Central Bank of Libya

Information Technology (IT)
Internal Controls Presentation for the
Central Bank of Libya
Royce Walker
Financial Services Volunteer Corps
March 23 - 25, 2009
IT Internal Controls
Introduction
Topics of Discussion:
• Definition of Internal Control
• Overview of Internal Control/Risk Management
Frameworks
• Information Technology Internal Controls
Definition of Internal Control
Internal Control is a process, effected by an entity’s board
of directors, management and other personnel. This
process is designed to provide reasonable assurance
regarding the achievement of objectives in effectiveness
and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and
regulations.
Source: The Committee on Sponsoring Organizations of the Treadway Commission. – http://www.coso.org/resources.htm.
Internal Control/Risk Management Frameworks
Enterprise-wide Frameworks
• The Cadbury Committee (United Kingdom)
• The Canadian Criteria of Control Committee (CoCo) (Canada)
• The Committee on Sponsoring Organizations (COSO) (United
States)
IT Frameworks
• The Information Systems Audit and Control Association – Control
Objectives for Information Technology (COBIT)
• Information Technology Infrastructure Library (ITIL)
• The International Organization for Standardization (ISO)
Information Technology Internal Controls
Governance
Who is in charge of IT?
Governance is one of the most important controls. If
someone or some group is not actively overseeing the IT
function, the result will be chaos.
Governance (continued)
• Achieved through management structure, assignment of
responsibilities and authority, establishment of policies,
standards and procedures, allocation of resources,
monitoring, and accountability.
• Required to ensure tasks are completed appropriately,
accountability is maintained, and risk is managed for the
entire enterprise.
• Responsibility of the board of directors and executive
management.
• Fundamentally concerned with two issues: 1) IT delivers
value, 2) IT risks are mitigated.
Source: Federal Financial Institutions Examination Council, Information Security, IT Examination Handbook, and Information Systems Audit and Control
Association CISA Review Manual 2006, Chapter 2, IT Governance
Governance (continued)
Management Structure
IT should be governed/supported by:
• Board of Directors.
• IT officers and supervisory personnel.
• IT employees.
• IT users.
• Auditors.
• Service providers and contractors.
IT Risk Assessment
An IT risk assessment includes three parts:
1. Gathering technical and non-technical information about
the IT function.
2. Analyzing the information to
• classify and rank sensitive data, systems, and
applications.
• assess threats and vulnerabilities.
• evaluate control effectiveness.
3. Setting priorities for responses.
IT Risk Assessment (continued)
Necessary Information
Examples of technical information include:
• Data and systems to be protected (electronic and paper).
• Network diagrams of internal and external connectivity.
• Hardware, software, database file inventories.
Examples of non-technical information include:
• Policies, standards, and procedures for security.
• Vendor contracts, including insurance coverage
• Reports of security monitoring, self-assessments, metrics,
and independent tests.
IT Risk Assessment (continued)
Classify/Rank Sensitive Data, Systems, and Applications
Assess/classify relative importance of information systems,
classify data to identify and rank data, systems, and
applications in order of importance.
Assess Threats and Vulnerabilities
Determine which threats and vulnerabilities deserve priority
attention relative to value of the information or information
systems being protected.
IT Risk Assessment (continued)
Evaluate Control Effectiveness
Identify controls that will mitigate the impact of a threat/vulnerability.
• Preventive Control – Keeps something from occurring.
• Detective Control – Finds something after it occurred.
• Corrective Control – Corrects problems that occurred.
Assign Risk Ratings
Risk ratings should be assigned to information systems and
data to establish importance and criticality.
Information Security Strategy
Typical steps to building an information security strategy
include:
• Defining control objectives.
• Identifying and assessing approaches to security.
• Establishing benchmarks and metrics.
• Preparing and implementing testing plans.
Information Security Strategy (continued)
Control Framework Considerations
• Using a widely recognized technology standard, such as
COBIT, ITIL, ISO 17799, etc.
Policies and Procedures
• Primary component of strategy; guides decisions made by
users, administrators, and managers.
• Inform individuals of their responsibilities, specify ways of
meeting responsibilities.
• Provide guidance in acquiring, configuring, and auditing
information systems.
Information Security Strategy (continued)
Technology Design
• Provides effective network-level monitoring, limits
intruder’s ability to traverse the network, offers minimum
level of services required by business needs.
• If updated in a timely manner, mitigates newly discovered
threats and vulnerabilities.
Information Security Strategy (continued)
Outsourced Security Services
• Security services may be outsourced to obtain greater
expertise, greater range of services, and lower costs.
• Institution retains same responsibilities for security as if
those services were performed in-house.
• Sufficient expertise is needed to oversee and manage
outsourced security service relationship properly.
• Detailed contract is needed for scope and nature of services
as well as for expected and required service levels.
Information Security Internal Controls
Internal controls should be established to minimize IT Risk.
• Access Control
• Physical and Environmental Protections
• Encryption
• Malicious Code Prevention
• Systems Development, Acquisition, and Maintenance
• Personnel Security
• Data Security
• Service Provider Oversight
• Business Continuity Considerations
• Insurance
• Monitoring
Access Control
Goal of access control is to allow access by authorized
individuals and devices and to disallow access by all others.
• Limit to specifically authorized persons.
• Authorize only individuals whose identity is established.
• Limit activities to those required for business purposes.
• Approve device installation in accordance with policy.
• Use change controls for devices and software used inside
the external perimeter, configure institution devices to
accept authorized connections from outside the perimeter.
Access Rights Administration
Implement an effective process to administer access rights.
• Assign users and devices only the access required to
perform their required functions (business need).
• Update access rights based on personnel and system
changes.
• Review users’ access rights at periodic intervals.
• Design acceptable-use policies and require users to agree
to them in writing.
• Review exception reports.
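The slide lists the administrative steps (least-privilege assignment, updating rights on personnel changes, periodic review, exception reports) but not what a review actually produces. The following script is an added example, not part of the original presentation: it compares each user's granted entitlements with the entitlements their role needs and emits the exception report a reviewer would work from. The roles, personnel records, grants and the 90-day dormancy threshold are constructed assumptions.

```python
"""Periodic access-rights review (added example; roles, users, grants and the
dormancy threshold are constructed sample data, not the bank's)."""
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90   # assumed threshold for "no recent login"

# Role -> entitlements the role's business function requires (constructed).
ROLE_NEEDS = {
    "teller":   {"core_banking:read", "core_banking:post_txn"},
    "auditor":  {"core_banking:read", "audit_log:read"},
    "sysadmin": {"os:root", "core_banking:admin"},
}

# Personnel records as HR would supply them (constructed).
USERS = {
    "amal":  {"role": "teller",   "active": True,  "last_login": date(2009, 3, 20)},
    "faris": {"role": "auditor",  "active": True,  "last_login": date(2008, 11, 2)},
    "hana":  {"role": "teller",   "active": False, "last_login": date(2009, 1, 15)},  # has left
    "omar":  {"role": "sysadmin", "active": True,  "last_login": date(2009, 3, 22)},
}

# Entitlements currently granted in the systems (constructed).
GRANTS = {
    "amal":  {"core_banking:read", "core_banking:post_txn", "core_banking:admin"},
    "faris": {"core_banking:read", "audit_log:read"},
    "hana":  {"core_banking:read", "core_banking:post_txn"},
    "omar":  {"os:root", "core_banking:admin"},
    "ghost": {"os:root"},   # grant with no matching personnel record
}


def review_access(users, grants, review_date):
    """Return (user, finding, detail) exceptions, ordered by user name.

    Findings correspond to the slide's controls: access beyond business need,
    rights not removed on personnel change, and accounts nobody has used.
    """
    findings = []
    for user, entitlements in sorted(grants.items()):
        record = users.get(user)
        if record is None:
            # Nobody in HR owns this account: remove or justify it.
            findings.append((user, "orphan_account", sorted(entitlements)))
            continue
        if not record["active"]:
            # Personnel change not reflected in access rights.
            findings.append((user, "terminated_user_still_has_access",
                             sorted(entitlements)))
            continue
        excess = entitlements - ROLE_NEEDS.get(record["role"], set())
        if excess:
            findings.append((user, "exceeds_business_need", sorted(excess)))
        if review_date - record["last_login"] > timedelta(days=DORMANT_AFTER_DAYS):
            findings.append((user, "dormant_account",
                             record["last_login"].isoformat()))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(USERS, GRANTS, date(2009, 3, 25)):
        print(f"{user:8} {finding:36} {detail}")
```

Each finding maps to one bullet on the slide: an entitlement beyond the role's need, a terminated user whose rights were never updated, an account with no owner, and a dormant account. The report is only useful if someone is accountable for closing each line, which is the governance point made earlier in the deck.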
Authentication
Use effective authentication methods.
• Select authentication mechanisms based on risk associated
with application or services.
• Consider when multi-factor authentication is appropriate.
• Encrypt transmission and storage of authenticators (e.g.,
passwords, personal identification numbers (PINs), digital
certificates, biometric templates).
Authentication (continued)
Shared Secret Systems – Uniquely identify user by matching
knowledge on system to knowledge only system and user are
expected to share.
• Passwords, pass phrases, current transaction knowledge.
• Password string – C2$v73#L
• Pass phrase – My favorite candy is peppermint.
• Current transaction knowledge – Account balance on
the last statement mailed to the user/customer.
• Controls should prevent user from re-using shared secrets
that were compromised, or recently used by user.
Authentication (continued)
Shared Secret Systems (continued)
• Passwords and pass phrases should be difficult to guess.
• Strength is lack of disclosure of and about the secret,
difficulty in guessing it, length of time before it is changed.
• User should select passwords and pass phrases without
assistance from other users. (Exception – Temporary
password to create new account).
Authentication (continued)
Shared Secret Systems (continued)
• Automated tools can assist enforcement of shared secret
system policies.
• Length
• Complexity
• Periodic changes (e.g., every 30, 60, 90 days)
• Lock out after unsuccessful password attempts
• Disallow re-use of password
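As an added example (not code from the presentation), the module below implements the five automated checks the slide lists for a shared-secret system: minimum length, complexity, periodic change, lockout after repeated failures, and no re-use of previous secrets. Previous secrets are kept only as salted PBKDF2 hashes so that the re-use check does not itself become a store of reusable secrets. The thresholds (12 characters, 3 character classes, 90-day age, 5 attempts, 10-entry history) and the sample account are assumptions chosen for illustration.

```python
"""Shared-secret policy enforcement (added example; thresholds and sample
account are constructed assumptions, not the bank's policy)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy thresholds: constructed assumptions.
MIN_LENGTH = 12
MIN_CLASSES = 3            # of: lower, upper, digit, symbol
MAX_AGE_DAYS = 90          # periodic change (slide: e.g., every 30, 60, 90 days)
MAX_FAILED_ATTEMPTS = 5    # lock out after this many consecutive failures
HISTORY_SIZE = 10          # previous secrets that may not be re-used


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored history cannot be reversed into secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)   # (salt, hash) of past secrets
    last_changed: date = date(2009, 1, 1)
    failed_attempts: int = 0
    locked: bool = False


def complexity_problems(secret: str) -> list:
    """Return the length/complexity rules a candidate fails ([] = accepted)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret)]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of: lower, upper, digit, symbol")
    return problems


def was_used_before(account: Account, secret: str) -> bool:
    """Compare the candidate against the hashes of the last HISTORY_SIZE secrets."""
    return any(hmac.compare_digest(_hash_secret(secret, salt), digest)
               for salt, digest in account.history[-HISTORY_SIZE:])


def change_secret(account: Account, new_secret: str, today: date) -> list:
    """Apply all change-time rules; on success store the new hash and return []."""
    problems = complexity_problems(new_secret)
    if was_used_before(account, new_secret):
        problems.append("re-use of a previous secret")
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _hash_secret(new_secret, salt)))
    account.last_changed = today
    account.failed_attempts = 0
    return []


def verify(account: Account, attempt: str, today: date) -> bool:
    """Authenticate one attempt, enforcing lockout and periodic-change expiry."""
    if account.locked or not account.history:
        return False
    if today - account.last_changed > timedelta(days=MAX_AGE_DAYS):
        return False   # expired: the secret must be changed before use
    salt, digest = account.history[-1]
    if hmac.compare_digest(_hash_secret(attempt, salt), digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False
```

With these assumed thresholds the slide's sample password string (eight characters) fails only the length rule, while the sample pass phrase passes: it is long, and spaces and punctuation count as a character class. Unlocking a locked account is deliberately left to an administrative procedure rather than to the code, matching the slide's point that tools assist enforcement of policy rather than replace it.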
Authentication (continued)
Other Authentication Systems
Token Systems – Two-factor authentication of something
user has and something user knows.
Public Key Infrastructure (PKI) – Combines hardware
components, system software, policies, practices, standards
for authentication, data integrity, defense against customer
repudiation, and confidentiality.
Biometrics – Verifies user by reference to unique physical or
behavioral characteristics (e.g., thumbprint, iris pattern). May
or may not require use of a token.
Authentication (continued)
Other Authentication Systems (continued)
Authenticator Reissuance – Needed when user forgets
shared secret, loses token, biometric identifier changes.
Behavioral Authentication – Assurance gained from
comparing connection-related or activity-related information
with expectations.
Device Authentication – Supplements authentication of
individuals or when assurance is needed that the device is
authorized to be on the network.
Network Access
Secure access to computer networks through multiple layers
of access controls to protect against unauthorized access.
• Group servers, applications, data, users into security
domains (e.g., untrusted external networks, external
service providers, various internal user systems).
• Establish access requirements within/between domains.
• Implement technological controls to meet access
requirements consistently.
• Monitor cross-domain access for security policy violations
and anomalous activity.
Network Access (continued)
Firewalls – Devices (computers, routers, and software) that
mediate access between different security domains. All
traffic between security domains must pass through the
firewall, regardless of the direction of the flow.
Malicious Code Filtering – Devices that act as a control
point to enforce the institution’s security policy over
incoming communications (e.g., anti-virus, anti-spyware, and
anti-spam filtering, blocking of downloading of executable
files, and other actions).
Network Access (continued)
Outbound Filtering – Devices that inspect outbound
communications for compliance with the institution’s security
policy (e.g., forbid origination of outbound communications
from certain computers).
Network Intrusion Prevention System (IPS) – Devices that
allow or disallow access based on an analysis of packet
headers and packet payloads (similar to firewalls).
Intrusion Detection System (IDS) – Software and/or devices
designed to detect unwanted attempts to access, manipulate,
or disable computer systems or information.
Network Access (continued)
• Vulnerability Assessment Systems – Systems to identify,
quantify, prioritize vulnerabilities in networked systems.
• Data Loss Prevention – System to identify, monitor, and
protect data while it is being used, stored, transmitted;
designed to detect and prevent the unauthorized use and
transmission of confidential information.
• Security Information Management System (SIMS) –
Consolidates reports from firewalls, IPS, IDS, and system
and event logs into a central repository for trend analysis.
Operating System Access
Secure access to operating systems of all system components.
• Secure access to system utilities.
• Restrict and monitor privileged access.
• Log and monitor user/program access to sensitive
resources and alert on security events.
• Update operating systems with security patches.
• Secure devices that can access the operating system
through physical and logical means.
Application Access
Control access to applications.
• Use authentication and authorization controls appropriately
robust for the risk of the application.
• Monitor access rights to ensure they are the minimum
required for user’s current business needs.
• Use time-of-day limitations on access as appropriate.
• Log access and security events.
• Use software that enables rapid analysis of user activities.
Remote Access
Secure remote access to and from systems.
• Disable remote communications if no business need exists.
• Control access via management approval and review.
• Implement robust controls over configurations at both ends
of the remote connection to prevent malicious use.
• Log and monitor all remote access communications.
• Secure remote access devices.
• Use strong authentication and encryption to secure
communications.
Physical and Environmental Protection
Define physical security zones and implement preventive and
detective controls in each zone to protect against:
• Physical access by malicious or unauthorized people.
• Damage from environmental contaminants.
• Electronic access through active or passive electronic
emissions.
Physical and Environmental Protection (continued)
Data Center Security
Major objective is to limit risk of exposure from internal and
external sources.
• Choose an area relatively safe from exposure to fire, flood,
explosion, or similar environmental hazards.
• Deter intruders with guards, fences, barriers, surveillance
equipment, etc.
• Ensure air conditioning equipment maintains temperature
for optimal equipment operation.
Physical and Environmental Protection (continued)
Data Center Security (continued)
• Record access by vendors and other persons not assigned
to data center.
• Secure doors and windows with switches that activate
alarm systems.
• Do not identify location by signage or other indicators.
• Use detection devices (e.g., security cameras) to prevent
theft and safeguard equipment.
Physical and Environmental Protection (continued)
Data Center Security (continued)
• Minimize risk from environmental threats with fire
suppression systems, smoke alarms, raised flooring, and
heat sensors.
• Use maintenance logs to determine whether devices are
appropriately maintained.
• Periodically test the devices to determine they are
operating correctly.
Physical and Environmental Protection (continued)
Data Center Security (continued)
• Require visitors to sign in and wear proper IDs so that they
can be monitored and identified easily.
• Install power supply conditioning equipment (e.g., surge
protection).
• Install uninterruptible power supply equipment that will
activate immediately in the event of power loss from the
main power supply.
Physical and Environmental Protection (continued)
Cabinet and Vault Security
• Install protective containers designed to meet fire-resistant
and theft-resistant standards.
Physical Security In Distributed Environments
• Protect personal computers in unrestricted areas such as
lobbies by securing them to workstations, locking or
removing disk drives and unnecessary physical ports, and
activating screensaver passwords or automatic timeouts.
Encryption
Implement encryption to mitigate risk of disclosure or
alteration of sensitive information in storage and in transit.
• Encryption strength sufficient to protect information from
disclosure until disclosure poses no material risk.
• Effective key management practices.
• Robust reliability.
• Appropriate protection of the encrypted communication’s
endpoints.
Malicious Code Prevention
Implement appropriate controls to prevent and detect
malicious code, and engage in user education.
• Malicious code is any program that acts in unexpected and
potentially damaging ways.
• Common types of malicious code are viruses, worms,
Trojan horses, monitoring programs such as spyware, and
cross-site scripts, key-stroke loggers, and screen-shot
transmissions.
Malicious Code Prevention (continued)
Controls To Protect Against Malicious Code
Controls use technology, policies and procedures, and
training, all applied in a layered manner from perimeters
inward to hosts and data. Controls are applied at the host,
network, and user levels.
Host Level
• Host hardening, including patch application and security-minded
configurations of the operating system (OS), browsers, and
other network-aware software.
Malicious Code Prevention (continued)
Controls To Protect Against Malicious Code (continued)
Network Level
• Limit transfer of executable files through the perimeter,
and use IDS and IPS to monitor incoming and outgoing
network traffic.
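Both the Malicious Code Filtering bullet earlier (blocking downloads of executable files) and the network-level control above (limiting transfer of executables through the perimeter) depend on recognising an executable. Filename extensions alone are weak evidence, because a file can simply be renamed, so the added example below (not code from the presentation) inspects the leading bytes as well and reports when the two disagree. The signature table, the blocked-extension list and the sample file contents are constructed assumptions and deliberately not exhaustive.

```python
"""Content-based executable detection at a transfer control point (added
example; signature table, extension list and sample files are constructed)."""

# Leading bytes of common executable formats (assumed, not exhaustive).
EXECUTABLE_SIGNATURES = {
    b"MZ":               "pe",       # Windows PE / DOS executable
    b"\x7fELF":          "elf",      # Linux and other Unix ELF binaries
    b"\xfe\xed\xfa\xce": "macho32",  # Mach-O 32-bit
    b"\xcf\xfa\xed\xfe": "macho64",  # Mach-O 64-bit
    b"#!":               "script",   # interpreter script
}

# Extensions the perimeter policy blocks by name (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".ps1", ".sh"}


def _extension(filename: str) -> str:
    return "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def detect_format(content: bytes):
    """Return the executable format name for the content, or None."""
    for magic, kind in EXECUTABLE_SIGNATURES.items():
        if content.startswith(magic):
            return kind
    return None


def classify_transfer(filename: str, content: bytes) -> dict:
    """Decide whether a file transfer should be blocked, and record why.

    'mismatch' flags a file whose content is executable although its name
    is not on the blocked list: the case extension-only filtering misses.
    """
    by_name = _extension(filename) in BLOCKED_EXTENSIONS
    fmt = detect_format(content)
    if by_name:
        reason = "extension"
    elif fmt is not None:
        reason = f"content:{fmt}"
    else:
        reason = None
    return {
        "filename": filename,
        "blocked": by_name or fmt is not None,
        "reason": reason,
        "mismatch": fmt is not None and not by_name,
    }


# Constructed sample transfers: (filename, first bytes of content).
SAMPLE_TRANSFERS = [
    ("report.pdf",  b"%PDF-1.4\n%constructed sample\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable renamed to .pdf
    ("setup.exe",   b"MZ\x90\x00\x03\x00\x00\x00"),
    ("notes.txt",   b"#!/bin/sh\necho constructed\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_TRANSFERS:
        print(classify_transfer(name, data))
```

The second sample is the case worth logging and reviewing: a PE image carried under a document extension. Archive and document formats that can carry executable content (for example macro-enabled office files inside a zip container) are not recognised by a leading-bytes table and need format-aware inspection, which is why the deck pairs this network-level control with host-level hardening and user education.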
User Level
• User education in awareness, safe computing practices,
indicators of malicious code, and response actions.
Systems Development, Acquisition, and Maintenance
Ensure that systems are developed, acquired, and maintained
with appropriate security controls.
• Ensure systems are developed and implemented with
appropriate security features enabled.
• Ensure software is trustworthy by implementing
appropriate controls in the development process, reviewing
source code, reviewing the history and reputation of
vendors and third party developers, and implementing
appropriate controls outside of the software to mitigate
unacceptable risks from any deficiencies.
Systems Development, Acquisition, and Maintenance
(continued)
• Maintain appropriately robust configuration management
and change control processes.
• Establish an effective patch management process.
• Use a separate system to test software changes/patches
before moving into the production environment.
Personnel Security
Mitigate risks posed by employees and other internal users.
• Perform background checks/screening of new employees.
• Obtain agreements covering confidentiality, nondisclosure,
and authorized use.
• Use job descriptions, employment agreements, and training
to increase accountability for security.
• Provide training to support awareness/policy compliance.
Data Security
Control and protect access to paper, film, and computer-based
media to avoid loss or damage.
• Develop a data classification policy.
• Establish/ensure compliance with policies for handling and
storing information.
• Ensure safe and secure disposal of sensitive media.
• Secure information in transit or transmission to third
parties.
Service Provider Oversight
Exercise security responsibilities for outsourced operations.
• Conduct due diligence in service provider research and
selection.
• Obtain contractual assurances regarding security
responsibilities, controls, and reporting.
• Get nondisclosure agreements regarding systems and data.
• Require independent review of service provider’s security
through appropriate audits and tests.
• Coordinate incident response policies and contractual
notification requirements.
Business Continuity Considerations
Implement an effective business continuity plan.
• Identify personnel with key security roles during
continuity plan implementation, and train personnel in
those roles.
• Identify security needs for back-up sites and alternate
communication networks.
• Periodically test the business continuity plan.
• Update the plan when business processes change or new
technologies are implemented.
Insurance
Evaluate the extent and availability of insurance coverage in
relation to the specific risks being mitigated.
• Insurance can be an effective method to transfer risks from
the institution to insurance carriers.
• Insurance is not a substitute for an effective security
program.
• Insurance companies typically require companies to certify
that certain security practices are in place.
Security Monitoring
Assure adequacy of risk mitigation strategy/implementation.
• Monitor to identify policy violations, anomalous behavior.
• Monitor to identify unauthorized configuration, conditions
that increase risk of intrusion, or other security events.
• Analyze results to accurately and quickly identify, classify,
escalate, report, and guide responses to security events.
• Respond to intrusions, other security events.
• Continuously gather and analyze information regarding
new threats, vulnerabilities, actual attacks, effectiveness of
existing security controls.
Conclusion
I hope this presentation has given you a better understanding
of internal controls that can be implemented for information
technology to protect the institution and its customers.
Thank you for your interest and attention today!!!
Bibliography
1. The Committee on Sponsoring Organizations of the Treadway
Commission – http://www.coso.org/resources.htm.
2. Federal Financial Institutions Examination Council, IT Examination
Handbook, 2006.
3. Information Systems Audit and Control Association, CISA Review
Manual, 2006.