AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03 March 2011

Presentation transcript:

AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03 March 2011

WHO ARE MUTUAL ONE? Mission Statement: “To enhance the competitiveness of mutuals”

WHAT DOES MUTUAL ONE DO?
- We facilitate collective action amongst mutuals across 4 broad areas:
  - Internal audit
  - Compliance, risk and governance
  - Events
  - Collective procurement
- We are very committed to supporting the mutual sector so that it thrives, not just survives
- More details on the above can be found on

Contents
- Definition of ‘Information Security’
- What information do we need to secure?
- Why do we need to secure information?
- Auditing Information Security Frameworks
- Emerging Themes
- Questions
Current ‘Hot Topics’ in Information Security Governance Auditing

Information Security…
“…protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.”
Source: Wikipedia – Nov 2010

CIA ‘triangle’

What information needs protecting?
- Customer
- Employee
- Confidential Company
- Bank / card
- Product / ideas

But why…?
Regulatory Requirements: Financial Services Authority

FSA Fines….

But why…?
Regulatory Requirements: Financial Services Authority; Data Protection Act 1998

ICO Fines….!!!

But why…?
- Regulatory Requirements
- Reputation Damage
- Financial Cost

Estimated Cost of a Data Breach:
- Data loss incidents cost between £365k and £3.92m to manage
- Average cost per lost record = £64
- Biggest cost per lost record is lost business: £29
- Other costs include: customer communication, recompense, operational costs, financial penalty
- Increased 7% in past year, 36% in past two years
Source: Ponemon Institute / PGP 2009 Annual Study – Global Cost of a Data Breach report

Auditing InfoSec
Dependent upon:
- Organisation
- Size and nature of IT environment, i.e. is the control requirement proportionate?
- Operating environment – regulated firm?
- Compliance to external requirements (e.g. PCI-DSS)?
- Risk appetite

Auditing InfoSec – Frameworks
- ISO27001 / 2
  - ISO/IEC 27001:2005 – Information Security Management Systems – Requirements
  - ISO/IEC 27002:2005 – Code of Practice for Information Security Management
- COBIT
- FSA Paper – Data Security in Financial Services (Apr 2008)
- Payment Card Industry – Data Security Standards

Auditing InfoSec
Emerging Themes:
- FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)

Data Security in Financial Services (April 2008) – New Regulation??
1. Governance – managing systems and controls
2. Training and Awareness
3. Staff Recruitment & Vetting
4. Controls
5. Physical Security
6. Disposing of Customer Data
7. Managing Third-party Suppliers
8. Internal Audit and Compliance Monitoring

Auditing InfoSec
Emerging Themes:
- FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

FSA Fines…
Result of a lack of oversight on a key outsourced service
Third Party Assurance

- Due diligence
- Third party assurance
- Ongoing review of security arrangements
- Contracts / service level agreements
- Relationship management

Auditing InfoSec
Emerging Themes:
- Internal Threats – who are our employees?
- FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Can you trust your employees?

Who are our employees?
- Initial recruitment process
- Ongoing vetting of staff
- Recruitment of temporary staff
- Credit checks
- CRB checks
- Background checks

Auditing InfoSec
Emerging Themes:
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Web-based / social networking

“To block or not to block…?”
Reasons to block…
- Introduction of malware, spyware, virus
- Bandwidth usage
- ‘Time-wasting’
- Data leakage: accidental, intentional
- Data aggregation
- REPUTATION!

“To block or not to block…?”
Reasons to allow…
- Networking opportunities
- Knowledge sharing
- Communication with staff
- Increased staff morale
- Marketing ability / customer engagement

“To block or not to block…?”
Controls to consider (if allowing social networking sites):
- Training and awareness
- Usage policies
- Granular web-site controls (next-gen firewalls)
- Data leakage software
- Solid risk assessment

Beware… proxy avoidance…

Auditing InfoSec
Emerging Themes:
- Portable Media Devices – Encrypted?
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Ongoing Problem

Laptop Security
- Encryption
- Laptop policy – cannot rely on adherence
- Asset register
- Laptop sharing

Auditing InfoSec
Emerging Themes:
- Smart Phones
- Portable Media Devices – Encrypted?
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Smart Phones

Auditing InfoSec
Emerging Themes:
- What next…? Cloud Computing?
- Smart Phones
- Portable Media Devices – Encrypted?
- Internal Threats – how is the internet used?
- Internal Threats – who are our employees?
- FSA split into Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
- Outsourcing / key suppliers

Cloud Computing
- Security
- Location
- Regulatory compliance
- Segregation
- Recovery
- Auditability
- Longevity
- Costs

ANY QUESTIONS?

Work Together: Respect each other and our clients and, through teamwork, achieve a common goal
Communicate Clearly: At all levels, to achieve the optimum outcome
Anticipate and Respond to Change: We aim to be proactive and innovative; by being adaptable we address tomorrow's challenges today
Deliver Quality Service: We can be relied upon and trusted to meet agreed objectives
Share Knowledge: Our aim is to enlighten and add value through experience