Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

IT Security Policy Framework
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems
Control and Accounting Information Systems
Comparative Analysis of IT Control Frameworks in the Context of SOX By: Malik Datardina, CA, CISA University of Waterloo.
Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
The Regulation Zoo: Dealing With Compliance Within The Firewall World
1 Sarbanes-Oxley Section 404 June 29,  SOX 404 Background 3  SOX 404 Goals 4  SOX 404 Requirements 5  SOX 404 Assertions 6  SOX 404 Compliance.
REGULATIONS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.
First Practice - Information Security Management System Implementation and ISO Certification.
COBIT Framework Introduction. Problems with IT? – Increasing pressure to leverage technology in business strategies – Growing complexity of IT environments.
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.
Information Systems Controls for System Reliability -Information Security-
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Chapter 4 Internal Controls McGraw-Hill/Irwin
Chicagoland IASA Spring Conference
Internal Auditing and Outsourcing
Information Security Framework & Standards
INFORMATION SECURITY REGULATION COMPLIANCE By Insert name dd/mm/yyyy senior leadership training on the primary regulatory requirements,
Chapter 3 Internal Controls.
BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
ISA 562 Internet Security Theory & Practice
GRC - Governance, Risk MANAGEMENT, and Compliance
Vijay V Vijayakumar.  SOX Act  Difference between IT Management and IT Governance  Internal Controls  Frameworks for Implementing SOX  COSO - Committee.
INTERNAL CONTROL OVER FINANCIAL REPORTING
Implementation Issues of Sarbanes-Oxley CASE Presentation September 23, 2004 By Denise Farnan.
Chapter Three IT Risks and Controls.
Page 1 Internal Audit Outsourcing The Moss Adams Approach to Internal Audit Outsourcing Proposed SOX 404 Changes.
Roles and Responsibilities
Challenges in Infosecurity Practices at IT Organizations
Agency Risk Management & Internal Control Standards (ARMICS)
1. IT AUDITS  IT audits: provide audit services where processes or data, or both, are embedded in technologies.  Subject to ethics, guidelines, and.
Roadmap to Maturity FISMA and ISO 2700x. Technical Controls Data IntegritySDLC & Change Management Operations Management Authentication, Authorization.
1 Information Technology (IT) Auditing & Control Instructor: Dr. Princely Ifinedo Cape Breton University (CBU)
Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10,
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
Eliza de Guzman HTM 520 Health Information Exchange.
Everyone’s Been Hacked Now What?. OakRidge What happened?
© Dr. John T. Whiting All Rights Reserved Slide 1 Achieving Compliance with GBLA & Other Laws and Regulations Impacting.
CIA Annual Meeting LOOKING BACK…focused on the future.
IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Chapter 9: Introduction to Internal Control Systems
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Information Security Framework Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory,
Control and Security Frameworks Chapter Three Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.
COBIT. The Control Objectives for Information and related Technology (COBIT) A set of best practices (framework) for information technology (IT) management.
#327 – Legal and Regulatory Risk: Silent and Possibly Deadly Deborah Frazer, CPA CISA CISSP Senior Director, Internal Audit PalmSource, Inc.
An Information Security Management System
IS4550 Security Policies and Implementation
IS4680 Security Auditing for Compliance
COSO Internal Control s Framework
HIPAA Security Standards Final Rule
Presentation transcript:

Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)

 Committee of Sponsoring Organization(COSO)  Control Objectives for Information and Related Technology (COBIT)  IT Infrastructure Library (ITIL)  ISO  National Security Agency INFOSEC Assessment Methodology  Frameworks and standard trends Frameworks and Standards

 Initiated in 1985  Internal control and framework formed in 1992  AICPA/AAA/FEI/IIA/IMA  Key Categories:  Effectiveness and efficiency of operations  Reliability of financial reporting  Compliance with applicable laws and regulations  The only framework for IC used by SEC, PCAOB COSO

 Internal control is a process  Internal control is affected by people  Internal control can only provide “reasonable assurance”  Internal control is geared to the achievement of objectives in one or more separate by overlapping categories Internal Control Key Concepts

COSO Cube

 Control Environment – Tone from the top  Risk Assessment – Identification and Analysis Risks  Control Activities – Policies and procedures  Information and Communication – Enable managers and staff to carry out responsibilities  Monitoring – Assess the quality of the performance  Each components are NOT isolated COSO Cube

 Internal Environment  Objective Setting  Event Identification  Risk Assessment  Risk Response  Control Activities  Information and Communication  Monitoring ERM

 General Computer Controls  IT Governance and Management  IT Infrastructure  Security Management  HW and SW Acquisition and Development  Services Delivery and Support, etc  Application Controls  SDLC  SOD  Access Control, etc. COSO’s Effect on IT Controls

 First published in April 1996  Control Objective Domains  Plan and organize  Acquisition and implementation  Delivery and support  Monitor and evaluation COBIT

 Seven Qualities of Information  Effectiveness  Efficiency  Confidentiality  Integrity  Availability  Compliance  Reliability  Control Objectives and Control Activities COBIT

 Standards for good practice of IT controls  Technology platform independent  Management and process owner-oriented  A de facto standard for IT governance COBIT

 Complexity of IT environment  Fragmented or poorly performing IT infrastructure  Enterprise vs. ad hoc solution  IT cost  Reactive vs. proactive IT management  Communication gaps between IT and Business management  IT’s role in business strategies IT Governance

 Compliance with Laws and Regulations  Scarcity of skilled staff  Application ownership  Competing IT resources/priorities among business units  Flexibility and nimbleness  Risk exposure  External environment change IT Governance

 Developed by the U.K government in mid 80s Provides best practices describing how to plan, design and implement effective service management capabilities Ref. to Week 1 class information slides for more details about ITIL ITIL

 International Organization for Standards (ISO)  ISO 27001, 17799, BS 7799 – Information Security Practice  1333 security controls in 11 areas  Security policy  Information security organization  Asset management  Human resource security  Physical and environment security  Communication and operations management  Access control  Information system acquisition, development and maintenance  Security incident management  BCP  Compliance ISO 27001

 The Sarbanes-Oxley Act of 2002  The Gramm-Leach-Bliley Act  State level privacy regulations, e.g. California SB 1386  The Health Insurance Portability and Accountability Act of 1996  EU Commission and Basel II  Payment Card Industry Data Security Standard Regulations

 Regulatory Impact on IT Audit  IIA and ISACA Guidelines for establishing IT control and audit processes Regulations

 Response from the corporate scandals:  Enron/Arthur Anderson  Tyco, Adephia, Worldcom, HealthSouth…  Focus on Internal Control Over Financial Reporting  Impact on Public Corporations  Executives to attest to the adequacy and effectiveness of ICOFR  Controls must be audited externally  CEOs & CFOs are held accountable for (reports generated by systems and applications) SOX

 Section 101  Establishing of PCAOB as the governance agency to regulate accounting firms such as Big 4  Section 302  CEOs & CFOs are responsible for all internal controls  Section 404  Attestation that IA are in place, documented and effective  Section 409  Disclosure for significant changes SOX

 IT specific controls required for SOX compliance  Access control  Authentication and authorization  Physical and Logical access  Re-certification, etc.  Change control  Request/review/approval  Back-out plan/schedule  Data management  Data transfer  Database structure  Data element consistency  Physical control of data  Data backup  IT operations  Network operations  Asset management SOX

 Financial Institutions  How FIs’ customer information may be shared  Customer privacy provisions  Opt-out requirement  Section 501B  Ensuring the confidentiality of customer information  Protecting against anticipate threats to customer records  Protecting against unauthorized access to customer information that could result in substantial impact to the customer GLBA

 Interagency Guidance  Office of Currency Comptroller (OCC)  Federal Reserve (FRB)  Federal Deposit Insurance Corporation (FDIC)  Control Requirements GLBA

 Written Information Security Program  Risk Assessment and Management  Access Control for Customer Information Systems  Physical Access Control for areas containing customer information  Encryption (data at rest, data in transition, data in use)  Change control  Dual control/SOD/employee back ground check  Security Monitoring  Incident response and notification  Disposal customer information GLBA

 California SB 1386 – the most visible state laws dealing with breaches of security that cause private information to be breached: disclosure  EU Directive on the Protection of Personal Data  Canada PIPEDA Other Privacy Regulations

 Passed in 1996 by Congress  IT relevant – prescribe a standard methodology for security; standardize the format for health-related information  HIPAA Privacy and Security Rules  HIPAA Privacy Rules  HIPAA Security Rules HIPAA

 HIPAA Privacy Rules  Administration controls designed to protect patient information  Effective April 2003  HIPAA Security Rules  Technical controls: network perimeter protection, encryption, and workstation security  Ref. to page 432, Table 17-1 HIPAA Rule Requirements HIPAA

 Payment Card Industry Data Security Standard  Not a law  Mandatory compliance for participants in the card payment-processing industry  Not only adopt, but also validate the compliance of the standard PCI Data Security Standard

 Level 1/High Risk Merchant  Quarterly internal and external scan  Independent validation of compliance by a QSA  ROC  Others  Self-evaluation (SAQ)  Common Adopted data security standards and practices  Not a panacea – Recent Target Data Breach PCI Data Security Standard