AFM INTERNAL AUDIT NETWORK MEETING

MUTUAL ONE, GROVE PARK, LEICESTER

Current ‘Hot Topics’ in Information Security Governance Auditing

David Tattersall

03 March 2011

WHO ARE MUTUAL ONE?

Mission Statement “To enhance the competitiveness of mutuals”

WHAT DOES MUTUAL ONE DO?
  • We facilitate collective action amongst mutuals across 4 broad areas:
    • Internal audit
    • Compliance, risk and governance
    • Events
    • Collective procurement
  • We are very committed to supporting the mutual sector so that it thrives, not just survives
  • More details on the above can be found on www.mutual-one.co.uk

Current ‘Hot Topics’ in Information Security Governance Auditing

Contents

  • Definition of ‘Information Security’
  • What Information do we need to secure?
  • Why do we need to secure information?
  • Auditing Information Security
      • Frameworks
      • Emerging Themes
  • Questions

Information Security…

…protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.

Wikipedia – Nov 2010

What information needs protecting?

  • Customer
  • Company
  • Employee
  • Confidential
  • Bank / card
  • Product / ideas

But why…?

  • Regulatory Requirements
    • Financial Services Authority
    • Data Protection Act 1998
  • Reputation Damage
  • Financial Cost


Estimated Cost of a Data Breach:

  • Data Loss incidents cost between £365k and £3.92m to manage
  • Average cost per lost record = £64
  • Biggest cost per lost record is lost business - £29
  • Other costs include:
    • customer communication
    • recompense
    • operational costs
    • financial penalty
  • Increased 7% in past year, 36% in past two years

Source: Ponemon Institute / PGP 2009 Annual Study - Global Cost of a Data Breach report

Auditing InfoSec

Dependent upon:

  • Organisation
  • Operating environment – regulated firm? Compliance with external requirements (e.g. PCI-DSS)?
  • Size and nature of IT environment, i.e. is the control requirement proportionate?
  • Risk appetite

Auditing InfoSec - Frameworks

  • ISO27001 / 2
    • ISO/IEC 27001:2005 – Information Security Management Systems – Requirements
    • ISO/IEC 27002:2005 – Code of Practice for Information Security Management
  • COBIT
  • FSA Paper – Data Security in Financial Services (Apr 2008)
  • Payment Card Industry – Data Security Standards
Auditing InfoSec

Emerging Themes:

  • FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
  • Outsourcing / key suppliers
  • Internal Threats – who are our employees?
  • Internal Threats – how is the internet used?
  • Portable Media Devices – Encrypted?
  • Smart Phones
  • What next…? Cloud Computing?
Data Security in Financial Services (April 2008) – New Regulation?
  • Governance – managing systems and controls
  • Training and Awareness
  • Staff Recruitment & Vetting
  • Controls
  • Physical Security
  • Disposing of Customer Data
  • Managing Third-party Suppliers
  • Internal Audit and Compliance Monitoring
  • Outsourcing / key suppliers
FSA Fines…

  • Result of a lack of oversight on key outsourced service
  • Third Party Assurance
Third Party Assurance
  • Due diligence
  • Relationship management
  • Contracts / service level agreements
  • Ongoing review of security arrangements
  • Third party assurance
  • Internal Threats – who are our employees?
Who are our employees?
  • Initial recruitment process
    • background checks
    • CRB checks
    • credit checks
  • Recruitment of temporary staff
  • Ongoing vetting of staff
“To block or not to block…?”

Reasons to block…

  • Introduction of malware, spyware, virus
  • Bandwidth usage
  • ‘Time-wasting’
  • Data Leakage
    • Accidental
    • Intentional
  • Data aggregation
  • REPUTATION!
“To block or not to block…?”

Reasons to allow…

  • Networking opportunities
  • Knowledge sharing
  • Communication with staff
  • Marketing ability / customer engagement
  • Increased staff morale
“To block or not to block…?”

Controls to consider (if allowing social networking sites)

  • Solid risk assessment
  • Training and awareness
  • Usage policies
  • Granular web-site controls (next-gen firewalls)
  • Data leakage software
Laptop Security
  • Encryption
  • Laptop policy – cannot rely on adherence
  • Asset Register
  • Laptop sharing
Auditing InfoSec

Emerging Themes (continued):

  • Smart Phones
  • What next…? Cloud Computing?

Cloud Computing
  • Security
  • Regulatory Compliance
  • Location
  • Segregation
  • Recovery
  • Auditability
  • Longevity
  • Costs
Work Together: Respect each other and our clients and through teamwork achieve a common goal

Share Knowledge: Our aim is to enlighten and add value through experience

Communicate Clearly: At all levels, to achieve the optimum outcome

Deliver Quality Service: We can be relied upon and trusted to meet agreed objectives

Anticipate and Respond to Change: We aim to be proactive and innovative; by being adaptable we address tomorrow's challenges today