ISCA Slides - Barun Kumar v1.0

© 2014 ISCA

IT Seminar for Auditors

10 June 2014, Tuesday, 6.30 pm – 9.30 pm


Auditors in the Evolving World of IT

Barun Kumar, Director, MANTRAN Consulting Pte Ltd

Agenda

Auditors in the Evolving World of IT

• Evolving trends in IT

• Impact on audit

• Q&A


Evolving trends in IT

In partnership with Mantran Consulting Pte Ltd

Some of the key evolving trends in IT are as follows

IT Trends

• Cloud Computing

• Big Data

• Bring Your Own Devices

• Social Media

• Data privacy


Cloud Computing

• A model of network computing where a program or application runs on connected servers (through a communication network such as the Internet) rather than on a local computing device

• The computing process may run on one or many connected computers at the same time, utilizing the concept of virtualization

• Characteristics of cloud computing

– on-demand self-service

– broad network access

– resource pooling

– rapid elasticity

– measured service


Cloud Computing: Service Models

• SaaS

– Software is licensed on a subscription basis and is centrally hosted on the cloud

– Reduces IT support costs by outsourcing hardware and software maintenance and support

• PaaS

– Provider provides a computing platform and a solution stack as a service (i.e., networks, servers, storage, and other services that are required to host the company’s application)

– Company creates an application or service using tools and/or libraries from the provider and also controls software deployment and configuration settings

• IaaS

– Provider provides computers – physical or (more often) virtual machines – and other resources

– Supports large numbers of virtual machines and the ability to scale services up and down according to customers' varying requirements

– Providers supply these resources on-demand from their large pools installed in data centres

Cloud Computing: Deployment Models

• Private Cloud: solely for a single organization

• Public Cloud: services are rendered over a network that is open for public use

• Community Cloud: shares infrastructure between several organizations from a specific community with common concerns

• Hybrid Cloud: composition of two or more clouds (private, community or public)


Big Data

• Any collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications

• Additional information derivable from analysis of a single large set of related data, as compared to separate smaller sets with the same total amount of data

• Some facts

– 90% of the data in the world today has been created in the last two years alone

– data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, etc.


Big Data: Dimensions

• Volume: Enterprises are awash with ever-growing data of all types, easily amassing terabytes - even petabytes - of information

• Velocity: For time-sensitive processes such as catching fraud, big data must be used as it streams into your enterprise in order to maximize its value to your business

• Variety (structured and unstructured data): Big data extends beyond structured data, including unstructured data such as text, sensor data, audio, video, click streams, log files and more


Social Media

• Social interaction among people in which they create, share or exchange information and ideas in virtual communities and networks

– Organizations use social media!

– Their employees also use social media!



Bring Your Own Devices

• Permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications

– Increased productivity

– Better employee morale

– Attract new hires



Data Privacy

• Increasing awareness of data privacy requirements (especially those related to personal data)

• Personal Data Protection Act 2012 (PDPA)

– Singapore law governing the collection, use, disclosure and care of personal data

– Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access



PDPA

• Concepts

– Consent

– Purpose

– Reasonableness

• Timeline

– Formation of the Personal Data Protection Commission (PDPC) on 2 January 2013

– DNC Registry came into effect on 2 January 2014

– Main data protection rules will come into force on 2 July 2014.


Impact on Audit

These trends bring new challenges, which must be addressed by IT audit. Some examples are as follows:

• Responsibility for security in cloud computing

• Data access in Big Data

• Managing legal challenges arising from use of social media

• Securing personnel devices connected to corporate network

• Compliance with data privacy requirements


Cloud Computing

Challenges and Solutions

• Challenges

– CSP (cloud service provider) controls access to data

– CSP can complicate data privacy due to virtualization (data may not remain on the same system, or in the same data centre or even within the same provider's cloud)

– Legal concerns over jurisdiction

– Other security challenges

• Solutions

– Data encryption

– Choices for how and where data is stored

– SSAE16, SS584 (Multi-Tier Cloud Security (MTCS)), etc.

– Regular Vulnerability Assessment and Penetration Testing (VAPT)


Big Data

Challenges and Solutions

• Challenges

– Increasing popularity of Big Data and increasing awareness of Data Privacy is creating issues for organizations

– Organizations must address Data privacy issues

– Using data for audit

• Solutions

– Compliance with Data Privacy requirements

– Policy around Big Data (e.g. collection limitation, purpose specification, use limitation, data quality, security safeguards, openness, individual participation and accountability)

– CSA – Top Ten Big Data Security & Privacy Challenges

– SIEM, fraud management tools, data analysis, etc.


Big Data

CSA – Top Ten Big Data Security & Privacy Challenges

• Secure computations in distributed programming frameworks

• Security best practices for non-relational data stores

• Secure data storage and transaction logs

• End-point input validation/filtering

• Real-Time Security Monitoring

• Scalable and composable privacy-preserving data mining and analytics

• Cryptographically enforced data centric security

• Granular access control

• Granular audits

• Data Provenance


Social Media

Challenges and Solutions

• Challenges

– Social engineering and data leakage

– Employees

– Lack of Social Media Policy

– Cyber security and malicious applications

– Reputation loss

– Legal issues

• Solutions

– Social Media Policy


Bring Your Own Devices

Challenges and Solutions

• Challenges

– End node security

– Data breach (e.g., through loss of device or employee leaving organization)

– Phone number problem

– Scalability and capability

• Solutions

– BYOD policy

– End node security solutions

– Approved device list


Data Privacy

Challenges and Solutions

• Challenges

– Cloud computing

– Big data

– Social media

– Increasing compliance requirement

• Solutions

– Awareness of compliance requirements

– Compliance


Impact on Audit

What should auditors do?

• Assess the usage of various evolving IT trends

• Assess the risks due to use of these evolving IT trends

• Develop work programs to address these risks


Q & A


Important disclaimer

This Presentation (the Presentation) has been prepared by ISCA for the exclusive use of the recipients to whom it is addressed.

Each recipient agrees that it will not permit any third party to copy, reproduce or distribute to others this Presentation, in whole or in part, at any time without the prior written consent of ISCA, and that it will keep confidential all information contained herein not already in the public domain.

The Preparers expressly disclaim any and all liability for representations or warranties, expressed or implied, contained in, or for omissions from, this Presentation or any other written or oral communication transmitted to any interested party in connection with this Presentation so far as is permitted by law. In particular, but without limitation, no representation or warranty is given as to the achievement or reasonableness of, and no reliance should be placed on, any projections, estimates, forecasts, analyses or forward-looking statements contained in this Presentation which involve by their nature a number of risks, uncertainties or assumptions that could cause actual results or events to differ materially from those expressed or implied in this Presentation.

In furnishing this Presentation, the Preparers reserve the right to amend or replace this Presentation at any time and undertake no obligation to update any of the information contained in the Presentation or to correct any inaccuracies that may become apparent.

This Presentation shall remain the property of ISCA.