Presentation is loading. Please wait.

Presentation is loading. Please wait.

Current ‘Hot Topics’ in Information Security Governance Auditing

Published byJoshua Anderson Modified over 6 years ago

Similar presentations

Presentation on theme: "Current ‘Hot Topics’ in Information Security Governance Auditing"— Presentation transcript:

1 Current ‘Hot Topics’ in Information Security Governance Auditing
AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03 March 2011

2 WHAT DOES MUTUAL ONE DO ? We facilitate collective action amongst mutuals across 4 broad areas: Internal audit Compliance, risk and governance Events Collective procurement We are very committed to supporting the mutual sector so that it thrives, not just survives More details on the above can be found on

3 Current ‘Hot Topics’ in Information Security Governance Auditing
Contents Definition of ‘Information Security’ What Information do we need to secure? Why do we need to secure information? Auditing Information Security Frameworks Emerging Themes Questions

4 Information Security….
….protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction. Wikipedia – Nov 2010

5 What information needs protecting?
Customer Company Employee Confidential Bank / card Product / ideas

6 But why….? Regulatory Requirements Financial Services Authority

7 But why….? Regulatory Requirements Reputation Damage Financial Cost

8 Estimated Cost of a Data Breach:
Data Loss incidents cost between £365k and £3.92m to manage Average cost per lost record = £64 Biggest cost per lost record is lost business - £29 Other costs include: customer communication recompense operational costs financial penalty Increased 7% in past year, 36% in past two years Source: Ponemon Institute / PGP 2009 Annual Study - Global Cost of a Data Breach report

9 Auditing InfoSec Dependent upon: Organisation
Operating environment – regulated firm? Compliance to external requirements (e.g. PCI-DSS)? Size and nature of IT environment i.e. is control requirement proportionate? Risk appetite

10 Auditing InfoSec - Frameworks
ISO27001 / 2 ISO/IEC 27001:2005 – Information Security Management Systems – Requirements ISO/IEC 27002:2005 – Code of Practice for Information Security Management COBIT FSA Paper – Data Security in Financial Services (Apr 2008) Payment Card Industry – Data Security Standards

11 Auditing InfoSec Emerging Themes:
FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)

12 Data Security in Financial Services (April 2008) – New Regulation ??
Governance – managing systems and controls Training and Awareness Staff Recruitment & Vetting Controls Physical Security Disposing of Customer Data Managing Third-party Suppliers Internal Audit and Compliance Monitoring

13 Auditing InfoSec Emerging Themes:
FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers

14 FSA Fines…. Zurich fined £2.3m over customers’ data loss, August 2009
Result of a lack of oversight on key outsourced service Third Party Assurance

15 Third Party Assurance Due diligence Relationship management
Contracts / service level agreements Ongoing review of security arrangements Third party assurance

16 Auditing InfoSec Emerging Themes:
FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees?

17 Who are our employees? Initial recruitment process background checks
CRB checks credit checks Recruitment of temporary staff Ongoing vetting of staff

18 Auditing InfoSec Emerging Themes:
FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used?

19 “To block or not to block….?”
Reasons to block…. Introduction of malware, spyware, virus Bandwidth usage ‘Time-wasting’ Data Leakage Accidental Intentional Data aggregation REPUTATION!

20 “To block or not to block….?”
Reasons to allow…. Networking opportunities Knowledge sharing Communication with staff Marketing ability / customer engagement Increased staff morale

21 “To block or not to block….?”
Controls to consider (if allowing social networking sites) Solid risk assessment Training and awareness Usage policies Granular web-site controls (next-gen firewalls) Data leakage software

22 Auditing InfoSec Emerging Themes:
FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used? Portable Media Devices – Encrypted?

23 Ongoing Problem

24 Laptop Security Encryption Laptop policy – cannot rely on adherence
Asset Register Laptop sharing

25 Auditing InfoSec Emerging Themes:
FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used? Portable Media Devices – Encrypted? Smart Phones

26 Auditing InfoSec Emerging Themes:
FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used? Portable Media Devices – Encrypted? Smart Phones What next….? Cloud Computing?

27 Cloud Computing Security Regulatory Compliance Location Segregation
Recovery Auditability Longevity Costs

28 ANY QUESTIONS ?

29 Communicate Clearly At all levels, to achieve the optimum outcome
Work Together Respect each other and our clients and through teamwork achieve a common goal Share Knowledge Our aim is to enlighten and add value through experience Communicate Clearly At all levels, to achieve the optimum outcome Deliver Quality Service We can be relied upon and trusted to meet agreed objectives Anticipate and Respond to Change We aim to be proactive and innovative; by being adaptable we address tomorrow's challenges today

Download ppt "Current ‘Hot Topics’ in Information Security Governance Auditing"

Similar presentations

Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.

AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.
Discovery – The Next Generation!: Business Context of Risk Presentation to the North London Branch British Computer Society 19 March, 2008 Dr. Victoria.

Discovery – The Next Generation!: Business Context of Risk Presentation to the North London Branch British Computer Society 19 March, 2008 Dr. Victoria.
“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”

“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”
IOR Scottish Chapter Annual Conference Glasgow Caledonian University – 1 st November 2013 Relevance of Operational Risk to the FCA Jill Savager Manager,

IOR Scottish Chapter Annual Conference Glasgow Caledonian University – 1 st November 2013 Relevance of Operational Risk to the FCA Jill Savager Manager,
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Security Controls – What Works

Security Controls – What Works
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Information Security Risk Management

Information Security Risk Management
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.
Consultancy.

Consultancy.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Information Security Update CTC 18 March 2015 Julianne Tolson.

Information Security Update CTC 18 March 2015 Julianne Tolson.
Enterprise Computing Community June 13 - 15, 2010February 27, 2010 1 Information Security Industry View Linda Betz IBM Director IT Policy and Information.

Enterprise Computing Community June , 2010February 27, Information Security Industry View Linda Betz IBM Director IT Policy and Information.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
Presentation to Senior Management 2007. MiFID for Senior Managers Introduction These slides introduce the big changes for senior management from MiFID.

Presentation to Senior Management MiFID for Senior Managers Introduction These slides introduce the big changes for senior management from MiFID.

Similar presentations

Ads by Google