
Current Trends in Information Technology: Which way for Modern IT Auditors?

Joseph Akoki, ACA, MCP, CISA, AMIMC

Information Security & Risk Insights Africa, Accra 2014

Quotes

"Technology is like a fish. The longer it stays on the shelf the less desirable it becomes." Andrew Heller

"What I did in my youth is a hundred times easier today; technology breeds crime." Frank Abagnale

"There will come a time when it isn't 'they are spying on me through my phone' anymore. Eventually it will be 'my phone is spying on me'." Philip K. Dick

Reality!!!

"Technology changes twice every year; the only way not to be left behind is to respond to changes. If not, you will be twice behind." Anonymous

"We are getting closer and closer to the year when cars will run on water." Bank PHB Nigeria

With a 13% increase in identity fraud between 2010 and 2011, a study conducted by Javelin Strategy & Research showed that consumers may be putting themselves at a higher risk for identity theft as a result of their increasingly intimate social media behaviors.

Point to note

Audit failure is most often caused not by receiving brown envelopes but by failing to adhere to the audit quality control process.


KNOWING YOUR ENVIRONMENTS

"So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself." Quotation from The Art of War by Sun Tzu

IS CONTROL IS CORPORATE CONTROL.......

KNOWING YOUR ENVIRONMENTS

Yourself (auditor): Tools; Competency (human resources); Methodology; Time & deadlines. Danger: audit failure.

Enemies (auditee): Law & regulation; Business process of the auditee; Risk assessment by management; Changing technology. Danger: audit failure.

Outcome when both are known: Quality Audit.

NB: Audit failure is where the audit has failed to fulfil its objective of providing reliable evidence upon which the audit opinion could be based.

Trend Drivers

- Customers
- Regulators
- Competitors
- Cost/Revenue

Training Objectives:

1. Identify the technologies that will have the greatest impact on banking business and audit functions.
2. Explain why understanding trends and new technologies can help an organization prepare for the future.
3. Explore the risk inherent in these emerging technologies and how audit planning can respond adequately.

Introduction

Obtaining a broad view of emerging trends and new technologies as they relate to business can help an organization anticipate and prepare for the future.

Organizations that can most effectively grasp the deep currents of technological evolution can use their knowledge to protect themselves against sudden and fatal technological obsolescence.

Trend Drivers example: Customers (quote from The McKinsey Quarterly)

The emerging affluent segment (young, educated, and consumption-oriented urban professionals) could account for up to a third of all retail-banking revenues in the coming three to five years. They are tech savvy, preferring online banking and smartphone applications; reluctant users of branches (bricks and mortar); and price conscious and service oriented.

(February 2012, Miklós Dietz, Ádám Homonnay, and Irene Shvakman)

News: Headline

- IBM Develops NFC Authentication Technology
- Gartner: Majority of Banks Will Turn to Cloud for Processing Transactions By 2016.
- Barclays Puts the Safety Deposit Box in the Cloud. Barclays online banking customers will now be able to scan and upload important documents to a cloud-based document storage system.
- What Banks Should Know About Disaster Recovery in the Cloud. The cloud offers faster recovery from disasters, but banks need to be on the same page with their providers on issues like data ownership and interoperability.

The need to know the trend:

The jagged economic landscape, complicated by advancing technologies such as cloud, social media and mobile devices, can challenge the ability of an IT auditor to provide comfort to executives already overwhelmed with rapidly expanding opportunities and pressures caused by shrinking margins.

Pace of technological innovation is increasing

- Medical knowledge is doubling every eight years
- 50% of what students learn in their freshman year of college is obsolete, revised, or taken for granted by their senior year
- All of today's technical knowledge will represent only 1 percent of the knowledge that will be available in 2050

Potential business impact:

- Shortened time-to-market for products and services
- Tighter competition based on new technologies
- Tighter monitoring requirements

The Digital Disruption

The digital revolution is disrupting every industry, creating new possibilities and changing the ways business is done. The only way to compete is to evolve!!!

The five post-digital forces affecting business: cloud, mobile, social, analytics and cyber.

News: Headline
IBM Develops NFC Authentication Technology

IBM announced it has developed a new mobile payments authentication security technology based on near-field communication (NFC) technology.

According to IBM, a user engaging in a mobile transaction would hold a contactless smartcard next to the NFC reader of the mobile device and, after keying in their PIN, a one-time code would be generated by the card and sent to the server by the mobile device. The technology is based on end-to-end encryption between the smartcard and the server using the National Institute of Standards & Technology (NIST) AES (Advanced Encryption Standard) scheme.

Current technologies on the market require users to carry an additional device, such as a random password generator, IBM stated.


Continuity Across Devices

With more users working across multiple devices, we see a move to provide the missing link in today's computing experience: the ability to pick up the session on a different device in exactly the same place you left off.

Innovation will occur behind the scenes, to provide a continuous experience for users across call logs, text messages, notes and
All Encompassing Smartphones

Nowadays, consumers are increasingly relying on their smartphones for just about everything. From researching purchasing decisions to mobile commerce, expect to see more brands start to innovate and cater to the needs of mobile audiences, both customers and staff, to allow for more seamless use and integration of

IPv6: Major surgery for the Internet

IPv6 is the new Internet protocol replacing IPv4. Protecting IPv6 is not just a question of porting IPv4 capabilities. There are fundamental changes to the protocol which need

IPv6: Major surgery for the Internet contd

The Difference Between IPv6 and IPv4 IP Addresses

An IP address is a binary number but can be stored as text for human readers. For example, a 32-bit numeric address (IPv4) is written in decimal as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

IPv6 addresses are 128-bit IP addresses written in hexadecimal and separated by colons. An example IPv6 address could be written like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf

Others are:

- T+3 becoming T
- Instant transfers
- ATMs accepting cash and cheques
- Cheques scanned with mobile phones
- Wearable technologies
- Virtualisation of all kinds: virtual customers, staff and projects
- Etc.

Cloud Computing


Contending With Cloud Services

Small, medium and large enterprises are beginning to adopt cloud services, PaaS and SaaS, at a greater rate. This trend presents a big challenge for network security, as traffic can go around traditional points of inspection. Additionally, as the number of applications available in the cloud grows, policy controls for Web applications and cloud services will also need to evolve.

But as the cloud evolves, so too must network security.

What is cloud computing?

Cloud Computing is not:
- Any specific technology, such as VMware or SalesForce
- Virtualization
- Outsourcing
- Grid computing
- Web hosting

Cloud Computing is:
- An IT delivery approach that binds together technology infrastructure, applications, and internet connectivity as a defined, managed service that can be sourced in a flexible way
- Cloud computing models typically leverage scalable and dynamic resources through one or more service and deployment models
- The goal of cloud computing is to provide easy access to, and elasticity of, IT services.

Key Areas to Focus on during Audit

Identity and Access Management:
Verify that only approved personnel are granted access to services based on their roles, and that access is removed in a timely manner upon the personnel's termination of employment and/or a change in their roles that no longer requires the said access.

Physical Security

Hosting & Data Logical Security
- Segregation of tiers; hosting encryption methods
- Accessibility from the open Internet; over-permissive rules that open a wide range of ports

Authentication & Authorization
- Length / strength of passwords; systems to enforce / control password security / reset rules
- Use of hardware / software tokens; management of key fobs
- Only authorized users are granted access rights after proper approval
- Access for transferred employees is modified in a timely manner
- Unauthorized access to cloud computing resources is removed promptly
- Periodic review of super-user and regular access to cloud applications

Connection & Data Transmission
- Secure connectivity such as VPN (IPsec), SSL, HTTPS wherever sensitive data is being transmitted by regular users or administrators
Key Areas to Focus on during Audit

Auditing Cloud Computing in Five Relevant Areas: Audit Objective(s)

Technology Risks:
- Unique risks related to the use of a virtual operating system with co-tenants.
- Is your primary service provider utilizing another sub-service provider? For example, there are several cases where a SaaS provider is utilizing an IaaS provider. Do you know whether your primary service provider is protecting you adequately from the risks inherent in utilizing an IaaS provider?
- Hypervisor technology utilized and whether it is patched
- Process for monitoring and patching known vulnerabilities in hypervisor technology
- Segregation of duties (SoD) considerations, both from a technology and a business perspective. From a technology SoD perspective: does one person have access to the host and guest operating systems as well as the guest database? From a business perspective, for financially significant applications, the fact that an application is in the cloud does not diminish the importance of segregating access within the application.
- Logging of access to the applications and data, where relevant
- Protection of access logs from inadvertent deletion or unauthorized access

Common Observations When Auditing Cloud Computing

- Password settings for cloud resources (applications, virtual servers etc.) do not comply with the user organization's password policies. Sometimes the cloud vendor's resources do not support the user organization's policy requirements, but often the cloud administrators at the user organization are simply not aware.
- Port settings on cloud server instances not appropriately configured (an administrator added exceptions to administer the cloud from their home computer and mobile device)
- Lack of policy and procedures for appropriate handling of security and privacy incidents
- Terminated users found to be active on applications in the cloud (even though the individual's network access was terminated) and there was no IP range restriction
- Employees transferred out of a certain department still had access to cloud resources even though they transferred to another department a few months ago
- Service provider's SOC report was not reviewed for impact on the user organization
- Sensitive data (PII) in the cloud was found not to be encrypted. Sometimes the user organization is not aware that sensitive data resides in the cloud. Most commonly, when the cloud is used for test environments, sensitive data is not scrambled/de-identified before being sent to the cloud. It might even be your third-party development vendor doing that.
- Use of shared accounts to administer the cloud
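Several of the observations above (password settings weaker than the organization's policy, admin ports opened to the whole Internet, terminated or transferred users still enabled, shared administrative accounts) can be tested mechanically from exports of the tenant's configuration. The Python below is an added example, not from the presentation; the policy keys, account records, HR statuses and firewall rules are constructed sample data with hypothetical names.

```python
"""Audit checks for common cloud findings, run over constructed sample data."""
from ipaddress import ip_network

# Constructed: the user organisation's password policy vs. what the cloud tenant enforces.
ORG_PASSWORD_POLICY = {"min_length": 12, "max_age_days": 90, "history": 5, "lockout_threshold": 5}
CLOUD_PASSWORD_POLICY = {"min_length": 8, "max_age_days": 0, "history": 5, "lockout_threshold": 10}

# Constructed HR status and cloud account list (names are hypothetical).
HR_RECORDS = {
    "alice": {"status": "active", "dept": "finance"},
    "bob": {"status": "terminated", "dept": "it"},
    "carol": {"status": "active", "dept": "marketing"},  # transferred out of finance
}
CLOUD_USERS = [
    {"user": "alice", "enabled": True, "dept_at_grant": "finance", "role": "app-user"},
    {"user": "bob", "enabled": True, "dept_at_grant": "it", "role": "admin"},
    {"user": "carol", "enabled": True, "dept_at_grant": "finance", "role": "app-user"},
    {"user": "cloudadmin", "enabled": True, "dept_at_grant": "it", "role": "admin"},  # shared account
]

# Constructed inbound firewall rules for a cloud server instance (source CIDR, port range).
FIREWALL_RULES = [
    {"name": "https", "source": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"name": "admin-from-home", "source": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"name": "wide-open", "source": "0.0.0.0/0", "from_port": 1024, "to_port": 65535},
    {"name": "office-rdp", "source": "198.51.100.0/24", "from_port": 3389, "to_port": 3389},
]
ADMIN_PORTS = {22, 3389}  # SSH and RDP: remote administration ports


def password_policy_gaps(cloud, org):
    """Return (setting, required, actual) for every setting where the tenant is weaker.
    max_age_days == 0 means 'never expires', which is weaker than any finite age."""
    gaps = []
    for key, required in org.items():
        actual = cloud.get(key)
        if key == "max_age_days":
            weaker = actual is None or actual == 0 or actual > required
        elif key == "lockout_threshold":
            weaker = actual is None or actual > required  # more attempts allowed = weaker
        else:
            weaker = actual is None or actual < required
        if weaker:
            gaps.append((key, required, actual))
    return gaps


def stale_cloud_users(cloud_users, hr):
    """Flag enabled accounts whose owner is terminated, has changed department since
    access was granted, or has no individual HR owner at all (a shared account)."""
    findings = {}
    for acct in cloud_users:
        if not acct["enabled"]:
            continue
        rec = hr.get(acct["user"])
        if rec is None:
            findings[acct["user"]] = "no individual owner (shared account?)"
        elif rec["status"] == "terminated":
            findings[acct["user"]] = "terminated but still enabled"
        elif rec["dept"] != acct["dept_at_grant"]:
            findings[acct["user"]] = "transferred; access not re-approved"
    return findings


def over_permissive_rules(rules, admin_ports=ADMIN_PORTS):
    """Flag rules open to the whole Internet that expose an admin port or a port range."""
    findings = []
    for r in rules:
        open_to_world = ip_network(r["source"]).prefixlen == 0
        span = r["to_port"] - r["from_port"] + 1
        exposes_admin = any(r["from_port"] <= p <= r["to_port"] for p in admin_ports)
        if open_to_world and (span > 1 or exposes_admin):
            findings.append(r["name"])
    return findings
```

Each function returns the finding list an auditor would carry into the working papers; the firewall check deliberately leaves the single HTTPS port alone and flags only world-reachable admin ports and broad ranges.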

Good Practices in Cloud Computing

- Sensitive data is encrypted before being sent to the cloud
- Making sure that multiple people receive notifications from the cloud service provider and that the list of individuals/email ids is periodically reviewed and updated. This is simple to implement and very beneficial.
- Several cloud service providers offer the option of IP range restriction. That can be a great tool for utilizing cloud-based services while keeping the security comfort of in-house IT.
- Use of a secure connection when connecting to the cloud, any time sensitive data is exchanged
- Access to cloud computing resources is integrated with the user organization's identity and access management process instead of being handled one-off
- Use of multi-factor authentication (MFA) such as hardware/software tokens or mobile authentication (particularly if the mobile phone is a company resource) for administration of cloud resources. This can also protect in case the user organization's employees are subject to a phishing attack.
- Review a proper independent review report/certification: sometimes a SOC report is not sufficient

Contd

Top Risk Areas

Privileged user access: Who at the cloud provider will have access to your data? What controls does the provider have over these people's access? How does the provider hire and fire?

Regulatory Compliance: How will using the cloud affect your ability to comply with regulatory requirements (e.g. SOX, GLBA, HIPAA, PCI)? Has the provider undergone any kind of third-party audit or certification?

Data Location and Ownership: Where will the data be stored? Will it be replicated out of the country? Can the customer restrict where the data is stored? Who owns the data once it is in the cloud?

Data Segregation: How does the provider ensure that its other customers cannot see my data? What type of encryption is in place? How are the keys managed?

Recovery: What happens to my data in the event of a disaster? Is it backed up or replicated somewhere? How can I access my backups? How long does it take to restore my data?

Forensic Support: If any kind of legal investigation is required because of illegal activity, can the provider support the customer?

Long Term Viability: What is the provider's financial posture? Will they be around in the next 5-15 years? If they fail, how does the customer get his data back?

Third Party Relationships: What third-party relationships does your cloud provider have in place?

Due Diligence: Have you performed extensive due diligence on your cloud provider?

Contd

Cloud provider's key Risk and Performance Indicators: Understand the cloud provider's key risks and performance indicators and how these can be monitored and measured from a customer's perspective.

Auditing Mobile Computing


10 Steps for Auditing Mobile Computing: Security Test

1. Ensure that mobile device management software is running the latest approved software and patches.
2. Verify that mobile clients have protective features enabled if they are required by your mobile device security policy.
3. Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device.
4. Evaluate the use of security monitoring software and processes.
5. Verify that unmanaged devices are not used on the network. Evaluate controls over unmanaged devices.
6. Evaluate procedures in place for tracking end user trouble tickets.
7. Ensure that appropriate security policies are in place for your mobile devices.
8. Evaluate disaster recovery processes in place to restore mobile device access should a disaster happen.
9. Evaluate whether effective change management processes exist.
10. Evaluate controls in place to manage the service life cycle of personally owned and company-owned devices and any associated accounts used for the gateway.

Auditing Mobile Device Mgt

Once installed, an MDM solution can enforce numerous security policies. Auditors should verify these policies are in place:

- Anti-malware and firewall policy. Mandates installation of security software to protect the device's apps, content, and operating system.
- App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
- App-vetting policy. Ensures that only trustworthy whitelisted apps can be installed; blocks blacklisted apps that could contain malicious code.
- Encryption policy. Ensures that the contents of the device's business container are encrypted and secured.

Auditing Mobile Device Mgt contd.

- PIN policy. Sets up PIN complexity rules and expiration periods, as well as preventing reuse of old PINs.
- Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
- Jailbreak policy. Prohibits unauthorized alteration of a device's system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
- Remote wipe policy. Erases the device's business container contents should the device be lost or stolen.
- Revoke access policy. Disconnects the employee's device from the organization's network when the MDM's remote monitoring feature determines that it is no longer in compliance.
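An auditor verifying the policies on the two MDM slides above usually works from an exported device inventory. The Python below is an added example, not from the presentation or any MDM product: it scores a constructed inventory against a hypothetical policy baseline covering each listed policy and selects the devices the revoke-access policy would disconnect; field names, thresholds and device values are all assumptions.

```python
"""Evaluate an MDM device inventory against the policy list above (constructed sample data)."""
from dataclasses import dataclass, field

# Hypothetical policy baseline mirroring the MDM policies on the slides.
MDM_POLICY = {
    "min_os_version": (12, 4),          # app/OS update policy: at or above this version
    "min_pin_length": 6,                # PIN policy
    "max_pin_age_days": 90,
    "max_inactivity_minutes": 5,        # inactive-device lockout policy
    "require_container_encryption": True,
    "require_security_software": True,  # anti-malware and firewall policy
    "allow_jailbroken": False,          # jailbreak policy
    "approved_apps": {"mail", "crm", "vpn"},   # app-vetting whitelist
    "blocked_apps": {"rootkit-installer"},     # app-vetting blacklist (constructed name)
}


@dataclass
class Device:
    device_id: str
    os_version: tuple
    pin_length: int
    pin_age_days: int
    inactivity_minutes: int
    container_encrypted: bool
    security_software: bool
    jailbroken: bool
    installed_apps: set = field(default_factory=set)


def policy_failures(dev, policy=MDM_POLICY):
    """Return the names of the policies a device violates (empty list = compliant)."""
    failed = []
    if dev.os_version < policy["min_os_version"]:
        failed.append("update")
    if policy["require_security_software"] and not dev.security_software:
        failed.append("anti-malware/firewall")
    if dev.pin_length < policy["min_pin_length"] or dev.pin_age_days > policy["max_pin_age_days"]:
        failed.append("pin")
    if dev.inactivity_minutes > policy["max_inactivity_minutes"]:
        failed.append("inactive-lockout")
    if policy["require_container_encryption"] and not dev.container_encrypted:
        failed.append("encryption")
    if dev.jailbroken and not policy["allow_jailbroken"]:
        failed.append("jailbreak")
    if dev.installed_apps - policy["approved_apps"]:  # anything not whitelisted
        failed.append("app-vetting")
    return failed


# Constructed inventory; every value is made up for the example.
INVENTORY = [
    Device("D1", (13, 1), 6, 30, 2, True, True, False, {"mail", "crm"}),
    Device("D2", (11, 0), 4, 120, 15, False, True, False, {"mail"}),
    Device("D3", (13, 1), 6, 10, 5, True, False, True, {"mail", "rootkit-installer"}),
]


def audit_inventory(devices, policy=MDM_POLICY):
    """Map each device id to its list of failed policies."""
    return {d.device_id: policy_failures(d, policy) for d in devices}


def revoke_access(devices, policy=MDM_POLICY):
    """Devices the revoke-access policy should disconnect: jailbroken, unencrypted container,
    or running a blacklisted app."""
    out = set()
    for d in devices:
        if d.jailbroken or not d.container_encrypted or d.installed_apps & policy["blocked_apps"]:
            out.add(d.device_id)
    return out
```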

AUDITING Social Media


ROLE OF INTERNAL AUDITING: Social Media

IT auditors should be mindful of the risks associated with social media, and take steps to validate that the institution has established an effective social media risk management program commensurate with the degree of the institution's use of social media. In auditing social media, internal auditors should consider the following steps:

Program Governance and Oversight

- Evaluate how the institution assigns accountability for social media activities.
- Review social media-related policies and procedures for consistency with stated social media objectives.
- Assess the institution's process to stay informed of actual and proposed social media activities.
- Evaluate procedures to review and approve social media content before publication.
- Determine how social media risks are periodically assessed and documented.

Alignment of Activities with Enterprise Strategy

- Determine if the institution has formally documented an enterprise-wide social media strategy.
- Review the documented social media strategy for specific objectives and defined metrics against which progress is measured, including risk appetite.
- Evaluate the process by which business line social media practices are reviewed for consistency with the institution's enterprise-wide social media strategies.

Compliance with Laws and Regulations

- Discuss with legal and compliance personnel how legal and regulatory requirements are assessed for applicability to social media activities.
- Assess the completeness of the institution's inventory of laws and regulations applicable to social media activities.
- Evaluate how legal and compliance are involved in the use of new social media technologies that may impact compliance with legal and regulatory requirements.

Operational Risk Management

- Determine if technological tools have been used to monitor and restrict social media usage, and consider opportunities to automate new and existing preventative and detective controls.
- Evaluate how the institution provides and rescinds access to social media platforms, including standards for reviewing and approving access as appropriate.
- Discuss with management the types of training provided to employees with access to the institution's social media platforms.
- Determine if third-party social media tools and software solutions are evaluated for operational and compliance impacts in accordance with the institution's documented vendor management program, if applicable.

Reputational Risk Management

- Evaluate whether management distinguishes consumer complaints received through social media platforms from social media incidents.
- Determine if management has identified complaint and incident scenarios that require escalation to legal, compliance, senior management, or other parties.
- Assess how social media exchanges are monitored for integrity and fairness to consumers.

Last word for the modern day IT Auditor

The current trends in IT, presently and in the future, demand that IT auditors be IT savvy, current and evolving, so we have to:

- Learn: moving with technology
- Train: build capacity
- Share: leveraging