10/16/2013

IT AUDIT
#NERDSTRONG
Bio
- Indiana University graduate (3 times so far)
- IT Audit Program Manager at IU Health
- 15+ years in auditing, 13 as an IT auditor
- 2nd degree black belt candidate
- Mom to the most adorable 9 year old on the planet.
Objectives for Today
- IT general controls review strategies for non-IT auditors.
- How to test basic IT general controls in a small business environment.
- Leading practice recommendations for securing personal, proprietary and client confidential electronic information, including portable storage media, iPads/tablets, SmartPhones and remote personal/Cloud storage.
What is PII?
(personally identifiable information)
- Full name (or common name)
- Date of birth
- Birthplace
- National identification numbers (SSN, Driver's License)
- Vehicle registration or plate number
- Email address (and/or IP address in some cases)
- Face (photos), fingerprints, or handwriting
- Genetic/Health information, including insurance information
- Credit card numbers
- Digital identity
- Criminal record

ITGCs
(IT general controls)
ITGCs are...
Controls that apply to all hardware/software, processes, and data for an organization or IT environment. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.

ITGCs are...
Types of ITGCs include:
- Automated Controls
  - Programmed controls (requirement configured in the application settings).
  - Considered a strong control because it will function the same way each time (as long as the control is not changed/reprogrammed).
  - Example: Transaction requires management's electronic approval/sign-off to move the process forward.
- Partially Automated Controls
  - People rely on information from IT systems (system-generated reports) for the control.
  - Considered less strong because of the human element.
  - Example: Bank reconciliation, where the control uses reports from the general ledger system.
- Manual Controls
  - People enable a control that is not technology dependent.
  - Example: Two or more physical signatures on a check.
ITGCs for small spaces
Common ITGCs for small business include (but are not limited to):
- IT governance
- Policies/procedures (SANS and NIST have good templates)
- Network security
- Encryption
- Logical and physical access
- Application (transaction) controls can be manual or automated and include passwords, role-based access, logging/monitoring, segregation of duties, etc.
- Virus/malware protection
- Disaster recovery
- Backup/restore

ITGCs for small spaces
Why are ITGCs important?
- There is an IT infrastructure supporting critical business processes in almost every company.
- ITGCs can be applied regardless of business size or complexity.
- Without effective ITGCs, reliance on IT systems may not be possible.
Reviewing ITGCs
(How to hit the high points and identify the risks)

The Usual Suspects Checklist
- Are IT policies and procedures documented?
- Have employees signed acceptable use and/or confidentiality agreements?
- Ask employees:
  - Are you familiar with the company's IT Security policies?
  - Are you familiar with the company's privacy/confidentiality of client information policy?
  - Where would you find a copy of these policies?
The Usual Suspects Checklist
- Is user access unique and role-based?
- Is the approver of access different from the person who sets up access in the system? (Segregation of duties)
- Is access to the network and all applications removed immediately on termination?
- Are user accounts and user activity logs periodically reviewed?
- Are passwords/user credentials written down and kept near the workstation (taped to monitor, inside desk drawer, under keyboard or mouse pad)?
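As an added example (not part of the slides), the access items in this checklist can be tested with a small script run over a system account export reconciled against the HR roster: it flags accounts not tied to a unique employee, accounts still enabled after termination, accounts whose approver also provisioned them, and accounts with no recent login. The roster, account fields, review date and 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the slides): a simplified HR roster and
# a system account export, as an auditor might receive them in CSV form.
HR_ROSTER = {
    "E100": {"name": "Alice", "terminated": None},
    "E101": {"name": "Bob", "terminated": date(2013, 9, 30)},
    "E102": {"name": "Carol", "terminated": None},
}
ACCOUNTS = [
    {"user": "alice", "owner": "E100", "enabled": True,
     "last_login": date(2013, 10, 15), "approved_by": "E102", "provisioned_by": "ADM1"},
    {"user": "bob", "owner": "E101", "enabled": True,           # terminated, still enabled
     "last_login": date(2013, 9, 29), "approved_by": "E102", "provisioned_by": "ADM1"},
    {"user": "carol", "owner": "E102", "enabled": True,         # approver set up the access
     "last_login": date(2013, 5, 1), "approved_by": "ADM1", "provisioned_by": "ADM1"},
    {"user": "genled_svc", "owner": "SHARED", "enabled": True,  # not tied to one employee
     "last_login": date(2013, 10, 10), "approved_by": "E100", "provisioned_by": "ADM1"},
]
REVIEW_DATE = date(2013, 10, 16)   # date of the review (assumed)
DORMANT_DAYS = 90                  # assumed threshold for "periodically reviewed"


def review_access(roster, accounts, review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return (username, finding) pairs for the checklist items: unique/role-based
    access, approver vs. provisioner, removal on termination, periodic review."""
    findings = []
    for acct in accounts:
        user, emp = acct["user"], roster.get(acct["owner"])
        if emp is None:
            findings.append((user, "not tied to a unique employee (shared/generic account)"))
        elif emp["terminated"] and acct["enabled"]:
            findings.append((user, f"enabled after termination on {emp['terminated']}"))
        if acct["approved_by"] == acct["provisioned_by"]:
            findings.append((user, "approver also provisioned the account (segregation of duties)"))
        if acct["enabled"] and (review_date - acct["last_login"]).days > dormant_days:
            findings.append((user, f"no login in the last {dormant_days} days (dormant account)"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS):
        print(f"{user:12} {finding}")
```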
The Usual Suspects Checklist
- Are workstations and servers in the business unit in secure locations?
- Can visitors view/access workstations?
- Are screen savers used (with auto timeout and password lock)?
- Who has physical access to the server room?
- Is the wireless network password protected?
  - Has the default password been changed?
  - Encryption turned on?
The Usual Suspects Checklist
- Can users access company systems remotely? VPN?
- If home computers are used for remote access, can client/company data be downloaded to personal PCs? (Potentially non-secured connection; shared personal PC, etc.)
- Are user IDs or passwords shared with other employees/contractors?
  - If yes, with whom and for what application(s)?
  - Is there a business need to share?
- Can non-company personnel access company systems from a remote location?
  - If yes, who and for what application(s)?
  - Is there a business need for access?
  - Has the 3rd party signed a confidentiality agreement?

The Usual Suspects Checklist
- Are applications and data backed up on a regular basis?
- Is the backup kept in a secure off-site location?
- Are all mobile devices (laptops, tablets, SmartPhones, etc.) used for company business required to be password protected (including BYODs)?
  - Have default passwords been changed?
  - Malware protection?
  - Encryption? (including SD cards)
The Usual Suspects Checklist
- Are USB drives and other portable storage media utilized for business purposes required to be encrypted?
- Does the client know how to report a possible IT security and/or privacy incident/breach?
  - Indiana Privacy Law

The Usual Suspects Checklist
Other considerations:
- Social Networking (policy in place)
- Office equipment
  - Digital camera
  - Copier hard drive (internal memory card)
- Shredder use required
- Credit card acceptance (PCI DSS): a workshop in itself
Mobile and Cloud computing
(Considerations for you and your client)

Threats to Mobile Computing
- Many businesses are going to BYOD, but SmartPhones/tablets now have the same risk as conventional computer systems.
  - Complete O/S, lots of apps, and the end user is in control (vs. IT).
  - More viruses/malware (and a lower threshold of hacking experience needed).
  - Additional attack flanks > SMS/text phishing.
  - Require weak or no authentication (default password or minimal characters).
Threats to Mobile Computing (cont.)
- Lose your device, lose your data (it's the data that's valuable, not the device).
  - Shipped with several GB of onboard storage.
  - How-tos for breaking vendor encryption can be easily Googled.
  - Memory cards are typically not encrypted by default.
- Remote wipe is frequently subject to failure.
  - Criminals immediately remove the SIM to prevent remote wipe.
- If BYOD, who owns the data? (Get to Legal to discuss liability ASAP.)
  - What if the employee terminates?

Securing The Device
Steps to Secure Your Mobile Device
1. Develop appropriate policies, procedures, standards, and guidelines for mobile devices.
2. Configure mobile devices securely.
   - Enable auto-lock & password protection (complex passwords).
   - Avoid using features that remember usernames or passwords.
   - Ensure browser security settings are configured appropriately.
   - Enable remote wipe.
   - Ensure that SSL protection is enabled, if available.
3. Connect to secure Wi-Fi networks and disable Wi-Fi, Bluetooth, GPS, etc. when not in use.
   - Set Bluetooth-enabled devices to non-discoverable to render them invisible to unauthenticated devices.

Steps to Secure Your Mobile Device (cont.)
4. Update mobile devices frequently. Select the automatic update option if available.
5. Use digital certificates on mobile devices.
   - An "electronic ID card" that verifies credentials when doing business or other transactions on the Web.
6. Take appropriate physical security measures to prevent theft or enable recovery of mobile devices.
   - Use cable locks and tracking software (e.g., Computrace, Lookout, MobileMe, STOP).
   - Never leave your mobile device unattended.
   - Report lost or stolen devices immediately.
   - Back up data on your mobile device on a regular basis.
Steps to Secure Your Mobile Device (cont.)
7. Delete all information stored on a device prior to discarding, exchanging, or donating it.
8. Implement ongoing and up-to-date mobile device security training.

Life in The Cloud
The Cloud and Personal Remote Storage
End users access cloud-based applications through a web browser on a desktop or through a mobile app, while the software and data are stored on servers at a remote location.
Three types:
- Private: exclusive use by a single organization.
- Public: open use by the general public (Amazon, Google, Microsoft, etc.).
  - Includes Cloud-based personal storage services such as Box.net, Google Docs, DropBox, RackSpace, Carbonite, Mozy, Snapfish, Flickr, Shutterfly, etc.
- Hybrid: a combination of public/private.
Security Considerations for Cloud Computing
Security, privacy, identity, and other compliance implications of moving data into the cloud.
1. Confidentiality and Privacy
   - Certain industries are governed by Federal/State regulations such as HIPAA or FERPA to protect personal data; placing that data in the cloud introduces new risk.
2. Data Breach Responsibilities and Security. Placing data and services in the cloud amplifies concerns about data breaches (security is not under direct control of the data owner).
   - A data breach generally carries with it an obligation to notify.
   - What goes to the Cloud stays in the Cloud! (There is no way to get data back.)
3. E-Discovery
   - Records are not under direct institutional control; the institution no longer has the record in the same way that it formerly did. How does one 'discover' what one does not have?
Source: https://wiki.internet2.edu/confluence/display/itsg2/Cloud+Computing+Security
Security Considerations for Cloud Computing (cont.)
So can a public Cloud be used securely? Maybe.
- For personal use: be selective about what you store in the Cloud.
- For business use: pay close attention to vendor contracts and BAA/SLA language.
- Emergence of Vertical Clouds (industry-specific).
- NIST recently published Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing.
Beyond This Workshop
- SANS IT Policy templates: http://www.sans.org/security-resources/policies/
- The California Office of Information Security Risk Assessment Toolkit: http://www.cio.ca.gov/OIS/Government/documents/docs/RA_Checklist.doc
- 10 Best Practices for the Small Healthcare Environment: http://www.healthit.gov/sites/default/files/basic-security-for-the-small-healthcare-practice-checklists.pdf
- CompTIA Risk Assessment Checklist For Small Business: http://www.comptia.org/news/pressreleases/0907-28/A_Risk_Assessment_Checklist_For_Small_Business.aspx
- BBB Securing Sensitive Data: http://www.bbb.org/data-security/securing-sensitive-data/overview/
- SmallBusinessComputing.com: http://www.smallbusinesscomputing.com/
Questions?
Thanks!
Carole J. Guess, MBA, MSA, CISA, CRISC
cguess@iuhealth.org
