Presented by: JJ Edmunds, CPA, CIA, CISA, Audit and Assurance Manager; Antonina McAvoy, CISA, Cyber and Control Risk Services Manager
Don’t be a Target!
Peace of mind is a matter of choice.
E-Auditing Pitfalls to Avoid
Business Disruption
GLOBAL CYBER WARFARE
Intellectual Property
Trade Secrets Infrastructure
Designs Confidential Project Data
Financial Data
Personal Data
Data Is The New Oil
Cybercrime Annual Revenues
Key Cyber Trends
Root Cause of Cyber Attacks
Source: Ponemon Report
Types of Cyber Attacks
Source: Ponemon Report
Data at Risk
Source: Ponemon Report
Reduce Your Risk Vector
How Can You Minimize Being a Statistic?
• What are your assets?
• What are your threats?
• What are your vulnerabilities?
• Impact vs Likelihood
Risk Management Program and E-Auditing Considerations
Member Identification
• Strong authentication questions
• Call backs
• OFAC scans
• Multi-factor authentication
• Exception monitoring
• Frequent, ongoing employee training
NCUA Wire Internal Controls
• Training
• Physical and logical controls
• Segregation of duties
• Exposure limits
• Defined roles
• Member identification
• User access monitoring
• Call back / dual authentication
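The wire controls above (exposure limits, member identification by call back, dual authentication and segregation of duties) are the kind of rules a wire-release workflow should enforce mechanically rather than leave to the operator. The following is an added example written for this page, not code from the presentation or from NCUA; the data model (WireRequest, WirePolicy), the limit values and the sample wires are hypothetical and constructed for illustration.

```python
"""Control checks before an outgoing wire is released: exposure limits,
member call-back verification, dual control and segregation of duties.

Added example; the classes, field names and limit values are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class WireRequest:
    wire_id: str
    member_id: str
    amount: float
    initiator: str                   # employee who keyed the wire
    value_date: date
    callback_verified: bool = False  # member identity confirmed by call back
    approvers: list = field(default_factory=list)


@dataclass
class WirePolicy:
    callback_threshold: float   # call the member back at or above this amount
    single_wire_limit: float    # hard cap on any single wire
    daily_member_limit: float   # aggregate exposure per member per value date


def same_day_total(released, member_id, value_date):
    """Sum of wires already released for this member on this value date."""
    return sum(w.amount for w in released
               if w.member_id == member_id and w.value_date == value_date)


def check_wire(req, policy, released):
    """Return the list of control failures; an empty list means the wire may be released."""
    failures = []
    if req.amount <= 0:
        failures.append("amount must be positive")
    if req.amount > policy.single_wire_limit:
        failures.append("exceeds single-wire exposure limit")
    prior = same_day_total(released, req.member_id, req.value_date)
    if prior + req.amount > policy.daily_member_limit:
        failures.append("exceeds member's daily exposure limit")
    if req.amount >= policy.callback_threshold and not req.callback_verified:
        failures.append("member call-back not performed")
    # Segregation of duties: the initiator may not approve their own wire,
    # and dual control requires at least one other named approver.
    if req.initiator in req.approvers:
        failures.append("initiator cannot approve own wire")
    if not any(a != req.initiator for a in req.approvers):
        failures.append("second-person approval missing")
    return failures


# Constructed scenario (hypothetical policy, members and staff).
VALUE_DATE = date(2019, 6, 12)
POLICY = WirePolicy(callback_threshold=10_000, single_wire_limit=250_000,
                    daily_member_limit=300_000)
RELEASED = [WireRequest("W-1", "M-100", 200_000, "alice", VALUE_DATE, True, ["bob"])]


def demo_blocked():
    """Second wire for the same member on the same day, self-approved by the initiator."""
    req = WireRequest("W-2", "M-100", 150_000, "alice", VALUE_DATE, True, ["alice"])
    return check_wire(req, POLICY, RELEASED)


def demo_clean():
    """Wire for another member, under limits, called back and approved by a second person."""
    req = WireRequest("W-3", "M-200", 50_000, "alice", VALUE_DATE, True, ["bob"])
    return check_wire(req, POLICY, RELEASED)


if __name__ == "__main__":
    for f in demo_blocked():
        print("BLOCK:", f)
    print("W-3 failures:", demo_clean())
```

Every failure is reported rather than stopping at the first one, so the exception-monitoring log shows the full picture of what was attempted, and the approver set is checked for a person other than the initiator rather than merely for a count, which is the point of segregation of duties.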
NCUA ACH Internal Controls
• HR policies and procedures
• Physical security
• Data security
• Software development and change control
• Exposure limits
• Segregation of duties
• User access
NCUA Remote Deposit Internal Controls
• Benchmarking of performance
• Board-approved policies
• Data security
• Segregation of duties
• User access
Cybersecurity Risk Management
User Education and Awareness
• Acceptable Use Policy / Agreement
• Security awareness and policy training
• Secure password construction
• Phishing
• Whaling attacks
• Social engineering
• Physical access
• Malware
• Ransomware
• Confidential data handling
• Compliance and monitoring
Home and Mobile Working
• How many organizations have a Virtual Office Policy / Mobile Working Policy, or Agreement?
• Threats: Network Attacks, Viruses, Data Loss, and other remote user hazards
• Protect data in transit and at rest
• Secure baseline build for all devices
– e.g. verify that a device has up-to-date anti-virus software and its firewall enabled before allowing it onto the VPN
Secure Configuration
• Current system inventory list
• Baseline build for all devices
• Patch management policy/process
• Are you at risk? Practices to be avoided:
– Use of default passwords for systems and devices
– Lack of a formal configuration management process
– Lack of a consistent software install process
– Unnecessary software installed on networks/servers
– Improper file and directory permissions
– User accounts with unnecessary access privileges
Removable Media Controls
• What is the risk?
– Loss of sensitive information
– Introduction of malware
– Reputational damage
• Corporate removable media policy
• Best practices to implement:
– Limit use of removable media
– Scan all media for malware
– Formally issue media to users
– Encrypt information held on media
– Manage reuse/disposal of removable media
– Educate users and maintain awareness
Managing User Privileges
• Access control policy
• User provisioning
– Formal request and approval
– Principle of least privilege (network, application and database)
– Regulate the creation of new accounts, the administration of rights, and the editing of account details
• User deprovisioning
– Access disabled/deleted within 1-3 business days of departure
– Change admin and shared passwords when support staff leave
• User access reviews
• Restrict administrative access
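A user access review can check the deprovisioning controls above directly: compare the HR termination feed with the directory and flag accounts still enabled beyond the SLA, and flag shared or admin credentials a departed person knew that were never rotated. The following is an added example for this page, not code from the presentation; the HR feed, directory extract and credential register are constructed inline, the 3-business-day SLA follows the slide, and holidays are ignored (an assumption of this example).

```python
"""Access review for deprovisioning: terminated users whose accounts are still
enabled past the SLA, and shared/admin credentials they knew that were not rotated.

Added example with constructed data; users, dates and credential names are hypothetical.
"""
from datetime import date, timedelta


def business_days_after(start, end):
    """Number of Monday-Friday days after `start` up to and including `end` (holidays ignored)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


# Constructed sample data.
TERMINATIONS = [
    {"user": "alice", "last_day": date(2019, 6, 7)},    # Friday
    {"user": "bob",   "last_day": date(2019, 6, 11)},   # Tuesday
    {"user": "carol", "last_day": date(2019, 6, 3)},
]
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "admin": True},
    {"user": "bob",   "enabled": True,  "admin": False},
    {"user": "carol", "enabled": False, "admin": False},  # already disabled
    {"user": "dave",  "enabled": True,  "admin": False},  # still employed
]
SHARED_CREDENTIALS = [
    {"name": "core-db-admin", "known_to": {"alice", "dave"}, "rotated": date(2019, 5, 1)},
    {"name": "fw-console",    "known_to": {"bob"},           "rotated": date(2019, 6, 12)},
]
AS_OF = date(2019, 6, 13)   # Thursday, the day the review runs


def overdue_accounts(terminations, accounts, as_of, sla_days=3):
    """Enabled accounts of terminated users past the SLA, with the lag in business days."""
    last_day = {t["user"]: t["last_day"] for t in terminations}
    findings = []
    for a in accounts:
        if a["user"] not in last_day or not a["enabled"]:
            continue
        lag = business_days_after(last_day[a["user"]], as_of)
        if lag > sla_days:
            findings.append({"user": a["user"], "lag_days": lag, "admin": a["admin"]})
    return findings


def unrotated_shared_credentials(terminations, shared):
    """Shared credentials known to a departed user and not rotated after their last day."""
    findings = []
    for t in terminations:
        for cred in shared:
            if t["user"] in cred["known_to"] and cred["rotated"] <= t["last_day"]:
                findings.append({"credential": cred["name"], "departed": t["user"]})
    return findings


if __name__ == "__main__":
    for f in overdue_accounts(TERMINATIONS, ACCOUNTS, AS_OF):
        print("overdue deprovisioning:", f)
    for f in unrotated_shared_credentials(TERMINATIONS, SHARED_CREDENTIALS):
        print("credential not rotated:", f)
```

The admin flag is carried into the finding so that a still-enabled privileged account of a departed employee sorts to the top of the review; with real data the HR feed is the source of truth and any enabled account with no HR record at all is a separate finding worth raising.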
Incident Management
• Do you have a written plan?
• How many times have you tested it?
– Living process: update regularly!
Business Continuity Planning (BCP) and Disaster Recovery (DR)
Source: Centre Technologies
• BCP: Business function prioritization, Business Impact Analysis, Risk Assessment, Legal and Regulatory Requirements Identified
• DR: Asset/Technology Inventory, Asset Criticality, Disaster Recovery Contracts, Building Plans and System Diagrams
Monitoring
• Monitoring strategy and supporting policies
• Continuously monitor all systems and networks
• Capture and analyze logs for unusual activity
• Real-time monitoring:
– Monitor network performance / availability / traffic
– Monitor user activity (e.g. detect and stop malicious activity before security is compromised)
– Monitor computer operations (key backups / batch jobs)
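"Capture and analyze logs for unusual activity" is concrete once you pick the patterns to look for. The following is an added example for this page, not code from the presentation: it parses a small set of constructed authentication log lines (hypothetical hosts, users and addresses in documentation ranges; the key=value format is an assumption) and flags two patterns, a burst of failed logins from one source followed by a success, and an administrator login outside business hours.

```python
"""Log analysis for two unusual-activity patterns: failed-login burst followed
by a success from the same source, and admin logins outside business hours.

Added example; log format, sample lines, thresholds and hours are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """
2019-06-12T02:14:03 host=core-app user=jsmith src=203.0.113.7 event=login_failed
2019-06-12T02:14:10 host=core-app user=jsmith src=203.0.113.7 event=login_failed
2019-06-12T02:14:18 host=core-app user=mjones src=203.0.113.7 event=login_failed
2019-06-12T02:14:25 host=core-app user=jsmith src=203.0.113.7 event=login_failed
2019-06-12T02:14:33 host=core-app user=jsmith src=203.0.113.7 event=login_failed
2019-06-12T02:14:40 host=core-app user=jsmith src=203.0.113.7 event=login_ok
2019-06-12T02:30:00 host=core-db user=tadmin src=10.0.0.5 event=login_ok
2019-06-12T10:15:12 host=core-app user=jdoe src=198.51.100.20 event=login_ok
2019-06-12T10:20:45 host=core-app user=jdoe src=198.51.100.20 event=login_failed
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse(lines):
    """Parse key=value lines into dicts with a datetime timestamp; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def find_guessing_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source accrues `threshold` failures within `window` and then logs in."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda r: r["ts"]):
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if e["event"] == "login_failed":
            q.append(e["ts"])
        elif e["event"] == "login_ok" and len(q) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"],
                           "failures": len(q), "at": e["ts"]})
            q.clear()
    return alerts


def find_off_hours_admin(events, admins, start_hour=7, end_hour=19):
    """Successful admin logins on weekends or outside start_hour..end_hour (local time)."""
    alerts = []
    for e in events:
        if e["event"] != "login_ok" or e["user"] not in admins:
            continue
        ts = e["ts"]
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            alerts.append({"user": e["user"], "host": e["host"], "at": ts})
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for a in find_guessing_success(evts):
        print("guessing-then-success:", a)
    for a in find_off_hours_admin(evts, admins={"tadmin"}):
        print("off-hours admin login:", a)
```

Keying the failure window on the source address rather than the user catches password spraying, where one source tries a few guesses against many accounts; the same sliding-window structure works for any per-key rate rule you add later.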
Malware Protection
• Corporate malware policy
• Personal vigilance
– Be wary of emails with attachments, links, or requests to enter your user ID and password
• Protective tools
– Anti-virus security package
– Scan for malware across the organization
– Automatically filter out malicious attempts
– Only compliant machines gain network access
Network Security
• Security policy
• Apply the principle of least privilege
• Dual authentication
• Segmented networks
– Create clear separation of data within the network based on security requirements (e.g. isolate cardholder data from the rest of the network)
• Network security scanner
• Vulnerability scanning
• Patch management
Questions
MANAGING OUTSOURCED TECHNOLOGY AND SERVICE PROVIDERS
Why do I need a vendor management program?
THIRD-PARTY VENDORS
Deloitte survey figures shown: 59% and 74%; third parties play a critical role in business functions
Another threat: Third Party Vendors
Diagram: your credit union connected to its financial/accounting system, IT support network, payroll provider and corporate credit union
THIRD-PARTY VENDOR RISK
Ponemon Institute: 59% – data breaches caused by a third-party vendor
Source: reuters.com
THIRD PARTY BREACHES IN THE NEWS
Source: reuters.com
Can You Rate Your Vendors' Risk Level?
Diagram: the same vendor map (financial/accounting system, IT support network, payroll, corporate credit union) with each vendor's risk level marked "?"
Security Risk Affects Your Whole Organization
Employees, Members, IT, Operations
How can you mitigate risks associated with outsourced service providers?
Do I need a SOC audit for all vendors?
Why CUECs (Complementary User Entity Controls) are Important
ACCESS DENIED
Key Consideration
97% - Negligent Employees or Third Party Contractor
Who is your weakest link?
The Blame Game
Insurance: Common Problems
Common Business Misconception
I’m not worried… I’ve got insurance!
Yes, but the real question is does your organization have the right cyber insurance?
Key Considerations: Are You Being Negligent?
Cyber Insurance… Denied?
• National Bank of Blacksburg v. Everest National Insurance Co.
• Hacked twice in less than a year and suffered total losses of $2.4 million (phishing scam)
• Link to article https://www.businessinsurance.com/article/20180727/NEWS06/912322962?template=printart
Do You Have a Strategic Plan?
Questions
Contact
Antonina K. McAvoy, CISA, Manager, Cyber & Control Risk Services
150 Boush Street, Suite 400, Norfolk, VA 23510
Phone: (757) [email protected]
Visit www.pbmares.com to read our blog and learn of upcoming events.
JJ Edmunds, CPA, CIA, CISA, Manager, Audit and Attestation
3957 Westerre Parkway, Suite 220, Richmond, Virginia [email protected]
About the Speaker
JJ Edmunds, CPA, CIA, CISA
• Manager, Audit and Attestation Services
• Education:
– BS in Accounting, Christopher Newport University
– Master of Science in Accounting, Old Dominion University
• Experience:
– 7 years of public accounting experience
– Certified Public Accountant (CPA)
– Certified Internal Auditor (CIA)
– Certified Information Systems Auditor (CISA)
About the Speaker
Antonina K. McAvoy, CISA
• Manager, Cyber and Control Risk Services
• Education:
– BS in Business Management & Accounting, Babson College
– Pursuing MS in Cybersecurity, Utica College
• Experience:
– 10 years of information technology (IT) auditing experience
– Certified Information Systems Auditor (CISA)
– Focus areas: Cybersecurity, IT General Controls (ITGC), Cyber Risk Assessments, HIPAA Reviews, SOC Audits, and Internal Audit
About PBMares Cyber & Control Risk Services
• PBMares has been specializing in IT and cyber security auditing for more than 15 years. Services include:
– Attestation
• IT General Controls (ITGC) Audits
• Service Organization Control (SOC) Audits: SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity
– Consulting
• Cyber Risk Assessments
• Review of Cyber Insurance Coverage
• Vulnerability Scans of Network (Internal and External)
• Penetration Testing
• Incident Response Consulting
• Data Classification Process Design and Consulting
• Review of Information Security Program Policies and Procedures
• Information Security Awareness Training
• User Life Cycle Management Consulting