1 Know Your Data!
IIA District Conference Seminar, October 29, 2018
Presenter: David Cole, CPA, CISA, CRISC

2 Briefing Points
High level: gain an understanding of critical data points and technology protection controls
  Data Categorization
  Data Media Storage
  Regulatory Requirements
  Data Governance - Role of the CPA
  Information System Controls
  Technical Controls
  System Architecture Data Controls
  Risk Assessments
  Wrap Up
Copyright © SysAudits. All rights reserved.

3 Data Categorization
What is "Knowing Your Data"? A data inventory and data categorization: the process of identifying the different types of data your business
  receives through engagements,
  creates during engagements, and
  obtains through day-to-day business operations (procurement, human resources, medical).

4 Data Categorization - What is "Knowing Your Data"
Data received through engagements:
  Audit engagements
  Details from payables and receivables
  Financial transactions and supporting financial data (business name, bank accounts, bank statements, etc.)
  Client data
  Healthcare data

5 Data Categorization - What is "Knowing Your Data"
Data received through engagements and obtained through day-to-day business operations (procurement, human resources, medical).
How is your data received?
  E-mail attachments: ideally encrypted
  File transfer: ideally behind secure access controls and encrypted
  Onsite on USB external drives: ideally an encrypted drive
The receiving channel is the first place a control can fail: an unencrypted attachment or USB drive exposes the client's data before it ever reaches your systems, so the inventory should record how each data type arrives, not only where it ends up.

6 Data Media Storage
Media storage typically refers to the form in which data is stored:
  Electronic disk: storage area network (SAN), hard drives, removable drives
  Backup tape
  Mobile devices: phones, tablets
  System/application storage: databases
  Report servers: often separate servers used for report preparation
  Transaction servers: systems used for transaction processing

7 Regulatory Requirements
Knowing your data also requires knowing whether any regulatory and protection responsibilities attach to it.
Your firm may not fall clearly within the Payment Card Industry Data Security Standard (PCI DSS) requirements. But if credit card transactions are obtained during engagements as audit evidence or for verification testing, then where and how you store, protect, and purge that data requires data protection controls, covering every place it can land:
  audit workpapers (WPs)
  electronic storage (shared drives)
  e-mails/attachments
In practice, full card numbers copied into a workpaper or onto a shared drive bring that storage into PCI DSS scope; retaining only a truncated or masked number, where the audit evidence allows it, keeps the scope small.
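The data inventory on slide 3 and the PCI point above both come down to one question: does regulated data sit in our workpapers, shared drives and attachments without anyone knowing? The following is an added example, not code from the presentation or from SysAudits, of the kind of scanner an internal audit team can run over exported workpaper text. It flags card PANs (shape plus Luhn check), US SSNs and e-mail addresses, buckets them as PCI or PII, and records only masked values so the review log itself does not become another copy of the data. The sample workpaper text and every number in it are constructed; the regular expressions and the 90/10 masking rule are the author's assumptions, not something the slides specify.

```python
"""Scan audit workpaper text for regulated data elements.

Added example for this page, not code from the presentation. The sample
workpaper text and every account number in it are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by spaces or hyphens (card PAN shape)
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass(frozen=True)
class Finding:
    category: str  # regulatory bucket: "PCI" or "PII"
    kind: str      # "PAN", "SSN" or "EMAIL"
    line: int      # 1-based line in the scanned text
    masked: str    # value as it may be written into the review log


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real card PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Return every PAN, SSN and e-mail address found, never the raw value."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn filters most invoice/reference numbers that merely look like a PAN
            if luhn_ok(digits):
                findings.append(Finding("PCI", "PAN", lineno, mask_pan(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding("PII", "SSN", lineno, "***-**-" + m.group()[-4:]))
        for m in EMAIL_RE.finditer(line):
            user, _, domain = m.group().partition("@")
            findings.append(Finding("PII", "EMAIL", lineno, user[0] + "***@" + domain))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per regulatory bucket, e.g. {"PCI": 1, "PII": 2}."""
    return dict(Counter(f.category for f in findings))


# Constructed sample: lines a field auditor might paste into a workpaper
SAMPLE_WORKPAPER = """\
Client: Acme Widgets - AR confirmation testing (constructed sample)
Invoice 20181029 paid by card 4111 1111 1111 1111 on 10/29/2018
Contact jane.doe@example.com, payroll ref 123-45-6789
Wire ref 1234567890123 (13 digits, fails Luhn, so not flagged)
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_WORKPAPER):
        print(f"line {f.line}: {f.category}/{f.kind} {f.masked}")
    print(summarize(scan(SAMPLE_WORKPAPER)))
```

The Luhn check removes most 13 to 19 digit reference numbers, but about one in ten random digit strings still passes it, so a hit is a lead for the reviewer, not proof; a production scanner would also check issuer (BIN) ranges and surrounding words. The wire reference on the last line shows the negative case: right length, wrong checksum, not reported.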

8 Regulatory Requirements
Regulatory requirements relate to:
  Personally Identifiable Information (PII)
  Financial records
  Credit card records
  Medical records
We are all well aware of, and have been victims a time or two of, compromises of our:
  Credit cards
  Background clearances
  PII

9 Data Governance - Role of the CPA
How do, and how should, CPAs play a role in data governance and risk management?
CPAs, auditors, and business risk advisors: the CPA is a respected profession whose cornerstone trademarks are being
  financially conservative: well thought out financial decisions,
  experts in internal controls,
  experts in establishing sound, repeatable processes, and
  ultimately, risk advisors.
Data governance fits right into the trademarks of the CPA profession.

10 Information System Controls
Knowing your data leads into the following main points: what are the standard, industry-recognized controls for protecting data within an organization and its systems? The three main sets of controls (the control classes NIST SP 800-53 used through Revision 3) are:
  Management controls: policies, such as computer security, access control, and security awareness policies
  Operational controls: procedures, such as backup processes and the process for granting, monitoring, and removing user access

11 Information System Controls
  Technical controls: technical solutions that implement the management and operational controls, such as unique user accounts for application access, VPN, two-factor authentication (2FA), database access controls, encryption, and auditing and logging
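The operational control on slide 10 (granting, monitoring and removing user access) and the technical controls above (unique accounts, 2FA) are verified together in a periodic user access review: the account extract from the application, VPN or database is reconciled against the HR roster. The following is an added example, not code from the presentation or from SysAudits, of that reconciliation. It reports accounts still enabled for terminated staff, accounts with no named owner (shared or service accounts, which break unique accountability), accounts without 2FA, and dormant accounts. Both CSV extracts are constructed, and the 90-day dormancy threshold is an assumed policy value.

```python
"""User access review: reconcile enabled accounts against the HR roster.

Added example for this page, not code from the presentation. The roster and
account extracts below are constructed; a real review would pull them from HR
and from the application, VPN or database user stores.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Constructed HR roster extract
HR_ROSTER = """\
employee_id,name,status,termination_date
E100,Jane Doe,active,
E101,Bob Ray,terminated,2018-09-14
E102,Ann Lee,active,
"""

# Constructed application/VPN account extract
APP_ACCOUNTS = """\
username,employee_id,enabled,mfa_enrolled,last_login
jdoe,E100,true,true,2018-10-26
bray,E101,true,false,2018-09-13
alee,E102,true,true,2018-06-01
svc_reports,,true,false,2018-10-28
shared_audit,,true,false,2018-10-27
"""

REVIEW_DATE = date(2018, 10, 29)   # seminar date, used as the "as of" date
STALE_AFTER = timedelta(days=90)   # assumed policy threshold for dormant accounts


def load(csv_text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(roster_csv: str, accounts_csv: str,
                  as_of: date = REVIEW_DATE) -> list[tuple[str, str, str]]:
    """Return (username, issue_code, detail) for every enabled account that
    fails one of the operational/technical control checks."""
    roster = {r["employee_id"]: r for r in load(roster_csv)}
    issues: list[tuple[str, str, str]] = []
    for acct in load(accounts_csv):
        if acct["enabled"] != "true":
            continue                      # disabled accounts are out of scope
        user = acct["username"]
        emp_id = acct["employee_id"]
        if not emp_id:
            # Not tied to an individual: shared or service account. Unique
            # accountability requires a named owner and a documented purpose.
            issues.append((user, "NO_OWNER", "no employee linked; needs named owner"))
        elif emp_id not in roster:
            issues.append((user, "UNKNOWN_EMPLOYEE", f"{emp_id} not in HR roster"))
        elif roster[emp_id]["status"] == "terminated":
            # Leaver process failed: access was never removed
            issues.append((user, "ORPHANED",
                           f"terminated {roster[emp_id]['termination_date']}, still enabled"))
        if acct["mfa_enrolled"] != "true":
            issues.append((user, "NO_MFA", "2FA not enrolled"))
        idle = as_of - date.fromisoformat(acct["last_login"])
        if idle > STALE_AFTER:
            issues.append((user, "STALE", f"no login for {idle.days} days"))
    return issues


if __name__ == "__main__":
    for user, code, detail in review_access(HR_ROSTER, APP_ACCOUNTS):
        print(f"{user:<14}{code:<18}{detail}")
```

The orphaned account (bray) is the finding that matters most: the termination is in HR's data, so the gap is in the leaver procedure, not in the technology. The two unowned accounts show why "unique user accounts" is listed as a technical control: without a named owner there is nobody to hold accountable for what the account does in the logs.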

12 Technical Controls - Encryption Controls
Encryption in transit: encrypting the connection from a user's PC to the application or onto a network.
  Typically a VPN connection establishes an encrypted tunnel from the user's PC to the corporate network, where the user can then access an application or data.
  The VPN protects traffic only while it is inside that tunnel, between the PC and the VPN gateway. It does nothing for the hop from the gateway to the application (which needs its own TLS) and nothing for the data once it is written to a disk or database.
Encryption at rest: encrypting data where it resides, in applications, in storage, and within an application database.

13 Technical Controls - Interconnection Controls
Often there are system connections between trusted business partners, subsidiary offices, or government systems. There are typically two types:
  Periodic connections: the connection is not persistent; it is opened or enabled periodically, and data may travel in only one direction, to us or from us
  Permanent connections: the connection is needed 24x7, and data often flows in both directions

14 Technical Controls - Interconnections: Risks
Persistent or not, we want to make sure our data, and data entrusted to us, is protected. For our data going out:
  We want the same level of protection at the remote (site 2) location
  Articulated data controls, agreed upon by both parties
  We want to be notified in the event of a data compromise, including an apparent (suspected) compromise
  We want a formal agreement in place, often called an Interconnection Security Agreement (ISA)

15 System Architecture Data Controls
(Diagram slide: multi-tier architectures)

16 System Architecture Data Controls
(Diagram slide: general walkthrough of key technical components)

17 Risk Assessments
What can you do to determine whether you have adequate data protection controls?
Internal self-assessment:
  Policy assessment
  Operational and process assessment
  Technical assessment
  Incident management
  Communication plans
External assessments:
  Client and partner assessments
  MOUs, MOAs

18 Wrap Up - Benefits of Knowing Your Data
  What type of data is it?
  Where is the data stored?
  Is the data regulated?
  Where do we apply data protection controls?
  How do we perform internal and external assessments?
  A fundamental understanding of regulatory audit scope.

19 Questions?
