Bridging the gap between software developers and auditors.

Qualitative versus Quantitative Risk Assessment
- It is impossible to conduct risk management that is purely quantitative.
- Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience.
- It is possible to accomplish purely qualitative risk management.

Qualitative risk assessment (rating matrix; Likelihood increases up the vertical axis, Impact increases along the horizontal axis)

               Impact  -->
Likelihood  |  Med. risk  |  High risk  |  High risk
    ^       |  Low risk   |  Med. risk  |  High risk
    |       |  Low risk   |  Low risk   |  Med. risk

Quantitative risk assessment
- ALE = ARO x SLE
  - SLE = AV x EF
- ALE = Annualized loss expectancy
- ARO = Annual rate of occurrence
- SLE = Single loss expectancy
- AV = Asset value
- EF = Exposure factor
Is there something wrong with this approach?

Risks in software development
- Buffer overflows
- Authentication
- Human intervention
- Code reuse

What is STRIDE
Microsoft's approach to threat modeling:
- Spoofing Identity
- Tampering with data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of privilege

What is DREAD
OWASP's extension to STRIDE, providing some quantifiable measure for vulnerabilities:
- Damage Potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
All scored on the scale 0-10.
DREAD = (D1 + R + E + A + D2) / 5
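The three scoring schemes from the preceding slides (the qualitative Likelihood x Impact matrix, ALE = ARO x SLE with SLE = AV x EF, and the DREAD average) applied to one small risk register. This is an added example, not code from the presentation; every finding, asset value and score in it is constructed, and the merged corner cells of the matrix are filled in as High/High and Low/Low.

```python
# Added example (not from the slides): a small risk register that applies the
# deck's three scoring schemes together: the qualitative Likelihood x Impact
# matrix, ALE = ARO x SLE with SLE = AV x EF, and the DREAD average.
# Every finding and figure below is constructed for illustration.

# Qualitative matrix from the slide, indexed [likelihood][impact], levels
# 0 = Low, 1 = Med, 2 = High (the merged High/Low corner cells filled in).
LEVELS = ("Low", "Med", "High")
MATRIX = (
    ("Low risk", "Low risk", "Med. risk"),    # low likelihood
    ("Low risk", "Med. risk", "High risk"),   # medium likelihood
    ("Med. risk", "High risk", "High risk"),  # high likelihood
)

def qualitative_rating(likelihood, impact):
    return MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF; EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(aro, sle):
    """ALE = ARO x SLE; ARO below 1 means the event is rarer than yearly."""
    return aro * sle

def dread_score(damage, reproducibility, exploitability, affected, discoverability):
    """DREAD = (D1 + R + E + A + D2) / 5, each component on the 0-10 scale."""
    parts = (damage, reproducibility, exploitability, affected, discoverability)
    if any(not 0 <= p <= 10 for p in parts):
        raise ValueError("each DREAD component must be scored 0-10")
    return sum(parts) / 5

def rank_findings(findings):
    """Findings are dicts; returns (name, qualitative, ALE, DREAD) by ALE desc."""
    rows = []
    for f in findings:
        sle = single_loss_expectancy(f["av"], f["ef"])
        rows.append((f["name"], qualitative_rating(f["likelihood"], f["impact"]),
                     annualized_loss_expectancy(f["aro"], sle), dread_score(*f["dread"])))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample register: asset value in dollars, ARO per year.
SAMPLE = [
    {"name": "Buffer overflow in upload parser", "likelihood": "Med", "impact": "High",
     "av": 500_000, "ef": 0.4, "aro": 0.5, "dread": (8, 7, 6, 9, 5)},
    {"name": "Weak password policy", "likelihood": "High", "impact": "Med",
     "av": 200_000, "ef": 0.2, "aro": 2.0, "dread": (5, 10, 8, 6, 9)},
]
```

Note that the two findings rank differently under ALE and under DREAD, which is the kind of disagreement the "Is there something wrong with this approach?" question on the quantitative slide invites.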

Risks in audit
- Audit risk is the probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find.
- Composed of Inherent, Control, and Detection risks.

Role of IT Controls
- Modern financial reporting is driven by information technology.
- IT initiates, authorizes, records, and reports the effects of financial transactions. Financial reporting internal controls (IC) are inextricably integrated with IT.
- COSO identifies two groups of IT controls:
  - application controls: apply to specific applications and programs, and ensure data validity, completeness and accuracy
  - general controls: apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

Important types of IT controls
- Input controls
- Processing controls
- Output controls

What can a university do?
- Teaching and training: UConn started an Advanced Business Certificate program in IT Audit, aligned with ISACA CISA coverage.
- Research: UConn is now an NSA Center of Excellence in Information Assurance Research.