Sia Partners US
New York Office: 641 Lexington Avenue, Suite 1322, New York, NY 10022
Tel: (212) 634 6325
Internet: www.sia-conseil.com

AIBA Presentation: IT Risk Assessments
September 20, 2012

Presenters
• Gus Moreno, IT Risk Specialist. Tel: (917) 239-7549. Email: gus.moreno@sia-partners.com
• Alexis Wyrofsky, Consultant. Tel: (401) 862-1661. Email: alexis.wyrofsky@sia-partners.com

Paris | New York | Rome | Milan | Casablanca | Dubai | Amsterdam | Brussels

CONFIDENTIAL © 2012 Sia Partners

Table of Contents (slide 2)
1 Introduction
2 IT Risk: In the News
3 IT Risk Hot Topics
4 IT Risk Program
5 IT Standards and Selective Article Links

Introduction (slide 3)
• With the growing complexity of Information Technology, financial institutions are exposed to a greater number of IT risks. In 2012 alone, many Information Security attacks and operational issues made national news headlines:
  • Password File Hacking
  • Amazon Cloud Outage
  • SQL Injection Attacks
  • Mobile Device Attacks
• Due to the increased threat, regulators hold companies accountable not only to regulatory requirements but also to standards of best practices and procedures. Guidance for regulatory exams is published; however, regulators' focus changes based on the current IT trends. For example, recent hot topics in Financial Services include:
  • Cyber Attacks
  • Data Leakage
  • Vendor Management
  • Disaster Recovery & Business Continuity Plans
  • Data Privacy
• IT Risk expertise assists companies in navigating the current threats to their IT environment, and ensures compliance with regulatory requirements.

IT Risk: In the News – Password File Hacking (slide 4)
SECURITY EVENT
• Since 2002, Information Security breaches have risen exponentially.
• Cyber activity has spiked this year.
• 6/2012: three major password breaches:
  • LinkedIn: 6.4 million hacked passwords.
  • Lastfm.com.
  • eHarmony.
• Passwords were stored in the database using a standard algorithm rather than encryption.
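The password-storage weakness behind the breaches listed above, and the SQL injection mitigation items on the slide that follows ("assume the applications are not secure (encrypt passwords, etc.)", Web application development requirements), can both be shown in a few lines. The code below is an added example and is not from the Sia Partners deck: it builds a constructed in-memory user table with sqlite3, shows a login that splices user input into SQL and checks an unsalted SHA-1 digest, and beside it the hardened form with a parameterized query and a salted, iterated hash (PBKDF2-HMAC-SHA256, the standard treatment the deck's "encrypt passwords" item points at). The user names, passwords, table schema and iteration count are all assumptions made for the example. The audit function at the end is one way to implement the "review quality of stored passwords" control.

```python
"""Added example, not from the Sia Partners deck: a minimal sqlite3 login store that
shows the two weaknesses discussed on these slides, passwords stored as a bare fast
hash and user input spliced into SQL, beside their hardened forms. All users and
passwords below are constructed sample data."""
import hashlib
import hmac
import os
import sqlite3

# Assumption: an iteration count chosen for this example; tune upward over time.
PBKDF2_ITERATIONS = 100_000


def make_db() -> sqlite3.Connection:
    """Build an in-memory user table. 'alice' mirrors the breach pattern (unsalted
    SHA-1); 'bob' is stored the hardened way (per-user salt, PBKDF2-HMAC-SHA256)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, scheme TEXT, salt BLOB, digest TEXT)")
    legacy = hashlib.sha1(b"hunter2").hexdigest()
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", ("alice", "sha1", b"", legacy))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, PBKDF2_ITERATIONS).hex()
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", ("bob", "pbkdf2", salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Both weaknesses at once: the user name is concatenated into the statement, and
    the check is against an unsalted SHA-1 digest (fast to crack once leaked)."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND digest = '{digest}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query plus salted, iterated hashing and a constant-time compare.
    A legacy SHA-1 row that verifies is re-hashed to PBKDF2 on the spot, so the
    weak records disappear as users log in."""
    row = conn.execute("SELECT scheme, salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    scheme, salt, digest = row
    pw = password.encode()
    if scheme == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS).hex()
        return hmac.compare_digest(candidate, digest)
    # Legacy path: verify the old digest, then migrate this row to the new scheme.
    if not hmac.compare_digest(hashlib.sha1(pw).hexdigest(), digest):
        return False
    new_salt = os.urandom(16)
    new_digest = hashlib.pbkdf2_hmac("sha256", pw, new_salt, PBKDF2_ITERATIONS).hex()
    conn.execute("UPDATE users SET scheme = ?, salt = ?, digest = ? WHERE name = ?",
                 ("pbkdf2", new_salt, new_digest, name))
    conn.commit()
    return True


def audit_password_storage(conn: sqlite3.Connection) -> dict:
    """The 'review quality of stored passwords' control: count rows per storage scheme
    so the number of unsalted fast-hash records can be reported and driven to zero."""
    return {scheme: n for scheme, n in conn.execute("SELECT scheme, COUNT(*) FROM users GROUP BY scheme")}


if __name__ == "__main__":
    db = make_db()
    print("before migration:", audit_password_storage(db))
    print("vulnerable login, injected name and wrong password:",
          login_vulnerable(db, "alice'--", "not the password"))
    print("hardened login, same input:", login_hardened(db, "alice'--", "not the password"))
    print("hardened login, alice, correct password:", login_hardened(db, "alice", "hunter2"))
    print("after migration:", audit_password_storage(db))
```

Run stand-alone, the script shows the string-built query accepting a name that closes the quote and comments out the digest check, while the parameterized version treats the same input as a literal user name and finds no such row. The audit dictionary is the metric a risk assessment would track: the count of "sha1" rows should fall to zero as the rehash-on-login path migrates them.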
POSSIBLE RISK MITIGATION
Controls
• Review quality of stored passwords.
• Set up security monitoring procedures that should be able to detect an attempted breach.
• Establish adequate security perimeter controls.
• Develop a security patch deployment process.
Cost-benefit
• $200,000-300,000: set up adequate, A+ security measures, versus
• $5.5 million: the average cost to a company of a security breach.

IT Risk: In the News – Cloud Computing (slide 5)
OPERATIONAL EVENT
• 6/9/2012: Outage of Amazon Elastic Compute Cloud (EC2) caused by severe weather conditions.
  • Mainstream websites running off the Amazon cloud were down – Netflix, Instagram, Pinterest, Heroku.
• 4/2011: Technical glitch caused an Amazon cloud outage.
  • Caused service interruptions for websites Foursquare, Reddit and HootSuite.
POSSIBLE RISK MITIGATION
Controls
• Understand the availability risk of computing resources and ensure that infrastructure is resilient.
  • E.g.: Establish an automatic switch over to a standby machine.
• Implement security monitoring in the cloud.
• Establish vendor management controls.
• Include cloud services in the Disaster Recovery Plan.
• Employ geographic distribution of data centers.

IT Risk: In the News – SQL Injection Hacks (slide 6)
SECURITY EVENT
• 11/2011 - 1/2012: SQL injection hack affected over 1 million URLs.[1]
  • Infected by lilupophilupop.com malware.
  • The attacker can completely take over the underlying operating system of the SQL server and the Web application.
  • The hacking process is partially manual and partially automated – suggests significant preparation and manpower.
  • Toolkit constructed for a particular attack and targets a specific application architecture.
• 3/2011: Lizamoon.com SQL injection hack:
  • 500,000 URLs affected via redirects that push rogue AV software.
  • Quickly contained.
POSSIBLE RISK MITIGATION
• Establish a patch deployment process.
• Verify the Virus / Malware process.
• Set up Web application development policies and requirements.
• Inspect application traffic on firewalls.
• Ensure appropriate use of "least privileges."
• Assume the applications are not secure (encrypt passwords, etc.).
[1] According to the SANS Internet Storm Center; Cisco claims that fewer web pages were affected, as online discussions following a hack increase hits.

IT Risk: In the News – Mobile Device Attacks (slide 7)
SECURITY EVENT
• Android malware attacks: new framework Tatanga – "man-in-the-mobile" attacks (MitMo):
  • Intercept the secret codes sent by a bank via text message to a customer's phone to verify a large transaction request.
  • Initiate transfers and transactions by bypassing the out-of-band authorization systems.
  • Target small businesses using online banking; mobile attacks expected to become more prevalent.
• Other Mobile Device Security Risks:
  • High potential for mobile devices to be lost or stolen.
  • Applications do not typically have encrypted containers (in place for email) or other security measures.
POSSIBLE RISK MITIGATION
• Ensure Mobile Computing policies are in place:
  • State that applications must be downloaded from a trusted source, e.g., Google Play app stores.
• Set up multifactor authentication.
• Implement user security awareness training.
• Move slowly into the space.
• Update and ensure the SDLC process is specific for mobile device applications.

IT Risk Hot Topics – Cyber Attacks (slide 8)
1 Cause of Risk
• Cyber attacks are increasingly more targeted to specific corporations.
• Moving from simply making a point to wreaking financial havoc.
• Advanced Persistent Threats (APTs) focus on hacking an individual employee rather than the organization's infrastructure.
• Spear Phishing: hackers obtain a company email list in order to appear as a trusted source.
• Example: RSA Spear Phishing Attack in 3/2011 – hackers sent phishing emails appearing to come from a recruitment website to employees of RSA. The attachment in the email placed a malicious file on the employee's computer, enabling attackers to gain remote access to the company network and steal information regarding RSA's SecurID key fob products.
2 Risk Mitigation
• Establish effective security patch and virus/malware patch procedures.
• Review network security processes to ensure that sufficient restriction exists for access to business critical applications (either internally or externally hosted).
• Perform ongoing penetration testing.
• Implement a Computer Emergency Response Team (CERT) process.
• Ensure Security Administration (both new hires and existing personnel) have adequate training.
• Ensure that strong password and PIN requirements are included and enforced in company policies.
• Evaluate practices used by the Help Desk to reduce opportunities for social engineering attacks.

IT Risk Hot Topics – Data Leakage (slide 9)
1 Cause of Risk
• Reliance on the Internet and emails to transfer and store data.
• Wireless networks.
• Mobile devices.
• Storage sites.
• Personal and unauthorized websites.
• File transmission, FTP, Skype, etc.
• Social networking.
• USB ports/thumb drives.
• Remote access controls.
2 Risk Mitigation
• Assess all possible data leakage channels within the IT environment.
• Apply measures to reduce the unauthorized disclosure of sensitive data to secure the environment.
• Ensure an effective data classification process exists for all company information.
• Identify potential leakage channels.
• Establish additional controls where possible, based on the data classification system.
• Implement monitoring solutions to manage sensitive information.
• Put in place an ongoing employee awareness program.
IT Risk Hot Topics – Vendor Management (slide 10)
1 Cause of Risk
• Increasing reliance on third-party vendors to perform many IT functions and services.
• Vendors and service providers are responsible for continuous operations of key business IT processes and proper handling of sensitive data.
• Prevalence of Cloud Services.
• Service disruptions or Information Security breaches result in high financial or reputational costs.
2 Risk Mitigation
• Ensure that due diligence is conducted on vendors:
  • Prior to engagement, during the Contract Phase – Right to Audit, Security Monitoring.
  • On a periodic (annual) basis.
• Manage vendor relationships – enforce the adoption of internal controls by the vendor.
• Monitor the vendor's Information Security and data-handling procedures.
• Restrict access to critical production data and information processing systems.
• Implement security monitoring solutions for vendor access to business sensitive data.

IT Risk Hot Topics – Disaster Recovery/Business Continuity Plans (slide 11)
1 Cause of Risk
• Post-9/11, Business Continuity (BCP) and Disaster Recovery (DR) became highlighted areas for regulatory examiners.
• Regulators are going beyond the idea of alternate sites to the requirement that enough critical staff be available for principal trading applications, especially for "market makers."
• Increased use of vendors would require that DR/BCP plans include an appropriate level of testing.
2 Risk Mitigation
• Include business continuity considerations in the overall design of the business model in order to reduce the risk of service disruptions.
• Ensure plans are robust, detailed, regularly updated, tested and approved by a bank's Executive Management.
• Include areas such as pandemic crisis management, media communication, hardware recovery and security measures.
• Monitor and analyze the results of testing:
  • Identify areas requiring special attention.
  • Identify personnel that could benefit from additional training.

IT Risk Hot Topics – Data Privacy (slide 12)
1 Cause of Risk
• Differences in global data privacy regulations and standards:
United States
• The US government has limited power to protect citizens' data privacy.
• The Federal Trade Commission rarely takes action against US companies for privacy breaches; it usually levies small fines.
• If a company has lawful access to data it may use it, as long as it is not prohibited (such as under the Gramm-Leach-Bliley Act).
• Importance of the privacy policy / statement: as long as a customer is made aware of the policy when data is collected and does not object, the company can use it.
• The Patriot Act allows US officials to access phone, email and financial information without a warrant.
Europe
• The 1995 EU Directive on Data Protection protects citizens' privacy and states that permission is required from a consumer for a company to use or exchange personal data.
• 2012: the EC proposed the General Data Protection Regulation, a draft update of the Directive:
  • Requires reporting a data breach within 24 hours.
  • Creates a Data Protection Commission.
  • Mandates a Privacy Compliance Officer for businesses.
  • Conforms data privacy rules across the EU.
  • Introduces Privacy Impact Assessments.
• US companies would be heavily penalized for releasing EU citizens' personal data to US authorities (such as by complying with National Security Letters).
Asia
• 2011 marked a pivotal year in Asia with the introduction of many data protection regulations.
• South Korea: the Personal Information Protection Act is considered the most stringent data privacy regulation globally:
  • May require companies to delete consumer data if its retention is not justified.
  • Requires data breach notification.
• Hong Kong and the Philippines have both recently passed significant data privacy regulations.
2 Risk Mitigation
• Review data protection control jurisdictions of business activities and verify their adherence to sovereign laws.
• Corroborate that policies support the segregation of company and personal information that might go cross-border.
• Review the security monitoring process, particularly the communication procedure in the event of a security breach.
• Verify that cloud and email storage infrastructure supports infrastructure requirements.
• Ensure that the DR solution is not in violation of regional standards.

IT Risk Program – How to Monitor & Control IT Risk (slide 13)
Designing and Implementing an IT Risk Program:
– Set up security controls
– Perform an annual independent IT Risk Assessment
– Conduct application security reviews
– Perform internal and external penetration tests
– Ensure security patches/malware patches are completed on a timely basis
– Maintain risk reporting that provides up-to-date information on the patching process
– Verify that an adequate number of Information Security personnel have an adequate skillset
– Ensure the existence of a training program and up-to-date training of current employees
– Confirm that the IS Policy allows for personal use on business devices and use of personal devices for business purposes

IT Risk Program – IT Risk Assessment Methodology (slide 14)
Methodology and Process of an IT Risk Assessment:
• Conduct in accordance with established industry and regulatory guidance (FFIEC, COBIT, etc., further discussed on slide 16).
• In addition to the previously mentioned "Hot Topics", scope should include the following areas:
  • Risk Management
  • Information Security Administration
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Network, Communications & Operations Management
  • Access Control
  • Information Systems Acquisition, Development & Maintenance
  • Incident Event & Communications Management
  • Compliance
Risk Assessment Process Should Encompass:
• Review existing IT Risk related material in place
• Develop specific control tools (such as the RCM discussed on slide 15)
• Conduct interviews with key IT and IS personnel and management, as well as other relevant staff such as HR, Administration, Audit & Compliance
IT Risk Assessment Enables Management to:
• Obtain a comprehensive and documented understanding of risks in the IT / IS operational environment
• Grasp the severity and level of urgency for each associated risk
• Appropriately and accordingly take measures to reduce risks in order of priority
• Ensure resources are deployed to address risks that have the most significant implications for the organization at that time
• Plan and budget for projects that mitigate IT / IS risk according to assessed risk and priorities, with varying mandates and longevity
• Acknowledge and accept risks not considered by management to pose a significant threat

IT Risk Program – Risk Control Matrix (slide 15)
Risk Control Matrix (RCM) Tool:
• Provides a qualitative assessment of the expected controls for each area of the IT environment.
• Documents whether relevant control objectives are met.
• Identifies open risk issues based on gaps between the required control and the control in place.
• Categorizes issues based on a risk rating such as "High", "Medium" and "Low." The determination of the risk rating is based on the severity of the risk and the probability of its occurrence.
• Determines and tracks management's decision whether each flagged risk should be remediated, partially remediated, accepted or a combination.
• Prescribes recommendations on steps to address the risk deemed to need mitigation.
Sample RCM (template row as shown in the deck):
Control Objective & Associated Risks | Current or Planned Controls, Procedures | Other Risk Mitigating Factors | Residual Risk | Recommended Actions
D. Vendor Management 1. | 1. | 1. | 1.

IT Risk Program – Guidance & Internal Audit's Role (slide 16)
IT Risk Guidance
• FFIEC:
  • Maintains and publishes 11 FFIEC Information Technology Examination Handbooks which outline examination objectives and procedures for evaluating IT environments of financial institutions.
  • Provides introductory, reference, and educational training material on specific topics of interest to field examiners from the FFIEC member agencies.
• CobiT:
  • IT governance framework established by ISACA, the former Information Systems Audit and Control Association.
• Shared Assessments:
  • Evaluation program of security controls focusing on Information Technology and Information Security.
  • Created by several major US banks (JPMorgan Chase, Bank of America, Citigroup, BNY Mellon) in association with the Big 4 accounting firms.
• ISO/IEC 27002:
  • Standard aimed at Information Security, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Role of Internal Audit
• Audit the IT/IS Control Program.
• IT Risk Assessment:
  • Perform the IT Risk Assessment (if done in-house).
  • Collaborate with an external vendor firm to oversee performance of the assessment.
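Returning to the Risk Control Matrix slide above: the RCM's behaviour (document whether an objective is met, rate the gap from severity and probability, order the open issues, record management's decision) is easy to pin down as a small data structure. The code below is an added example and is not a tool from the Sia Partners deck; it uses the column headings of the sample RCM and the Vendor Management area from the slide, but the three rows are constructed sample data, and the grid that turns severity and probability into High/Medium/Low is an assumption, since the deck only says the rating depends on those two factors.

```python
"""Added example, not from the Sia Partners deck: a small Risk Control Matrix (RCM)
as a data structure, using the column headings of the sample RCM on slide 15. The
High/Medium/Low grid that turns severity and probability into a rating is an
assumption; the deck only says the rating is based on those two factors."""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def rate(severity: str, probability: str) -> str:
    """Assumed grid: severity score times probability score, bucketed as
    Low (1-2), Medium (3-4) or High (6-9)."""
    score = LEVELS[severity] * LEVELS[probability]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class RcmRow:
    area: str                      # e.g. "D. Vendor Management"
    control_objective: str         # Control Objective & Associated Risks
    required_control: str          # the expected control for this area
    control_in_place: str          # Current or Planned Controls, Procedures
    objective_met: bool            # assessor's finding: control in place meets the objective?
    other_mitigating_factors: str  # Other Risk Mitigating Factors
    severity: str                  # Low / Medium / High
    probability: str               # Low / Medium / High
    recommended_actions: str = ""  # Recommended Actions
    management_decision: str = "pending"  # remediate / partial / accept

    @property
    def residual_risk(self) -> str:
        """Residual Risk column: rated only where a gap between the required and the
        in-place control leaves the objective unmet."""
        return "None" if self.objective_met else rate(self.severity, self.probability)


def open_issues(rows: list) -> list:
    """Flagged gaps ordered High first, the order in which management should decide."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted((r for r in rows if not r.objective_met), key=lambda r: order[r.residual_risk])


def record_decision(row: RcmRow, decision: str) -> RcmRow:
    """Track management's decision for a flagged risk (remediate, partial or accept)."""
    if decision not in ("remediate", "partial", "accept"):
        raise ValueError(f"unknown decision {decision!r}")
    row.management_decision = decision
    return row


# Constructed sample rows for the Vendor Management area (not from the deck).
SAMPLE_RCM = [
    RcmRow("D. Vendor Management", "Due diligence is performed before a vendor is engaged",
           "documented due diligence during the contract phase",
           "checklist completed and filed for every new vendor", True,
           "Legal review of all contracts", "Medium", "Low", "None required"),
    RcmRow("D. Vendor Management", "Contracts include right-to-audit and security monitoring clauses",
           "right-to-audit clause in every vendor contract",
           "clause present in 3 of 7 active contracts", False,
           "Annual vendor questionnaire", "High", "Low",
           "Amend the remaining contracts at renewal; add interim monitoring"),
    RcmRow("D. Vendor Management", "Vendor access to production data is restricted",
           "individual least-privilege vendor accounts with access logging",
           "one shared administrator account used by vendor staff", False,
           "", "High", "High",
           "Issue individual vendor accounts; enable and review access logging"),
]


def residual_risk_summary(rows: list) -> dict:
    """Control objective -> residual risk, the view an assessor reports to management."""
    return {r.control_objective: r.residual_risk for r in rows}


if __name__ == "__main__":
    for row in open_issues(SAMPLE_RCM):
        print(f"[{row.residual_risk}] {row.control_objective}: {row.recommended_actions}")
```

With the sample rows, the shared-administrator gap rates High (severity High, probability High) and sorts first, the contract-clause gap rates Medium (High severity, Low probability), and the met objective carries no residual risk. Each open row keeps its recommended action and management's decision alongside the rating, which is what the "determines and tracks management's decision" bullet asks an RCM to do.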
IT Standards and Selective Article Links (slide 17)
• http://ithandbook.ffiec.gov/it-booklets.aspx
• http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
• http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html?pagewanted=2&_r=1&emc=eta1
• http://mobile.blogs.wsj.com/cio/2012/06/06/linkedin-password-breach-illustrates-endemic-security-issue/
• http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
• http://www.forbes.com/sites/anthonykosner/2012/07/01/survey-of-effects-of-cloud-outage-shows-how-much-of-the-web-runs-on-amazon/
• http://www.wired.com/cloudline/2012/06/amazon-outage-pilot-error/
• http://www.forbes.com/sites/kellyclay/2012/06/30/aws-power-outage-questions-reliability-of-public-cloud/
• http://www.huffingtonpost.com/2012/07/02/amazon-power-outage-cloud-computing_n_1642700.html
• http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
• http://mobile.eweek.com/c/a/Security/New-Android-Malware-Better-at-Targeting-Bank-Transactions-161221/
• http://www.nftc.org/default/Innovation/PromotingCrossBorderDataFlowsNFTC.pdf
• http://www.informationweek.com/security/attacks/sql-injection-hack-infects-1-million-web/232301355
• http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232301285/latest-sql-injection-campaign-infects-1-million-webpages.html?itc=edit_stub
• http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
• http://www.informationweek.com/government/security/nsa-chief-china-behind-rsa-attacks/232700341
• http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• https://www.bit9.com/blog/2011/03/18/rsa-and-the-apt-attack/
• http://www.msnbc.msn.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-stark-eu-us-privacy-laws/#.UFEG95afht0
• http://cyberlaw.stanford.edu/node/5544
• http://www.computing.co.uk/ctg/news/2162386/europe-s-protection-laws-cause-conflict-warn-legal-experts
• http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2120983

Contacts at Sia Partners US (slide 18)
Gus Moreno, IT Risk Specialist, Sia Partners US
641 Lexington Ave. Suite 1322, New York, NY 10022
Office: (212) 634-6325 – Cell: (917) 239-7549
Email: gus.moreno@sia-partners.com

Alexis Wyrofsky, Consultant, Sia Partners US
641 Lexington Ave. Suite 1322, New York, NY 10022
Office: (212) 634-6325 – Cell: (401) 862-1661
Email: alexis.wyrofsky@sia-partners.com