Emerging Technology Challenges and Solutions for Internal Audit and Compliance

 Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA
 Principal & National Solutions Leader
 Cybersecurity & Privacy

© Grant Thornton. All rights reserved.
Topics

 • Current Technology Landscape
 • Emerging Technology
   – Cloud computing
   – Mobile computing
   – Cybersecurity trends
 • Key fundamentals of Cloud security
 • Potential IA Complexities
 • Solutions
 • What’s Next?
Current Technology Landscape

 • On-premise hardware, software, and management
 • Support may be on-shore, near-shore or off-shore
Current Technology Landscape (continued)

 • Localized processes and controls
 • Prompt remediation when required
 • Clear data ownership
 • Straightforward compliance approach
Current Technology Landscape (continued)

 • Challenges/benefits
   – It's expensive and requires a lot of overhead
   – Difficult to scale and react quickly
   – Significant embedded cost structure
   – Inflexible to meet business need
   – Easier to maintain audit trail
Emerging Technology Trends

 • Spending on public IT cloud services will grow at more than five times the rate of the IT industry in 2011-2012
 • Enterprise IT planners begin to include cloud-computing expertise in some of their job searches to be prepared for the projects of the short-term and mid-term future
 • Hosted private clouds will outnumber internal clouds 3:1… But service providers have been incrementally ready.
 • Cloud management and monitoring will fuel enterprise cloud adoption
 • 32% of CIOs expected virtualization to be their top investment in 2011 - it is accelerating faster in 2012
Emerging Technology

 • Cloud computing
   – SaaS, PaaS, IaaS, DaaS
 • Mobile computing
   – Mobile platforms that are blurring the line between a hand-held and complex computing
 • Data analytics
   – Master Data Management
 • Cybersecurity
   – Trends
Emerging Technology Platforms (continued)

 Types of Clouds
 • Public
   - Shared computer resources provided by an off-site third-party provider
 • Private
   - Dedicated computer resources provided by an off-site third-party, or use of Cloud technologies on a private internal network
 • Hybrid
   - Consisting of multiple public and private Clouds

 Models of Cloud:
 • Software as a Service (SaaS)
   - Software applications delivered over the Internet
 • Platform as a Service (PaaS)
   - Full or partial operating system/development environment delivered over the Internet
 • Infrastructure as a Service (IaaS)
   - Computer infrastructure delivered over the Internet
 • Desktop as a Service (DaaS)
   - Virtualization of desktop systems serving thin clients, delivered over the Internet or a private Cloud
Emerging Technology Platforms (continued)

 [Diagram: Public Cloud and Private Cloud]
Emerging Technology Platforms (continued)

 [Diagram: Cloud computing – Hybrid cloud]
Emerging Technology Platforms (continued)

 • Mobile computing is:
   – Wireless
   – Utilizes tablet platforms and smartphones
   – Internet-based
   – Communication via 4G and WiFi
   – Scaled applications
Potential New IA Complexity

 • Cloud computing
   – Availability & performance
   – Business continuity
   – Data protection
   – Data encryption
   – Privacy (especially in Healthcare & Life Sciences)
Potential New IA Complexity (continued)

 • Cloud computing (continued)
   – Compliance
     • FISMA
     • HIPAA
     • SOX
     • PCI DSS (card payments)
     • EU Data Protection Directive, et al.
Key Fundamentals of Cloud Security

 • Focus on foundational controls that protect information and ensure availability. Is the security on your cloud service at least as high as that of applications used internally?
 • Match work processes to security needs (if the process is regulatory in nature, or has a high security need, then ensure the security threshold meets that).
 • When building or selecting a cloud service, ensure integration and usability are considered in the enterprise. Because of the integrated nature of services these days, need to consider
 • Adopt a risk mitigation plan when adopting cloud technology. This would include responses to risk events.
 • Consider how storage of your organization's information is handled, including backup, recovery and "immediate availability". There have been instances of incorrect image recoveries. Make the decision on "co-mingled" data with other clients of vendors.
 • Ensure evaluations of security are performed and that they are robust. Never take a vendor's word that they are audited and are secure on their own.
Key Fundamentals of Cloud Security (cont'd)

 • Whether you are deploying or you are subscribing to a vendor, you should ensure that intrusion prevention, monitoring, access and identity management are adequate for the service.
 • Consider strategic elements, such as the domicile of the data, and the legal and e-discovery rules for your state.
 • What are your responsibilities in the event of a breach of your information?
 • Ensure that there is a strong continuity program in place and that, if you are a subscriber to a service, you include that service in the BCP. Test at least annually.
 • On at least an annual basis, revisit the security model on all cloud services.
Key Fundamentals of Cloud Security (cont'd)

 [Figure: Cloud Security Alliance (CSA) material] Attribution: Cloud Security Alliance (CSA)
Key Fundamentals of Cloud Security (cont'd)

 [Figure: Cloud Security Alliance (CSA) material] Attribution: Cloud Security Alliance (CSA)
Potential New IA Complexity

 • Mobile computing
   – Security (physical and virtual)
   – Data ownership
   – Service interruption and recovery
   – Data archiving
   – Availability
Potential New IA Complexity (continued)

 • Mobile computing
   – WiFi/4G security
   – Surveillance and access control
   – Availability
   – Data ownership and recovery
   – Auditability
   – Bluetooth “hijacking”
   – AIDC
Solutions

 • Cloud computing
   – Demand good security in the contract with provider
   – Have a "return of data" plan at end of contract
   – Know where the data is and who has access
   – Deploy a layered security architecture
   – Assess and inventory risks
   – Conduct annual security policy audits
   – Deploy and authenticate user credentials
   – Encrypt all stored data (P2P encryption)
   – Actively manage passwords and segregation of duties
   – Implement layered firewalls
Solutions (continued)

 • Mobile computing
   – Encrypt all WiFi access
   – Clarify data ownership
   – Classify information going across
   – Implement service interruption plan
   – Disable Bluetooth communications
   – Deploy device-specific security software
   – Encrypt all communications
   – If it's lost or stolen, ensure that you can do a remote "wipe" of information
What’s Next?

 • Distributed computing (the Cloud)
 • Cybersecurity & Privacy focus
 • Virtualization
 • Advanced IA tools
   – Analytics
   – Provenance engines
   – Enhanced hardware firewalls
   – Advanced encryption technology
   – New data segregation and security standards
   – Secure digital communications
 • Standards such as ITIL, COBIT and PCI are integrating and are now complementary to each other
What’s Next? (PCI Data Security Standards v2.0)

 [Figure slides: PCI Data Security Standards v2.0 (no text extracted)]
What’s Next? (Enterprise Master Data Management)

 • Companies are awash in data, but which data is the right data to use? Data grows by 50%+ each year.
 • Company leadership needs "one version of the truth" on dashboards, reports and in analytical datasets.
 • Internal Audit and Compliance departments should be concerned about controls, availability, integrity and quality of data.
 • Conceptually:
   – Data and information are valuable corporate assets and should be treated as such
   – Data must be managed carefully and should have quality, integrity, security and availability addressed.
What’s Next? (Enterprise Master Data Management)

 MDM is the management of an institution’s fundamental data that is shared across multiple business units, everything from project budgets to donor contacts to employee contact information. You can think of master data as all of the enterprise data (people, places, things and activities) that the institution needs to conduct its business.

 The goal of MDM, consequently, is to ensure the accuracy, consistency and availability of this data to the various business users.

 We believe that all organizations would benefit greatly from creating a strategy for MDM and implementing an MDM program in light of its current state and an organization's future data and information needs.
What’s Next? (Enterprise Master Data Management)

 Table 1: Scope of Data Management

 Data and Information Management:
 • Data Governance
 • Data Architecture Management
 • Data Development
 • Data Operations Management
 • Data Security Management
 • Data Quality Management
 • Reference and Master Data Management
 • Data Warehouse / Business Intelligence Management
 • Document and Content Management
 • Metadata Management
What’s Next? (Data Governance Activities)

 • Establish institutional data standards
 • Identify and resolve data disputes
 • Implement necessary changes to data standards and policies
 • Communicate actions to the organization as appropriate
 • Ensure accountability of institutional data policies and standards
 • Escalate issues to Governance Team as necessary
Questions?




Emerging Technology Challenges for Internal Audit and Compliance

 Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA
 National Solutions Lead – Cybersecurity
 Regional Solutions Lead – Business Consulting
 Principal, Grant Thornton LLP
 Danny.Miller@us.gt.com
 http://grantthornton.com/

Iia 2012 Spring Conference Philly V Final

  • 1. Emerging Technology Challenges and Solutions for Internal Audit and Compliance Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA Principal & National Solutions Leader Cybersecurity & Privacy © Grant Thornton. All rights reserved.
  • 2. Topics • Current Technology Landscape • Emerging Technology – Cloud computing – Mobile computing – Cybersecurity trends • Key fundamentals of Cloud security • Potential IA Complexities • Solutions • What’s Next? © Grant Thornton. All rights reserved.
  • 3. Current Technology Landscape • On-premise hardware, software, and management • Support may be on-shore, near-shore or off-shore © Grant Thornton. All rights reserved.
  • 4. Current Technology Landscape (continued) • Localized processes and controls • Prompt remediation when required • Clear data ownership • Straightforward compliance approach © Grant Thornton. All rights reserved.
  • 5. Current Technology Landscape (continued) • Challenges/benefits – It's expensive and requires a lot of overhead – Difficult to scale and react quickly – Significant embedded cost structure – Inflexible to meet business need – Easier to maintain audit trail © Grant Thornton. All rights reserved.
  • 6. Emerging Technology Trends Spending on public IT cloud services will grow at more than five times the rate of the IT industry in 2011-2012 Enterprise IT planners begin to include cloud-computing expertise in some of their job searches to be prepared for the projects of the short-term and mid-term future Hosted private clouds will outnumber internal clouds 3:1… But service providers have been incrementally ready. Cloud management and monitoring will fuel enterprise cloud adoption 32% of CIOs expected virtualization to be their top investment in 2011 - it is accelerating faster in 2012 © Grant Thornton. All rights reserved.
  • 7. Emerging Technology • Cloud computing – Saas, PaaS, IaaS, DaaS • Mobile computing – Mobile platforms that are blurring the line between a hand-held and complex computing • Data analytics – Master Data Management • Cybersecurity – Trends © Grant Thornton. All rights reserved.
  • 8. Emerging Technology Platforms (continued) Types of Clouds Models of Cloud: • Public • Software as a Service (SaaS) - Shared computer resources - Software applications delivered provided by an off-site third-party over the Internet provider • Platform as a Service (PaaS) • Private - Full or partial operating - Dedicated computer resources system/development environment provided by an off-site third-party delivered over the Internet or use of Cloud technologies on a • Infrastructure as a Service private internal network (IaaS) • Hybrid - Computer infrastructure delivered - Consisting of multiple public and over the Internet private Clouds • Platform as a Service (PaaS) - Virtualization of desktop systems serving thin clients, delivered over the Internet or a private Cloud © Grant Thornton. All rights reserved.
  • 9. Emerging Technology Platforms (continued) Public Cloud Private Cloud © Grant Thornton. All rights reserved.
  • 10. Emerging Technology Platforms (continued) Cloud computing – Hybrid cloud © Grant Thornton. All rights reserved.
  • 11. Emerging Technology Platforms (continued) • Mobile computing is: – Wireless – Utilizes tablet platforms and smartphones – Internet-based – Communication via 4G and WiFi – Scaled applications © Grant Thornton. All rights reserved.
  • 12. Potential New IA Complexity • Cloud computing – Availability & performance – Business continuity – Data protection – Data encryption – Privacy (especially in Healthcare & Life Sciences) © Grant Thornton. All rights reserved.
  • 13. Potential New IA Complexity (continued) Cloud computing (continued) – Compliance • FISMA • HIPAA • SOX • PCI DSS (card payments) • EU Data Protection Directive, et al. © Grant Thornton. All rights reserved.
  • 14. Key Fundamentals of Cloud Security • Focus on foundational controls that protects information and ensures availability. Is the security on your cloud service at least as high as applications used internally? • Match work processes to security needs (if the process is regulatory in nature, or has high security need, then ensure security threshold meets that). • When building or selecting a cloud service, ensure integration and usability are considered in the enterprise. Because of the integrated nature of services these days, need to consider • Adopt a risk mitigation plan when adopting cloud technology. This would include responses to risk events. • Consider how storage with your organization's information is handled, including backup, recovery and "immediate availability". There have been instances of incorrect image recoveries. Make the decision on "co-mingled" data with other clients of vendors. • Ensure evaluations of security are performed and that they are robust. Never take a vendor's word that they are audited and are secure on their own. © Grant Thornton. All rights reserved.
• 15. Key Fundamentals of Cloud Security (cont'd)
  • Whether you are deploying yourself or subscribing to a vendor, ensure that intrusion prevention, monitoring, and access and identity management are adequate for the service.
  • Consider strategic elements, such as the domicile of the data and the legal and e-Discovery rules for your state.
  • What are your responsibilities in the event of a breach of your information?
  • Ensure that there is a strong continuity program in place and, if you are a subscriber to a service, that you include it in the BCP. Test at least annually.
  • On at least an annual basis, revisit the security model on all cloud services.
• 16. Key Fundamentals of Cloud Security (cont'd)
  Attribution: Cloud Security Alliance (CSA)

• 17. Key Fundamentals of Cloud Security (cont'd)
  Attribution: Cloud Security Alliance (CSA)
• 18. Potential New IA Complexity
  Mobile computing
    – Security (physical and virtual)
    – Data ownership
    – Service interruption and recovery
    – Data archiving
    – Availability

• 19. Potential New IA Complexity (continued)
  Mobile computing
    – WiFi/4G security
    – Surveillance and access control
    – Availability
    – Data ownership and recovery
    – Auditability
    – Bluetooth "hijacking"
    – AIDC
• 20. Solutions
  Cloud computing
    – Demand good security in the contract with the provider
    – Have a "return of data" plan for the end of the contract
    – Know where the data is and who has access
    – Deploy a layered security architecture
    – Assess and inventory risks
    – Conduct annual security policy audits
    – Deploy and authenticate user credentials
    – Encrypt all stored data (P2P encryption)
    – Actively manage passwords and segregation of duties
    – Implement layered firewalls

• 21. Solutions (continued)
  Mobile computing
    – Encrypt all WiFi access
    – Clarify data ownership
    – Classify information going across
    – Implement a service interruption plan
    – Disable Bluetooth communications
    – Deploy device-specific security software
    – Encrypt all communications
    – If a device is lost or stolen, ensure that you can do a remote "wipe" of its information
• 22. What's Next?
  • Distributed computing (the Cloud)
  • Cybersecurity & Privacy focus
  • Virtualization
  • Advanced IA tools
    – Analytics
    – Provenance engines
    – Enhanced hardware firewalls
    – Advanced encryption technology
    – New data segregation and security standards
    – Secure digital communications
  • Standards such as ITIL, COBIT and PCI are converging and are now complementary to each other

• 23. What's Next? (PCI Data Security Standards v2.0)

• 24. What's Next? (PCI Data Security Standards v2.0)

• 25. What's Next? (PCI Data Security Standards v2.0)
• 26. What's Next? (Enterprise Master Data Management)
  • Companies are awash in data, but which data is the right data to use? Data grows by 50%+ each year.
  • Company leadership needs "one version of the truth" on dashboards, in reports and in analytical datasets.
  • Internal Audit and Compliance departments should be concerned about the controls, availability, integrity and quality of data.
  • Conceptually:
    – Data and information are valuable corporate assets and should be treated as such
    – Data must be managed carefully, with quality, integrity, security and availability addressed.

• 27. What's Next? (Enterprise Master Data Management)
  MDM is the management of an institution's fundamental data that is shared across multiple business units, everything from project budgets to donor contacts to employee contact information. You can think of master data as all of the enterprise data (people, places, things and activities) that the institution needs to conduct its business. The goal of MDM, consequently, is to ensure the accuracy, consistency and availability of this data to the various business users. We believe that all organizations would benefit greatly from creating a strategy for MDM and implementing an MDM program in light of the organization's current state and its future data and information needs.
• 28. What's Next? (Enterprise Master Data Management)
  Data and Information Management
    – Data Governance
    – Data Architecture Management
    – Data Development
    – Data Operations Management
    – Data Security Management
    – Data Quality Management
    – Reference and Master Data Management
    – Data Warehouse / Business Intelligence Management
    – Document and Content Management
    – Metadata Management
  Table 1: Scope of Data Management
• 29. What's Next? (Data Governance Activities)
  • Establish institutional data standards
  • Identify and resolve data disputes
  • Implement necessary changes to data standards and policies
  • Communicate actions to the organization as appropriate
  • Ensure accountability for institutional data policies and standards
  • Escalate issues to the Governance Team as necessary

• 30. Questions?

• 31. Emerging Technology Challenges for Internal Audit and Compliance
  Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA
  National Solutions Lead – Cybersecurity
  Regional Solutions Lead – Business Consulting
  Principal, Grant Thornton LLP
  Danny.Miller@us.gt.com
  http://grantthornton.com/