Data Analytics ISACA Omaha Chapter February 15, 2011
Data Analytics
Why use data analytics?
• Efficiency
• Expand Scope of Records Tested
• Reduce Sampling Risk
• Achieve Continuous Monitoring / Auditing
First National of Nebraska Inc. 6 independently chartered banks. 244 individual locations across 7 states.
First National of Nebraska Inc.
• Credit Card
• Deposits
• Loans
• ACH / Wires / Transaction Processing
• Branch Network
• Information Technology / Security
• Compliance (Regulatory, PCI, etc.)
Data Analytic Services
• 3 professionals
• Formed in 2007
• Part of the Internal Audit Department
• Made up of 8 individual teams
• 38 audit professionals
• Also serve as a resource to multiple risk groups and business units outside of Internal Audit.
What We Do
• Internal Requests
• External Requests
• Continuous Auditing / Monitoring
• Recurring Reports
  • Monthly and Quarterly
• System Administration
Tools Used to Analyze Data
• ACL
• SAS
• Access
• Crystal Reports
• Business Objects
• Excel
• Monarch
Challenges
• Understanding the Request and End Result
• Location of the Data
• Best Way to Access the Data
• Mapping the Data to meet the Objectives of the Request
• Understanding what the Data is telling you.
• Avoiding Garbage In, Garbage Out
• Sometimes we get audited!
How Data is Obtained
• Tapes
• Mainframe Jobs / Scripts
• System Reports
• Data Warehouse (ODBC)
Reporting
• Logical Access
• Regulation O – Insider Account Monitoring
• Door Access comparison with HR Master File
• Training Validation
• Validation of System Feeds
• Fraud Monitoring
• Committee Reporting
• Business Issues Summaries
• Audit Plan Status Reporting
System Administration
• Lotus Notes
  • Used by Internal Audit as their primary documentation system
• Archer Enterprise Risk and Compliance System
  • Used by various risk groups throughout the organization
Archer eGRC System
• Business Issues Tracking and Reporting
• Vendor Management / Due Diligence
• Risk Assessments
• Incident Reporting
• Policy Management
• AT501 Compliance / SOX 404
• Case Management
Incident Management
Overview
• Streamline incident submission through a customizable and easy-to-use web-based interface.
• Report incidents anonymously or confidentially.
• Open, prioritize and track security incidents with built-in workflow.
• Attach graphics, files and documents as evidence.
Benefits
• Reduce incident response times.
• Ensure that a defined process is followed to address and report incidents.
• Consolidate incident reporting and impact analysis.
Report incidents, manage their escalation, track investigations and analyze resolutions.
Vendor Management
Overview
• Provide an enterprise view of corporate vendor documentation, services and utilization.
• Assess vendor risk based on services, facilities and internal practices as well as involvement in corporate projects, processes and initiatives.
• Evaluate vendors through multiple assessment types such as auto self-assessments and onsite visits.
Benefits
• Improve productivity through ease of data collection and retrieval.
• Make data accessible to appropriate staff members through the use of access controls.
Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.
Policy Management
Overview
• Design, communicate and manage security policies and compliance processes.
• Access corporate security policies through an enterprise portal.
• Map to industry references including GLBA, SOX, HIPAA, Basel II, ISO17799, PCI, etc.
• Link technical configuration procedures (e.g., Windows 2000 Server) to the policies they support.
Benefits
• Promote compliance with corporate security policies and industry standards.
• Demonstrate compliance with regulatory requirements.
Create policies, distribute them online, educate and train employees and report compliance.
Contact Information
Michael Olson, Data Analytic Services
(402) 602-6613
Molson@fnni.com