Cybersecurity It Audit Services Gt April2012


Description: IT Audit and Cybersecurity Services with Grant Thornton, LLP.

Transcript of Cybersecurity It Audit Services Gt April2012

Page 1: Cybersecurity It Audit Services Gt April2012

© Grant Thornton LLP. All rights reserved. - 1 -

Cyber Security Consulting, IT Audit & Assessment Services

Protecting Information in the Enterprise

Grant Thornton, LLP A QSA Company

Danny Miller, CISA, CGEIT, CRISC, ITIL

April 2012

Page 2: Cybersecurity It Audit Services Gt April2012


Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries, including 50 offices in the United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe.

Grant Thornton overview, at a glance:

Statistics          Grant Thornton International Ltd   Grant Thornton LLP
Revenues            $4 billion                         $1.2 billion
Personnel           29,890                             5,505
Partners            2,539                              540
Offices             498                                52
Statistics as of    Sept. 30, 2008                     July 31, 2009

Page 3: Cybersecurity It Audit Services Gt April2012


Grant Thornton's Cyber Security Solution Practice

Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored.

We address our clients' complex security requirements through a variety of consulting support, including strategy, information protection, data leakage, assessing security vulnerabilities, advising on establishing or improving the operations of a security organization, remediating compliance failures or gaps (including gaps related to PCI and HIPAA/HITECH compliance), and developing approaches and programs to effectively assess and manage risk by implementing appropriate security countermeasures through the entire life cycle of information in the enterprise.

Deck sections: Cyber Security & IT Audit | Vulnerability & Penetration Services | Other assessment services | Contact | Privacy | PCI | Strategy & Design Services

Page 4: Cybersecurity It Audit Services Gt April2012


Our IT Audit Services

Our approach to technology risk is compatible with all major frameworks, including COSO and the latest Risk IT framework from ISACA, and fills the gaps that other frameworks do not cover. We also cover application risk with a lens from the Global Technology Audit Guides (GTAG) from the IIA.

The team that will be managing and executing this engagement has more than 90 years of combined technology experience in industry, in Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, MCSE, ITIL and CGEIT.

Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals industry. Relevant clients include:

Sunoco

Quaker Chemical

Philadelphia Gas Works

Donegal Insurance

Lyondell Chemical

Amerigas

Airgas

Valspar Corporation


Page 5: Cybersecurity It Audit Services Gt April2012


©2010 ISACA. All rights reserved.


Page 6: Cybersecurity It Audit Services Gt April2012


Guiding Principles of IT Risk Management

- Ensure a connection to enterprise objectives and enterprise risk
- Align the management of IT-related business risk with overall enterprise risk management
- Balance the costs and benefits of managing risk
- Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
- Risk is a continuously changing landscape, and risk management acknowledges that it is a continuous process


Page 7: Cybersecurity It Audit Services Gt April2012


Grant Thornton Cyber Security services

- Information protection at all levels

- Data Leakage detection and prevention

- Security Strategy and Design

- Threat Analysis

- Vulnerability Assessments

- Penetration Testing

- Anti-phishing consulting

- Risk-event consulting

- Data Privacy & Protection

- PCI Data Security Standards QSA Consulting

- HIPAA


Page 8: Cybersecurity It Audit Services Gt April2012


Grant Thornton's Cyber Security Services

• Experienced and dedicated cyber security personnel

– Deep technical background – real expertise in cybersecurity

– Experience across industries

– Practical and cost effective strategies to mitigate risk

• Address the security risk within the context of business risk

– Understand the relationship of IT risk management within overall enterprise risk management

– Communicate technical risks using layman terms and business impact

• Proven cyber security methodologies, tools, and techniques


Page 9: Cybersecurity It Audit Services Gt April2012


Cybersecurity Life Cycle and Service Components

Columns: Life Cycle Component | Solution Set | Activities/Scope | ITIL* Framework Component

Policy | Strategy and Assessment | Develop and test policy, best practices | Plan/Maintain

Assess | Strategy and Design, Threats | Risk, data privacy and classification, breaches, programs, monitoring, PCI, HIPAA, vulnerability and penetration testing, cloud, agreements with third parties, Service Level Agreements (SLA), Operational Level Agreements (OLA) | Evaluate

Implement | Plan, Design and Implement | Threat profiling, PCI, HIPAA, IDS/IPS, VPN, firewalls, SIM/SEM, application (including cloud-based), SDLC, data classification, data privacy (state, federal, international) | Implement

Manage | Risk, Policy, Standards, Procedures, Programs | Threats, incidents, Master Data Management (MDM), IT audits, self assessment, penetration and vulnerability, communication, response | Control/Maintain

Respond | Investigate, Respond, Remediate | Threat reduction, countermeasures, data leakage and breaches, PCI breaches, HIPAA information exposure | Control/Maintain

* The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing information technology. Services are assets from which the customer gains value; hence cybersecurity is one of those services.


Page 10: Cybersecurity It Audit Services Gt April2012


Cyber Security Strategy & Design

Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the goal of the ITIL Information Security Management (ISM) strategy is the alignment of IT security with business security, to ensure that information security is effectively managed in all service and Service Management activities.

This strategy includes managing risk and security over information assets while balancing the needs of the business for:

• Availability of information and assets
• Confidentiality of information
• Integrity of information


Page 11: Cybersecurity It Audit Services Gt April2012


The problem with "Big Data"


Attribution: Cloud Security Alliance (CSA)

Page 12: Cybersecurity It Audit Services Gt April2012


Vulnerability assessment vs. Penetration test

• The terms "vulnerability assessment" and "penetration test" are sometimes used interchangeably, so it's important to define and distinguish them.

• Vulnerability assessment
– a service that provides a comprehensive, prioritized identification of vulnerabilities, but does not attempt to exploit them.

• Penetration test
– a goal-oriented service that attempts to gain unauthorized access to a specified target by exploiting one or more vulnerabilities.


Page 13: Cybersecurity It Audit Services Gt April2012


Other assessment services

Wireless Assessment − a service that assesses the security mechanisms (e.g., authentication, encryption) of a wireless network, and attempts to identify rogue access points.

Web Application Security Assessment − a service that assesses the security of a web application, including session management, authentication, authorization, and input validation.

Voice Over IP (VoIP) Security Assessment − a service that assesses the security of a deployed VoIP infrastructure, including the infrastructure support, the VoIP components, and the VoIP protocols.

Data Leakage Prevention Assessment − a service that measures an organization's risk of information leakage.


Page 14: Cybersecurity It Audit Services Gt April2012


Privacy

Information Trends

• Every day, companies collect, use, profile, disclose, and analyze customer information
• Employees who have access to sensitive information inside an organization also represent a key risk – we see this as the fastest rising threat
• Unfortunately, some of this information is:
  – Misused
  – Stolen
  – Sold, traded or given to organizations (e.g., WikiLeaks)
• This has led to a trust gap among customers, employees and corporate leadership


Page 15: Cybersecurity It Audit Services Gt April2012


Privacy

Personally Identifiable Information (PII)

Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include:

- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, credit card number, or debit card number
- Name, address, email address
- Credit records
- Buying history
- Employee records

Much of this information is sensitive and a greater cause for concern.


Page 16: Cybersecurity It Audit Services Gt April2012


Privacy

Information stakeholder concerns

• Customers
  – Concerned with how and why their information is collected, used, disclosed, and retained
  – Want businesses to earn trust
• Businesses
  – Trying to strike a balance between collection and use of information
  – Concerned with reducing the privacy risk of poor privacy practices
  – Want to leverage good privacy practices and retain the trust of customers
• Government
  – Taking increased action on growing concerns about privacy to:
    – Protect rights of citizens
    – Better manage its own data stores


Page 17: Cybersecurity It Audit Services Gt April2012


HIPAA

GT Healthcare IT Security Offerings:

• IT Security Risk Assessment

• IT Security Program Implementation Assistance

• IT Security/HIPAA Review and Recommendations

• HIPAA Compliance Attestation Report


Page 18: Cybersecurity It Audit Services Gt April2012


HIPAA

IT Security Risk Assessment


Page 19: Cybersecurity It Audit Services Gt April2012


HIPAA

IT Security Program Implementation Assistance

• Based on HIPAA/ISO/CobiT/NIST

• IT Security Risk Assessment

• Policies

• Procedures

• Business Impact Analysis

• Incident Management Program

• Security Awareness Program

• IT Contingency Plans/Updated DRP

• Vulnerability Assessment/Pen Tests

• Controls Testing


Page 20: Cybersecurity It Audit Services Gt April2012


HIPAA

IT Security/HIPAA Review and Recommendations

• Evaluate and test:
  – Administrative safeguards
  – Physical safeguards
  – Technical safeguards
  – Organizational safeguards
  – Policies, procedures and documentation requirements


Page 21: Cybersecurity It Audit Services Gt April2012


HIPAA

HIPAA Compliance Attestation Report and Readiness Review

Similar to a SAS 70 report, except that the opinion is on HIPAA compliance.

• Evaluate and reaffirm with management the appropriateness of the design of processes and controls
• Evaluate and reaffirm management's interpretation of compliance, to ensure that the defined criteria are measurable, objective and will be understood by any reader of the report
• Test the operating effectiveness of identified controls for the testing period
• Determine whether controls were operating effectively throughout the testing period
• Confirm the validity of identified findings with the process owner and inform management of validated findings
• Evaluate the significance of any instances of non-compliance with the specified criteria

Management checkpoints: criteria definition, observation and testing, reporting.


Page 22: Cybersecurity It Audit Services Gt April2012


Privacy Assessment Approach

1. Information collection: identify entry points; develop process flows; map flows onto the IT infrastructure; leverage DLP to validate. Outcome: an understanding of the environment.

2. Identify scope reduction opportunities: reduce or modify data collection; reduce data storage; modify business processes. Outcome: reduced scope and risk.

3. Gap analysis: conduct a gap analysis against the enhanced privacy framework. Outcome: a gap analysis document with gap prioritization.

4. Remediation planning and roadmap: recommend remediation projects; develop a prioritized approach. Outcome: a remediation plan.
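"Leverage DLP to validate" in step 1 means checking whether the mapped flows actually deposit sensitive data where the process owners say they do. The following is an added example, not code from the deck or from Grant Thornton, that scans constructed sample sources (an application log, an HR export and a CRM note file) for two of the PII elements listed on page 15, Social Security numbers and payment card numbers. Card candidates are confirmed with the Luhn check so that order references and timestamps do not show up as false positives, and hits are reported in masked form so the report itself does not become a leak. File names, patterns and sample lines are all assumptions.

```python
import re

# Candidate patterns. The card pattern deliberately over-matches any run of
# 13-19 digits (optionally separated by spaces or dashes); the Luhn check
# below filters out reference numbers that happen to be the right length.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in 3-2-4 form, excluding the area/group/serial values never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit-only card numbers in text that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list[str]:
    """Return SSN-formatted strings found in text."""
    return SSN_RE.findall(text)


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_sources(sources: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Scan each named source and return {source: {'pan': [...], 'ssn': [...]}}
    for every source that contains at least one hit. Values are masked."""
    report = {}
    for name, text in sources.items():
        pans = [mask_pan(p) for p in find_pans(text)]
        ssns = ["***-**-" + s[-4:] for s in find_ssns(text)]
        if pans or ssns:
            report[name] = {"pan": pans, "ssn": ssns}
    return report


# Constructed sample data (no real people). 4111111111111111 and
# 5555555555554444 are the published Visa/MasterCard test numbers; the
# txn_ref on the second log line is a 16-digit value that fails Luhn.
SAMPLE_SOURCES = {
    "app/checkout.log": (
        "2012-04-02 10:15:01 INFO order=8814 card=4111 1111 1111 1111 amt=129.00\n"
        "2012-04-02 10:15:02 INFO order=8815 txn_ref=1234567890123456 amt=15.00\n"
    ),
    "hr/export.csv": "id,name,ssn\n17,Jane Doe,123-45-6789\n18,John Roe,000-12-3456\n",
    "crm/notes.txt": "Customer called re: 5555-5555-5555-4444 decline; ticket 4455.\n",
}

if __name__ == "__main__":
    for source, hits in scan_sources(SAMPLE_SOURCES).items():
        print(source, hits)
```

Run against the constructed sources, the scanner flags the card number in the checkout log and in the CRM note and the SSN in the HR export, while the 16-digit transaction reference and the never-issued "000-" SSN are ignored. In a real assessment the source map would be the entry points and flows from steps 1 and 2, and each hit is a place where the process flow said no cardholder data or PII should be.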


Page 23: Cybersecurity It Audit Services Gt April2012


Payment Card Industry Data Security Standard (PCI DSS)

Major payment card security breaches since 2005:

• 2005, Card Systems: 40 million cards; processing ability revoked by Visa and MasterCard
• 2007, TJX: at least 45.7 million customers affected; over $250 million in costs
• 2008, Hannaford Foods: 4.2 million cards; validated compliant at time of breach; liability and results pending
• 2009, Heartland Payment Systems: potentially more than 100 million cards compromised and untold amounts of resulting damages

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for the protection of payment card information.

The PCI DSS is managed by the PCI Security Standards Council (PCI SSC) and sponsored by the major card brands.

The PCI DSS is applicable to any organization that stores, processes or transmits cardholder data (CHD).


Page 24: Cybersecurity It Audit Services Gt April2012


Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS high level requirements

The PCI DSS prescribes requirements that any business of any size must adhere to in order to accept payment cards.


Page 25: Cybersecurity It Audit Services Gt April2012


What information must be protected?

Data element                        Storage permitted   Protection required   Encryption required
Cardholder data
  Primary Account Number (PAN)      Yes                 Yes                   Yes
  Cardholder name                   Yes                 Yes                   No
  Service code                      Yes                 Yes                   No
  Expiration date                   Yes                 Yes                   No
Sensitive authentication data
  Full magnetic stripe data         No                  N/A                   N/A
  CAV2/CVC2/CVV2/CID                No                  N/A                   N/A
  PIN/PIN block                     No                  N/A                   N/A

Sensitive authentication data must not be stored after authorization, even if encrypted.
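The table above is a rule a payment application has to enforce before anything is written to a database or a log. As an added example (not code from the deck or from Grant Thornton), the Python below applies it to a constructed authorization record: every sensitive-authentication-data field (track data, CAV2/CVC2/CVV2/CID, PIN block) is dropped and reported, the PAN is replaced by a keyed HMAC-SHA256 token for lookup plus a masked form for display, and the storable cardholder data (name, service code, expiry) passes through unchanged because the table requires protection but not encryption for it. The field names, the key and the sample record are assumptions; the keyed hash stands in for whatever encryption or tokenization layer a real deployment uses, and in production the key would live in a key-management system, not in source.

```python
import hashlib
import hmac

# Sensitive authentication data: PCI DSS forbids storing any of these after
# authorization, even encrypted. Field names are assumptions for the example.
SENSITIVE_AUTH_DATA = {
    "track1", "track2", "magstripe", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block",
}

# Assumption: constructed key for the example only. A real deployment keeps
# this in an HSM or key-management service and rotates it.
TOKEN_KEY = b"example-key-do-not-use-in-production"


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way transform of the PAN, used as the stored reference.
    Without the key the value cannot be reversed or brute-forced across the
    PAN space; an unkeyed hash would be, since PANs have little entropy."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> tuple[dict, list[str]]:
    """Return (storable_record, dropped_fields) for an authorization record.

    Sensitive authentication data is never stored. The PAN is stored only as
    a token plus its masked form. Other cardholder data (name, service code,
    expiry) and non-card fields are kept as-is; protecting them at rest is the
    surrounding system's job (access control, encrypted volumes).
    Raises ValueError on a malformed PAN so a bad record is never stored
    half-sanitized."""
    stored = {}
    dropped = []
    for field, value in record.items():
        if field in SENSITIVE_AUTH_DATA:
            dropped.append(field)              # never persisted, even encrypted
        elif field == "pan":
            digits = str(value).replace(" ", "").replace("-", "")
            if not (13 <= len(digits) <= 19 and digits.isdigit()):
                raise ValueError("malformed PAN")
            stored["pan_token"] = tokenize_pan(digits)
            stored["pan_masked"] = mask_pan(digits)
        else:
            stored[field] = value
    return stored, dropped


# Constructed authorization record (4111... is the published Visa test PAN;
# the track2 value is a made-up string in track-2 layout).
SAMPLE_AUTH = {
    "order_id": 8814,
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "JANE DOE",
    "expiry": "1214",
    "service_code": "201",
    "cvv2": "123",
    "track2": "4111111111111111=12142011234567890",
    "amount": "129.00",
}

if __name__ == "__main__":
    safe, dropped = sanitize_for_storage(SAMPLE_AUTH)
    print("dropped:", dropped)
    print("stored:", safe)
```

The same function belongs in front of the logging layer as well as the database writer: the breaches listed on page 23 are a reminder that track data and CVV2 values tend to leak through debug logs and crash dumps, not only through the transaction store.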


Page 26: Cybersecurity It Audit Services Gt April2012


Payment Card Industry Data Security Standard (PCI DSS)

Some common PCI DSS myths:

• PCI doesn’t apply to us because:

– We don’t take enough credit cards, or

– It only applies to retailers and ecommerce

• PCI makes us store cardholder data

• We are compliant because we:

– Encrypt our cardholder data, or

– Use vendor/product ABC, or

– Outsource our credit card processing

• PCI compliance is an IT project

• PCI will make us secure

• We completed our SAQ so we’re compliant


Page 27: Cybersecurity It Audit Services Gt April2012


Payment Card Industry Data Security Standard (PCI DSS)

Grant Thornton PCI DSS Capabilities

Current capabilities:

• An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSAs in our practice across two countries

• Client base that we can reference from in the QSA space

• Extensive PCI DSS consulting experience

• Performing PCI DSS penetration testing and risk assessments

• Performing PCI DSS readiness assessments for all merchant levels


Page 28: Cybersecurity It Audit Services Gt April2012


Contact information

Danny Miller, Principal & Practice Leader, Grant Thornton LLP
Tel: 215.376.6010 | email: [email protected], or e-mail [email protected]
