
www.pwc.com

Computer Society of Zimbabwe

IT Risk Assurance Perspective on Information Security

09 June 2015

Governance, Risk and Controls

Presented by:
Tambu Mawere
Senior Manager: Risk Assurance Services
Agenda

1. Corporate Governance Overview
2. What can go wrong (Risk)
3. Controls

PwC & CSZ June 2015
Headlines

"RBZ Bemoans Poor Corporate Governance. Lack of good corporate governance has led to many companies in this country, including banks, closing." 15 Jan 2015, FinGaz

"Poor corporate governance behind corporate failures." 21 Nov 2013, FinGaz

"The RBZ Governor Dr Gideon Gono has placed the struggling Renaissance Merchant Bank under curatorship for the next six months after investigations revealed the collapse of corporate governance structures within the institution." June 3, 2011 (www.rbz.co.zw)
Corporate Governance Overview

"Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined" (OECD Principles of Corporate Governance).

"The framework of rules and practices by which a board of directors ensures accountability, fairness, and transparency in a company's relationship with all its stakeholders (financiers, customers, management, employees, government, and the community)." http://www.businessdictionary.com/definition/corporate-governance
Corporate Governance Overview contd

- The Board is accountable to the shareholder
- Self accountability: to one's conscience
- Management is accountable to the Board
- Employees are accountable to Management
Corporate Governance Overview contd

Corporate governance elements:
- Ethics
- Boards and directors
- Board Committees
- Internal Controls and Internal Audit
- Risk governance
- IT governance
- Stakeholder management

The Board is accountable and responsible for the governance of the organization.
What can go wrong (Risk)

- Misalignment of corporate strategy and activities
- Unsustainable governance framework (structures and procedures)
- Lack of role clarity (Board & Management)
- Inappropriate skills mix
- Unethical behaviour
- Non-compliance with applicable laws, rules, standards and codes
- Unmet stakeholder needs / expectations
Controls

- Involvement of the Board in strategy formulation
- Terms of reference benchmarked against best practices, clearly spelling out:
  - role and duties of the Board and Committees
  - role of management (Operational, specialists and Internal Audit)
  - required skills mix for the Board and Committees
- Board and management performance evaluations
- Right tone at the top
- Board and staff codes of ethics
Conclusion

Right ethical tone + Effective Board + Committed management team = Good Corporate Governance
Information Technology Risk and Control

Presented by:
Mary-Jane Mberi
Associate Director: Risk Assurance Services

Agenda

1. IT Risk Assurance Overview
2. IT Environment Risks
3. Risk & Compliance, Internal Audit, External Audit
4. IT Risk Assurance Perspective: Managing Security
IT Risk Assurance - Overview

Ensuring TRUST over information and data in your organisation.

Trust means that:
- your customers will buy your products on-line and have confidence you'll keep their data secure
- your suppliers know your systems won't fail them
- you have the confidence to move your business forward by embracing technology and the opportunities it has to offer.

With trust in your data and security, with resilience built into your systems, and with the knowledge that your digital transformations will succeed, you'll have the confidence to embrace your digital future, and enjoy the exponential impact it has on your growth.
IT Environment Risks

IT General Controls risks:
- Information / General Access Risk
- System Continuity Risk
- Program Change / Operational Risk
- Organisational Structure and Procedure Risk
- Environmental / Information and Related Risk

Application Controls risks:
- System Access Risk
- Processing Risk
- Pre-input Risk
- Rejection Risk
- Input Risk
- Output Risk
IT Environment Risks contd: Headlines

"Former Turnall bosses accused of fraud. Turnall Holdings had to restate its 2013 accounts after an internal audit carried out at the company unearthed fraudulent transactions alleged to have been perpetrated by the previous management..." April 1, 2015, Herald

"Econet loses $320 000 airtime. Econet Wireless reportedly lost thousands of dollars to a salesman who allegedly converted over $320 000 worth of airtime to his own use..." March 24, 2015, Herald

"Bank Frauds in Zimbabwe: How much is the public told? With most financial institutions turning to computerisation to facilitate speedy monetary transactions, Zimbabwe may well have thrown itself into the complicated world of computer fraud..." www.insiderzim.com
Risk & Compliance, Internal Audit, External Audit

IT Governance Reviews: Assessing critical firm-wide IT risk related initiatives, processes or regulatory activities.

IT Application Reviews: Assessing an application or suite of applications to determine whether the appropriate controls are in place and whether they are designed and operating effectively.

IT Technical Control Reviews: Assessing the controls governing the critical IT infrastructure that provide the foundation of a firm's technology base.
IT Risk Assurance Perspective: Managing security

Objective
Protect business information in order to maintain the level of information security risk acceptable to the enterprise, establishing and maintaining information security roles and responsibilities, policies, standards, and procedures. Perform security monitoring and periodic testing and implement corrective actions for identified security weaknesses or incidents.

Purpose
Minimise the business impact of information security vulnerabilities and incidents.

Committees
- Board & Exco
- IT Exco
- Risk Committee & Audit Committee

Policies
- Define ownership
- Define scope and effective date
- Implementation & Monitoring
- Deviation

Standards
- Objective
- Repeatable
- Governed by policy
- Monitoring & Deviations

Procedures
- Objective and good practice
- Executable (Documented, Communicated)
- Repeatable (Automated, understandable, owned)
- Accountable (Monitored)

Roles and responsibilities
- Responsible
- Accountable
- Consulted
- Informed

Monitoring
Managing Security: Areas we protect

Identity of the user
- User ID, Password, Tokens, Smartcards, Biometrics

Access to network, site or server
- User rights and privileges
- Digital Certificates, SSL, HTTPS, IPSec etc.
- Firewalls, Routers, Switches

Programs and software
- Administrator rights
- User rights and privileges (Object Access)
- Access controls to programs, source code, software build and deployment tools

Folders where data is stored
- User rights and privileges (File and folder permissions)

Data
- User rights and privileges (database and file access)
- Access to data tools
- Access to tables, stored procedures, triggers
- Rights afforded via applications

Scripts and operational tools
- Access to tools and utilities

Transactions
- User rights and privileges (Permissions)
- Segregation of duties

Reports
- User rights and privileges (Permissions)
- Distribution limitations

Equipment
- Building management
- Physical security
Managing Security: Board Level Considerations

Business issue / Current situation

Enterprise IT Risk: Security strategy may not be completely aligned with overall business strategy.

Security Maturity: Security organizations may lack the right mix of people, process and technology to face today's challenges.

Sophisticated Attacks: Attacks may originate from a wide range of sources including state sponsored groups, organized crime, socially motivated "hacktivists" or even trusted insiders.

Emerging Technologies:
- Cloud: Business drivers and cost reduction benefits have accelerated the cloud movement and the adoption of insecure and non-compliant cloud solutions.
- Mobile Devices: Smartphones, tablet computers and laptops contain troves of sensitive business information, and are often not well-controlled.
- Social Media: Organizations lacking enforceable policies, monitoring capabilities and rapid incident response plans to properly control and react to social media messages have seen their brand reputations quickly damaged.

Privacy & Data Loss Prevention: Customers and employees care about the privacy of their data, and expect companies to protect it.

Regulatory Changes and Frameworks: Regulations and frameworks are becoming more strict and more complex, and regulators are increasing enforcement.

3rd Party Vendors: Organizations are engaging 3rd parties for data processing and storage, which increases risk, requires additional oversight and necessitates additional brand protection strategies in the event of a breach.

Internal Audit: Companies need to have highly skilled and available resources that can perform effective IT Risk Assessments, IT Governance Reviews, IT Application Reviews, and IT Technical Control Reviews.

Third Party Assurance: Increased reliance on 3rd parties, remote access, and emerging technologies have effectively removed the network boundary and traditional security controls; traditional Third Party Reports (SSAE16) no longer give companies the additional comfort they require over the security and privacy of their company's data.
Managing security: Standards and frameworks

External standards
- COBIT, ITIL, ISO etc.
- White papers from vendors

Define ownership
- CRO
- Chief Information Security Officer
- Information Security Staff
- Software installation staff

Define scope
- What is the definition of the guidance?
- Mandatory or discretionary?
- Threats and vulnerabilities
- What would the tolerance levels be?

Implementation & Monitoring
- How is it implemented?
- Who is monitoring implementations and deviations?
- How is quality assurance done?

Deviation
- How are deviations identified?
- Escalation?
- How is corrective action tracked?
Managing Security: Key Considerations

- Protect against malware
- Manage network and connectivity security
- Manage end point security
- Manage user identity and access
- Manage physical access
Managing Security: Security over mobile devices

Managing Security: Security over mobile devices - Challenges
The following areas have been defined:

- Managing sensitive documents and output devices
- Managing information security incidents
- Managing information handling

Policy setting
- Define owners
- High risk areas
- Threat and vulnerability setting
- Policy deviation
- Standards
- Legislation
- Employment contracts

Activity monitoring
- Monitor activities

Incident management
- Identify incident
- Escalate to correct area
- Isolate and safeguard
- Log change
- Test changes
- Track progress
- Implement change
- Report to IT Exco
The Cost of Inaction: Proactive vs. Reactive Approach to Information Security
Fraud

Fraud Incentives, Opportunities and Rationalisation

Presented by:
Thompson Mucheki
Senior Manager: Forensic Services

Agenda

1. Definition of fraud
2. The Fraud Triangle
3. The Fraud Diamond
4. The Fraud Scale
5. Fraud Red Flags
Definition of fraud

Fraud consists in unlawfully making, with intent to defraud, a misrepresentation which causes actual prejudice or which is potentially prejudicial to another.
Essential elements

- Unlawfully
- Making a misrepresentation
- Intent to defraud
- Causing
- Prejudice
The Fraud Triangle

Pressure, Opportunity, Rationalization

Dr Donald Cressey
Motivation to commit fraud

Pressure
- Personal financial problems
- Revenge against employer / management
- Peer pressure, keeping up with the Joneses
- Strong challenge to beat the system
- Personal vices: alcohol, gambling, drugs, debt
- Unrealistic deadlines and performance goals

Opportunity
- Flawed internal controls
- Management lack of competence / know-how
- Weak supervision and review
- Poor separation of duties
- Management approval
- Vague objectives / procedures / processes

Rationalization
- Act is not criminal, everyone is doing it
- Am only borrowing, will pay later
- Attempts to live an honest life have remained futile
- I am entitled to it
- No one will know
- Act is justified
The Fraud Diamond

Pressure, Opportunity, Rationalization, Capability

David Wolfe and Dana Hermanson
Capability explained

Capability involves personal traits and abilities that play a major role in whether fraud will actually occur, transforming Donald Cressey's triangle model from a triangle into a diamond.

www.acfe.com
The Fraud Scale

Dr Steve Albrecht
Fraud Red Flags

- Living beyond one's means
- Persistent financial difficulties
- Wheeler-dealer attitude
- Controlling and unwilling to share duties
- Marital / family problems
- Irritable, suspicious, defensive behavior
- Addiction: drugs, alcohol, gambling, compulsive debts
- Past legal problems / criminal record
- Refusal to take vacation leave
- Unjustifiable backlogs in processing
- Poor segregation of duties
- Poor records and documentation
- Overreliance on a few key individuals
- Frequent deviation from policies, procedures or acceptable practices
Digital Forensic Solutions

Presented by:
Tendai Kanjanda
Manager: Forensic Technology Services

Agenda

1. Computer Fraud
2. Cyber Fraud Techniques
3. Prevention
4. Investigating Cyber Fraud
Computer Fraud

Definition

Use of a computer to create a dishonest misrepresentation of fact as an attempt to induce another to do or refrain from doing something which causes loss.
https://www.law.cornell.edu/wex/computer_and_internet_fraud
Computer Fraud contd
Recorded fraudulent online transactions by continent (2012)

Continent       % Fraudulent Transactions
Africa          7%
Asia            5%
South America   4%
Europe          2%
North America   1%

https://www.iovation.com/news/press-releases/iovation-identifies-top-continents-for-online-fraud-in-2012
Cyber Fraud

- Phishing - Email based social engineering attack.
- Smishing - Mobile device short message service based social engineering attack.
- Vishing - VoIP or voice based social engineering attack.

https://www.verisigninc.com/assets/whitepaper-cybersecurity-essentials-fraud.pdf
Prevention
Investigating Cyber Fraud

- Email Artefacts
- Internet Artefacts
- Network Analysis
Thank you

The information contained in this publication by PwC is provided for discussion purposes only and is intended to provide the reader or his/her entity with general information of interest. The information is supplied on an "as is" basis and has not been compiled to meet the reader's or his/her entity's individual requirements. It is the reader's responsibility to satisfy himself or herself that the content meets the individual's or his/her entity's requirements. The information should not be regarded as professional or legal advice or the official opinion of PwC. No action should be taken on the strength of the information without obtaining professional advice. Although PwC takes all reasonable steps to ensure the quality and accuracy of the information, accuracy is not guaranteed. PwC shall not be liable for any damage, loss or liability of any nature incurred directly or indirectly by whomever and resulting from any cause in connection with the information contained herein.

PricewaterhouseCoopers Zimbabwe Firm. All rights reserved. PwC refers to the Zimbabwean member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.co.zw for further details.