San Francisco IIA Fall Seminar

Presentation transcript:

San Francisco IIA Fall Seminar: How to perform a cyber risk assessment

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Cyber assurance: A critical component of Internal Audit

Why should Internal Audit care?
- Because the board and the audit committee care
- Audit, legal and regulatory requirements for cyber are rapidly evolving
- The risk profile can change very rapidly
- A cyber breach could be material

Cybersecurity affects Internal Audit! The board of directors and audit committee require Internal Audit to have an independent and objective perspective on the organization's state of cyber readiness.

Cyber assurance program approach

- Risk assessment is a comprehensive method for assessing cyber risk, is appropriate for the organization, and is scored
- M.Y. plan is a multi-year, risk-based assurance cycle which targets domain-specific issues with adequate scoping and sizing
- Execution occurs with the right people, tools, and depth while providing the right conclusions
- Reporting is continuous, accurate, score card-based, and adequate for multiple stakeholders

[Diagram: the four stages (Risk assessment, M.Y. plan, Execution, Reporting) resting on the foundational elements.]

Cyber assurance: A comprehensive view

Those charged with governance do not have the benefit of a narrow cyber focus. For these stakeholders, "cyber" must cover all the aspects of cyber risk. Consequently, a cyber assurance program must be comprehensive in scope.

Stakeholders: Internal Audit and the Board of Directors, together with
- Chief Information Security Officer: IT and information security
- Chief Information Officer: IT and IT operations
- Chief Technology Officer: Product and innovation
- Legal Counsel: Legal aspects, contracting
- Chief Risk Officer: Cyber insurance, enterprise risk management
- Chief Marketing Officer: Social media, customer channels
- Chief Communications Officer: Communications, crisis management
- Procurement: Third-party vendors
- Facilities Management: Physical security

Cyber assurance framework: current view

Secure:
- Cybersecurity Governance
- Program management
- Data protection
- Identity and access management (account provisioning, privileged user management, access certification, access management and governance, generic account management)
- Infrastructure security
- Software security
- Cloud security
- Third-party management
- Workforce management

Vigilant:
- Threat and vulnerability management (threat modeling and intelligence, penetration testing)
- Monitoring

Resilient:
- Crisis management
- Enterprise resiliency (Business Impact Analysis (BIA), Business Continuity Planning (BCP), Disaster Recovery Planning (DRP))

*The Deloitte Advisory cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.

Cyber assurance: A comprehensive framework*

Secure:
- Cybersecurity Governance: program governance; organizational model; steering committee structure; tone at the top; regulatory and legal landscape; cybersecurity strategy
- Program management: policies, standards, baselines, guidelines, and procedures; talent and budget management; asset management; change management; program reporting; risk and compliance management
- Data protection: data classification; data security strategy; information records management; enterprise content management; data quality management; data loss prevention
- Identity and access management: account provisioning; privileged user management; access certification; access management and governance; generic account management
- Infrastructure security: hardening standards; security design/architecture; configuration management; network defense; security operations management
- Software security: secure build and testing; secure coding guidelines; application role design/access; development lifecycle; patch management
- Cloud security: cloud strategy; cloud risk identification; cloud provider inventory; minimum controls baseline; cloud controls compliance
- Third-party management: evaluation and selection; contract and service initiation; ongoing monitoring; service termination
- Workforce management: physical security; phishing exercises; security training and awareness

Vigilant:
- Threat and vulnerability management: threat modeling and intelligence; penetration testing; vulnerability management; emerging threats (e.g., mobile devices)
- Monitoring: Security Log Management (SLM); Security Information and Event Management (SIEM); cyber risk analytics; metrics and reporting

Resilient:
- Crisis management: response planning; tabletop exercises; war game exercises; incident response and forensics; crisis communication plan; third-party responsibilities
- Enterprise resiliency: Business Impact Analysis (BIA); Business Continuity Planning (BCP); Disaster Recovery Planning (DRP)

*The Deloitte Advisory cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.

Cyber assurance risk assessment: alternative views

- Maturity model
- Risk/maturity hybrid model
- Risk model
- Audit relevance score

Cyber assurance risk assessment methods

[Illustrative heat map: the cybersecurity domains, colored by risk, plotted against a five-level maturity scale (1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized), with initial observed maturity, current maturity and target maturity marked for the client against the industry.]

Domains shown: Secure (Governance, Program Management, Data Protection, Identity and access management, Infrastructure Security, Software Security, Cloud Security, Third-party management, Workforce management); Vigilant (Threat and vulnerability management, Monitoring); Resilient (Crisis management, Enterprise Resiliency).

Defining the cyber assurance cycle (M.Y. plan)

- Helps organizations gain a level of assurance over some or all cyber domains every year
- Outlines assurance frequencies for cyber domains, based on the risk quantification methods used and on regulatory or industry requirements
- Sustainable and repeatable

Examples:

ARS      | Audit frequency
---------|------------------------
Critical | Annually
High     | Twice every three years
Moderate | Once every two years
Low      | Once every three years

Risk   | Audit frequency
-------|------------------
High   | Annually
Medium | Every two years
Low    | Every three years

Building the cyber assurance plan (M.Y. plan)

The development of a cyber assurance plan should be straightforward once cyber domains have been assessed and a cyber assurance cycle has been defined. The plan should be re-assessed annually to maintain relevance as threats and regulatory requirements change. See example below.

[Illustrative table: one row per domain with its ARS, and columns for 2018, 2019 and 2020 marking the years in which each domain is audited; the cell values are not preserved in the transcript.] Domain rows: Secure (Cybersecurity Governance, Program management, Data protection, Identity and Access Management, Infrastructure security, Software security, Cloud security, Third-party management, Workforce management); Vigilant (Threat and vulnerability management, Monitoring); Resilient (Crisis management, Enterprise resiliency).

Copyright © 2017 Deloitte Development LLC. All rights reserved.
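The two steps above (define the cycle from ARS frequencies, then lay the domains out over the planning horizon) as an added worked example; this is not Deloitte's code or tooling. It encodes the ARS frequency table from the slide, assigns constructed ARS ratings to the thirteen framework domains purely for illustration, and produces a 2018-2020 plan plus the audit load per year. Spreading a domain's audits evenly inside its window and staggering same-rated domains round-robin are design choices of this example, not something the slides specify.

```python
"""Added example: build a multi-year (M.Y.) cyber assurance plan from the
Audit Relevance Score (ARS) frequency table on the slide.

Not Deloitte's tooling. The domain ratings below are constructed for
illustration; how audits are spread inside a window and how load is
staggered across same-rated domains are assumptions of this example."""
from collections import Counter
from typing import Dict, List, Tuple

# ARS -> (audits, window_years), straight from the slide's frequency table.
FREQUENCY: Dict[str, Tuple[int, int]] = {
    "Critical": (1, 1),  # annually
    "High":     (2, 3),  # twice every three years
    "Moderate": (1, 2),  # once every two years
    "Low":      (1, 3),  # once every three years
}

# Constructed ratings for the framework's thirteen domains (illustrative only).
DOMAINS: List[Tuple[str, str]] = [
    ("Cybersecurity Governance", "Critical"),
    ("Program management", "High"),
    ("Data protection", "Critical"),
    ("Identity and access management", "High"),
    ("Infrastructure security", "High"),
    ("Software security", "Moderate"),
    ("Cloud security", "Moderate"),
    ("Third-party management", "Moderate"),
    ("Workforce management", "Low"),
    ("Threat and vulnerability management", "Critical"),
    ("Monitoring", "High"),
    ("Crisis management", "Moderate"),
    ("Enterprise resiliency", "Low"),
]


def is_audit_year(year_index: int, rating: str, offset: int = 0) -> bool:
    """Return True if a domain with this ARS is audited in plan year `year_index`.

    Audits are spread evenly over each window (assumption): a "High" domain is
    audited in years 1 and 3 of every three-year window. `offset` rotates the
    pattern so that same-rated domains do not all land in the same year.
    """
    audits, window = FREQUENCY[rating]
    j = (year_index + offset) % window          # position inside the window
    quota_now = j * audits // window            # audits due by the end of year j
    quota_before = -1 if j == 0 else (j - 1) * audits // window
    return quota_now > quota_before             # a new audit became due this year


def build_plan(domains, start_year: int, years: int,
               stagger: bool = True) -> Dict[str, List[int]]:
    """Map each domain to the calendar years in which it is audited."""
    seen = Counter()        # how many domains of each rating already scheduled
    plan: Dict[str, List[int]] = {}
    for name, rating in domains:
        offset = seen[rating] if stagger else 0   # round-robin stagger per ARS
        seen[rating] += 1
        plan[name] = [start_year + i for i in range(years)
                      if is_audit_year(i, rating, offset)]
    return plan


def load_per_year(plan: Dict[str, List[int]]) -> Dict[int, int]:
    """Count audits per calendar year, the sizing input for the execution phase."""
    load = Counter()
    for years in plan.values():
        load.update(years)
    return dict(sorted(load.items()))


def audits_in_window(rating: str, offset: int = 0) -> int:
    """Number of audits a rating produces over one full window (cycle check)."""
    _, window = FREQUENCY[rating]
    return sum(is_audit_year(i, rating, offset) for i in range(window))


if __name__ == "__main__":
    plan = build_plan(DOMAINS, 2018, 3)
    for name, years in plan.items():
        print(f"{name:40s} {years}")
    print("audits per year:", load_per_year(plan))
```

With staggering off, every High and Moderate domain lands in 2018 and 2020 and 2019 carries only the Critical domains, which is exactly the sizing problem the "adequate scoping and sizing" bullet warns about; with staggering on, the load evens out to 9/7/9 audits across the three years while each domain still meets its ARS frequency. The `audits_in_window` check is the kind of self-test worth keeping when the plan is re-assessed annually, since a hand-edited plan can silently drop a required audit.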

Cyber assurance audit execution

People: the right number; the right team; the right skills; the right model

Audit enablers and execution tools: network scanning tools; Data Loss Prevention scanning; exploitation frameworks; proprietary tool kits; Deloitte Diamonde; audit programs

Scope: entire domain or subdomain only; type of audit (assurance or consultative); emerging risks

Reporting: presentation to stakeholder groups; dashboards; formal reports

Cyber assurance communication strategy (Reporting)

- Allows stakeholders to communicate effectively
- Provides "at a glance" status update
- Customized for each group of stakeholders: Executive Committee, Steering Committee, Working Group

Foundational elements

ORGANIZATIONAL COMMITMENT: stakeholder collaboration; supportive governance structure in place; audit is collaborative and value-driven; board of directors support; supported by organization policies

ADAPTIVE TO CHANGE: regulatory and compliance landscape; external audit requirements; threat landscape; skill requirements; frameworks and standards

TOOLS: audit enablers; execution tools; templates; audit programs

TEAM: right number; right skills; continuous evolvement; alternative models

Thank You!

Glenn Wilson, Deloitte & Touche LLP
+1 213 688 6976
glennwilson@deloitte.com
LinkedIn: http://www.linkedin.com/in/gmw13
Twitter: @DeloitteGlenn

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte USA LLP, Deloitte LLP, and their respective subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright © 2017 Deloitte Development LLC. All rights reserved. 36 USC 220506