Current ‘Hot Topics’ in Information Security Governance Auditing AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03 March 2011

WHAT DOES MUTUAL ONE DO ? We facilitate collective action amongst mutuals across 4 broad areas: Internal audit Compliance, risk and governance Events Collective procurement We are very committed to supporting the mutual sector so that it thrives, not just survives More details on the above can be found on www.mutual-one.co.uk

Current ‘Hot Topics’ in Information Security Governance Auditing Contents Definition of ‘Information Security’ What Information do we need to secure? Why do we need to secure information? Auditing Information Security Frameworks Emerging Themes Questions

Information Security…. ….protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction. Wikipedia – Nov 2010

What information needs protecting? Customer Company Employee Confidential Bank / card Product / ideas

But why….? Regulatory Requirements Financial Services Authority

But why….? Regulatory Requirements Reputation Damage Financial Cost

Estimated Cost of a Data Breach: Data Loss incidents cost between £365k and £3.92m to manage Average cost per lost record = £64 Biggest cost per lost record is lost business - £29 Other costs include: customer communication recompense operational costs financial penalty Increased 7% in past year, 36% in past two years Source: Ponemon Institute / PGP 2009 Annual Study - Global Cost of a Data Breach report

Auditing InfoSec Dependent upon: Organisation Operating environment – regulated firm? Compliance to external requirements (e.g. PCI-DSS)? Size and nature of IT environment i.e. is control requirement proportionate? Risk appetite

Auditing InfoSec - Frameworks ISO27001 / 2 ISO/IEC 27001:2005 – Information Security Management Systems – Requirements ISO/IEC 27002:2005 – Code of Practice for Information Security Management COBIT FSA Paper – Data Security in Financial Services (Apr 2008) Payment Card Industry – Data Security Standards

Auditing InfoSec Emerging Themes: FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)

Data Security in Financial Services (April 2008) – New Regulation ?? Governance – managing systems and controls Training and Awareness Staff Recruitment & Vetting Controls Physical Security Disposing of Customer Data Managing Third-party Suppliers Internal Audit and Compliance Monitoring

Auditing InfoSec Emerging Themes: FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers

FSA Fines…. Zurich fined £2.3m over customers’ data loss, August 2009 Result of a lack of oversight on key outsourced service Third Party Assurance

Third Party Assurance Due diligence Relationship management Contracts / service level agreements Ongoing review of security arrangements Third party assurance

Auditing InfoSec Emerging Themes: FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees?

Who are our employees? Initial recruitment process background checks CRB checks credit checks Recruitment of temporary staff Ongoing vetting of staff

Auditing InfoSec Emerging Themes: FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used?

“To block or not to block….?” Reasons to block…. Introduction of malware, spyware, virus Bandwidth usage ‘Time-wasting’ Data Leakage Accidental Intentional Data aggregation REPUTATION!

“To block or not to block….?” Reasons to allow…. Networking opportunities Knowledge sharing Communication with staff Marketing ability / customer engagement Increased staff morale

“To block or not to block….?” Controls to consider (if allowing social networking sites) Solid risk assessment Training and awareness Usage policies Granular web-site controls (next-gen firewalls) Data leakage software

Auditing InfoSec Emerging Themes: FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used? Portable Media Devices – Encrypted?

Ongoing Problem

Laptop Security Encryption Laptop policy – cannot rely on adherence Asset Register Laptop sharing

Auditing InfoSec Emerging Themes: FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used? Portable Media Devices – Encrypted? Smart Phones

Auditing InfoSec Emerging Themes: FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) Outsourcing / key suppliers Internal Threats – who are our employees? Internal Threats – how is the internet used? Portable Media Devices – Encrypted? Smart Phones What next….? Cloud Computing?

Cloud Computing Security Regulatory Compliance Location Segregation Recovery Auditability Longevity Costs

ANY QUESTIONS ?

Communicate Clearly At all levels, to achieve the optimum outcome Work Together Respect each other and our clients and through teamwork achieve a common goal Share Knowledge Our aim is to enlighten and add value through experience Communicate Clearly At all levels, to achieve the optimum outcome Deliver Quality Service We can be relied upon and trusted to meet agreed objectives Anticipate and Respond to Change We aim to be proactive and innovative; by being adaptable we address tomorrow's challenges today