Cybersecurity: Audit Considerations

Slides:



Advertisements
Similar presentations
David A. Brown Chief Information Security Officer State of Ohio
Advertisements

Session 3 – Information Security Policies
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.
IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Friday, October 23, Jacqueline Harris, CPM®, CCIM® Director of Training & Administration Digital Realty Jacqueline Harris, CPM®, CCIM® Director.
Cybersecurity Risk, Remediation, Response Nathan Gibson, CCE, CEH.
Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.
FFIEC Cybersecurity Assessment Tool Maine Credit Union League September 23, 2015 Patrick Truett, Information Systems Officer National Credit Union Administration.
WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore.
Trinity Industries, Inc. FEI Presentation May 31, 2012.
Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.
Cyber Insurance Risk Transfer Alternatives Heather Soronen - Operations Director Rocky Mountain Insurance Information Association.
Business Continuity and Disaster Recovery
Security and resilience for Smart Hospitals Key findings
Defining your requirements for a successful security (and compliance
Society for Maintenance and Reliability Professionals (SMRP)
Cyber Insurance Risk Transfer Alternatives
Cybersecurity as a Business Differentiator
Law Firm Data Security: What In-house Counsel Need to Know
Broadband Challenges 2017 Christopher Tamarin
Increasing Information and Data Security in Today’s Cybersecurity World 2017 Conference Review 6/6/2017.
CYBERSECURITY INCIDENCE IN THE FINANCIAL SERVICES SECTOR March 28, 2017 Presented by Osato Omogiafo Head IT Audit.
Information Security Program
An Overview on Risk Management
Presenter: Mohammed Jalaluddin
Cybersecurity - What’s Next? June 2017
Team 1 – Incident Response
Demystifying cybersecurity: Best practices to help strengthen your program Chris Candela Senior Consultant Business Consulting Services Charles Schwab.
Cyber Security: State of the Nation
Cybersecurity Policies & Procedures ICA
Current ‘Hot Topics’ in Information Security Governance Auditing
Introduction to the Federal Defense Acquisition Regulation
INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.
Hello, Today we will look at cyber security and the Internet of Things and how it could impact our business.
BUILDING A PRIVACY AND SECURITY PROGRAM FOR YOUR NON-PROFIT
Cyber Attacks on Businesses 43% of cyber attacks target small business Only 14% of small business rate their ability to mitigate cyber risk highly.
San Francisco IIA Fall Seminar
San Francisco IIA Fall Seminar
Information Security: Risk Management or Business Enablement?
Data Security Team 1.
I have many checklists: how do I get started with cyber security?
Cyber Security in the Mortgage Industry
Threat Landscape for Data Security
IIA District Conference Seminar Presenter David Cole, CPA, CISA, CRISC
Cybersecurity compliance for attorneys
Contact Center Security Strategies
Cybersecurity ATD technical
The State of Cybersecurity in State Government NAST March 26, 2019
Computer Science and Engineering
Strategic threat assessment
Cyber Security: What the Head & Board Need to Know
Tom Murphy Chief Information Security Officer
Cyber Security in a Risk Management Framework
DSC Contract Management Committee Meeting
MAZARS’ CONSULTING PRACTICE Helping your Business Venture Further
Session 8: Innovative Uses of Captives: Cyber and Beyond
Presented to Information Systems Security Association of Orange County
DSC Contract Management Committee Meeting
SECURITY IN THE DIGITAL AGE
What is Cybersecurity Office of Information Technology
The state of digital supplier risk management: In partners we trust
Protecting Knowledge Assets – Case & Method for New CISO Portfolio
IoT in Healthcare: Life or Death
Presentation transcript:

Cybersecurity: Audit Considerations Virginia Local Government Auditors Association May 3, 2019

Introductions Anthony DiGiulian, CISA Principal 14 years of experience Specializing in Information Technology (IT) internal audits, consulting services, risk assessments, control reviews, systems implementations, business process analyses, third party SOC reports, and compliance audits for government and commercial organizations Samuel Fitzgerald, ITIL, CISA, CISM Manager 11 years of experience Specializing in IT risk assessments, IT internal controls reviews, IT infrastructure reviews, system implementation reviews, disaster recovery and business continuity reviews, and IT security reviews for government and commercial organizations

Today’s Objectives 01. 02. 03. 04. 05. Cybersecurity’s Affect on Business Linkage to Business Process Emerging Cybersecurity Threats Training Goals Importance of Cybersecurity

Background What is Cybersecurity? “Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” -Merriam Webster “Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.” -NIST Cybersecurity Framework Version 1.1

Why Does a Cybersecurity Attack Occur? Cybersecurity affect on business Why Does a Cybersecurity Attack Occur? Traditional cyber attacks Data theft Extortion Vandalism Denial of Service (DoS) Cyber attackers are launching sophisticated agendas Espionage Disinformation Market manipulation Disruption of infrastructure “Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds by 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.”

Cybersecurity affect on business Who Does it Affect? Big Businesses Facebook (April 2019) World’s biggest social network 540 million user records were in plain sight Two 3rd party companies improperly storing data Schools San Diego Unified School District (January to October 2018) Data breach that exposed 500,000 students and staff personally identifiable information (PII) Affects students as far back as 2008-2009 school year Unauthorized access through phishing emails The 5 most cyber-attacked industries  over the past 5 years are: Healthcare Manufacturing Financial Services Government Transportation

Cybersecurity affect on business Who Does it Affect? Government Entities Federal Emergency Management Agency (March 2019) 2.5 million disaster victims had PII unprotected that was shared with contractor Oregon Department of Human Services (March 2019) 9 employees clicked on phishing emails exposing information to 1.6 million clients Oklahoma Department of Securities (January 2019) Millions of government files left unprotected on an open storage server ALMOST EVERY INDUSTRY

No Longer Just a Technology Issue Cybersecurity affect on business No Longer Just a Technology Issue Attention from Senior Leadership Cost High profile data breaches Reputational impact Job loss Business leaders forced to think about cyber risk Cyber attacks included in Business Continuity Plan Thwarting cyber attacks training given to non-IT employees Operational risk and cyber risk are being aligned Realization that cybersecurity expands beyond IT Cybersecurity practices should be embedded across all departments

Linkage to business process Six Key Dimensions of Organizational Cyber Maturity Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance

Linkage to business process Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Leadership and Governance Tone at the top Demonstrating due diligence Taking ownership Effectively managing known risk Organizational policies and procedures Human Factors Cybersecurity culture Training and knowledge First line of defense

Linkage to business process Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Information Risk Management Critical information security Supply partners Business Continuity Cybersecurity events are included in Business Continuity Plan Minimizing or preventing impact of a successful cyber attack

Linkage to business process Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Operations and Technology Appropriate control measures Addresses identified risk Minimizes impact of compromise Legal and Compliance Regulatory standards International certification standards

Linkage to business process Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Addressing Each Key Dimension Minimizes risk of a successful cyber attack Limits impact of successful cyber attack Enables employees to know his/her responsibility when incident occurs Reduces negative impact on reputation

Key Questions for Business Linkage to business process Key Questions for Business How big is the risk and who is at risk? Organizational attractiveness to criminals Dependencies on service partners Processes and/or systems that represent greatest cybersecurity asset Acceptable level of risk for specific processes and/or systems Partners are in agreement on risk appetite and cybersecurity measures

Key Questions for Business Linkage to business process Key Questions for Business How do culture and governance enable effective risk management? Culture contributes or hampers good cybersecurity Board/ senior leadership communicates importance of cybersecurity Ready to act in the event of a cybersecurity crisis Communication plan and who should do it Stakeholder assurance on cybersecurity policy can be provided

Key Questions for Business Linkage to business process Key Questions for Business How large should your cybersecurity budget be? Ranges vary depending on risk profile, 3% to 5% of total IT budget Cybersecurity budget should address: Solving past problems Structural investments in improved security systems Systems and tool investments Awareness and culture change

NIST Cybersecurity Framework Identify, assess, and manage cyber risk NIST Cybersecurity Framework

Emerging cybersecurity threats Internet of Things (IoT) System of computing devices and objects with unique identifiers and the ability to transfer data over networks w/o human interaction Smart refrigerators Webcams SmartTVs Thermostats Issue: Prioritizing convenience over security Risk: Unmanaged/ unsecured devices allowing unauthorized access Spying through cameras or listening devices Gateway to a secured network Distributed denial of service attack (DDoS)

Image courtesy of Beecham Research

Emerging cybersecurity threats Artificial Intelligence (AI) Systems Machines that can learn algorithms and techniques, that mimics cognitive functions associated with humans No sleep Processes data faster than humans Issue: The intent of use Risk: AI can infiltrate an IT infrastructure but then stay on for an extended period of time, undetected, launching powerful effective and efficient attacks in: Identity theft Denial-of-service (DoS) Password cracking

Emerging cybersecurity threats Artificial Intelligence (AI) Systems Current Attacks: Automation of attacks limited Humans must target and trigger the attacks Virus programs can self-replicate w/o human interaction Future Attacks: Sophisticated spear phishing AI can gather, organize, and process database information Less time in database, may not be noticed by security Timely attacking Pulling information from several sources to identify best time to attack Bank account attacks are launched when person is in hospital Improved adaptation Adapts quicker when met with resistance or weakness if fixed

PREVENT PROTECT PROGRESS Emerging cybersecurity threats Call to Action PREVENT PROTECT PROGRESS

Contact information Anthony DiGiulian, CISA Principal  703-852-5607 adigiulian@schgroup.com Samuel Fitzgerald, ITIL, CISA, CISM  Manager 703-287-5985 sfitzgerald@schgroup.com 

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.