HOW TO PROTECT CONFIDENTIAL INFORMATION AT CA’s OFFICE USING CYBER SECURITY BEST PRACTICES? CA. A RAFEQ CA. BABU JAYENDRAN CA. ANAND JANGID


Page 1: HOW TO PROTECT CONFIDENTIAL INFORMATION AT CA’s OFFICE USING CYBER SECURITY BEST PRACTICES?

CA. A RAFEQ, CA. BABU JAYENDRAN, CA. ANAND JANGID

Page 2

Overview of Cyber Security best practices

CA A. RAFEQ

Page 3

What is Cyber Security?

‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized’

http://whatis.techtarget.com/definition/cybersecurity

‘A major part of Cyber Security is to fix broken software’

Page 4

Need for Cybersecurity

• The recent ransomware attacks have demonstrated the need for having an effective cybersecurity system in place.

• Cybersecurity incidents and breaches are on the rise, despite high investments in security.

• Enterprise cybersecurity efforts have to be implemented using a holistic approach with focus on governance, risk and security.

• Understanding cybersecurity-related risks and opportunities is now a critical component of the oversight, governance, and management responsibilities of enterprises.

• CAs can guide enterprise leaders and board members on implementing the right cybersecurity measures to protect enterprise data.

Page 5

Why do you need to learn Cyber Security?

• Move to Digital is inevitable: Digital is the future and Digital is Now!

• IT is a way of life and accelerating: E-Commerce, M-Commerce, eBanking, Mobile Banking, DIGITISATION!

• Technology push by Government to curb corruption, increase transparency and deliver services: Demonetization, GST automation, digital payments, eGovernance, online filing, etc.

Page 6

Digital Disruption

• Technology is driving rapid transformation in diverse and dynamic ways

• New business models and information systems are rapidly implemented

• Software-driven information systems are a key differentiator for enterprises

• High impact of ever-changing technology on enterprises and professionals

Page 7

CAs & Cyber Security

(Diagram labels: Business Information; Compliance requirements; Fiduciary Responsibility; Technology Deployed; Trusted Custodians)

Page 8

Framework for Improving Critical Infrastructure Cybersecurity

March 2017

Page 9

Why does the NIST Cybersecurity Framework matter?

• As cyberattacks become more complex, repelling them becomes more difficult, especially without a single cohesive strategy.

• CSF aims to standardize practices to ensure uniform protection of all US cyber assets.

Page 10

Who does the NIST Cybersecurity Framework affect?

• The CSF affects anyone who makes decisions about cybersecurity in their organization, and those responsible for implementing new IT policies.

Page 11

The Cybersecurity Framework...

• Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.

• Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

• Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.

• Is consistent with voluntary international standards.

Page 12

The Framework Is for Organizations…

• Of any size, in any sector in (and outside of) the critical infrastructure.

• That already have a mature cyber risk management and cybersecurity program.

• That don’t yet have a cyber risk management or cybersecurity program.

• Needing to keep up-to-date managing risks, facing business or societal threats.

• In the federal government, too…since it is compatible with FISMA requirements and goals.

Page 13

Cybersecurity Framework Components

• Framework Core: Cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.

• Framework Implementation Tiers: Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.

• Framework Profile: Aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.

Page 14

Core: Cybersecurity Framework Component

Function (and the question it answers) / Category (ID)

Identify: What processes and assets need protection?

• Asset Management (ID.AM)

• Business Environment (ID.BE)

• Governance (ID.GV)

• Risk Assessment (ID.RA)

• Risk Management Strategy (ID.RM)

Protect: What safeguards are available?

• Access Control (PR.AC)

• Awareness and Training (PR.AT)

• Data Security (PR.DS)

• Information Protection Processes & Procedures (PR.IP)

• Maintenance (PR.MA)

• Protective Technology (PR.PT)

Detect: What techniques can identify incidents?

• Anomalies and Events (DE.AE)

• Security Continuous Monitoring (DE.CM)

• Detection Processes (DE.DP)

Respond: What techniques can contain impacts of incidents?

• Response Planning (RS.RP)

• Communications (RS.CO)

• Analysis (RS.AN)

• Mitigation (RS.MI)

• Improvements (RS.IM)

Recover: What techniques can restore capabilities?

• Recovery Planning (RC.RP)

• Improvements (RC.IM)

• Communications (RC.CO)

Page 15

Core: Cybersecurity Framework Component

(Function / Category / ID table as on Page 14)

Subcategory / Informative References

ID.BE-1: The organization’s role in the supply chain is identified and communicated

COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated

COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established

ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established

COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Page 16

Supporting Risk Management with Framework

Page 17

Cyber Security Framework Implementation: 7-Step Process

1: Prioritize and Scope

2: Orient

3: Create a Current Profile

4: Conduct a Risk Assessment

5: Create a Target Profile

6: Determine, Analyze, and Prioritize Gaps

7: Implementation Action Plan
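The profile and gap steps (3 to 6) carried through in code, as an added example that is not part of the presentation: it rates each Core category from the slide on a 1-4 scale, validates both profiles and ranks the shortfalls by the business priority set in step 1. The rating scale, the sample ratings and the priorities are constructed assumptions, not NIST's or the presenters' tooling.

```python
"""Steps 3 to 6 of the 7-step process over the Framework Core categories: rate a
Current Profile and a Target Profile, then rank the gaps for the action plan.
Added illustration, not NIST's or the presenters' tooling; the 1-4 rating scale
(the Tier names reused as a per-category score) and all ratings are constructed."""
from dataclasses import dataclass

# Framework Core categories by Function, as listed on the Core slide.
CORE = {
    "Identify": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM"],
    "Protect": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "Detect": ["DE.AE", "DE.CM", "DE.DP"],
    "Respond": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "Recover": ["RC.RP", "RC.IM", "RC.CO"],
}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int
    priority: int  # set in step 1 (Prioritize and Scope); 1 = most critical


def validate_profile(profile: dict, label: str) -> None:
    """A profile must rate every Core category, and only those, on the Tier scale."""
    expected = {cid for ids in CORE.values() for cid in ids}
    missing, unknown = expected - profile.keys(), profile.keys() - expected
    if missing or unknown:
        raise ValueError(f"{label}: missing={sorted(missing)} unknown={sorted(unknown)}")
    bad = {cid: t for cid, t in profile.items() if t not in TIERS}
    if bad:
        raise ValueError(f"{label}: ratings outside the Tier scale: {bad}")


def prioritize_gaps(current: dict, target: dict, priority: dict) -> list:
    """Step 6: every category whose target exceeds its current rating, ordered by
    business priority first, then by the size of the shortfall, then by ID."""
    validate_profile(current, "current profile")
    validate_profile(target, "target profile")
    gaps = [Gap(cid, current[cid], target[cid], priority.get(cid, 9))
            for ids in CORE.values() for cid in ids if target[cid] > current[cid]]
    return sorted(gaps, key=lambda g: (g.priority, g.current - g.target, g.category))


# Constructed ratings: a small CA office today (step 3) and its 12-month target (step 5).
CURRENT = {cid: 1 for ids in CORE.values() for cid in ids}
CURRENT.update({"ID.AM": 2, "PR.AC": 2, "PR.DS": 2})
TARGET = dict(CURRENT, **{"PR.AC": 3, "PR.DS": 3, "PR.AT": 2, "DE.CM": 2, "RS.RP": 2, "RC.RP": 3})
PRIORITY = {"PR.DS": 1, "PR.AC": 1, "RC.RP": 2, "RS.RP": 2}  # client data and recovery first

if __name__ == "__main__":
    for g in prioritize_gaps(CURRENT, TARGET, PRIORITY):
        print(f"P{g.priority} {g.category}: {TIERS[g.current]} -> {TIERS[g.target]}")
```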

Page 18

CA Firms have to enhance Cyber Security

• Policy: Systems and processes for securing information and related Assets

• Cyber Security: Data Security and Information Protection; Enhance Cyber Security by using the right knowledge, skills and tools

• Trust in Information & IS

Page 19

RBI Guidelines on Cyber Security

The RBI guidance consists of the overall/introductory framework and guidance and three annexures:

1. An indicative set of baseline cyber security and resilience requirements.

2. Information on setting up and operationalising a cyber security operation centre (C-SOC).

3. A template for reporting cyber incidents to the RBI.

Page 20

How to effectively organise data & information repository in a CA’s office?

CA BABU JAYENDRAN

Page 21

Sensitive Data in a CA’s Office

• Client Data: Financial Information, Bank Statements, Asset Details

• Client Credentials: Login Credentials, Personal Information, Digital Signature

• Organization Data: Clientele Information, Bank Accounts, Email Accounts

Page 22

Need to Protect Data

• Sensitive & Private Data

• Confidential / Non-Disclosure Covenants

• Avoid Misuse / Abuse

• Professional Ethics

• Compliance with Law

• Limit Liability

• Reputation & Image

Page 23

Information Technology Law in India

• Privacy Law - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

• Sensitive Data includes:

  • Password

  • Bank account / credit & debit card

  • Medical records

  • Biometric information

• An entity who collects, receives or possesses such information shall provide a Privacy Policy for handling of or dealing in personal information.

• Disclosure to a third party will require the permission of the provider

• Comply with reasonable security practices and procedures (meet ISO 27001 or equivalent requirements)

• Penalty up to Rs. 5 Crores for anyone who is negligent in safeguarding it

Page 24

Emerging Cyber Risks & Attacks

• Ransomware

• Social Engineering

  • Phishing - criminal activity that attempts to fraudulently obtain sensitive information, via email

  • Vishing - using the phone to solicit your personal information

  • Smishing - uses cell phone text messages to lure consumers

• Malware

  • Computer Viruses, Worms, Trojan horses, Spyware, Adware

  • Designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.

• DDoS - Distributed Denial of Service

  • An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

• Data Leakage

  • The unauthorized transfer of classified information from a computer or datacenter to the outside world – EMPLOYEES!!!

Page 25

How to identify a phishing email?

Page 26

Sources of Cyber Risks

• E-mail - Ransomware / Malware / Phishing Attacks

• Software downloads - free utilities / software / apps

• Lack of User Awareness

• Social Media

• Free Downloads / Freebies / Offers

• Carelessness

Page 27

Governance – Policy, Procedures & Practices

• Set up a Privacy, Backup & Security Policy

• Consider exploring Cloud as Data Storage / Backup Option with auto sync features

  • Microsoft Azure, Amazon Cloud have these options at nominal cost

• Employee / Trainee Awareness & Declaration

  • Regular Confirmations from Staff on Confidentiality

• Office Resources not being used for personal purposes

• Unauthorized downloads / website usage prevention

• Client data not kept in private custody

• Internal Checks & Audits

• Client Awareness Workshops / email

Page 28

Practical Tips for Protection - Organization Perspective

• Use only Licensed Software / Applications

• Disable Admin Access on employee computers

• Keep anti-virus / anti-malware updated

• Backup the data at least once a week

• Ensure Wi-Fi is protected and the password is frequently changed

• Regularly scan Wi-Fi to identify the users

  • Tools like “Who is on my Wi-Fi” can help

• Download only from authorized websites

• Consider encrypting critical devices

  • McAfee / Kaspersky / Symantec solutions

• Change Passwords Regularly

• Continuously educate users
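A worked version of the "scan Wi-Fi to identify the users" tip, added here and not the presenters' code: it compares a router's connected-clients list against the firm's approved devices and sets aside devices using randomized (locally administered) MAC addresses, which a static approved list can never match. The export format, the addresses, the hostnames and the approved list are all constructed.

```python
"""Check of who is on the office Wi-Fi against the devices the firm approved, the
check that tools such as the one named on the slide automate. Added illustration,
not the presenters' code; the router export format, the MAC addresses, hostnames
and the approved list are all constructed."""
import re

# Constructed sample of a router's "connected clients" export: ip, MAC, hostname.
CLIENT_EXPORT = """\
192.168.1.10  A4-5E-60-12-34-56  office-pc-01
192.168.1.11  a4:5e:60:ab:cd:ef  office-pc-02
192.168.1.20  3C-22-FB-00-11-22  partner-laptop
192.168.1.57  6E-1F-9A-77-88-99  Galaxy-S10
192.168.1.58  00-1A-2B-3C-4D-5E  printer-hp
"""
APPROVED = {"A4-5E-60-12-34-56", "a4:5e:60:ab:cd:ef", "3c:22:fb:00:11:22"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '-' and ':' exports compare equal."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def is_randomized(mac: str) -> bool:
    """Locally administered bit set (second hex digit 2, 6, A or E): typical of
    phone privacy MACs, which change over time and never match a static list."""
    return int(mac[:2], 16) & 0x02 != 0


def parse_clients(export: str) -> list:
    """One dict per non-empty line; a malformed line raises rather than being skipped."""
    rows = []
    for line in export.splitlines():
        if line.strip():
            ip, mac, host = line.split()
            rows.append({"ip": ip, "mac": normalize_mac(mac), "host": host})
    return rows


def review_clients(export: str, approved: set) -> dict:
    """Sort clients into approved, unknown and randomized-MAC devices; the last
    group has to be identified by hand (or by hostname) rather than by the list."""
    approved = {normalize_mac(m) for m in approved}
    result = {"approved": [], "unknown": [], "randomized": []}
    for c in parse_clients(export):
        if c["mac"] in approved:
            result["approved"].append(c)
        elif is_randomized(c["mac"]):
            result["randomized"].append(c)
        else:
            result["unknown"].append(c)
    return result


if __name__ == "__main__":
    for group, clients in review_clients(CLIENT_EXPORT, APPROVED).items():
        print(group, [f"{c['ip']} {c['host']}" for c in clients])
```

Run it after exporting the client list from the office router; anything in the "unknown" group is a device nobody approved, and the "randomized" group is the list to reconcile by hostname or by asking staff.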

Page 29

How to audit cybersecurity risks?

CA. ANAND JANGID

Page 30

Market Response to Growing Cyber Risks and Assessing Auditor Responsibilities

• Various organisations are issuing guidance to help improve cyber preparedness:

  • FFIEC

  • FISMA

  • ISACA

  • NERC

  • NCSC and

  • MeitY in India, ….

Page 31

IS Auditing Standards

• Provide audit professionals with necessary guidance and information in this respect. Examples:

• ISO 27001,

• NIST,

• COSO framework,

• COBIT, ….

Page 32

• Securities regulators

  • The Securities and Exchange Board of India (SEBI) has set up a panel on cyber security to suggest measures to safeguard the capital markets from such attacks.

  • The Securities and Exchange Commission (SEC), US, has stated that “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cyber security events and have clear procedures in place rather than waiting to react once a breach occurs.”

• Audit committees/Boards are expected to have an appropriate understanding of the business implications of cyber risks.

Page 33

Assessing Auditor’s Responsibilities

• Primary focus continues to be on access controls and changes to systems and data that would impact the financial statements and the effectiveness of internal control over financial reporting (ICFR).

• Consider whether cyber risk (like other business risks) represents a risk of material misstatement to the financial statement as part of the audit risk assessment activities.

• Focus should be on understanding the cyber risks affecting the entity and the actions being taken to address these risks.

Page 34

Assessing Auditor’s Responsibilities

• In relation to cyber security threats which could impact the IT systems of the entity, the key focus for auditors should be on the controls and systems which directly impact the data that is used and relied upon in the audit.

• In situations where a material cyber security related breach is discovered, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on ICFR.

Page 35

Cyber Security Breach and Audit Risk Assessment Strategy

The auditor may adopt the following audit risk assessment strategy for cyber risks:

• Obtain a high-level understanding, primarily via inquiry, of the processes and controls implemented by the entity to manage cyber risks

Page 36

Areas of review

• Privileged account access

• Governance/Risk management program

• Security monitoring/Incident management program

• Security awareness program

• Threat and vulnerability management program

• Patch management program

• Vendor risk management program

• Data classification program

Page 37

Audit Approach

• Evaluate the information obtained to assess the risk of material misstatement to the financial statements.

• Communicate relevant observations for strengthening the cyber control environment, as appropriate to the management and Audit Committee.

Page 38

Suggested approach when a breach occurs

• Gain an understanding of management’s approach to investigating the breach

• Evaluate the actions taken by management in response to the investigation

• Assess the effect of the breach on audit

Page 39

Common Areas Exploited in Cyber Attacks

Page 40

Common Areas Exploited in Cyber Attacks

Page 41

• Let us be pro-active & not reactive

• Let the change begin now

• Invest in tools today for a better tomorrow

• Exercise precaution in the cyber world

• Develop safeguard policies and constantly monitor

• Educate kids, youngsters, family, trainees, employees

“Trust, but ensure you verify!”

Page 42

Some questions for consideration of the panel

• How to effectively organise data & information repository in a CA’s office?

• How to identify risks and relevant tools to protect such confidential information?

• What are the best practices, frameworks and regulations relevant to data protection?

• How is SPDI as per the Information Technology Act applicable to CAs?

• How to implement data privacy, in the context of the recent Supreme Court judgement?

• How to implement Cybersecurity to protect confidential information?

Page 43

Questions?