The DARK Side of Innovation
How Poorly Managed Change Can Increase the Risk of Security Breach and Fraud

Project Management Institute – SWOC
May 7, 2010 – London, Ontario
Jerrard B. Gaertner CA•CISA/IT, CGEIT, CISSP, CFI, CIA, I.S.P., ITCP
Soberman LLP & Soberman Technology Assurance Inc.
Introduction (c) Soberman LLP & Soberman Technology Assurance Inc. 2010
Soberman Technology Assurance
• Subsidiary of Soberman LLP
• Technology governance
• GRC for IT
• Computer controls and security
• Privacy risk and audits
• Specialized engagements – PCI, CICA 5970, digital forensics and data capture

Jerry Gaertner
• Director, STAI
• CA specialist designations
• CGEIT, CISSP, CIA, CFI, I.S.P., ITCP
• 25+ years experience in systems assurance, IT controls and related areas

Our Agenda
• Frame of reference
• What constitutes poorly managed change and why does it happen?
• How does change affect security and fraud risk and why do we care?
• A closer look at security, internal control and fraud
• What can we do to minimize risk?
• Discussion and questions
Frame of Reference: Change or Innovation Resulting from These Activities
• System development, maintenance, upgrade, implementation, configuration related to hardware/software, including operating systems, networks, applications

Which Applications Specifically?
• Financial and related systems (inventory, costing, purchasing)
• Infrastructure and administrative systems (identity management, SIEM, logging, NAC, data bases)
• Econometric, modeling, data mining, logistics, ERP systems

But Generally Not These
• Engineering and CAD/CAM systems
• Production control systems
• Scientific systems
• Medical systems, which nevertheless have their own risks

The Difference
Systems, facilities, tools, procedures and controls related to organizational assets or the protection of these assets (generally financial and IP)
What Constitutes Poorly Managed Change?
The OBVIOUS – Poor Results
• Over-budget, late, failure to deliver
The OBVIOUS – Poor Processes
• Disruptive processes and implementation
• Disgruntled stakeholders
• Mismanaged expectations
• Inefficient use of resources
• Lack of documentation and on-going support

What Constitutes Poorly Managed Change? Not so obvious
• Implementation without adequate testing (unidentified defects, increased risk of failure)
• Implementation without adequate training (future inefficiency and error)
• Use of technical shortcuts in development creating hidden vulnerabilities (impact on accuracy, control, security, reliability)

What Constitutes Poorly Managed Change? (More) Not so obvious
• Risk-laden project processes and organization (increased security breach and fraud risk)
• Failure to identify key control processes prior to change, or to create (map) equivalent processes post-implementation, jointly with end users/stakeholders
• Failure to fully conform to internal/external standards (affecting knowledge transfer, maintainability, risk profile, auditability)
Why Do Projects Fail? The OBVIOUS
• Time and budgetary pressures
• Inadequate resources and expertise available
• Poor/unrealistic planning, expectations
• Poor/incomplete research, understanding of technology
• Failure to understand the specifications and deliverables up front
• Scope creep, staff creep

Why Do Projects Fail? (More) The OBVIOUS
• Early adopter traps
• Inadequate project/change management tools, poor feedback and control
• Insufficient senior management support to address indirect project factors (organization, competence, training, work flow, stakeholder indirect requirements)

Projects that Fail – Measuring IT Performance: Not so obvious
• IT still has few objective benchmarks based on metrics which can be used to evaluate performance/productivity.
• Coarse measures (such as lines of code per programmer per day) offer little help.
• Ratios (the favorite tool of accountants) provide general guidance about resource usage, but little else.

Projects that Fail – Standards Confusion: Not so obvious
• Security metrics are for the first time being implemented, while privacy metrics remain largely in the research lab.
• IT accreditation, standard setting, professional enforcement, training and methodology are a moving target.
• ITIL, ISO, COBIT and others provide some guidance, but there remains considerable overlap, as well as gaps and confusion regarding application criteria.

Projects that Fail – IT Culture Roadblock: Not so obvious
• IT is a relatively new profession (compared to accounting, engineering, medicine).
• Historically, the evaluation of IT performance has often been subjective and arbitrary, leading to game-playing, suspicion and the creation of fiefdoms. Major IT projects are often a political minefield.
• It can be hard for a project manager or IT director to know who to listen to and what to do.
Projects that Fail – Rapid Change, Complex Risk: Not so obvious
• IT is changing at a breath-taking speed. Not only technology, but expectations are dramatically affected. Managing IT change means making rapid tactical (and even strategic) corrections.
• Different technologies have vastly different risk profiles. A 12 month waterfall development barely resembles a 12 week agile project in terms of where the major risks are, what the most effective controls are, and the type of development organization best suited to deliver a successful outcome.

Summarizing the Hidden Causes of Poorly Managed Change
The combination of lack of formal IT performance standards, a great deal of “home-grown” talent, poor understanding of IT risk management, cultural differences between IT and other corporate departments and failures of communications can lead to dramatic, immediate project failure and/or more subtle, longer term failures based on hidden defects, elevated risks and inappropriate controls.
Catch Your Breath…
So WHY Do We Care SO MUCH About IT Projects?
• IT often protects the organization’s vital assets (intellectual property, PIA, financial information).
• IT often represents a major strategic resource or competitive differentiator.
• IT may be critical to the economic survival of the organization.

IT is PERVASIVELY Implicated in Control Processes
IT is frequently implicated in the exercise of due diligence, fiduciary responsibility, statutory and regulatory compliance, profitability, legal liability, stakeholder satisfaction, maintenance (or loss) of reputation and overall perception in the marketplace and industry.
• Compliance with statutes and regulations (such as HIPAA, PIPEDA, ITA, ETA, PCI DSS, SOx)

Why Do We Care? (More)
Failure to exercise adequate oversight over IT = confidential records in the parking lot; hackers in your SAN; DDoS attack shutting off your web presence; trade secrets in the hands of your competitors. ALL OF WHICH YOU READ ON PAGE 2 OF THE GLOBE AND MAIL!

IT Change and Innovation Can Disrupt the Delicate Balance of Controls Protecting Corporate Assets
How Can Change Affect Security and Fraud Risk? To answer, we must:
• Understand the factors and controls underlying the existing (initial) security and fraud risk
• Understand the project impact, processes and factors underlying transitional risk
• Understand the end state (post-implementation) factors underlying risks

And some of the key factors are…
• Internal controls – design, deployment, effectiveness
• Security controls
• Fraud triangle
• Tone at the Top
Risk Factors – The Nature of Controls
Internal controls are:
• activities mandated by the Board (or its delegates)
• designed to provide reasonable assurance that:
  • objectives are attained
  • in accordance with the organization’s policies, procedures and values, and
  • exceptions and deviations are identified and addressed as early as possible.

Controls generally reside within frameworks
• COSO (Committee of Sponsoring Organizations)
• COCO (Criteria of Control) (CICA)
• 12 Criteria (CCAF)
• TQM
• ISO 9000
• Deep Learning (Senge)

Frameworks help us
• Understand controls and the context within which they operate
• Determine the relative importance and effectiveness of controls
• Focus our control resources appropriately
• Systematize the implementation
• Visualize a multi-dimensional, overlapping network of controls
• Standardize control terminology
• Develop tools for the evaluation of controls

Components of frameworks
• Control activities
• Risk analysis
• Information flow
• Monitoring and feedback
• Environment and culture of controls

Framework commonalities

Control types and objects
Types
• Preventive
• Detective
• Corrective
Objects
• Operational control
• Financial (statement) reporting
• Compliance
Hierarchy of IT Controls
• Lowest level IT controls protect specific data elements representative of assets (encryption, field-level access controls)
• Mid level IT controls protect the structures in which data resides and the applications which process it (file, application, data base, SDLC)
• Higher level controls protect the environment in which data structures reside (security monitoring, anti-malware, operating system, network, telecom)
• Highest level controls protect globally (security policy, tone at the top, DRP/BRP, governance)

Hard controls
• Policies
• Procedures
• Supervision
• Counting
• Organizational hierarchy

Soft controls
• Trust
• Leadership
• Experience
• Loyalty
• Commitment

Tools for evaluating and maintaining control
• CSA
• Asking questions
• Structured reviews (audits)
• Paper reviews
• Analytics
• Application of ICF (gap analysis)
Security and access controls
• Understanding the security circle
  • Prevent (before)
  • Detect (during)
  • React (after)
• Risk to underlying operations, assets, information (financial, regulatory, fiduciary)
• Concept of threat model – knowing where the risks are (technically)

Key components
• Passwords and password management
• Secure networks and infrastructure
• Monitoring and reporting

Soft security
• Policies and procedures
• Employee signoff
• Segregation of incompatible functions
• Administrator privilege
• Emergency maintenance procedures
• Guest and vendor procedures
• ENFORCEMENT

Controls over data
• Applications are a whole different thing
• Audit trail integrity
• Information repositories and flows (where is the data coming from?)
• Data base controls (access, integrity)
• Importance of metadata (disparate sources, use of information)
• Masking
• Encryption
Programme development and change
• Policies and procedures
• Segregation of incompatible functions
• Separate partitions or libraries
• Control over compilation
• Version control

Monitoring
• Defining and identifying exceptions and outliers
• Audit trail enhancement
• Real time monitoring
• Software and hardware techniques
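As an added illustration of the "defining and identifying exceptions and outliers" point (example code written for this page, not taken from the presentation or from Soberman), the script below reads a constructed, hypothetical payments audit trail and applies the two kinds of monitoring rule the slide distinguishes: policy exceptions the control owner defines up front (an initiator approving their own payment, activity outside business hours, a payment to a vendor the same user set up) and a statistical outlier test on amounts using the median absolute deviation. The log format, field names, user names, vendors and thresholds are all assumptions.

```python
"""Exception and outlier detection over an application audit trail.

Constructed example: the pipe-delimited format, field names, users and
thresholds are assumptions for illustration, not any product's real audit format.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed audit-trail lines (hypothetical format):
# timestamp|event|user|approver|amount|vendor
SAMPLE_AUDIT_TRAIL = """\
2010-05-03T09:12:41|PAYMENT|jsmith|mlee|1250.00|ACME Supply
2010-05-03T10:05:02|PAYMENT|jsmith|mlee|980.50|ACME Supply
2010-05-03T11:47:19|PAYMENT|rchan|mlee|1410.00|Northern Paper
2010-05-03T14:20:07|PAYMENT|jsmith|jsmith|1100.00|ACME Supply
2010-05-04T02:31:55|PAYMENT|rchan|mlee|1320.00|Northern Paper
2010-05-04T09:02:10|PAYMENT|jsmith|mlee|48750.00|JS Consulting
2010-05-04T09:45:33|VENDOR_ADD|jsmith||0.00|JS Consulting
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    approver: str
    amount: float
    vendor: str


def parse_audit_trail(text):
    """Parse the constructed format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, approver, amount, vendor = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, user,
                            approver, float(amount), vendor))
    return events


def rule_exceptions(events, business_hours=(8, 18)):
    """Policy-defined exceptions: fixed rules written down by the control owner."""
    findings = []
    start, end = business_hours
    for e in events:
        # Segregation of duties: the initiator must not be the approver.
        if e.kind == "PAYMENT" and e.user == e.approver:
            findings.append(("SOD_VIOLATION", e))
        # Activity outside the assumed business window (hours are assumptions).
        if not (start <= e.ts.hour < end):
            findings.append(("OUT_OF_HOURS", e))
    return findings


def vendor_self_service(events):
    """Cross-event rule: a user who created a vendor record and then paid that vendor."""
    added_by = {e.vendor: e.user for e in events if e.kind == "VENDOR_ADD"}
    return [e for e in events
            if e.kind == "PAYMENT" and added_by.get(e.vendor) == e.user]


def amount_outliers(events, k=5.0):
    """Statistical outliers: payments more than k MADs from the median amount.

    The median/MAD pair is robust, so one huge payment does not hide itself
    by dragging the mean and standard deviation upward.
    """
    amounts = [e.amount for e in events if e.kind == "PAYMENT"]
    if len(amounts) < 3:
        return []
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0
    return [e for e in events
            if e.kind == "PAYMENT" and abs(e.amount - med) / mad > k]


def review(text):
    """Run every check and return counts a reviewer can act on."""
    events = parse_audit_trail(text)
    rules = rule_exceptions(events)
    vendors = vendor_self_service(events)
    outliers = amount_outliers(events)
    return {
        "events": len(events),
        "rule_exceptions": len(rules),
        "vendor_self_service": len(vendors),
        "amount_outliers": len(outliers),
        "total_findings": len(rules) + len(vendors) + len(outliers),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_AUDIT_TRAIL).items():
        print(f"{key}: {value}")
```

The rule checks are the "defining" half of the slide: each one encodes a control decision someone signed off on. The MAD test is the "identifying" half: it catches what nobody wrote a rule for, and its threshold should be tuned on the organization's own history rather than taken from this example.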
Backup and recovery
• Defining critical assets and recovery parameters
• Technology vs. procedures and training
• Testing and more testing

Tone at the top
Minimizing the Project Risk – IT Risk Management
• IT risks enumerated and evaluated in a fashion similar to other corporate risks (insurance, legal, financial).
• An IT risk mitigation strategy developed and implemented, including appropriate project management controls, policies and procedures, segregation of duties, continuous monitoring, internal audit, quality assurance, data security, a privacy compliance officer, insurance and DRP/BRP.

Which Can Be Accomplished… How? Change Management 101
• Appoint a director-level champion and fully engage IT senior management.
• Communicate an end-vision fully to the organization (including outside IT), including an explanation of the importance of the proposed changes based on the criticality of IT to the success of the corporate mission.
• Secure adequate resources for any proposed changes, including training resources and new or reassigned staff as may be required.
• Define a realistic plan and timeframe.

All of Which Can Be Accomplished… How? (continued)
• Complete a business-based risk assessment and prioritize risk mitigation projects based on Board-level guidance. Include physical/logical security, data privacy, disaster/business recovery risks, organization integrity, segregation of duties and compliance risks.
• Complete an inventory of data assets and liabilities, including before and after mapping (intellectual property, PIA, credit cards subject to PCI, financial information, trade secrets and processes), and ascertain the appropriate level of safeguards required based on Board-level guidance.
• Complete a review of existing policies and procedures and determine post-implementation AND transitional requirements as well.
• Independently evaluate the current state of data security and privacy protection, and define and plan the transitional and end-state controls required.
• Identify key conversion controls, particularly data integrity and completeness.
• Stringently enforce segregation of duties during development, staging and implementation.
• Avoid using live data or real data for testing (mask data).
• Arrange for periodic independent audits if the project extends beyond a few months or entails changes to major asset protection structures.
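To make the "mask data" step concrete, here is an added Python example (written for this page, not the presentation's own code) that turns a constructed production extract into test data: keyed HMAC pseudonyms keep customer_id consistent across tables so joins still work in testing, card numbers keep only their last four digits, and a closing check confirms that no original name, e-mail address or card number survives in the masked output. The column names, the sample rows and the masking key are assumptions; in practice the key comes from a key store and is never shipped with the test data.

```python
"""Masking a production extract before it is loaded into a test environment.

Constructed example with hypothetical table layouts; MASKING_KEY is a
placeholder standing in for a key held in a key store.
"""
import csv
import hashlib
import hmac
import io

MASKING_KEY = b"placeholder-test-masking-key"  # assumption: injected from a key store

# Constructed sample extract (two related tables, hypothetical columns).
CUSTOMERS = """customer_id,full_name,email,card_number
1001,Alice Example,alice@example.com,4111111111111111
1002,Bob Sample,bob@example.org,5500000000000004
"""
ORDERS = """order_id,customer_id,amount
5001,1001,129.95
5002,1002,42.00
5003,1001,18.50
"""


def pseudonym(value, prefix, length=10):
    """Deterministic keyed pseudonym: the same input maps to the same token in
    every table (so foreign keys still join), but it cannot be reversed or
    recomputed by anyone without the key."""
    digest = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"


def mask_card(pan):
    """Keep only the last four digits; stars preserve the length for UI tests."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


# Per-column masking rules; columns without a rule are copied unchanged
# (amounts and order numbers are needed as-is for functional testing).
RULES = {
    "customer_id": lambda v: pseudonym(v, "C"),
    "full_name": lambda v: pseudonym(v, "Customer "),
    "email": lambda v: pseudonym(v, "user") + "@example.invalid",
    "card_number": mask_card,
}


def rows(csv_text):
    """Parse CSV text into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def mask_table(csv_text):
    """Apply RULES column by column and return the masked table as CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({k: RULES.get(k, lambda v: v)(v) for k, v in row.items()})
    return out.getvalue()


def verify_masking(original_rows, masked_rows, sensitive_columns):
    """Control check run before release to test: no sensitive original value
    may appear anywhere in the masked output."""
    masked_blob = "\n".join(",".join(r.values()) for r in masked_rows)
    return all(r[c] not in masked_blob
               for r in original_rows for c in sensitive_columns)


if __name__ == "__main__":
    masked_customers = mask_table(CUSTOMERS)
    masked_orders = mask_table(ORDERS)
    print(masked_customers)
    print(masked_orders)
    ok = verify_masking(rows(CUSTOMERS), rows(masked_customers),
                        ["full_name", "email", "card_number"])
    print("masking verified:", ok)
```

Two design points worth noting: the pseudonym is keyed (HMAC) rather than a plain hash, because an unkeyed hash of a small value space such as customer numbers can be recomputed by anyone with the output; and the verification step is a detective control that belongs in the release pipeline, since a missed column in RULES is exactly the kind of hidden defect the earlier slides warn about.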
Then just add water and stir