IT and Audit Building a Security Aware Culture - PowerPoint Presentation

Uploaded On 2020-01-19

Presentation Transcript

IT and Audit: Building a Security Aware Culture
Tracey Adkins – M.S. Information Management, Certified Information Security Manager, HITRUST Certified Security Practitioner

Agenda
- IT Strategic Objectives
- Audit Strategic Objectives
- IT Processes
- Audit Processes
- Intersection of IT and Audit
- Security Awareness
- Building a Security Aware Culture
- Wrap Up

IT Strategic Objectives

IT Strategic Objectives
- Support the Mission, Vision and Values of the Organization
- Derive the IT Mission, Vision and Values from them
- Secure the environment from inside and outside attacks
- Comply with industry regulations (HIPAA, FISMA, NCLB, NYCR, COBIT, FedRAMP, PCI, GDPR, ISO, NIST, etc.)
- Innovate
- Educate the Organization on the role of IT and the importance of security

IT Strategic Objectives
- Reduce Costs
- Identify Technology Risks and Gaps
- Transparency: communicate throughout the organization
- Market IT Services and Value
- Build Relationships in each department
- Stay abreast of industry regulations and technology advancements
- Have a seat at the table

Audit Strategic Objectives

Audit Strategic Objectives
- Support the Mission, Vision and Values of the Organization
- Derive the Audit Mission, Vision and Values from them
- Ensure the Organization has adequate internal controls
- Identify and Assess the Organization’s Risk
- Create the Audit Plan
- Identify gaps in business processes
- Protect the organization from risk (Financial, Reputational, etc.)

Audit Strategic Objectives
- Educate the organization on the importance of internal controls and repeatable processes
- Transparency: communication throughout the organization
- Market Audit Services and Value
- Build Relationships in each department

Audit Strategic Objectives
- Stay abreast of Industry Regulations
- Manage Business Risk
- Comply with industry regulations (HIPAA, COSO, NCLB, NYCR, COBIT, FedRAMP, PCI, GDPR, ISO, NIST, etc.)
- Have a seat at the table

IT Processes

IT Processes (supporting the IT Strategic Plan)
- Data Life Cycle Management
- Asset Life Cycle Management
- Change Control Management
- IT Resource Management
- Security Management
- Risk Mitigation

Audit Processes

Audit Processes
- Identify the Audit Scope
- Select the Audit Approach (methodology)
- Plan the audit
- Execute the audit
- Issue the Audit Report
- Follow up

Intersection of IT and Audit

What Do IT and Audit Have in Common? (Shared Foundations) – Source: IIA

What Do IT and Audit Have in Common?
- Controls
- Comply with industry regulations (HIPAA, COSO, NCLB, NYCR, COBIT, FedRAMP, PCI, GDPR, ISO, NIST, etc.)
- Transparency
- Organizational Communication
- Support the Organizational Mission, Vision and Values
- Stay abreast of industry regulations
- Support the strategic plan

What Do IT and Audit Have in Common?
- Communicate throughout the organization
- Market IT Services and Value
- Market Audit Services and Value
- Build Relationships in each department
- Risk Management

IT and Audit – Partners (areas shared by IT and Audit)
- Compliance
- Organization Support
- Security
- Risk Management
- Controls
- Process

Building a Security Aware Culture

Building a Security Aware Culture
- What is Security Awareness?
- Why Does Security Matter?
- How to Build a Security Aware Culture

What is Security Awareness?
- Knowledge of, and attitude towards, the protection of company assets (physical, reputational, informational)
- On-going educational programs
- Corporate / Organizational Policies and Procedures for working with company assets
- Acceptable Use Policies
- An identified resource responsible for Security (CISO)
- Ability to audit Security Policies and Procedures
- Sanctions
- Individual Responsibility

Why Does Security Matter?
- Financial Losses
- Penalties and Fines
- Damaged Reputation
- The organization could go out of business
- Organizations are entrusted with confidential information
- National Security

How to Build a Security Aware Culture (Start Small)
Key elements of a security aware culture:
- Deliberate and Disruptive
- Fun and Engaging
- Rewarding
- Return on Investment
- Security Messaging: SECURITY BEGINS WITH YOU! (Not just an IT or Security Department problem)
- Needs an Executive / Management Sponsor

How to Build a Security Aware Culture
- Focus on awareness and the future
- Advertise (Posters, Security Hotline, Intranet, Newsletters, etc.)
- Raise the level of security awareness for applications
  - Application Security Development Life Cycle
  - Build security into an application (not as an afterthought)
  - Change Control
  - Educate Developers (Agile becomes a challenge)
  - Develop an application security office (similar to a PMO)
- Recognize and Reward your security superstars!!!

How to Build a Security Aware Culture
- Establish a Security Community in Your Organization
  - Create a security conference
  - Let your security superstars share their success with the whole company
  - Identify the security evangelists in your organization and harness their passion!
- Make Security Awareness Fun and Engaging
  - Security Flashcards
  - Security Jeopardy
  - Security Trivia Cards

How to Build a Security Aware Culture
- Offer formal educational benefits to employees, investing in their education and development while strengthening the organization
- Set security goals
- Security Awareness Training is NOT the same as culture change
- Budget for Security
- Remember – Culture Shifts Take Time
- Partner with IT and other departments (HR, PMO, etc.)
- Include security and controls in the design process

Security Facts
- Email is the most popular method of infiltrating an organization (humans are the weakest link in the security chain)
- 49 percent of companies which have suffered a breach are targeted again within one year
- In 2016, 95% of all breaches came from the retail, government, and technology sectors
- There is a hacker attack every 39 seconds
- 43% of cyber attacks target small businesses
- Average cost of a data breach in 2020: greater than $150 Million
Source: https://www.cybintsolutions.com/cyber-security-facts-stats/

Security Facts
- In 2017, 91% of attacks began with a phishing email
- Mortgage Companies are the #1 Target
- 93% of breaches could have been prevented by updating software or utilizing cloud services
- Ransomware leads the way
- The number of attacks is going up, not down
Source: https://www.cybintsolutions.com/cyber-security-facts-stats/

Data Breach History (chart) – Source: https://www.varonis.com/blog/data-breach-statistics/

Risk of Data Breaches (chart) – Source: https://www.varonis.com/blog/data-breach-statistics/

Cost of Data Breaches (chart) – Source: https://www.varonis.com/blog/data-breach-statistics/

Data Breach Numbers (chart) – Source: https://www.varonis.com/blog/data-breach-statistics/

Security Awareness Resources
- Podcasts
- https://www.knowbe4.com/
- https://inspiredelearning.com/resources/
- https://www.isaca.org/Journal/archives/2016/volume-2/Pages/build-a-security-culture.aspx
- https://www.cisecurity.org/
- https://www.sans.org/
- www.isaca.org
- https://hitrustalliance.net/
- https://na.theiia.org/Pages/IIAHome.aspx

Wrap Up