Cybersecurity It Audit Services Gt April2012
© Grant Thornton LLP. All rights reserved. - 1 -
Cyber Security Consulting, IT Audit & Assessment Services: Protecting Information in the Enterprise
Grant Thornton LLP, a QSA company
Danny Miller, CISA, CGEIT, CRISC, ITIL
April 2012
Grant Thornton overview: at a glance
Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries, including 50 offices in the United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe.

Statistics         | Grant Thornton International Ltd | Grant Thornton LLP
Revenues           | $4 billion                       | $1.2 billion
Personnel          | 29,890                           | 5,505
Partners           | 2,539                            | 540
Offices            | 498                              | 52
Statistics as of   | Sept. 30, 2008                   | July 31, 2009
Grant Thornton's Cyber Security Solution Practice
Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored.
We address our clients' complex security requirements through a variety of consulting support: strategy, information protection, data leakage, assessing security vulnerabilities, advising on establishing or improving the operations of a security organization, remediating compliance failures or gaps (including gaps related to PCI and HIPAA/HITECH compliance), and developing approaches and programs to assess and manage risk by implementing appropriate security countermeasures through the entire life cycle of information in the enterprise.
Section tabs: Cyber Security & IT Audit | Vulnerability & Penetration Services | Other assessment services | Strategy & Design Services | Privacy | PCI | Contact
Our IT Audit Services
Our approach to technology risk is compatible with all major frameworks, including COSO and the latest Risk IT framework from ISACA, and fills the gaps that other frameworks leave. We also cover application risk through the lens of the Global Technology Audit Guides (GTAG) from the IIA.
The team that will manage and execute this engagement has more than 90 years of combined technology experience in industry, Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, MCSE, ITIL and CGEIT.
Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals Industry.
Relevant clients include:
Sunoco
Quaker Chemical
Philadelphia Gas Works
Donegal Insurance
Lyondell Chemical
Amerigas
Airgas
Valspar Corporation
Figure (not reproduced): ©2010 ISACA. All rights reserved.
Guiding Principles of IT Risk Management
Ensure a connection to enterprise objectives and enterprise risk
Align the management of IT-related business risk with overall enterprise risk
management
Balance the costs and benefits of managing risk
Establish the right tone from the top while defining and enforcing personal
accountability for operating within acceptable and well-defined tolerance levels
Risk is a continuously changing landscape and risk management acknowledges that it
is a continuous process
Grant Thornton Cyber Security services
- Information protection at all levels
- Data Leakage detection and prevention
- Security Strategy and Design
- Threat Analysis
- Vulnerability Assessments
- Penetration Testing
- Anti-phishing consulting
- Risk-event consulting
- Data Privacy & Protection
- PCI Data Security Standards QSA Consulting
- HIPAA
Grant Thornton's Cyber Security Services
• Experienced and dedicated cyber security personnel
– Deep technical background – real expertise in cybersecurity
– Experience across industries
– Practical and cost effective strategies to mitigate risk
• Address the security risk within the context of business risk
– Understand the relationship of IT risk management within overall enterprise risk management
– Communicate technical risks using layman terms and business impact
• Proven cyber security methodologies, tools, and techniques
Cybersecurity Life Cycle and Service Components

Life Cycle Component | Solution Set | Activities/Scope | ITIL* Framework Component
Policy | Strategy and Assessment | Develop and test policy, best practices | Plan/Maintain
Assess | Strategy and Design, Threats | Risk, data privacy and classification, breaches, programs, monitoring, PCI, HIPAA, vulnerability and penetration testing, cloud, agreements with third parties, Service Level Agreements (SLA), Operational Level Agreements (OLA) | Evaluate
Implement | Plan, Design and Implement | Threat profiling, PCI, HIPAA, IDS/IPS, VPN, firewalls, SIM/SEM, application (including cloud-based), SDLC, data classification, data privacy (state, federal, international) | Implement
Manage | Risk, Policy, Standards, Procedures, Programs | Threats, incidents, Master Data Management (MDM), IT audits, self assessment, penetration and vulnerability, communication, response | Control/Maintain
Respond | Investigate, Respond, Remediate | Threat reduction, countermeasures, data leakage and breaches, PCI breaches, HIPAA information exposure | Control/Maintain

* The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing information technology. Services are assets from which the customer gains value; cybersecurity is one of those services.
Cyber Security Strategy & Design
Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the goal of ITIL Information Security Management (ISM) is the alignment of IT security with business security, to ensure that information security is effectively managed in all service and Service Management activities.
This strategy includes managing risk and security over
information assets while balancing the needs of the
business for:
• Availability of information and assets
• Confidentiality of information
• Integrity of information
The problem with "Big Data"
Figure (not reproduced). Attribution: Cloud Security Alliance (CSA)
Vulnerability assessment vs. Penetration test
• The terms "vulnerability assessment" and "penetration test" are
sometimes used interchangeably, so it's important to define and
distinguish them.
• Vulnerability assessment
– a service that provides a comprehensive prioritized identification of
vulnerabilities, but does not attempt to exploit them.
• Penetration test
– a goal oriented service that attempts to gain unauthorized access to a
specified target by exploiting one or more vulnerabilities.
Other assessment services
Wireless Assessment − a service that assesses the security mechanisms (e.g.,
authentication, encryption) of a wireless network, and attempts to identify rogue access points.
Web Application Security Assessment − a service that assesses the security of a web application,
including session management, authentication, authorization, and input validation.
Voice Over IP (VoIP) Security Assessment − a service that assesses the security of a deployed VoIP
infrastructure, including the infrastructure support, the VoIP components, and the VoIP protocols.
Data Leakage Prevention Assessment − a service that measures an organization's risk of information
leakage.
Privacy
Information Trends
• Every day, companies collect, use, profile, disclose, and analyze customer information
• Employees who have access to sensitive information inside an organization also represent a key risk; we see this as the fastest rising threat
• Unfortunately, some of this information is:
  – Misused
  – Stolen
  – Sold, traded or given to organizations (e.g., WikiLeaks)
• This has led to a trust gap among customers, employees and corporate leadership
Privacy
Personally Identifiable Information (PII)
Personal information is any information that is, or reasonably could be,
attributable to a specific individual. The information can be either factual or
subjective, and recorded in any form or even unrecorded. Some examples
include:
Social Security number
Driver's license number or state-issued identification card number
financial account number, credit card number, or debit card number
Name, address, email address
Credit records
Buying history
Employee records
Much of this information is sensitive and a greater cause for concern.
Privacy
Information stakeholder concerns
• Customers – Concerned with how and why their information is collected, used,
disclosed, and retained
– Want businesses to earn trust
• Businesses – Trying to strike a balance between collection and use of information
– Concerned with reducing privacy risk of poor privacy practices
– Want to leverage good privacy practices and retain trust of customers
• Government – Taking increased action on growing concerns about privacy to:
– Protect rights of citizens
– Better manage its own data stores
HIPAA
GT Healthcare IT Security Offerings:
• IT Security Risk Assessment
• IT Security Program Implementation Assistance
• IT Security/HIPAA Review and Recommendations
• HIPAA Compliance Attestation Report
HIPAA
IT Security Risk Assessment
HIPAA
IT Security Program Implementation Assistance
• Based on HIPAA/ISO/CobiT/NIST
• IT Security Risk Assessment
• Policies
• Procedures
• Business Impact Analysis
• Incident Management Program
• Security Awareness Program
• IT Contingency Plans/Updated DRP
• Vulnerability Assessment/Pen Tests
• Controls Testing
HIPAA
IT Security/HIPAA Review and Recommendations
• Evaluate and test:
– Administrative safeguards,
– Physical safeguards
– Technical safeguards
– Organizational safeguards
– Policies, Procedures and
Documentation Requirements
HIPAA
HIPAA Compliance Attestation Report and Readiness Review
Similar to a SAS 70 examination, except that the opinion is on HIPAA compliance. Phases: criteria definition, observation and testing, and reporting, with management checkpoints between them.
• Evaluate and reaffirm with management the appropriateness of the design of processes and controls
• Evaluate and reaffirm management's interpretation of compliance to ensure that the defined criteria are measurable, objective and will be understood by any reader of the report
• Test the operating effectiveness of identified controls for the testing period
• Determine whether controls were operating effectively throughout the testing period
• Confirm the validity of identified findings with the process owner and inform management of validated findings
• Evaluate the significance of any instances of non-compliance with the specified criteria
Privacy Assessment Approach
1. Information Collection: identify entry points; develop process flows; map flows onto the IT infrastructure; leverage DLP to validate. Result: an understanding of the environment.
2. Identify Scope Reduction Opportunities: reduce or modify data collection; reduce data storage; modify business processes. Result: reduced scope and risk.
3. Gap Analysis: conduct a gap analysis against the enhanced privacy framework. Result: gap analysis document with gap prioritization.
4. Remediation Planning & Roadmap: recommend remediation projects; develop a prioritized approach. Result: remediation plan.
Payment Card Industry Data Security Standard (PCI DSS)
Major payment card security breaches since 2005:
• 2005: CardSystems: 40 million cards; processing ability revoked by Visa and MasterCard
• 2007: TJX: at least 45.7 million customers affected, over $250 million in costs
• 2008: Hannaford Foods: 4.2 million cards; validated compliant at the time of the breach; liability and results pending
• 2009: Heartland Payment Systems: potentially more than 100 million cards compromised and untold amounts of resulting damages

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for the protection of payment card information. The PCI DSS is managed by the PCI Security Standards Council (PCI SSC) and sponsored by the major card brands. It applies to any organization that stores, processes or transmits cardholder data (CHD).
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS high level requirements (figure not reproduced)
The PCI DSS prescribes requirements that any business of any size must adhere to in order to accept payment cards.
What information must be protected?

Data Element | Storage Permitted | Protection Required | Encryption Required
Cardholder Data
Primary Account Number (PAN) | Yes | Yes | Yes
Cardholder Name | Yes | Yes | No
Service Code | Yes | Yes | No
Expiration Date | Yes | Yes | No
Sensitive Authentication Data
Full Magnetic Stripe Data | No | N/A | N/A
CAV2/CVC2/CVV2/CID | No | N/A | N/A
PIN/PIN Block | No | N/A | N/A

Two caveats from the standard itself: cardholder name, service code and expiration date need protection when they are stored together with the PAN; and "encryption required" for the PAN means it must be rendered unreadable wherever it is stored (strong encryption, truncation, tokenization or one-way hashing all qualify) and masked when displayed. Sensitive authentication data may not be retained after authorization even if it is encrypted.
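The table above is also the rule set a data leakage (DLP) scan applies when it validates where cardholder data actually sits. The Python below is an added example written for this page, not code from the deck or from Grant Thornton: it scans a few constructed records (the 16-digit numbers are the card brands' published test PANs, not real accounts, and the field names such as `cvv2=` and `track2=` are assumed conventions), validates candidate PANs with the Luhn check so random digit runs are not reported, classifies every hit against the data-element table, and produces the redacted form a remediation would leave behind.

```python
import re

# Constructed sample records for the example (not real card data).
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=1225 name=J. Doe",        # PAN with storable elements
    "order=1002 pan=5555555555554444 cvv2=123",                    # CVV2 retained after authorization
    "order=1003 track2=;4111111111111111=25121010000000000000?",   # full track 2 data retained
    "ticket=7 ref=1234567890123456",                               # 16 digits that fail Luhn: not a PAN
]

DO_NOT_STORE = "DO NOT STORE"
PROTECT = "STORE ONLY PROTECTED (render unreadable at rest, mask on display)"

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";\d{13,19}=\d{7,}\??")
# Card verification values under their common field labels (assumed naming)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """ISO/IEC 7812 Luhn check: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(record):
    """Return (data element, required disposition, matched value) for every hit in one record."""
    findings = []
    # Sensitive authentication data first, so a PAN embedded in track data is not double-counted
    sad_spans = []
    for m in TRACK2_RE.finditer(record):
        findings.append(("Full magnetic stripe (track 2)", DO_NOT_STORE, m.group()))
        sad_spans.append(m.span())
    for m in CVV_RE.finditer(record):
        findings.append(("CAV2/CVC2/CVV2/CID", DO_NOT_STORE, m.group()))
    for m in PAN_RE.finditer(record):
        if any(s <= m.start() < e for s, e in sad_spans):
            continue
        if luhn_ok(m.group()):
            findings.append(("PAN", PROTECT, m.group()))
    return findings


def redact(record):
    """Remediation view: drop sensitive authentication data entirely, mask any PAN."""
    record = TRACK2_RE.sub("[track-data removed]", record)
    record = CVV_RE.sub("[cvv removed]", record)
    return PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), record)


def scan(records):
    """Summarize findings by required disposition, as an assessment report would."""
    report = {}
    for i, rec in enumerate(records):
        for element, action, _ in classify(rec):
            report.setdefault(action, []).append((i, element))
    return report


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", classify(rec))
        print("   redacted:", redact(rec))
    print(scan(SAMPLE_RECORDS))
```

Sensitive authentication data is matched before the PAN pattern so that the account number inside a track-2 string is reported once, as track data that must be deleted, rather than as a PAN that could be kept encrypted; a scanner that only looks for 16-digit Luhn-valid runs would get that disposition wrong.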
Payment Card Industry Data Security Standard (PCI DSS)
Some common PCI DSS myths:
• PCI doesn’t apply to us because:
– We don’t take enough credit cards, or
– It only applies to retailers and ecommerce
• PCI makes us store cardholder data
• We are compliant because we:
– Encrypt our cardholder data, or
– Use vendor/product ABC, or
– Outsource our credit card processing
• PCI compliance is an IT project
• PCI will make us secure
• We completed our SAQ so we’re compliant
Payment Card Industry Data Security Standard (PCI DSS)
Grant Thornton PCI DSS Capabilities
Current capabilities:
• An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSAs in our practice across two countries
• A client base that we can reference from in the QSA space
• Extensive PCI DSS consulting experience
• Performing PCI DSS penetration testing and risk assessments
• Performing PCI DSS readiness assessments for all merchant levels
Contact information
Danny Miller, Principal & Practice Leader, Grant Thornton LLP
Tel: 215.376.6010 | email: [email protected], or e-mail [email protected]