
The DARK Side of Innovation How Poorly Managed Change Can Increase the Risk of Security Breach and Fraud

The DARK Side of Innovation: How Poorly Managed Change Can Increase the Risk of Security Breach and Fraud. Project Management Institute - SWOC, May 7, 2010 – London, Ontario. Jerrard B. Gaertner CA•CISA/IT, CGEIT, CISSP, CFI, CIA, I.S.P., ITCP


Presentation Transcript


  1. The DARK Side of Innovation: How Poorly Managed Change Can Increase the Risk of Security Breach and Fraud. Project Management Institute - SWOC, May 7, 2010 – London, Ontario. Jerrard B. Gaertner CA•CISA/IT, CGEIT, CISSP, CFI, CIA, I.S.P., ITCP, Soberman LLP & Soberman Technology Assurance Inc.

  2. Introduction (c) Soberman LLP & Soberman Technology Assurance Inc. 2010

  3. Soberman Technology Assurance • Subsidiary of Soberman LLP • Technology governance • GRC for IT • Computer controls and security • Privacy risk and audits • Specialized engagements – PCI, CICA 5970, digital forensics and data capture

  4. Jerry Gaertner • Director, STAI • CA specialist designations • CGEIT, CISSP, CIA, CFI, I.S.P., ITCP • 25+ years experience in systems assurance, IT controls and related areas

  5. Our Agenda • Frame of reference • What constitutes poorly managed change and why does it happen? • How does change affect security and fraud risk and why do we care? • A closer look at security, internal control and fraud • What can we do to minimize risk? • Discussion and questions

  6. Frame of Reference: Change or Innovation Resulting from These Activities • System development, maintenance, upgrade, implementation, configuration related to hardware/software, including operating systems, networks, applications

  7. Which Applications Specifically? • Financial and related systems (inventory, costing, purchasing) • Infrastructure and administrative systems (identity management, SIEM, logging, NAC, data bases) • Econometric, modeling, data mining, logistics, ERP systems

  8. But Generally Not These • Engineering and CAD/CAM systems • Production control systems • Scientific systems • Medical systems, which nevertheless have their own risks

  9. The Difference Systems, facilities, tools, procedures and controls related to organizational assets or the protection of these assets (generally financial and IP)

  10. What Constitutes Poorly Managed Change? The OBVIOUS – Poor Results • Over-budget, late, failure to deliver The OBVIOUS – Poor Processes • Disruptive processes and implementation • Disgruntled stakeholders • Mismanaged expectations • Inefficient use of resources • Lack of documentation and on-going support

  11. What Constitutes Poorly Managed Change? Not so obvious • Implementation without adequate testing (unidentified defects, increased risk of failure) • Implementation without adequate training (future inefficiency and error) • Use of technical shortcuts in development creating hidden vulnerabilities (impact on accuracy, control, security, reliability)

  12. What Constitutes Poorly Managed Change? (More) Not so obvious • Risk-laden project processes and organization (increased security breach and fraud risk) • Failure to identify key control processes prior to change, or to create (map) equivalent processes post implementation, jointly with end users/stakeholders • Failure to fully conform to internal/external standards (affecting knowledge transfer, maintainability, risk profile, auditability)

  13. Why Do Projects Fail? The OBVIOUS • Time and budgetary pressures • Inadequate resources and expertise available • Poor/unrealistic planning, expectations • Poor/incomplete research, understanding of technology • Failure to understand the specifications and deliverables up front • Scope creep, staff creep

  14. Why Do Projects Fail? (More) The OBVIOUS • Early adopter traps • Inadequate project/change management tools, poor feedback and control • Insufficient senior management support to address indirect project factors (organization, competence, training, work flow, stakeholder indirect requirements)

  15. Projects that Fail – Measuring IT Performance Not so obvious • IT still has few objective benchmarks based on metrics which can be used to evaluate performance/productivity. • Coarse measures (such as lines of code per programmer per day) offer little help. • Ratios (the favorite tool of accountants) provide general guidance about resource usage, but little else.

  16. Projects that Fail – Standards Confusion Not so obvious • Security metrics are for the first time being implemented, while privacy metrics remain largely in the research lab. • IT accreditation, standard setting, professional enforcement, training and methodology are a moving target. • ITIL, ISO, COBIT and others provide some guidance, but there remains considerable overlap, as well as gaps and confusion regarding application criteria.

  17. Projects that Fail – IT Culture Roadblock Not so obvious • IT is a relatively new profession (compared to accounting, engineering, medicine). • Historically, the evaluation of IT performance has often been subjective and arbitrary, leading to game-playing, suspicion and the creation of fiefdoms. Major IT projects are often a political minefield. • It can be hard for a project manager or IT director to know who to listen to and what to do.

  18. Projects that Fail – Rapid Change – Complex Risk Not so obvious • IT is changing at a breath-taking speed. Not only technology, but expectations are dramatically affected. Managing IT change means making rapid tactical (and even strategic) corrections. • Different technologies have vastly different risk profiles. A 12 month waterfall development barely resembles a 12 week agile project in terms of where the major risks are, what the most effective controls are, and the type of development organization best suited to deliver a successful outcome.

  19. Summarizing the Hidden Causes of Poorly Managed Change The combination of lack of formal IT performance standards, a great deal of “home-grown” talent, poor understanding of IT risk management, cultural differences between IT and other corporate departments and failures of communications can lead to dramatic, immediate project failure and/or more subtle, longer term failures based on hidden defects, elevated risks and inappropriate controls.

  20. Catch Your Breath…

  21. So WHY Do We Care SO MUCH About IT Projects? IT often protects the organization’s vital assets (intellectual property, PIA, financial information). IT often represents a major strategic resource or competitive differentiator. IT may be critical to economic survival of the organization.

  22. IT is PERVASIVELY Implicated in Control Processes IT is frequently implicated in the exercise of due diligence, fiduciary responsibility, statutory and regulatory compliance, profitability, legal liability, stakeholder satisfaction, maintenance (or loss) of reputation and overall perception in the marketplace and industry. Compliance with statutes and regulations (such as HIPAA, PIPEDA, ITA, ETA, PCI DSS, SOx)

  23. Why Do We Care? (More) Failure to exercise adequate oversight over IT = confidential records in the parking lot; hackers in your SAN; DDoS attack shutting off your web presence; trade secrets in the hands of your competitors ALL OF WHICH YOU READ ON PAGE 2 OF THE GLOBE AND MAIL!

  24. IT Change and Innovation Can Disrupt the Delicate Balance of Controls Protecting Corporate Assets

  25. How Can Change Affect Security and Fraud Risk? To answer, we must: Understand the factors and controls underlying the existing (initial) security and fraud risk. Understand the project impact, processes and factors underlying transitional risk. Understand the end state (post-implementation) factors underlying risks.

  26. And some of the key factors are… Internal controls – design, deployment, effectiveness. Security controls. Fraud triangle. Tone at the Top.

  27. Risk Factors - The Nature of Controls Internal controls are: • activities mandated by the Board (or its delegates) • designed to provide reasonable assurance that: • objectives are attained • in accordance with the organization’s policies, procedures and values, and • exceptions and deviations are identified and addressed as early as possible.

  28. Controls generally reside within frameworks • COSO (Committee of Sponsoring Organizations) • COCO (Criteria of Control) (CICA) • 12 Criteria (CCAF) • TQM • ISO 9000 • Deep Learning (Senge)

  29. Frameworks help us • Understand controls and the context within which they operate • Determine the relative importance and effectiveness of controls • Focus our control resources appropriately • Systematize the implementation • Visualize a multi-dimensional, overlapping network of controls • Standardize control terminology • Develop tools for the evaluation of controls

  30. Components of frameworks • Control activities • Risk analysis • Information flow • Monitoring and feedback • Environment and culture of controls

  31. Framework commonalities

  32. Control types and objects Types • Preventive • Detective • Corrective Objects • Operational control • Financial (statement) reporting • Compliance

  33. Hierarchy of IT Controls • Lowest level IT controls protect specific data elements representative of assets (encryption, field-level access controls) • Mid level IT controls protect the structures in which data resides and the applications which process it (file, application, data base, SDLC) • Higher level controls protect the environment in which data structures reside (security monitoring, anti-malware, operating system, network, telecom) • Highest level controls protect globally (security policy, tone at the top, DRP/BRP, governance)

  34. Hard controls • Policies • Procedures • Supervision • Counting • Organizational hierarchy

  35. Soft controls • Trust • Leadership • Experience • Loyalty • Commitment

  36. Tools for evaluating and maintaining control • CSA • Asking questions • Structured reviews (audits) • Paper reviews • Analytics • Application of ICF (gap analysis)

  37. Security and access controls • Understanding the security circle • Prevent (before) • Detect (during) • React (after) • Risk to underlying operations, assets, information (financial, regulatory, fiduciary) • Concept of threat model – knowing where the risks are (technically)

  38. Key components • Passwords and password management • Secure networks and infrastructure • Monitoring and reporting

  39. Soft security • Policies and procedures • Employee signoff • Segregation of incompatible functions • Administrator privilege • Emergency maintenance procedures • Guest and vendor procedures • ENFORCEMENT

  40. Controls over data • Applications are a whole different thing • Audit trail integrity • Information repositories and flows (where is the data coming from?) • Data base controls (access, integrity) • Importance of metadata (disparate sources, use of information) • Masking • Encryption

  41. Programme development and change • Policies and procedures • Segregation of incompatible functions • Separate partitions or libraries • Control over compilation • Version control

  42. Monitoring • Defining and identifying exceptions and outliers • Audit trail enhancement • Real time monitoring • Software and hardware techniques

  43. Backup and recovery • Defining critical assets and recovery parameters • Technology vs. procedures and training • Testing and more testing

  44. Tone at the top

  45. Minimizing the Project Risk - IT Risk Management IT risks enumerated and evaluated in a fashion similar to other corporate risks (insurance, legal, financial). An IT risk mitigation strategy developed and implemented, including appropriate project management controls, policies and procedures, segregation of duties, continuous monitoring, internal audit, quality assurance, data security, a privacy compliance officer, insurance and DRP/BRP.

  46. Which Can Be Accomplished… How? Change Management 101: Appoint a director-level champion and fully engage IT senior management. Communicate an end-vision fully to the organization (including outside IT), including an explanation of the importance of the proposed changes based on the criticality of IT to the success of the corporate mission. Secure adequate resources for any proposed changes, including training resources and new or reassigned staff as may be required. Define a realistic plan and timeframe.

  47. All of Which Can Be Accomplished… How? Complete a business-based risk assessment and prioritize risk mitigation projects based on Board-level guidance. Include physical/logical security, data privacy, disaster/business recovery risks, organization integrity, segregation of duties and compliance risks. Complete an inventory of data assets and liabilities, including before and after mapping - intellectual property, PIA, credit cards subject to PCI, financial information, trade secrets and processes - and ascertain the appropriate level of safeguards required based on Board-level guidance. Complete a review of existing policies and procedures and determine post implementation AND transitional requirements, as well.

  48. All of Which Can Be Accomplished… How? Independently evaluate the current state of data security and privacy protection and define and plan transitional and end state controls required. Identify key conversion controls, particularly data integrity and completeness.

  49. All of Which Can Be Accomplished… How? Stringently enforce segregation of duties during development, staging, implementation. Avoid using live data or real data for testing (mask data). Arrange for periodic independent audits if project extends beyond a few months or entails changes to major asset protection structures.
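The conversion controls from slide 48 (data integrity and completeness) and the "mask data, never test with live data" rule from slide 49, as an added Python example that is not part of the presentation. The records, field names, the amount control total and the masking scheme are constructed assumptions, not anything the speaker specified.

```python
import hashlib
from decimal import Decimal

# Constructed sample data (not from the presentation): legacy records and
# their converted copies; A101's amount was truncated to simulate a defect.
SOURCE = [
    {"id": "A100", "customer": "Jane Doe", "card": "4111111111111111", "amount": "120.50"},
    {"id": "A101", "customer": "John Roe", "card": "5500000000000004", "amount": "75.25"},
    {"id": "A102", "customer": "Ann Poe", "card": "340000000000009", "amount": "9.99"},
]
CONVERTED = [
    {"id": "A100", "customer": "Jane Doe", "card": "4111111111111111", "amount": "120.50"},
    {"id": "A101", "customer": "John Roe", "card": "5500000000000004", "amount": "75.00"},
    {"id": "A102", "customer": "Ann Poe", "card": "340000000000009", "amount": "9.99"},
]
KEY_FIELDS = ("id", "customer", "card", "amount")  # fields that must survive conversion

def fingerprint(rec):
    """Per-record digest over the key fields; any silent change alters it."""
    canonical = "|".join(str(rec[f]) for f in KEY_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()

def reconcile(source, converted):
    """Completeness (record counts, missing/extra ids) and integrity
    (control total on amount, per-record fingerprints) checks."""
    src_total = sum(Decimal(r["amount"]) for r in source)
    dst_total = sum(Decimal(r["amount"]) for r in converted)
    src_fp = {r["id"]: fingerprint(r) for r in source}
    dst_fp = {r["id"]: fingerprint(r) for r in converted}
    missing = sorted(set(src_fp) - set(dst_fp))
    extra = sorted(set(dst_fp) - set(src_fp))
    changed = sorted(i for i in src_fp.keys() & dst_fp.keys() if src_fp[i] != dst_fp[i])
    return {
        "count_ok": len(source) == len(converted),
        "total_diff": dst_total - src_total,   # zero when control totals agree
        "missing": missing, "extra": extra, "changed": changed,
        "passed": not (missing or extra or changed) and src_total == dst_total,
    }

def mask_for_test(records):
    """Masked copy for staging: names replaced by a one-way pseudonym (so joins
    still work), card numbers reduced to the last four digits."""
    masked = []
    for r in records:
        m = dict(r)
        m["customer"] = "CUST-" + hashlib.sha256(r["customer"].encode()).hexdigest()[:8]
        m["card"] = "*" * (len(r["card"]) - 4) + r["card"][-4:]
        masked.append(m)
    return masked

if __name__ == "__main__":
    print("conversion controls:", reconcile(SOURCE, CONVERTED))
    print("masked test copy:", mask_for_test(SOURCE))
```

A record count alone would pass this migration; only the control total and the per-record fingerprints expose the truncated amount, which is why slide 48 asks for both completeness and integrity controls.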

  50. Then just add water and stir 
