
Bridging the gap between software developers and auditors


Presentation Transcript


  1. Bridging the gap between software developers and auditors

  2. Qualitative versus Quantitative Risk Assessment
  • It is impossible to conduct risk management that is purely quantitative.
  • Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience.
  • It is possible to accomplish purely qualitative risk management.

  3. Qualitative risk assessment (matrix of Impact against Likelihood)

  4. Quantitative risk assessment
  • ALE = ARO x SLE
  • SLE = AV x EF
  • ALE = Annualized loss expectancy
  • ARO = Annual rate of occurrence
  • SLE = Single loss expectancy
  • AV = Asset value
  • EF = Exposure factor
  Is there something wrong with this approach?

  5. Risks in software development
  • Buffer overflows
  • Authentication
  • Human intervention
  • Code reuse

  6. What is STRIDE
  • Microsoft’s approach to threat modeling
  • Spoofing Identity
  • Tampering with data
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of privilege
  • http://msdn.microsoft.com/en-us/library/ms954176.aspx

  7. What is DREAD
  • OWASP’s extension to STRIDE, providing some quantifiable measure for vulnerabilities
  • Damage Potential
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability
  • All scored on the scale 0-10
  • DREAD = (D1 + R + E + A + D2)/5
  • http://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
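The two scoring schemes above, slide 4's SLE/ALE formulas and slide 7's DREAD average, applied to a constructed scenario. This is an added example, not code from the presentation; the asset values, rates, threat names and scores are made up, and the control cost-benefit function is a common extension of the ALE model that the slides do not state.

```python
# Added example, not from the slides: slide 4's SLE = AV x EF and ALE = ARO x SLE,
# and slide 7's DREAD average, applied to constructed threats (all values below
# are made up for illustration).
from dataclasses import dataclass, astuple

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction of the asset value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie in [0, 1]")
    return asset_value * exposure_factor

def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = ARO x SLE; ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return aro * single_loss_expectancy(asset_value, exposure_factor)

def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Assumed extension of the ALE model (not on the slides): a control pays off
    when the ALE it removes exceeds its yearly cost (positive = worth buying)."""
    return (ale_before - ale_after) - annual_cost

@dataclass(frozen=True)
class Dread:
    """One DREAD rating; every factor is scored 0-10 as on slide 7."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name, value in zip(self.__dataclass_fields__, astuple(self)):
            if not 0 <= value <= 10:
                raise ValueError(f"{name} must be between 0 and 10")

    def score(self) -> float:
        """DREAD = (D1 + R + E + A + D2) / 5."""
        return sum(astuple(self)) / 5

def rank_by_dread(threats: dict[str, Dread]) -> list[tuple[str, float]]:
    """Highest DREAD score first: the order a triage meeting works through."""
    return sorted(((n, d.score()) for n, d in threats.items()), key=lambda t: -t[1])

# Constructed scenario: a 500k ledger database loses 30% of its value about once
# every four years; a control costing 20k/yr cuts the rate to once in 20 years.
LEDGER_ALE_BEFORE = annualized_loss_expectancy(500_000, 0.30, 0.25)  # 37,500
LEDGER_ALE_AFTER = annualized_loss_expectancy(500_000, 0.30, 0.05)   # 7,500
LEDGER_CONTROL_BENEFIT = control_net_benefit(LEDGER_ALE_BEFORE, LEDGER_ALE_AFTER, 20_000)
```

Note that every input (EF, ARO, each DREAD factor) is itself an analyst's judgement, which is slide 2's point: the arithmetic is quantitative, the numbers feeding it are not.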

  8. Risks in audit
  • Audit risk is the probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements contain material misstatement(s) which the auditor fails to find
  • Composed of Inherent, Control, and Detection risks

  9. Role of IT Controls
  • Modern financial reporting is driven by information technology
  • IT initiates, authorizes, records, and reports the effects of financial transactions.
  • Financial reporting internal controls (IC) are inextricably integrated with IT.
  • COSO identifies two groups of IT controls:
  • application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
  • general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

  10. Important types of IT controls
  • Input controls
  • Processing controls
  • Output controls

  11. What can a university do?
  • Teaching and training
  • UConn started an Advanced Business Certificate program in IT Audit
  • Aligned with ISACA CISA coverage
  • Research
  • UConn is now an NSA Center of Excellence in Information Assurance Research
