Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking.

Published byDinah Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking."— Presentation transcript:

1 Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking Conference

2 Who is KirkpatrickPrice? KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 400 clients in 46 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance by performing assessments, audits, and tests that strengthen information security, and compliance controls.

3 Welcome Joseph Kirkpatrick is a Risk Management Specialist in Compliance and Information Security helping organizations anticipate and prepare against threats. – Certified Information Systems Security Professional (CISSP) – Certified Information Systems Auditor (CISA) – Certified in Risk and Information Systems Control (CRISC) – Certified in the Governance of Enterprise IT (CGEIT) – PCI Qualified Security Assessor (QSA)

4 Understanding Risks Posed By Vendors Data Breaches through vendor relationships – Goodwill’s Point of Sale vendor had malware – Home Depot’s vendor’s credentials stolen – Target’s vendor opened a virus-laden email An examination of 57 broker-dealers and 49 registered investment advisers revealed that most had experienced cyber-attacks directly or through their vendors (Securities and Exchange Commission—February 2015)

5 Understanding Risks Posed By Vendors Vendors bring unique compliance responsibilities – AT&T fined $25 million for call center vendors’ privacy practices – The HITECH Omnibus Rule extends responsibility to Business Associates

6 Understanding Risks Posed By Vendors Vendors bring unique cybersecurity risk when given remote access – “BUT, it’s a secure VPN” – You are at the mercy of their network security controls once privilege is given

7 Quantifying Vendor Risk In the past: – Vendor compliance managed contractually – Compliance risk/responsibility was transferred – Compliance activity kept at arms length

8 Quantifying Vendor Risk Now: – Full chain of custody – Oversee business relationships with service providers – Ensure compliance with the law – Institute an Effective Process

9 Quantifying Vendor Risk Policies and Procedures List of Third Parties to include activities performed Contracts with Third Parties Evidence of due diligence

10 Quantifying Vendor Risk WHAT do they do for you? WHO are they? HOW do they do it?

11 Quantifying Vendor Risk

12 Vendor Risk Management Risk assessment Develop/enhance policies & procedures Continuous Monitoring Remediation

13 Recommended Security Policy Do you address 4th party risks (your vendors’ vendors)? Do your policies define the permissible uses and disclosures of sensitive data? Do your agreements require vendors to provide evidence of "appropriate safeguards?" How should they determine what's appropriate? Do you have a defined Incident Response Procedure? Do you require the vendors to agree to provide you with all necessary documentation in case of an audit? Does your agreement have teeth? Termination if a violation?

14 Recommended Security Policy 30 percent of 40 banking organizations did not require outside vendors to notify them of breaches (New York Department of Financial Services—April 2015)

15 Let's consider some example Vendors Law firm Cleaning service Contracted on-site vendor Co-location facility Cloud service provider

16 Recommended Security Measures for Internal Audit Consideration Vendor Policies & Procedures: – Regulatory compliance – Compliance training – Consumer complaints – Information Security

17 Recommended Security Measures for Internal Audit Consideration Types of Evidence – Training logs – Third Party Security Reports – Performance Reports – Audited financials

18 Recommended Security Measures for Internal Audit Consideration Types of Evidence – If VPN connectivity is enabled, what additional controls are considered? Access Control Lists Penetration Testing Network Monitoring Security Event Logs Jump Boxes

19 Onboarding and Offboarding Control Objectives Onboarding – Security Policy – Data Types – Access Requirements – Personnel – User Accounts and Types – Required Security Controls – Training

20 Onboarding and Offboarding Control Objectives Offboarding – Removal of user accounts – Analysis of type of data accessed – Analysis of access/event logs – Confirmation of return of data

21 Example Audit Programs Collect Evidence Related to: – Due Diligence in Vendor Selection Financials Qualifications/Experience Reputation/Litigation 4 th Parties Scope of Internal Controls Business Continuity IT Management Insurance

22 Example Audit Programs Collect Evidence Related to: – Contractual Issues Scope of Services Costs/Fees Reputation Service Level Agreements Management Reports Right to Audit Confidentiality and Security Business Continuity Default and Termination Dispute Resolution Indemnification

23 Example Audit Programs Collect Evidence (Based on Risk) Related to: – Control Environment Management Control Risk Assessment Information Security Program Human Resources IT Management Network Security BCP/Disaster Recovery Physical Security Access Controls Vulnerability Management Regulatory Compliance

24 Thank you for attending! Q & A For further information contact: Joseph Kirkpatrick joseph@kirkpatrickprice.com 800.977.3154 Ext. 101

Download ppt "Internal Audit Considerations for Cybersecurity Risks Posed by Vendors October 27-28 th, 2015 Chicago IIA Chapter’s 2 nd Annual IIA Chicago IT Hacking."

Similar presentations

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
200 International Dr., Buffalo, NY 14221-5794 (716) 634-8800 Lifting the Fog to See the Cloud Information Security.

200 International Dr., Buffalo, NY (716) Lifting the Fog to See the Cloud Information Security.
Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.

Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is.

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
Security Controls – What Works

Security Controls – What Works
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.

Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.

Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.
Vendor Risk: Effective Management is Essential

Vendor Risk: Effective Management is Essential
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Information Security Training for Management Complying with the HIPAA Security Law.

Information Security Training for Management Complying with the HIPAA Security Law.
Presenting The Broker-Dealer Certification Tool The Compliance Department Inc. Broker Dealer Compliance Consultants Compliance SCORE Powered by Keane BRMS.

Presenting The Broker-Dealer Certification Tool The Compliance Department Inc. Broker Dealer Compliance Consultants Compliance SCORE Powered by Keane BRMS.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Similar presentations

Ads by Google