AFM INTERNAL AUDIT NETWORK MEETING

MUTUAL ONE, GROVE PARK, LEICESTER

Current ‘Hot Topics’ in Information Security Governance Auditing

David Tattersall, 03 March 2011


WHO ARE MUTUAL ONE?

Mission Statement “To enhance the competitiveness of mutuals”

WHAT DOES MUTUAL ONE DO?

We facilitate collective action amongst mutuals across 4 broad areas:

• Internal audit

• Compliance, risk and governance

• Events

• Collective procurement

We are very committed to supporting the mutual sector so that it thrives, not just survives.

More details on the above can be found at www.mutual-one.co.uk

Contents

• Definition of ‘Information Security’

• What Information do we need to secure?

• Why do we need to secure information?

• Auditing Information Security

• Frameworks

• Emerging Themes

• Questions

Current ‘Hot Topics’ in Information Security Governance Auditing

Information Security….

“….protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.”

Wikipedia – Nov 2010

CIA ‘triangle’ – Confidentiality, Integrity, Availability

What information needs protecting?

• Customer

• Employee

• Company

• Confidential

• Bank / card

• Product / ideas

But why….?

• Regulatory Requirements

  • Financial Services Authority – FSA Fines….

  • Data Protection Act 1998 – ICO Fines….!!!

• Reputation Damage

• Financial Cost

Estimated Cost of a Data Breach:

• Data Loss incidents cost between £365k and £3.92m to manage

• Average cost per lost record = £64

• Biggest cost per lost record is lost business - £29

• Other costs include: customer communication, recompense, operational costs, financial penalty

• Increased 7% in past year, 36% in past two years

Source: Ponemon Institute / PGP 2009 Annual Study - Global Cost of a Data Breach report

Auditing InfoSec

Dependent upon:

• Organisation

• Size and nature of IT environment, i.e. is the control requirement proportionate?

• Operating environment – regulated firm? Compliance to external requirements (e.g. PCI-DSS)?

• Risk appetite

Auditing InfoSec - Frameworks

• ISO27001 / 2

  • ISO/IEC 27001:2005 – Information Security Management Systems – Requirements

  • ISO/IEC 27002:2005 – Code of Practice for Information Security Management

• COBIT

• FSA Paper – Data Security in Financial Services (Apr 2008)

• Payment Card Industry – Data Security Standards

Auditing InfoSec

Emerging Themes:

• FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)

Data Security in Financial Services (April 2008) – New Regulation ??

1. Governance – managing systems and controls

2. Training and Awareness

3. Staff Recruitment & Vetting

4. Controls

5. Physical Security

6. Disposing of Customer Data

7. Managing Third-party Suppliers

8. Internal Audit and Compliance Monitoring

Auditing InfoSec – Emerging Theme: Outsourcing / key suppliers

FSA Fines….

• Result of a lack of oversight on key outsourced service

• Third Party Assurance

Third Party Assurance

• Due diligence

• Third party assurance

• Ongoing review of security arrangements

• Contracts / service level agreements

• Relationship management

Auditing InfoSec – Emerging Theme: Internal Threats – who are our employees?

Can you trust your employees?

Who are our employees?

• Initial recruitment process

• Ongoing vetting of staff

• Recruitment of temporary staff

  • credit checks

  • CRB checks

  • background checks

Auditing InfoSec – Emerging Theme: Internal Threats – how is the internet used?

Web-based email / social networking

“To block or not to block….?”

Reasons to block….

• Introduction of malware, spyware, virus

• Bandwidth usage

• ‘Time-wasting’

• Data Leakage

• Accidental

• Intentional

• Data aggregation

• REPUTATION!

“To block or not to block….?”

Reasons to allow….

• Networking opportunities

• Knowledge sharing

• Communication with staff

• Increased staff morale

• Marketing ability / customer engagement

“To block or not to block….?”

Controls to consider (if allowing social networking sites)

• Training and awareness

• Usage policies

• Granular web-site controls (next-gen firewalls)

• Data leakage software

• Solid risk assessment

Beware….proxy avoidance…

Auditing InfoSec – Emerging Theme: Portable Media Devices – Encrypted?

Ongoing Problem

Laptop Security

• Encryption

• Laptop policy – cannot rely on adherence

• Asset Register

• Laptop sharing

Auditing InfoSec – Emerging Theme: Smart Phones

Auditing InfoSec

Emerging Themes:

• What next….? Cloud Computing?

• Smart Phones

• Portable Media Devices – Encrypted?

• Internal Threats – how is the internet used?

• Internal Threats – who are our employees?

• FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)

• Outsourcing / key suppliers

Cloud Computing

• Security

• Location

• Regulatory Compliance

• Segregation

• Recovery

• Auditability

• Longevity

• Costs

ANY QUESTIONS?

Work Together – Respect each other and our clients and through teamwork achieve a common goal

Communicate Clearly – At all levels, to achieve the optimum outcome

Anticipate and Respond to Change – We aim to be proactive and innovative; by being adaptable we address tomorrow's challenges today

Deliver Quality Service – We can be relied upon and trusted to meet agreed objectives

Share Knowledge – Our aim is to enlighten and add value through experience