ISACA Kampala Chapter Annual Security Workshop
SECURITY DECISIONS: THE CHALLENGES FOR TODAY AND TOMORROW
Godffrey Mwika, CPA(K), CIA, CISA, CISM
Risk Consulting Division, KPMG East Africa
Godffrey Mwika, Risk Consulting, KPMG East Africa

Information Insecurity
Real life cases of how businesses are losing cash without trace
Information insecurity
Failure to protect information assets from the following risks:
• Unauthorized access
• Unauthorized use
• Disclosure to unauthorized parties
• Disruption of the information

Information insecurity
Failure to protect information assets from the following risks:
• Modification
• Viewing, perusal, inspection
• Writing, recording or editing
• Deletion or other forms of destruction

Information insecurity
Generally it is the failure to ensure that the 3 key components of information security are established and operational, i.e. CIA:
• Confidentiality (C)
• Integrity (I)
• Availability (A)
The order of importance is debatable.
Why information insecurity
Reasons why information will be insecure:
• Software weaknesses – when applications are made insecure at development
• When an organisation has not classified its information – restricted, confidential, protected, public, unclassified, etc.

Why information insecurity
Reasons why information will be insecure:
• Lack of capacity – inadequate IT resources to assess and mitigate security risks
• Poor or non-existent risk management framework for information security risks, hence no mitigating factors

Why information insecurity
Reasons why information will be insecure:
• Governance issues – tone at the top on IS risks is wrong or missing
• Wrong attitude – ‘Snakes are not dangerous till they bite me’
• Underestimating the people risk factor

Why information insecurity
Reasons why information will be insecure:
• Poorly defined business processes – this includes issues like lack of separation of duties and conflicting roles (labour cost)
• Fraudulent intentions – where fraudulent managers and staff prefer insecure systems

Why information insecurity
Reasons why information will be insecure:
• Resistance to change – security comes with responsibility, role definition and process designing/redesigning, and people may resist
• Ignorance and general lack of knowledge
Information Insecurity – Losses
When business information is insecure and the weaknesses are exploited, the result is either:
• Direct cash losses – direct benefits to the people exploiting the security gaps
• Indirect cash losses to an organisation as a result of the security gaps
Suppliers Master Data Insecurity
• Creation of non-prequalified suppliers and deletion after fraud payments have been made
• Amending supplier details for fraudulent payments
• Violation of separation of duties in systems
• Create, use and delete scheme
A company pays for poor quality work or no work at all.

POP and Goods Receipts Insecurity
• System holds on order matching are overridden to allow wrong or inadequate receipts to be delivered
• Exaggerated usage reports to reconcile ghost deliveries
• Un-reconciled production reports
• Accounting for cost of production based on actual usage only (end to end) and without stepwise business process WIP management

POP and Goods Receipts Insecurity
• Contract/order breakdown into small bits to skip certain levels of management approval
• Creation of orders for unwanted items in the mix of wanted ones
• Buying with a view to write off
• Generating GRN/SRN for non-existent technical and complicated services – when there is no control of services in the system – using heavy terminology to confuse accounts
Payments Insecurity
• Procure to payment manned by a single person (intentional or unknown). Cutting on labor costs and loss of cash
• IT unlimited and uncontrolled access to the business process modules
• No relationship between POP, suppliers master and payment system
• Manual payments to capture in the system later

Payments Insecurity
• Down payments that are never recovered on final payment
• Access controls over the payment master
• Duplicate supplier payments undetected by the system
• Deliberate disputes created by suppliers to recover un-reconciled amounts in a company
• Approving many small immaterial payments and preparing a final single payment
Customers Master Insecurity
• Creating customers, trading on credit and deleting from database
• Varying credit limits, trading and reversing
• Posting ‘erroneously’, trading and reversing the posting
• Endless unexplained postings into a customer’s account
• Inter-account transfers that are ‘due to error’

Customers Master Insecurity
• Deleting invoices from customer accounts and describing it as an error
• Unapproved credit notes posted in customer accounts without support
• Confused customer accounts that take too long to reconcile while goods are shipped
• Customers switching between cash and credit terms temporarily

Sales Order Processing Insecurity
• Unprotected price master
• Big customer orders placed on the eve of a price increase to frustrate price increases and favor an individual
• Moving customers to price regimes they don’t deserve
• Hedging orders floated in the system to await a favorable price
• Fraudulent and unnecessary promotions
Inventories Insecurity
• Product master changes to accept wrong goods which are later written off as obsolete goods
• Changes of product usage to cover stock losses
• Deletion of missing/misappropriated inventories from the database
• Malicious issues and receipts
• Weighbridge fraud – ‘cheating the system’

Government Systems Insecurity
• Unrecorded receipts
• Parallel systems to beat IT based systems
• Ghost payments
• Deliberate system crashes
• Bureaucracy
• Resistance to ICT
• Most old government staff ignore IT
• Young government staff take advantage

Overtime and Payroll Insecurity
• Recording un-worked hours
• Varying the value of hours worked
• Paying twice for the same hours, even more than 24 hours a day
• Running parallel payroll systems for bank and for accounting and then creating reconciling differences that are never resolved
• Editing salaries and wages after computation but before transmission to increase net pay
Taming Insecurity
• Align ICT to business needs – A MUST DO.
• Define your data and classify it correctly. Different information has different levels of insecurity
• Define all process level risks and implement controls for them
• Use CAATs for continuous auditing procedures
• Establish a Risk Management System that includes all business process owners

Taming Insecurity
• Have a clear ICT Security policy
• Define security roles and separate duties between ICT & Business and between Business process owners
• Develop and implement monitoring reports that can be reviewed by managers continuously
• Conduct proper investigations and Punish violations mercilessly as a deterrent
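Two of the recommendations above, CAATs for continuous auditing and monitoring reports that managers review, can be built as small scripts over the ERP audit trail. The following Python is an added example, not from the presentation or KPMG; it runs three detective checks over constructed data for patterns described earlier in the deck: the create-use-delete supplier scheme (with a separation-of-duties check on who created and who paid), duplicate supplier payments, and order splitting below an approval threshold. Field names, thresholds and sample rows are assumptions.

```python
# Constructed CAAT-style checks (added example, not the deck's own material); names, thresholds and rows are assumed.
from collections import defaultdict
from datetime import date, timedelta
APPROVAL_THRESHOLD = 10_000       # assumed limit above which a second approval is needed
SPLIT_WINDOW = timedelta(days=7)  # assumed window for the order-splitting test
# Constructed supplier-master audit-trail rows: (supplier_id, event, user, date)
SUPPLIER_LOG = [("S100", "create", "alice", date(2024, 3, 1)),
                ("S100", "delete", "alice", date(2024, 3, 20)),
                ("S200", "create", "bob", date(2024, 1, 5))]
# Constructed payment rows: (supplier_id, invoice_ref, amount, user, date)
PAYMENTS = [("S100", "INV-7", 4_500.0, "alice", date(2024, 3, 10)),
            ("S200", "INV-1", 1_200.0, "carol", date(2024, 2, 2)),
            ("S200", "INV-1", 1_200.0, "carol", date(2024, 2, 9))]
# Constructed purchase orders: (order_id, supplier_id, requester, amount, date)
ORDERS = [("PO-1", "S200", "dave", 9_800.0, date(2024, 4, 1)),
          ("PO-2", "S200", "dave", 9_700.0, date(2024, 4, 3)),
          ("PO-3", "S200", "dave", 9_900.0, date(2024, 4, 5)),
          ("PO-4", "S200", "erin", 2_000.0, date(2024, 4, 5))]
def create_use_delete(supplier_log, payments):
    """Suppliers created, paid, then deleted; last field tells whether the creator also paid (SoD breach)."""
    created = {s: (u, d) for s, ev, u, d in supplier_log if ev == "create"}
    deleted = {s: d for s, ev, _, d in supplier_log if ev == "delete"}
    hits = []
    for s in sorted(created.keys() & deleted.keys()):
        paid = [p for p in payments if p[0] == s and created[s][1] <= p[4] <= deleted[s]]
        if paid:
            hits.append((s, len(paid), sum(p[2] for p in paid), any(p[3] == created[s][0] for p in paid)))
    return hits
def duplicate_payments(payments):
    """Same supplier, invoice reference and amount paid more than once."""
    seen = defaultdict(list)
    for s, ref, amt, _, d in payments:
        seen[(s, ref, amt)].append(d)
    return {k: len(v) for k, v in seen.items() if len(v) > 1}
def split_orders(orders, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW):
    """Sub-threshold orders by one requester to one supplier that together exceed the threshold within the window."""
    by_key = defaultdict(list)
    for oid, s, req, amt, d in orders:
        if amt < threshold:
            by_key[(s, req)].append((d, oid, amt))
    hits = []
    for (s, req), rows in by_key.items():
        rows.sort()  # chronological, so each window starts at an order date
        for i, first in enumerate(rows):
            group = [r for r in rows[i:] if r[0] - first[0] <= window]
            total = sum(r[2] for r in group)
            if len(group) > 1 and total >= threshold:
                hits.append((s, req, [r[1] for r in group], total))
                break  # one finding per supplier/requester pair is enough for the report
    return hits
```

Each function returns the rows a manager would see on the monitoring report; the same checks run unchanged over a real export once the column mapping is adjusted.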
Questions?

Thank you very much …
Be Secure
Goodbye!