Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bridging the gap between software developers and auditors.

Published byJaylin Scrivener Modified over 9 years ago

Similar presentations

Presentation on theme: "Bridging the gap between software developers and auditors."— Presentation transcript:

1 Bridging the gap between software developers and auditors

2 Qualitative versus Quantitative Risk Assessment  It is impossible to conduct risk management that is purely quantitative.  Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience.  It is possible to accomplish purely qualitative risk management.

3 Qualitative risk assessment Med. riskHigh risk Low riskMed. riskHigh risk Low risk Med. risk Likelihood Impact

4 Quantitative risk assessment  ALE = ARO x SLE –SLE = AV x EF ALE = Annualized loss expectancy ARO = Annual rate of occurrence SLE = Single loss expectancy AV = Asset value EF = Exposure factor Is there something wrong with this approach?

5 Risks in software development  Buffer overflows  Authentication  Human intervention  Code reuse

6 What is STRIDE Microsoft’s approach to threat modeling Spoofing Identity Tampering with data Repudiation Information Disclosure Denial of Service Elevation of privilege http://msdn.microsoft.com/en-us/library/ms954176.aspx

7 What is DREAD OWASP’s extension to STRIDE, providing some quantifiable measure for vulnerabilities Damage Potential Reproducibility Exploitability Affected users Discoverability All scored on the scale 0-10 DREAD = (D 1 + R + E + A + D 2 )/5 http://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD

8 Risks in audit  Audit risk is a probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain materials misstatement(s) which the auditor fails to find  Composed of Inherent, Control, and Detection risks

9 Role of IT Controls  Modern financial reporting is driven by information technology  IT initiates, authorizes, records, and reports the effects of financial transactions. Financial reporting IC are inextricably integrated to IT.  COSO identifies two groups of IT controls: application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

10 Important types of IT controls  Input controls  Processing controls  Output Controls

11 What can a university do?  Teaching and training UConn started Advanced Business Certificate program in IT Audit Aligned with ISACA CISA coverage  Research UConn is now NSA Center of Excellence in Information Assurance Research

Download ppt "Bridging the gap between software developers and auditors."

Similar presentations

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
© Blackboard, Inc. All rights reserved. Developing Secure Software Bob Alcorn, Blackboard Inc.

© Blackboard, Inc. All rights reserved. Developing Secure Software Bob Alcorn, Blackboard Inc.
Control and Accounting Information Systems

Control and Accounting Information Systems
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Unit # 3: Information Security and Risk Management

Unit # 3: Information Security and Risk Management
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.

Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.
Statement on Auditing Standards (SAS) 112 Communicating Internal Control Related Matters Identified in an Audit.

Statement on Auditing Standards (SAS) 112 Communicating Internal Control Related Matters Identified in an Audit.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
Lecture 7: Threat Modeling CS 436/636/736 Spring 2014 Nitesh Saxena.

Lecture 7: Threat Modeling CS 436/636/736 Spring 2014 Nitesh Saxena.
1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.
Conostix S.A. Sensible defence.

Conostix S.A. Sensible defence.
Advanced Auditing Materiality and the Audit Risk Model

Advanced Auditing Materiality and the Audit Risk Model
Information Security Rabie A. Ramadan GUC, Cairo Room C7 -310 Lecture 2.

Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.
Auditing Internal Control over Financial Reporting

Auditing Internal Control over Financial Reporting
Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.

Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.

Similar presentations

Ads by Google