Bridging the gap between software developers and auditors Qualitative versus Quantitative Risk Assessment It is impossible to conduct risk management that is purely quantitative. Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience. It is possible to accomplish purely qualitative risk management. Qualitative risk assessment Impact Med. risk High risk High risk Low risk Med. risk High risk Low risk Low risk Med. risk Likelihood Quantitative risk assessment ALE = ARO x SLE – SLE = AV x EF • • • • • ALE = Annualized loss expectancy ARO = Annual rate of occurrence SLE = Single loss expectancy AV = Asset value EF = Exposure factor Is there something wrong with this approach? Risks in software development Buffer overflows Authentication Human intervention Code reuse What is STRIDE • • • • • • • Microsoft’s approach to threat modeling Spoofing Identity Tampering with data Repudiation Information Disclosure Denial of Service Elevation of privilege • http://msdn.microsoft.com/en-us/library/ms954176.aspx What is DREAD OWASP’s extension to STRIDE, providing some quantifiable measure for vulnerabilities Damage Potential Reproducibility Exploitability Affected users Discoverability All scored on the scale 0-10 DREAD = (D1 + R + E + A + D2)/5 http://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD Risks in audit Audit risk is a probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain materials misstatement(s) which the auditor fails to find Composed of Inherent, Control, and Detection risks Role of IT Controls Modern financial reporting is driven by information technology IT initiates, authorizes, records, and reports the effects of financial transactions. Financial reporting IC are inextricably integrated to IT. COSO identifies two groups of IT controls: application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development Important types of IT controls Input controls Processing controls Output Controls What can a university do? Teaching and training UConn started Advanced Business Certificate program in IT Audit • Aligned with ISACA CISA coverage Research UConn is now NSA Center of Excellence in Information Assurance Research