Point to note
Audit failure most times is not caused by receiving brown envelopes, but most times by not adhering to the audit quality control process.
5/27/2014
KNOWING YOUR ENVIRONMENTS
So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.
- Quotation from The Art of War by Sun Tzu
IS CONTROL IS CORPORATE CONTROL
Yourself (auditor):
- Tools
- Competency (human resources)
- Methodology
- Time & deadlines
-> Danger / audit failure

Enemies (auditee):
- Law & regulation
- Business process of the auditee
- Risk assessment by management
- Changing technology
-> Danger / audit failure

Quality audit
NB: Audit failure is where the audit has failed to fulfill its objective of providing reliable evidence upon which an audit opinion could be based.
Trend Drivers
- Customers
- Regulators
- Competitors
- Cost/Revenue
Information Security & Risk Insights Africa, Accra 2014
Training Objectives:
1.
2.
3.
Trend Drivers example: Customers
Quote from The McKinsey Quarterly
News: Headline
Gartner: Majority of Banks Will Turn to Cloud for Processing Transactions By 2016.

IBM Develops NFC Authentication Technology
IBM announced it has developed a new mobile payments authentication security technology based on near-field communication (NFC) technology.
According to IBM, a user engaging in a mobile transaction would hold a contactless smartcard next to the NFC reader of the mobile device and, after keying in their PIN, a one-time code would be generated by the card and sent to the server by the mobile device. The technology is based on end-to-end encryption between the smartcard and the server using the National Institute of Standards & Technology (NIST) AES (Advanced Encryption Standard) scheme.
Current technologies on the market require users to carry an additional device, such as a random password generator, IBM stated.
Continuity Across Devices
With more users working across multiple devices, we

Internet protocol replacing IPv4.
Protecting IPv6 is not just a question of porting IPv4 capabilities. There are fundamental changes to the protocol which need
Others are:
- T+3 becoming T
- Instant transfers
- ATMs accepting cash and cheques
- Cheques scanned with mobile phones
- Wearable technologies
- Virtualisation of all kinds: virtual customers, staff and projects
- Etc.
Cloud Computing
Verify that only approved personnel are granted access to services based on their roles, and that access is removed in a timely manner upon the personnel's termination of employment and/or a change in their roles that no longer requires the said access.

Physical Security
- Accessibility from the open Internet; over-permissive rules that open a wide range of ports
- Length / strength of passwords; systems to enforce / control password security / reset rules
- Only authorized users are granted access rights after proper approval
- Secure connectivity such as VPN IPSec, SSL, HTTPS where sensitive data is being transmitted for regular users or administrators
- Password settings for cloud resources (applications, virtual servers etc.) do not comply with the user organization's password policies. Sometimes the cloud vendor's resources do not support the user organization's policy requirements, but several times the cloud administrators at the user organization are not aware
- Port settings on cloud server instances not appropriately configured (administrator added exceptions to administer the cloud from their home computer and mobile device)
- Lack of policy and procedures for appropriate handling of security and privacy incidents
- Terminated users found to be active on applications in the cloud (even though the individuals' network access was terminated) and there was no IP range restriction
- Employees transferred out of a certain department still had access to cloud resources even though they transferred to another department a few months ago
- The service provider's SOC report was not reviewed for impact on the user organization
- Sensitive data (PII) in the cloud was found to be unencrypted. Sometimes the user organization is not aware that sensitive data resides in the cloud. Most commonly, with the use of cloud for test environments, sensitive data is not scrambled/de-identified before being sent to the cloud. It might even be your third-party development vendor doing that
- Use of shared accounts to administer the cloud
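As an added example (not from the slides), the access-review check behind the terminated-user, transferred-employee and shared-account findings above, run over a constructed HR roster and cloud IAM export; all names, roles and the role-to-department mapping are assumptions.

```python
from datetime import date

# Constructed sample data (not from the slides): an HR roster and a cloud IAM
# export, as an auditor might receive them for an access review.
HR_ROSTER = {
    "asante":  {"status": "active",     "dept": "finance",   "changed": date(2013, 6, 1)},
    "mensah":  {"status": "terminated", "dept": "it",        "changed": date(2014, 2, 14)},
    "owusu":   {"status": "active",     "dept": "marketing", "changed": date(2014, 1, 10)},  # moved from finance
    "boateng": {"status": "active",     "dept": "it",        "changed": date(2012, 9, 3)},
}
CLOUD_USERS = [
    {"user": "asante",     "roles": ["finance-reports"], "enabled": True},
    {"user": "mensah",     "roles": ["cloud-admin"],     "enabled": True},
    {"user": "owusu",      "roles": ["finance-reports"], "enabled": True},
    {"user": "boateng",    "roles": ["cloud-admin"],     "enabled": True},
    {"user": "cloudadmin", "roles": ["cloud-admin"],     "enabled": True},  # nobody in HR owns this
]
# Which department each role is meant for (hypothetical mapping).
ROLE_DEPT = {"finance-reports": "finance", "cloud-admin": "it"}

def review_access(roster, cloud_users, role_dept, as_of, grace_days=7):
    """Return (user, finding) pairs for enabled cloud accounts that should not be there."""
    findings = []
    for acct in cloud_users:
        if not acct["enabled"]:
            continue  # a disabled account is not an exposure
        person = roster.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "no owner in HR roster: possible shared or generic account"))
            continue
        if person["status"] == "terminated":
            # access should have been removed within grace_days of the termination date
            overdue = (as_of - person["changed"]).days - grace_days
            findings.append((acct["user"], f"terminated but still enabled, {overdue} days past removal deadline"))
            continue
        for role in acct["roles"]:
            owner_dept = role_dept.get(role)
            if owner_dept is not None and owner_dept != person["dept"]:
                findings.append((acct["user"], f"role {role} is for {owner_dept} but user is now in {person['dept']}"))
    return findings

def run_sample():
    """Run the review over the constructed data as of the training date."""
    return review_access(HR_ROSTER, CLOUD_USERS, ROLE_DEPT, as_of=date(2014, 5, 27))

if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

The same reconciliation can be fed a real IAM export and HR extract; the findings list maps directly onto the three observations above.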
Due Diligence
- Who at the cloud provider will have access to your data? What controls does the provider have over these people's access? How does the provider hire and fire?
- Regulatory Compliance: How will using the cloud affect your ability to comply with regulatory requirements (e.g. SOX, GLBA, HIPAA, PCI)? Has the provider undergone any kind of third party audit or certification?
- Data Location and Ownership: Where will the data be stored? Will it be replicated out of the country? Can the customer restrict where the data is stored? Who owns the data once it is in the cloud?
- Data Segregation: How does the provider ensure that its other customers cannot see my data? What type of encryption is in place? How are the keys managed?
- Recovery
- Forensic Support: If any kind of legal investigation is required because of illegal activity, can the provider support the customer?
- Long Term Viability: What is the provider's financial posture? Will they be around in the next 5-15 years? If they fail, how does the customer get his data back?
- Third Party Relationships: What third party relationships does your cloud provider have in place?
Cloud provider's key Risk and Performance Indicators
Reputational Risk Management
Train - build capacity
Share - leveraging