GENERAL CONTROLS OVER TECHNOLOGY


Page 1: GENERAL CONTROLS OVER TECHNOLOGY
Page 2: GENERAL CONTROLS OVER TECHNOLOGY

SESSION OBJECTIVES

• DISTINGUISH GENERAL CONTROLS FROM APPLICATION CONTROLS AND DISCUSS THEIR IMPORTANCE.

• IDENTIFY RED FLAGS THAT MAY BE AN INDICATION OF GENERAL IT CONTROL DEFICIENCIES

• DISCUSS CATEGORIES AND PROVIDE SPECIFIC EXAMPLES OF IT GENERAL CONTROLS

• PROVIDE SEVERAL IT CONTROL AND SECURITY MODELS RECOGNIZED IN THE INDUSTRY

• PROVIDE A CALL TO ACTION THAT ALL MUST WORK TOGETHER FOR IT TO BE SECURE AND EFFECTIVE


Page 3: GENERAL CONTROLS OVER TECHNOLOGY

SO WHY ARE CONTROLS SO IMPORTANT?

Page 4: GENERAL CONTROLS OVER TECHNOLOGY

COSO PRINCIPLES


Page 5: GENERAL CONTROLS OVER TECHNOLOGY

IMPORTANCE OF GENERAL CONTROLS

• COSO 2013 PRINCIPLE 11 STATES: SELECTS AND DEVELOPS GENERAL CONTROLS OVER TECHNOLOGY.

• TO SINGLE OUT GENERAL CONTROLS OVER IT FROM ALL OTHER CONTROL ACTIVITIES SIGNIFIES THEIR IMPORTANCE TO THE ENTIRE ORGANIZATION. EXPRESSED ANOTHER WAY:

• “IF TOP MANAGEMENT DOES NOT KNOW AND CONTROL WHAT HAPPENS IN THE IT DEPARTMENT, THEN THEY ARE DELUDING THEMSELVES REGARDING THE EFFECTIVENESS OF THEIR ENTIRE SYSTEM OF INTERNAL CONTROLS”

Page 6: GENERAL CONTROLS OVER TECHNOLOGY

APPLICATION VS. GENERAL CONTROLS

APPLICATION CONTROLS ARE SIMPLY THE AUTOMATED VERSION OF WHAT WE HAVE ALWAYS DONE:

TRADITIONAL | AUTOMATED
Locked filing cabinet | User ID and password
Physical segregation of duties | Password hierarchies that segregate duties through screen access
Illegible initials on paper invoices | Automated workflow approvals
Manual review, paper forms, footing of inputs | Input controls, automatic population of certain fields, edit checks
Using reports to monitor and control budget | System controls that refuse to process transactions if budget authorization is inadequate

Page 7: GENERAL CONTROLS OVER TECHNOLOGY

APPLICATION VS. GENERAL CONTROLS

• GENERAL CONTROLS REPRESENT WHAT HAPPENS IN THE IT DEPARTMENT TO KEEP:

  • COMPUTERS CONNECTED.

  • DATABASES HUMMING.

  • APPLICATIONS RUNNING AND RELIABLE.

  • RESPONSE TIMES FAST.

  • INFORMATION TRUSTWORTHY.

  • HACKERS AT BAY.

• IN ADDITION, WHEN BAD THINGS HAPPEN, GENERAL CONTROLS ENSURE RAPID DETECTION, RECOVERY AND REMEDIATION.

Page 8: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #1

NEAT, LABELED ELECTRICAL AND NETWORK CABLING

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER


Page 9: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #2

PAYROLL SYSTEM ONLY PAYS INDIVIDUALS WHO ARE ESTABLISHED IN THE HUMAN RESOURCE SYSTEM

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER

Page 10: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #3

SECURITY AWARENESS TRAINING:

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER

Page 11: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #4

ACCESS BY ACCOUNTS PAYABLE STAFF TO ENTER TRANSACTIONS, BUT ACTUAL PAYMENT MUST BE APPROVED BY A SUPERVISOR:

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER

Page 12: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #5

ACCESS BY DATABASE ADMINISTRATOR TO THE TEST ENVIRONMENT, BUT CHANGES MADE CANNOT BE MOVED TO PRODUCTION WITHOUT REVIEW AND APPROVAL:

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER

Page 13: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #6

RECONCILIATION AND AGREEMENT OF GENERAL LEDGER BALANCES TO SUB-LEDGER BALANCES:

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER

Page 14: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #7

VIRTUAL PRIVATE NETWORK (VPN) SOFTWARE INSTALLED ON A LAPTOP:

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER

Page 15: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #8

REVIEWING THE CHANGE LOGS REGARDING SCREEN ACCESS FOR ACCOUNTING EMPLOYEES:

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER


Page 16: GENERAL CONTROLS OVER TECHNOLOGY

POLLING QUESTION #9

REVIEWING CHANGE LOGS TO DETERMINE CHANGES MADE TO EMPLOYEES HAVING ADMINISTRATIVE PRIVILEGES FOR THE ACCOUNTING APPLICATION:

A. APPLICATION CONTROL

B. GENERAL CONTROL

C. COULD BE BOTH

D. NEITHER

Page 17: GENERAL CONTROLS OVER TECHNOLOGY

RED FLAG WARNINGS


Page 18: GENERAL CONTROLS OVER TECHNOLOGY

RED FLAGS

• EVEN PRIOR TO A CYBER ATTACK OR SIGNIFICANT NETWORK FAILURE, WARNING SIGNS LIKELY EXIST:

  • FREQUENT SYSTEM OUTAGES - A SIGN OF NETWORK FRAGILITY AND SINGLE POINTS OF FAILURE

  • LEGACY SUPPORTING LEGACY - OLDER APPLICATIONS THAT REQUIRE OLDER, OFTEN VULNERABLE ANCILLARY PROGRAMS SUCH AS BROWSERS, ADOBE PRODUCTS, ETC.

  • LOW IT BUDGETS - WITH TODAY’S INTERCONNECTEDNESS AND INTERDEPENDENCE, IT IS NOT CHEAP, AND CUTTING CORNERS WILL COST YOU IN THE LONG RUN

  • LACK OF TRAINING AND CERTIFICATIONS - THE COMPLEXITY AND PACE OF CHANGE MANDATE CONSTANT TRAINING, AND HIRING FOR CERTIFICATIONS AND EXPERIENCE IN KEY POSITIONS

  • INABILITY TO OBTAIN CYBER-INSURANCE - INSURERS HAVE GOTTEN BURNED, HAVE BECOME QUITE GOOD AT ASSESSING RISK, AND ARE DECLINING COVERAGE FOR MANY GOVERNMENTS

  • APPLICATION IMPLEMENTATION FAILURES - OVER BUDGET, MISSED DEADLINES, MISSING FUNCTIONALITY

Page 19: GENERAL CONTROLS OVER TECHNOLOGY

GENERAL CONTROLS - GETTING INTO THE WEEDS

Page 20: GENERAL CONTROLS OVER TECHNOLOGY

IT GENERAL CONTROLS - ADMINISTRATIVE

❑ ALIGNMENT WITH STRATEGIC GOALS AND CULTURE

❑ POLICIES

❑ RISK ASSESSMENT

❑ ADMINISTER SECURITY PROGRAM

❑ HIRING AND SCREENING

❑ USER ACCESS PROCESS (NEW USER, TERMINATIONS, CHANGES)

❑ ACCESS AUTHORIZATION

❑ SEGREGATION OF DUTIES

❑ PRINCIPLE OF LEAST PRIVILEGE

❑ EXPECTATIONS OF DUE CARE AND DUE DILIGENCE

❑ LICENSE MANAGEMENT

❑ CHANGE LOG MONITORING AND RECONCILIATION

❑ ASSET INVENTORIES, REPLACEMENT/REFRESH AND DISPOSAL POLICIES

❑ CENTRALIZED VS. DECENTRALIZED DEVICE MANAGEMENT POLICIES

❑ CONTINGENCY PLANNING / BUSINESS CONTINUATION/ DATA BACKUP

❑ ANNUAL AND MULTI-YEAR BUDGETING FOR MAINTENANCE, UPGRADE AND REPLACEMENT AKA-SUSTAINABILITY

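The change log monitoring and reconciliation item in the checklist above (the same review polling question 9 asks about for administrative privileges) can be made a repeatable check rather than an eyeball exercise. The following is an added illustration, not material from the deck: the change-log layout, the ticket store and every account name are constructed, and the check flags each privilege change that lacks an independent, prior, matching approval.

```python
"""Reconcile an application's admin-privilege change log against approved change tickets.

Added illustration, not from the deck. The log layout (timestamp, actor,
action, target account, ticket id), the ticket store and all names are
constructed. The check asks the questions a reviewer would ask of each entry.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: privilege changes exported from the accounting application.
CHANGE_LOG = """\
2024-03-01T09:12:00,alice.admin,GRANT_ADMIN,bob.clerk,CHG-1001
2024-03-02T14:05:00,alice.admin,GRANT_ADMIN,carol.ap,
2024-03-03T08:30:00,dave.dba,GRANT_ADMIN,dave.dba,CHG-1002
2024-03-04T16:45:00,alice.admin,REVOKE_ADMIN,bob.clerk,CHG-1003
"""

# Constructed sample: approved tickets, ticket id -> (approver, target account, approved at).
APPROVED_TICKETS = {
    "CHG-1001": ("cfo", "bob.clerk", "2024-03-01T08:00:00"),
    "CHG-1002": ("dave.dba", "dave.dba", "2024-03-03T08:00:00"),
    "CHG-1003": ("cfo", "bob.clerk", "2024-03-04T16:00:00"),
}


@dataclass
class Finding:
    entry: str   # the raw change-log line
    reason: str  # why a reviewer should look at it


def reconcile(change_log: str, approved: dict) -> list:
    """Return one Finding per entry lacking a valid, independent, prior approval."""
    findings = []
    for entry in change_log.splitlines():
        made_at, actor, action, target, ticket = entry.split(",")
        if not ticket:
            findings.append(Finding(entry, "no change ticket recorded"))
            continue
        if ticket not in approved:
            findings.append(Finding(entry, f"ticket {ticket} not in approved list"))
            continue
        approver, approved_target, approved_at = approved[ticket]
        if approved_target != target:
            findings.append(Finding(entry, "ticket approves a different account"))
        elif approver in (actor, target):
            findings.append(Finding(entry, "self-approved: violates segregation of duties"))
        elif datetime.fromisoformat(approved_at) > datetime.fromisoformat(made_at):
            findings.append(Finding(entry, "approval recorded after the change was made"))
    return findings
```

Run against the sample, the untracked grant to carol.ap and the DBA's self-approved grant are the two entries a reviewer should pull.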

Page 21: GENERAL CONTROLS OVER TECHNOLOGY

ADMINISTRATIVE CONTROL EXAMPLES

• HIRING AND SCREENING

  • SEPARATE IT PAY PLAN TO COMPETE WITH PRIVATE SECTOR

  • CJIS CERTIFICATION FOR ALL IT EMPLOYEES

  • REQUIRING CERTIFICATIONS OR CONDUCTING HANDS-ON TESTS OF BASIC SKILLS

• SEGREGATION OF DUTIES

  • SPECIAL PROTECTIONS AND NO DAILY USE OF THE ENTERPRISE ADMINISTRATOR PASSWORD AND FUNCTION

  • DIVIDING ADMINISTRATIVE DUTIES AND ACCESS AMONG PERSONNEL

• BUDGETING

  • DEVELOP A MULTI-YEAR PLAN FOR REFRESHMENT BASED ON ANNUAL INVENTORIES OF HARDWARE AND LICENSES

Page 22: GENERAL CONTROLS OVER TECHNOLOGY

PLANNED OBSOLESCENCE IS INCESSANT AND INEVITABLE

Budget for it!


Page 23: GENERAL CONTROLS OVER TECHNOLOGY

IT GENERAL CONTROLS - PHYSICAL

❑ FACILITY ACCESS CONTROLS

❑ WORKSTATION CONTROLS

❑ DEVICE AND MEDIA CONTROLS

❑ FACILITY MAINTENANCE

❑ UPS

❑ BACK UP FACILITIES


Page 24: GENERAL CONTROLS OVER TECHNOLOGY

PHYSICAL CONTROLS EXAMPLES

• COMPREHENSIVE ASSESSMENT AND MONITORING OF DATA CENTER AND IDF CLOSETS

  • PURPOSE BUILT? IF NOT, PROPERLY ADAPTED

  • REMOTE MONITORING FOR INTRUSION AND ENVIRONMENT

  • PROPERLY SECURED

• UPS AND GENERATORS

  • ADEQUATE FOR NEEDS

  • ROUTINELY TESTED

Page 25: GENERAL CONTROLS OVER TECHNOLOGY

IT GENERAL CONTROLS - TECHNICAL

❑ AUTHENTICATION CONTROLS (PASSWORD, ETC.)

❑ ACCESS CONTROLS (OPERATING SYSTEM, APPLICATION)

❑ AUDIT CONTROLS (MONITORING AND TESTING)

❑ ENCRYPTION CONTROLS

❑ ARCHITECTURE CONTROLS (FIREWALLS, VPN, ETC.)

❑ CONFIGURATION CONTROLS

❑ SYSTEM MONITORING - VULNERABILITY SCANS, INCIDENT ALERTS, INTRUSION DETECTION AND PREVENTION

Page 26: GENERAL CONTROLS OVER TECHNOLOGY

TECHNICAL CONTROL EXAMPLES

• PASSWORDS - RECOMMENDATIONS ON STRONG PASSWORDS AND CHANGE FREQUENCY ARE CHANGING, BUT GOVERNMENT MUST ALSO COMPLY WITH CJIS, PCI AND OTHER ENTITIES THAT MAY NOT HAVE CAUGHT UP. COMPLEXITY REQUIREMENTS AND A MINIMUM LENGTH OF EIGHT TO TEN CHARACTERS ARE COMMON.

• MONITORING - POOR CONFIGURATION OR ARCHITECTURE MAY BE DETECTED THROUGH VULNERABILITY SCANS, WHICH CAN ALSO ALERT YOU TO KNOWN HARDWARE OR SOFTWARE WEAKNESSES AND OUT-OF-DATE PATCHES.

• AVOIDING PASSWORD HASH CACHES - POOR CONFIGURATION OR USE OF CERTAIN PERIPHERALS CAN LEAD TO PASSWORD HASHES BEING STORED ON THE NETWORK. ALTHOUGH NOT USABLE IN HASH FORM, SOPHISTICATED SOFTWARE CAN TRY MILLIONS OF POSSIBLE PASSWORDS TO RECOVER THE PASSWORD FROM THE HASH.

• ALERTS - MONITORING SOFTWARE CAN AUTOMATICALLY ALERT IT PERSONNEL WHEN CERTAIN CONDITIONS OCCUR. A SKILLED, EXPERIENCED CONFIGURER IS KEY TO AVOIDING TOO MANY FALSE POSITIVES OR NEGATIVES.
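The alerts bullet above says the configurer decides whether a rule is noisy or blind. The following is an added illustration, not from the deck: a count-based rule over constructed authentication log lines, where the same sample data trips a false positive at one setting and a false negative at another. The log format, addresses and accounts are all constructed.

```python
"""Threshold-and-window alert rule over constructed authentication log lines.

Added illustration, not from the deck. The log format, hosts and accounts
are constructed; the rule flags a source address once it accumulates
`threshold` FAILED logins inside any span of `window_seconds`.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one user mistyping twice, then a 10-attempt burst.
NORMAL = [
    "2024-03-05 08:00:01 auth: FAILED login user=jsmith src=10.0.0.12",
    "2024-03-05 08:00:09 auth: FAILED login user=jsmith src=10.0.0.12",
    "2024-03-05 08:00:15 auth: SUCCESS login user=jsmith src=10.0.0.12",
]
BURST = [
    f"2024-03-05 09:10:{s:02d} auth: FAILED login user=admin src=203.0.113.7"
    for s in range(0, 20, 2)
]
SAMPLE_LOG = NORMAL + BURST


def failed_login_alerts(lines, threshold, window_seconds):
    """Return the set of source addresses that trip the rule."""
    failures = defaultdict(list)  # src -> list of failure timestamps
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m["result"] != "FAILED":
            continue  # unparseable or successful lines do not count
        failures[m["src"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged
```

A threshold of 2 flags the legitimate user as well as the burst (false positive); a 5-second window misses a burst spaced 2 seconds apart (false negative); a threshold of 5 in a 60-second window catches only the burst.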

Page 27: GENERAL CONTROLS OVER TECHNOLOGY

IT GENERAL CONTROLS - VENDOR MANAGEMENT

❑ IT IS HEAVILY DEPENDENT ON VENDORS FOR SOFTWARE, HARDWARE AND SERVICES, MAKING STRONG VENDOR MANAGEMENT CRUCIAL

❑ CONTRACT LANGUAGE (CONFIDENTIALITY, OWNERSHIP, REGULATORY AND LEGAL COMPLIANCE)

❑ PERFORMANCE MONITORING AND ENFORCEMENT

❑ CONTROLS AUDIT, SOC/AT-C 801

❑ VENDOR ACCESS CONTROL

❑ VENDOR COPIES OF CONFIDENTIAL INFORMATION

Page 28: GENERAL CONTROLS OVER TECHNOLOGY

VENDOR MANAGEMENT EXAMPLES

• CENTRAL CONTRACT DATABASE WITH TICKLERS FOR KEY DATES SUCH AS CONTRACT TERM, INSURANCE RENEWALS, LICENSE RENEWALS, ETC.

• USE OF A CONTRACT ATTORNEY SPECIALIZING IN IT TO DRAFT A STANDARD TEMPLATE FOR CONTRACTS

• SOC REPORTS - SEE FOLLOWING SLIDE

• STRONG RFP AND VENDOR VETTING USING MATERIAL AND ADVICE FROM ASSOCIATIONS SUCH AS TAGITM OR CONSULTANTS

• BUYING HARDWARE ONLY FROM OEM SUPPLIERS

• USE OF RECOGNIZED BUSINESS PARTNERS WHEN POSSIBLE

Page 29: GENERAL CONTROLS OVER TECHNOLOGY

CHARACTERISTICS OF SOC REPORTS

• A SOC 1 TYPE 2 REPORT REPORTS ON A SERVICE ORGANIZATION'S INTERNAL CONTROLS OVER THE GENERATION OF INFORMATION INCLUDED BY A THIRD PARTY IN ITS FINANCIAL STATEMENTS FOR A SPECIFIED PERIOD OF TIME (E.G., ONE YEAR)

• TO ISSUE THE REPORT, THE SERVICE AUDITOR WILL NEED TO HAVE PERFORMED TESTING THROUGHOUT THE TIME PERIOD SPECIFIED.

• BY DEFINITION TESTING CANNOT BE DONE AFTER THE PERIOD HAS ENDED, AND AS A RESULT SOC 1 TYPE 2 REPORTS ARE TYPICALLY ISSUED SHORTLY AFTER THE END OF THE TIME PERIOD (E.G., FOUR TO SIX WEEKS)

• WITH COMPLEX ORGANIZATIONS PROCESSING MILLIONS OF TRANSACTIONS PER YEAR, THE SERVICE AUDITOR WILL INVARIABLY HAVE SOME FINDINGS (OFTEN CALLED EXCEPTIONS) THAT THEY WILL REPORT, AND MANAGEMENT WILL FURNISH A RESPONSE

• EXCEPTIONS DO NOT NECESSARILY MEAN THAT THE SYSTEM OF CONTROLS IS NOT WORKING EFFECTIVELY, AND THEY CAN OCCUR WITHOUT THE SERVICE AUDITOR MODIFYING THEIR REPORT

• USERS OF SOC REPORTS SHOULD NOTE THE FREQUENCY OF EXCEPTIONS, INCLUDING WHETHER THE SAME EXCEPTION IS NOTED IN MULTIPLE YEARS, TO CONSIDER POSSIBLE IMPACTS ON FINANCIAL INFORMATION

Page 30: GENERAL CONTROLS OVER TECHNOLOGY

IT GENERAL CONTROLS - SECURITY

❑ PERFORM AN INFORMATION SECURITY RISK ASSESSMENT

❑ SECURITY INCIDENT RESPONSE

❑ SECURITY AWARENESS & TRAINING - EVERY EMPLOYEE WHO HAS ACCESS TO A COMPUTER SHOULD CONSIDER THEMSELVES A SECURITY TEAM MEMBER

❑ THREAT MONITORING

❑ REGULARLY TEST OR MONITOR EFFECTIVENESS OF CONTROLS

❑ HAVE AN OUTSIDE PARTY PERFORM PENETRATION TESTING

❑ PERIODICALLY EVALUATE AND ADJUST THE INFORMATION SECURITY PROGRAM

Page 31: GENERAL CONTROLS OVER TECHNOLOGY

SERVICE ORGANIZATION CONTROL REPORTS

• CATEGORIES OF SOC REPORTS WILL BE A 1 OR 2 BASED ON THE COSO DEFINITION OF THE THREE OBJECTIVES OF ALL ORGANIZATIONS:

  • FINANCIAL REPORTING (1)

  • COMPLIANCE (2)

  • OPERATIONS

• IN ADDITION, SOC REPORTS CAN BE EITHER TYPE 1 OR 2

  • TYPE I INCLUDES THE SERVICE AUDITOR'S OPINION ON THE FAIRNESS OF THE PRESENTATION OF THE SERVICE ORGANIZATION'S DESCRIPTION OF CONTROLS THAT HAD BEEN PLACED IN OPERATION AND THE SUITABILITY OF THE DESIGN OF THE CONTROLS TO ACHIEVE THE SPECIFIED CONTROL OBJECTIVES AS OF A POINT IN TIME.

  • TYPE II STARTS WITH THE INFORMATION CONTAINED IN A TYPE I SERVICE AUDITOR'S REPORT AND ADDS TO IT THE SERVICE AUDITOR'S OPINION ON WHETHER THOSE CONTROLS WERE OPERATING EFFECTIVELY DURING A SPECIFIED PERIOD OF TIME.

Page 32: GENERAL CONTROLS OVER TECHNOLOGY

MAKING EVERY EMPLOYEE AN IT SECURITY OFFICER

▪ INTERNET-BASED TUTORIALS FOR ALL EMPLOYEES ARE AVAILABLE AT VERY REASONABLE COST, OFTEN STARTING AT LESS THAN $10 PER EMPLOYEE PER YEAR

▪ SERVICES CAN RANGE FROM SIMPLE TUTORIALS TO CREATING BASELINES AND CONDUCTING PHISHING CAMPAIGNS TO ASSESS AND REDUCE EMPLOYEE GULLIBILITY OVER TIME

▪ SOME PROVIDERS:

  • WWW.SECURITYMENTOR.COM

  • WWW.KNOWBE4.COM

  • WWW.MEDIAPRO.COM

  • WWW.WOMBATSECURITY.COM

Page 33: GENERAL CONTROLS OVER TECHNOLOGY

LEVERAGING SHARED SERVICES

• TEXAS DEPARTMENT OF INFORMATION RESOURCES (DIR) AWARDED AT&T A MANAGED SECURITY SERVICES (MSS) CONTRACT:

  • AVAILABLE TO ALL GOVERNMENTS IN TEXAS

  • OFFERS A MENU OF A LA CARTE SERVICES WITHIN THREE CATEGORIES:

    • SECURITY MONITORING AND DEVICE MANAGEMENT

    • INCIDENT RESPONSE

    • RISK AND COMPLIANCE

• STATE AGENCIES ARE NOW REQUIRED TO PERFORM A CYBERSECURITY ASSESSMENT EVERY TWO YEARS. LOCAL GOVERNMENTS WOULD BE SMART TO FOLLOW THE MODEL.

Page 34: GENERAL CONTROLS OVER TECHNOLOGY

MY FAVORITE FOUR-LETTER WORD - FREE!

• THE DEPARTMENT OF HOMELAND SECURITY (WWW.DHS.GOV) OFFERS A VARIETY OF FREE SERVICES TO STATE AND LOCAL GOVERNMENT (HTTPS://WWW.DHS.GOV/SITES/DEFAULT/FILES/PUBLICATIONS/4_STC-DHS-STATE-OFFERINGS.PDF), INCLUDING:

  • THE CYBER SECURITY EVALUATION TOOL (CSET) - [email protected] AND HTTPS://ICS-CERT.US-CERT.GOV/ASSESSMENTS

  • THE CYBERSECURITY ASSESSMENT AND RISK MANAGEMENT APPROACH - [email protected]

• THE SANS INSTITUTE IS A COOPERATIVE RESEARCH AND EDUCATION ORGANIZATION (WWW.SANS.ORG) SPECIALIZING IN IT SECURITY. THEY OFFER A VARIETY OF FREE RESOURCES AND FOR-FEE COURSES, CONFERENCES AND CERTIFICATIONS.

• ALSO, INQUIRE OF YOUR CYBER POLICY INSURANCE CARRIER REGARDING ASSESSMENT RESOURCES OR PRE-IDENTIFIED CONSULTANTS THAT CAN HELP

Page 35: GENERAL CONTROLS OVER TECHNOLOGY

IT CONTROL AND SECURITY MODELS

FIND WHAT WORKS FOR YOU


Page 36: GENERAL CONTROLS OVER TECHNOLOGY

IT FRAMEWORKS

• THERE ARE VARIOUS FRAMEWORKS OR GUIDELINES FOR IT MANAGEMENT; THREE COMMONLY USED ARE:

  • ITIL (INFORMATION TECHNOLOGY INFORMATION LIBRARY)

  • NIST (NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY)

  • COBIT (CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY)

• WHILE ALL CAN BE USEFUL, IT IS IMPORTANT TO REMEMBER THAT NONE ARE PRESCRIPTIVE OR ALL-INCLUSIVE. THEY ARE SIMPLY BEST PRACTICE RECOMMENDATIONS AND TRAINING THAT MUST BE ADAPTED TO YOUR INDIVIDUAL ORGANIZATION.

• THE IMPORTANT THING IS A METHODICAL, COMMITTED, CONTINUAL APPROACH THAT RELIES ON TRAINING, ENVIRONMENTAL AWARENESS, VIGILANCE AND ADAPTABILITY TO CHANGING CIRCUMSTANCES.

Page 37: GENERAL CONTROLS OVER TECHNOLOGY

ITIL

• SPONSORED BY THE UK GOVERNMENT TO IMPROVE IT PROCESSES

Page 38: GENERAL CONTROLS OVER TECHNOLOGY

NIST FRAMEWORK

• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PUBLISHES A HIGHLY RESPECTED FRAMEWORK


Page 40: GENERAL CONTROLS OVER TECHNOLOGY

COBIT FRAMEWORK


Page 41: GENERAL CONTROLS OVER TECHNOLOGY

COBIT EVOLUTION - A BUSINESS FRAMEWORK FROM ISACA, AT WWW.ISACA.ORG/COBIT (© 2012 ISACA, ALL RIGHTS RESERVED)

[Figure: timeline of COBIT's evolving scope from 1996 to 2012. COBIT 1 (1996) - Audit; COBIT 2 (1998) - Control; COBIT 3 (2000) - Management; COBIT 4.0/4.1 (2005/7) - IT Governance; COBIT 5 (2012) - Governance of Enterprise IT, also drawing in Val IT 2.0 (2008) and Risk IT (2009).]

Page 42: GENERAL CONTROLS OVER TECHNOLOGY

CALL TO ACTION

• JUST AS IT GENERAL CONTROLS AFFECT THE ENTIRE ORGANIZATION, EFFECTIVE AND SECURE IT CANNOT HAPPEN SOLELY IN THE IT DEPARTMENT:

  • ALL DEPARTMENTS MUST DO THEIR PART WITH REALISTIC EXPECTATIONS, SECURITY AWARENESS AND PROACTIVE MANAGEMENT AND KNOWLEDGE OF THEIR DEPARTMENT-SPECIFIC APPLICATIONS

  • FINANCE PLAYS AN ESPECIALLY CRUCIAL ROLE IN CURRENT AND MULTI-YEAR BUDGETING TO ENSURE NEEDED RESOURCES, AND IN AIDING WITH EXPERTISE AND ADVICE ON CONTROL STRATEGIES

  • ALL OF US NEED TO INCREASE OUR UNDERSTANDING OF IT OPERATIONS AND THE ROLE WE PLAY IN ENSURING AN EFFECTIVE AND SECURE IT OPERATION.