Not All “IT Audits” Are the Same: How to Choose One That Is Right For You
©2013 CliftonLarsonAllen LLP
CLAconnect.com
Intro…
• Scott Charleson
• Lots of certs - GWAPT, GPEN, GSEC, CISSP, CEH, EnCE
• Hacking for CliftonLarsonAllen
• Paleo Barefoot Runner
Presentation overview
• What is Risk Assessment
• Governance Frameworks
• Types of “Audits”
“We need…”
• “Our examiners said we need to do an IT Audit…”
• “To be in compliance with XYZ, we need to do a Risk Assessment…”
What is not a risk assessment…?
• Vulnerability Scanning
• Penetration Test
• Phishing / Social Engineering
http://bit.ly/May20-2
Risk Assessment
Institute of Internal Auditors (IIA) glossary’s definition of risk:
• “The uncertainty of an event occurring that could have an impact on the achievement of objectives.”
Key terms when evaluating risk in an organization are:
• Likelihood/Occurrence and
• Impact/Consequences to the business
Risk Assessment – Inherent & Residual Risk
• Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact (i.e. absent controls / before control effectiveness testing)
• Residual risk is the risk that remains after management’s response to the risk (i.e. after control effectiveness testing)
• Risk assessment is applied first to inherent risks. Once risk responses have been developed, management then considers residual risk.
• Effective Risk Management requires that risk assessment be done both with respect to inherent risk and also following risk response.
Risk Assessment Process (30K foot view)
1. Identify key assets and processes
2. Define threats & vulnerabilities to assets/processes
3. Quantify/qualify likelihood of occurrence
4. Establish Impact (to the business)
This is Inherent Risk
Risk Assessment Process (30K foot view - continued)
5. Perform controls effectiveness testing
6. Analyze control testing results for mitigation effectiveness
This result is Residual Risk
• Build business plans and audit plans based on residual risk.
• Examiners expect to see Risk Assessment process as basis for business decisions
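The six steps above, worked through as a small risk register. This is an added example, not code from the deck or from CliftonLarsonAllen; the 1-to-5 likelihood and impact scales, the multiplicative scoring, the treatment of tested controls as independent, and the register entries are all assumptions made for the illustration.

```python
"""Inherent vs. residual risk, worked through as a small risk register.

Added example, not from the deck or CliftonLarsonAllen: the 1-5 scales,
the multiplicative scoring, the "independent controls" assumption and the
register entries are all assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    # Share of the risk the control removes, as established by controls
    # effectiveness testing (step 5): 0.0 = failed test, 1.0 = fully effective.
    # None = not yet tested; an untested control earns no credit.
    tested_effectiveness: Optional[float] = None


@dataclass
class Risk:
    asset: str                  # step 1: key asset or process
    threat: str                 # step 2: threat / vulnerability
    likelihood: int             # step 3: 1 (rare) .. 5 (almost certain)
    impact: int                 # step 4: 1 (negligible) .. 5 (severe) to the business
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Inherent risk: likelihood x impact with no credit for any control."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact

    def remaining_fraction(self) -> float:
        """Fraction of inherent risk the tested controls let through (step 6).

        Controls are assumed independent, so the remaining fraction is the
        product of (1 - effectiveness) over the controls that passed testing.
        """
        remaining = 1.0
        for c in self.controls:
            e = c.tested_effectiveness
            if e is None:
                continue                      # untested: no reduction claimed
            if not 0.0 <= e <= 1.0:
                raise ValueError(f"{c.name}: effectiveness {e} outside 0..1")
            remaining *= 1.0 - e
        return remaining

    def residual(self) -> float:
        """Residual risk: what is left after management's response."""
        return self.inherent() * self.remaining_fraction()


def rank(register: List[Risk], basis: str = "residual") -> List[str]:
    """Order the register by inherent or residual risk, highest first."""
    if basis not in ("inherent", "residual"):
        raise ValueError("basis must be 'inherent' or 'residual'")
    ordered = sorted(register, key=lambda r: getattr(r, basis)(), reverse=True)
    return [f"{r.asset}: {r.threat}" for r in ordered]


# Constructed sample register (not real client data).
SAMPLE_REGISTER = [
    Risk("Core banking application", "ACH file tampering", 3, 5,
         [Control("Dual authorization of ACH batches", 0.8),
          Control("ACH file hash check", None)]),      # control exists but untested
    Risk("Remote-access VPN", "credential stuffing", 4, 4,
         [Control("MFA on VPN logins", 0.9)]),
    Risk("File server", "ransomware", 4, 5,
         [Control("Offline backups, restore tested", 0.5),
          Control("EDR on file servers", 0.6)]),
    Risk("Guest wireless", "rogue access point", 2, 3),  # no controls at all
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.asset:26} {r.threat:22} inherent={r.inherent():3d} residual={r.residual():5.2f}")
    print("Audit plan order (by residual):", rank(SAMPLE_REGISTER))
```

Ranking by inherent risk puts the file server first; ranking by residual risk, which is what the slides say audit plans should be built on, puts the uncontrolled guest wireless risk first and the MFA-protected VPN last. The untested ACH file hash check earns no credit until its effectiveness test has actually been performed, which is the point of doing the assessment both before and after the risk response.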
Governance Frameworks
• Common Frameworks - Matrix Resources: http://bit.ly/May20-1
Types of Risk Assessments and Audits
• Risk Assessment
– Enterprise Risk Assessment
– IT Risk Assessment
– Compliance Risk Assessment
• IT Audits
– Process Audits (e.g. ACH)
– IT Compliance Audits
• Security Assessment
– Vulnerability Assessments
– Penetration Testing
– Social Engineering
Audit Philosophy and Approach
Philosophy:
• People, Rules and Tools
Approach:
• Understand
• Test
• Assess
Enterprise Risk – “drive the business”
[Diagram: Risk oversight & insight by Board & Executive Management across People, Process and Technology. Strategy & Execution is risk taking; Financial Reporting, Operations and Compliance are risk avoidance. Enterprise risk categories: Governance (ethics/decision authority, oversight/independence, compensation/other); Operations (service delivery, inventory management, staffing and employment, quality standards, cost management); Infrastructure (compliance, finance & accounting, tax, information technology, insurance, BCP, safety/physical security, legal/IP/litigation, environmental/other); External Factors (competition/economic conditions, geo-political/regulatory, activism/public safety, natural disasters/other); Strategy (strategic plan/acquisitions/divestitures, succession planning, brand/marketing/pricing, reputational). Enterprise value and stakeholder value: revenue growth, operating margin, asset efficiency, expectations.]
Rewarded risk can drive value. Unrewarded risk can destroy value.
Enterprise Risk – “drive the business”
Conducting an Enterprise-Wide Risk Assessment is similar to sitting down with a financial planner to discuss your investment strategy. You determine your tolerance for risk by deciding whether you want to invest aggressively, preserve capital or take a conservative growth approach. This can be described as a control self assessment of your finances.
There is a clear distinction between an Enterprise Risk Assessment and an Enterprise Information Security Risk Assessment. The first type focuses on Financial, Strategic and Operational functions, and the latter is Information Security/Network/Technology driven. Clarify with your examiner which one is being requested if your business is asked to complete an Enterprise Risk Assessment.
IT Risk Assessment & Information Security Risk Assessment
• Focus is on one component of the enterprise: Information Technology and/or the Information Security Management Program
Process Specific
• ACH audits
• Wire transfer / FedLine audits
• Application specific audits
• Business process specific audits
• Member authentication procedures
These tend to be focused on the operational processes supporting the business process
“Traditional IT Audit”
• Broad audits
– IT General Controls Review
• Specific/focused audits
– DRP/IR/BCP audits and testing
– SDLC and Change Management audits
– User and group permission audits
– Vendor management
“Traditional IT Audit”
• IT General Controls Review: “A mile wide and 10 feet deep”
“Traditional IT Audit”
• IT General Controls Review
– Good for broad, high-level coverage of IT management, member information security program, and compliance requirements
– Answers the question: “Do we have the right standards and are they well documented?”
– Effectiveness testing tends to be light
– Does not really test the systems or identify exceptions
“Traditional IT Audit” – Focused Audits
• Common examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits
– More focused audits get to the next level of detail: they focus on the process and perhaps application-level controls (e.g. menus); effectiveness testing tends to be more thorough, but is likely still based on sampling
– These can be Design or Compliance focused
Vulnerability Assessment
• Port Scans and Vulnerability Scans
– They are like Radar…
– Pros
– Cons
• External and Internal Scanning
– What are the benefits?
• Example – Monthly scanning for Business “A”
– July – nothing new/unusual
– August – nothing new/unusual
– September – SSH open, and…
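The monthly-scanning example above, as an added illustration of the radar point: a scan only tells you what is exposed right now, so its value comes from comparing sweeps over time. The code is not from the deck; it parses nmap’s grepable (-oG) output format and diffs two sweeps. The three monthly results are constructed for the example on TEST-NET-3 (203.0.113.0/24) addresses and are not real scan data.

```python
"""Month-over-month comparison of port scan results (nmap -oG format).

Added example, not from the deck. The three monthly sweeps below are
constructed sample data on TEST-NET-3 (203.0.113.0/24) addresses.
"""
import re
from typing import Dict, List, Tuple

Service = Tuple[str, int, str]           # (host, port, protocol)

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> Dict[Service, str]:
    """Return {(host, port, proto): 'service version'} for every open port."""
    exposed: Dict[Service, str] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comment / 'Nmap done' lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]              # '203.0.113.10 ()' -> address
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":                       # closed/filtered are not exposure
                exposed[(host, int(port), proto)] = f"{service} {version}".strip()
    return exposed


def diff_scans(previous: Dict[Service, str], current: Dict[Service, str]):
    """Split the change since the last sweep into new, gone and version-changed services."""
    new = {k: current[k] for k in current.keys() - previous.keys()}
    gone = {k: previous[k] for k in previous.keys() - current.keys()}
    changed = {k: (previous[k], current[k])
               for k in previous.keys() & current.keys() if previous[k] != current[k]}
    return new, gone, changed


def monthly_report(month: str, previous: Dict[Service, str],
                   current: Dict[Service, str]) -> List[str]:
    """One line per change, or the 'nothing new/unusual' line the slide uses."""
    new, gone, changed = diff_scans(previous, current)
    if not (new or gone or changed):
        return [f"{month}: nothing new/unusual"]
    lines = []
    for (host, port, proto), svc in sorted(new.items()):
        lines.append(f"{month}: NEW     {host}:{port}/{proto} {svc}")
    for (host, port, proto), svc in sorted(gone.items()):
        lines.append(f"{month}: GONE    {host}:{port}/{proto} {svc}")
    for (host, port, proto), (old, cur) in sorted(changed.items()):
        lines.append(f"{month}: CHANGED {host}:{port}/{proto} {old} -> {cur}")
    return lines


# Constructed sample sweeps (not real scan output). Tabs separate -oG fields.
JULY = (
    "# Nmap 7.94 scan initiated (constructed sample) as: nmap -sV -oG - 203.0.113.8/29\n"
    "Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: filtered (998)\n"
    "# Nmap done (constructed sample) -- 8 IP addresses (2 hosts up) scanned\n"
)
AUGUST = JULY                                        # nothing changed that month
SEPTEMBER = (
    "# Nmap 7.94 scan initiated (constructed sample) as: nmap -sV -oG - 203.0.113.8/29\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx 1.26.0/\tIgnored State: filtered (999)\n"
    "Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (999)\n"
    "# Nmap done (constructed sample) -- 8 IP addresses (3 hosts up) scanned\n"
)


if __name__ == "__main__":
    july, august, september = (parse_grepable(s) for s in (JULY, AUGUST, SEPTEMBER))
    for line in monthly_report("August", july, august) + monthly_report("September", august, september):
        print(line)
```

Against the constructed data, August reports nothing new; September flags SSH newly open on .10, a new host .12 exposing RDP, SMTP gone from .11, and an nginx version change. A scan shows only that a service is reachable, not whether it is authorized or exploitable; confirming that is the job of the change-management audit and the penetration test discussed on the following slides.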
Penetration Testing
• External Network
• Applications
• Internal Network
• Wireless
• Facilities (social engineering)
External Network Penetration Testing
Everything that touches the outside
1. Routing devices
2. Remote access
3. Web/applications*
4. Other*: ___________________
Application Penetration Testing
External Apps or Internal Apps
Internal Network Penetration Testing
Everything that touches the inside
Wireless Network Penetration Testing
Definition of a Secure System
“A secure system is one we can depend on to behave as we expect.”
Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
• Confidentiality
• Integrity
• Availability
Questions?
CLAconnect.com
Thank you!
Scott Charleson About.me/charleson
Sources for Standards and Guidelines
• FFIEC IT Handbook http://bit.ly/May20-3
• NIST 800-53: Information Security and IT Auditing http://bit.ly/May20-4
• PCI Requirements http://bit.ly/May20-5 http://bit.ly/May20-6