Central Bank of Libya

spotlessstare, Security

29 Nov 2013


Information Technology (IT)
Internal Controls Presentation for the
Central Bank of Libya

Royce Walker
Financial Services Volunteer Corps

March 23-25, 2009

IT Internal Controls

Introduction

Topics of Discussion:

Definition of Internal Control

Overview of Internal Control/Risk Management Frameworks

Information Technology Internal Controls



Definition of Internal Control

Internal Control is a process, effected by an entity’s board of directors,
management and other personnel. This process is designed to provide
reasonable assurance regarding the achievement of objectives in
effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and regulations.

Source: The Committee on Sponsoring Organizations of the Treadway Commission,
http://www.coso.org/resources.htm.


Internal Control/Risk Management Frameworks

Enterprise-wide Frameworks

The Cadbury Committee (United Kingdom)

The Canadian Criteria of Control Committee (CoCo) (Canada)

The Committee on Sponsoring Organizations (COSO) (United States)

IT Frameworks

The Information Systems Audit and Control Association

Control Objectives for Information Technology (COBIT)

Information Technology Infrastructure Library (ITIL)

The International Organization for Standardization (ISO)

Information Technology Internal Controls


Governance


Who is in charge of IT?


Governance is one of the most important controls. If
someone or some group is not actively overseeing the IT
function, the result will be chaos.

Governance (continued)



Achieved through management structure, assignment of
responsibilities and authority, establishment of policies,
standards and procedures, allocation of resources,
monitoring, and accountability.


Required to ensure tasks are completed appropriately,
accountability is maintained, and risk is managed for the
entire enterprise.


Responsibility of the board of directors and executive
management.


Fundamentally concerned with two issues: 1) IT delivers
value, 2) IT risks are mitigated.


Source: Federal Financial Institutions Examination Council, Information Security,
IT Examination Handbook, and Information Systems Audit and Control Association,
CISA Review Manual 2006, Chapter 2, IT Governance.


Governance (continued)

Management Structure

IT should be governed/supported by:

Board of Directors.

IT officers and supervisory personnel.

IT employees.

IT users.

Auditors.

Service providers and contractors.


IT Risk Assessment

An IT risk assessment includes three parts:

1. Gathering technical and non-technical information about the IT function.

2. Analyzing the information to:

   classify and rank sensitive data, systems, and applications.

   assess threats and vulnerabilities.

   evaluate control effectiveness.

3. Setting priorities for responses.


IT Risk Assessment (continued)

Necessary Information

Examples of technical information include:

Data and systems to be protected (electronic and paper).

Network diagrams of internal and external connectivity.

Hardware, software, database file inventories.

Examples of non-technical information include:

Policies, standards, and procedures for security.

Vendor contracts, including insurance coverage.

Reports of security monitoring, self-assessments, metrics, and independent tests.


IT Risk Assessment (continued)


Classify/Rank Sensitive Data, Systems, and Applications


Assess/classify relative importance of information systems,
classify data to identify and rank data, systems, and
applications in order of importance.

Assess Threats and Vulnerabilities

Determine which threats and vulnerabilities deserve priority
attention relative to value of the information or information
systems being protected.



IT Risk Assessment (continued)

Evaluate Control Effectiveness

Identify controls that will mitigate the impact of a threat/vulnerability.


Preventive Control


Keeps something from occurring.


Detective Control


Finds something after it occurred.


Corrective Control


Corrects problems that occurred.

Assign Risk Ratings

Risk ratings should be assigned to information systems and
data to establish importance and criticality.


Information Security Strategy


Typical steps to building an information security strategy
include:


Defining control objectives.


Identifying and assessing approaches to security.


Establishing benchmarks and metrics.


Preparing and implementing testing plans.

Information Security Strategy (continued)


Control Framework Considerations


Using a widely recognized technology standard, such as:

COBIT, ITIL, ISO 17799, etc.

Policies and Procedures


Primary component of strategy; guides decisions made by
users, administrators, and managers.


Inform individuals of their responsibilities, specify ways of
meeting responsibilities.


Provide guidance in acquiring, configuring, and auditing
information systems.

Information Security Strategy (continued)

Technology Design

Provides effective network-level monitoring, limits an intruder’s ability to
traverse the network, and offers the minimum level of services required by
business needs.


If updated in a timely manner, mitigates newly discovered
threats and vulnerabilities.

Information Security Strategy (continued)


Outsourced Security Services


Security services may be outsourced to obtain greater
expertise, greater range of services, and lower costs.


Institution retains same responsibilities for security as if those services
were performed in-house.


Sufficient expertise is needed to oversee and manage
outsourced security service relationship properly.


Detailed contract is needed for scope and nature of services
as well as for expected and required service levels.

Information Security Internal Controls

Internal controls should be established to minimize IT Risk.


Access Control


Physical and Environmental Protections


Encryption


Malicious Code Prevention


Systems Development, Acquisition, and Maintenance


Personnel Security


Data Security


Service Provider Oversight


Business Continuity Considerations


Insurance


Monitoring


Access Control

Goal of access control is to allow access by authorized
individuals and devices and to disallow access by all others.


Limit to specifically authorized persons.


Authorize only individuals whose identity is established.


Limit activities to those required for business purposes.


Approve device installation in accordance with policy.


Use change controls for devices and software used inside the external
perimeter, and configure institution devices to accept only authorized
connections from outside the perimeter.

Access Rights Administration

Implement an effective process to administer access rights.


Assign users and devices only the access required to
perform their required functions (business need).


Update access rights based on personnel and system
changes.


Review users’ access rights at periodic intervals.


Design acceptable-use policies and require users to agree to them in writing.


Review exception reports.

Authentication

Use effective authentication methods.


Select authentication mechanisms based on risk associated
with application or services.


Consider when multi-factor authentication is appropriate.


Encrypt transmission and storage of authenticators (e.g.,
passwords, personal identification numbers (PINs), digital
certificates, biometric templates).

Authentication (continued)

Shared Secret Systems

Uniquely identify user by matching knowledge on system to knowledge only
system and user are expected to share.

Passwords, pass phrases, current transaction knowledge.

Password string: C2$v73#L

Pass phrase: My favorite candy is peppermint.

Current transaction knowledge: Account balance on the last statement mailed
to the user/customer.

Controls should prevent user from re-using shared secrets that were
compromised, or recently used by user.

Authentication (continued)

Shared Secret Systems (continued)

Passwords and pass phrases should be difficult to guess.

Strength is lack of disclosure of and about the secret, difficulty in
guessing it, and length of time before it is changed.

User should select passwords and pass phrases without assistance from other
users. (Exception: temporary password to create a new account.)


Authentication (continued)

Shared Secret Systems (continued)

Automated tools can assist enforcement of shared secret system policies.

Length

Complexity

Periodic changes (e.g., every 30, 60, 90 days)

Lock out after unsuccessful password attempts

Disallow re-use of password
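An added illustration (not code from the presentation) of the automated enforcement the slide describes, covering the five listed controls plus the earlier point about rejecting compromised secrets; the thresholds, the denylist and the account model are assumptions:

```python
# Added example: automated enforcement of a shared-secret policy (length,
# complexity, periodic change, lockout, no re-use of prior or compromised
# secrets). Thresholds and sample data are assumptions, not from the slides.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 12          # assumed
MAX_AGE_DAYS = 90        # slide suggests 30, 60 or 90 days
MAX_FAILED_ATTEMPTS = 5  # assumed
HISTORY_DEPTH = 10       # assumed

# Constructed denylist of compromised secrets, kept only as hashes
COMPROMISED = {hashlib.sha256(s.encode()).hexdigest()
               for s in ("Password123!", "Welcome2024!")}

def _digest(secret, salt):
    # Salted PBKDF2 so the history never stores plaintext secrets
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # newest digest first
    last_changed: date = field(default_factory=date.today)
    failed_attempts: int = 0

def set_secret(acct, secret):
    # Return the list of policy violations; empty means the change was applied
    classes = (any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret))
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append("too short")
    if sum(classes) < 3:  # require three of the four character classes
        problems.append("insufficient complexity")
    if hashlib.sha256(secret.encode()).hexdigest() in COMPROMISED:
        problems.append("known compromised")
    new = _digest(secret, acct.salt)
    if any(hmac.compare_digest(new, old) for old in acct.history[:HISTORY_DEPTH]):
        problems.append("recently used")
    if not problems:
        acct.history.insert(0, new)
        acct.last_changed = date.today()
        acct.failed_attempts = 0
    return problems

def verify(acct, attempt, today=None):
    # Outcomes: "locked", "bad", "expired" (correct but must be changed), "ok"
    today = today or date.today()
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "locked"
    if not acct.history or not hmac.compare_digest(_digest(attempt, acct.salt),
                                                   acct.history[0]):
        acct.failed_attempts += 1
        return "bad"
    acct.failed_attempts = 0
    if today - acct.last_changed > timedelta(days=MAX_AGE_DAYS):
        return "expired"
    return "ok"
```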

Authentication (continued)

Other Authentication Systems

Token Systems

Two-factor authentication of something user has and something user knows.

Public Key Infrastructure (PKI)


Combines hardware
components, system software, policies, practices, standards
for authentication, data integrity, defense against customer
repudiation, and confidentiality.

Biometrics



Verifies user by reference to unique physical or
behavioral characteristics (e.g., thumbprint, iris pattern). May
or may not require use of a token.




Authentication (continued)


Other Authentication Systems (continued)

Authenticator Reissuance



Needed when user forgets
shared secret, loses token, biometric identifier changes.

Behavioral Authentication

Assurance gained from comparing connection-related or activity-related
information with expectations.

Device Authentication



Supplements authentication of
individuals or when assurance is needed that the device is
authorized to be on the network.




Network Access

Secure access to computer networks through multiple layers
of access controls to protect against unauthorized access.


Group servers, applications, data, users into security
domains (e.g., untrusted external networks, external
service providers, various internal user systems).


Establish access requirements within/between domains.


Implement technological controls to meet access
requirements consistently.


Monitor cross-domain access for security policy violations and anomalous
activity.
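An added example (not part of the presentation) of the detective side of this slide: security domains as address ranges, an access-requirement matrix between them, and a check of constructed flow-log records for cross-domain policy violations. Domain names, the policy and the log lines are assumptions.

```python
# Added example: evaluating cross-domain connections against an access policy
# between security domains. Domains, policy and log data are constructed.
import csv
import io
import ipaddress

# Security domains as address ranges (constructed)
DOMAINS = {
    "internal_users": ipaddress.ip_network("10.10.0.0/16"),
    "core_banking": ipaddress.ip_network("10.20.0.0/24"),
    "service_provider": ipaddress.ip_network("172.16.5.0/24"),
}
# Any address outside the named domains is the untrusted external network
UNTRUSTED = "untrusted_external"

# Access requirements between domains: (source, destination) -> allowed ports
POLICY = {
    ("internal_users", "core_banking"): {443},
    ("service_provider", "core_banking"): {1521},
    ("internal_users", UNTRUSTED): {80, 443},
    ("core_banking", "service_provider"): {443},
}

def domain_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in DOMAINS.items():
        if ip in net:
            return name
    return UNTRUSTED

def evaluate(src, dst, port):
    # Classify one connection: "intra" (same domain), "allowed" or "violation"
    s, d = domain_of(src), domain_of(dst)
    if s == d:
        return "intra"
    return "allowed" if port in POLICY.get((s, d), set()) else "violation"

def violations(log_text):
    # Return (src, dst, port, src_domain, dst_domain) for each violation in a
    # CSV flow log with columns ts,src,dst,port
    out = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["port"])
        if evaluate(row["src"], row["dst"], port) == "violation":
            out.append((row["src"], row["dst"], port,
                        domain_of(row["src"]), domain_of(row["dst"])))
    return out

# Constructed sample flow log: one allowed, one wrong port, one external
# source reaching core banking, one allowed provider flow, one outbound
# from core banking with no policy entry, one intra-domain connection
SAMPLE_LOG = """ts,src,dst,port
2009-03-23T09:00:00,10.10.4.7,10.20.0.15,443
2009-03-23T09:00:05,10.10.4.7,10.20.0.15,22
2009-03-23T09:01:00,203.0.113.9,10.20.0.15,443
2009-03-23T09:02:00,172.16.5.3,10.20.0.15,1521
2009-03-23T09:03:00,10.20.0.15,203.0.113.40,443
2009-03-23T09:04:00,10.10.4.7,10.10.4.9,445
"""
```

Flows with no entry in POLICY are violations by default, so an unexpected outbound connection from the core banking domain is flagged even though nothing explicitly forbids it.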



Network Access (continued)

Firewalls



Devices (computers, routers, and software) that
mediate access between different security domains. All
traffic between security domains must pass through the
firewall, regardless of the direction of the flow.

Malicious Code Filtering

Devices that act as a control point to enforce the institution’s security
policy over incoming communications (e.g., anti-virus, anti-spyware, and
anti-spam filtering, blocking of downloading of executable files, and other
actions).

Network Access (continued)

Outbound Filtering



Devices that inspect outbound
communications for compliance with the institution’s security
policy (e.g., forbid origination of outbound communications
from certain computers).

Network Intrusion Prevention System (IPS)



Devices that
allow or disallow access based on an analysis of packet
headers and packet payloads (similar to firewalls).

Intrusion Detection System (IDS)

Software and/or devices designed to detect unwanted attempts to access,
manipulate, or disable computer systems or information.


Network Access (continued)

Vulnerability Assessment Systems

Systems to identify, quantify, and prioritize vulnerabilities in networked
systems.

Data Loss Prevention

System to identify, monitor, and protect data while it is being used, stored,
or transmitted; designed to detect and prevent the unauthorized use and
transmission of confidential information.

Security Information Management System (SIMS)

Consolidates reports from firewalls, IPS, IDS, and system and event logs into
a central repository for trend analysis.

Operating System Access

Secure access to operating systems of all system components.


Secure access to system utilities.


Restrict and monitor privileged access.


Log and monitor user/program access to sensitive
resources and alert on security events.


Update operating systems with security patches.


Secure devices that can access the operating system
through physical and logical means.



Application Access

Control access to applications.


Use authentication and authorization controls appropriately
robust for the risk of the application.


Monitor access rights to ensure they are the minimum
required for user’s current business needs.


Use time-of-day limitations on access as appropriate.


Log access and security events.


Use software that enables rapid analysis of user activities.

Remote Access

Secure remote access to and from systems.


Disable remote communications if no business need exists.


Control access via management approval and review.


Implement robust controls over configurations at both ends
of the remote connection to prevent malicious use.


Log and monitor all remote access communications.


Secure remote access devices.


Use strong authentication and encryption to secure
communications.

Physical and Environmental Protection

Define physical security zones and implement preventive and
detective controls in each zone to protect against:


Physical access by malicious or unauthorized people.


Damage from environmental contaminants.


Electronic access through active or passive electronic
emissions.

Physical and Environmental Protection (continued)


Data Center Security

Major objective is to limit risk of exposure from internal and
external sources.


Choose an area relatively safe from exposure to fire, flood,
explosion, or similar environmental hazards.


Deter intruders with guards, fences, barriers, surveillance
equipment, etc.


Ensure air conditioning equipment maintains temperature
for optimal equipment operation.

Physical and Environmental Protection (continued)


Data Center Security (continued)


Record access by vendors and other persons not assigned
to data center.


Secure doors and windows with switches that activate
alarm systems.


Do not identify location by signage or other indicators.


Use detection devices (e.g., security cameras) to prevent
theft and safeguard equipment.

Physical and Environmental Protection (continued)


Data Center Security (continued)


Minimize risk from environmental threats with fire
suppression systems, smoke alarms, raised flooring, and
heat sensors.


Use maintenance logs to determine whether devices are
appropriately maintained.


Periodically test the devices to determine they are
operating correctly.

Physical and Environmental Protection (continued)


Data Center Security (continued)


Require visitors to sign in and wear proper IDs so that they
can be monitored and identified easily.


Install power supply conditioning equipment (e.g., surge
protection).


Install uninterruptible power supply equipment that will
activate immediately in the event of power loss from the
main power supply.

Physical and Environmental Protection (continued)

Cabinet and Vault Security

Install protective containers designed to meet fire-resistant and
theft-resistant standards.


Physical Security In Distributed Environments


Protect personal computers in unrestricted areas such as
lobbies by securing them to workstations, locking or
removing disk drives and unnecessary physical ports, and
activating screensaver passwords or automatic timeouts.

Encryption

Implement encryption to mitigate risk of disclosure or
alteration of sensitive information in storage and in transit.


Encryption strength sufficient to protect information from
disclosure until disclosure poses no material risk.


Effective key management practices.


Robust reliability.


Appropriate protection of the encrypted communication’s
endpoints.

Malicious Code Prevention

Implement appropriate controls to prevent and detect
malicious code, and engage in user education.


Malicious code is any program that acts in unexpected and
potentially damaging ways.


Common types of malicious code are viruses, worms, Trojan horses, monitoring
programs such as spyware, cross-site scripts, key-stroke loggers, and
screen-shot transmissions.

Malicious Code Prevention (continued)

Controls To Protect Against Malicious Code

Controls use technology, policies and procedures, and training, all applied
in a layered manner from perimeters inward to hosts and data. Controls are
applied at the host, network, and user levels.

Host Level

Host hardening, including patch application and security-minded
configurations of the operating system (OS), browsers, and other
network-aware software.

Malicious Code Prevention (continued)


Controls To Protect Against Malicious Code (continued)

Network Level


Limit transfer of executable files through the perimeter,
and use IDS and IPS to monitor incoming and outgoing
network traffic.

User Level


User education in awareness, safe computing practices,
indicators of malicious code, and response actions.


Systems Development, Acquisition, and Maintenance

Ensure that systems are developed, acquired, and maintained
with appropriate security controls.


Ensure systems are developed and implemented with
appropriate security features enabled.


Ensure software is trustworthy by implementing
appropriate controls in the development process, reviewing
source code, reviewing the history and reputation of
vendors and third party developers, and implementing
appropriate controls outside of the software to mitigate
unacceptable risks from any deficiencies.

Systems Development, Acquisition, and Maintenance
(continued)


Maintain appropriately robust configuration management
and change control processes.


Establish an effective patch management process.


Use a separate system to test software changes/patches
before moving into the production environment.

Personnel Security

Mitigate risks posed by employees and other internal users.


Perform background checks/screening of new employees.


Obtain agreements covering confidentiality, nondisclosure,
and authorized use.


Use job descriptions, employment agreements, and training
to increase accountability for security.


Provide training to support awareness/policy compliance.


Data Security

Control and protect access to paper, film, and computer-based media to avoid
loss or damage.


Develop a data classification policy.


Establish/ensure compliance with policies for handling and storing
information.


Ensure safe and secure disposal of sensitive media.


Secure information in transit or transmission to third
parties.

Service Provider Oversight

Exercise security responsibilities for outsourced operations.


Conduct due diligence in service provider research and
selection.


Obtain contractual assurances regarding security
responsibilities, controls, and reporting.


Get nondisclosure agreements regarding systems and data.


Require independent review of service provider’s security through
appropriate audits and tests.


Coordinate incident response policies and contractual
notification requirements.

Business Continuity Considerations

Implement an effective business continuity plan.


Identify personnel with key security roles during
continuity plan implementation, and train personnel in
those roles.


Identify security needs for back-up sites and alternate communication
networks.


Periodically test the business continuity plan.


Update the plan when business processes change or new
technologies are implemented.

Insurance

Evaluate the extent and availability of insurance coverage in
relation to the specific risks being mitigated.


Insurance can be an effective method to transfer risks from
the institution to insurance carriers.


Insurance is not a substitute for an effective security program.


Insurance companies typically require companies to certify
that certain security practices are in place.

Security Monitoring

Assure adequacy of risk mitigation strategy/implementation.


Monitor to identify policy violations, anomalous behavior.


Monitor to identify unauthorized configuration, conditions
that increase risk of intrusion, or other security events.


Analyze results to accurately and quickly identify, classify,
escalate, report, and guide responses to security events.


Respond to intrusions, other security events.


Continuously gather and analyze information regarding
new threats, vulnerabilities, actual attacks, effectiveness of
existing security controls.


Conclusion


I hope this presentation has given you a better understanding
of internal controls that can be implemented for information
technology to protect the institution and its customers.


Thank you for your interest and attention today!!!

Bibliography

1. The Committee on Sponsoring Organizations of the Treadway Commission.
http://www.coso.org/resources.htm.

2. Federal Financial Institutions Examination Council, IT Examination
Handbook, 2006.

3. Information Systems Audit and Control Association, CISA Review Manual,
2006.