NJ ISACA IT Audit Director's Roundtable
October 6, 2010
Michael P Cangemi CPA
Andy Ellsweig CPA, CGEIT
Agenda:
Introductions - Format
Major Issues Facing Your Organization?
World Class IA Organization - One View
Data Loss Prevention (DLP) & Privacy
Continuous Monitoring (CCM) & Macro
Management, IT, Financial Governance 3 Cangemi Company, LLC
What makes a world class audit organization?
Management periodically reviews the audit function's contribution (not every day, but always someday).
The Impact of the Economy on Audit Departments – Discussion Points
Data Loss Prevention (DLP): Detecting and preventing the unauthorized use and transmission of confidential information. Risks associated with data loss have significantly increased because companies have fragmented and porous network perimeters, massive amounts of information can be moved easily, many types of information now carry value, and new and emerging regulatory restrictions and marketplace liability attach to improperly protecting personal information.
Personally Identifiable Information (PII) includes: Name, Street Address, Social Security Number (or other national identification numbers), Credit Card Number, Expiration Date, Authorization Code, Telephone number, E-mail address, Driver's license number, Face, fingerprints, or handwriting, etc.
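As an added example (not from the slides), a minimal content scanner of the kind a DLP control applies to outbound text: it flags the two PII types listed above that have a checkable structure, Social Security Numbers and Luhn-valid payment card numbers, and reports them masked rather than in the clear. The sample messages are constructed.

```python
import re

# Constructed sample messages standing in for outbound e-mail bodies (not from the slides).
SAMPLE_MESSAGES = [
    "Please process the refund to card 4111 1111 1111 1111 for John Smith.",
    "Order 1234-5678-9012 shipped; tracking 123456789.",
    "Applicant SSN 123-45-6789, DOB on file, call 555-0100.",
]

# SSN in the dashed form; excludes area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order and tracking numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, str]]:
    """Return (type, raw_value) findings for one message."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group().strip()))
    return findings


def mask(value: str) -> str:
    """Keep only the last four digits so the finding itself is not a second leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_messages(messages: list[str]) -> list[dict]:
    """Scan every message and build a masked report suitable for an audit log."""
    report = []
    for idx, msg in enumerate(messages):
        for kind, value in scan(msg):
            report.append({"message": idx, "type": kind, "masked": mask(value)})
    return report


if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```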
European Data Privacy Directive (1995)
Gramm-Leach-Bliley Act (1999)
SEC’s Regulation S-P (2000)
California state law regarding data breaches (2003)
Massachusetts regulations regarding information security (2008 – 2009)
US Red Flag Rules (2010)
Payment Card Industry Standards (2008)
HIPAA (1996)/HITECH (2010) Acts
Heartland Payment Systems: intruders hacked over 100 million records
San Francisco, July 2008: a disgruntled employee sabotaged the city's computers by changing all the Admin passwords.
Iowa recently learned that Social Security numbers of its residents had been accessible on the Internet since 2005, through a website maintained by a County.
TJX, ChoicePoint, CardSystems, Veterans Administration, and many more
Data Loss Prevention / Privacy – Discussion Points
necessary to manage audit functions and processes more efficiently.
Continuous Controls Monitoring
CCM - Segregation of duties
CM - Security / Info Integrity
CCM - T & recs
Internal Audit / GRC
Continuous Controls Monitoring – Discussion Points
effectively audit transactions and identify fraud and other exceptions in real time.
Firms are moving at a tremendous pace to cloud computing based architectures and assignment of processing controls to third party processors to reap the cost savings. The NIST has defined Cloud computing as: a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud Computing & Outsourcing
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
On Demand Self-Service
Broad Network Access
Low Cost Software
Estimates vary widely on potential cost savings:
“If you move your data center to a cloud provider, it will be a tenth of the cost.”
There are a number of "hidden gotchas" when it comes to using cloud infrastructure providers.
SAS70 limitations include a general lack of security focus, and the testing procedures are sometimes narrowly defined.
When reviewing SAS70s, organizations should consider the following:
Organizations should look for additional assurances besides the SAS70s, which can include: ISO 27001/27002, TRUSTe, Safe Harbor, SysTrust/WebTrust.
To all participants