INFORMATION TECHNOLOGY AND INFORMATION MANAGEMENT AUDIT

Jose Luis Garcia, Director, IT Audit, Scotiabank Chile

May 14, 2013

Your Presenter

Jose Luis Garcia, Director, IT Audit, Scotiabank Chile

Agenda

• Definition of Information
• Information Criteria
• IT Audit Layer Approach
• Physical Security Layer
• IT Service Continuity Layer
• Logical Security Layer
• SDLC Layer
• IT Management Layer
• Conclusions

Definition of Information

• Information is a valuable asset
  – Business details
    • Customer data, financial reports, business transactions
  – Knowledge
    • Policies, procedures, workflows
  – IT related data
    • Parameters, configuration settings, privileges
• As any other valuable asset, information must be protected

Information Criteria

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

Layer approach

• Physical Security
• Service Continuity
• Logical Security
• SDLC
• IT Management

Cobit Domains

• PO (Plan and Organise) – Control Objectives
• AI (Acquire and Implement) – Control Objectives
• DS (Deliver and Support) – Control Objectives
• ME (Monitor and Evaluate) – Control Objectives

Poll #1

Does your organization have its own datacentre?

a) Yes, we have a single datacentre
b) Yes, we have a primary site and a backup site
c) No, we outsource our datacentre services to a third-party
d) No, we use cloud services
e) I don’t know
f) Not applicable

Physical Security Layer


• Owned datacentres
  – Organizations were responsible for controls
  – Physical security controls:
    • Electronic and keypad locks, codified badges, biometric devices, security guards, security cameras, alarm systems.
  – Environmental controls:
    • Fire alarms, smoke and water detectors, UPS, etc.
• Outsourced datacentres
  – Providers were required to demonstrate the effectiveness of internal controls
    • SAS 70 Report, Section 5970 Report, CSAE 3416
  – Governance principles
    • Contract clauses, SLAs

Physical Security Layer


• Cloud computing
  – Data processing has become a commodity
  – Technology enablers
    • Virtualization
    • Service Oriented Architecture (SOA)
  – Service delivery can be run from anywhere
  – New datacentre standards
    • TIA-942

Poll #2

Does your organization have a disaster recovery plan in place?

a) Yes, the plan is formalized and tested periodically
b) Yes, the plan has been recently approved
c) No, but there are plans to prepare one
d) No, there are no immediate plans to prepare one
e) No, we rely on a third party provider
f) I don’t know
g) Not applicable

IT Service Continuity Layer


• Business operations depend on technology
• Technology is vulnerable to disasters
• BCP / DRP
• Recovery approach
  – Redundancy
    • Cold sites
    • Warm sites
    • Hot sites
    • Disk mirroring / High availability technologies

IT Service Continuity Layer


• Cloud computing
  – Service models
  – Deployment models
• Resilience approach
  – BCP for local events
  – Due diligence on provider’s BCP
  – Backup data
  – Cloud redundancy

IT Service Continuity


Analysis: Amazon's Christmas faux pas shows risks in the cloud

(Reuters) - A Christmas Eve glitch traced to Amazon.com Inc that shuttered Netflix for users from Canada to South America highlights the risks that companies take when they move their datacenter operations to the cloud.

http://www.reuters.com/article/2012/12/27/us-amazon-cloud-idUSBRE8BQ00220121227

Lessons from Amazon Cloud Lightning Strike Outage

By Tony Bradley, PCWorld, Aug 10, 2011 7:16 AM

A lightning strike in Dublin took out a power transformer. In and of itself, that isn't all that unusual or noteworthy, but this particular lightning strike also impacted the backup power systems at Amazon's cloud data center, knocking the service offline. Looking back, there are some lessons to be learned both for Amazon, and for businesses that rely on cloud services.

http://www.pcworld.com/article/237673/lessons_from_amazon_cloud_lightning_strike_outage.html

F.B.I. Seizes Web Servers, Knocking Sites Offline

By VERNE G. KOPYTOFF

The F.B.I. seized Web servers in a raid on a data center early Tuesday, causing several Web sites, including those run by the New York publisher Curbed Network, to go offline. In an e-mail to one of its clients on Tuesday afternoon, DigitalOne’s chief executive, Sergej Ostroumow, said: “This problem is caused by the F.B.I., not our company. In the night F.B.I. has taken 3 enclosures with equipment plugged into them, possibly including your server — we cannot check it.”

http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

Amazon's partial cloud failure takes out several popular websites

A partial failure of Amazon's cloud server network brought down the websites of several popular services, including Quora, Reddit and Foursquare for several hours beginning around 4:41am Eastern Time Thursday. The issues were isolated to the company's data centers in Northern Virginia.

http://betanews.com/2011/04/21/amazon-s-partial-cloud-failure-takes-out-several-popular-websites/

Logical Security Layer

• Logical Access Controls
  – Data classification
    • Restricted, private, public
  – Access matrices
  – System profiles
  – Audit logs
• User account and password management
  – Identification
  – Authentication
• Malicious code control
  – Hardening
  – Antivirus
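The four logical access controls listed on this slide (data classification, an access matrix, system profiles and audit logs) fit together as one mechanism: a request carries a user, a system profile, an action and the classification of the data, the matrix decides, and every decision is written to an audit log that an auditor can review. The following is an added illustration written for this transcript, not code from the presentation or from Scotiabank; the profile names, classification ceilings and sample requests are constructed, and the design choices (deny by default for unknown profiles or unlabelled data) are the example's own.

```python
"""Illustrative logical access control check: classification-aware access
matrix with an audit log. Constructed example for this transcript; profiles,
levels and sample requests are not from the presentation."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data classification levels from the slide, ordered least to most sensitive.
CLASSIFICATION_RANK = {"public": 0, "private": 1, "restricted": 2}

# Access matrix (constructed): system profile -> highest classification the
# profile may touch and the actions it may perform. Anything not listed is denied.
ACCESS_MATRIX = {
    "teller":  {"ceiling": "private",    "actions": {"read"}},
    "analyst": {"ceiling": "restricted", "actions": {"read"}},
    "dba":     {"ceiling": "restricted", "actions": {"read", "write"}},
}


@dataclass
class AuditEvent:
    when: str
    user: str
    profile: str
    action: str
    resource: str
    classification: str
    decision: str   # "ALLOW" or "DENY"
    reason: str


@dataclass
class AccessController:
    matrix: dict
    audit_log: list = field(default_factory=list)

    def check(self, user, profile, action, resource, classification) -> bool:
        """Decide a request and record the decision, allowed or not."""
        decision, reason = self._decide(profile, action, classification)
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, profile=profile, action=action, resource=resource,
            classification=classification, decision=decision, reason=reason))
        return decision == "ALLOW"

    def _decide(self, profile, action, classification):
        entry = self.matrix.get(profile)
        if entry is None:
            return "DENY", "profile not present in access matrix"
        if classification not in CLASSIFICATION_RANK:
            # Unlabelled data is a classification failure, not an open door.
            return "DENY", "data carries no recognised classification label"
        if action not in entry["actions"]:
            return "DENY", f"action {action!r} not granted to profile {profile!r}"
        if CLASSIFICATION_RANK[classification] > CLASSIFICATION_RANK[entry["ceiling"]]:
            return "DENY", f"{classification} exceeds profile ceiling {entry['ceiling']}"
        return "ALLOW", "permitted by access matrix"


def denied_by_user(controller: AccessController) -> dict:
    """Audit-log review helper: count of denied requests per user."""
    return dict(Counter(e.user for e in controller.audit_log if e.decision == "DENY"))


def demo() -> list:
    """Run constructed sample requests and return the list of decisions."""
    ac = AccessController(ACCESS_MATRIX)
    requests = [
        ("u1", "teller", "read",  "acct/123",  "private"),     # allowed
        ("u1", "teller", "read",  "hr/salary", "restricted"),  # above ceiling
        ("u2", "dba",    "write", "db/params", "restricted"),  # allowed
        ("u3", "guest",  "read",  "site/home", "public"),      # unknown profile
        ("u1", "teller", "write", "acct/123",  "public"),      # action not granted
    ]
    results = [ac.check(*r) for r in requests]
    for e in ac.audit_log:
        print(f"{e.when} {e.user} {e.profile} {e.action} {e.resource} "
              f"[{e.classification}] {e.decision}: {e.reason}")
    return results


if __name__ == "__main__":
    demo()
```

The point an auditor would look for is that the log records denials as well as grants with the reason for each, so that the access matrix can be evidenced from the log rather than from the configuration alone, and that the default for anything the matrix does not describe is a logged deny.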


Logical Security Layer

• Network security
  – Firewalls
  – IDS
  – Proxies
• Mobile devices
  – Encryption
  – Configuration
  – Remote wipe
• Social media
  – Policies

Logical Security Layer

• Cloud
  – Privileged accounts
  – Change control process
  – Hardening local systems and infrastructure

SDLC Layer

• Complex business environment
  – IS as a competitive advantage
  – New technologies
• In-house SDLC methodologies
  – Size, density
  – Linear models
    • SDLC, Waterfall
  – Iterative models
    • Prototyping, Spiral, RAD

SDLC Layer

• In-house SDLC methodologies (continued)
  – Parallel models
    • Alternative path
  – Rapid response models
    • UML, XP
• Third-party development
  – Integration
  – Security
  – Dependency

Poll #3

Does your organization measure the financial benefits of IT applications?

a) There is an ongoing monitoring of all IT applications
b) All new IT applications are evaluated after implementation
c) Only some applications are evaluated
d) No, financial benefits are not measured
e) I don’t know
f) Not applicable

IT Management Layer

• IT Governance
  – IT function, service providers, Information Security
• Business – IT Alignment
  – Steering Committee
• Value Management
  – Different type of investments
  – Key metric definition
  – Accountability
  – Ongoing monitoring

IT Management Layer

• IT Portfolio Management
  – Strategic direction
  – Resource availability
  – Selection criteria
  – Monitor benefits
• Investment Management
  – Business case
  – Develop program plan
  – Update operational IT portfolios
  – Retire program

Conclusions

• Technology has transformed organizations;
• Risk and controls have evolved;
• Use a layer approach to identify major concerns for your organization;
• There are many IT control guidelines available to assist auditors to identify risks and controls on each layer.

Questions?

Jose Luis Garcia, Director, IT Audit, Scotiabank Chile