Computer Society of Zimbabwe
IT Risk Assurance Perspective on Information Security
09 June 2015
www.pwc.com
Presented by: Tambu Mawere, Senior Manager: Risk Assurance Services
Agenda
Board is accountable to conscience
Management is accountable to the Board
Employees are accountable to Management
Right, effective, ethical Board tone
Committed management team
Good Corporate Governance
Information Technology Risk and Control
Presented by: Mary-Jane Mberi, Associate Director: Risk Assurance Services
Agenda
With trust in your data and security, with resilience built into your systems, and with the knowledge that your digital transformations will succeed, you'll have the confidence to embrace your digital future and enjoy the exponential impact it has on your growth.
General risks: Information Access Risk, System Continuity Risk, Program Change Risk, Organisational Structure and Procedure Risk, Operational Risk, Environmental Risk, Information and Related Risk
System risks: System Access Risk, Processing Risk, Pre-input Risk, Rejection Risk, Input Risk, Output Risk
Purpose
Procedures
Responsible
Accountable
Consulted
Informed
Monitoring
Data: user rights and privileges (database and file access); access to data tools; access to tables, stored procedures and triggers; rights afforded via applications
Transactions: user rights and privileges (permissions); segregation of duties
Reports: user rights and privileges (permissions); distribution limitations
Equipment: building management; physical security
Sophisticated Attacks: Attacks may originate from a wide range of sources including state-sponsored groups, organized crime, socially motivated "hacktivists" or even trusted insiders.
Emerging Technologies:
Cloud: Business drivers and cost reduction benefits have accelerated the cloud movement and the adoption of insecure and non-compliant cloud solutions.
Mobile Devices: Smartphones, tablet computers and laptops contain troves of sensitive business information, and are often not well controlled.
Social Media: Organizations lacking enforceable policies, monitoring capabilities and rapid incident response plans to properly control and react to social media messages have seen their brand reputations quickly damaged.
Privacy & Data Loss Prevention: Customers and employees care about the privacy of their data, and expect companies to protect it.
Regulatory Changes and Frameworks: Regulations and frameworks are becoming stricter and more complex, and regulators are increasing enforcement.
3rd Party Vendors: Organizations are engaging 3rd parties for data processing and storage, which increases risk, requires additional oversight and necessitates additional brand protection strategies in the event of a breach.
Internal Audit: Companies need to have highly skilled and available resources that can perform effective IT Risk Assessments, IT Governance Reviews, IT Application Reviews, and IT Technical Control Reviews.
Third Party Assurance: Increased reliance on 3rd parties, remote access, and emerging technologies have effectively removed the network boundary and traditional security controls; traditional Third Party Reports (SSAE16) no longer give companies the additional comfort they require over the security and privacy of their company's data.
Define ownership
External CRO
Chief Information Security Officer
Information Security Staff
standards
Software installation staff
Define scope
What is the definition of the guidance
Mandatory or discretionary
Threats and vulnerabilities
Incident management
Identify incident
Escalate to correct area
Isolate and safeguard
Log change
Test changes
Track progress
Implement change
Report to IT Exco
Fraud
Fraud Incentives, Opportunities and Rationalisation
Presented by: Thompson Mucheki, Senior Manager: Forensic Services
Agenda
1. Definition of fraud
2. The Fraud Triangle
3. The Fraud Diamond
4. The Fraud Scale
5. Fraud Red Flags
Unlawfully making a misrepresentation, with intent to defraud, causing prejudice
Pressure, Opportunity, Rationalization
Dr Donald Cressey
PwC & CSZ June 2015
Motivation to commit fraud
Pressure, Opportunity, Rationalization, Capability
Capability involves personal traits and abilities that play a major role in whether fraud will actually occur, transforming Donald Cressey's triangle model from a triangle into a diamond.
www.acfe.com
Dr Steve Albrecht
Fraud Red Flags
Marital/family problems
Overreliance on few key individuals
Digital Forensic Solutions
Presented by: Tendai Kanjanda, Manager: Forensic Technology Services
Agenda
1. Computer Fraud
2. Cyber Fraud Techniques
3. Prevention
4. Investigating Cyber Fraud
Definition
Africa 7%
Asia 5%
South America 4%
Europe 2%
North America 1%
https://www.iovation.com/news/press-releases/iovation-identifies-top-continents-for-online-fraud-in-2012
engineering attack.
Email Artefacts
Internet Artefacts
Network Analysis
The information contained in this publication by PwC is provided for discussion purposes only and is intended to provide the reader or his/her entity with general information of interest. The information is supplied on an as-is basis and has not been compiled to meet the reader's or his/her entity's individual requirements. It is the reader's responsibility to satisfy himself or herself that the content meets the individual's or his/her entity's requirements. The information should not be regarded as professional or legal advice or the official opinion of PwC. No action should be taken on the strength of the information without obtaining professional advice. Although PwC takes all reasonable steps to ensure the quality and accuracy of the information, accuracy is not guaranteed. PwC shall not be liable for any damage, loss or liability of any nature incurred directly or indirectly by whomever and resulting from any cause in connection with the information contained herein.