Spring Education Conference
Securing the Organization
(Ensuring Trustworthy Systems)
Ken Vander Wal, CISA, CPA
Past President, ISACA

2012-2013 Board of Directors
Past International President: Kenneth Vander Wal, Chicago Chapter
Vice Presidents
Past International President: Emil D’Angelo, NY Metropolitan Chapter
Tony Hayes, Brisbane Chapter
International President: Greg Grocholski
Member at Large
Christos Dimitriadis, Athens Chapter
Jeff Spivey, Charlotte Chapter
Allan Boardman, London Chapter
Juan Luis Carselle, Mexico City Chapter
Ramses Gallego, Barcelona Chapter
Marc Vael, Belgium Chapter
Appointed directors: John Ho Chi, Singapore Chapter; Krysten McCabe, Atlanta Chapter; Jo Stewart-Rattray, Adelaide Chapter

Agenda
• IT Changing Landscape
• IT Value, Trust and Assurance
• Impact on Assurance Profession
• Questions and Discussion

Pace of Change of Digital Infrastructure
Digital power = Computing × Communication × Storage × Content
• Computing: Moore’s law, doubles every 18 months
• Communication: Fiber law, doubles every 9 months
• Storage: Disk law, doubles every 12 months
• Content: Community law, 2^n, where n is the number of people
Source: John Seely Brown

Worldwide IT Spending Forecast (Billions of US Dollars)
(chart; figures not reproduced in this transcript)

Other Gartner Predictions
• Technology spend outside IT will become almost 90% by end of the decade
• 4.4M IT jobs globally will be created to support Big Data, 1.9M in the US
– $34B of IT spending in 2013
• In 2016 > 1.6B smart mobile device purchases globally
• Security investments to increase by 56% in five years
– Driver: regulatory compliance

Trends Sure to Impact CIOs in 2013
1. The increasing importance of smartphones
2. Tablets will make inroads
3. The Cloud is here to stay
4. BYOD (or is it IBMOD)
5. Big Data
6. The increasing role of Windows 8
7. Social networking security
8. Small, lighter hardware
9. Increasing employee knowledge
10. Apple love
Source: CIO Insight

Speaking of Big Data
We no longer speak in terms like bytes, kilobytes (KB) or gigabytes (GB).
How many bytes in a Terabyte (TB)?
10^12 (decimal, SI) or 2^40 (binary; strictly a tebibyte, TiB)
Equivalent to roughly 1,610 CDs worth of data
Anyone heard of a Petabyte? Or an Exabyte?
1 Petabyte (PB) is 1,024 TB
1 Exabyte (EB) is 1,024 PB
1 Zettabyte (ZB) is 1,024 EB
1 Yottabyte (YB) is 1,024 ZB

(figure only) 2012 © ISACA. Used by permission.

What Does It Mean?
• Information systems environments are continuing to increase in complexity and impact, bringing unprecedented value opportunities along with significant risk.
• This requires:
– active governance and management of information
– advanced auditing practices

What is the Impact on the Audit Profession?
• Need to provide more value to the stakeholders of an organization by focusing more on business and information.
• Silos being removed: business, IT internal audit, finance internal audit, fraud investigators, security, governance, external audit, SLA managers.
• Era of diverse framework integration and central management.
• New technologies introduce new skill requirements for auditors – not solely technical ones.

• Securing and Auditing the Cloud requires good understanding of:
– Technologies (web services, virtualization)
– Related control frameworks
– Business requirements (linking IT with the business)
– Legal requirements (data transfer, retention, protection)
– Contractual agreements (e.g. impeding factors from moving to other providers)
Example: ISACA Cloud Computing Management Audit/Assurance Program

IT Value Factors
Alignment
• IT and business processes
• Organization structure
• Organization strategy
Integration
• Enterprise architecture
• Business architecture
• Process design
• Organization design
• Performance metrics
Figure: Business Requirements drive the investment in IT Resources, that are used by IT Processes, to deliver Enterprise Information, which responds to Business Requirements.

Value Defined (Val IT)
• IT is not an end in itself but a means of enabling business outcomes. IT is not about implementing technology. It is about unlocking value through IT-enabled organizational change.
• Value is the total life-cycle benefits net of related costs, adjusted for risk and (in the case of financial value) for the time value of money.
• The concept of value relies on the relationship between meeting the expectations of stakeholders and the resources used to do so.

Trust Defined
Definition 1: Trust is the ability to predict what a system will do in various situations.
Definition 2: Trust is using an information system without having full knowledge about it.
Definition 3: Trust is giving something now (credit card) with an expectation of some future return or benefit (online purchase).
Definition 4: Trust is being vulnerable (entering private and sensitive information) while expecting that the vulnerabilities will not be exploited (identity theft).
Trust that:
• Private and sensitive information will remain confidential
• Process integrity is maintained
• Essential business processes are available or recoverable

Trust in an Information Society
• Systems should give minimum and, as much as possible, measurable guarantees and information on related risks concerning quality of service, security and resilience, transparency of actions and the protection of users’ data and users’ privacy, in accordance with predefined, acknowledged policies.
• Systems should provide tools and mechanisms (or allow third-party service providers to do so) that enable the user to assess the risks and audit the qualities it is claimed to possess.
• A bona fide trustworthy system must also entail quantifiable and auditable technical and organizational aspects of delivery (policies, architectures, service level agreements, etc.), as well as the user’s perceptions of its operation.

Trustworthy Computing
Pillars: Security, Privacy, Reliability, Integrity
• Investment in expertise & technology
• Responsible leadership and partnering
• Guidance and engagement through best practices & education
• Design, development and testing
• Standards and policies
Privacy: user sense of control over personal information
Reliability:
• Resilient – continues in the face of internal or external disruption
• Recoverable – restorable to a previously known state
• Controlled – accurate and timely service
• Undisruptable – changes and upgrades do not disrupt service
• Production ready – minimal bugs or fixes
• Predictable – works as expected or promised
Integrity: acceptance of responsibility for problems and taking action to correct them

Trust and Value Relationship
Figure: Trust, Value, Assurance
• Trust creates the opportunity for Value
• Value is based on an expectation of Trust
• Assurance binds Trust and Value together

Governance · Risk Management · Info Security · Audit/Assurance
Information systems are integral enablers that:
• Achieve an organization’s strategy and business objectives
• Provide the confidentiality, integrity, availability and reliability of information assets
• Ensure compliance with applicable laws and regulations
Their criticality brings to the enterprise unprecedented potential for both value creation and risk (creating the need for trust).

What does all this mean for ISACA and IIA members?
• Learn Faster
• Share Knowledge
• Engage

LEARN FASTER
• White papers
• IT audit/assurance programs
• Survey results
• Other research
• Journal articles

Examples of Resources
ISACA
• Information Technology Assurance Framework
• Audit programs (downloadable)
• IT Risk/Reward Barometer Survey
• eLibrary
• White papers
• COBIT
IIA
• International Professional Practices Framework
• Global Technology Audit Guides
• GAIN annual benchmarking study
• Chief audit executive resources

COBIT 5 Principles
(figure only) 2012 © ISACA. Used by permission.

COBIT 5 Enablers
(figure only) 2012 © ISACA. Used by permission.

COBIT 5 Enabling Processes
(figure only) 2012 © ISACA. Used by permission.

SHARE KNOWLEDGE
• Networking at chapter, regional and international levels
• Use of knowledge centers and collaboration
• Communicate

ENGAGE
• Volunteer
• Share knowledge
• Attend
• Get a certification
• Comment on exposure drafts

Certifications
ISACA: CISA, CISM, CGEIT, CRISC
IIA: CIA, CGAP, CFSA, CCSA, CRMA

THANK YOU