With the ever-increasing threat of viruses, security breaches, and cyber theft, it is important to understand the basics of network and internet security. In this session, you will learn how to pass the security portion of your audit and how to protect your hardware. We will also discuss security in the cloud and Privacy Laws.
This class is beneficial to IT, Operations, and Administrative professionals.
2. ATTENDEES WILL LEARN:
• IT requirements for financial audits
• Defining security risks
• Types of security assessments
• How hackers exploit vulunuabilities
• How privacy security laws affect organizations
3. WHAT’S ON TAP?
• Passing the Security Portion of Your Financial Audit
• Assessing Security Vulnerabilities
• Security in the Cloud
• Privacy Laws
• Q&A
3
4. WHO’S A CFO? RAISE YOUR HAND
4
Computer
Operations
Are system and application data backed
up? What is the frequency?
How and where are the backups stored?
What is the frequency in which backups
are tested?
What restrictions are placed, if any, to
access to the computer room and any
computer equipment,
telecommunication equipment and data
files?
5. To what extent is the computer room and any computer equipment,
telecommunication equipment and data files protected from
environmental hazards?
To what extent are security management practices in place to support
the IT functions and infrastructure?
How are modifications to user access privileges performed and
authorized?
How is IT security monitored? To what extent are logs of security
activity created and maintained?
Are User IDs and passwords used for individual user authentication to
gain access to the company applications and financial systems?
Do user passwords require strong complexity controls (i.e.: length,
expiration, history, sessions, timeouts, and special restrictions).
Does the client have access to the source code for any accounting
system modifications made for them?
5
12. CLIENT SIDE VULNERABILITIES
CLIENT SIDE VULNERABILITIES ARE NOT ALWAYS EASY TO IDENTIFY.
SOME COMMON CLIENT SIDE ATTACK AGENTS INCLUDE:
- ADOBE READER
- WINZIP
- ITUNES
- INTERNET EXPLORER
- FIREFOX
- SAFARI
- ADOBE FLASH PLAYER (STILL USING FLASH?)
12
13. THE INTERNET OF THINGS
HOME AUTIOMATION ITEMS STARTING TO MAKE THEIR WAY INTO THE
WORKPLACE:
- AMAZON ECHO
- GOOGLE HOME
- AUTOMATE LIGHTS
- HVAC SYSTEMS
13
15. WHAT IS PENETRATION TESTING?
BLACK BOX
- APPROACHING THINGS JUST LIKE AN UNIFORMED ATTACKER
- REQUIRES NO REVELATION OF SECURITY
WHITE BOX
- USING KNOWLEDGE OF THE SYSTEMS TO ELABORATE TEST
CASES
- PROVIDES AS MUCH INFORMATION AS POSSIBLE TO THE
PENETRATION TEST TO THAT THEY CAN GAIN INSIGHT AND
CREATE TESTS
HOST BASED ASSESSMENTS
- MAKE A COPY OF YOUR SERVERS. TEST ON THEM WITH FULL
ACCESS LOOKING FOR VULNERABILITIES
15
16. WHAT DOES A REPORT DELIVER?
A SECURITY ASSESSMENT DELIVERS A REPORT THAT
• HELPS EXECUTIVES MAKE DECISIONS ON IMPLEMENTING
SECURITY CONTROLS
• HELP THE IT TEAM IMPLEMENT CONTROLS AND PATCH FLAWS
DISCOVERED DURING TESTING
• LOW
• MED
• HIGH
• SERIOUS
• CRITICAL
16
20. PRIVACY (GAPP)
PERSONAL INFORMATION COLLECTED ON EMPLOYEES
• NAME
• ADDRESS
• PHONE NUMBERS
• SOCIAL SECURITY NUMBER
• BANK ACCOUNT AND ROUTING NUMBERS.
20
21. EXTERNAL DATA COLLECTION
NAMES
• ADDRESSES OR GEOGRAPHIC IDENTIFIERS SMALLER THAN A STATE
• PHONE NUMBERS
• FAX NUMBERS
• EMAIL ADDRESSES
• SOCIAL SECURITY NUMBERS
• CREDIT CARD ACCOUNT NUMBERS
• WEB ADDRESSES
• PHOTOGRAPHIC IMAGES
21
22. WHAT’S A BREACH?
FIRST NAME OR FIRST INITIAL AND LAST NAME IN COMBINATION WITH
ANY OF THE FOLLOWING
• SOCIAL SECURITY NUMBER
• HOME ADDRESS
• EMAIL ADDRESS
• PHONE NUMBERS
• CREDIT CARD ACCOUNT NUMBERS
22
23. INCIDENTS REQUIRING NOTIFICATION
• A USER (EMPLOYEE, CONTRACTOR OR THIRD PARTY PROVIDER)
HAS OBTAINED UNAUTHORIZED ACCESS TO
PERSONAL INFORMATION MAINTAINED IN EITHER PAPER OR
ELECTRONIC FORM
• AN INTRUDER HAS ACCESSED DATABASE(S) SUCH AS THAT
CONTAIN PERSONAL INFORMATION ON AN INDIVIDUAL.
• COMPUTER EQUIPMENT SUCH AS A WORKSTATION, LAPTOP, CD-
ROM OR OTHER ELECTRONIC MEDIA CONTAINING PERSONAL
INFORMATION ON AN INDIVIDUAL HAS BEEN LOST OR STOLEN.
• A DEPARTMENT OR UNIT HAS NOT PROPERLY DISPOSED OF
RECORDS CONTAINING PERSONAL INFORMATION ABOUT AN
INDIVIDUAL.
• A THIRD-PARTY SERVICE PROVIDER HAS EXPERIENCED ANY OF THE
INCIDENTS ABOVE, AFFECTING THE ORGANIZATION’S
DATACONTAINING PERSONAL INFORMATION.
23
26. GDPR – MAY 25, 2018
DOES THIS AFFECT ME?
• IF YOU OFFER GOODS OR SERVICES OR MONITOR THE BEHAVIOR OF
EU DATA SUBJECTS
• ALL COMPANIES PROCESSING AND HOLDING THE PERSONAL DATA OF
DATA SUBJECTS RESIDING IN THE EUROPEAN UNION
• ANY DATA THAT CAN BE USED TO DIRECTLY OR INDIRECTLY
INDENTIFY THE PERSON
26
27. 27
MINIMIZING OPEN PORTS
- FEWER SERVICES?
- MAYBE THE CLOUD
PEOPLE
- LET’S GET BACK TO THIS ONE
AGGRESSIVE SOFTWARE PATCHING
- SERVERS
- WORKSTATIONS
- APPS
AV VS IDS
AUTHENTICATION
PEOPLE