Current Trends in Information Technology: Which way for Modern IT Auditors? Joseph Akoki, ACA, MCP, CISA, AMIMC Information Security & Risk Insights Africa Accra 2014

  • Current Trends in Information Technology: Which way for Modern IT Auditors?

    Joseph Akoki, ACA, MCP, CISA, AMIMC

    Information Security & Risk Insights Africa, Accra 2014

  • Quotes

    "Technology is like a fish. The longer it stays on the shelf, the less desirable it becomes."
    Andrew Heller

    "What I did in my youth is hundreds of times easier to do today. Technology breeds crime."
    Frank Abagnale

    "There will come a time when it isn't 'they are spying on me through my phone' anymore. Eventually it will be 'my phone is spying on me'."
    Philip K. Dick

  • Reality!!!

    "Technology changes twice every year; the only way not to be left behind is to respond to the changes, otherwise you will be twice behind."
    Anonymous

    "We are getting closer and closer to the year when cars will run on water."
    Bank PHB Nigeria

  • "With a 13% increase in identity fraud between 2010 and 2011, a study conducted by Javelin Strategy & Research showed that consumers may be putting themselves at a higher risk for identity theft as a result of their increasingly intimate social media behaviors."

  • Point to note

    "Audit failure is most often caused not by receiving brown envelopes but by failing to adhere to the audit quality control process."

  • KNOWING YOUR ENVIRONMENTS

    5/27/2014

    IS (information systems) control is corporate control.

    "So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself."
    Quotation from The Art of War by Sun Tzu

  • KNOWING YOUR ENVIRONMENTS

    Yourself (the auditor): tools; competency (human resources); methodology; time and deadlines.

    Enemies (the auditee): law and regulation; the business process of the auditee; risk assessment by management; changing technology.

    Outcomes: know both sides and the result is a quality audit; know only one side, or neither, and the danger is audit failure.

    NB: Audit failure is where the audit has failed to fulfil its objective of providing reliable evidence upon which an audit opinion could be based.

  • Trend Drivers

    • Customers

    • Regulators

    • Competitors

    • Cost/Revenue

  • Training Objectives:

    1. Identify the technologies that will have the greatest impact on banking business and audit functions

    2. Explain why understanding trends and new technologies can help an organization prepare for the future

    3. Explore the risks inherent in these emerging technologies and how audit planning can respond to them adequately

  • Introduction

    • Obtaining a broad view of emerging trends and new technologies as they relate to business can help an organization anticipate and prepare for the future

    • Organizations that can most effectively grasp the deep currents of technological evolution can use their knowledge to protect themselves against sudden and fatal technological obsolescence

  • Trend Drivers – example: Customers

    Quote from "The McKinsey Quarterly"

    The "emerging affluent" segment, young, educated, and consumption-oriented urban professionals, could account for up to a third of all retail-banking revenues in the coming three to five years: they are tech savvy, preferring online banking and smartphone applications; reluctant users of branches (bricks and mortar); and price conscious and service oriented. (February 2012, Miklós Dietz, Ádám Homonnay, and Irene Shvakman)

  • News: Headlines

    Gartner: Majority of Banks Will Turn to Cloud for Processing Transactions By 2016.

    IBM Develops NFC Authentication Technology.

    Barclays Puts the Safety Deposit Box in the Cloud. Barclays online banking customers will now be able to scan and upload important documents to a cloud-based document storage system.

    What Banks Should Know About Disaster Recovery in the Cloud. The cloud offers faster recovery from disasters, but banks need to be on the same page with their providers on issues like data ownership and interoperability.

  • The need to know the trend:

    The jagged economic landscape, complicated by advancing technologies such as cloud, social media and mobile devices, can challenge the ability of an IT auditor to provide comfort to executives already overwhelmed with rapidly expanding opportunities and pressures caused by shrinking margins.

  • Pace of technological innovation is increasing

    Medical knowledge is doubling every eight years.

    50% of what students learn in their freshman year of college is obsolete, revised, or taken for granted by their senior year.

    All of today's technical knowledge will represent only 1 percent of the knowledge that will be available in 2050.

    Potential business impact:

    Shortened time-to-market for products and services

    Tighter competition based on new technologies

    Tighter monitoring requirements

  • The Digital Disruption

    The five post-digital forces affecting business: cloud, mobile, social, analytics and cyber.

    The digital revolution is disrupting every industry, creating new possibilities and changing the ways business is done.

    The only way to compete is to evolve!!!

  • News: Headline

    IBM Develops NFC Authentication Technology

    IBM announced it has developed a new mobile payments authentication security technology based on near-field communication (NFC) technology.

    According to IBM, a user engaging in a mobile transaction would hold a contactless smartcard next to the NFC reader of the mobile device and, after keying in their PIN, a one-time code would be generated by the card and sent to the server by the mobile device. The technology is based on end-to-end encryption between the smartcard and the server using the National Institute of Standards & Technology (NIST) AES (Advanced Encryption Standard) scheme. Current technologies on the market require users to carry an additional device, such as a random password generator, IBM stated.
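The PIN-plus-card one-time-code flow described above, modelled as an added example; this is not IBM's code and is not on the original slide. HMAC-SHA256 stands in for the AES-based construction IBM describes, the card number, key, PIN and transaction strings are constructed, and binding the server's challenge to one transaction is an assumption about how such a scheme is built. What the model shows is what an auditor should look for in any such design: the phone is only a relay and never holds the key or the PIN, a code authorises exactly the transaction the server issued the challenge for, and a replayed code is rejected.

```python
import hashlib
import hmac
import secrets

# HMAC-SHA256 stands in for the AES-based construction IBM describes; the key,
# PIN, card number and transactions below are constructed for this example.


def one_time_code(key: bytes, challenge: bytes, txn: str) -> str:
    """8-digit code over the server's challenge AND the transaction text, so a
    code authorises exactly one transaction and nothing else."""
    mac = hmac.new(key, challenge + txn.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The contactless smartcard: holds the key and the PIN, never releases them."""

    def __init__(self, card_id: str, key: bytes, pin: str):
        self.card_id, self._key, self._pin = card_id, key, pin
        self.tries_left = 3

    def generate(self, pin: str, challenge: bytes, txn: str) -> str:
        if self.tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        return one_time_code(self._key, challenge, txn)


class Server:
    """Bank side: issues one-shot challenges and verifies the returned code."""

    def __init__(self):
        self._keys = {}     # card_id -> shared key, loaded at card issuance
        self._pending = {}  # challenge -> (card_id, txn) awaiting a code

    def enrol(self, card_id: str, key: bytes):
        self._keys[card_id] = key

    def new_challenge(self, card_id: str, txn: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = (card_id, txn)
        return challenge

    def verify(self, card_id: str, challenge: bytes, code: str) -> bool:
        entry = self._pending.pop(challenge, None)  # one shot: a replay finds nothing
        if entry is None or entry[0] != card_id or card_id not in self._keys:
            return False
        expected = one_time_code(self._keys[card_id], challenge, entry[1])
        return hmac.compare_digest(expected, code)


def phone_transaction(server, card, pin, txn, shown_to_card=None):
    """The phone app is only a relay. `shown_to_card` lets a test model malware
    that presents the card with a different transaction than it asked the server for."""
    challenge = server.new_challenge(card.card_id, txn)
    code = card.generate(pin, challenge, shown_to_card or txn)
    return challenge, code, server.verify(card.card_id, challenge, code)


def demo():
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    card, server = Card("4111-0001", key, "2468"), Server()
    server.enrol(card.card_id, key)
    challenge, code, ok = phone_transaction(server, card, "2468", "pay 250 GHS to ACME")
    replay_ok = server.verify(card.card_id, challenge, code)
    _, _, tampered_ok = phone_transaction(server, card, "2468",
                                          "pay 2500 GHS to MULE", "pay 250 GHS to ACME")
    return {"genuine": ok, "replay": replay_ok, "tampered_amount": tampered_ok}


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'replay': False, 'tampered_amount': False}
```

The tampered case is the one worth asking a vendor about: because the server ties its challenge to the transaction it was asked to authorise, phone malware that requests one payment from the bank while showing the card another produces a code the server rejects. Without that binding, a one-time code is just a second password that any relay can forward.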


  • Continuity Across Devices

    With more users working across multiple devices, we see a move to provide the missing link in today's computing experience: the ability to pick up the session on a different device in exactly the same place you left off.

    Innovation will occur behind the scenes, to provide a continuous experience for users across call logs, text messages, notes and activities as they move from laptop to desktop, from tablet to mobile.

  • All-Encompassing Smartphones

    Nowadays, consumers are increasingly relying on their smartphones for just about everything. From researching purchasing decisions to mobile commerce, expect to see more brands start to innovate and cater to the needs of mobile audiences, both customers and staff, to allow for more seamless use and integration of smartphones into our daily lives.

  • IPv6: Major surgery for the Internet

    IPv6 is the new Internet protocol replacing IPv4. Protecting IPv6 is not just a question of porting IPv4 capabilities: there are fundamental changes to the protocol which need to be considered in security policy.

  • IPv6: Major surgery for the Internet contd…

    The Difference Between IPv6 and IPv4 IP Addresses

    An IP address is a binary number but is written as text for human readers. A 32-bit IPv4 address is written in decimal as four numbers separated by periods, each between 0 and 255; for example, 1.160.10.240 could be an IP address.

    IPv6 addresses are 128-bit addresses written in hexadecimal as eight groups separated by colons. An example IPv6 address could be written like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf

    http://www.webopedia.com/TERM/I/IP_address.html
    http://www.webopedia.com/TERM/B/binary.html
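One concrete instance of the "fundamental changes" point, as an added example that is not part of the original slides: the same IPv6 address has several textual spellings (zero compression, leading zeros, letter case), an IPv4 address can arrive wrapped as an IPv4-mapped IPv6 address, and with SLAAC a host can use any address in its /64. A string-matching denylist carried over from IPv4 rule sets or log filters misses all three. The block uses Python's standard ipaddress module; the denylist reuses the slide's two addresses, while the prefix rule and the peer list are constructed.

```python
import ipaddress

# The two addresses from the slide are used as denylist entries; the prefix rule
# and the peer addresses below are constructed for this illustration.
BLOCKED_HOSTS = ["1.160.10.240", "3ffe:1900:4545:3:200:f8ff:fe21:67cf"]
BLOCKED_PREFIXES = ["3ffe:1900:4545:3::/64"]  # assumption: block the host's whole /64


def naive_is_blocked(peer: str) -> bool:
    """String comparison, the way many IPv4-era rule sets and log filters work."""
    return peer in BLOCKED_HOSTS


def canonical(peer: str):
    """Parse and normalise: zero compression, leading zeros and letter case all
    collapse to one object, and an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
    is reduced to the IPv4 address it actually represents."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_blocked(peer: str) -> bool:
    """Policy check on the parsed address, including prefix rules: with SLAAC
    and privacy extensions one IPv6 host can use any address in its /64, so
    blocking a single 128-bit address is rarely enough."""
    try:
        addr = canonical(peer)
    except ValueError:
        return True  # refuse what we cannot parse rather than let it through
    if any(addr == canonical(h) for h in BLOCKED_HOSTS):
        return True
    return any(addr in ipaddress.ip_network(p) for p in BLOCKED_PREFIXES)


def bypasses(peers):
    """Peers that the string-based rule lets through but the parsed rule blocks."""
    return [p for p in peers if not naive_is_blocked(p) and is_blocked(p)]


# Constructed peers: three spellings of the blocked host, an IPv4-mapped form
# of the blocked IPv4 address, a neighbour in the same /64 and an innocent host.
SAMPLE_PEERS = [
    "3ffe:1900:4545:3:200:f8ff:fe21:67cf",
    "3FFE:1900:4545:0003:0200:F8FF:FE21:67CF",
    "3ffe:1900:4545:3:0200:f8ff:fe21:67cf",
    "::ffff:1.160.10.240",
    "3ffe:1900:4545:3:5c2e:91ff:fe0a:1b2c",
    "2001:db8::10",
]

if __name__ == "__main__":
    for peer in SAMPLE_PEERS:
        print(f"{peer:45} naive={naive_is_blocked(peer)!s:5} parsed={is_blocked(peer)}")
```

For an auditor the check is simple to phrase: ask whether firewall rules, web-application allow/deny lists and SIEM correlation rules compare parsed addresses or strings, and whether IPv6 policy is written in prefixes rather than single hosts. The parsing function also fails closed on unparsable input, which is the right default for a deny rule.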

  • Others are:

    T+3 settlement becoming T (same-day)

    Instant transfers

    ATMs accepting cash and cheques

    Cheques scanned with mobile phones

    Wearable technologies

    Virtualisation of all kinds: virtual customers, staff and projects

    Etc.

  • Cloud Computing

  • Contending With Cloud Services

    Small, medium and large enterprises are beginning to adopt cloud services, PaaS and SaaS, at a greater rate. This trend presents a big challenge for network security, as traffic can go around traditional points of inspection. Additionally, as the number of applications available in the cloud grows, policy controls for Web applications and cloud services will also need to evolve.

    As the cloud evolves, so too must network security.

  • What is cloud computing?

    Cloud Computing is not:

    • Any specific technology, such as VMware or Salesforce

    • Virtualization

    • Outsourcing

    • Grid computing

    • Web hosting

    Cloud Computing is:

    An IT delivery approach that binds together technology infrastructure, applications, and internet connectivity as a defined, managed service that can be sourced in a flexible way.

    Cloud computing models typically leverage scalable and dynamic resources through one or more service and deployment models.

    The goal of cloud computing is to provide easy access to, and elasticity of, IT services.

  • Key Areas to Focus on during Audit

    Identity and Access Management: verify that only approved personnel are granted access to the service based on their roles, and that access is removed in a timely manner when personnel leave or move to a role that no longer requires it.

    Physical Security, Hosting & Data: segregation of tiers; hosting encryption methods.

    Logical Security: accessibility from the open Internet; over-permissive rules that open a wide range of ports.

    Authentication & Authorization: length and strength of passwords; systems to enforce and control password security and reset rules; use of hardware or software tokens; management of key fobs; only authorized users are granted access rights after proper approval; access for transferred employees is modified in a timely manner; unauthorized access to cloud computing resources is removed promptly; periodic review of super-user and regular access to cloud applications.

    Connection & Data Transmission: secure connectivity such as VPN, IPsec, SSL or HTTPS wherever sensitive data is transmitted by regular users or administrators.

  • Key Areas to Focus on during Audit (contd.): Auditing Cloud Computing in Five Relevant Areas

    Audit objective(s): Technology Risks

    Unique risks related to the use of a virtual operating system with co-tenants.

    Is your primary service provider utilizing another sub-service provider? For example, there are several cases where a SaaS provider runs on an IaaS provider. Do you know whether your primary service provider is protecting you adequately from the risks inherent in its use of an IaaS provider?

    Hypervisor technology utilized and whether it is patched.

    Process for monitoring and patching known vulnerabilities in the hypervisor technology.

    Segregation of duties (SoD) considerations from both a technology and a business perspective. From a technology perspective: does one person have access to the host and guest operating systems as well as the guest database? From a business perspective: for financially significant applications, the fact that an application is in the cloud does not diminish the importance of segregating access within the application.

    Logging of access to the applications and data, where relevant.

    Protection of access logs from inadvertent deletion or unauthorized access.

  • Common Observations When Auditing Cloud Computing

    • Password settings for cloud resources (applications, virtual servers etc.) do not comply with the user organization's password policies. Sometimes the cloud vendor's resources do not support the user organization's policy requirements, but often the cloud administrators at the user organization are simply not aware of them.

    • Port settings on cloud server instances are not appropriately configured (an administrator added exceptions to administer the cloud from a home computer and a mobile device).

    • Lack of policy and procedures for appropriate handling of security and privacy incidents.

    • Terminated users found to be active on applications in the cloud (even though the individual's network access was terminated), and there was no IP range restriction.

    • Employees transferred out of a department still had access to cloud resources months after moving to another department.

    • The service provider's SOC report was not reviewed for impact on the user organization.

    • Sensitive data (PII) in the cloud was found not to be encrypted. Sometimes the user organization is not aware that sensitive data resides in the cloud. Most commonly, when the cloud is used for test environments, sensitive data is not scrambled or de-identified before being sent to the cloud. It might even be your third-party development vendor doing that.

    • Use of shared accounts to administer the cloud.
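The access and configuration points in the three slides above (Key Areas, Technology Risks, Common Observations) can be turned into repeatable checks rather than one-off interviews. The following added example, which is not part of the original deck, joins an HR extract with a cloud tenant's user list, security-group rules and password settings and produces the findings the slides list: terminated users still active, transferred staff with stale roles, administrative ports open to the whole Internet, accounts with no named owner (the usual sign of a shared account), privileged users without MFA, and tenant password settings weaker than the organization's policy. Every record and field name is constructed for the illustration; mapping them onto a real provider's export format is left to the reader.

```python
import ipaddress

# Every record below is constructed for this example; the field names are an
# assumption, not any provider's export format.
HR_RECORDS = {  # employee id -> (current department, employment status)
    "e100": ("finance", "active"),
    "e101": ("finance", "terminated"),   # left; network account was disabled
    "e102": ("treasury", "active"),      # transferred out of finance months ago
    "e103": ("it", "active"),
}
CLOUD_ACCOUNTS = [
    {"user": "alice", "owner": "e100", "role": "finance-viewer", "mfa": True},
    {"user": "bob", "owner": "e101", "role": "finance-approver", "mfa": True},
    {"user": "carol", "owner": "e102", "role": "finance-approver", "mfa": False},
    {"user": "cloudadmin", "owner": None, "role": "admin", "mfa": False},
    {"user": "dave", "owner": "e103", "role": "admin", "mfa": True},
]
ROLE_DEPARTMENT = {"finance-viewer": "finance", "finance-approver": "finance", "admin": "it"}
SECURITY_GROUP = [  # (protocol, first port, last port, source CIDR)
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 22, 22, "203.0.113.7/32"),      # office bastion only
    ("tcp", 3389, 3389, "0.0.0.0/0"),       # "exception" added to administer from home
    ("tcp", 0, 65535, "198.51.100.0/24"),   # every port from a partner's /24
]
ORG_PASSWORD_POLICY = {"min_length": 12, "max_age_days": 90, "history": 10}
PROVIDER_SETTINGS = {"min_length": 8, "max_age_days": 0, "history": 0}  # 0 = not enforced
ADMIN_PORTS = {22, 3389, 5985, 5986}


def terminated_but_active(accounts=CLOUD_ACCOUNTS, hr=HR_RECORDS):
    """Cloud logins whose owner HR says has left: disabling the network account
    does not reach a SaaS application that keeps its own user store."""
    return [a["user"] for a in accounts
            if a["owner"] in hr and hr[a["owner"]][1] == "terminated"]


def transferred_with_stale_role(accounts=CLOUD_ACCOUNTS, hr=HR_RECORDS):
    """Active staff whose cloud role belongs to a department they no longer work in."""
    out = []
    for a in accounts:
        if a["owner"] in hr and hr[a["owner"]][1] == "active":
            dept = hr[a["owner"]][0]
            if ROLE_DEPARTMENT.get(a["role"], dept) != dept:
                out.append(a["user"])
    return out


def overpermissive_rules(rules=SECURITY_GROUP):
    """Admin ports reachable from anywhere, or rules spanning more than 1024 ports."""
    findings = []
    for proto, lo, hi, src in rules:
        world = ipaddress.ip_network(src).prefixlen == 0   # 0.0.0.0/0 or ::/0
        if world and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append((proto, lo, hi, src, "admin port open to the Internet"))
        elif hi - lo + 1 > 1024:
            findings.append((proto, lo, hi, src, "port range too wide"))
    return findings


def unowned_accounts(accounts=CLOUD_ACCOUNTS):
    """No named owner usually means a shared account: no accountability in the logs."""
    return [a["user"] for a in accounts if a["owner"] is None]


def privileged_without_mfa(accounts=CLOUD_ACCOUNTS):
    return [a["user"] for a in accounts if a["role"] == "admin" and not a["mfa"]]


def password_policy_gaps(provider=PROVIDER_SETTINGS, org=ORG_PASSWORD_POLICY):
    """Settings where the tenant configuration is weaker than the organization's policy."""
    gaps = {}
    for setting, required in org.items():
        actual = provider.get(setting, 0)
        if setting == "max_age_days":
            weaker = actual == 0 or actual > required   # 0 means passwords never expire
        else:
            weaker = actual < required
        if weaker:
            gaps[setting] = (actual, required)
    return gaps


def run_audit():
    return {
        "terminated_but_active": terminated_but_active(),
        "transferred_with_stale_role": transferred_with_stale_role(),
        "overpermissive_rules": overpermissive_rules(),
        "unowned_accounts": unowned_accounts(),
        "privileged_without_mfa": privileged_without_mfa(),
        "password_policy_gaps": password_policy_gaps(),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```

The joins are deliberately against HR data rather than the directory: the slide's observation is that network deprovisioning happened and the SaaS account survived, so the directory is exactly the source that would miss it. Run against a real export, the same functions become a continuous control rather than an annual sample.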

  • Good Practices in Cloud Computing

    Sensitive data is encrypted before being sent to the cloud.

    Make sure that multiple people receive notifications from the cloud service provider and that the list of individuals/email ids is periodically reviewed and updated. This is simple to implement and very beneficial.

    Several cloud service providers offer the option of IP range restriction. That can be a great tool for using cloud-based services while keeping the security comfort of in-house IT.

    Use of a secure connection when connecting to the cloud, any time sensitive data is exchanged.

    Access to cloud computing resources is integrated with the user organization's identity and access management process instead of being handled one-off.

    Use of multi-factor authentication (MFA) such as hardware/software tokens or mobile authentication (particularly if the mobile phone is a company resource) for administration of cloud resources. This also protects the user organization if its employees are subject to a phishing attack.

    Review a proper independent review report or certification: sometimes a SOC report is not sufficient.

  • Cont'd

    Top Risk Areas

    Privileged user access: Who at the cloud provider will have access to your data? What controls does the provider have over these people's access? How does the provider hire and fire?

    Regulatory compliance: How will using the cloud affect your ability to comply with regulatory requirements (e.g. SOX, GLBA, HIPAA, PCI)? Has the provider undergone any kind of third-party audit or certification?

    Data location and ownership: Where will the data be stored? Will it be replicated out of the country? Can the customer restrict where the data is stored? Who owns the data once it is in the cloud?

    Data segregation: How does the provider ensure that its other customers cannot 'see my data'? What type of encryption is in place? How are the keys managed?

    Recovery: What happens to my data in the event of a disaster? Is it backed up or replicated somewhere? How can I access my backups? How long does it take to restore my data?

    Forensic support: If any kind of legal investigation is required because of illegal activity, can the provider support the customer?

    Long-term viability: What is the provider's financial posture? Will they be around in the next 5-15 years? If they fail, how does the customer get his data back?

    Third-party relationships: What third-party relationships does your cloud provider have in place?

    Due diligence: Have you performed extensive due diligence on your cloud provider?

  • Cont'd

    Cloud provider's key risk and performance indicators

    Understand the cloud provider's key risk and performance indicators and how they can be monitored and measured from a customer's perspective.

  • Auditing Mobile Computing

  • 10 Steps for Auditing Mobile Computing Security Test

    1. Ensure that mobile device management software is running the latest approved software and patches.

    2. Verify that mobile clients have protective features enabled if they are required by your mobile device security policy.

    3. Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device.

    4. Evaluate the use of security monitoring software and processes.

    5. Verify that unmanaged devices are not used on the network. Evaluate controls over unmanaged devices.

    6. Evaluate procedures in place for tracking end-user trouble tickets.

    7. Ensure that appropriate security policies are in place for your mobile devices.

    8. Evaluate disaster recovery processes in place to restore mobile device access should a disaster happen.

    9. Evaluate whether effective change management processes exist.

    10. Evaluate controls in place to manage the service life cycle of personally owned and company-owned devices and any associated accounts used for the gateway.

  • Auditing Mobile Device Mgt

    Once installed, an MDM solution can enforce numerous security policies. Auditors should verify these policies are in place:

    Anti-malware and firewall policy. Mandates installation of security software to protect the device's apps, content, and operating system.

    App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.

    App-vetting policy. Ensures that only trustworthy "white listed" apps can be installed; blocks "black listed" apps that could contain malicious code.

    Encryption policy. Ensures that the contents of the device's business container are encrypted and secured.

  • Auditing Mobile Device Mgt contd.

    PIN policy. Sets up PIN complexity rules and expiration periods, and prevents reuse of old PINs.

    Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.

    Jailbreak policy. Prohibits unauthorized alteration of a device's system settings as configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.

    Remote wipe policy. Erases the device's business container contents should the device be lost or stolen.

    Revoke access policy. Disconnects the employee's device from the organization's network when the MDM's remote monitoring feature determines that it is no longer in compliance.
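An added example, not part of the original slides, of how the nine policies on the two slides above combine into a single compliance decision per device: each device status report is checked against the policy thresholds, a reported-lost device gets the remote-wipe action, and any other violation triggers the revoke-access action. The policy values, the 2014-era minimum OS versions and the report field names are assumptions, and the device reports are constructed; a real MDM console exports the same information under its own field names.

```python
from datetime import date

AUDIT_DATE = date(2014, 5, 27)  # the slide date, used as "today" for PIN age

# Policy values and device reports are constructed for this example; the
# minimum OS versions are an assumption for a 2014-era fleet.
POLICY = {
    "min_os": {"ios": (7, 1), "android": (4, 4)},
    "allowed_apps": {"com.bank.mobile", "com.bank.mail"},   # the white list
    "blocked_apps": {"com.example.freevpn"},                # the black list
    "min_pin_length": 6,
    "pin_max_age_days": 90,
    "pin_history": 5,          # old PINs the device must remember and refuse
    "max_lock_minutes": 5,
}

DEVICES = [
    {"id": "D1", "os": "ios", "os_version": (7, 1), "jailbroken": False,
     "container_encrypted": True, "auto_update": True, "security_sw": True,
     "pin_min_length": 6, "pin_set_on": date(2014, 4, 1), "pin_history": 5,
     "lock_minutes": 2, "apps": {"com.bank.mobile"}, "reported_lost": False},
    {"id": "D2", "os": "android", "os_version": (4, 1), "jailbroken": True,
     "container_encrypted": False, "auto_update": False, "security_sw": False,
     "pin_min_length": 4, "pin_set_on": date(2013, 11, 1), "pin_history": 0,
     "lock_minutes": 30, "apps": {"com.bank.mobile", "com.example.freevpn"},
     "reported_lost": False},
    {"id": "D3", "os": "ios", "os_version": (7, 1), "jailbroken": False,
     "container_encrypted": True, "auto_update": True, "security_sw": True,
     "pin_min_length": 6, "pin_set_on": date(2014, 5, 1), "pin_history": 5,
     "lock_minutes": 5, "apps": {"com.bank.mail"}, "reported_lost": True},
]


def violations(dev, policy=POLICY, today=AUDIT_DATE):
    """Return the names of the slide's policies that this device report breaches."""
    v = []
    if not dev["security_sw"]:
        v.append("anti-malware/firewall")
    if not dev["auto_update"] or dev["os_version"] < policy["min_os"][dev["os"]]:
        v.append("app/OS update")
    if dev["apps"] & policy["blocked_apps"] or dev["apps"] - policy["allowed_apps"]:
        v.append("app vetting")
    if not dev["container_encrypted"]:
        v.append("encryption")
    pin_age = (today - dev["pin_set_on"]).days
    if (dev["pin_min_length"] < policy["min_pin_length"]
            or pin_age > policy["pin_max_age_days"]
            or dev["pin_history"] < policy["pin_history"]):
        v.append("PIN")
    if dev["lock_minutes"] > policy["max_lock_minutes"]:
        v.append("inactive-device lockout")
    if dev["jailbroken"]:
        v.append("jailbreak")
    return v


def decide(dev, policy=POLICY, today=AUDIT_DATE):
    """Remote wipe takes precedence; any other violation revokes network access."""
    if dev["reported_lost"]:
        return "remote wipe", ["lost/stolen"]
    v = violations(dev, policy, today)
    return ("revoke access", v) if v else ("compliant", [])


def fleet_report(devices=DEVICES):
    return {d["id"]: decide(d) for d in devices}


if __name__ == "__main__":
    for dev_id, (action, why) in fleet_report().items():
        print(f"{dev_id}: {action} {why}")
```

The value for an auditor is less the code than the comparison it forces: the MDM console's configured thresholds on one side, the organization's written mobile policy on the other, and a device-by-device list of where enforcement is not actually happening.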

  • AUDITING Social Media

  • ROLE OF INTERNAL AUDITING: Social Media

    IT auditors should be mindful of the risks associated with social media, and take steps to validate that the institution has established an effective social media risk management program commensurate with the degree of the institution's use of social media. In auditing social media, internal auditors should consider the following steps:

  • Program Governance and Oversight

    Evaluate how the institution assigns accountability for social media activities.

    Review social media-related policies and procedures for consistency with stated social media objectives.

    Assess the institution's process to stay informed of actual and proposed social media activities.

    Evaluate procedures to review and approve social media content before publication.

    Determine how social media risks are periodically assessed and documented.

  • Alignment of Activities with Enterprise Strategy

    Determine if the institution has formally documented an enterprise-wide social media strategy.

    Review the documented social media strategy for specific objectives and defined metrics against which progress is measured, including risk appetite.

    Evaluate the process by which business line social media practices are reviewed for consistency with the institution's enterprise-wide social media strategies.

  • Compliance with Laws and Regulations

    Discuss with legal and compliance personnel how legal and regulatory requirements are assessed for applicability to social media activities.

    Assess the completeness of the institution's inventory of laws and regulations applicable to social media activities.

    Evaluate how legal and compliance are involved in the use of new social media technologies that may impact compliance with legal and regulatory requirements

  • Operational Risk Management

    Determine if technological tools have been used to monitor and restrict social media usage, and consider opportunities to automate new and existing preventative and detective controls.

    Evaluate how the institution provides and rescinds access to social media platforms, including standards for reviewing and approving access as appropriate.

    Discuss with management the types of training provided to employees with access to the institution's social media platforms.

    Determine if third-party social media tools and software solutions are evaluated for operational and compliance impacts in accordance with the institution's documented vendor management program, if applicable

  • Reputational Risk Management

    Evaluate whether management distinguishes consumer complaints received through social media platforms from social media incidents.

    Determine if management has identified complaint and incident scenarios that require escalation to legal, compliance, senior management, or other parties.

    Assess how social media exchanges are monitored for integrity and fairness to consumers.

  • Last word for the modern-day IT Auditor

    The current trends in IT, now and in the future, demand that IT auditors be IT savvy, current and evolving, so we have to:

    Learn: move with technology

    Train: build capacity

    Share: leverage each other's knowledge
