NJ ISACA IT Audit Director's Roundtable
October 6, 2010
Michael P. Cangemi, CPA
Andy Ellsweig, CPA, CGEIT

Agenda
• Introductions and format
• Major issues facing your organization?
• World-class IA organization: one view
• Data Loss Prevention (DLP) and privacy
• Continuous Controls Monitoring (CCM) and the macro view
• Cloud computing and third-party processing

Business Career – Michael Cangemi
• Ernst & Young – CPA – Director, IT Audit
• Phelps Dodge – CAE – VP – CIO
• Professional work – IS Control Journal (1987–2007) and books, including Managing the Audit (Wiley)
• BDO Seidman – Partner, IT Audit and IA Services
• CFO/COO, then CEO, Etienne Aigner (1991–2004)
• CEO, Financial Executives International (2007–2008)
• Advisory boards – FASB; IASB; COSO; private companies
Management, IT, Financial Governance – Cangemi Company, LLC

Business Career – Andy Ellsweig
• Phelps Dodge – Financial/Integrated Auditor
• Johnson & Johnson – IT Audit
• PaineWebber – IT Audit
• Echlin/Dana Corp
• KPMG – Information Risk Management
• Sony, Schering-Plough, Centennial Corp – IT Audit Director
• Eisner/Amper – Risk Advisory Services
• ISACA President; Board member since 1993

Discussion
Let's customize the agenda!
We know some of your technical challenges from the pre-meeting survey.
But first: what are the major issues facing your organization?

World-Class Audit – One View
What makes a world-class audit organization?
• Good people (an organization)
• Following well-thought-out procedures
• Focused on significant issues and positive deliverables
• Team approach to management

Elements of a World-Class Audit Function – Organization (Chap. 4)
• Audit consists of people and procedures
• Creating the organization: establish a charter and a mission statement
• Build positive deliverables into the mission
• When was your last SWOT analysis for Internal Audit? Survey the corporate board!
• Document policies and use them to orient staff (p. 177)

Essence of Internal Audit Challenges
• How do you contribute to the company's mission?
(pp. 137–138)
• Internal Audit is not involved in products or customers
• Management periodically reviews audit's contribution (not every day, but always someday)
• Are you ready for that review and the ROI question?

The Impact of the Economy on Audit Departments – Discussion Points
In today's economic climate, it has become increasingly necessary to manage audit functions and processes more efficiently.
• What is the impact of the economy on executing our audit plans?
• What techniques are being used to accomplish this goal?
• Are there effective automation solutions available to help with this?
• Are there audit areas that are candidates for elimination or reduced audit coverage to accommodate strained budgets?
• Does management recognize that there is an increased motivation for fraud and data crimes, concurrent with expectations that audit departments will recognize such activities despite reduced budgets?

Data Loss Prevention / Data Privacy
Data Loss Prevention (DLP): detecting and preventing the unauthorized use and transmission of confidential information.
Risks associated with data loss have increased significantly because companies have fragmented and porous network perimeters, massive amounts of information can be moved easily, many types of information now have value, and new and emerging regulatory restrictions and marketplace liability attach to improperly protecting personal information.
Personally Identifiable Information (PII) includes: name, street address, Social Security number (or other national identification number), credit card number, expiration date, authorization code, telephone number, e-mail address, driver's license number, face, fingerprints, handwriting, etc.
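The DLP slide above defines the problem as detecting and preventing unauthorized transmission of confidential information and lists the PII elements a monitoring system has to recognize. The following is an added example by the editor, not code from the roundtable deck or from either presenter: a minimal outbound-content scanner in Python that picks out three of the listed PII elements (Social Security number, payment card number, e-mail address) and applies a block/allow policy. The regular expressions, the SSA range check, the severity labels and the `SAMPLES` messages are all the editor's assumptions; the messages are constructed test data, not real records.

```python
"""Minimal DLP content scanner: flag outbound text that carries PII.

Added example for the DLP slide; not code from the deck. Patterns, validity
rules, severity labels and sample messages are the editor's own assumptions.
"""
import re
from dataclasses import dataclass

# Loose candidate patterns. The lookarounds stop a match from starting or
# ending inside a neighbouring digit run (e.g. the tail of an SSN bleeding
# into a card number), and the SSN backreference forces one consistent
# separator so "4111 1111 ..." cannot be read as "411-11-1111".
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
PAN_RE = re.compile(
    r"(?<![\d-])(?:\d{4}[ -]){3}\d{4}(?![\d-])"   # 4-4-4-4 grouped
    r"|(?<!\d)\d{13,19}(?!\d)"                    # or 13-19 contiguous digits
)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass(frozen=True)
class Finding:
    kind: str       # "ssn", "pan" or "email"
    masked: str     # what gets logged: digits masked to the last four, e-mail in full
    severity: str   # "high" blocks the message; "low" is logged only


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Return every PII element found in `text`, in SSN, PAN, e-mail order."""
    found = []
    for m in SSN_RE.finditer(text):
        area, _, group, serial = m.groups()
        if ssn_plausible(area, group, serial):
            found.append(Finding("ssn", mask(area + group + serial), "high"))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):            # drops order numbers and other look-alikes
            found.append(Finding("pan", mask(digits), "high"))
    for m in EMAIL_RE.finditer(text):
        found.append(Finding("email", m.group(0), "low"))
    return found


def should_block(findings: list[Finding]) -> bool:
    """Policy (assumed): block transmission on any high-severity finding."""
    return any(f.severity == "high" for f in findings)


# Constructed sample messages, not real data.
SAMPLES = {
    "hr_mail": "Jane's SSN is 078-05-1120 and her corp card is 4111 1111 1111 1111; reply to jane@example.com",
    "order_mail": "Order 1234567890123456 shipped today, questions to ops@example.com",
    "bad_ssn": "Placeholder SSN 000-12-3456 in the template",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        findings = scan(body)
        verdict = "BLOCK" if should_block(findings) else "allow"
        print(f"{name}: {verdict} {[(f.kind, f.masked) for f in findings]}")
```

The two validators are the part that matters in practice: a scanner that blocks every nine- or sixteen-digit number is switched off within a week, so the Luhn check and the SSA range check are what keep the order number and the placeholder SSN in the samples from generating alerts. A production DLP system adds what this example omits, such as document fingerprinting, attachment and archive inspection, and coverage of channels other than plain text.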
Regulations and Statutes
• European Data Privacy Directive (1995)
• Gramm-Leach-Bliley Act (1999)
• SEC Regulation S-P (2000)
• California state law regarding data breaches (2003)
• Massachusetts regulations regarding information security (2008–2009)
• US Red Flag Rules (2010)
• Payment Card Industry Standards (2008)
• HIPAA (1996) / HITECH (2009) Acts

Data Breaches – Scope of the Problem
• The Privacy Rights Clearinghouse maintains a Chronology of Data Breaches. Since 2005 there have been 1,720 data breaches made public, involving 510,535,937 records.
• The numbers are not complete: many small breaches are not reported, and the number of records breached is in many cases unknown.
• The reported breaches include data elements useful to identity thieves, such as Social Security numbers, account numbers and driver's license numbers; the chronology also includes some breaches that did not expose sensitive information.
• Major causes of breaches include lost or stolen computers or storage media, hacking, programming/human error, and lost backup tapes.
Source: http://privacyrights.org/data-breach

Examples of Data Breaches
• Heartland Payment Systems: intruders hacked over 100 million records
• San Francisco, July 2008: a disgruntled employee sabotaged the city's computers by changing all the admin passwords
• Iowa recently learned that Social Security numbers of its residents had been accessible on the Internet since 2005 through a website maintained by a county
• TJX, ChoicePoint, CardSystems, Veterans Administration, and many more

Data Loss Prevention / Privacy – Discussion Points
• Are audit plans and programs being modified or created to address data loss prevention?
• How many companies have designated Privacy Officers?
• Are incident response plans documented?
• Is a technical solution for data loss prevention, i.e., systems designed to automatically monitor for data leakage, considered essential to enterprise risk management?
• Are automated audit tools being used to determine the effectiveness of data loss prevention programs?
• Are IT and executive management cognizant of, and responsive to, the need to protect the organization from data loss breaches?
• How do we see data loss prevention evolving?

Continuous Controls Monitoring
CCM technology provides an automated, in-line means to effectively audit transactions and identify fraud and other exceptions in real time.

Continuous Monitoring – Macro
• Automation (computers, new communications and surveillance devices) leads to an expansion of monitoring
• There is an ever-expanding "Orwellian" interest in monitoring
• Government: national security; compliance (tax); motor vehicle monitoring

Business Monitoring
• Business: financial and internal control (IC) focus
• Start higher: continuous monitoring (CM) is more pervasive
• Most common terms: CCM, CCM-T, CA
• Need for more clarity on CM objectives, benefits and definitions
• CM adds value to the IC system; COSO's Monitoring guidance is a good step, but not far enough
• Hence the FERF research paper

Overview of Continuous Monitoring (diagram, reconstructed from the slide)
• Society-level monitoring: business monitoring; government operations; national security monitoring; compliance monitoring (IRS)
• Business monitoring spans IT, Finance and HR, with CM of security and information integrity, CCM-T and reconciliations, CCM of segregation of duties, and CCM-T for Internal Audit / GRC

Business Monitoring Features
• Expanded use of near-real-time, automated monitoring
• We need to redefine the control community's role and CM terminology (EDPACS article)
• Operations in addition to financial focus: a bigger focus on controls based in operations, from FedEx to E-ZPass
• Finance and audit to lead and educate

Continuous Controls Monitoring – Discussion Points
• CM: what is your company doing to take advantage of automation to improve data and information integrity?
• Who has implemented, or is planning to implement, CCM?
• What are some notable successes and failures in using this technology?
• What types of transactional activities and data mining are being used, and where do we see the greatest potential benefits?
• How has the use of CCM affected legacy audit planning and procedures?
• Are there other areas where CCM could be used for more effective audits and timely identification of aberrant activities, e.g., monitoring IT controls?
• Is the use of CCM destined to become an important and requisite audit methodology best practice?

Cloud Computing & Outsourcing
Firms are moving at a tremendous pace to cloud-computing-based architectures and to assigning processing controls to third-party processors in order to reap the cost savings.
NIST has defined cloud computing as: a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The NIST Cloud Definition Framework (diagram, reconstructed from the slide; source: NIST)
• Deployment models: public cloud, private cloud, community cloud, hybrid clouds
• Service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential characteristics: on-demand self-service, broad network access, rapid elasticity, resource pooling, measured service
• Common characteristics: massive scale, resilient computing, homogeneity, geographic distribution, virtualization, service orientation, low-cost software, advanced security

Cloud Computing in Financial Terms
• No more buying servers (that will probably never be fully utilized and that start losing value as soon as they are delivered).
• Companies will not need to spend money on the switches and routers, backup power, redundant bandwidth, and expensive HVAC systems that servers require.
• Can reduce expenses for IT staff dedicated to server maintenance and for server/computer rooms.
• Servers become someone else's responsibility. They buy it, and you rent it, by the megahertz, gigabyte, or bits per second.
• Cloud service providers hire the server room staff and you rent their services.
• Allows companies to reap great economies of scale and reduce capital expenditures and IT operating costs.
Source: Proformative

Cloud Economics – Cost Savings
Estimates vary widely on potential cost savings:
• Brian Gammage, Gartner Fellow: "If you move your data center to a cloud provider, it will be a tenth of the cost."
• CTO of Washington D.C. / Preferred Hotel: government agencies moving to public or private clouds can save from 50 to 67 percent.
• Merrill Lynch: traditional, $210k server refresh and $10k/month; cloud, $10k implementation and $16k/month.
• Ted Alford and Gwen Morton of Booz Allen Hamilton: use of cloud applications can reduce costs by 50% to 90%; also claimed that the technology could make business applications "3 to 5 times cheaper," meaning that organizations could save anywhere from 67 to 80%.
• William Forrest, McKinsey analyst, disputing some of the cost-savings examples: there would be few savings from cloud migrations, and moving to the cloud would actually cost 144 percent more than current expenditures.

Six Costly Cloud Mistakes
There are a number of "hidden gotchas" when it comes to using cloud infrastructure providers:
• Not taking full account of financial commitments on existing hardware.
• Not factoring in your unique requirements when signing up for a cloud service.
• Signing an agreement that doesn't account for seasonal or variable demand.
• Assuming you can move your apps to the cloud for free.
• Assuming an incumbent vendor's new cloud offering is best for you.
• Getting locked in to a cloud solution.
Source: CFO.com

Provider Due Diligence
• Before entering into an agreement with a cloud (or any outsourced) provider, organizations need to perform due diligence procedures, scoped to the type of data and processes being outsourced or moved to the cloud.
• Due diligence should be carried out by a multi-disciplinary team that could include members from the affected business area(s), finance, legal, information security, the privacy office, corporate security and audit.
• Many companies use questionnaires as a first step for assessing a vendor's controls.
• Because it does not fit their cost model, most cloud providers will not allow on-site audits.
• If Type II SAS 70 reports (or other certifications) are not available (e.g., for smaller providers or new entrants into cloud computing), then an on-site audit is recommended.
• Audits should be performed before contract execution where possible.
• Also evaluate the vendor's financial health, including a review of D&B reports.

SAS 70 Reliance & Limitations
SAS 70 limitations include a general lack of security focus, and the testing procedures are sometimes narrowly defined.
When reviewing SAS 70 reports, organizations should consider the following:
• Was it a Type I or a Type II? (A Type I covers control design at a point in time; only a Type II tests operating effectiveness over a period.)
• Who performed the SAS 70?
• Did the entity receive a clean audit opinion?
• What audit objectives were covered by the SAS 70?
• Were there any findings, and how were they addressed?
• What client control considerations were included?
• Is this enough to cover the organization's regulatory requirements (e.g., PCI, SOX, GLBA, privacy laws)?
Organizations should look for additional assurances besides SAS 70 reports, which can include ISO 27001/27002, TRUSTe, Safe Harbor, and SysTrust/WebTrust.

Cloud Computing & Third Party Processing – Discussion Points
• What are the risks associated with third-party processing that are of most concern?
• How is third-party processing being audited by organizations, e.g., right-to-audit clauses vs. reliance on SAS 70 reports?
• Are companies doing adequate due diligence before contracting with third-party providers, particularly as regards involving audit departments prior to contractual commitments?
• How is the complex digital supply chain, where multiple downstream providers provide services for each other and data residence and transmission points are increasingly obscure, being dealt with from an audit perspective?
• What types of controls and associated technologies are considered essential to auditing third-party processing?
• How has the economy impacted how we determine ongoing vendor viability?

Wrap-Up
• Other topics or focus areas?
• Major takeaways

Thank You
To all participants and JH Cohn

For More Information:
Michael P. Cangemi, CPA, CISA
President, Cangemi Company LLC
mpcangemi@msn.com
www.canco.us
732.662.4868

Andy Ellsweig
Senior Manager, EisnerAmper LLP
Andrew.ellsweig@eisneramper.com
732.287.1000, x1297