SlideShare a Scribd company logo

Cybersecurity It Audit Services Gt April2012

Danny Miller, profile picture
Danny Miller

Grant Thornton is an international professional services firm that provides cyber security and IT audit services. It has over 29,000 personnel across 52 US offices and 498 total offices. The document discusses Grant Thornton's cyber security strategy and design services, vulnerability assessments, penetration testing, and other IT audit and compliance services. It also provides an overview of some of the key standards and frameworks in areas like privacy, PCI, and HIPAA that Grant Thornton's services address.

1 of 28
Downloaded 40 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Cyber Security Consulting, IT Audit & Assessment Services Protecting Information in the Enterprise Grant Thornton, LLP A QSA Company Danny Miller, CISA, CGEIT, CRISC, ITIL April 2012 -1- © Grant Thornton LLP. All rights reserved.
Grant Thornton overview At-a-glance Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries including 50 offices in United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe. Grant Thornton Grant Thornton Statistics International Ltd LLP Revenues $ 4 billion $ 1.2 billion Personnel 29,890 5,505 Partners 2,539 540 Offices 498 52 Statistics as of Sept. 30, 2008 July 31, 209 -2- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton's Cyber Security Solution Practice Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored. We address our client's complex security requirements through a variety of consulting support, including strategy, information protection, data leakage, assessing security vulnerabilities, advising on establishing or improving the operations of a security organization, remediating compliance failures or gaps – including gaps related to PCI and HIPAA/HITECH compliance and developing approaches and programs to effectively assess and manage risk by implementing appropriate security countermeasures through the entire life cycle of information in the enterprise. -3- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Our IT Audit Services  Our approach to technology risk is compatible with all major frameworks, including COSO, the latest Risk IT framework from ISACA and fills the gaps that other frameworks do not provide. We also cover application risk with a lens from the Global Technology Audit Guides (GTAG) from the IIA.  The team that will be managing and executing this engagement have more than 90 years of combined technology experience in industry, Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, or MCSE, ITIL, CGEIT  Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals Industry. Relevant clients include:  Sunoco  Lyondell Chemical  Quaker Chemical  Amerigas  Philadelphia Gas Works  Airgas  Donegal Insurance  Valspar Corporation -4- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services ©2010 ISACA. All rights reserved. -5- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Guiding Principles of IT Risk Management  Ensure a connection to enterprise objectives and enterprise risk  Align the management of IT-related business risk with overall enterprise risk management  Balance the costs and benefits of managing risk  Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels  Risk is a continuously changing landscape and risk management acknowledges that it is a continuous process -6- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton Cyber Security services - Information protection at all levels - Data Leakage detection and prevention - Security Strategy and Design - Threat Analysis - Vulnerability Assessments - Penetration Testing - Anti-phishing consulting - Risk-event consulting - Data Privacy & Protection - PCI Data Security Standards QSA Consulting - HIPAA -7- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton's Cyber Security Services • Experienced and dedicated cyber security personnel – Deep technical background – real expertise in cybersecurity – Experience across industries – Practical and cost effective strategies to mitigate risk • Address the security risk within the context of business risk – Understand the relationship of IT risk management within overall enterprise risk management – Communicate technical risks using layman terms and business impact • Proven cyber security methodologies, tools, and techniques -8- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Cybersecurity Life Cycle and Service Components Life Cycle ITIL* Framework Solution Set Activities/Scope Component Component Policy Strategy and Assessment Develop and test policy, best practices Plan/Maintain Risk, Data privacy and classification, Breaches, Programs, Monitoring, PCI, Strategy and Design, HIPAA, Vulnerability and Penetration Assess Threats testing, Cloud, Agreements with third Evaluate parties, Service Level Agreements (SLA), Operational Level Agreements (OLA) Threat Profiling, PCI, HIPAA, IDS/IPS, VPN, Firewalls, SIM/SEM, Application Plan, Design and Implement Implement (including Cloud-based), SDLC, Data Implement classification, Data privacy (state, federal, international) Threats, Incidents, Master Data Risk, Policy, Standards, Management (MDM),IT Audits, Self Manage Procedures, Programs Assessment, Penetration and Control/Maintain Vulnerability, Communication, Response Threat reduction, Countermeasures, Data Investigate, Respond, Respond Remediate leakage and breaches, PCI breaches, Control/Maintain HIPAA information exposure * - The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing information technology. Services are assets from which the customer gains value, hence cybersecurity is one of those services. -9- © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Cyber Security Strategy & Design Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the ITIL Information Security Management's (ISM) strategy goal is the alignment of IT security with business security to ensure that information security is effectively managed in all service and Service Management activities. This strategy includes managing risk and security over information assets while balancing the needs of the business for: • Availability of information and assets • Confidentiality of information • Integrity of information - 10 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services The problem with "Big Data" Attribution: Cloud Security Alliance (CSA) - 11 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Vulnerability assessment vs. Penetration test • The terms "vulnerability assessment" and "penetration test" are sometimes used interchangeably, so it's important to define and distinguish them. • Vulnerability assessment – a service that provides a comprehensive prioritized identification of vulnerabilities, but does not attempt to exploit them. • Penetration test – a goal oriented service that attempts to gain unauthorized access to a specified target by exploiting one or more vulnerabilities. - 12 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Other assessment services Wireless Assessment − a service that assesses the security mechanisms (e.g., authentication, encryption) of a wireless network, and attempts to identify rogue access points. Web Application Security Assessment − a service that assesses the security of a web application, including session management, authentication, authorization, and input validation. Voice Over IP (VoIP) Security Assessment − a service that assesses the security of a deployed VoIP infrastructure, including the infrastructure support, the VoIP components, and the VoIP protocols. Data Leakage Prevention Assessment − a service that measures an organization's risk of information leakage. - 13 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Information Trends • Every day, companies collect, use, profile, disclose, and analyze customer information • Employees who have access to sensitive information inside an organization also represent a key risk – we see this as the fastest rising threat • Unfortunately, some of this information is: • Misused • Stolen • Sold , traded or given to organizations (e.g., WikiLeaks) • This has led to a trust gap among customers, employees and corporate leadership - 14 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Personally Identifiable Information (PII) Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include: Social Security number Driver's license number or state-issued identification card number  financial account number, credit card number, or debit card number Name, address, email address Credit records Buying history Employee records Much of this information is sensitive and greater cause for concern. - 15 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Information stakeholder concerns • Customers – Concerned with how and why their information is collected, used, disclosed, and retained – Want businesses to earn trust • Businesses – Trying to strike a balance between collection and use of information – Concerned with reducing privacy risk of poor privacy practices – Want to leverage good privacy practices and retain trust of customers • Government – Taking increased action on growing concerns about privacy to: – Protect rights of citizens – Better manage its own data stores - 16 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA GT Healthcare IT Security Offerings: • IT Security Risk Assessment • IT Security Program Implementation Assistance • IT Security/HIPAA Review and Recommendations • HIPAA Compliance Attestation Report - 17 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security Risk Assessment - 18 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security Program Implementation Assistance • Based on HIPAA/ISO/CobiT/NIST • IT Security Risk Assessment • Policies • Procedures • Business Impact Analysis • Incident Management Program • Security Awareness Program • IT Contingency Plans/Updated DRP • Vulnerability Assessment/Pen Tests • Controls Testing - 19 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security/HIPAA Review and Recommendations • Evaluate and test: – Administrative safeguards, – Physical safeguards – Technical safeguards – Organizational safeguards – Policies, Procedures and Documentation Requirements - 20 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA HIPAA Compliance Attestation Report and Readiness Review Similar to SAS70, except opinion on HIPAA Compliance • Evaluate and reaffirm the appropriateness of the design of processes and controls with management Criterion Observation Reporting Definition and testing • Evaluate and reaffirm management’s interpretation of compliance to ensure that the defined criterion are measurable, objective and will be understood by any Management Checkpoints readers of the report • Test the operating effectiveness of identified controls for the testing period • Determine whether controls were operating effectively throughout the testing period • Confirm the validity of identified findings with the process owner and inform management of validated findings • Evaluate the significance of any instances of non-compliance with the specified criterion - 21 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Assessment Approach 1 2 3 4 Information Identify Scope Gap Analysis Remediation Planning & Collection Reduction Roadmap Opportunities Identify entry points Reduce / modify data Conducted Gap Recommendation Develop process collection Analysis with remediation projects flows Reduce data storage Enhanced Privacy Develop prioritized Map flows onto IT Modify business Framework approach infrastructure processes Leverage DLP to validate Gained an understanding of Reduced Scope and Risk Created Gap analysis Remediation plan the environment document with gap prioritization - 22 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS)  The Payment Card Industry Data Major payment card security Security Standard (PCI-DSS) is a set breaches since 2005 of comprehensive requirements for the protection of payment card • Card Systems information. 2005 • 40 Million Cards, Processing Ability Revoked by Visa and MasterCard  The PCI-DSS is managed by the PCI • TJX Security Standards Council (PCI-SSC) 2007 • At least 45.7 Million Customers Affected, Over $250 Million in costs and sponsored by the major card brands. • Hannaford Foods 2008 • 4.2 Million Cards, Validated Compliant at time of breach, Liability and Results Pending  The PCI-DSS is applicable to any organization that stores, processes or • Heartland Payment Systems transmits cardholder data (CHD). 2009 • Potentially more than 100 Million cards compromised and untold amounts of resulting damages - 23 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) PCI DSS high level requirements The PCI DSS prescribes requirements that any business of any size must adhere to in order to accept payment cards. - 24 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services What information must be protected? Storage Protection Encryption Data Element Permitted Required Required Primary Account Number (PAN) Yes Yes Yes Cardholder Name Yes Yes No Cardholder Data Service Code Yes Yes No Expiration Date Yes Yes No Full Magnetic Stripe Data No N/A N/A Sensitive Authentication Data CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A - 25 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) Some common PCI DSS myths: • PCI doesn’t apply to us because: – We don’t take enough credit cards, or – It only applies to retailers and ecommerce • PCI makes us store cardholder data • We are compliant because we: – Encrypt our cardholder data, or – Use vendor/product ABC, or – Outsource our credit card processing • PCI compliance is an IT project • PCI will make us secure • We completed our SAQ so we’re compliant - 26 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) Grant Thornton PCI DSS Capabilities Current capabilities: • An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSA's in our practice across two countries • Client base that we can reference from in the QSA space • Extensive PCI DSS consulting experience • Performing PCI DSS penetration testing and risk assessments • Performing PCI DSS readiness assessments for all merchant levels - 27 - © Grant Thornton LLP. All rights reserved.
Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Contact information Danny Miller Grant Thornton LLP Principal & Practice Leader Tel: 215.376.6010 | email: Danny.Miller@us.gt.com Or e-mail cybersecurity@us.gt.com - 28 - © Grant Thornton LLP. All rights reserved.

More Related Content

PDF
Sunera Business & Technology Risk Consulting
Sunera
 
PDF
IDBI Intech - Information security consulting
IDBI Intech
 
PDF
Data Breaches Preparedness (Credit Union Conference Session)
NAFCU Services Corporation
 
PDF
Data Breach Response Guide (Whitepaper))
NAFCU Services Corporation
 
PDF
Protecting Intellectual Property and Data Loss Prevention (DLP)
Arpin Consulting
 
PPT
Pci Europe 2009 Underside Of The Compliance Ecosystem
kpatrickwheeler
 
PDF
The Value Of HISP Certification [Compatibility Mode]
jdimaria
 
PDF
2011 FCC CSRIC WG2A Cyber Security Best Practices Final Report
Phil Agcaoili
 
Sunera Business & Technology Risk Consulting
Sunera
 
IDBI Intech - Information security consulting
IDBI Intech
 
Data Breaches Preparedness (Credit Union Conference Session)
NAFCU Services Corporation
 
Data Breach Response Guide (Whitepaper))
NAFCU Services Corporation
 
Protecting Intellectual Property and Data Loss Prevention (DLP)
Arpin Consulting
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
kpatrickwheeler
 
The Value Of HISP Certification [Compatibility Mode]
jdimaria
 
2011 FCC CSRIC WG2A Cyber Security Best Practices Final Report
Phil Agcaoili
 

What's hot (18)

PDF
Under Lock And Key
Yarko Petriw
 
PDF
The Security Circle- Services Offered
Rachel Anne Carter
 
PDF
The Proactive Approach to Cyber Security
Nathan Desfontaines
 
PDF
Cyber security investments 2021
Management Events
 
PPTX
IT compliance
Phan Vuong
 
PDF
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
PPTX
Deconstructing the cost of a data breach
Patrick Florer
 
PDF
Enterprise cyber security
nsheel
 
PDF
Riskpro Legal And Compliance Audits
Rahul Bhan (CA, CIA, MBA)
 
PDF
Riskpro legal and compliance audits
Rahul Bhan (CA, CIA, MBA)
 
PDF
Riskpro Legal And Compliance Audits
Rahul Bhan (CA, CIA, MBA)
 
PDF
Finding a Strategic Voice - IBM CISO Study
IBMGovernmentCA
 
PDF
Cyber Threat Management Services
Marlabs
 
PDF
The paypers Vol 5.
EastNets
 
PPT
Compliance Awareness
Dinesh O Bareja
 
PDF
Riskpro brief introduction
Rahul Bhan (CA, CIA, MBA)
 
PPTX
Data Security and Regulatory Compliance
Lifeline Data Centers
 
PDF
Co3 rsc r5
Patrick Florer
 
Under Lock And Key
Yarko Petriw
 
The Security Circle- Services Offered
Rachel Anne Carter
 
The Proactive Approach to Cyber Security
Nathan Desfontaines
 
Cyber security investments 2021
Management Events
 
IT compliance
Phan Vuong
 
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
Deconstructing the cost of a data breach
Patrick Florer
 
Enterprise cyber security
nsheel
 
Riskpro Legal And Compliance Audits
Rahul Bhan (CA, CIA, MBA)
 
Riskpro legal and compliance audits
Rahul Bhan (CA, CIA, MBA)
 
Riskpro Legal And Compliance Audits
Rahul Bhan (CA, CIA, MBA)
 
Finding a Strategic Voice - IBM CISO Study
IBMGovernmentCA
 
Cyber Threat Management Services
Marlabs
 
The paypers Vol 5.
EastNets
 
Compliance Awareness
Dinesh O Bareja
 
Riskpro brief introduction
Rahul Bhan (CA, CIA, MBA)
 
Data Security and Regulatory Compliance
Lifeline Data Centers
 
Co3 rsc r5
Patrick Florer
 
Ad

Viewers also liked (8)

PPTX
Netas Nova Cyber Security Product Family
Cagdas Tanriover
 
PDF
Security Consulting Services
ePlus
 
PDF
Cyber Warfare vs. Hacking (in English)
Digicomp Academy AG
 
PPTX
Cyber Security Needs and Challenges
Happiest Minds Technologies
 
PDF
Marlabs Capabilities Overview: Cyber Security Services
Marlabs
 
PDF
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
infoLock Technologies
 
PPT
DHS ICS Security Presentation
guest85a34f
 
PDF
Top Cyber Security Trends for 2016
Imperva
 
Netas Nova Cyber Security Product Family
Cagdas Tanriover
 
Security Consulting Services
ePlus
 
Cyber Warfare vs. Hacking (in English)
Digicomp Academy AG
 
Cyber Security Needs and Challenges
Happiest Minds Technologies
 
Marlabs Capabilities Overview: Cyber Security Services
Marlabs
 
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
infoLock Technologies
 
DHS ICS Security Presentation
guest85a34f
 
Top Cyber Security Trends for 2016
Imperva
 
Ad

Similar to Cybersecurity It Audit Services Gt April2012 (20)

PDF
DFlabs corporate profile 01-2013
DFLABS SRL
 
PDF
Technology Risk Services
sarah kabirat
 
PDF
Sunera business & technology risk consulting services -slide share
Sunera
 
PPTX
Magnus Management Group Capability Presentation 2020
NXTKey Corporation
 
PDF
Agama Profile
Agama Consulting
 
PDF
Agam Profile
Agama Consulting
 
PDF
MENA IT Governance, Risk & Compliance 2010
Sudhakar_s
 
PDF
MitKat Ad
manojajgaonkar
 
PDF
Brandon Consulting Overview
Ronan Martin
 
PPT
Security architecture rajagiri talk march 2011
subramanian K
 
PDF
Inv306 going social in a world of grc v.1.1
Arthur Fontaine
 
PDF
Riskpro Information Risk Management
Rahul Bhan (CA, CIA, MBA)
 
PDF
Riskpro Information Risk Management
Rahul Bhan (CA, CIA, MBA)
 
PDF
Riskpro information risk management
Rahul Bhan (CA, CIA, MBA)
 
PPTX
Aalto cyber-10.4.18
japijapi
 
PDF
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
Enterprise Management Associates
 
PDF
Symantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
Symantec
 
PPTX
Information Security vs IT - Key Roles & Responsibilities
Kroll
 
PDF
Risk management for ICT Technology Dept.
NahidHasan6141
 
PDF
in-ra-service-brochure-December-23-noexp.pdf
aakash malhotra
 
DFlabs corporate profile 01-2013
DFLABS SRL
 
Technology Risk Services
sarah kabirat
 
Sunera business & technology risk consulting services -slide share
Sunera
 
Magnus Management Group Capability Presentation 2020
NXTKey Corporation
 
Agama Profile
Agama Consulting
 
Agam Profile
Agama Consulting
 
MENA IT Governance, Risk & Compliance 2010
Sudhakar_s
 
MitKat Ad
manojajgaonkar
 
Brandon Consulting Overview
Ronan Martin
 
Security architecture rajagiri talk march 2011
subramanian K
 
Inv306 going social in a world of grc v.1.1
Arthur Fontaine
 
Riskpro Information Risk Management
Rahul Bhan (CA, CIA, MBA)
 
Riskpro Information Risk Management
Rahul Bhan (CA, CIA, MBA)
 
Riskpro information risk management
Rahul Bhan (CA, CIA, MBA)
 
Aalto cyber-10.4.18
japijapi
 
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
Enterprise Management Associates
 
Symantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
Symantec
 
Information Security vs IT - Key Roles & Responsibilities
Kroll
 
Risk management for ICT Technology Dept.
NahidHasan6141
 
in-ra-service-brochure-December-23-noexp.pdf
aakash malhotra
 

More from Danny Miller (7)

PDF
Cip Multichannel Retail Webcast 091112 (2)
Danny Miller
 
PDF
Social Media Presentation Gt Vfinal
Danny Miller
 
PPTX
Iia 2012 Spring Conference Philly V Final
Danny Miller
 
PDF
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
Danny Miller
 
PPTX
Draft Webinar Template Enterprise Master Data Mgt Oct24 2011(V5)
Danny Miller
 
PPTX
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
Danny Miller
 
PPTX
Bcp Dr Grant Thornton Llp(Danny Miller) Vfinal
Danny Miller
 
Cip Multichannel Retail Webcast 091112 (2)
Danny Miller
 
Social Media Presentation Gt Vfinal
Danny Miller
 
Iia 2012 Spring Conference Philly V Final
Danny Miller
 
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
Danny Miller
 
Draft Webinar Template Enterprise Master Data Mgt Oct24 2011(V5)
Danny Miller
 
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
Danny Miller
 
Bcp Dr Grant Thornton Llp(Danny Miller) Vfinal
Danny Miller
 

Cybersecurity It Audit Services Gt April2012

  • 1. Cyber Security Consulting, IT Audit & Assessment Services Protecting Information in the Enterprise Grant Thornton, LLP A QSA Company Danny Miller, CISA, CGEIT, CRISC, ITIL April 2012 -1- © Grant Thornton LLP. All rights reserved.
  • 2. Grant Thornton overview At-a-glance Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries including 50 offices in United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe. Grant Thornton Grant Thornton Statistics International Ltd LLP Revenues $ 4 billion $ 1.2 billion Personnel 29,890 5,505 Partners 2,539 540 Offices 498 52 Statistics as of Sept. 30, 2008 July 31, 209 -2- © Grant Thornton LLP. All rights reserved.
  • 3. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton's Cyber Security Solution Practice Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored. We address our client's complex security requirements through a variety of consulting support, including strategy, information protection, data leakage, assessing security vulnerabilities, advising on establishing or improving the operations of a security organization, remediating compliance failures or gaps – including gaps related to PCI and HIPAA/HITECH compliance and developing approaches and programs to effectively assess and manage risk by implementing appropriate security countermeasures through the entire life cycle of information in the enterprise. -3- © Grant Thornton LLP. All rights reserved.
  • 4. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Our IT Audit Services  Our approach to technology risk is compatible with all major frameworks, including COSO, the latest Risk IT framework from ISACA and fills the gaps that other frameworks do not provide. We also cover application risk with a lens from the Global Technology Audit Guides (GTAG) from the IIA.  The team that will be managing and executing this engagement have more than 90 years of combined technology experience in industry, Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, or MCSE, ITIL, CGEIT  Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals Industry. Relevant clients include:  Sunoco  Lyondell Chemical  Quaker Chemical  Amerigas  Philadelphia Gas Works  Airgas  Donegal Insurance  Valspar Corporation -4- © Grant Thornton LLP. All rights reserved.
  • 5. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services ©2010 ISACA. All rights reserved. -5- © Grant Thornton LLP. All rights reserved.
  • 6. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Guiding Principles of IT Risk Management  Ensure a connection to enterprise objectives and enterprise risk  Align the management of IT-related business risk with overall enterprise risk management  Balance the costs and benefits of managing risk  Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels  Risk is a continuously changing landscape and risk management acknowledges that it is a continuous process -6- © Grant Thornton LLP. All rights reserved.
  • 7. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton Cyber Security services - Information protection at all levels - Data Leakage detection and prevention - Security Strategy and Design - Threat Analysis - Vulnerability Assessments - Penetration Testing - Anti-phishing consulting - Risk-event consulting - Data Privacy & Protection - PCI Data Security Standards QSA Consulting - HIPAA -7- © Grant Thornton LLP. All rights reserved.
  • 8. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton's Cyber Security Services • Experienced and dedicated cyber security personnel – Deep technical background – real expertise in cybersecurity – Experience across industries – Practical and cost effective strategies to mitigate risk • Address the security risk within the context of business risk – Understand the relationship of IT risk management within overall enterprise risk management – Communicate technical risks using layman terms and business impact • Proven cyber security methodologies, tools, and techniques -8- © Grant Thornton LLP. All rights reserved.
  • 9. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Cybersecurity Life Cycle and Service Components Life Cycle ITIL* Framework Solution Set Activities/Scope Component Component Policy Strategy and Assessment Develop and test policy, best practices Plan/Maintain Risk, Data privacy and classification, Breaches, Programs, Monitoring, PCI, Strategy and Design, HIPAA, Vulnerability and Penetration Assess Threats testing, Cloud, Agreements with third Evaluate parties, Service Level Agreements (SLA), Operational Level Agreements (OLA) Threat Profiling, PCI, HIPAA, IDS/IPS, VPN, Firewalls, SIM/SEM, Application Plan, Design and Implement Implement (including Cloud-based), SDLC, Data Implement classification, Data privacy (state, federal, international) Threats, Incidents, Master Data Risk, Policy, Standards, Management (MDM),IT Audits, Self Manage Procedures, Programs Assessment, Penetration and Control/Maintain Vulnerability, Communication, Response Threat reduction, Countermeasures, Data Investigate, Respond, Respond Remediate leakage and breaches, PCI breaches, Control/Maintain HIPAA information exposure * - The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing information technology. Services are assets from which the customer gains value, hence cybersecurity is one of those services. -9- © Grant Thornton LLP. All rights reserved.
  • 10. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Cyber Security Strategy & Design Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the ITIL Information Security Management's (ISM) strategy goal is the alignment of IT security with business security to ensure that information security is effectively managed in all service and Service Management activities. This strategy includes managing risk and security over information assets while balancing the needs of the business for: • Availability of information and assets • Confidentiality of information • Integrity of information - 10 - © Grant Thornton LLP. All rights reserved.
  • 11. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services The problem with "Big Data" Attribution: Cloud Security Alliance (CSA) - 11 - © Grant Thornton LLP. All rights reserved.
  • 12. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Vulnerability assessment vs. Penetration test • The terms "vulnerability assessment" and "penetration test" are sometimes used interchangeably, so it's important to define and distinguish them. • Vulnerability assessment – a service that provides a comprehensive prioritized identification of vulnerabilities, but does not attempt to exploit them. • Penetration test – a goal oriented service that attempts to gain unauthorized access to a specified target by exploiting one or more vulnerabilities. - 12 - © Grant Thornton LLP. All rights reserved.
  • 13. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Other assessment services Wireless Assessment − a service that assesses the security mechanisms (e.g., authentication, encryption) of a wireless network, and attempts to identify rogue access points. Web Application Security Assessment − a service that assesses the security of a web application, including session management, authentication, authorization, and input validation. Voice Over IP (VoIP) Security Assessment − a service that assesses the security of a deployed VoIP infrastructure, including the infrastructure support, the VoIP components, and the VoIP protocols. Data Leakage Prevention Assessment − a service that measures an organization's risk of information leakage. - 13 - © Grant Thornton LLP. All rights reserved.
  • 14. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Information Trends • Every day, companies collect, use, profile, disclose, and analyze customer information • Employees who have access to sensitive information inside an organization also represent a key risk – we see this as the fastest rising threat • Unfortunately, some of this information is: • Misused • Stolen • Sold , traded or given to organizations (e.g., WikiLeaks) • This has led to a trust gap among customers, employees and corporate leadership - 14 - © Grant Thornton LLP. All rights reserved.
  • 15. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Personally Identifiable Information (PII) Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include: Social Security number Driver's license number or state-issued identification card number  financial account number, credit card number, or debit card number Name, address, email address Credit records Buying history Employee records Much of this information is sensitive and greater cause for concern. - 15 - © Grant Thornton LLP. All rights reserved.
  • 16. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Information stakeholder concerns • Customers – Concerned with how and why their information is collected, used, disclosed, and retained – Want businesses to earn trust • Businesses – Trying to strike a balance between collection and use of information – Concerned with reducing privacy risk of poor privacy practices – Want to leverage good privacy practices and retain trust of customers • Government – Taking increased action on growing concerns about privacy to: – Protect rights of citizens – Better manage its own data stores - 16 - © Grant Thornton LLP. All rights reserved.
  • 17. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA GT Healthcare IT Security Offerings: • IT Security Risk Assessment • IT Security Program Implementation Assistance • IT Security/HIPAA Review and Recommendations • HIPAA Compliance Attestation Report - 17 - © Grant Thornton LLP. All rights reserved.
  • 18. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security Risk Assessment - 18 - © Grant Thornton LLP. All rights reserved.
  • 19. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security Program Implementation Assistance • Based on HIPAA/ISO/CobiT/NIST • IT Security Risk Assessment • Policies • Procedures • Business Impact Analysis • Incident Management Program • Security Awareness Program • IT Contingency Plans/Updated DRP • Vulnerability Assessment/Pen Tests • Controls Testing - 19 - © Grant Thornton LLP. All rights reserved.
  • 20. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security/HIPAA Review and Recommendations • Evaluate and test: – Administrative safeguards, – Physical safeguards – Technical safeguards – Organizational safeguards – Policies, Procedures and Documentation Requirements - 20 - © Grant Thornton LLP. All rights reserved.
  • 21. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA HIPAA Compliance Attestation Report and Readiness Review Similar to SAS70, except opinion on HIPAA Compliance • Evaluate and reaffirm the appropriateness of the design of processes and controls with management Criterion Observation Reporting Definition and testing • Evaluate and reaffirm management’s interpretation of compliance to ensure that the defined criterion are measurable, objective and will be understood by any Management Checkpoints readers of the report • Test the operating effectiveness of identified controls for the testing period • Determine whether controls were operating effectively throughout the testing period • Confirm the validity of identified findings with the process owner and inform management of validated findings • Evaluate the significance of any instances of non-compliance with the specified criterion - 21 - © Grant Thornton LLP. All rights reserved.
  • 22. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Assessment Approach 1 2 3 4 Information Identify Scope Gap Analysis Remediation Planning & Collection Reduction Roadmap Opportunities Identify entry points Reduce / modify data Conducted Gap Recommendation Develop process collection Analysis with remediation projects flows Reduce data storage Enhanced Privacy Develop prioritized Map flows onto IT Modify business Framework approach infrastructure processes Leverage DLP to validate Gained an understanding of Reduced Scope and Risk Created Gap analysis Remediation plan the environment document with gap prioritization - 22 - © Grant Thornton LLP. All rights reserved.
  • 23. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS)  The Payment Card Industry Data Major payment card security Security Standard (PCI-DSS) is a set breaches since 2005 of comprehensive requirements for the protection of payment card • Card Systems information. 2005 • 40 Million Cards, Processing Ability Revoked by Visa and MasterCard  The PCI-DSS is managed by the PCI • TJX Security Standards Council (PCI-SSC) 2007 • At least 45.7 Million Customers Affected, Over $250 Million in costs and sponsored by the major card brands. • Hannaford Foods 2008 • 4.2 Million Cards, Validated Compliant at time of breach, Liability and Results Pending  The PCI-DSS is applicable to any organization that stores, processes or • Heartland Payment Systems transmits cardholder data (CHD). 2009 • Potentially more than 100 Million cards compromised and untold amounts of resulting damages - 23 - © Grant Thornton LLP. All rights reserved.
  • 24. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) PCI DSS high level requirements The PCI DSS prescribes requirements that any business of any size must adhere to in order to accept payment cards. - 24 - © Grant Thornton LLP. All rights reserved.
  • 25. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services What information must be protected? Storage Protection Encryption Data Element Permitted Required Required Primary Account Number (PAN) Yes Yes Yes Cardholder Name Yes Yes No Cardholder Data Service Code Yes Yes No Expiration Date Yes Yes No Full Magnetic Stripe Data No N/A N/A Sensitive Authentication Data CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A - 25 - © Grant Thornton LLP. All rights reserved.
  • 26. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) Some common PCI DSS myths: • PCI doesn’t apply to us because: – We don’t take enough credit cards, or – It only applies to retailers and ecommerce • PCI makes us store cardholder data • We are compliant because we: – Encrypt our cardholder data, or – Use vendor/product ABC, or – Outsource our credit card processing • PCI compliance is an IT project • PCI will make us secure • We completed our SAQ so we’re compliant - 26 - © Grant Thornton LLP. All rights reserved.
  • 27. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) Grant Thornton PCI DSS Capabilities Current capabilities: • An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSA's in our practice across two countries • Client base that we can reference from in the QSA space • Extensive PCI DSS consulting experience • Performing PCI DSS penetration testing and risk assessments • Performing PCI DSS readiness assessments for all merchant levels - 27 - © Grant Thornton LLP. All rights reserved.
  • 28. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Contact information Danny Miller Grant Thornton LLP Principal & Practice Leader Tel: 215.376.6010 | email: Danny.Miller@us.gt.com Or e-mail cybersecurity@us.gt.com - 28 - © Grant Thornton LLP. All rights reserved.