Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity: Audit Considerations

Published byAngela Morgan Modified over 5 years ago

Similar presentations

Presentation on theme: "Cybersecurity: Audit Considerations"— Presentation transcript:

1 Cybersecurity: Audit Considerations
Virginia Local Government Auditors Association May 3, 2019

2 Introductions Anthony DiGiulian, CISA
Principal 14 years of experience Specializing in Information Technology (IT) internal audits, consulting services, risk assessments, control reviews, systems implementations, business process analyses, third party SOC reports, and compliance audits for government and commercial organizations Samuel Fitzgerald, ITIL, CISA, CISM Manager 11 years of experience Specializing in IT risk assessments, IT internal controls reviews, IT infrastructure reviews, system implementation reviews, disaster recovery and business continuity reviews, and IT security reviews for government and commercial organizations

3 Today’s Objectives 01. 02. 03. 04. 05. Cybersecurity’s Affect on Business Linkage to Business Process Emerging Cybersecurity Threats Training Goals Importance of Cybersecurity

4 Background What is Cybersecurity? “Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” -Merriam Webster “Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.” -NIST Cybersecurity Framework Version 1.1

5 Why Does a Cybersecurity Attack Occur?
Cybersecurity affect on business Why Does a Cybersecurity Attack Occur? Traditional cyber attacks Data theft Extortion Vandalism Denial of Service (DoS) Cyber attackers are launching sophisticated agendas Espionage Disinformation Market manipulation Disruption of infrastructure “Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds by 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.”

6 Cybersecurity affect on business
Who Does it Affect? Big Businesses Facebook (April 2019) World’s biggest social network 540 million user records were in plain sight Two 3rd party companies improperly storing data Schools San Diego Unified School District (January to October 2018) Data breach that exposed 500,000 students and staff personally identifiable information (PII) Affects students as far back as school year Unauthorized access through phishing s The 5 most cyber-attacked industries  over the past 5 years are: Healthcare Manufacturing Financial Services Government Transportation

7 Cybersecurity affect on business
Who Does it Affect? Government Entities Federal Emergency Management Agency (March 2019) 2.5 million disaster victims had PII unprotected that was shared with contractor Oregon Department of Human Services (March 2019) 9 employees clicked on phishing s exposing information to 1.6 million clients Oklahoma Department of Securities (January 2019) Millions of government files left unprotected on an open storage server ALMOST EVERY INDUSTRY

8 No Longer Just a Technology Issue
Cybersecurity affect on business No Longer Just a Technology Issue Attention from Senior Leadership Cost High profile data breaches Reputational impact Job loss Business leaders forced to think about cyber risk Cyber attacks included in Business Continuity Plan Thwarting cyber attacks training given to non-IT employees Operational risk and cyber risk are being aligned Realization that cybersecurity expands beyond IT Cybersecurity practices should be embedded across all departments

9 Linkage to business process
Six Key Dimensions of Organizational Cyber Maturity Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance

10 Linkage to business process
Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Leadership and Governance Tone at the top Demonstrating due diligence Taking ownership Effectively managing known risk Organizational policies and procedures Human Factors Cybersecurity culture Training and knowledge First line of defense

11 Linkage to business process
Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Information Risk Management Critical information security Supply partners Business Continuity Cybersecurity events are included in Business Continuity Plan Minimizing or preventing impact of a successful cyber attack

12 Linkage to business process
Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Operations and Technology Appropriate control measures Addresses identified risk Minimizes impact of compromise Legal and Compliance Regulatory standards International certification standards

13 Linkage to business process
Leadership and governance Human factors Information risk management Business continuity Operations and technology Legal and Compliance Addressing Each Key Dimension Minimizes risk of a successful cyber attack Limits impact of successful cyber attack Enables employees to know his/her responsibility when incident occurs Reduces negative impact on reputation

14 Key Questions for Business
Linkage to business process Key Questions for Business How big is the risk and who is at risk? Organizational attractiveness to criminals Dependencies on service partners Processes and/or systems that represent greatest cybersecurity asset Acceptable level of risk for specific processes and/or systems Partners are in agreement on risk appetite and cybersecurity measures

15 Key Questions for Business
Linkage to business process Key Questions for Business How do culture and governance enable effective risk management? Culture contributes or hampers good cybersecurity Board/ senior leadership communicates importance of cybersecurity Ready to act in the event of a cybersecurity crisis Communication plan and who should do it Stakeholder assurance on cybersecurity policy can be provided

16 Key Questions for Business
Linkage to business process Key Questions for Business How large should your cybersecurity budget be? Ranges vary depending on risk profile, 3% to 5% of total IT budget Cybersecurity budget should address: Solving past problems Structural investments in improved security systems Systems and tool investments Awareness and culture change

17 NIST Cybersecurity Framework
Identify, assess, and manage cyber risk NIST Cybersecurity Framework

18 Emerging cybersecurity threats
Internet of Things (IoT) System of computing devices and objects with unique identifiers and the ability to transfer data over networks w/o human interaction Smart refrigerators Webcams SmartTVs Thermostats Issue: Prioritizing convenience over security Risk: Unmanaged/ unsecured devices allowing unauthorized access Spying through cameras or listening devices Gateway to a secured network Distributed denial of service attack (DDoS)

19 Image courtesy of Beecham Research

20 Emerging cybersecurity threats
Artificial Intelligence (AI) Systems Machines that can learn algorithms and techniques, that mimics cognitive functions associated with humans No sleep Processes data faster than humans Issue: The intent of use Risk: AI can infiltrate an IT infrastructure but then stay on for an extended period of time, undetected, launching powerful effective and efficient attacks in: Identity theft Denial-of-service (DoS) Password cracking

21 Emerging cybersecurity threats
Artificial Intelligence (AI) Systems Current Attacks: Automation of attacks limited Humans must target and trigger the attacks Virus programs can self-replicate w/o human interaction Future Attacks: Sophisticated spear phishing AI can gather, organize, and process database information Less time in database, may not be noticed by security Timely attacking Pulling information from several sources to identify best time to attack Bank account attacks are launched when person is in hospital Improved adaptation Adapts quicker when met with resistance or weakness if fixed

22 PREVENT PROTECT PROGRESS
Emerging cybersecurity threats Call to Action PREVENT PROTECT PROGRESS

23 Contact information Anthony DiGiulian, CISA Principal  Samuel Fitzgerald, ITIL, CISA, CISM  Manager

Download ppt "Cybersecurity: Audit Considerations"

Similar presentations

David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Session 3 – Information Security Policies

Session 3 – Information Security Policies
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.

Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.

Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.

A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.
IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.

IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Friday, October 23, 2015. Jacqueline Harris, CPM®, CCIM® Director of Training & Administration Digital Realty Jacqueline Harris, CPM®, CCIM® Director.

Friday, October 23, Jacqueline Harris, CPM®, CCIM® Director of Training & Administration Digital Realty Jacqueline Harris, CPM®, CCIM® Director.
Cybersecurity Risk, Remediation, Response Nathan Gibson, CCE, CEH.

Cybersecurity Risk, Remediation, Response Nathan Gibson, CCE, CEH.
Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.

Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.
FFIEC Cybersecurity Assessment Tool Maine Credit Union League September 23, 2015 Patrick Truett, Information Systems Officer National Credit Union Administration.

FFIEC Cybersecurity Assessment Tool Maine Credit Union League September 23, 2015 Patrick Truett, Information Systems Officer National Credit Union Administration.
WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore.

WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore.
Trinity Industries, Inc. FEI Presentation May 31, 2012.

Trinity Industries, Inc. FEI Presentation May 31, 2012.
Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.

Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.
Cyber Insurance Risk Transfer Alternatives Heather Soronen - Operations Director Rocky Mountain Insurance Information Association.

Cyber Insurance Risk Transfer Alternatives Heather Soronen - Operations Director Rocky Mountain Insurance Information Association.
Business Continuity and Disaster Recovery

Business Continuity and Disaster Recovery
Security and resilience for Smart Hospitals Key findings

Security and resilience for Smart Hospitals Key findings
Defining your requirements for a successful security (and compliance

Defining your requirements for a successful security (and compliance

Similar presentations

Ads by Google