Vous êtes sur la page 1sur 44

Current Trends in Information

Technology: Which way for

Modern IT Auditors?
Joseph Akoki, ACA, MCP,

Information Security & Risk Insights

Africa Accra 2014
Technology is like a fish. The longer it stays on
the shelf the less desirable it becomes
Andrew Heller
What I did in my youth is hundred times easier
today technology breeds crime-
Frank Abagnate
There will come a time when it isnt they are
spying on me through my phone anymore.
Eventually it will be my phone is spying on
me Philip K. Dick
Information Security & Risk Insights Africa
Accra 2014
Technology changes twice every year,
the only way not be left behind is to
respond to changes if not you will be
twice behind Anonymous
We are going closer and closer to the
year when cars will run with water BANK
PHB Nigeria

Information Security & Risk Insights Africa

Accra 2014
With a 13% increase in identity fraud between
2010 and 2011, a study conducted by Javelin
Strategy &Research showed that consumers may
be putting themselves at a higher risk for identity
theft as a result of their increasingly intimate
social media behaviors.

Information Security & Risk Insights Africa

Accra 2014
Point to note

Audit failure most times is not caused by

receiving brown envelopes but most times
it is not adhering to audit quality control

Information Security & Risk Insights Africa

Accra 2014
6 5/27/2014

So it is said that if you know your enemies and
know yourself, you can win a hundred battles
without a single loss.
If you only know yourself, but not your
opponent, you may win or may lose.
If you know neither yourself nor your enemy,
you will always endanger yourself

- Quotation from The Art Of War by Sun



7 5/27/2014

Competency( human resources) Danger/audit
Time & deadlines
Enemies(auditee) Quality
Law & regulation

Business process of the auditee

Danger/ audit
Risk assessment by magt failure
Changing technology

NB: Audit failure is where audit has failed to fulfill its objective of providing reliable
evidence upon which audit opinion could be based.
Trend Drivers
Information Security & Risk Insights Africa
Accra 2014
Training Objectives:

1. Identify the technologies that will have the greatest impact on

banking business and audit functions

2. Explain why understanding trends and new technologies can

help an organization prepare for the future
3. Explore the risk inherent in these emerging technologies and
audit planning can respond adequately

Information Security & Risk Insights Africa

Accra 2014
Obtaining a broad view of
emerging trends and new
technologies as they relate
to business can help an
organization anticipate and
prepare for the future
Organizations that can most
effectively grasp the deep currents
of technological evolution can use
their knowledge to protect
themselves against sudden and fatal
technological obsolescence

Information Security & Risk Insights Africa

Accra 2014
Trend from The
Drivers McKinsey
example Quote from
Quarterly The McKinsey
Customers Quarterly

The emerging affluent segmentyoung,

educated, and consumption-oriented urban
professionalscould account for up to a third of
all retail-banking revenues in the coming three to
five years:
They are tech savvy, preferring online-banking and
smartphone applications; reluctant users of branches
(bricks and mortal) ; and price conscious and service
(February 2012, Mikls Dietz, dm Homonnay, and Irene Shvakman)
News: Headline
IBM Develops NFC Authentication Technology
Barclays Puts the Safety Deposit
Gartner: Majority of Box in the Cloud. Barclays online
Banks Will Turn to banking customers will now be
able to scan and upload
Cloud for Processing important documents a cloud-
Transactions By 2016. based document storage
What Banks Should Know About
Disaster Recovery in the Cloud.
The cloud offers faster recovery
from disasters, but banks need to
be on the same page with their
providers on issues like data
ownership and interoperability.
Information Security & Risk Insights Africa
Accra 2014
The need to know the trend:

The jagged economic landscape complicated by

advancing technologies, such as cloud, social media
and mobile devices can challenge the ability of an
IT auditor to provide comfort to executives already
overwhelmed with rapidly expanding opportunities
and pressures caused by shrinking margins.

Information Security & Risk Insights

Africa Accra 2014
Pace of technological innovation is
Medical knowledge is doubling every eight
50% of what students learn in their freshman
year of college is obsolete, revised, or taken
for granted by their senior year
All of todays technical knowledge will
represent only 1 percent of the knowledge that
will be available in 2050
Potential business impact:
Shortened time-to-market for products and
Tighter competition based on new technologies
Tighter monitoring requirements
Information Security & Risk Insights Africa
Accra 2014
The Digital Disruption
The digital revolution is disrupting every industry.
Creating new possibilities and changing the ways
business is done.
The only way to compete is to evolve !!!
The five post digital
forces affecting business:
cloud, mobile, social, analytics and
Information Security & Risk Insights Africa
cyber Accra 2014
News: Headline
IBM Develops NFC Authentication Technology

IBM announced it has developed a new

mobile payments authentication security
technology based on near-field
communication(NFC) technology.
According to IBM, a user engaging in a mobile
transaction would hold a contactless smartcard
next to the NFC reader of the mobile device and
after keying in their PIN, a one-time code would
be generated by the card and sent to the server
by the mobile device. The technology is based
on end-to-end encryption between the
smartcard and the server using the National
Institute of Standards & Technology (NIST) AES
(Advanced Encryption Standard) scheme.
technologies on &
Security the
Insights require
Africa users
to carry an additional device, such as2014
Accra a random
password generator, IBM stated
News: Headline
IBM Develops NFC Authentication Technology
Barclays Puts the Safety Deposit
Gartner: Majority of Box in the Cloud. Barclays online
Banks Will Turn to banking customers will now be
able to scan and upload
Cloud for Processing important documents a cloud-
Transactions By 2016. based document storage
What Banks Should Know About
Disaster Recovery in the Cloud.
The cloud offers faster recovery
from disasters, but banks need to
be on the same page with their
providers on issues like data
ownership and interoperability.
Information Security & Risk Insights Africa
Accra 2014
Continuity Across
Devices With more users working
across multiple devices, we
see a move to provide the
missing link in todays
computing experience the
ability to pick up the session
on a different device in
exactly the same place you
left off.

Innovation will occur behind

the scenes, to provide a
continuous experience for
Information Security & Risk Insights Africa
users across call logs,Accra text 2014

messages, notes and

All Encompassing Smartphones
Nowadays, consumers
are increasingly relying
on their smartphones for
just about everything.
From researching
purchasing decisions to
mobile commerce,
expect to see more
brands start to innovate
and cater to the needs
of mobile audiences,
both customers and
Information to allow for Africa
& Risk Insights more
seamless use and Accra 2014

integration of
IPv6: Major surgery for the
Internet IPv6 is the new
Internet protocol
replacing IPv4.

Protecting IPv6 is not

just a question of
porting IPv4
capabilities. There are
changes to the Accra 2014
Information Security & Risk Insights Africa

protocol which need

IPv6: Major surgery for the
Internet contd
The Difference Between IPv6 and IPv4 IP Addresses
An IP address is binary numbers but can be stored
as text for human readers. For example, a 32-bit
numeric address (IPv4) is written in decimal as four
numbers separated by periods. Each number can
be zero to 255. For example, could be
an IP address.
IPv6 addresses are 128-bit IP address written in
hexadecimal and separated by colons. An
example IPv6 address could be written like this:

Information Security & Risk Insights Africa

Accra 2014
Others are:
T+3 becoming T
Instant transfers
ATM accepting cash and cheques
Cheques scanned with mobile phones
Wearable technologies
Virtualisation of all kinds- virtual customers , staff
and projects
Information Security & Risk Insights Africa
Accra 2014
Cloud Computing

Information Security & Risk Insights Africa

Accra 2014
Contending With Cloud Services
Small, medium and large enterprises
are beginning to adopt cloud services
PaaS and SaaS at a greater rate. This
trend presents a big challenge for
network security, as traffic can go
around traditional points of inspection.
Additionally, as the number of
applications available in the cloud
grows, policy controls for Web
applications and cloud services will
also need to evolve.

But as theInformation
cloud evolves, so
Security & Risk Insights Africa
Accra 2014

too must network security.

What is cloud computing?
Cloud Computing is not:
Any specific technology, such as VMware or SalesForce
Grid computing
Web hosting

Cloud Computing is:

An IT delivery approach that binds together technology infrastructure,
applications, and internet connectivity as a defined, managed service that
can be sourced in a flexible way
Cloud computing models typically leverage scalable and dynamic resources
through one or more service and deployment models
The goal of cloud computing is to provide easy access to, and elasticity of, IT

Information Security & Risk Insights Africa

Accra 2014
Key Areas to Focus on
during Audit
Identity and Access Management:
Verify that only approved personnel are granted access to servicebased on their roles and
that access is removed in a timely manner upon the personnel's termination of employment
and/or change in their roles that does not require the said access.
Physical Security
Hosting & Data Logical Security
Segregation of tiers; hosting encryption methods
Accessibility from the open Internet, over permissive rules that open wide range of ports
Authentication & Authorization
Length / strength of passwords, systems to enforce / control password security / reset rules
Use of hardware / software token. Management of key fobs
Only authorized users are granted access rights after proper approval
Access for transferred employees is modified in a timely manner
Unauthorized access to cloud computing resources is removed promptly
Periodic review of super-user and regular access to cloud applications
Connection & Data Transmission
Secure connectivity such as VPN IPSec, SSL, HTTPS where secure data is being transmitted for
regular users or administrators
Key Areas to Focus on during
Auditing Cloud Computing in Five Relevant Areas Audit Objective(s)
Technology Risks:
Unique risks related to the use of virtual operating system with cotenants.
Is your primary service provider utilizing another sub-service provider? For e.g.
there are several examples where a SaaS provider is utilizing an IaaS provider.
Do you know whether your primary service provider is protecting you
adequately from the risks inherent with utilizing an IaaS provider?
Hypervisor technology utilized and whether it is patched
Process for monitoring and patching for known vulnerabilities in hypervisor
Segregation of duties (SoD) considerations both from a technology as well as
business perspective, for e.g. from a technology SoD perspective does one
person have access to the host and guest operating systems as well as the
guest database. From a business perspective, for financially significant
applications, just because an application is in the cloud does not diminish the
importance of segregating access within the application
Logging of access to the applications and data, where relevant
Protection of access logs from inadvertent deletion or unauthorized access
Common Observations When
Auditing Cloud Computing
Password settings for cloud resources (applications, virtual servers etc.) does not comply
with user organizations password policies. Sometimes the cloud vendor resources do not
support the user organizations policy requirements, but several times, the cloud
administrators at the user organizations are not aware
Port settings on Cloud server instances not appropriately configured (administrator added
exceptions to administer cloud from their home computer and mobile device)
Lack of policy and procedures for appropriate handling of security and privacy incidents
Terminated users found to be active on applications in the cloud (even though the
individuals network access was terminated) and there was no IP range restriction
Employees transferred out of a certain department had access to Cloud resources even
though they transferred to another department a few months ago
Service providers SOC report was not reviewed for impact to user organization
Sensitive data (PII) in the cloud was found to be not encrypted. Sometimes the user
organization is not aware that sensitive data resides in the cloud. Most commonly, with the
use of cloud for test environments, sensitive data is not scrambled/de-identified before
being sent to the cloud. It might even be your third-party development vendor doing that
Use of shared accounts to administer the cloud
Good Practices in Cloud
Sensitive data is encrypted before sending to the cloud
Making sure that multiple people receive notifications from the cloud service
provider and that list of individuals/email id is periodically reviewed and
updated. This is simple to implement and very beneficial
Several cloud service providers offer the option of IP range restriction. That
could be a great tool in utilizing a cloud-based services but having the
security comfort of in-house IT
Use of secure connection when connecting to the cloud, anytime sensitive
data is exchanged
Access to cloud computing resources is integrated with the user
organizations identity and access management process instead of being
handled one-off
Use of multi-factor authentication (MFA) such as hardware/software tokens,
mobile authentication (particularly if the mobile phone is a company
resource) for administration of cloud resources. This could also protect in case
the user organizations employees are subject to phishing attack
Review proper independent review report/certification: sometimes a SOC
report is not sufficient
Top Risk Areas
Privileged use Who at the cloud provider will have access to your data? What controls does the
access provider have over these peoples access? How does the provider hire and fire

Regulatory How will using the cloud affect your ability to comply with regulatory requirements (e.g
Compliance SOX, GLBA, HIPPA, PCI). Has the provider undergone any kind of third party audit or
Data Location Where will the data be stored? Will it be replicated out of the country? Can the customer
and Ownership restrict where the data is stored? Who owns the data once it is in the cloud

Data Segregation How does the provider ensure that its other customers can not see my data ? What type
of encryption is in place? How are the keys managed

Recovery What happens to my data in the event of a disaster? Is it backed up or replicated

somewhere? How can I access my backups? How long does it take to restore my data?

Forensic Support If any kind of legal investigation is required because of illegal activity- can the provider
support the customer ?
Long Term What is the providers financial posture, will they be around in the next 5-15 years, if they
Viability fail how does the customer get his data back
Third Party What third party relationships does your cloud provide have inplace
Due Diligence Have you performed extensive due diligence on your cloud provider

Information Security & Risk Insights Africa Accra 2014

Cloud providers key Risk Understand the cloud providers key risks and performance indicators
and Performance and how this can be monitored and measured from a customers
Indicators perspective

Information Security & Risk Insights Africa Accra 2014

Auditing Mobile Computing

Information Security & Risk Insights Africa

Accra 2014
10 Steps for Auditing Mobile Computing
Security Test
Ensure that mobile device Evaluate disaster recovery
management software is running the processes in place to restore
latest approved software and patches.
mobile device access should a
Verify that mobile clients have

disaster happen.
protective features enabled if they are
required by your mobile device Evaluate whether effective
security policy. change management processes
Determine the effectiveness of device exist.
security controls around protecting Evaluate controls in place to
data when a hacker has physical
access to the device
manage the service life cycle of
personally owned and company-
Evaluate the use of security monitoring
software and processes. owned devices and any
Verify that unmanaged devices are associated accounts used for the
not used on the network. Evaluate gateway
controls over unmanaged devices.
Evaluate procedures in place for
tracking end user trouble tickets.
Ensure that appropriate security Information Security & Risk Insights Africa
policies are in place for your mobile Accra 2014
Auditing Mobile Device Mgt
Once installed, an MDM solution can enforce numerous
security policies. Auditors should verify these policies are in

Anti-malware and firewall policy. Mandates installation of

security software to protect the devices apps, content,
and operating system.
App/operating system update policy. Requires devices to
be configured to receive and install software updates and
security patches automatically.
App-vetting policy. Ensures that only trustworthy white
listed apps can be installed; blocks black listed apps
that could contain malicious code.
Encryption policy. Ensures that the contents of the devices
business container are encrypted and secured.
Information Security & Risk Insights Africa
Accra 2014
Auditing Mobile Device Mgt
PIN policy. Sets up PIN complexity rules and expiration
periods, as well as prevents reuse of old PINs.
Inactive-device lockout policy. Makes the device
inoperable after a predetermined period of inactivity, after
which a PIN must be entered to unlock it.
Jail break policy. Prohibits unauthorized alteration of a
devices system settings configured by the manufacturer,
which can leave devices susceptible to security
Remote wipe policy. Erases the devices business container
contents should the device be lost or stolen.
Revoke access policy. Disconnects the employees device
from the organizations network when the MDMs remote
monitoring feature determines that it is no longer in
AUDITING Social Media

Information Security & Risk Insights Africa

Accra 2014
Social Media
IT auditors should be mindful of the risks
associated with social media, and take
steps to validate that the institution has
established an effective social media risk
management program commensurate with
the degree of the institutions use of social
media. In auditing social media, internal
auditors should consider the following steps:
Program Governance and
Evaluate how the institution assigns
accountability for social media activities.
Review social media-related policies and
procedures for consistency with stated social
media objectives.
Assess the institution's process to stay informed
of actual and proposed social media activities.
Evaluate procedures to review and approve
social media content before publication.
Determine how social media risks are
periodically assessed and documented.
Alignment of Activities with
Enterprise Strategy
Determine if the institution has documented
formally an enterprise-wide social media
Review the documented social media strategy
for specific objectives and defined metrics
against which progress is measured, including
risk appetite.
Evaluate the process by which business line
social media practices are reviewed for
consistency with the institution's enterprise-wide
social media strategies.
Compliance with Laws and
Discuss with legal and compliance personnel
how legal and regulatory requirements are
assessed for applicability to social media
Assess the completeness of the institution's
inventory of laws and regulations applicable to
social media activities.
Evaluate how legal and compliance are
involved in the use of new social media
technologies that may impact compliance with
legal and regulatory requirements
Operational Risk Management

Determine if technological tools have been used to

monitor and restrict social media usage, and consider
opportunities to automate new and existing
preventative and detective controls.
Evaluate how the institution provides and rescinds
access to social media platforms, including standards for
reviewing and approving access as appropriate.
Discuss with management the types of training provided
to employees with access to the institution's social media
Determine if third-party social media tools and software
solutions are evaluated for operational and compliance
impacts in accordance with the institution's
documented vendor management program, if
Reputational Risk
Evaluate whether management distinguishes
consumer complaints received through social
media platforms from social media incidents.
Determine if management has identified
complaint and incident scenarios that require
escalation to legal, compliance, senior
management, or other parties.
Assess how social media exchanges are
monitored for integrity and fairness to
Last word for the modern day IT
The current trends in IT presently
and in the future demands IT
auditors to be IT savvy, current
and evolving so we have to:
Learn- moving with Technology
Train- build capacity

Share- leveraging
Information Security & Risk Insights Africa
Accra 2014

Information Security & Risk Insights Africa

Accra 2014