San Francisco IIA Fall Seminar


1 San Francisco IIA Fall Seminar
How to perform a cyber risk assessment

Disclaimer: This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

5 Cyber assurance: A critical component of Internal Audit
Why should Internal Audit care?
Because the board and the audit committee care
Audit, legal and regulatory requirements for cyber are rapidly evolving
The risk profile can change very rapidly
A cyber breach could be material

Cybersecurity affects Internal Audit. The board of directors and audit committee require Internal Audit to have an independent and objective perspective on the organization's state of cyber readiness.

6 Cyber assurance program approach
The program has four components, resting on a set of foundational elements (slide 16):
Risk assessment: a comprehensive method for assessing cyber risk that is appropriate for the organization and produces a score
M.Y. (multi-year) plan: a risk-based assurance cycle that targets domain-specific issues with adequate scoping and sizing
Execution: carried out with the right people, tools, and depth, and providing the right conclusions
Reporting: continuous, accurate, scorecard-based, and adequate for multiple stakeholders

7 Cyber assurance: A comprehensive view
Those charged with governance do not have the benefit of a narrow cyber focus. For these stakeholders, "cyber" must cover all the aspects of cyber risk. Consequently, a cyber assurance program must be comprehensive in scope. Stakeholders and the aspects they own:
Board of Directors and Internal Audit: oversight and independent assurance
Chief Information Security Officer: IT and information security
Chief Information Officer: IT and IT operations
Chief Technology Officer: product and innovation
Legal Counsel: legal aspects, contracting
Chief Risk Officer: cyber insurance, enterprise risk management
Chief Marketing Officer: social media, customer channels
Chief Communications Officer: communications, crisis management
Procurement: third-party vendors
Facilities Management: physical security

8 Cybersecurity Governance
Current view: the framework groups domains under Cybersecurity Governance and three pillars (Secure, Vigilant, Resilient).
Cybersecurity Governance
Secure: Program management; Data protection; Identity and access management (account provisioning, privileged user management, access certification, access management and governance, generic account management); Infrastructure security; Software security; Cloud security; Third-party management; Workforce management
Vigilant: Threat and vulnerability management (threat modeling and intelligence, penetration testing); Monitoring
Resilient: Crisis management; Enterprise resiliency (Business Impact Analysis (BIA), Business Continuity Planning (BCP), Disaster Recovery Planning (DRP))
*The Deloitte Advisory cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.

9 Cyber assurance: A comprehensive framework*
Cybersecurity Governance: Program governance; Organizational model; Steering committee structure; Tone at the top; Regulatory and legal landscape; Cybersecurity strategy

Secure
Program management: Policies, standards, baselines, guidelines, and procedures; Talent and budget management; Asset management; Change management; Program reporting; Risk and compliance management
Data protection: Data classification; Data security strategy; Information records management; Enterprise content management; Data quality management; Data loss prevention
Identity and access management: Account provisioning; Privileged user management; Access certification; Access management and governance; Generic account management
Infrastructure security: Hardening standards; Security design/architecture; Configuration management; Network defense; Security operations management
Software security: Secure build and testing; Secure coding guidelines; Application role design/access; Development lifecycle; Patch management
Cloud security: Cloud strategy; Cloud risk identification; Cloud provider inventory; Minimum controls baseline; Cloud controls compliance
Third-party management: Evaluation and selection; Contract and service initiation; Ongoing monitoring; Service termination
Workforce management: Physical security; Phishing exercises; Security training and awareness

Vigilant
Threat and vulnerability management: Threat modeling and intelligence; Penetration testing; Vulnerability management; Emerging threats (e.g., mobile devices)
Monitoring: Security Log Management (SLM); Security Information and Event Management (SIEM); Cyber risk analytics; Metrics and reporting

Resilient
Crisis management: Response planning; Tabletop exercises; War game exercises; Incident response and forensics; Crisis communication plan; Third-party responsibilities
Enterprise resiliency: Business Impact Analysis (BIA); Business Continuity Planning (BCP); Disaster Recovery Planning (DRP)

*The Deloitte Advisory cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.

10 Cyber assurance risk assessment alternative views
Four ways to score the domains:
Maturity model
Risk model
Risk/maturity hybrid model
Audit relevance score (ARS)

11 Cyber assurance risk assessment methods
[Illustrative maturity chart, not reproduced in the transcript.] Each cybersecurity domain (Governance; Secure: Program management, Data protection, Identity and access management, Infrastructure security, Software security, Cloud security, Third-party management, Workforce management; Vigilant: Threat and vulnerability management, Monitoring; Resilient: Crisis management, Enterprise resiliency) is rated on a five-level maturity scale (1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized), with domains colored by risk. The chart plots initial observed maturity, current maturity, and target maturity for the client against its industry.

12 Defining the cyber assurance cycle
M.Y. plan
Defining the cyber assurance cycle helps organizations gain a level of assurance over some or all cyber domains every year. The cycle outlines assurance frequencies for cyber domains that are:
Based on the risk quantification method used
Driven by regulatory or industry requirements
Sustainable and repeatable

Example 1: cycle based on audit relevance score (ARS)
  ARS        Audit frequency
  Critical   Annually
  High       Twice every three years
  Moderate   Once every two years
  Low        Once every three years

Example 2: cycle based on risk rating
  Risk     Audit frequency
  High     Annually
  Medium   Every two years
  Low      Every three years

13 Building the cyber assurance plan
M.Y. plan
The development of a cyber assurance plan should be straightforward once cyber domains have been assessed and a cyber assurance cycle has been defined. The plan should be re-assessed annually to maintain relevance as threats and regulatory requirements change.

Illustrative example (the slide's grid marks which domains are audited in each year; the marks did not survive transcription):
  Columns: Domain (with ARS) | 2018 | 2019 | 2020
  Rows: Cybersecurity governance; Secure: Program management, Data protection, Identity and access management, Infrastructure security, Software security, Cloud security, Third-party management, Workforce management; Vigilant: Threat and vulnerability management, Monitoring; Resilient: Crisis management, Enterprise resiliency

Copyright © 2017 Deloitte Development LLC. All rights reserved.
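The deck shows the ARS-to-frequency table and the resulting year-by-domain grid but not how one gets from the first to the second. The following is an added example, not code from the presentation or from Deloitte: it takes per-domain ARS ratings (the ratings below are constructed for illustration; the domain names are the framework's), applies the ARS-based cycle from the previous slide, and lays the audits out over 2018-2020. The greedy load balancing (shortest-interval domains placed first, start year chosen to keep the peak yearly workload low without stretching any interval) is this example's own assumption, not a method the deck describes.

```python
"""Added example: build a three-year cyber assurance plan from per-domain
audit relevance scores (ARS) and the ARS-based audit-frequency cycle,
balancing the number of audits scheduled in each year. The ARS ratings
below are constructed for illustration; the scheduling rule is an
assumption of this example, not the deck's method."""

# Audit interval implied by each ARS rating, in months (from the cycle table).
ARS_INTERVAL_MONTHS = {
    "Critical": 12,  # annually
    "High": 18,      # twice every three years
    "Moderate": 24,  # once every two years
    "Low": 36,       # once every three years
}

HORIZON = (2018, 2019, 2020)

# Constructed sample ratings; a real risk assessment produces these.
DOMAIN_ARS = {
    "Cybersecurity governance": "Moderate",
    "Program management": "Moderate",
    "Data protection": "Critical",
    "Identity and access management": "Critical",
    "Infrastructure security": "High",
    "Software security": "High",
    "Cloud security": "High",
    "Third-party management": "Moderate",
    "Workforce management": "Low",
    "Threat and vulnerability management": "Critical",
    "Monitoring": "High",
    "Crisis management": "High",
    "Enterprise resiliency": "Low",
}


def audit_offsets(interval_months, first_offset, horizon_len):
    """0-based year offsets at which a domain is audited, given the year of
    its first audit in the horizon and its interval. Month arithmetic keeps
    the 18-month ("twice every three years") interval exact."""
    offsets = []
    month = first_offset * 12
    while month // 12 < horizon_len:
        offsets.append(month // 12)
        month += interval_months
    return offsets


def build_plan(domain_ars, horizon=HORIZON, intervals=ARS_INTERVAL_MONTHS):
    """Greedy scheduler: domains with the shortest interval are placed first.
    Each domain's first audit year is chosen, without exceeding its interval,
    to minimise the peak yearly load, then the load of the years it uses,
    then to prefer the earlier year."""
    n = len(horizon)
    load = [0] * n  # audits scheduled per horizon year
    plan = {}
    for domain in sorted(domain_ars, key=lambda d: intervals[domain_ars[d]]):
        interval = intervals[domain_ars[domain]]
        latest_first = min((interval - 1) // 12, n - 1)
        best_key, best_offsets = None, None
        for first in range(latest_first + 1):
            offs = audit_offsets(interval, first, n)
            trial = load[:]
            for o in offs:
                trial[o] += 1
            key = (max(trial), sum(load[o] for o in offs), first)
            if best_key is None or key < best_key:
                best_key, best_offsets = key, offs
        for o in best_offsets:
            load[o] += 1
        plan[domain] = [horizon[o] for o in best_offsets]
    return plan


def yearly_load(plan, horizon=HORIZON):
    """Number of domain audits falling in each horizon year."""
    return [sum(1 for years in plan.values() if y in years) for y in horizon]


def validate_plan(plan, domain_ars, horizon=HORIZON, intervals=ARS_INTERVAL_MONTHS):
    """Cycle checks: every domain is audited within the horizon, and
    annual-interval domains appear in every year."""
    problems = []
    for domain, rating in domain_ars.items():
        years = plan.get(domain, [])
        if not years:
            problems.append(f"{domain}: never audited in {horizon[0]}-{horizon[-1]}")
        elif intervals[rating] <= 12 and len(years) != len(horizon):
            problems.append(f"{domain}: rated {rating} but not audited every year")
    return problems


def render_plan(plan, domain_ars, horizon=HORIZON):
    """Text grid in the style of the slide: one row per domain, X per year."""
    width = max(len(d) for d in plan) + 12
    lines = ["Domain (ARS)".ljust(width) + "  ".join(str(y) for y in horizon)]
    for domain, years in plan.items():
        label = f"{domain} ({domain_ars[domain]})".ljust(width)
        lines.append(label + "  ".join(" X  " if y in years else "    " for y in horizon))
    return "\n".join(lines)


if __name__ == "__main__":
    plan = build_plan(DOMAIN_ARS)
    print(render_plan(plan, DOMAIN_ARS))
    print("audits per year:", yearly_load(plan))
    print("problems:", validate_plan(plan, DOMAIN_ARS) or "none")
```

With the constructed ratings the scheduler spreads the 26 audits as 9, 9 and 8 per year; a Moderate domain that starts in the second year gets only one audit inside the three-year window, which the cycle permits but which the annual re-assessment the slide calls for should revisit.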

14 Cyber assurance audit execution
Execution is organised around five elements:
People: The right number; The right team; The right skills; The right model
Audit enablers: Deloitte Diamonde; Audit programs
Execution tools: Network scanning tools; Data Loss Prevention scanning; Exploitation frameworks; Proprietary tool kits
Scope: Entire domain or subdomain only; Type of audit (assurance or consultative); Emerging risks
Reporting: Presentation to stakeholder groups; Dashboards; Formal reports

15 Cyber assurance communication strategy
Reporting
Allows stakeholders to communicate effectively
Provides an "at a glance" status update
Customized for each group of stakeholders: Executive Committee, Steering Committee, Working Group

16 Foundational elements
ORGANIZATIONAL COMMITMENT: Stakeholder collaboration; Supportive governance structure in place; Audit is collaborative and value-driven; Board of directors support; Supported by organization policies
ADAPTIVE TO CHANGE: Regulatory and compliance landscape; External audit requirements; Threat landscape; Skill requirements; Frameworks and standards
TOOLS: Audit enablers; Execution tools; Templates; Audit programs
TEAM: Right number; Right skills; Continuous evolvement; Alternative models

17 Thank You!
Glenn Wilson, Deloitte & Touche LLP
LinkedIn:

18 As used in this document, "Deloitte Advisory" means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see for a detailed description of the legal structure of Deloitte USA LLP, Deloitte LLP, and their respective subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
