COSO-Focused Cyber Risk Assessment for Internal Auditors · obligations relating to cybersecurity...
Transcript of COSO-Focused Cyber Risk Assessment for Internal Auditors · obligations relating to cybersecurity...
COSO-Focused Cyber Risk
Assessment for Internal
Auditors
September 2015
Siah Weng Yew, Deloitte Risk Consulting
Thio Tse Gan, Deloitte Risk Consulting
2 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Cyber risk—High on the agenda
Audit committees and board members are seeing cybersecurity as a top risk,
underscored by recent headlines and increased government and regulatory
focus
The Executive Order highlights the focus on an improved cybersecurity framework
and the rapid changes of regulatory agency expectations and oversight
Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure
obligations relating to cybersecurity risks and incidents…..
“Registrants should address cybersecurity risks and cyber
incidents in their Management’s Discussion and Analysis of
Financial Condition and Results of Operations (MD&A), Risk
Factors, Description of Business, Legal Proceedings and
Financial Statement Disclosures.” SEC Division of Corporate
Finance Disclosure Guidance: Topic No. 2 - Cybersecurity
Ever-growing concerns about cyber-attacks affecting the nation’s critical infrastructure prompted the
signing of the Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.
One of the foundational drivers behind the update and release of the 2013 COSO Framework was
the need to address how organizations use and rely on evolving technology for internal control
purposes
3 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Cyber Risk – COSO
Framework 2013
3
4 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Transformation of IT when the COSO 1992 framework was initially
launched
COSO 2013 Framework
• Different business environment:
1. There were less than 14 million Internet users worldwide in 1992, compared
to nearly 3 billion today.
2. America Online (AOL) for Microsoft DOS had been recently released.
3. Microsoft Internet Explorer did not exist.
4. Some of the most popular cell phones were “bag phones.”
5. Telephone and fax were the predominant ways businesses communicated.
• Nowadays:
1. Customers’ orders are now processed over electronic data interchanges on
the Internet with little or no human intervention.
2. More and more corporate personnel work remotely or from home, with little
need to come into the office. Online only banks exist, and nearly all banks
offer Internet banking to customers.
5 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Cyber Risk COSO Cube
COSO 2013 Framework
• Control Environment — Does the board of directors understand the
organization’s cyber risk profile and are they informed of how the
organization is managing the evolving cyber risks management faces?
• Risk Assessment — Has the organization and its critical stakeholders
evaluated its operations, reporting, and compliance objectives and
gathered information to understand how cyber risk could impact such
objectives?
• Control Activities — Has the entity developed control activities, including
general control activities over technology, that enable the organization to
manage cyber risk within the level of tolerance acceptable to the
organization? Have such control activities been deployed through
formalized policies and procedures?
• Information and Communication — Has the organization identified information requirements to
manage internal control over cyber risk? Has the organization defined internal and external
communication channels and protocols that support the functioning of internal control? How will the
organization respond to, manage, and communicate a cyber risk event?
• Monitoring Activities — How will the organization select, develop, and perform evaluations to
ascertain the design and operating effectiveness of internal controls that address cyber risks? When
deficiencies are identified how are these deficiencies communicated and prioritized for corrective
action? What is the organization doing to monitor their cyber risk profile?
6 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Effective risk management is the product of multiple layers of risk
defense. Internal Audit should support the board’s need to
understand the effectiveness of cybersecurity controls.
COSO 2013 - Control Environment
• Establish governance and oversight
• Set risk baselines, policies, and standards
• Implement tools and processes
• Monitor and call for action, as appropriate
• Provide oversight, consultation, checks and balances, and
enterprise-level policies and standards
• Incorporate risk-informed decision making into day-to-day
operations and fully integrate risk management into operational
processes
• Define risk appetite and escalate risks outside of tolerance
• Mitigate risks, as appropriate
• Independently review program effectiveness
• Provide confirmation to the board on risk management
effectiveness
• Meet requirements of regulator disclosure obligations focused
on cybersecurity risks
1st Line of defense
business and IT
functions
2nd Line of defense
information and technology
risk management
function
3rd Line of
defense
internal audit
Roles and responsibilities
Given recent high profile cyber attacks and data losses, and the regulators’ expectations, it is critical for Internal
Audit to understand cyber risks and be prepared to address the questions and concerns expressed by the audit
committee and the board
7 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
The forces driving growth and efficiency may
create a broad attack surface
COSO 2013 - Risk Assessment
Technology becomes more pervasive
• Internet, cloud, mobile, and social are mainstream
platforms inherently oriented for sharing
• Employees want continuous, real-time access to
their information
Changing business models
• Service models have evolved—outsourcing, offshoring,
contracting, and remote workforce
More data to protect
• Increased volume of customers’ personal, account, &
credit card data, as well as employee’s personal
identifiable information and also company trade secrets
• The need to comply with privacy requirements across a
wide array of jurisdictions
Threat actors with varying motives
• Hackers to nation states
• Continuously innovating & subverting common controls
• Often beyond the reach of a country’s law enforcement
Cybersecurity
Technology
expansion
Evolving
business
models
Data growth
Motivated
attackers
8 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
COSO 2013 - Risk AssessmentUnderstanding the actors and their attributes
9 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
COSO 2013 - Risk AssessmentLifecycle of an attack – Monetisation
10 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
“The biggest retail hack in U.S. history wasn’t particularly
inventive, nor did it appear destined for success”Business Week
Intense & prolific media
coverage exposing breach
Loss of consumer
confidence & sales;
Brand reputation & market
confidence damaged
One of Target’s 3rd parties
breached via phishing email
– credentials stolen to
procurement application
Target’s CEO, CIO &
Security Officer resign
>90 lawsuits filed against
Target by customers & banks -
>$61m spent within 3 mos to
increase security capabilities
Attackers used credentials to
breach network, infect Target’s
POSs & commit largest data
breach to date
Vulnerabilities identified – attack
detected early enough to avoid
breach – risks were neither
articulated nor managed
appropriately by executive
management
Number of credit card numbers
affected
Current cost of Target’s data breach
Drop in earnings reflecting more
cautious consumer spending
Time Target will provide free credit
screening services to any customers
affected
Forrester Research’s forecasted
total cost to Target resulting from
breach
70M
$0.78
1 Year
$1B
$148M
The Target breach reiterated several realities
• No industry is immune & all will be compromised
• Security damages go well beyond dollars
• The speed of attacks are increasing while
response times are decreasing
• Everything can’t be protected equally
• Traditional controls are necessary but not
adequate
• A secure, vigilant & resilient program requires
strong governance & risk management
ESSENTIAL TRUTHS
BY THE NUMBERS*In December 2013, Target disclosed that it was victim to the world-
largest data breach which affected more than 100M customers
10
Risk Appetite - How to erode a successful brand
COSO 2013 - Risk Assessment
11 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
• Perimeter defenses
• Vulnerability management
• Asset management
• Identity management
• Secure SDLC
• Data protection
Cyber Risk Program and Governance
Risk Appetite - Management should develop an understanding of
who might attack, why, and how
COSO 2013 - Risk Assessment
• Cyber criminals
• Hactivists (agenda driven)
• Nation states
• Insiders/partners
• Competitors
• Skilled individual hackers
• Theft of IP/strategic plans
• Financial fraud
• Reputation damage
• Business disruption
• Destruction of critical infrastructure
• Threats to health and safety
Who might attack?
What are they after, and what business risks do I
need to mitigate?
What tactics might they use?
• Governance and operating model
• Policies and standards
• Management processes and capabilities
• Risk reporting
• Risk awareness and culture
• Spear phishing, drive by
download, etc.
• Software or hardware vulnerabilities
• Third-party compromise
• Multi-channel attacks
• Stolen credentials
• Incident response
• Forensics
• Business continuity /
disaster recovery
• Crisis management
SecureAre controls in place to guard against known and
emerging threats?
VigilantCan we detect malicious or unauthorized activity, including
the unknown?
ResilientCan we act and recover quickly to reduce impact?
• Threat intelligence
• Security monitoring
• Behavioral analysis
• Risk analytics
12 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
An internal audit assessment of cybersecurity should cover all domains
and relevant capabilities, and involve subject matter specialists when
appropriate
COSO 2013 - Risk Assessment
Phase III: Risk
assessment
Phase II: Understand
current state
Phase IV: Gap assessment
and recommendationsPhase I: Planning and scoping
Ph
as
eK
ey a
cti
vit
ies
De
live
rab
les
Activities:
• Identify specific internal and
external stakeholders: IT,
Compliance, Legal, Risk, etc.
• Understand organization
mission and objectives
• Identify industry requirements
and regulatory landscape
• Perform industry and sector risk
profiling (i.e., review industry
reports, news, trends,
risk vectors)
• Identify in-scope systems
and assets
• Identify vendors and third-party
involvement
Activities:
• Conduct interviews and
workshops to understand the
current profile
• Perform walkthroughs of in-
scope systems and processes
to understand existing controls
• Understand the use of third-
parties, including reviews of
applicable reports
• Review relevant policies and
procedures, including security
environment, strategic plans,
and governance for both
internal and external
stakeholders
• Review self assessments
• Review prior audits
Activities:
• Document list of potential risks
across all in-scope capabilities
• Collaborate with subject matter
specialists and management to
stratify emerging risks, and
document potential impact
• Evaluate likelihood and impact
of risks
• Prioritize risks based upon
organization’s objectives,
capabilities, and risk appetite
• Review and validate the risk
assessment results with
management and identify
criticality
Activities:
• Document capability
assessment results and
develop assessment scorecard
• Review assessment results
with specific stakeholders
• Identify gaps and evaluate
potential severity
• Map to maturity analysis
• Document recommendations
• Develop multiyear
cybersecurity/IT audit plan
Deliverable:
• Assessment objectives and
scope
• Capability assessment scorecard
framework
Deliverable:
• Understanding of environment
and current state
Deliverable:
• Prioritized risk ranking
• Capability assessment findings
Deliverables:
• Maturity analysis
• Assessment scorecard
• Remediation recommendations
• Cybersecurity audit plan
13 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
A cybersecurity assessment can drive a risk-based IT internal audit plan.
Audit frequency should correspond to the level of risk identified, and
applicable regulatory requirements/expectations.
Representative internal audit plan
Internal Audit FY 2015 FY 2016 FY 2017 Notes (representative)
SOX IT General
Computer ControlsX X X
Annual requirement but only covers financially
significant systems and applications
External Penetration and
Vulnerability TestingX X X Cover a portion of IP addresses each year
Internal Vulnerability Testing X Lower risk due to physical access controls
Business Continuity Plan/Disaster
Recovery PlanX X
Coordinate with annual 1st and 2nd line of
defense testing
Data Protection and
Information Security X Lower risk due to …
Third-party Management X Lower risk due to …
Risk Analytics X X XAnnual testing to cycle through risk areas, and
continuous monitoring
Crisis Management X X Cyber war gaming scenario planned
Social Media X Social media policy and awareness program
Data Loss Protection (DLP) X Shared drive scan for SSN / Credit Card #
14 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Certain cybersecurity domains may be partially covered by existing IT audits, however many
capabilities have historically not been reviewed by internal audit
• Account provisioning
• Privileged user management
• Access certification
• Access management and governance
SOX (financially relevant systems only) Penetration and vulnerability testing BCP/DRP Testing
Vig
ilan
tS
ecu
re
• Data classification and inventory
• Breach notification and management
• Data loss prevention
• Data security strategy
• Data encryption and obfuscation
• Records and mobile device management
Data management and protection
• Secure build and testing
• Secure coding guidelines
• Application role design/access
• Security design/architecture
• Security/risk requirements
Secure development life cycle
• Compliance monitoring
• Issue and corrective action planning
• Regulatory and exam management
• Risk and compliance assessment and mgmt.
• Integrated requirements and control framework
Cybersecurity risk and compliance management
• Incident response and forensics
• Application security testing
• Threat modeling and intelligence
• Security event monitoring and logging
• Penetration testing
• Vulnerability management
Threat and vulnerability management
Resil
ien
t
• Change management
• Configuration management
• Network defense
• Security operations management
• Security architecture
Security operations
• Security training
• Security awareness
• Third-party responsibilities
Security awareness and training
• Recover strategy, plans, and procedures
• Testing and exercising
• Business impact analysis
• Recover strategy, plans, and procedures
• Testing and exercising
Crisis management and resiliency
• Information gathering and analysis around:
– User, account, entity
– Events/incidents
– Fraud and anti-money laundering
– Operational loss
Risk analytics
• Security direction and strategy
• Security budget and finance management
• Policy and standards management
• Exception management
• Talent strategy
Security program and talent management
• Evaluation and selection
• Contract and service initiation
• Ongoing monitoring
• Service termination
Third-party management Identity and access management
• Information and asset classification and inventory
• Information records management
• Physical and environment security controls
• Physical media handling
Information and asset management
Deloitte cybersecurity framework
* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.
15 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Maintaining and enhancing security capabilities can help mitigate cyber
threats and help the organization to arrive at its desired level of maturity
COSO 2013 - Assessment maturity analysis
Cybersecurity domain
Cybersecurity risk and compliance mgmt.
Third-party management
Secure development life cycle
Information and asset management
Security program and talent management
Identity and access management
Threat and vulnerability management
Data management and protection
Risk analytics
Crisis management and resiliency
Security operations
Security awareness and training
Initial Managed Defined Predictable Optimized
Current state CMMI maturity*
Maturity analysis
• Recognized the issue
• Ad-hoc/case by case
• Partially achieved goals
• No training, communication, or
standardization
• Process is managed
• Responsibility defined
• Defined procedures with
deviations
• Process reviews
• Defined process
• Communicated procedures
• Performance data collected
• Integrated with other processes
• Compliance oversight
• Defined quantitative performance
thresholds and control limits
• Constant improvement
• Automation and tools implemented
• Managed to business objectives
• Continuously improved
• Improvement objectives
defined
• Integrated with IT
• Automated workflow
• Improvements from new
technology
Stage 1: Initial Stage 2: Managed Stage 4: PredictableStage 3: Defined Stage 5: Optimized
*The industry recognized
Capability Maturity Model
Integration (CMMI) can be used
as the model for the assessment.
Each domain consists of specific
capabilities which are assessed
and averaged to calculate an
overall domain maturity.
Secu
reV
igila
nt
Re
silie
nt
Desired / Target state
16 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
COSO 2013 - Communication
Important to communicate to the various
stakeholders
• Communication
1. To all personnel
2. To those Explicitly Responsible for Managing and
Monitoring Cyber Risks and Controls
3. To the Board of Directors
4. External parties
17 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
COSO 2013 – Control Environment & Monitoring
Control Environment and
Monitoring Activities — Managing
Cyber Risk is not possible Without
Governance
• The Control Environment and Monitoring
Activities internal control components are
foundational for an organization to properly
manage its cyber risk exposures.
• Qualified cyber risk professionals are also
critically important to the Monitoring Activities of
the organization.
18 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Internal Audit Areas
- Email Phishing
- Cybersecurity Simulations
19 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Examples of new areas coveredSocial Engineering – Email or USB phishing
Threat
Attacker uses spear phishing or mass-mailing attacks to
distribute malware.
Steps
Confirmation of objective (flags)
Confirmation of “target” distribution list Engagement
Simulate a ‘phishing’ attack against the agreed address list
Demonstrate the relative success of the attack by collecting
non-personally identifiable information for statistical
purposes
Post-engagement
Client Briefing/Presentation
Phishing awareness workshop and e-learning
20 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Scenarios that challenge
Simulations need to be designed which focus on the business and strategic consequences of
high impact events and which are genuinely challenging and informative for senior
executives.
• Rise in reinsurance claims – strategic impact
• Medium / long term productivity planning
• Geographical handover strategies
• Resource management
• Workload distribution
• Reinsurance claims - estimation / escalation
• Data theft – Regulatory and media impacts
• Cyber investment strategy – options
• Media management - cyber attack
• Technical failure
• Escalation and invocation channels
• Cyber attack – pre-emptive measures
• Asian crisis – disruption to growth initiative
• Protectionism
• Future market assessment – political risk, war
• Analysis of 2nd and 3rd order effects
• Single team market analysis
• APAC Resource management
• Workload distribution
• Stakeholder strategy and communications
• Counterparty appraisal strategy review
• Analysis of 2nd and 3rd order effects
• Workarounds for affected processes
• Review of legal positions/contract documentation
• Risk exposure analysis & interdependencies
• Geographical restructuring strategies
• Future market assessment – currency risk
• Firm strategy - Portfolio management
• Workload handover – office disruption
• Internal and external communications
• Single team market analysis
• Organisational / structural changes
• Managing reinsurance demand - strategies
o Short / Medium / Long term
• Coordination of BAU process changes
• Contract / data review and management
• Examine tech/financial model adjustments
Geo-political
Pandemic or
Natural Disaster
Counterparty
Failure
RRPs
Sovereign Debt€
Cyber Security
Strategic Focus Operational focus
Example topic areas
Examples of new areas covered
21 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Cyber attack through a third party vendor
• To provide education and awareness of key cyber threats the bank faces as
well as the opportunity to review how the Group Crisis Management Team would
respond to a hypothetical cyber threat scenario in a safe environment:
• Practising the response to emerging cyber threats will help speed up the
decision-making during an actual event and lessen its impact
Aim
Objectives
• Provide education and awareness
• Have engaging discussion around critical decision making
• Build teamwork, collaborative working and confidence
• Identify key stakeholders and associated roles and responsibilities
• Derive lessons learned and follow up actions
• Support the development of a Cyber Contingency Plan
Key
learnings
• Develop a real-time Communications Strategy & Framework, to be used for
internal and external communications (during business as usual and crises)
• Review all existing critical activities to confirm that all single points of failure
(SPOFs) (internal and external) have been identified, that a ‘BCM mentality’
has been applied to them, and that necessary contingency strategies are in place
• Review the process for how to embed resilience into all design changes
• Review, from a Legal perspective, the degree of control at times of
incidents/crisis over key vendors
Supported a Global bank to design and deliver it’s annual Global Crisis Management
Exercise, focussing on Cyber preparedness. We designed and delivered a 3-hour Cyber
Workshop which included external guest speakers on Cyber and external communications,
as well as a high-level facilitated scenario walkthrough.
4-stage unfolding &
escalating scenario
walkthrough
20 Executive members
participated via video
conference across 3
global locations
2 external luminary
speakers involved to
provide views of macro
Cyber threats in FS and
strategic management of
the media in a Crisis
Examples of new areas covered
22 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
ConclusionKey Questions to Ask
23 COSO-Focused Cyber Risk Assessment for Internal Auditors Copyright © 2015 Deloitte & Touche. All rights reserved.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of
member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also
referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/sg/about for a more detailed description
of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public
and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and
territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most
complex business challenges. Deloitte’s more than 210,000 professionals are committed to becoming the standard of excellence.
About Deloitte Southeast Asia
Deloitte Southeast Asia Ltd – a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei,
Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam – was established to deliver
measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises.
Comprising over 270 partners and 6,300 professionals in 24 office locations, the subsidiaries and affiliates of Deloitte Southeast Asia Ltd
combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region.
All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent legal
entities.
About Deloitte Singapore
In Singapore, services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates.
© 2015 Deloitte & Touche Enterprise Risk Services Pte Ltd
2
3