollum11305
Six Audit Analytics Success Factorshttps://iaonline.theiia.org/2015/six-audit-analytics-success-factorsSix Audit Analytics Success Factors<p>Data analysis technology has enabled many audit teams to achieve success and return on investment. A large car rental company transformed audit processes and reportedly reduced traditional audit work by 10,000 hours annually by using automated analysis to test all revenue transactions on an ongoing basis. Additional tests identified nearly US$1 million a year in incorrect commission payments and multiple instances of payroll fraud that may not have been discovered through manual methods.<br></p><p>Data analytics has helped such organizations increase the productivity of the audit function and improve the quality and value of audit findings by giving auditors the ability to examine and test entire populations of transactions and balances that underlie an audit area. Because internal audit has access to processes and data from across the organization, data analysis often enables auditors to provide insights into risk, control, and performance issues that no other function can provide.<br></p><h3>Realizing the Benefits</h3><p>Despite data analytics’ benefits, most internal audit departments are still in the early stages of usage and are far from achieving their full potential. This often stems from a lack of understanding of what is involved in the audit analytics process. However, six success factors can help internal audit departments overcome obstacles and realize the benefits of analytics.<br><br><strong>Strategy and Leadership</strong> Many internal audit departments fail to make progress in implementing audit analytics because they do not treat it as a strategic initiative, overall objectives are unclear, and the department lacks necessary resources. Defining the strategic objectives for audit analytics is a vital starting point. 
For example, The IIA’s Global Technology Audit Guides 3 and 16 discuss how combining responsibilities for continuous auditing and monitoring can enable internal audit and the organization to achieve the strategic goal of continuous assurance. Moreover, using data analysis to support both audit objectives and management’s maintenance of effective controls aligns closely with The IIA’s Three Lines of Defense in Effective Risk Management and Control model.<br></p><p>The CAE’s active support and involvement in an audit analytics implementation adds to its strategic importance and can help it deliver significant, sustainable benefits. The CAE should lead the effort by communicating the vision, strategy, and expectations.<br><br><strong>Goals and Metrics</strong> Underlying the overall strategic objective, internal audit departments can establish specific objectives by prioritizing the expected benefits. Goals and metrics could include:<br></p><ul><li>Data analysis to be used on x percent of audits within a y-month time frame.</li><li>Reduction in audit hours of x percent because of use of data analysis compared to the hours spent on the same audit using manual methods. </li><li>Data analysis results in an x percent increase in positive feedback from audit client departments about value added by internal audit.</li></ul><p>Establishing metrics and communicating progress helps align the audit team, provide a basis for managing the implementation process, and facilitate benchmarking with other organizations. It also can communicate value to senior management.<br><br><strong>Planning and Project Management</strong> Audit analytics implementations often are undermined by poor management. As with any important technology-driven initiative, effective planning and project management are critical to success. A well-managed implementation program helps ensure the use of analytics is sustainable and not overly dependent on any one individual. 
<br></p><p>To achieve greater benefits, audit analytics needs to be integrated into the overall audit process. This means understanding at what point in the audit cycle different forms of audit analytics are best used. All members of the audit team should be aware of when and how audit analytics are to be used, together with their own role in the process. Audit analytics can be used in virtually every stage of the audit process, including audit planning and risk assessment, controls testing, substantive procedures, reporting and quantifying audit findings, and continuous auditing. <br><br><strong>A Knowledgeable and Organized Team</strong> The success of implementing and maintaining an audit analytics program depends heavily on the extent of knowledge and skills available within the internal audit department and how the team is organized. Primary knowledge and skill requirements include:<br></p><ul><li>Data access and extraction.</li><li>Design of analysis tests to meet specific audit objectives.</li><li>Familiarity with using selected technologies.</li><li>Understanding of the overall audit analytics process.</li></ul><p>Training plans should reflect individual roles and related levels of knowledge. Those involved directly in data access and test development may require specialized training in specific software. Auditors performing simple analysis and tests may only require training in basic analysis concepts and introductory-level software usage. Managers and reviewers should be trained in audit analytics processes overall.<br></p><p>A variety of roles are involved throughout the analytics process, including data access specialist, data analysis specialist, and follow-up analyst to confirm any findings. Audit team leaders should understand how to best organize the different roles within their teams. In most audit departments, many of the roles may be combined in one or two individuals. 
In large departments, roles may be allocated across different team members, which allows for specialization and focus.<br><br><strong>The Business Case for Resources</strong> Internal audit departments that achieve the most success in using analytics develop a business case to identify investment costs and expected benefits and to measure progress in achieving objectives. In compiling its case, the department should consider benefits such as reducing audit staff hours, increasing productivity, increasing the value of advisory findings for audit clients, and achieving cost savings or revenue gains. Potential costs include specialist resources and implementation assistance, software, training, and startup funds. The business case also can consider the effect of cost sharing with risk management, compliance, and other related functions.<br><br><strong>Technology</strong> A wide range of data analysis software can be used to support audit analytics. Surveys indicate that more internal auditors use Microsoft Excel for analysis than any other software. However, specialized audit data analysis software is also popular, especially in organizations that are more advanced in using analytics. Other analysis technologies can play a role, although these products may not support all aspects of the audit analytics process.<br></p><h3>Leadership Is Key</h3><p>Simply acquiring software and sending a few people to a training course is not a recipe for success. Data analysis can help transform much of the audit process for the better, but it takes leadership, vision, commitment, and management execution to achieve sustainable benefits. <br></p>John Verver12022
Health Care Targetedhttps://iaonline.theiia.org/2015/health-care-targetedHealth Care Targeted<h3>Why are hackers targeting health-care companies? </h3><p>Individual patient records are loaded with private data that can be used for medical fraud, including buying drugs for resale and submitting false claims. We’re not just talking about financial data, but also the details of patient diagnoses, treatment plans, and medications. Some estimates place the value of this information at US$5 per patient record compared to US$1 per credit card record because patient records not only specifically link this medical information to a patient identity, but also the theft is often not immediately identified like credit card fraud can be by financial institutions.<br></p><h3>How can internal auditors help boards turn their growing concern about cybersecurity into concrete action? </h3><p>A major data security breach can have a deep and lasting impact on the future viability of an organization. Internal auditors need to discuss with their boards not only the cost to recover from such an exposure — including loss of business and prospective fines/penalties from the U.S. Office for Civil Rights — but also the reputational risk from these types of incidents. They need to know what actions can be managed internally and when a third-party review is needed to objectively evaluate an organization's policies, procedures, controls, risk assessment, and intrusion detection. 
Third-party reviews can also be valuable in assessing and auditing physical sites where protected health information is stored or exchanged. This includes both covered entities and business associates such as offshore and cloud service providers.<br></p>Staff0662
Difficulties Assessing and Addressing Cyberriskhttps://iaonline.theiia.org/blogs/marks/2015/difficulties-assessing-and-addressing-cyberriskDifficulties Assessing and Addressing Cyberrisk<p>Two of the attributes traditionally used in assessing risk are likelihood/probability or frequency* (P) and impact/consequence (I). Some limit themselves to evaluating the level of risk based on a single value of P x I. That is a mistake (<a href="https://normanmarks.wordpress.com/2015/05/17/a-huge-problem-with-risk-appetite-and-risk-levels/">see this earlier post on risk levels</a>) and I will touch on an issue or two here.</p><p>Let's look at (P) and (I).</p><p>I have seen reports that predict that 80%-90% of organizations will suffer a breach in the next 12 months (based on the level of breaches in the last 12 months). But, some will have a breach that affects non-sensitive information and only causes embarrassment – such as changes to their web page – while others will have very serious intrusions with significant damage.</p><p>How can you estimate which consequence your organization will suffer (going on the 90% likelihood that your organization will be breached)? How do you know that you won't have <em>multiple</em> breaches, by different actors, with different impacts in the next twelve months?</p><p>I think, if I were doing it, I would ask the information security professionals to consider the assets we are trying to protect, assess the strength of the defenses, and then estimate the likelihoods (plural) of severe, moderate, and lower impact (but still at least embarrassing) sets of consequences.</p><p>The estimation of 'damage' must be based on the impact to the <em>business</em>, not simply on some IT valuation of the information assets 'at risk'. How will the ability of the business to continue with its planned activities, including new initiatives, be affected? 
Can a value be placed on any reputation damage?</p><p>A troubling and complicating factor in the assessment is the duration of the breach and, possibly, the continuing damage it can be causing.</p><p>According to several reports, many breaches are not detected until months after they occur – and often detected by third parties, not by the breached organization! </p><p>Further, it can take months to expel the invader and repair the defenses. I understood it took something like 6 months for JP Morgan Chase to get the intruders out of its system.</p><p>A new report, <a href="http://www.scmagazine.com/financial-services-industry-education-take-half-a-year-to-remediate-vulnerabilities/article/418244/?DCMP=EMC-SCUS_Newswire&spMailingID=11546069&spUserID=MzEyNTk5NzMzNjUS1&spJobID=560193656&spReportId=NTYwMTkzNjU2S0">discussed in SC Magazine</a>, has this to say:</p><p>"On average, nearly half a year passes by the time organizations in the financial services industry and the education sector remediate security vulnerabilities, according to new research from NopSec."</p><p>"According to the findings, organizations in the financial services industry and the education sector remediate security vulnerabilities in 176 days, on average. Meanwhile, the healthcare industry takes roughly 97 days to address bugs, and cloud providers fix flaws in about 50 days."</p><p>This has to be taken into account when assessing cyberrisk.</p><p>So, I would not limit the risk assessment to a single possible level of impact: there are multiple, each with a different likelihood/frequency. The impact level can be seriously affected by the duration of the intrusion and continuing damage to the enterprise – which needs to be built into the (I).</p><p>I don't know whether it is possible to place a precise value on either (I) or its (P). 
The likelihood and severity of a breach are constantly changing.</p><p>What should not change, however, is the level of cyberrisk that an organization is willing to take. Since cyberrisk cannot be eliminated, and business has to continue, management and the board must accept that some level of risk will remain and must be accepted. This needs to be known so that management can determine (a) whether the current level of risk requires treatment, and (b) how much investment should be made in prevention and detection.</p><p>Two points come immediately to mind when it comes to treating cyberrisk:</p><ol><li>It is essential to beef up the ability of the organization to detect an intruder who has succeeded in breaching the defenses</li><li>It is critical to have response processes that can work promptly to limit any damage (including the duration of the breach and its effect), expel the intruder, understand what damage has occurred and how the defenses were breached, and communicate with all necessary and appropriate parties</li></ol><p>ComputerWeekly.com published a piece on "<a href="http://www.computerweekly.com/opinion/The-cyber-security-outlook-for-2015">the cyber security outlook for 2015</a>" in which they identified, as a serious mistake organizations are making:</p><p>"Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones."</p><p>When the organization does not have effective, tested, response capabilities, the (I) increases significantly.</p><p><a href="http://www.zdnet.com/article/stolen-data-on-the-data-dark-web-matchlight/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61">An article on ZDNet</a> got me thinking. 
It talks about a software product that helps with the response by searching for corporate data that has made its way onto the "dark web."</p><p>Once an organization has identified the information it wants to protect, should it proactively monitor the dark web to see if any of it appears – even before it is aware of a breach?</p><p>Do you have thoughts on this topic of assessing and treating cyberrisk?</p><p><span style="font-size:11px;">*Frequency is used when there is a likelihood of an event multiple times a year.</span></p>Norman Marks01640
Cybersecurity Aftermath: What Is Next?https://iaonline.theiia.org/2015/cybersecurity-aftermath-what-is-nextCybersecurity Aftermath: What Is Next?<p>Given the daily deluge of cyber threat reports, cybersecurity awareness continues to increase among senior executives and audit committees. As organizations implement more practical response strategies, they are becoming more focused on crisis management and response planning, security approach, and disaster recovery. </p><p>In the Ponemon Institute's 2012 report, <a target="_blank" href="http://www.experian.com/assets/data-breach/brochures/ponemon-aftermath-study.pdf">Aftermath of a Data Security Breach Study</a> (PDF), 63 percent of IT professionals who responded to the global survey said their senior leadership viewed privacy and data protection as a greater priority after a breach occurred in their organizations (see "Picking Up the Pieces" below right). In respondent organizations, sensitive data was not encrypted, data breach response strategies required improvement, and privacy and data protection practices needed improvement. Since the survey was published, organizations have increased their cybersecurity posture, applying an organizationwide response to security breaches, rather than an IT response. Acting in a consulting role, internal auditors can help their organization's executives and business-unit leaders understand what is involved in developing such an organizationwide response. 
</p><h2>Crisis Management and Response Planning</h2><p>This shift to a more organizationwide response to cybersecurity incidents is reflected in a 2014 PricewaterhouseCoopers (PwC) report, <a target="_blank" href="http://www.pwc.com/en_CA/ca/technology-consulting/security/publications/pwc-cyber-security-crisis-management-2013-05-en.pdf">Cybersecurity Crisis Management: A Bold Approach to a Shadowy Nemesis</a> (PDF), which suggests organizations adopt a new philosophy for incident response aimed at bringing order to chaos. The report notes that a fiscally viable, coordinated response could mean the difference between cyber breach and cyber peace. Moreover, a well-thought-out solution can help ensure the organization's long-term survival as it manages a data breach situation. </p><p>The PwC report discusses an eight-phase approach to a structured and orderly cyber crisis response:</p><ul><li>Implementing an information security program.</li><li>Cyber event detected.</li><li>Incident response.</li><li>Internal investigation.</li><li>Third-party forensic investigation.</li><li>Contacting law enforcement.</li><li>Customer notification.</li><li>Containment and remediation plan.</li></ul><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p><strong>Picking Up the Pieces</strong></p><p>IT respondents to the Ponemon Institute's 2012 study of the aftermath of a data breach indicated: </p><ul><li>They have more confidence than senior leadership that they can secure customer data from future security breaches.</li><li>Training and awareness programs and enforcing security policies should be a priority for organizations.</li><li>Their organizations have increased IT security budgets as privacy and data protection have become a greater priority for senior leadership.</li><li>Identity theft would result from stolen customer data.</li><li>Their organization should limit the quantity of customers' personally identifiable data it collects and what it shares with third parties.</li><li>Their organization should reduce the negative consequences of a data breach by hiring legal counsel, assessing the harm to victims, and employing forensic experts. </li></ul></td></tr></tbody></table>
<p>The report points out that a key element of an organization's overall cyber crisis response strategy is a good communication plan that incorporates an integrated public relations strategy. This communication should be decisive and occur through various channels. </p><h2>Security Approach</h2><p>A new Accenture study, <a target="_blank" href="http://www.accenture.com/SiteCollectionDocuments/PDF/Accenture-Cyber-Security-Leap-2015-Report.pdf">The Cyber Security Leap: From Laggard to Leader</a> (PDF), compares companies that have taken a security leap forward to companies that remain somewhat stagnant in their security practices. Researchers at Accenture interviewed senior IT leaders and tracked the security effectiveness progress of 247 companies that are benchmarked in the Ponemon Institute's database. </p><p>The study observes that a sound security strategy is a clear priority for more forward-thinking organizations — defined as having increased their security effectiveness by at least 25 percent over a two-year period. Sixty-eight percent of survey respondents have significantly changed their approach to security management in recent years. These changes include creating a chief information security officer (CISO) role, allocating a dedicated security budget, and significantly expanding the security team. Forward-thinking companies also align their security strategy with their overall business objectives to improve security across strategy, technology, and governance. The study notes that by implementing these security best practices, organizations improved their security effectiveness by 53 percent. 
</p><p>Accenture says organizations also can make cybersecurity a competitive advantage by:</p><ul><li>Eliminating security silos.</li><li>Evolving the C-suite into security champions.</li><li>Embracing innovative solutions.</li><li>Streamlining their IT security infrastructure.</li><li>Creating greater visibility into security processes.</li></ul><h2>Disaster Recovery Planning</h2><p>Disaster recovery planning focuses on business impact scenarios, risk management, and response and recovery from business disruptions. For a long time, organizations' disaster recovery planning efforts focused on business impacts from natural or physical disasters. More recently, they incorporated potential terrorist activities into business impact scenarios. Now those scenarios should include cyber threats, as well. </p><p>This is a natural progression of threats over time. Crisis management and response planning are really elements of disaster recovery planning. Because disaster recovery planning for most organizations is an enterprise-level activity, it would be more efficient to incorporate cybersecurity into this established process. </p><h2>Other Advancements</h2><p>Organizations are implementing several strategies to manage cybersecurity threats. Besides the ones discussed previously, others include: </p><ul><li>Incorporating the cybersecurity strategy into the organization's enterprise risk management (ERM) process.</li><li>Establishing a structured, well-thought-out crisis management strategy. </li><li>Regularly updating the board on the organization's information security posture and current cybersecurity landscape.</li><li>Incorporating into disaster recovery planning activities those cybersecurity scenarios that disrupt the organization's business, including effects on reputation, loss of data, and loss of business.</li><li>Having the CISO report directly to the board. 
</li><li>Creating standard question-and-answer documents for customer organizations that inquire about the organization's data security and privacy practices, such as data encryption, two-factor authentication, and data loss prevention processes.</li></ul><h2>Additional Opportunities</h2><p>As the cybersecurity threat landscape evolves and as organizations improve their approach to managing these threats, internal audit can play an active role in helping the organization address these issues. Many organizations see cybersecurity as a new threat and create new processes to mitigate the new risk. However, internal auditors could suggest incorporating the new risk mitigation strategies into existing enterprisewide processes such as ERM and disaster recovery planning efforts. These long-time processes typically have well-designed methodologies that provide a cost-effective means to manage cyber threats. </p>James Reinhard01350
Digital Signatures Decipheredhttps://iaonline.theiia.org/2015/digital-signatures-decipheredDigital Signatures Deciphered<p>In today’s digital business environment, internal auditors have to assess the risk and security of large volumes of digitally originated transactions and documents. Among the many methods, protocols, and products for securing online transactions are digital signatures. For example, the mortgage industry uses digital signatures for approving real estate negotiations by affixing them to price or contract changes until both parties agree on terms and a price. Once they have reached an agreement, the parties execute the title transfers with a notarized ink signature.<br></p><p>Digital signatures improve efficiency, provide security around transactions, and enhance collective approvals in a fraction of the time compared to conventional ink signatures. Nonetheless, there is always the danger and fear of unauthorized or malicious use of digital signatures. Internal auditors and organizations need to assess the level of risk and to what extent the organization should secure its digital signature platform. Moreover, auditors should consider the trade-off between the level of risk digital signatures pose and the level of authentication required to provide desired levels of assurance while accepting them.<br></p><h2>Proof of Authenticity</h2><p>A digital signature is an electronic sound, symbol, or process attached to or logically associated with a record and executed by a person with the intent to sign the record. In layman’s terms, it is a person’s electronic expression of agreement to the terms of a particular document with the intent to sign. A scanned or photographed image of a written signature does not constitute a digital signature, as it is analogous to affixing a rubber stamp of the signature that can be duplicated or misused without the signer’s knowledge. 
Instead, digital signatures provide a secure encryption environment for the data associated with a signed document and verify the authenticity of a signed record.<br></p><p>To authorize transactions, digital signatures use a combination of content capture, method of signing, data, and user authentication. They use electronic authentication to establish confidence in user identities that are electronically presented to an information system. Individual authentication is the process of establishing an accepted level of confidence and assurance for an accepted level of risk.<br></p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><strong>How Digital Signatures Work</strong><br><br>Digital signatures use private/public keys and hash results of the original and destination documents. The digital representation or summary of the document, unique to a message, is the <em>origin-hash result</em> (OHR), created by the hash function of the digital signature software. In turn, this software uses the signer’s <em>private key</em> to transform the hash result into a digital signature that is unique to the message. Upon receipt of the document, the receiving computer computes a new <em>destination-hash result</em> (DHR) over the transmitted message by using the same hash function used to create the digital signature. Using the corresponding <em>public key</em> and the DHR, the receiving computer confirms whether the affixed digital signature was created using the matching private key and whether the OHR and DHR match. If both the keys and the hash results match, the validity of the message, signer, and receiver is verified.<br></td></tr></tbody></table><p>There is a direct relationship between the associated risk and the complexity of authentication needed to provide a higher degree of assurance in the use of digital signatures. 
Higher levels of assurance need complex, multifactor authentication methods that, in turn, require a secure IT infrastructure and user training. This correlation poses a trade-off challenge to auditors and organizations willing to accept digital signatures, thereby compelling them to identify those business processes that require an optimum level of authentication to offset risks.<br></p><p>Digital signatures are built on an encryption/decryption technology that a) collects evidence of the document such as metadata and IP address, b) verifies the identity of a signer and receiver, and c) provides an audit trail of the transactions. This technology uses a public key infrastructure (PKI) in which the signer uses his or her private key to encrypt the document and the recipient uses the corresponding public key to decrypt it (see “How Digital Signatures Work” at right). A digital signature requires a signer to establish a certificate-based digital ID, commonly enclosed in a token, smart card, or other physical device, to provide a high level of authentication, integrity, and security to the transaction and the identity of the parties signing. The executor or signer is presumed to be legally responsible for any document signed with a private key.<br></p><p>The important consideration when assessing the risk for digital signatures is their provisioning through e-mail communications, which makes Internet security critical. If the e-mail platform is compromised, the digital signature and PKI lose their authenticity and validity.<br></p><h2>The Risk–Assurance Trade-off</h2><p>“Digital Signature Risk to Authentication” on this page depicts the trajectory for risk tolerance versus level of authentication for a typical business process. The trajectory slope may vary with the nature of the business process. 
For example, financial transactions, approvals, or decisions generally have a higher degree of risk, based on their monetary value, than administrative functions such as leave requests.<br></p><p><img class="ms-rteiaPosition-2" src="/2015/PublishingImages/Hullavarad-Digital%20Signature%20Risk%20to%20Authentication.jpg" alt="" style="margin:5px;width:450px;height:380px;" />The digital signature risk-to-authentication (SRA) model depicted in the chart provides a framework for internal auditors to establish the desired level of trust for an electronic transaction, as well as the authenticity, integrity, and reliability of such transactions. This can be accomplished through a quantitative risk assessment for each transaction specific to a functional unit by estimating the risk and the likelihood of occurrence. Use of the SRA model can give internal auditors an understanding of the internal controls and security needed when their organization implements digital signatures.<br></p><p>The SRA model provides a semi-quantitative approach to assessing the risk associated with a given level of authentication used to provide a digital signature. As a general rule, the higher the level of authentication, the lower the likelihood that an incident, or breach, will occur and the lower the risk. Although the nature of the risk versus authentication curve may be different for different business processes, the pattern will tend to follow the path of reduced risk for higher authentication. Internal auditors or management can develop a risk chart based on the formula: <em>Risk (R) = Likelihood of occurrence of event (L) x Magnitude (M)</em>.<br></p><p>To illustrate the formula, assume that one in 30 e-mail accounts is hacked. Based on this assumption, the risk can be calculated by assessing the monetary magnitude of the effect of hacked e-mails on an organization. 
The trade-off zone depicted in the chart provides an opportunity window to secure the digital signature environment to achieve the desired level of assurance, thereby enabling organizations to identify those processes that require optimum levels of authentication to offset risks.<br></p><p>The key factor to consider in implementing digital signatures is to identify the level of risk tolerance and the associated risk for a business process. Institutional risks may involve financial, brand-value reputation, and other key administrative communication. Based on the various types of business processes and the level of severity, the assurance levels — which are a combination of authentication and validation — as well as the trust levels must be established by the appropriate business-unit management. To secure an electronically signed document as evidence, auditors should consider the risks associated with the signing process and with the significance of the information. Security must be approached with the objective of managing potential risks and should be weighed against the level of authentication needed to achieve the desired level of risk tolerance (see “Authentication Levels” below).<br></p><p>Internal auditors can use this model to assess the risk/assurance needed for digital signatures. Because systems are imperfect, auditors should consider the reliability of the information obtained through the digital signature validation process. 
For example, they should consider whether digital signatures can enhance internal control over online sales orders by authenticating the validity of customers.</p><p><img class="ms-rteiaPosition-4" src="/2015/PublishingImages/Hullavarad-Authentication-Levels.jpg" alt="" style="margin:5px;width:750px;height:303px;" /><br></p><h2>Digital Assurance</h2><p>As the Internet is an essential tool for transmitting digital signatures, it is necessary to have a secure transmission process that ensures a document signed through a digital signature is not tampered with by a third person and reaches the recipient in the form in which it left the signatory. Organizations also need to determine which business processes are not appropriate for digital signatures, such as creating wills, testamentary results, and certain types of contracts.<br></p><p>Internal auditors and their organizations need to identify the various processes for which they plan to use digital signatures, as well as perform a comprehensive risk assessment of those processes. The digital signature risk to authentication model can help auditors assess the level of authentication suggested for a specific business process to ensure it provides the desired level of assurance. <br> <span class="ms-rteiaStyle-authorbio">Shiva Hullavarad, PHD, is statewide ECM/ERM System Administrator with the University of Alaska System in Fairbanks.<br>Russell O’Hare, EDD, CRM, is chief records officer with the University of Alaska System.<br>Ashok Roy, PHD, CIA, CFSA, CBA, is vice president for finance and administration with the University of Alaska System.</span></p>Shiva Hullavarad
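The sign-and-verify flow that the “How Digital Signatures Work” box above describes, as an added example that is not part of the original article: the signer hashes the document into the origin-hash result (OHR) and transforms it with the private key; the receiver recomputes the destination-hash result (DHR) with the same hash function, recovers the OHR from the signature with the public key, and accepts only if the two match. The key pair is a constructed textbook-RSA teaching aid (two Mersenne primes, no padding), assumed here purely for illustration; production systems use keys and padding schemes from a vetted library.

```python
import hashlib

# Constructed toy key pair built from two Mersenne primes so that the modulus
# is larger than a SHA-256 digest. NOT a secure key: real deployments use
# keys generated by a vetted library together with PKCS#1 v1.5 or PSS padding.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537                          # public exponent, shared with receivers
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def hash_result(document: bytes) -> int:
    """The box's 'hash result': a fixed-size SHA-256 digest of the document."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Signer side: compute the origin-hash result (OHR) and transform it with
    the private key into a signature that is unique to this message."""
    d, n = private_key
    return pow(hash_result(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Receiver side: recompute the destination-hash result (DHR) with the same
    hash function, recover the signed OHR with the public key, and accept the
    document only when OHR and DHR match."""
    e, n = public_key
    dhr = hash_result(document)
    recovered_ohr = pow(signature, e, n)
    return recovered_ohr == dhr


def demo() -> dict:
    """Sign a constructed approval message, then verify an intact copy and a
    copy altered in transit; only the intact copy should pass."""
    original = b"Approve leave request 2015-0817 for J. Doe"  # constructed
    tampered = b"Approve leave request 2015-0817 for J. Roe"  # one byte changed
    sig = sign(original, PRIVATE_KEY)
    return {
        "intact_verifies": verify(original, sig, PUBLIC_KEY),
        "tampered_verifies": verify(tampered, sig, PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(demo())  # {'intact_verifies': True, 'tampered_verifies': False}
```

Because the receiver compares the full recomputed digest with the one recovered from the signature, any change to the document after signing, however small, is detected; the example needs Python 3.8 or later for the modular inverse via pow().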
Securing Broker-dealershttps://iaonline.theiia.org/2015/securing-broker-dealersSecuring Broker-dealers<p>​Financial firms have been prime targets for network and data attacks. A recent U.S. Financial Industry Regulatory Authority (FINRA) <a href="https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf" target="_blank">report</a> (PDF) describes how securities firms such as broker-dealers are protecting themselves from cyberrisks and provides recommendations for improving their security measures. </p><p>"Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program," says Susan Axelrod, executive vice president for regulatory operations at the independent regulator. </p><p>The Report on Cybersecurity Practices is based on a 2014 examination of U.S. securities firms and a 2011 survey of 224 firms. FINRA's research reveals that the top three threats broker-dealers face are hackers penetrating their systems, insiders compromising firm or client data, and operational risks. To help firms mitigate these threats, the report provides observations and guidance in eight areas.</p><h2>Governance</h2><p>The FINRA report recommends that firms implement an information security governance framework to help identify risks, determine their severity, and support decisions on managing them based on the organization's risk appetite. The framework should encompass policies, processes, structures, and relevant controls. </p><p>An organization's framework should emphasize management and board involvement in cybersecurity issues, FINRA advises. Insufficient involvement can make organizations more vulnerable to data and network breaches, as well as regulatory risks such as being cited under the U.S. 
Securities and Exchange Commission's "Red Flags Rule."</p><p>Beyond the board and top management, the framework also should incorporate views from business units, IT, risk management, and internal audit, the report states. Internal audit should assess the implementation and effectiveness of the cybersecurity program, especially its controls and processes.</p><h2>Risk Assessment</h2><p>The FINRA report recommends organizations perform risk assessments regularly to identify information security risks associated with their assets and vendors. The first step should be creating an asset inventory to identify the assets the organization has and their importance for protection. </p><p>Next, FINRA recommends that organizations maintain a risk assessment program to identify asset vulnerabilities, review threat and vulnerability information, document internal and external threats, determine their potential impact and likelihood, and come up with risk responses. In the agency's 2014 sweep of securities firms, more than 80 percent of firms had such programs, with many drawing on ISACA's COBIT or the ISO/IEC 27001 framework. Firms typically viewed these risk assessments as part of the organization's broader risk management process. </p><h2>Technical Controls</h2><p>The report advises organizations to implement technical controls to protect their data, as well as the hardware and software on which it is stored and processed. Key to this is a defense-in-depth strategy that applies multiple layers of security controls throughout an IT infrastructure. These layers include users, application, network and physical perimeter, server, database, and data and asset.</p><p>One of the most important controls that need to be in place is identity and access management, especially now that organizations are allowing customers and vendors access to systems, as well as access through mobile devices. Other important controls are encryption and third-party penetration testing. 
</p><h2>Incident Response Planning</h2><p>With security breaches becoming more common, organizations need policies and procedures for responding to incidents, the FINRA report advises. Response plans should detail the roles and responsibilities of individuals in the event of an incident. Some organizations have dedicated computer security incident response teams for such situations, the report notes. </p><p>Response plans should prepare for incidents that organizations are most likely to encounter, including compromises of customer personal data, data corruption, denial-of-service attacks, network intrusions, and malware. Moreover, plans should spell out the organization's strategy for containing or mitigating various types of incidents, recovery plans for systems and data, processes for investigating and assessing damage, and communication. </p><h2>Vendor Management</h2><p>The growing use of third-party vendors raises information security risks throughout the relationship's life cycle that some organizations may not be addressing. According to <em>The New York Times</em>, nearly one-third of banks surveyed by the New York Department of Financial Services don't require such vendors to inform them of information security breaches, and less than half perform on-site assessments of vendors. </p><p>The FINRA report recommends organizations manage vendor risks by performing due diligence on both prospective and existing service providers, and ensuring that contract terms are appropriate given the sensitivity of systems and data to which vendors may have access. Moreover, it advises organizations to make vendor relationships part of the organization's ongoing risk assessment and to have procedures for terminating vendor access at the end of the contract.</p><h2>Staff Training</h2><p>To address employee risk, organizations need to train personnel about information security risks, the report says. 
In FINRA's reviews, 95 percent of securities firms provided mandatory cybersecurity training to employees at least annually, which usually consisted of awareness training for all staff and targeted training for specific staff members. FINRA recommends organizations update training often to reflect changing threats.</p><h2>Cyber Intelligence and Information Sharing</h2><p>The report advises organizations to gather intelligence information about cybersecurity threats to better detect and respond to them. Organizations should assign someone responsibility for collecting and analyzing threat information and have ways to communicate that information to appropriate groups. </p><p>One source of intelligence is an information sharing and analysis center (ISAC), such as the financial services industry's FS-ISAC. In its sweeps, FINRA found that 72 percent of securities firms shared information through FS-ISAC, while half shared it with the U.S. Computer Emergency Readiness Team. Additionally, many large firms have established in-house threat intelligence centers.</p><h2>Insurance</h2><p>Finally, many firms reviewed by FINRA have turned to cyber insurance to transfer some of the risk or to obtain coverage for gaps that aren't addressed in their existing insurance policies. That may accelerate this year, as Lloyd's of London reports there has been a 90 percent increase in cyber insurance applications in just the first quarter of 2015 compared to last year. </p><p>FINRA recommends organizations that need coverage evaluate how insurance plans would enhance their ability to manage the financial impact of a security incident. Organizations that already have cyber insurance should assess the adequacy of their coverage in light of their risk assessment.</p>Tim McCollum