INFORMATION TECHNOLOGY AND INFORMATION MANAGEMENT AUDIT
JOSE LUIS GARCIA, DIRECTOR, IT AUDIT, SCOTIABANK CHILE
May 14, 2013
Agenda
• Definition of Information
• Information Criteria
• IT Audit Layer Approach
• Physical Security Layer
• IT Service Continuity Layer
• Logical Security Layer
• SDLC Layer
• IT Management Layer
• Conclusions
Definition of Information
• Information is a valuable asset
  – Business details
    • Customer data, financial reports, business transactions
  – Knowledge
    • Policies, procedures, workflows
  – IT related data
    • Parameters, configuration settings, privileges
• As any other valuable asset, information must be protected
Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
Cobit Domains
• Control Objectives PO (Plan and Organise)
• Control Objectives AI (Acquire and Implement)
• Control Objectives DS (Deliver and Support)
• Control Objectives ME (Monitor and Evaluate)
Poll #1
Does your organization have its own datacentre?
a) Yes, we have a single datacentre
b) Yes, we have a primary site and a backup site
c) No, we outsource our datacentre services to a third party
d) No, we use cloud services
e) I don’t know
f) Not applicable
Physical Security Layer
• Owned datacentres
  – Organizations were responsible for controls
  – Physical security controls:
    • Electronic and keypad locks, codified badges, biometric devices, security guards, security cameras, alarm systems
  – Environmental controls:
    • Fire alarms, smoke and water detectors, UPS, etc.
• Outsourced datacentres
  – Providers were required to demonstrate the effectiveness of internal controls
    • SAS 70 Report, Section 5970 Report, CSAE 3416
  – Governance principles
    • Contract clauses, SLAs
Physical Security Layer
• Cloud computing
  – Data processing has become a commodity
  – Technology enablers
    • Virtualization
    • Service Oriented Architecture (SOA)
  – Service delivery can be run from anywhere
  – New datacentre standards
    • TIA-942
Poll #2
Does your organization have a disaster recovery plan in place?
a) Yes, the plan is formalized and tested periodically
b) Yes, the plan has been recently approved
c) No, but there are plans to prepare one
d) No, there are no immediate plans to prepare one
e) No, we rely on a third party provider
f) I don’t know
g) Not applicable
IT Service Continuity Layer
• Business operations depend on technology
• Technology is vulnerable to disasters
• BCP / DRP
• Recovery approach
  – Redundancy
    • Cold sites
    • Warm sites
    • Hot sites
    • Disk mirroring / High availability technologies
IT Service Continuity Layer
• Cloud computing
  – Service models
  – Deployment models
• Resilience approach
  – BCP for local events
  – Due diligence on provider’s BCP
  – Backup data
  – Cloud redundancy
IT Service Continuity

Analysis: Amazon's Christmas faux pas shows risks in the cloud
(Reuters) - A Christmas Eve glitch traced to Amazon.com Inc that shuttered Netflix for users from Canada to South America highlights the risks that companies take when they move their datacenter operations to the cloud.
http://www.reuters.com/article/2012/12/27/us-amazon-cloud-idUSBRE8BQ00220121227

Lessons from Amazon Cloud Lightning Strike Outage
By Tony Bradley, PCWorld, Aug 10, 2011 7:16 AM
A lightning strike in Dublin took out a power transformer. In and of itself, that isn't all that unusual or noteworthy, but this particular lightning strike also impacted the backup power systems at Amazon's cloud data center, knocking the service offline. Looking back, there are some lessons to be learned both for Amazon, and for businesses that rely on cloud services.
http://www.pcworld.com/article/237673/lessons_from_amazon_cloud_lightning_strike_outage.html

F.B.I. Seizes Web Servers, Knocking Sites Offline
By VERNE G. KOPYTOFF
The F.B.I. seized Web servers in a raid on a data center early Tuesday, causing several Web sites, including those run by the New York publisher Curbed Network, to go offline. In an e-mail to one of its clients on Tuesday afternoon, DigitalOne’s chief executive, Sergej Ostroumow, said: “This problem is caused by the F.B.I., not our company. In the night F.B.I. has taken 3 enclosures with equipment plugged into them, possibly including your server — we cannot check it.”
http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

Amazon's partial cloud failure takes out several popular websites
A partial failure of Amazon's cloud server network brought down the websites of several popular services, including Quora, Reddit and Foursquare for several hours beginning around 4:41am Eastern Time Thursday. The issues were isolated to the company's data centers in Northern Virginia.
http://betanews.com/2011/04/21/amazon-s-partial-cloud-failure-takes-out-several-popular-websites/
Logical Security Layer
• Logical Access Controls
  – Data classification
    • Restricted, private, public
  – Access matrices
  – System profiles
  – Audit logs
• User account and password management
  – Identification
  – Authentication
• Malicious code control
  – Hardening
  – Antivirus
Logical Security Layer
• Network security
  – Firewalls
  – IDS
  – Proxies
• Mobile devices
  – Encryption
  – Configuration
  – Remote wipe
• Social media
  – Policies
Logical Security Layer
• Cloud
  – Privileged accounts
  – Change control process
  – Hardening local systems and infrastructure
SDLC Layer
• Complex business environment
  – IS as a competitive advantage
  – New technologies
• In-house SDLC methodologies
  – Size, density
  – Linear models
    • SDLC, Waterfall
  – Iterative models
    • Prototyping, Spiral, RAD
SDLC Layer
• In-house SDLC methodologies (continued)
  – Parallel models
    • Alternative path
  – Rapid response models
    • UML, XP
• Third-party development
  – Integration
  – Security
  – Dependency
Poll #3
Does your organization measure the financial benefits of IT applications?
a) There is an ongoing monitoring of all IT applications
b) All new IT applications are evaluated after implementation
c) Only some applications are evaluated
d) No, financial benefits are not measured
e) I don’t know
f) Not applicable
IT Management Layer
• IT Governance
  – IT function, service providers, Information Security
• Business – IT Alignment
  – Steering Committee
• Value Management
  – Different types of investments
  – Key metric definition
  – Accountability
  – Ongoing monitoring
IT Management Layer
• IT Portfolio Management
  – Strategic direction
  – Resource availability
  – Selection criteria
  – Monitor benefits
• Investment Management
  – Business case
  – Develop program plan
  – Update operational IT portfolios
  – Retire program
Conclusions
• Technology has transformed organizations;
• Risk and controls have evolved;
• Use a layer approach to identify major concerns for your organization;
• There are many IT control guidelines available to assist auditors to identify risks and controls on each layer.