© 2014 ISCA
IT Seminar for Auditors
10 June 2014, Tuesday
6.30 pm – 9.30 pm
Auditors in the Evolving World of IT
Barun Kumar, Director, MANTRAN Consulting Pte Ltd
Agenda
Auditors in the Evolving World of IT
• Evolving trends in IT
• Impact on audit
• Q&A
Evolving trends in IT
Evolving trends in IT
In partnership with Mantran Consulting Pte Ltd
Some of the key evolving trends in IT are as follows:
• Cloud Computing
• Big Data
• Bring Your Own Devices
• Social Media
• Data privacy
Evolving trends in IT
Cloud Computing
• A model of network computing where a program or application runs on connected servers (through a communication network such as the Internet) rather than on a local computing device
• The computing process may run on one or many connected computers at the same time, utilizing the concept of virtualization
• Characteristics of cloud computing
– on-demand self-service
– broad network access
– resource pooling
– rapid elasticity
– measured service
Evolving trends in IT
Cloud Computing Models
• SaaS
– Software is licensed on a subscription basis and is centrally hosted on the cloud
– Reduce IT support costs by outsourcing hardware and software maintenance and support
• PaaS
– Provider provides a computing platform and a solution stack as a service (i.e., networks, servers, storage, and other services that are required to host the company’s application)
– Company creates an application or service using tools and/or libraries from the provider and also controls software deployment and configuration settings
• IaaS
– Provider provides computers – physical or (more often) virtual machines – and other resources
– Support large numbers of virtual machines and the ability to scale services up and down according to customers' varying requirements
– Providers supply these resources on-demand from their large pools installed in data centres
Evolving trends in IT
Cloud Computing Deployment Models
• Private Cloud: solely for a single organization
• Public Cloud: services are rendered over a network that is open for public use
• Community Cloud: shares infrastructure between several organizations from a specific community with common concerns
• Hybrid Cloud: composition of two or more clouds (private, community or public)
Evolving trends in IT
Big Data
• Any collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications
• Additional information derivable from analysis of a single large set of related data, as compared to separate smaller sets with the same total amount of data
• Some facts
– 90% of the data in the world today has been created in the last two years alone
– data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, etc.
Evolving trends in IT
Big Data Dimensions
• Volume: Enterprises are awash with ever-growing data of all types, easily amassing terabytes – even petabytes – of information
• Velocity: For time-sensitive processes such as catching fraud, big data must be used as it streams into your enterprise in order to maximize its value to your business
• Variety (structured and unstructured data): Big data extends beyond structured data, including unstructured data such as text, sensor data, audio, video, click streams, log files and more
Evolving trends in IT
Social Media
• Social interaction among people in which they create, share or exchange information and ideas in virtual communities and networks
– Organizations use social media!
– Their employees also use social media!
Evolving trends in IT
Bring Your Own Devices
• Permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications
– Increased productivity
– Better employee morale
– Attract new hires
Evolving trends in IT
Data Privacy
• Increasing awareness of data privacy requirements (especially those related to personal data)
• Personal Data Protection Act 2012 (PDPA)
– Singapore law governing the collection, use, disclosure and care of personal data
– Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access
Evolving trends in IT
PDPA
• Concepts
– Consent
– Purpose
– Reasonableness
• Timeline
– Formation of the Personal Data Protection Commission (PDPC) on 2 January 2013
– DNC Registry came into effect on 2 January 2014
– Main data protection rules will come into force on 2 July 2014.
Impact on Audit
These trends bring new challenges, which must be addressed by IT audit. Some examples are as follows:
• Responsibility for security in cloud computing
• Data access in Big Data
• Managing legal challenges arising from use of social media
• Securing personnel devices connected to corporate network
• Compliance with data privacy requirements
Cloud Computing
Challenges and Solutions
• Challenges
– CSP controls access to data
– CSP can complicate data privacy due to virtualization (data may not remain on the same system, or in the same data centre or even within the same provider's cloud)
– Legal concerns over jurisdiction
– Other security challenges
• Solutions
– Data encryption
– Choices for how and where data is stored
– SSAE16, SS584 (Multi-Tier Cloud Security (MTCS)), etc.
– Regular Vulnerability Assessment and Penetration Testing (VAPT)
Big Data
Challenges and Solutions
• Challenges
– Increasing popularity of Big Data and increasing awareness of Data Privacy is creating issues for organizations
– Organizations must address Data privacy issues
– Using data for audit
• Solutions
– Compliance with Data Privacy requirements
– Policy around Big Data (e.g. collection limitation, purpose specification, use limitation, data quality, security safeguards, openness, individual participation and accountability)
– CSA – Top Ten Big Data Security & Privacy Challenges
– SIEM, fraud management tools, data analysis, etc.
Big Data
CSA – Top Ten Big Data Security & Privacy Challenges
• Secure computations in distributed programming frameworks
• Security best practices for non-relational data stores
• Secure data storage and transactions logs
• End-point input validation/filtering
• Real-Time Security Monitoring
• Scalable and composable privacy-preserving data mining and analytics
• Cryptographically enforced data centric security
• Granular access control
• Granular audits
• Data Provenance
Social Media
Challenges and Solutions
• Challenges
– Social engineering and data leakage
– Employees
– Lack of Social Media Policy
– Cyber security and malicious applications
– Reputation loss
– Legal issues
• Solutions
– Social Media Policy
Bring Your Own Devices
Challenges and Solutions
• Challenges
– End node security
– Data breach (e.g., through loss of device or employee leaving organization)
– Phone number problem
– Scalability and capability
• Solutions
– BYOD policy
– End node security solutions
– Approved device list
Data Privacy
Challenges and Solutions
• Challenges
– Cloud computing
– Big data
– Social media
– Increasing compliance requirement
• Solutions
– Awareness of compliance requirements
– Compliance
Impact on Audit
What should auditors do?
• Assess the usage of various evolving IT trends
• Assess the risks due to use of these evolving IT trends
• Develop work programs to address these risks
Q & A
Important disclaimer
This Presentation (the Presentation) has been prepared by ISCA for the exclusive use of the recipients to whom it is addressed.
Each recipient agrees that it will not permit any third party to copy, reproduce or distribute to others this Presentation, in whole or in part, at any time without the prior written consent of ISCA, and that it will keep confidential all information contained herein not already in the public domain.
The Preparers expressly disclaim any and all liability for representations or warranties, expressed or implied, contained in, or for omissions from, this Presentation or any other written or oral communication transmitted to any interested party in connection with this Presentation so far as is permitted by law. In particular, but without limitation, no representation or warranty is given as to the achievement or reasonableness of, and no reliance should be placed on, any projections, estimates, forecasts, analyses or forward-looking statements contained in this Presentation which involve by their nature a number of risks, uncertainties or assumptions that could cause actual results or events to differ materially from those expressed or implied in this Presentation.
In furnishing this Presentation, the Preparers reserve the right to amend or replace this Presentation at any time and undertake no obligation to update any of the information contained in the Presentation or to correct any inaccuracies that may become apparent.
This Presentation shall remain the property of ISCA.