Expanding Client Offerings Through IT Audit/Security
Michael Hammond, CISA, CRISC, CISSP, C|EH
Director, IT Audit & Security Services
O’Connor & Drew P.C.
#SuperConf15
Objectives
• Why IT controls are just as important as financial controls
• What type of IT Audit & Security services can your firm offer?
• What type of clients need IT Audit and Security services?
• How to get started with IT Audit & Security.
Why IT controls are just as important as financial controls
Do you use one of these for your business?
Our clients use technology every day
• Client proprietary data resides on computers
• Client financial transactions are conducted on computers
• We trust the “cloud” to hold our backups, CRM and sales pipeline data
• Common IT control types: IT General Controls (ITGC)
  • ITGCs are the foundation that supports sound business processes and reduces risk to data residing on computers, networks, wireless and software applications.
  • IT staff often have complete access to the network; these individuals can read and modify company-sensitive files.
• Segregation of duties: dual controls in place to ensure no one person has the keys to everything
  • Does accounts payable/receivable really understand what IT is spending?
  • Is IT purchasing excess equipment and selling it on online auction sites?
• Confidentiality: controls to protect sensitive data from falling into the wrong hands
  • Access controls
  • Encryption
  • User IDs/passwords
• Integrity: controls to maintain consistency, accuracy, and trustworthiness of the data
  • Access controls
  • File permissions
  • Version control
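The integrity bullets above name control families; to make “integrity” something an auditor can actually test, a common detective control is to baseline file hashes and permission bits and diff them at the next visit. The following is an added example (not code from the presentation or from O’Connor & Drew): the file names, the edited payroll file and the loosened config permissions are a constructed scenario, and the mode-bit check assumes a POSIX host (on Windows chmod changes would not show up).

```python
"""Added example: a minimal file-integrity baseline and diff.
Not from the presentation; helper names and the scenario are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 and POSIX mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": p.stat().st_mode & 0o777,
            }
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Report what changed between two baselines: added, removed, content-modified
    and permission-changed files. Each list is a finding for the client report."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in both if old[k]["sha256"] != new[k]["sha256"]),
        "perm_changed": sorted(k for k in both if old[k]["mode"] != new[k]["mode"]),
    }


def demo() -> dict:
    """Constructed scenario (assumption, not client data): baseline a directory, then
    simulate an administrator editing a payroll file, loosening a config file's
    permissions, deleting a file and dropping a new executable."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll.csv").write_text("emp,amount\nalice,5000\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        (root / "config.ini").chmod(0o600)
        (root / "readme.txt").write_text("ok\n")
        before = build_baseline(root)

        (root / "payroll.csv").write_text("emp,amount\nalice,50000\n")  # content tampering
        (root / "config.ini").chmod(0o644)                               # permission drift
        (root / "readme.txt").unlink()                                   # deletion
        (root / "tool.exe").write_bytes(b"MZ\x90\x00")                   # unexpected new file
        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The caveat that matters for the “IT staff have complete access” point: a baseline stored on the same host, writable by the same administrators, proves nothing. Keep the baseline off-host or on read-only media under the auditor’s control, and compare against it, not against whatever is on the server at the next visit.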
• Availability: controls to ensure applications are available when needed
  • Redundancy
  • Patching
  • Adequate bandwidth
  • Disaster recovery plans
What type of IT Audit & Security services can your firm offer?
• Regulatory control testing
  • Financial services companies
  • State data protection laws
    • MA 201 CMR 17.00 & California Civil Code §1798.82
  • HIPAA
  • FTC Safeguards
  • Sarbanes-Oxley (SOX)
  • FISMA
  • IRS 1075
• Non-regulatory: independent vulnerability assessments
  • Reviewing desktops/servers/network devices for common exposures
    • Anti-virus coverage
    • Firewall service disclosure
    • Default passwords
    • Missing patches
• Non-regulatory: independent vulnerability assessments (cont.)
  • Wireless security
  • Confidential data review
  • Backup infrastructure
  • Remote firewall testing (what’s exposed from the outside)
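“Remote firewall testing” is the outside-in half of the assessment: which TCP services answer from the internet, and are they the ones the client meant to expose. The following is an added example, not code from the presentation: it does a plain TCP connect per port, distinguishes open from closed (RST) from filtered (no reply, typical of a firewall that drops), and lists any open port that is not on the client’s allow-list as a finding. The target is a throwaway listener on 127.0.0.1 so it runs offline; `check_ports` and `unexpected_exposure` are names chosen here. Run it only against hosts you are authorized to test.

```python
"""Added example: TCP connect check for externally exposed services.
Not from the presentation; target and helper names are constructed."""
import socket


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Handshake completes -> 'open'; RST -> 'closed'; no answer within the
    timeout -> 'filtered' (a firewall silently dropping); anything else -> 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def check_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Map each port to its state for one host."""
    return {port: classify_port(host, port, timeout) for port in ports}


def unexpected_exposure(results: dict, allowed: set) -> list:
    """Finding list for the report: open ports the client did not intend to expose."""
    return sorted(p for p, state in results.items() if state == "open" and p not in allowed)


def demo() -> dict:
    """Constructed target (assumption): a throwaway listener on loopback stands in for
    an exposed service, and a just-released ephemeral port stands in for a closed one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so a connect gets RST

    try:
        results = check_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()

    # Allow-list is empty in this scenario, so the listener shows up as a finding.
    findings = unexpected_exposure(results, allowed=set())
    return {"open_port": open_port, "closed_port": closed_port,
            "results": results, "findings": findings}


if __name__ == "__main__":
    print(demo())
```

In a real engagement the scan runs from outside the client’s perimeter against their public addresses, and “filtered” versus “closed” is the useful distinction: closed means the firewall let the probe through to a host with nothing listening, which is itself a finding about the rule set.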
• Non-regulatory: AICPA Service Organization Control (SOC) 2 / 3 reports
  • These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy.
• Non-regulatory: penetration testing
  • PCI-DSS (credit cards)
• Staff augmentation
  • Provide assistance to management to perform internal control testing
• Typical client engagements
  • Vulnerability assessment
    • Typically a 2-week engagement, 2-3 days onsite
    • Risk-rated reports to clients of security issues facing their networks
      • Default passwords
      • Unpatched systems
      • Insecure wireless and network connections
  • PCI-DSS: “may need more lawyers than IT staff”
    • Staff certifications: QSA/DSS/PSA/
What type of clients need IT Audit & Security Services?
• Does your client have a computer?
• Does your client have employees?
Therefore:
• Your clients need IT Audit & Security services
  • They may be in regulated industries
  • They may be hearing of other companies getting hacked
  • They may want to know where they stand
• Data breaches continue, and experts estimate it will only get worse
  Source: https://www.privacyrights.org/data-breach/new
  [Chart: “Records Breached” per year, 2012 through 2015; y-axis 0 to 100,000,000]
How to get started with IT Audit & Security
• Staff: needed education
  • Common certifications
    • CISA – Certified Information Systems Auditor
    • CISSP – Certified Information Systems Security Professional
    • CRISC – Certified in Risk and Information Systems Control
    • C|EH – Certified Ethical Hacker
  • Training: most certifications require 120 CPEs over 3 years
• Staff: desired experience
  • Microsoft Windows Server/AD administrators (MCSE/MCP)
  • Network administrators (CCNA/CCNP)
  • Security administrators (CISSP/Security+)
• Technology: minimal investment
  • Use existing workpaper system
  • Vulnerability scanning software ($1,500-$15,000)
  • PCI-DSS cert ($25,000+)
  • Laptops with more memory for virtualization
Value for your firm
• Clients appreciate being able to obtain the additional service
• Additional revenue stream for your firm
• Not seasonal – steady (busy) workflow
• Recurring
  • Vulnerability assessments: minimum quarterly
  • Penetration testing: minimum annual
  • SOX controls are annual, with control testing throughout the year
  • FTC Safeguards are required annually, but without a year end
• OCD is 2.5 years into offering this service
• Exceptional revenue growth
  • $300k first year (CY 2013)
  • $750k second year (CY 2014)
  • $1.5M est. third year (CY 2015)
• Adding jobs: 7 full-time staff, soon to be 8
Barriers to entry
• #1 – Staff, staff, staff
  • Market demand is fierce; finding qualified staff with 5+ years of experience is almost impossible
  • Salaries exceed $100k
    http://s3.amazonaws.com/DBM/M3/2011/Downloads/RHT_2015_salary-guide.pdf
• #2 – Specialization
  • Government / private / public?
  • Infrastructure / web / app?
Raspberry Pi
• A computer, which fits in the palm of your hand, and costs less than $40 can wreak havoc on a network
• An easy example to show clients how technology can get out of hand
IT risks are getting increasingly complex. Our clients’ IT controls need to keep up.
Our Contact Info
Email: [email protected]
LinkedIn: www.linkedin.com/in/michaelwhammond
Twitter: @ocdcpa