Using Internal Controls to Become a Cyber Security Watch Dog


1 Using Internal Controls to Become a Cyber Security Watch Dog
May 16, 2019. Presenter: Robert Listerman, CPA, CITRMS. © Business Technology Resources, LLC

2 Robert Listerman (Bob) is a licensed Certified Public Accountant, State of Michigan, and has over 30 years of experience as a process improvement business consultant. He graduated from Michigan State University and became a CPA while employed at Touche Ross & Co., Detroit, now known as a member firm of Deloitte & Touche USA LLP. Bob added the Certified Identity Theft Risk Management Specialist (CITRMS) designation issued by The Institute of Fraud Risk Management. The designation is in recognition of his knowledge and experience in identity theft risk management. Today Bob focuses his practice on data security compliance. Over 50% of identity theft can be traced back to unlawful handling or mishandling of non-public data within the workplace. Currently Bob serves his professional community as an active Board Member for the Institute of Management Accountants (IMA), Mid Atlantic Council (“IMA-MAC”). He is a regular seminar presenter for the IMA, the Pennsylvania Institute of CPAs (PICPA), and the Michigan Association of CPAs (MICPA). Bob serves on, and is a past chair of, the MICPA’s Management Information & Business Show committee, which serves over 1000 CPAs in attendance each year. He is Continuing Education Chair of the PICPA’s IT Assurance Committee. Bob serves his local community as an active volunteer for Longwood Rotary Club (a past president of the club), serving on many not-for-profit boards and committees that improve the livability of his community. He is Treasurer of the Longwood Rotary Foundation. He also serves his Rotary District 7450 as their Area 10 Assistant Governor while being the club’s Interact Liaison for Unionville High School (Rotary in High School) since 2004.

3 About Our Program: “Using Internal Controls to Become a Cyber Security Watch Dog”
Just because a small- or medium-sized company may not have the same budget or manpower as a large corporation doesn’t make cyber security any less important. What can your business do to effectively protect against virtual crimes while staying within your resources? Our expert discusses internal control must-haves for small- and medium-sized entities, the challenges these organizations may face, and common protection errors.

4 Too Many Choices!
- ISO – International Organization for Standardization
- NIST – National Institute of Standards and Technology (founded in 1901)
- FFIEC – Federal Financial Institutions Examination Council
- PCI – Payment Card Industry
- FTC – Federal Trade Commission
- SOX – Sarbanes-Oxley
- HIPAA – Health Insurance Portability and Accountability Act of 1996, updated to 2016
- AAA – American Accounting Association
- AICPA – American Institute of Certified Public Accountants
- FEI – Financial Executives International
- IIA – Institute of Internal Auditors
- IMA – Institute of Management Accountants

5 Background of “Internal Controls”
COSO is a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. Five nonprofits are COSO sponsoring organizations:
- AAA (American Accounting Association)
- AICPA (American Institute of Certified Public Accountants)
- FEI (Financial Executives International)
- IIA (Institute of Internal Auditors)
- IMA® (Institute of Management Accountants)

6 Background of “Internal Controls”
- The Internal Control—Integrated Framework was published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
- COSO was recently updated to COSO 2013, with implementation recommended by 2014.
- Management at public companies must select an internal control framework and then assess and report annually on the design and operating effectiveness of their internal controls.
- The majority of U.S. publicly traded companies have adopted COSO’s 1992 Framework to do this, to ensure the reliability of their financial reporting to the Securities and Exchange Commission (SEC).

7 Definition of Internal Control
Broadly defined (COSO): A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance relating to the achievement of objectives related to operations, reporting, and compliance.

8 Definition of Internal Control
Key Elements:
- A process
- Effected by people
- Able to provide reasonable assurance
- Geared to the achievement of objectives
- Adaptable to the entity structure

9 Objectives of Internal Control
- Effective, efficient operations
- Reliable, timely reporting
- Compliance with laws and regulations
Objectives = what an entity is trying to achieve. How do these objectives apply to data security?

10 Components of Internal Control
Five Components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Components represent what is required to achieve the Objectives. Each Component applies to all three Objectives.

11 Principles of Internal Control
- Principles fall under each Component, reflecting fundamental concepts
- 17 Principles throughout the 2013 Framework
- Viewed as applicable to all entities
- In the rare case a principle is not applicable, management must document and support how the Component can still be present and functioning
- Each Principle is supported by multiple Points of Focus, which represent important characteristics of the Principles

12 This session is the application of COSO to ALL types of organizations, using these accepted public company principles on Internal Controls for Data Security Compliance.*
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

13 17 Internal Control Principles
Control Environment:
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

14 17 Internal Control Principles
Risk Assessment:
- Specifies suitable objectives
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

15 17 Internal Control Principles
Control Activities:
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

16 17 Internal Control Principles
Information and Communication:
- Uses relevant information
- Communicates internally
- Communicates externally
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

17 17 Internal Control Principles
Monitoring:
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

18 Chief Information Security Officer
Job Description: The CISO is a senior-level executive responsible for aligning security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected.

19 Chief Information Security Officer
Job Description:

20 Chief Information Security Officer
Job Description:
- Managing the company's Computer Security Incident Response Team
- Supervising identity and access management
- Establishing and overseeing the organization's security architecture
- Conducting electronic discovery and digital forensic investigations
- Working with other high-level executives to establish disaster recovery (DR) and business continuity plans

21 Chief Information Security Officer
Regulators and other stakeholders have higher expectations regarding:
- Governance oversight
- Risk management
- Detection and prevention of fraud
While advances have been made in better connecting risk management and internal control practices in pursuit of organizational strategic goals, the many changes since 1992 have significantly increased business risk, resulting in a much greater need for competence and accountability than ever before.

22 Application to Smaller & Mid-sized Organizations
How many here work in a company with:
- more than 1 employee?
- more than 10 employees?
- more than 50 employees?
- more than 100 employees?
- more than 500 employees?
- over 1,000 employees?

23 Application to Smaller & Mid-sized Organizations
At SMOs, the “Compliance” Officers may otherwise be known as:
- IT Manager
- Accounting Manager (Bookkeeper), Controller, or CFO
- Operations (COO, General Manager – GM, etc.)
- Vice President of …
- Owner / President

24 What SMOs Are Up Against Regarding Data/Cyber Security
Small businesses are subject to many of the regulations of large businesses:
- FTC – Federal Trade Commission
- HIPAA – Health Insurance Portability & Accountability Act
- PCI – Payment Card Industry
- State laws in which you do business
- FFIEC – Financial institutions

25 Why SMOs Are Significant Regarding Data/Cyber Security
Small businesses are the lifeblood of our economy:
- 64% of all new jobs
- 54% of all U.S. sales
- Approximately 50% of all private-sector payrolls
Source: Hannah Bender, PropertyCasualty360.com

26 Should SMOs Be Concerned About Data/Cyber Security?
According to a 2012 study by the National Cyber Security Alliance, 60% of small businesses close their doors within six months of a data breach, which costs a business not only money but also reputation.
Verizon 2013 Data Breach Investigations Report: Small and midsize businesses (SMBs) are the top targets for cybercriminals, suffering breaches more often than larger firms.
Source: Hannah Bender, PropertyCasualty360.com

27 THE MANY COSTS OF A DATA BREACH VARY
- Detection or Discovery – “Activities that enable a company to reasonably detect the breach of personal data either at risk (in storage) or in motion”
- Escalation – “Activities necessary to report the breach of protected information to appropriate personnel within a specified time period.”
- Notification – physical mail, general notice, telephone
- Victim Assistance – card replacement, credit monitoring offer, identity theft protection offer, access to customer service representatives
- Churn of existing customers / personnel
- Diminished future acquisition of customers or employees

28 Typical Defense (Signature Based¹)
- A/V – Anti-Virus
- Web Proxy
- Intrusion Detection System
- Intrusion Prevention System
- DLP Filter – Data Loss Prevention
- SIEM – Security Information and Event Management
¹ Signature Based: These programs are updated with known threats, meaning somebody else had to have suffered a zero-day attack for the threat to be added to the known-threat database. This is why it is imperative that you keep these programs up to date. Don’t select “update later”!

29 What SMOs Are Up Against Regarding Data/Cyber Security
Small businesses are subject to the same threats as large businesses:
- Compromised and stolen credentials
- Zero-day attacks
- Botnet command and control servers
- PCI – Payment Card Industry
- State laws in which you do business
- Best practices of your industry

30 Email Attack on Vendor Set Up Breach at Target*
The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation. KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa.
* Source: KrebsOnSecurity

31 Any Size Business Can Bring Down A Major Customer

32 Zero Day Attack
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

33 Botnet
The term "botnet" can be used to refer to any group of computers, such as IRC bots, but the term is generally used to refer to a collection of computers (called zombie computers) that have been recruited by running malicious software. A botnet can be used to send spam or to participate in denial-of-service attacks. The word botnet stems from the two words robot and network.

34 Application to Smaller & Mid-sized Organizations
Whose job title at an SMO is responsible for data/cyber security?
- IT Manager
- Accounting Manager (Bookkeeper), Controller, or CFO
- Operations (COO, General Manager – GM, etc.)
- Vice President of …
- Owner / President

35 EVERYONE IS RESPONSIBLE!
Application to Smaller & Mid-sized Organizations. Whose job title at an SMO is responsible for data/cyber security?
- IT Manager
- Accounting Manager (Bookkeeper), Controller, or CFO
- Operations (COO, General Manager – GM, etc.)
- Vice President of …
- Owner / President
EVERYONE IS RESPONSIBLE!

36 Who & What To Protect
Inventory Personally Identifiable Information (PII) of:
- Owner(s) and the organization’s employee(s)
- Customers
- Vendors
- Guests (job applicants, prospects, bidders, etc.)
Inventory Intellectual Property (IP):
- Contracts
- Licenses
- Formulas/Recipes
- Methodologies
- Patents

37 Three Different Safeguards of Security
- Physical Safeguards of Security
- Administrative Safeguards of Security
- Technical Safeguards of Security

38 Physical Safeguards of Security
- Premises & surroundings
- Physical access: simple key, or user-identifying access (key pad or card)
- Internal areas: floors, hallways, office doors, files, etc.
- Document flow through the facility and at rest
- Storage
- Written procedures
- Environmental safeguards
- Computer monitor/screen guards
- Clean desk / empty drawer policy (suggestion)

39 Administrative Safeguards
- Employee training on handling data from its source through to storage
- Documented procedures
- Computer Usage Policy
- Sensitive Data Handling Policy
- Data Security Policy, including B.Y.O.D.
- Employee-signed acknowledgement of being trained
- Criminal background check on anyone who handles or has access to data
- Education backed by Policy & Procedures

40 Technical Safeguards of Security
- Risk assessment – see handout example
- Encryption
- Strong passwords
- Internal vulnerability assessment
- Malware/virus checking software
- Spam filters
- Intrusion detection
- Credential monitoring – new, through Experian or CyberID-Sleuth™
- Employee education on IT security policy and procedures

41 Internal Control Tool Kit
- All software updates done as soon as possible – most have a security element (system patches)
- Server / Exchange management includes periodic forced strong password changes
- Anti-virus / malware protection kept up to date and continuously running

42 Internal Control Tool Kit
- Encryption of PII and IP data
- Deploy intrusion detection tools if possible (affordable)
- Monitor the dark web for stolen credentials, including from outside relationships

43 Application of Internal Control Principles
Control Environment:
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

44 Application of Internal Control Principles
- Tone at the Top
- Exercises oversight responsibility
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability

45 Application of Internal Control Principles
- Tone at the Top
- Process Owners Monitor Specific Procedures for Handling PII
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability

46 Application of Internal Control Principles
- Tone at the Top
- Process Owners Monitor Specific Procedures for Handling PII
- Written Policy and Procedures
- Demonstrates commitment to competence
- Enforces accountability

47 Application of Internal Control Principles
- Tone at the Top
- Process Owners Monitor Specific Procedures for Handling PII
- Written Policy and Procedures
- Applicable Continuing Education for All Employees
- Enforces accountability

48 Application of Internal Control Principles
- Tone at the Top
- Process Owners Monitor Specific Procedures for Handling PII
- Written Policy and Procedures
- Applicable Continuing Education for All Employees
- Performance Reviews Include Data/Cyber Security Compliance

49 Application of Internal Control Principles
Risk Assessment:
- Specifies suitable objectives
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

50 Application of Internal Control Principles
- Clear Written Message to All Employees on Risk Management
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change

51 Application of Internal Control Principles
- Clear Written Message to All Employees on Risk Management
- Inventory All PII and IP
- Assesses fraud risk
- Identifies and analyzes significant change

52 Application of Internal Control Principles
- Clear Written Message to All Employees on Risk Management
- Inventory All PII and IP
- Assesses Data/Cyber and Fraud Risk of PII and IP
- Identifies and analyzes significant change

53 Application of Internal Control Principles
- Clear Written Message to All Employees on Risk Management
- Inventory All PII and IP
- Assesses Data/Cyber and Fraud Risk of PII and IP
- Periodic (Annual) Review of How PII and IP Are Handled

54 Application of Internal Control Principles
Control Activities:
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

55 Application of Internal Control Principles
- Processing of PII and IP Is Never Left Unprotected
- Selects and develops general controls over technology
- Deploys through policies and procedures

56 Application of Internal Control Principles
- Processing of PII and IP Is Never Left Unprotected
- Strong Unique Passwords, Private Screens, Auto-Lock Screens
- Deploys through policies and procedures

57 Application of Internal Control Principles
- Processing of PII and IP Is Never Left Unprotected
- Strong Unique Passwords, Private Screens, Auto-Lock Screens
- Written Policies and Procedures with Comprehension Testing

58 Application of Internal Control Principles
Information and Communication:
- Uses relevant information
- Communicates internally
- Communicates externally
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

59 Application of Internal Control Principles
- Purge Unnecessary PII and IP – Retention Policy for Data
- Communicates internally
- Communicates externally

60 Application of Internal Control Principles
- Purge Unnecessary PII and IP – Retention Policy for Data
- Limited Access to PII and IP – “Need to Know” Policy
- Communicates externally

61 Application of Internal Control Principles
- Purge Unnecessary PII and IP – Retention Policy for Data
- Limited Access to PII and IP – “Need to Know” Policy
- PII and IP Shared/Sent Electronically Only as Encrypted Files
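The inventory and retention controls above need a way to find PII in the first place. As an added example that is not part of the presenter's material, the Python script below builds a PII inventory over constructed sample records, counts SSN-like and payment-card-like values (using the Luhn check so that arbitrary 16-digit strings are not counted), and flags records whose last business use is older than a constructed 400-day retention window for purge review.

```python
import re
from datetime import date

# U.S. SSN AAA-GG-SSSS: area 000, 666 and 9xx are never issued;
# group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes (card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample records; the valid card number is a common test number.
SAMPLE_RECORDS = [
    {"id": "hr-042", "owner": "HR", "last_used": date(2017, 3, 1),
     "body": "Applicant SSN 123-45-6789, interview notes attached"},
    {"id": "ar-117", "owner": "Accounting", "last_used": date(2019, 4, 30),
     "body": "Card on file 4111 1111 1111 1111 exp 12/21"},
    {"id": "ops-009", "owner": "Operations", "last_used": date(2019, 5, 1),
     "body": "Shipping schedule for Q2, no customer data"},
    {"id": "ar-200", "owner": "Accounting", "last_used": date(2019, 5, 2),
     "body": "Rejected: card 1234 5678 9012 3456, SSN 000-12-3456"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, as used by payment card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count SSN-looking values and Luhn-valid card-looking values in text."""
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}


def inventory(records, today: date, retention_days: int) -> list:
    """One inventory row per record that holds PII.

    purge_candidate is set when the record's last business use is older
    than the retention window, so it goes to the retention-policy review.
    """
    rows = []
    for rec in records:
        hits = find_pii(rec["body"])
        if not (hits["ssn"] or hits["card"]):
            continue  # no PII found: nothing to inventory
        age = (today - rec["last_used"]).days
        rows.append({"id": rec["id"], "owner": rec["owner"], **hits,
                     "age_days": age, "purge_candidate": age > retention_days})
    return rows


def sample_inventory() -> list:
    """Run the inventory over the constructed records with a 400-day policy."""
    return inventory(SAMPLE_RECORDS, date(2019, 5, 16), 400)


if __name__ == "__main__":
    for row in sample_inventory():
        print(row)
```

Pattern matching of this kind produces false positives on real data, so the inventory is a starting point for the process owners to confirm, not a final answer.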

62 Application of Internal Control Principles
Monitoring:
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies
* Source: June Strategic Finance, by J. Stephen McNally, CPA of Campbell Soup

63 Application of Internal Control Principles
- Process Improvements Rewarded (Financially, Recognition, etc.)
- Evaluates and communicates deficiencies

64 Application of Internal Control Principles
- Process Improvements Rewarded (Financially, Recognition, etc.)
- Clear Method(s) Identified for Reporting New or Overlooked Risks; Identified Risks Rewarded Through Review Recognition and/or Financial Bonus

65 Take this 20 Question Assessment to Score Your Risk Level*
* This assessment score card is available for today’s attendees.

66 Robert Listerman, CPA 610-444-5295 rlisterman@btr-security.com

