IIA District Conference Seminar. Presenter: David Cole, CPA, CISA, CRISC

Presentation transcript:

Slide 1: Know Your Data!
IIA District Conference Seminar, October 29, 2018
Presenter: David Cole, CPA, CISA, CRISC (dcole@sysaudits.com)

Copyright © SysAudits. All rights reserved.

Slide 2: Briefing Points
High level: gain an understanding of critical data points and technology protection controls.
- Data Categorization
- Data Media Storage
- Regulatory Requirements
- Data Governance: Role of the CPA
- Information System Controls
- Technical Controls
- System Architecture Data Controls
- Risk Assessments
- Wrap Up

Slide 3: Data Categorization: What is "Knowing Your Data"?
Data inventory and data categorization: the process of identifying the different types of data your business
- receives through engagements,
- creates from engagements, and
- obtains through day-to-day business operations (procurement, human resources, medical).

Slide 4: Data Categorization: What is "Knowing Your Data"?
Data received through engagements:
- Audit engagements
- Details from payables and receivables
- Financial transactions and supporting financial data details (business name, bank accounts, bank statements, etc.)
- Client data
- Healthcare data

Slide 5: Data Categorization: What is "Knowing Your Data"?
Data received through engagements, or obtained through day-to-day business operations (procurement, human resources, medical). How is your data received?
- Email attachments: hopefully encrypted
- File transfer: hopefully through secure access controls and encryption
- Onsite: USB external drives, hopefully encrypted drives
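The data inventory and categorization process described on slides 3 to 5 can be partly automated. The Go program below is an added example written for this transcript, not part of the presentation or of SysAudits' material: it scans constructed sample records for the data types the slides name (credit card numbers confirmed with the Luhn check, SSNs, email addresses, bank routing numbers, and a hypothetical healthcare keyword list) and tallies a per-category inventory. The category labels, the patterns and the sample text are this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Category labels for this added example; they follow the data types the
// slides name, but the label text is our own.
const (
	CatCreditCard = "PCI (credit card)"
	CatSSN        = "PII (SSN)"
	CatEmail      = "PII (email)"
	CatBankAcct   = "Financial (bank routing)"
	CatHealth     = "Healthcare (PHI keyword)"
)

var (
	// 13 to 19 digits, optionally separated by spaces or dashes. A match is
	// only a candidate; the Luhn check confirms it and cuts false positives.
	reCard = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	reSSN  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	reMail = regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`)
	// "routing" or "ABA" followed by a 9-digit US routing number.
	reBank = regexp.MustCompile(`(?i)\b(?:routing|aba)[^\d]{0,5}\d{9}\b`)
	// Hypothetical keyword list; a real inventory would use a tuned dictionary.
	reHealth = regexp.MustCompile(`(?i)\b(?:diagnosis|patient|icd-10|mrn)\b`)
)

// luhnValid applies the Luhn mod-10 check to the digits in s, ignoring
// separators. Fewer than 13 digits is never a card number.
func luhnValid(s string) bool {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Categorize returns the sorted set of data categories found in one record.
func Categorize(text string) []string {
	found := map[string]bool{}
	for _, m := range reCard.FindAllString(text, -1) {
		if luhnValid(m) {
			found[CatCreditCard] = true
		}
	}
	checks := map[string]*regexp.Regexp{CatSSN: reSSN, CatEmail: reMail, CatBankAcct: reBank, CatHealth: reHealth}
	for label, re := range checks {
		if re.MatchString(text) {
			found[label] = true
		}
	}
	out := make([]string, 0, len(found))
	for c := range found {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// Inventory categorizes every record and returns a count per category, the
// shape of a data inventory that feeds the regulatory-requirements question.
func Inventory(records []string) map[string]int {
	counts := map[string]int{}
	for _, r := range records {
		for _, c := range Categorize(r) {
			counts[c]++
		}
	}
	return counts
}

func main() {
	// Constructed sample records: no real people, cards or accounts.
	samples := []string{
		"Vendor payment card 4111 1111 1111 1111 exp 12/26 approved",
		"Invoice 1234-5678-9012-3456 paid by check", // 16 digits but fails Luhn
		"Employee 123-45-6789 new hire, contact jane.doe@example.com",
		"Client ABA routing 021000021 account listed on statement",
		"Patient MRN 44821 diagnosis reviewed during audit",
	}
	for _, s := range samples {
		fmt.Printf("%-64s -> %v\n", s, Categorize(s))
	}
	fmt.Println("inventory:", Inventory(samples))
}
```

The Luhn step is what keeps invoice and reference numbers out of the PCI bucket; a record that trips no pattern returns an empty category list and would be classified by hand.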

Slide 6: Data Media Storage
Media storage typically involves the form and place in which data is stored:
- Electronic: disc storage (SAN), hard drives, removable drives
- Backup tape
- Mobile devices: phones, tablets
- System/application storage: database
- Reports: often separate servers are used for report preparation
- Transaction servers: systems used for transaction processing

Slide 7: Regulatory Requirements
Knowing your data also requires knowing whether there are any regulatory and protection responsibilities.
- Your firm may not fall clearly within the Payment Card Industry (PCI) requirements, but if during engagements credit card transactions are obtained as part of audit evidence or verification testing, then where and how you store, protect, and purge such data would require data protection controls.
- Typical locations: audit workpapers (WPs), electronic storage (shared drives), emails/attachments

Slide 8: Regulatory Requirements
Regulatory requirements relate to:
- Personally Identifiable Information (PII)
- Financial records
- Credit card records
- Medical records
We are all well aware of, and have been a victim a time or two of, compromises of our:
- Credit cards
- Background clearances
- PII

Slide 9: Data Governance: Role of the CPA
How do, and how should, CPAs play a role in data governance and risk management?
CPAs, auditors, and business risk advisors: the CPA is a respected profession whose cornerstone trademarks are:
- Financially conservative: well thought out financial decisions
- Experts in internal controls
- Experts in establishing sound, repeatable processes, and
- Ultimately, risk advisors
Data governance fits right into the trademarks of the CPA profession.

Slide 10: Information System Controls
Knowing your data leads into the following main point: what are the standard, industry-recognized controls for protecting data within an organization and its systems?
The three main sets of controls are known as:
- Management controls: policies, such as computer security, access control, and security awareness
- Operational controls: procedures, such as backup processes and the process for granting, monitoring, and removing user access

Slide 11: Information System Controls
Knowing your data leads into the following main points (continued):
- Technical controls: technical solutions that implement the management and operational controls, such as unique user accounts for application access, VPN, 2FA, DB, encryption, and auditing and logging
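One way to operate the "granting, monitoring, and removing user access" procedure from slide 10, and to check the 2FA technical control from slide 11, is a periodic user-access review that reconciles each system's account list against the HR roster. The Go program below is an added example written for this transcript, not the presenter's code; the record layouts, the 90-day staleness threshold, the finding texts and the sample accounts are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is one row of a system's user list (a constructed shape for this
// example, not any product's export format).
type Account struct {
	User      string
	Owner     string    // HR employee ID the account is assigned to
	LastLogin time.Time // zero value means never logged in
	Admin     bool
	MFA       bool
}

// Employee is one row of the HR roster.
type Employee struct {
	ID         string
	Terminated *time.Time // nil while still employed
}

// Finding is one exception an access review would report to the account owner.
type Finding struct {
	User   string
	Reason string
}

// staleAfter is an assumed review threshold; firms set their own.
const staleAfter = 90 * 24 * time.Hour

// ReviewAccess reconciles system accounts against the HR roster as of asOf and
// returns the exceptions sorted by user and reason. It covers three controls
// from the slides: removal of access on termination, monitoring of unused
// accounts, and 2FA on privileged accounts.
func ReviewAccess(accounts []Account, roster []Employee, asOf time.Time) []Finding {
	byID := make(map[string]Employee, len(roster))
	for _, e := range roster {
		byID[e.ID] = e
	}
	var out []Finding
	for _, a := range accounts {
		emp, known := byID[a.Owner]
		switch {
		case !known:
			out = append(out, Finding{a.User, "orphan: owner not in HR roster"})
		case emp.Terminated != nil && !emp.Terminated.After(asOf):
			out = append(out, Finding{a.User, "owner terminated, account still enabled"})
		}
		if a.LastLogin.IsZero() || asOf.Sub(a.LastLogin) > staleAfter {
			out = append(out, Finding{a.User, "stale: no login in 90 days"})
		}
		if a.Admin && !a.MFA {
			out = append(out, Finding{a.User, "privileged account without 2FA"})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

func main() {
	// Constructed sample data: review date, roster and accounts are invented.
	asOf := time.Date(2018, 10, 29, 0, 0, 0, 0, time.UTC)
	term := asOf.AddDate(0, -2, 0) // E101 left two months before the review
	roster := []Employee{{ID: "E100"}, {ID: "E101", Terminated: &term}, {ID: "E102"}}
	accounts := []Account{
		{User: "alice", Owner: "E100", LastLogin: asOf.AddDate(0, 0, -3), Admin: true, MFA: true},
		{User: "bob", Owner: "E101", LastLogin: asOf.AddDate(0, 0, -70)},
		{User: "svc_report", Owner: "E999", LastLogin: asOf.AddDate(0, 0, -200), Admin: true},
		{User: "carol", Owner: "E102"},
	}
	for _, f := range ReviewAccess(accounts, roster, asOf) {
		fmt.Printf("%-12s %s\n", f.User, f.Reason)
	}
}
```

The review is written as a pure function over two exports so it can be rerun each quarter and the output diffed; in practice the account list comes from the application or directory export and the roster from HR, and each finding goes back to the control owner for removal or an accepted exception.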

Slide 12: Technical Controls: Encryption Controls
Encryption in transit: encrypting the connection from a user's PC to the application or onto a network.
- Typically a VPN connection establishes a secure tunnel from the user's PC to a corporate network, where the user can access an application or data.
- This only establishes a tunnel connection; it does not encrypt the data itself, which is in the clear once it leaves the tunnel.
Encryption at rest: encrypting data residing in applications, where the data is stored, within an application database.
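Slide 12 makes a point that is easy to miss in an audit: a VPN or TLS tunnel protects data only while it is moving, and once the tunnel is terminated the application receives plaintext and, unless it does something more, stores plaintext. The Go program below is an added example (not from the presentation) showing application-level encryption at rest with AES-256-GCM from Go's standard library: the received value is encrypted before it is written to the record, the client ID is bound to the ciphertext as associated data, and a tampered value, a wrong key or a ciphertext moved to another client's row all fail on decryption. The record shape, the client ID and the account value are constructed for the example; the key would come from a key-management service in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Record is what the application writes to its database. Only the sensitive
// field is encrypted; the client identifier stays searchable.
type Record struct {
	ClientID string
	BankAcct string // base64(nonce || ciphertext || GCM tag)
}

// newAEAD wraps a 32-byte key (AES-256) in GCM. The key is supplied by the
// caller; in practice it is fetched from a key-management service.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts plaintext under a fresh random nonce and binds the
// result to clientID as associated data, so a ciphertext copied into another
// client's row will not decrypt.
func EncryptField(key []byte, clientID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends the ciphertext and tag after the nonce in one buffer.
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(clientID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField. Any change to the stored value, the key
// or the clientID makes GCM's tag check fail and returns an error.
func DecryptField(key []byte, clientID, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("stored value too short to hold nonce and tag")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(clientID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRecord models the application side of the slide: the VPN/TLS tunnel
// has already been terminated, so received is plaintext here. Without this
// step the database row would hold the account number in the clear.
func StoreRecord(key []byte, clientID, received string) (Record, error) {
	enc, err := EncryptField(key, clientID, received)
	if err != nil {
		return Record{}, err
	}
	return Record{ClientID: clientID, BankAcct: enc}, nil
}

func main() {
	key := make([]byte, 32) // demo key generated here; use a KMS-managed key in practice
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample value as it arrives out of the tunnel.
	rec, err := StoreRecord(key, "client-42", "ACCT-0001234567")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored row:", rec.ClientID, rec.BankAcct)
	fmt.Println("row contains plaintext:", strings.Contains(rec.BankAcct, "0001234567"))
	pt, _ := DecryptField(key, rec.ClientID, rec.BankAcct)
	fmt.Println("decrypted by the application:", pt)
	_, err = DecryptField(key, "client-43", rec.BankAcct) // same ciphertext, wrong row
	fmt.Println("moved to another client's row:", err)
}
```

For an auditor the check is the stored row itself: a database export or backup tape that shows the account number in the clear means the only encryption in play was the tunnel, whatever the VPN configuration says.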

Slide 13: Technical Controls: Interconnection Controls
Often there are system connections between trusted business partners, subsidiary offices, or government systems. There are typically two types:
- Periodic connections: the connection is not persistent; it is opened up or enabled periodically, and data may travel in only one direction (to us or from us).
- Permanent connections: the connection is needed 24x7, and data often flows in both directions.

Slide 14: Technical Controls: Interconnections: Risks
Persistent or not, we want to make sure our data, or data entrusted to us, is protected.
Our data going out:
- We want the same level of protection at the site 2 location.
- Articulated data controls to be agreed upon.
- We want to be notified in the event of a data compromise, even an apparent (suspected) compromise.
- We want a formal agreement in place, often called an interconnection service agreement (ISA).

Slide 15: System Architecture Data Controls
Multi-tier architectures

Slide 16: System Architecture Data Controls
General walk-through of key technical components

Slide 17: Risk Assessments
What can you do to determine whether you have adequate data protection controls?
Internal self-assessment:
- Policy assessment
- Operational and process assessment
- Technical assessment
- Incident management
- Communication plans
External assessments:
- Client and partner assessments
- MOUs, MOAs

Slide 18: Wrap Up: Benefits in Knowing Your Data
- What is the type of data?
- Where is the data stored?
- Is the data regulated?
- Where do we apply data protection controls?
- How do we perform internal and external assessments?
- Fundamental understanding of regulatory audit scope.

Slide 19: Questions?