Presentation is loading. Please wait.

Presentation is loading. Please wait.

Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)

Published byJameson Churn Modified over 9 years ago

Similar presentations

Presentation on theme: "Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)"— Presentation transcript:

1 Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)

2  Committee of Sponsoring Organization(COSO)  Control Objectives for Information and Related Technology (COBIT)  IT Infrastructure Library (ITIL)  ISO 27001  National Security Agency INFOSEC Assessment Methodology  Frameworks and standard trends Frameworks and Standards

3  Initiated in 1985  Internal control and framework formed in 1992  AICPA/AAA/FEI/IIA/IMA  Key Categories:  Effectiveness and efficiency of operations  Reliability of financial reporting  Compliance with applicable laws and regulations  The only framework for IC used by SEC, PCAOB COSO

4  Internal control is a process  Internal control is affected by people  Internal control can only provide “reasonable assurance”  Internal control is geared to the achievement of objectives in one or more separate by overlapping categories Internal Control Key Concepts

5 COSO Cube

6  Control Environment – Tone from the top  Risk Assessment – Identification and Analysis Risks  Control Activities – Policies and procedures  Information and Communication – Enable managers and staff to carry out responsibilities  Monitoring – Assess the quality of the performance  Each components are NOT isolated COSO Cube

7  Internal Environment  Objective Setting  Event Identification  Risk Assessment  Risk Response  Control Activities  Information and Communication  Monitoring ERM

8

9  General Computer Controls  IT Governance and Management  IT Infrastructure  Security Management  HW and SW Acquisition and Development  Services Delivery and Support, etc  Application Controls  SDLC  SOD  Access Control, etc. COSO’s Effect on IT Controls

10  First published in April 1996  Control Objective Domains  Plan and organize  Acquisition and implementation  Delivery and support  Monitor and evaluation COBIT

11  Seven Qualities of Information  Effectiveness  Efficiency  Confidentiality  Integrity  Availability  Compliance  Reliability  Control Objectives and Control Activities COBIT

12  Standards for good practice of IT controls  Technology platform independent  Management and process owner-oriented  A de facto standard for IT governance COBIT

13  Complexity of IT environment  Fragmented or poorly performing IT infrastructure  Enterprise vs. ad hoc solution  IT cost  Reactive vs. proactive IT management  Communication gaps between IT and Business management  IT’s role in business strategies IT Governance

14  Compliance with Laws and Regulations  Scarcity of skilled staff  Application ownership  Competing IT resources/priorities among business units  Flexibility and nimbleness  Risk exposure  External environment change IT Governance

15  Developed by the U.K government in mid 80s Provides best practices describing how to plan, design and implement effective service management capabilities Ref. to Week 1 class information slides for more details about ITIL ITIL

16  International Organization for Standards (ISO)  ISO 27001, 17799, BS 7799 – Information Security Practice  1333 security controls in 11 areas  Security policy  Information security organization  Asset management  Human resource security  Physical and environment security  Communication and operations management  Access control  Information system acquisition, development and maintenance  Security incident management  BCP  Compliance ISO 27001

17  The Sarbanes-Oxley Act of 2002  The Gramm-Leach-Bliley Act  State level privacy regulations, e.g. California SB 1386  The Health Insurance Portability and Accountability Act of 1996  EU Commission and Basel II  Payment Card Industry Data Security Standard Regulations

18  Regulatory Impact on IT Audit  IIA and ISACA Guidelines for establishing IT control and audit processes Regulations

19  Response from the corporate scandals:  Enron/Arthur Anderson  Tyco, Adephia, Worldcom, HealthSouth…  Focus on Internal Control Over Financial Reporting  Impact on Public Corporations  Executives to attest to the adequacy and effectiveness of ICOFR  Controls must be audited externally  CEOs & CFOs are held accountable for (reports generated by systems and applications) SOX

20  Section 101  Establishing of PCAOB as the governance agency to regulate accounting firms such as Big 4  Section 302  CEOs & CFOs are responsible for all internal controls  Section 404  Attestation that IA are in place, documented and effective  Section 409  Disclosure for significant changes SOX

21  IT specific controls required for SOX compliance  Access control  Authentication and authorization  Physical and Logical access  Re-certification, etc.  Change control  Request/review/approval  Back-out plan/schedule  Data management  Data transfer  Database structure  Data element consistency  Physical control of data  Data backup  IT operations  Network operations  Asset management SOX

22  Financial Institutions  How FIs’ customer information may be shared  Customer privacy provisions  Opt-out requirement  Section 501B  Ensuring the confidentiality of customer information  Protecting against anticipate threats to customer records  Protecting against unauthorized access to customer information that could result in substantial impact to the customer GLBA

23  Interagency Guidance  Office of Currency Comptroller (OCC)  Federal Reserve (FRB)  Federal Deposit Insurance Corporation (FDIC)  Control Requirements GLBA

24  Written Information Security Program  Risk Assessment and Management  Access Control for Customer Information Systems  Physical Access Control for areas containing customer information  Encryption (data at rest, data in transition, data in use)  Change control  Dual control/SOD/employee back ground check  Security Monitoring  Incident response and notification  Disposal customer information GLBA

25  California SB 1386 – the most visible state laws dealing with breaches of security that cause private information to be breached: disclosure  EU Directive on the Protection of Personal Data  Canada PIPEDA Other Privacy Regulations

26  Passed in 1996 by Congress  IT relevant – prescribe a standard methodology for security; standardize the format for health-related information  HIPAA Privacy and Security Rules  HIPAA Privacy Rules  HIPAA Security Rules HIPAA

27  HIPAA Privacy Rules  Administration controls designed to protect patient information  Effective April 2003  HIPAA Security Rules  Technical controls: network perimeter protection, encryption, and workstation security  Ref. to page 432, Table 17-1 HIPAA Rule Requirements HIPAA

28  Payment Card Industry Data Security Standard  Not a law  Mandatory compliance for participants in the card payment-processing industry  Not only adopt, but also validate the compliance of the standard PCI Data Security Standard

29  Level 1/High Risk Merchant  Quarterly internal and external scan  Independent validation of compliance by a QSA  ROC  Others  Self-evaluation (SAQ)  Common Adopted data security standards and practices  Not a panacea – Recent Target Data Breach PCI Data Security Standard

Download ppt "Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
IT Security Policy Framework

IT Security Policy Framework
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Comparative Analysis of IT Control Frameworks in the Context of SOX By: Malik Datardina, CA, CISA University of Waterloo.

Comparative Analysis of IT Control Frameworks in the Context of SOX By: Malik Datardina, CA, CISA University of Waterloo.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
The Regulation Zoo: Dealing With Compliance Within The Firewall World

The Regulation Zoo: Dealing With Compliance Within The Firewall World
1 Sarbanes-Oxley Section 404 June 29, 2005. 2  SOX 404 Background 3  SOX 404 Goals 4  SOX 404 Requirements 5  SOX 404 Assertions 6  SOX 404 Compliance.

1 Sarbanes-Oxley Section 404 June 29,  SOX 404 Background 3  SOX 404 Goals 4  SOX 404 Requirements 5  SOX 404 Assertions 6  SOX 404 Compliance.
REGULATIONS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.

REGULATIONS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Similar presentations

Ads by Google