
Slide 1: AFM INTERNAL AUDIT NETWORK MEETING, MUTUAL ONE, GROVE PARK, LEICESTER
Current ‘Hot Topics’ in Information Security Governance Auditing
David Tattersall, 03 March 2011

Slide 2: WHO ARE MUTUAL ONE?
Mission Statement: “To enhance the competitiveness of mutuals”

Slide 3: WHAT DOES MUTUAL ONE DO?
- We facilitate collective action amongst mutuals across 4 broad areas:
  - Internal audit
  - Compliance, risk and governance
  - Events
  - Collective procurement
- We are very committed to supporting the mutual sector so that it thrives, not just survives
- More details on the above can be found on

Slide 4: Contents
- Definition of ‘Information Security’
- What information do we need to secure?
- Why do we need to secure information?
- Auditing Information Security
- Frameworks
- Emerging Themes
- Questions

Slide 5: Information Security….
“….protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.”
Source: Wikipedia – Nov 2010

Slide 6: CIA ‘triangle’ (confidentiality, integrity, availability)

Slide 7: What information needs protecting?
- Customer
- Employee
- Confidential company
- Bank / card
- Product / ideas

Slide 8: But why….?
- Regulatory Requirements: Financial Services Authority

Slide 9: FSA Fines….

Slide 10: But why….?
- Regulatory Requirements: Financial Services Authority; Data Protection Act 1998

Slide 11: ICO Fines….!!!

Slide 13: But why….?
- Regulatory Requirements
- Reputation Damage
- Financial Cost

Slide 14: Estimated Cost of a Data Breach
- Data loss incidents cost between £365k and £3.92m to manage
- Average cost per lost record = £64
- Biggest cost per lost record is lost business: £29
- Other costs include: customer communication, recompense, operational costs, financial penalty
- Increased 7% in past year, 36% in past two years
Source: Ponemon Institute / PGP 2009 Annual Study – Global Cost of a Data Breach report

Slide 15: Auditing InfoSec
Dependent upon:
- Organisation
- Size and nature of the IT environment, i.e. is the control requirement proportionate?
- Operating environment: regulated firm?
- Compliance with external requirements (e.g. PCI-DSS)?
- Risk appetite

Slide 16: Auditing InfoSec – Frameworks
- ISO27001 / 2
  - ISO/IEC 27001:2005 – Information Security Management Systems – Requirements
  - ISO/IEC 27002:2005 – Code of Practice for Information Security Management
- COBIT
- FSA Paper – Data Security in Financial Services (Apr 2008)
- Payment Card Industry – Data Security Standards

Slide 17: Auditing InfoSec – Emerging Themes
- FSA split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)

Slide 18: Data Security in Financial Services (April 2008) – New Regulation??
1. Governance – managing systems and controls
2. Training and Awareness
3. Staff Recruitment & Vetting
4. Controls
5. Physical Security
6. Disposing of Customer Data
7. Managing Third-party Suppliers
8. Internal Audit and Compliance Monitoring

Slide 19: Auditing InfoSec – Emerging Themes
- FSA split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Slide 20: FSA Fines….
- Result of a lack of oversight on a key outsourced service
- Third Party Assurance

Slide 21: Due diligence
- Third party assurance
- Ongoing review of security arrangements
- Contracts / service level agreements
- Relationship management

Slide 22: Auditing InfoSec – Emerging Themes
- Internal Threats – who are our employees?
- FSA split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Slide 23: Can you trust your employees?

Slide 24: Who are our employees?
- Initial recruitment process
- Ongoing vetting of staff
- Recruitment of temporary staff
- Credit checks
- CRB checks
- Background checks

Slide 25: Auditing InfoSec – Emerging Themes
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Slide 26: Web-based / social networking

Slide 27: “To block or not to block….?”
Reasons to block….
- Introduction of malware, spyware, viruses
- Bandwidth usage
- ‘Time-wasting’
- Data leakage: accidental, intentional
- Data aggregation
- REPUTATION!

Slide 28: “To block or not to block….?”
Reasons to allow….
- Networking opportunities
- Knowledge sharing
- Communication with staff
- Increased staff morale
- Marketing ability / customer engagement

Slide 29: “To block or not to block….?”
Controls to consider (if allowing social networking sites):
- Training and awareness
- Usage policies
- Granular web-site controls (next-gen firewalls)
- Data leakage software
- Solid risk assessment

Slide 30: Beware….proxy avoidance…

Slide 31: Auditing InfoSec – Emerging Themes
- Portable Media Devices – Encrypted?
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Slide 32: Ongoing Problem

Slide 33: Laptop Security
- Encryption
- Laptop policy – cannot rely on adherence
- Asset register
- Laptop sharing

Slide 34: Auditing InfoSec – Emerging Themes
- Smart Phones
- Portable Media Devices – Encrypted?
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Slide 35: Smart Phones

Slide 36: Auditing InfoSec – Emerging Themes
- What next….? Cloud Computing?
- Smart Phones
- Portable Media Devices – Encrypted?
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Slide 37: Cloud Computing
- Security
- Location
- Regulatory compliance
- Segregation
- Recovery
- Auditability
- Longevity
- Costs

Slide 38: ANY QUESTIONS?

Slide 39: Our values
- Work Together: respect each other and our clients and, through teamwork, achieve a common goal
- Communicate Clearly: at all levels, to achieve the optimum outcome
- Anticipate and Respond to Change: we aim to be proactive and innovative; by being adaptable we address tomorrow's challenges today
- Deliver Quality Service: we can be relied upon and trusted to meet agreed objectives
- Share Knowledge: our aim is to enlighten and add value through experience
