
SECURITY, AUDIT & COMPLIANCE IN A COMPLEX ENVIRONMENT

MILT ROSBERG, VP OF GLOBAL SALES, MARKETING & BUSINESS DEVELOPMENT, VANGUARD INTEGRITY PROFESSIONALS

JOHN CONNORS, VP OF TECHNOLOGY, VANGUARD INTEGRITY PROFESSIONALS

7 MARCH 2019
WELCOME

Audio is streamed over your computer. Dial-in numbers and codes are on the left.
Have a question for the speaker? Access the Q&A tab.
Technical issues? Access the Help tab.
Questions or suggestions? Visit https://support.isaca.org

To receive your CPE Credit:
1. Complete 3 Attendance Checkpoints, or
2. Watching the On-Demand recording? Watch from the beginning to the very end.
3. Don’t forget to take the survey!

Use the Credits tab to track your Checkpoints.
Use the Papers tab to find the following:
1. PDF Copy of today’s presentation.
2. CPE Submission Guide.

TODAY’S SPEAKER

Milt Rosberg

VP of Sales, Marketing & Global Business Development

Vanguard Integrity Professionals


TODAY’S SPEAKER

John Connors

VP of Technology

Vanguard Integrity Professionals


AGENDA

Subjects:
• Board Expectations

• Stakeholder Discussion

• What is the insider threat

• Compromise Impact

• Understanding the Threat

• Meeting Stakeholder Requirements

• Meet World Wide Demands and Requirements

• Q&A

Board Assurances - Are We Safe - All Good?
• BOD asks stakeholders

• Meeting Regulations

• Improve Efficiency

• Avoid Penalties

Vanguard Integrity Professionals -2019 Nevada All Rights Reserved


Stakeholder Responsibility

SECURITY: CISO, CSO
AUDIT: Audit Team, Data Protection
COMPLIANCE: Chief Info Officers, Governance Team

Image source: Twitter
Recognizing a Legitimate Concern



Answering the Question - Settings Safe?

• Your system settings for security and compliance are much like those of a commercial jetliner: they require precise and complex settings.

• Accurate, well-defined baseline settings protect your operations.

• Baseline deviations indicate gaps that need to be remediated and resolved immediately.



Cross Industries Targeted (Average 35% Inside)

Verizon 2018 Data Breach Investigations Report


Months to Discover - Compromise
The time it takes cybercriminals to compromise a system is often just a matter of minutes—or even seconds.
They don’t need much time to extract valuable data—they usually have much more than they need as it typically
takes organizations weeks or months to discover a breach.

Verizon 2018 Data Breach Investigations Report



Patient Records Breached (Example)

2017: 5,579,438 total vs 2018: 15,085,302 total = 37% Increase

Source: Protenus 2019 Breach Barometer


Patient Records Breached by Insiders (Example)

• Insiders were responsible for 28.09% of the total number of breaches this year.

• In 2018, on average, 3.86 healthcare employees breach patient privacy per every 1,000 employees.

Source: Protenus 2019 Breach Barometer



Third-Party Risks (Outsourcers)

Fifty-nine percent confirm their organizations experienced a data breach caused by one of their third parties, and 42 percent say they had such a data breach in the past 12 months.

54 percent say their companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information, or they are unsure.

Source: Ponemon Institute 2018 Data Risk in the Third-Party Ecosystem



Cyber Criminal Incentive – Failure Is Not An Option

1. Vulnerability
2. Break & Enter
3. Theft
4. Aftermath

Expen$ive data sold on the DARKWEB ($1.5 Trillion Industry):
• Banking Information
• SSNs
• Driver License Numbers
• 401k Information
• Credit Card Numbers
• Medical Records
• Home Address
• Passport Information
• Employment Information



Internal and External Hacks



Only 0% is acceptable

On average, 35% of all corporate hacks were from known users inside the company.

Only need 1 exfiltration



Stop Unauthorized Access to Execute Privileged Instructions

• Limit access to sensitive data



Control the Keys to the Library



Access Control Libraries
Depending on your platform, access control libraries can include authorized program facilities (APF) for z/OS,
access control lists (ACL) for UNIX/Linux/AIX or authorization lists (*AUTL) for AS/400

• The APF/ACL limits the use of sensitive system services and resources to authorized system and user programs.

• APF/ACL libraries are used to allow the installation to identify system or user programs that can use sensitive data.

• An authorized program can do virtually anything it wants.

• It can put itself into supervisor state or a system key. It can modify system control blocks and execute privileged instructions.

• It can turn off logging to cover its tracks.

[Diagram: User / Administrator → Identify → Verify Access → Execute]

Clearly, this authorization must be given sparingly and monitored closely.
There can be hundreds of access control libraries with thousands of users in each – machine and human.

Source: IBM Knowledge Base
VANGUARD MEETS COMPLIANCE CHALLENGES

[Diagram: many KNOWN USERS with Permissions, inside and outside the Network Perimeter, all reaching the ACCESS CONTROL LIBRARY]

35% of all attacks in 2018 were from insiders/known users

KNOWN USERS
• Human users with assigned unique alphanumeric ID
• Stakeholders give known users access permissions
VANGUARD COMPLIANCE SOLUTION

VANGUARD COMPLIANCE PROTECTION
• Verifies list of USER IDs of known users allowed by the company
• Scans access control lists to verify who is a current match
• Finds unauthorized users and exposes any gaps
• Performs up to 800 baseline checks quickly and accurately
• Saves time, manpower and money

[Diagram: KNOWN USERS with Permissions connected to the ACCESS CONTROL LIBRARY]



Meet Security, Compliance & Audit for the Stakeholders

Organizations are under intense pressure to meet requirements to:

• Meet Industry Regulatory Requirements

• Meet both internal and external Audit requirements

• Meet Global, Federal and State Laws and Regulations

Leverage Subject Matter Experts



Stakeholders Define Unique Compliance Checks
Who is allowed access? (Interview Process)
• APFs/ACLs – machine or human
• Authorized human users = assigned alphanumeric value have access
• Machine users = Automated

[Process diagram: INSTALL → Interview Q’s with the HUMAN USER → COLLECT DATA → VERIFIES LIST OF USER IDs ALLOWED BY THE COMPANY → SCANS LIBRARIES TO VERIFY WHO IS A CURRENT MATCH → FINDS GAPS AND UNAUTHORIZED USER IDs AND REMEDIATES → APF/ACL CLEAR OF ANY UNAUTHORIZED USER IDs]
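The reconciliation that both the compliance-protection bullets and this process describe, as an added example (not Vanguard's product code): an export of access-control-library entries is compared against the stakeholder-approved known-user list, flagging unauthorized IDs, libraries with no baseline at all, and approved users that have gone missing. Library names, user IDs and the export format are constructed for illustration.

```python
"""Baseline check: reconcile access-control-library entries against the
stakeholder-approved list of known users (added example; not Vanguard's
product code). Library names, IDs and the export format are constructed."""

# Constructed baseline: per library, the known user IDs stakeholders approved.
APPROVED = {
    "SYS1.LINKLIB": {"SYSPROG1", "BATCHJOB"},
    "PROD.APFLIB": {"SYSPROG1", "DBA0042"},
}
MACHINE_USERS = {"BATCHJOB"}  # automated IDs; everything else is a human ID

# Constructed export: one "library user permission" record per line.
ACL_EXPORT = """\
SYS1.LINKLIB SYSPROG1 UPDATE
SYS1.LINKLIB BATCHJOB READ
SYS1.LINKLIB TEMP9999 UPDATE
PROD.APFLIB DBA0042 UPDATE
PROD.APFLIB CONTRACT7 READ
TEST.APFLIB SYSPROG1 UPDATE
"""


def parse_acl(text):
    """Parse the export; skip blank or malformed lines instead of guessing."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            entries.append((parts[0].upper(), parts[1].upper(), parts[2].upper()))
    return entries


def check_baseline(entries, approved, machine_users):
    """Return (library, user, reason) findings for every deviation from the baseline."""
    findings = []
    present = {}
    for lib, user, perm in entries:
        present.setdefault(lib, set()).add(user)
        if lib not in approved:
            findings.append((lib, user, "library has no approved user list"))
        elif user not in approved[lib]:
            findings.append((lib, user, f"unauthorized ID holds {perm}"))
    # Gaps in the other direction: approved users who are no longer present.
    for lib, allowed in approved.items():
        for user in sorted(allowed - present.get(lib, set())):
            kind = "machine" if user in machine_users else "human"
            findings.append((lib, user, f"approved {kind} user missing"))
    return findings
```

Running `check_baseline(parse_acl(ACL_EXPORT), APPROVED, MACHINE_USERS)` on the constructed data yields four findings: two unauthorized IDs, one library outside the baseline, and one approved human user missing from its library.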



Managing Compliance in a World-Wide Complex Environment



Single-Pane View of Aggregate Data
Aggregate compliance checks from multiple systems into a single view.

[Diagram: checks from System A, System B, System C and System D feed one Web Interface]



Implement specific checks = your specific business requirements



Vanguard Meets the Challenge



QUESTIONS?
CONTACT

Milt Rosberg

Milton.Rosberg@go2vanguard.com
info@go2vanguard.com
702.794.0014 x 320
This training content (“content”) is provided to you without warranty, “as is” and “with all
faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA has
designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls that
are not included may not be appropriate; ISACA does not claim that use of the content
will assure a successful outcome and you are responsible for applying professional
judgement to the specific circumstances presented to determining the appropriate
procedures, tests, or controls.

Copyright © 2018 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR
