Auditing InfoSec - Association of Financial Mutuals

AFM INTERNAL AUDIT NETWORK MEETING
MUTUAL ONE
GROVE PARK, LEICESTER
Current ‘Hot Topics’ in Information Security Governance Auditing
David Tattersall
03 March 2011
WHO ARE MUTUAL ONE?
Mission Statement: “To enhance the competitiveness of mutuals”
WHAT DOES MUTUAL ONE DO?
• We facilitate collective action amongst mutuals across 4 broad areas:
  • Internal audit
  • Compliance, risk and governance
  • Events
  • Collective procurement
• We are very committed to supporting the mutual sector so that it thrives, not just survives
• More details on the above can be found on www.mutual-one.co.uk
Current ‘Hot Topics’ in Information Security Governance Auditing
Contents
• Definition of ‘Information Security’
• What Information do we need to secure?
• Why do we need to secure information?
• Auditing Information Security
• Frameworks
• Emerging Themes
• Questions
Information Security….
….protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.
Wikipedia – Nov 2010
CIA ‘triangle’ – confidentiality, integrity and availability
What information needs protecting?
• Customer
• Company
• Employee
• Confidential
• Bank / card
• Product / ideas
But why….?
• Regulatory Requirements
  • Financial Services Authority
    FSA Fines….
  • Data Protection Act 1998
    ICO Fines….!!!
• Reputation Damage
• Financial Cost
Estimated Cost of a Data Breach:
• Data loss incidents cost between £365k and £3.92m to manage
• Average cost per lost record = £64
• Biggest component of the cost per lost record is lost business (£29)
• Other costs include: customer communication, recompense, operational costs, financial penalty
• Costs increased 7% in the past year, 36% in the past two years
Source: Ponemon Institute / PGP 2009 Annual Study – Global Cost of a Data Breach report
Auditing InfoSec
Dependent upon:
• Organisation
• Operating environment – regulated firm? Compliance with external requirements (e.g. PCI DSS)?
• Size and nature of IT environment, i.e. is the control requirement proportionate?
• Risk appetite
Auditing InfoSec - Frameworks
• ISO 27001 / 27002
  • ISO/IEC 27001:2005 – Information Security Management Systems – Requirements
  • ISO/IEC 27002:2005 – Code of Practice for Information Security Management
• COBIT
• FSA Paper – Data Security in Financial Services (Apr 2008)
• Payment Card Industry Data Security Standard (PCI DSS)
Auditing InfoSec
Emerging Themes:
• FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
Data Security in Financial Services (April 2008) – New Regulation??
1. Governance – managing systems and controls
2. Training and Awareness
3. Staff Recruitment & Vetting
4. Controls
5. Physical Security
6. Disposing of Customer Data
7. Managing Third-party Suppliers
8. Internal Audit and Compliance Monitoring
Auditing InfoSec
Emerging Themes:
• Outsourcing / key suppliers
FSA Fines….
• Result of a lack of oversight on key outsourced service
• Third Party Assurance
Third Party Assurance
• Due diligence
• Relationship management
• Contracts / service level agreements
• Ongoing review of security arrangements
• Third party assurance
Auditing InfoSec
Emerging Themes:
• Internal Threats – who are our employees?
Can you trust your employees?
Who are our employees?
• Initial recruitment process
  • background checks
  • CRB (Criminal Records Bureau) checks
  • credit checks
• Recruitment of temporary staff
• Ongoing vetting of staff
Auditing InfoSec
Emerging Themes:
• Internal Threats – how is the internet used?
Web-based email / social networking
“To block or not to block….?”
Reasons to block….
• Introduction of malware, spyware, virus
• Bandwidth usage
• ‘Time-wasting’
• Data Leakage
  • Accidental
  • Intentional
  • Data aggregation
• REPUTATION!
“To block or not to block….?”
Reasons to allow….
• Networking opportunities
• Knowledge sharing
• Communication with staff
• Marketing ability / customer engagement
• Increased staff morale
“To block or not to block….?”
Controls to consider (if allowing social networking sites)
• Solid risk assessment
• Training and awareness
• Usage policies
• Granular web-site controls (next-gen firewalls)
• Data leakage software
Beware….proxy avoidance (staff routing around the web filter via anonymiser sites, CGI web proxies or tunnelled connections)…
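Proxy avoidance is easier to audit from evidence than from the usage policy. The Python below is an added example written for this page, not part of the original slides or of Mutual One's material. It runs over a handful of constructed proxy log lines (hypothetical users, example domains and RFC 5737 test addresses) in an assumed simplified "timestamp user method target status" layout, and flags the indicators an auditor would put to the IT team: requests to IP-literal hosts, CONNECT tunnels to ports other than 443, hits on a deny-list of known anonymiser hosts (the list here is an assumption standing in for the web filter's category feed), and URL paths characteristic of CGI web proxies such as CGIProxy's nph-proxy.cgi and Glype's browse.php.

```python
"""Flag proxy-avoidance indicators in web proxy logs (added example, not from the slides)."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in an assumed simplified layout:
#   <timestamp> <user> <method> <target> <status>
# Users, hosts and addresses are hypothetical (example domains, RFC 5737 space).
SAMPLE_LOG = """\
2011-03-01T09:02:11 alice GET http://intranet.example.local/news 200
2011-03-01T09:05:40 bob CONNECT 203.0.113.7:8443 200
2011-03-01T09:06:02 bob GET http://203.0.113.7/cgi-bin/nph-proxy.cgi?u=http://social.example 200
2011-03-01T09:10:15 carol GET http://webmail.example.net/inbox 200
2011-03-01T09:11:44 dave CONNECT vpn-bypass.example.org:443 200
2011-03-01T09:12:01 dave GET http://www.example.org/ 407
2011-03-01T09:13:30 erin GET http://proxify.example/browse.php?u=http://facebook.example 200
"""

# Assumed deny-list of known web anonymiser hosts; in practice this comes from
# the web filter's category feed or a threat intelligence list.
ANONYMISER_HOSTS = {"proxify.example", "vpn-bypass.example.org"}

# Script names typical of CGI web proxies (CGIProxy's nph-proxy.cgi, Glype's browse.php).
CGI_PROXY_PATHS = re.compile(r"/(nph-proxy\.cgi|browse\.php)$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (user, method, host, port, path, status)."""
    _ts, user, method, target, status = line.split()
    method = method.upper()
    if method == "CONNECT":
        # CONNECT targets are bare host:port rather than URLs.
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, "443"
        return user, method, host.lower(), int(port), "", int(status)
    parts = urlsplit(target)
    default_port = 443 if parts.scheme == "https" else 80
    return user, method, (parts.hostname or "").lower(), parts.port or default_port, parts.path, int(status)


def is_ip_literal(host):
    """True if the host component is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def indicators(record):
    """Return the list of proxy-avoidance indicators present in one parsed record."""
    _user, method, host, port, path, _status = record
    reasons = []
    if is_ip_literal(host):
        reasons.append("ip-literal host")  # sidesteps name-based URL/category filtering
    if method == "CONNECT" and port != 443:
        reasons.append(f"CONNECT to non-standard port {port}")  # arbitrary tunnel via the proxy
    if host in ANONYMISER_HOSTS:
        reasons.append("known anonymiser host")
    if CGI_PROXY_PATHS.search(path):
        reasons.append("CGI-proxy script path")  # browsing *through* another web site
    return reasons


def analyse(log_text):
    """Map each user with at least one indicator to the requests that triggered it."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        reasons = indicators(record)
        if reasons:
            user, method, host, port, path, _status = record
            findings[user].append({"request": f"{method} {host}:{port}{path}", "reasons": reasons})
    return dict(findings)


if __name__ == "__main__":
    for user, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{user}: {hit['request']} -> {', '.join(hit['reasons'])}")
```

Running it against the constructed sample flags bob (IP-literal CONNECT on 8443, then a CGIProxy URL on the same address), dave (a 443 tunnel to a listed anonymiser) and erin (a Glype-style request to a listed host), while alice's intranet and carol's webmail traffic pass untouched. The useful audit question is not the count of hits but whether anyone reviews them.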
Auditing InfoSec
Emerging Themes:
• Portable Media Devices – Encrypted?
Ongoing Problem
Laptop Security
• Encryption
• Laptop policy – cannot rely on adherence
• Asset Register
• Laptop sharing
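The slide's point that a laptop policy cannot be relied upon is tested by reconciling the asset register against the encryption console's own export, rather than asking whether the policy exists. The Python below is an added example written for this page, not from the original presentation. The asset register and encryption export are constructed CSV samples with hypothetical asset tags, and the 30-day "not reporting" threshold is an assumption. It reports in-use laptops that are not encrypted, laptops the console has not seen recently or at all, and encrypted devices the register does not know about.

```python
"""Reconcile an asset register against an encryption console export (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed asset register extract (hypothetical tags and users).
ASSET_REGISTER_CSV = """\
asset_tag,device_type,assigned_to,status
LT-0001,laptop,alice,in use
LT-0002,laptop,bob,in use
LT-0003,laptop,carol,in use
LT-0004,laptop,pool,in use
LT-0005,laptop,dave,disposed
DT-0101,desktop,erin,in use
"""

# Constructed export from the disk-encryption management console.
ENCRYPTION_EXPORT_CSV = """\
asset_tag,encryption_state,last_seen
LT-0001,Encrypted,2011-02-28
LT-0002,Encrypted,2010-12-10
LT-0003,Not encrypted,2011-02-27
LT-0006,Encrypted,2011-02-26
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def in_scope_laptops(register_rows):
    """Only laptops still in use; disposed kit and desktops are tested elsewhere."""
    return sorted(r["asset_tag"] for r in register_rows
                  if r["device_type"] == "laptop" and r["status"] == "in use")


def reconcile(register_csv, export_csv, as_of, stale_after_days=30):
    """Return audit exceptions keyed by type, each a sorted list of asset tags.

    as_of is an ISO date string (the date the export was taken).
    unencrypted   - in-use laptop whose console state is anything but 'Encrypted'
    not_reporting - in-use laptop absent from the export, or not seen within stale_after_days
    unregistered  - device the console knows about that is missing from the asset register
    """
    register_rows = load_rows(register_csv)
    register = {r["asset_tag"] for r in register_rows}
    export = {r["asset_tag"]: r for r in load_rows(export_csv)}
    cutoff = date.fromisoformat(as_of) - timedelta(days=stale_after_days)

    findings = {"unencrypted": [], "not_reporting": [], "unregistered": []}
    for tag in in_scope_laptops(register_rows):
        rec = export.get(tag)
        if rec is None:
            findings["not_reporting"].append(tag)  # never enrolled: policy breach or shadow asset
            continue
        if rec["encryption_state"].strip().lower() != "encrypted":
            findings["unencrypted"].append(tag)
        if date.fromisoformat(rec["last_seen"]) < cutoff:
            findings["not_reporting"].append(tag)  # state may be stale; device could be lost
    findings["unregistered"] = sorted(t for t in export if t not in register)
    return findings


def coverage(findings, register_csv):
    """Fraction of in-scope laptops with no exception at all (the headline figure for the report)."""
    scope = in_scope_laptops(load_rows(register_csv))
    excepted = set(findings["unencrypted"]) | set(findings["not_reporting"])
    return (len(scope) - len(excepted)) / len(scope) if scope else 1.0


if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER_CSV, ENCRYPTION_EXPORT_CSV, "2011-03-01")
    for kind, tags in result.items():
        print(f"{kind}: {', '.join(tags) or 'none'}")
    print(f"clean coverage: {coverage(result, ASSET_REGISTER_CSV):.0%}")
```

On the constructed data only one of four in-use laptops is both encrypted and recently seen: LT-0003 is unencrypted, LT-0002 last reported in December, LT-0004 (the pool laptop that gets shared) has never enrolled, and LT-0006 is encrypted but absent from the register. Each class maps to a different control failure: policy non-adherence, a possibly lost device, and an incomplete asset register.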
Auditing InfoSec
Emerging Themes:
• Smart Phones
Auditing InfoSec
Emerging Themes:
• FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
• Outsourcing / key suppliers
• Internal Threats – who are our employees?
• Internal Threats – how is the internet used?
• Portable Media Devices – Encrypted?
• Smart Phones
• What next….? Cloud Computing?
Cloud Computing
• Security
• Regulatory Compliance
• Location
• Segregation
• Recovery
• Auditability
• Longevity
• Costs
ANY QUESTIONS ?
Work Together
Respect each other and our clients
and through teamwork achieve a
common goal
Communicate Clearly
At all levels, to achieve the optimum
outcome
Anticipate and Respond to Change
We aim to be proactive and innovative; by
being adaptable we address tomorrow's
challenges today
Share Knowledge
Our aim is to enlighten and add
value through experience
Deliver Quality Service
We can be relied upon and trusted
to meet agreed objectives