Bridging the gap between software developers and auditors
Qualitative versus Quantitative Risk Assessment
It is impossible to conduct risk management that is purely quantitative. Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience. It is possible to accomplish purely qualitative risk management.
Quantitative risk assessment
ALE = ARO x SLE
SLE = AV x EF
ALE = Annualized loss expectancy
ARO = Annual rate of occurrence
SLE = Single loss expectancy
AV = Asset value
EF = Exposure factor
Is there something wrong with this approach?
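The two formulas above, carried through in code as an added example (not part of the presentation). The Scenario record, the ranking and re-estimation helpers, and the sample figures are constructed assumptions. The sample set is chosen so that two scenarios with very different risk profiles produce the same ALE, and so that a small change in a hard-to-estimate ARO moves the result by an order of magnitude, which is one answer to the slide's closing question.

```python
"""Quantitative risk assessment with the slide's formulas (SLE = AV x EF,
ALE = ARO x SLE). Added example, not from the presentation; the Scenario
record and the sample figures are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    annual_rate: float      # ARO: expected incidents per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF"""
    if av < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie in 0..1")
    return av * ef


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE"""
    if aro < 0:
        raise ValueError("annual rate of occurrence must be non-negative")
    return aro * sle


def ale_for(s: Scenario) -> float:
    """Expected annual loss for one scenario."""
    return annualized_loss_expectancy(
        s.annual_rate, single_loss_expectancy(s.asset_value, s.exposure_factor))


def rank_by_ale(scenarios):
    """Highest expected annual loss first; ties keep input order."""
    return sorted(scenarios, key=ale_for, reverse=True)


def ale_with_aro(s: Scenario, aro: float) -> float:
    """Re-run the calculation with a different ARO estimate.

    ALE is linear in ARO, so a 10x error in a rare-event estimate is a 10x
    error in the result, which the single number does not reveal."""
    return ale_for(replace(s, annual_rate=aro))


# Constructed sample scenarios; figures are illustrative, not measured.
SCENARIOS = [
    Scenario("Phishing-driven wire fraud", asset_value=50_000,
             exposure_factor=1.0, annual_rate=0.5),
    # Frequent and minor: ALE 10,000
    Scenario("Laptop theft", asset_value=2_000,
             exposure_factor=1.0, annual_rate=5),
    # Rare and catastrophic: also ALE 10,000, yet a very different risk
    Scenario("Customer database breach", asset_value=1_000_000,
             exposure_factor=0.5, annual_rate=0.02),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{ale_for(s):>12,.2f}  {s.name}")
    breach = SCENARIOS[2]
    print("breach ALE if ARO were 0.2 instead of 0.02:",
          f"{ale_with_aro(breach, 0.2):,.2f}")
```

Run as a script, the ranking puts wire fraud first and then shows laptop theft and the database breach tied at the same ALE; the last line shows the breach figure jumping tenfold when the occurrence estimate changes, which is why the slide warns that purely quantitative assessment is not achievable.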
Risks in software development
Buffer overflows
Authentication
Human intervention
Code reuse
What is STRIDE
Microsoft's approach to threat modeling
Spoofing Identity
Tampering with data
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege
http://msdn.microsoft.com/en-us/library/ms954176.aspx
What is DREAD
OWASP's extension to STRIDE, providing some quantifiable measure for vulnerabilities
Damage Potential
Reproducibility
Exploitability
Affected users
Discoverability
All scored on the scale 0-10
DREAD = (D1 + R + E + A + D2)/5, where D1 is Damage Potential and D2 is Discoverability
http://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
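The two slides above in code, as an added example that is not from the presentation: each threat is tagged with its STRIDE category and scored with the DREAD average exactly as the slide defines it. The Threat record, the score validation, the prioritisation helper and the sample threats are constructed assumptions; the scores are illustrative.

```python
"""STRIDE categorisation plus DREAD scoring of the threats found in a model.
Added example, not from the presentation: the Threat record, the ranking
function and the sample threats below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing identity"
    TAMPERING = "Tampering with data"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    ELEVATION = "Elevation of privilege"


DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    title: str
    category: Stride
    damage: int            # D1: damage potential, 0-10
    reproducibility: int   # R
    exploitability: int    # E
    affected_users: int    # A
    discoverability: int   # D2


def validate_scores(t: Threat) -> list:
    """Each DREAD component must be an integer on the 0-10 scale."""
    problems = []
    for f in DREAD_FIELDS:
        v = getattr(t, f)
        if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= 10:
            problems.append(f"{f}={v!r} is not an integer in 0..10")
    return problems


def dread_score(t: Threat) -> float:
    """DREAD = (D1 + R + E + A + D2) / 5, as on the slide."""
    problems = validate_scores(t)
    if problems:
        raise ValueError("; ".join(problems))
    return sum(getattr(t, f) for f in DREAD_FIELDS) / 5


def prioritize(threats):
    """Highest DREAD score first; ties keep input order so the list is stable."""
    return sorted(threats, key=dread_score, reverse=True)


def summarize(threats):
    """(title, STRIDE category, score) rows in priority order."""
    return [(t.title, t.category.value, dread_score(t)) for t in prioritize(threats)]


# Constructed sample threats for a web login flow (scores are illustrative).
SAMPLE_THREATS = [
    Threat("Session token is predictable", Stride.SPOOFING, 8, 10, 7, 9, 6),
    Threat("Audit log rows can be edited by app user", Stride.TAMPERING, 6, 8, 5, 4, 3),
    Threat("No rate limit on the login endpoint", Stride.DOS, 4, 10, 9, 10, 10),
]

if __name__ == "__main__":
    for title, category, score in summarize(SAMPLE_THREATS):
        print(f"{score:4.1f}  {category:<24} {title}")
```

The output is the prioritised work list a developer and an auditor can both read: the STRIDE column says what kind of failure it is, the DREAD column says how much it matters relative to the others. Rejecting out-of-range scores up front matters because a single mis-keyed 100 would silently dominate the average.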
Risks in audit
Audit risk is the probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find.
Composed of Inherent, Control, and Detection risks
Role of IT Controls
Modern financial reporting is driven by information technology: IT initiates, authorizes, records, and reports the effects of financial transactions. Financial reporting internal controls (IC) are inextricably integrated with IT.
COSO identifies two groups of IT controls:
application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
Important types of IT controls
Input controls
Processing controls
Output controls
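The three control types, together with the validity, completeness and accuracy goals named for application controls on the previous slide, are easier to relate to code when seen in one small batch job. The following is an added example and not from the presentation: the record layout, the 8-digit account-number format and the sample batch are constructed assumptions.

```python
"""Application controls over a batch of payment records: input controls
(validity, completeness, accuracy of each record), a processing control
(record count and hash total carried through processing) and an output
control (reconciling what was posted against what came in). Added example,
not from the presentation; the record layout, the account-number format and
the sample batch are constructed assumptions."""
from __future__ import annotations

import re
from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^[0-9]{8}$")   # assumed: 8-digit account numbers
REQUIRED_FIELDS = ("account", "amount", "posted_on")


def validate_record(rec: dict) -> list[str]:
    """Input controls. Returns a list of problems; empty means accepted."""
    errors = [f"missing {f}" for f in REQUIRED_FIELDS
              if rec.get(f) in ("", None)]               # completeness
    if errors:
        return errors
    if not ACCOUNT_RE.match(str(rec["account"])):       # validity
        errors.append("bad account format")
    try:
        amount = Decimal(str(rec["amount"]))
        if not amount.is_finite():
            errors.append("amount not numeric")
        elif amount <= 0 or amount.as_tuple().exponent < -2:   # accuracy
            errors.append("amount must be positive with at most 2 decimals")
    except InvalidOperation:
        errors.append("amount not numeric")
    try:
        date.fromisoformat(str(rec["posted_on"]))
    except ValueError:
        errors.append("posted_on is not a valid ISO date")
    return errors


def control_totals(amounts) -> tuple[int, Decimal]:
    """Processing control: record count and hash total over the amounts."""
    amounts = list(amounts)
    return len(amounts), sum(amounts, Decimal("0"))


def post_batch(records: list[dict]) -> dict:
    """Validate each record, post the accepted ones, and reconcile the output.

    'balanced' is the output control: every input record is either posted or
    rejected, and the posted hash total equals the hash total computed over
    the accepted inputs before posting."""
    accepted, rejected = [], []
    for idx, rec in enumerate(records):
        problems = validate_record(rec)
        (rejected if problems else accepted).append((idx, rec, problems))
    expected = control_totals(Decimal(str(r["amount"])) for _, r, _ in accepted)

    # "Processing": build ledger entries from the accepted records.
    ledger = [{"account": r["account"], "amount": Decimal(str(r["amount"])),
               "posted_on": r["posted_on"]} for _, r, _ in accepted]

    actual = control_totals(e["amount"] for e in ledger)
    balanced = actual == expected and len(ledger) + len(rejected) == len(records)
    return {"posted": len(ledger), "rejected": len(rejected),
            "hash_total": actual[1], "balanced": balanced,
            "rejections": [(i, p) for i, _, p in rejected]}


# Constructed sample batch: two good records and three that input controls reject.
SAMPLE_BATCH = [
    {"account": "12345678", "amount": "150.00", "posted_on": "2024-03-01"},
    {"account": "87654321", "amount": "20.50", "posted_on": "2024-03-01"},
    {"account": "ABC", "amount": "99.99", "posted_on": "2024-03-01"},       # validity
    {"account": "11112222", "amount": "-5.00", "posted_on": "2024-03-02"},  # accuracy
    {"account": "33334444", "amount": "10", "posted_on": "2024-02-30"},     # validity
]

if __name__ == "__main__":
    result = post_batch(SAMPLE_BATCH)
    print(f"posted={result['posted']} rejected={result['rejected']} "
          f"hash_total={result['hash_total']} balanced={result['balanced']}")
    for idx, problems in result["rejections"]:
        print(f"  record {idx}: {', '.join(problems)}")
```

The point for both audiences: the developer sees three ordinary functions, the auditor sees evidence for each control type (rejections list for input controls, count and hash total for processing controls, the balanced flag for output controls). Amounts are handled as Decimal rather than float so the hash total an auditor recomputes by hand matches exactly.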
What can a university do?
Teaching and training: UConn started an Advanced Business Certificate program in IT Audit, aligned with ISACA CISA coverage
Research: UConn is now an NSA Center of Excellence in Information Assurance Research