Digital Threats VS COBIT5 for Risk final · 2018-07-13

Page 1

© 2016 ISACA. All Rights Reserved.

IIAT & ISACA & SET

IA Clinic 11/2559

By ISACA Bangkok Chapter

26 November 2016

Digital Threats VS COBIT5 for Risk

Page 2

Speaker: Metha Suvanasarn, CGEIT, CRISC, CRMA, CIA, CPA

• Member of the Audit Subcommittee, Prostheses Foundation of H.R.H. the Princess Mother
• Chair of the Audit Committee, Faculty of Economics, Chiang Mai University
• Independent Director and Audit Committee member, Chair of the Nomination and Remuneration Committee, Sri Ayudhya Insurance Public Company Limited
• Independent Director and Audit Committee member, Chair of the Nomination and Remuneration Committee, Sri Ayudhya General Insurance Company Limited
• Vice President, ISACA (Information Security Audit and Control Association) Bangkok Chapter
• Vice President, Thailand Information Security Association (TISA)
• Member of the Nomination and Remuneration Committee, SME Development Bank of Thailand (ธพว.)
• Lecturer on Corporate Governance, IT Governance, risk management, risk-based internal control and internal audit, and computer audit, including IT Audit for Non-IT Auditor and COBIT5 ++
• Author of articles on Corporate Governance, IT Governance, risk management, risk-based internal control and internal audit, computer audit and other topics such as the Digital Economy, published mainly through the Institute of Internal Auditors of Thailand (IIAT)
• Author of knowledge-sharing articles on GRC, ITG, IT Audit and Non-IT Audit, risk management, risk-based internal control and internal audit, integrated management and other topics on the learning-community websites www.itgthailand.com and www.itgthailand.wordpress.com

Page 3

Speaker: วรางคณา มุสิกะสังข์ (Varangkana Musikasang), [email protected], 02-344-1055

Education: Diploma in Law, Ramkhamhaeng University; Bachelor of Statistics, Chulalongkorn University; MBA in Financial and Banking, Chulalongkorn University

Work: currently Director, Risk Assurance Services, PricewaterhouseCoopers

Other positions: Vice President, ISACA Bangkok Chapter

Member of the Accounting Profession Committee on Accounting System Design, Federation of Accounting Professions under the Royal Patronage of His Majesty the King; member of the Subcommittee on the project to promote the adoption of accounting software and ERP in small and medium-sized businesses, Federation of Accounting Professions under the Royal Patronage of His Majesty the King

Other experience: lecturer on risk assessment, IT audit and IT Governance for the ISACA Bangkok Chapter

Moderator and lecturer on risk assessment, IT audit and IT Governance for the Institute of Internal Auditors of Thailand

Page 4

Digital threat: Are you at risk?

Page 5

Digital society

Digital technology has become the world’s touchpoint, connecting, informing, and enabling life at every level, from individuals to institutions. For today’s businesses, digital is integral — woven so deeply into strategy, infrastructure, operations, and products/services that in a very real sense, business and IT have become one.

IT is business — which means IT risks are business risks.

Page 6

Digital trust

The goal is clear but the path there is fraught. For their digital investments to deliver the expected benefits, companies need to have trust in their data, systems, and processes.

They need:

• the right talent to keep them running,

• the right governance structures, controls, and risk management processes to keep them healthy, safe, secure, and compliant.

And they need to instil the flexibility that will allow them to evolve as business needs change.

Page 7

Social Media risk

Page 8

Global State of Information Security Survey 2017 (GSISS 2017)

Page 9

GSISS 2017 by Financial services

Page 10

Cyber Security – confidence in your digital future

Page 11

Emerging Risks: Social Media

Industry: Aviation When: July 2009 Category: Crisis management

In 2009 singer and songwriter Dave Carroll took a flight with United Airlines. The neck of his $3,500 guitar was broken during the flight, so he complained to United to ask them for compensation. Dave tried to make a claim for 9 months but was refused by United because he had apparently waited more than 24 hours before making the claim.

He apparently tried phone calls, emails and even suggested that United give him flight vouchers instead of money, but he continued to be refused.

So, he decided to write a song and make a music video to tell his story and vent his frustration, called “United Breaks Guitars”. He put it on YouTube and it went viral. After 150,000 views United offered payment to make the video go away; however, Dave decided to leave it running.

Mainstream media picked up on the story and Dave is reported to have done over 200 interviews in the first few months after launching the video. The BBC reported that United’s stock price dropped by 10% within three to four weeks of the release of the video – a decrease in valuation of $180 million.

The video is still live and at the time of writing has received over 15.5 million views. This goes to show how powerful social media can be for disgruntled customers.

View the video here: https://www.youtube.com/watch?v=5YGc4zOqozo

Page 12

Emerging Risks: Social Media

Sources: http://www.bbc.co.uk/news/world-us-canada-27136631

Industry: Policing / Public Sector When: April 2014 Category: Hashtag hijacking

In April 2014 the New York Police Department (NYPD) started a campaign to encourage New Yorkers to share photos of themselves with a member of the NYPD in an attempt to show the positive face of the NYPD. They created the hashtag “#myNYPD” and posted to Twitter asking for members to respond with their photos.

Unsurprisingly, the hashtag was soon hijacked by people who used it to reveal an uglier side to policing. It became a “bashtag” with hundreds of users posting photos showing alleged police brutality, as well as some other comical tweets poking fun at the police.

This sort of thing was quite predictable and goes to show that campaigns such as this need serious thought to address the risks of them backfiring.

Page 13

Page 14

Two banks draw up 2017 risk plans: PromptPay expected to cut fee income by 4%

Mr. Predee Daochai, Managing Director of KBANK, disclosed that the bank is preparing its strategy, including plans to handle various risks in 2017 that will affect the bank's results, especially its money-transfer service via PromptPay. New financial innovations such as money-transfer and payment applications will directly affect fee income from transfers; in the case of PromptPay, fee income is expected to fall by about 4%. The bank's fee income currently stands at 37,526 million baht.

Mrs. Kittiya Todhanakasem, Senior Executive Vice President of SCB, said the bank has likewise prepared a risk assessment plan for its PromptPay service in 2017 and expects PromptPay to reduce the bank's fee income by at least 4%. Fee income to date stands at 32,704 million baht.

Updated: 14 October 2016, 06:20:00, Prachachat Business (ประชาชาติธุรกิจ)

Page 15

Q1. How should the enterprise address emerging risk?

Page 16

What is Digital / the Digital Era?

Digital is the evolution, and the process, for sustainable growth that understands the impact of change from a new environment and from technology, including innovation that emerges rapidly:

1. which affects stakeholders;

2. which involves governance that can create added value for stakeholders through the most appropriate risk management and the most beneficial use of resources;

3. and which has sufficient, high-quality data/information to properly support decision-making by those involved.

Page 17

Digital transformation and Governance of IT: Creating new business models where digital meets physical

Forces for business change -> Risk -> Threat

Chief among forces for transformation are the surge in devices for mobile connectivity, such as smart phones and tablets, and the creation of social networks, such as Facebook and Twitter.

Both of these developments are creating an exponential explosion in data, which, in turn, requires business analytics to make sense of the information.

Shifting global connectivity and customer empowerment drive digital transformation

https://www-07.ibm.com/sg/manufacturing/pdf/manufacturing/Digital-transformation.pdf

Page 18

Digital transformation and Infrastructure: Creating new strategy & business models -> Risk & Threat

Digital transformation is becoming pervasive across functions, industries and geographies.

https://www-07.ibm.com/sg/manufacturing/pdf/manufacturing/Digital-transformation.pdf

Page 19

Digital transformation -> Risk & Threat Perspective: Creating new business models where digital meets physical

From individuals to businesses to industries

Digital transformation drivers are pushing industries along the physical-digital continuum.

https://www-07.ibm.com/sg/manufacturing/pdf/manufacturing/Digital-transformation.pdf

Page 20

Digital Trends and Emerging Risks

Corporate data/Information

Cloud

Mobile

Social

Cyber

Analytics / Big data

Page 21

Equip yourself

Create forum internally for better control

Create guidelines

What the company will and will not do online

What employees can and cannot do online

The policies should be provided at the time of hiring

Provide training

Page 22

Growing gap between business and cyber attacker capabilities

Audit Insights Cyber Security 2015

Page 23

Changing from cybersecurity to cyber resiliency

It is not if but when!

Businesses need to accept that their security will be compromised

“Cyber resilience can be defined as the ability to resist, react to, and recover from cyberattacks.”

Businesses should focus on their critical information assets

Continuity, crisis management, incident response, monitoring and detection

Page 24

https://gfacr.org/tag/cyber-security-framework/

“Government has a solemn obligation to protect our people against systemic threats to our national and economic security. Cyber attacks cannot be handled exclusively by our government's law enforcement, military and intelligence services, nor are federal regulations able to keep pace with ever evolving cyber threats. …. Through law and rule making, Congress and federal agencies enact solutions for our nation's challenges; companies then react with compliance. …… But laws and regulations alone cannot protect us from the emerging cyber threats…. Our cyber adversaries constantly deploy new and evolving methods to exploit vulnerabilities and inflict harm on our country…… Just weeks ago the Pegasus attack represented an unprecedented attack on Apple's iOS platform. No static checklist, no agency role, no reactive regulation alone is capable of thwarting a threat we cannot foresee. The federal government cannot regulate cyber risk out of existence. What we can do is work with you, business leaders, technical experts and cybersecurity professionals, to better manage cyber risk.

Page 25

Commerce believes this requires a new proactive collaborative approach between government and industry, one not reliant on static requirements but on vigilant continuous cyber risk management. What we need is a joint defense posture with real public-private partnerships. These are nice words, but actually how do we turn them into action and reliable protection? We need government and industry to speak the same language of cyber risk because we cannot work together without understanding each other. We need new laws to facilitate continuous candid collaboration between industries and agencies outside of the enforcement space. We need to work together to counter threats and deploy technical solutions that bake security into innovation. The Cyber Security Framework is the primary tool to evaluate cyber security posture…

Last month the FTC used the Cyber Security Framework lexicon of Identify, Protect, Detect, Respond, and Recover. The FTC detailed over 60 enforcement actions for data breaches in a manner that CEOs and CIOs can easily plug into their own operations to improve their cyber security…….”

Commerce Secretary Penny Pritzker, 27 September 2016, US Chamber of Commerce Annual Cyber Security Summit

Page 26

2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA

Page 27

Q2. IT Risk Management and Cybersecurity

Page 28

Page 29

Emerging Risks: Social Media

Risk Factors

Financial
• Companies face several financial risks associated with a breach:
• DPA fines
• Stock price decline
• Crisis management / remediation efforts

Operational
• Lack of good governance leading to:
• Reduced employee productivity
• Increased process complexity
• Loss of competitive advantage
• Disruption of business activities
• Insufficient moderation leading to poor content

Regulatory / Compliance
• Enforcement actions from government – EU regulation
• Compliance with self-regulatory frameworks (i.e. US-EU Safe Harbor, TRUSTe)
• Data retention / personal data off-shore

Reputational
• Employee misuse / inappropriate communications
• Negative impact to the brand
• Loss of employee, customer and / or investor confidence

Information Security
• Access controls
• External threats
• Careless employees
• Data classification and governance
• Sharing of confidential information
• Use of offshore organisations and 3rd parties

Page 30

People matter

There is no technical quick fix

Role-based or role-specific training

Training based on individual-risk exposure: “Identifying risk factors at the individual level saves time and money, as the organization likely does not need to train John and Jan equally.” (Pendergast, ISACA Journal vol 5, 2016)

Risks come from your people and should be fixed by your people

“… so if every time there’s a problem and the only thing your CIO/IT manager is suggesting is technology, you should poke them with a stick. You should say, ‘Wait a minute, where’s the process change or the other things that always have to go with technology to make it work.’”

John Pescatore, Gartner

Page 31

Page 32

Internal audit is uninformed about the expertise needed to address cybersecurity, or it lacks the resources to hire the necessary skills

2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA

Page 33

Governance of Enterprise IT (GEIT)

Page 34

Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).

[Figure: COBIT and Other IT/Management Standards & Best Practices, plotted by scope of coverage against WHAT vs. HOW: COBIT, ISO 9000, ISO 17799, ITIL, ISO 20000, COSO. Source: ITGI]

Page 35

COBIT 5 Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

Page 36

COBIT 5 Enablers

Page 37

Governance Objective: Value Creation

Page 38

Governance of Enterprise IT (GEIT)

Resource: ISACA

COBIT 5 Goals Cascade Overview

Stakeholder needs and enterprise goals
-> COBIT 5 Enterprise Goals / Business BSC
-> detailed mapping: enterprise goals to IT-related goals
-> IT-related Goals
-> detailed mapping: IT-related goals to IT-related processes

Page 39

COBIT 5 Process Reference Model

Governance Process: 5 EDM processes

Management Process: 4 Domains, 32 Processes (APO 13, BAI 10, DSS 6, MEA 3)

Page 40

Page 41

COBIT 5 for Risk Overview

Page 42

COBIT 5 for Risk Overview (Cont.)

Page 43

COBIT 5 for Risk Overview (Cont.)

Page 44

Target Audience

Page 45

Target Audience (Cont.)

Page 46

Page 47

Risk Function Perspective

COBIT 5 for Risk identifies all COBIT 5 processes that are required to support the risk function:

• Key supporting processes – dark pink
• Other supporting processes – light pink

Core risk processes, shown in light blue, are also highlighted; these processes support the risk management perspective:

• EDM03 Ensure risk optimisation
• APO12 Manage risk

Page 48

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organise
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Page 49

Risk Scenarios

12 October 2016. Source: COBIT® 5, ISACA® All rights reserved.

Page 50

Risk Scenarios

COBIT 5 for Risk provides 111 risk scenario examples across 20 scenario categories.

12 October 2016. Source: COBIT® 5, ISACA® All rights reserved.

Page 51

Alignment with other standards

COBIT 5 for Risk—much like COBIT 5 itself—is an umbrella approach for the provisioning of risk management activities.

COBIT 5 for Risk is positioned in context with the following risk-related standards:

• ISO 31000:2009 – Risk Management

• ISO 27005:2011 – Information security risk management

• COSO Enterprise Risk Management

Page 52

CSX™

Page 53

CYBER ATTACKS ARE BECOMING AN EVERY-DAY OCCURRENCE… YET THERE STILL AREN’T ENOUGH SKILLED PROFESSIONALS TO HELP COMPANIES PROTECT AND DEFEND THEIR ASSETS.

Page 54

Page 55

Page 56

Page 57

Page 58

Page 59

Page 60

For more information, visit us at https://cybersecurity.isaca.org

Page 61

Q3. What are the auditor's role, focus areas and approach?

Page 62

2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA

The success of these efforts depends in large part on obtaining the support and cooperation of key players: IT, executive management, and the board.

Page 63

IT Audit Plan - Process -> Performing and Risk Assessment

Source : GTAG

Page 64

IT audit function in the digital journey

Kress, ISACA Journal vol 1, 2016

• IT audit moves from an “outsider” coming in after the fact to an “advisor” for advancing the company’s business strategy (IT – Business – Audit Strategy)

• Continuous risk assessment (rather than an annual risk assessment)

• Leveraging analytics to support continuous audit, continuous monitoring, and value identification

• Culture shifts from retrospective to proactive

• The distinction between tech and non-tech auditing disappears

Page 65

Digital transformation is resulting in increased expectations of Internal Audit to deliver quality, impact, and value

IIA International conference, 2016

Page 66

Page 67

Page 68

2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA

Page 69

COBIT 5 product family (กลุ่มผลิตภัณฑ์)

• Business Framework
• Enabler guides: Enabling Processes; Enabling Information
• Professional guides: Implementation; Information Security; Assurance; Risk
• Process Assessment Programme: Process Assessment Model; Self-Assessment Guide; Assessor Guide

แปล (translated)

Page 70