You can read the full article here.
Does your company perform a risk assessment? If you said yes, what did you mean by “risk assessment”?
I ask because often when people say “risk assessment” they are thinking “gap analysis”. As IT auditors, our instinct is sometimes to select our favorite security framework (probably ISO 27001 or NIST 800-53) and begin identifying gaps in the control environment.
Even when we have “great” audit findings, often we don’t have the context to make meaningful recommendations in a business context. That’s because we need to re-think the definition of risk assessment. (For further reading, Norman Marks provides a great Internal Audit perspective and the Department of Health and Human Services discusses risk analysis in detail as related to HIPAA.)
When is the last time you suggested a $1,000,000 solution for a $100 problem?
A better risk assessment process begins with context and starts several steps before the gap analysis begins. A well designed risk assessment should drive what level of control is appropriate based on quantified risk and the Company’s risk tolerance. This also gives auditors the tools to make better recommendations.
Here are three things you may want to consider as part of your risk assessment tool belt:
First, consider the context. Are there known external threats or internal vulnerabilities specific to your organization? Are there important corporate initiatives that drive business success? Do these factors impact some systems or business units differently than others? How do these facts impact the Company’s risk tolerance and the level of controls required to reduce risk to an acceptable level?
Second, consider the business side of the equation (often called people, processes, and technology). Are there business functions that impact the Company’s ability to earn revenue or that drive profits? How are these business processes supported by technology? What is the appropriate level of control for these systems and processes? Which systems merit a more thorough assessment than others?
Third, inventory your digital assets. What are your “crown jewels” and where do they live (in which applications)? For example, where does your Company store mission critical data, and where is private employee and customer data kept? This information will help an assessor make a more accurate judgement when recommending the depth of controls necessary to secure a system.
As IT auditors and risk management professionals we should re-think what we call a “risk assessment” and how appropriate consideration of risk will drive future audits and gap analysis.
For more information from the risk3sixty team on how to assess, quantify, and visualize IT related risk contact us.
Our team was recently tasked with developing an audit plan for Microsoft Office 365. While there are plenty of tools available to assist organizations with performing ongoing audits of user privileges and object permissions in Microsoft Office 365, we were hard pressed to find any solid thought leadership on auditing Office 365 beyond user and object permissions.
It almost appears that because Office 365 is a cloud solution, many organizations assume much of the risk surrounding the platform is transferred to Microsoft. After digging into the product with a few of our clients and assessing how the product integrates into their business operations, our risk assessment identified a few areas of concern where the Internal IT Audit department can add great value to the organization.
Control Objective 1:
In regards to Office 365 and the business needs it addresses in the organization, what is the first thing we should care about? For starters,
This resulted in our first Control Objective sounding something like the following:
Control Objective 2:
Now that we have thought through risks surrounding the implementation of Office 365, what do we care about next? We think Logical Access is a logical next Control Objective.
In regards to Logical Access surrounding management of the system,
Our second control objective reads like this:
Control Objective 3:
Next, our risk assessment revealed that a lot of things can go wrong when running on-premises AD and Exchange Server in conjunction with Office 365. Misconfiguration of the sync tools can cause availability and licensing issues, poorly managed user objects in the on-premises AD can find their way into the Azure AD instance, and more.
Some of the things we care about include:
Our third Control Objective reads like this:
Control Objective 4:
Finally, we decided that we care a lot about assessing the implementation of any Office 365 security and confidentiality tools, making sure these are implemented in accordance with company policy, and gaining assurance that the tools are operating effectively.
Some things we care about in this Control Objective include:
Our fourth Control Objective reads like this:
We have had a ton of positive reception while developing this program! As we continue to see more environments and learn more about Office 365 and the concerns on executives’ minds, we will continue to build out our program.
If your organization needs help assessing your Office 365 environment or you have some wisdom to share that might help us improve our program, please send us a message on our Contact Page or in the comments below.
Our team is very excited to announce that Robin Bienfait has joined the risk3sixty advisory board.
Two years ago we had the pleasure of meeting Robin at Georgia Tech where she was giving a presentation on technology, innovation, and leadership. Since then we have exchanged many ideas about the future of entrepreneurship, technology, information security, and technology risk management. After dozens of great conversations it became clear to us that Robin’s experience as a technology/innovation executive and passion for helping entrepreneurs succeed would be invaluable to our team.
Going forward Robin will be working with our team to provide strategic direction as we further grow our information security, compliance, and technology risk management tools and services. She will also continue to challenge our executive team to run a great business where people want to come to work.
Presently the Chief Executive Officer and Founder of Emnovate, Robin previously excelled in executive and c-suite-level positions for Samsung Electronics, BlackBerry and AT&T. Her roles have included Chief Enterprise Innovation Officer at Samsung Electronics, Chief Information Officer / Chief Technology Officer / Chief Information Security Officer for BlackBerry, and Chief Compliance Officer at AT&T.
Robin holds 15 patents and has served on the advisory boards of Cisco and Hewlett Packard. She is an active innovator and engineer with a master’s degree in technology management from Georgia Tech. Robin is also a partner with Valor Ventures, Georgia’s first women-owned venture capital firm.
Read Robin’s full profile.
We are an Atlanta-based Technology Risk Management (TRM) firm focused on IT audit, risk, and compliance consulting and software solutions. Risk3sixty’s management-level consulting team leverages deep industry experience and unique technology solutions to enhance risk visibility, reduce the burdens of compliance, and create actionable programs which enable executives and their management teams to make better decisions.
Read more about Our Company.
In 2015, Symantec was caught issuing improperly validated certificates which could be used to break HTTPS and put internet users at risk. Some of the improperly issued certificates were for Google-owned domains; used maliciously, they could allow impersonation of HTTPS-protected Google websites.
Understandably, Google was very upset and responded by requiring Symantec to publicly log all certificates it issued (Certificate Transparency) so the security community could scrutinize them. Otherwise, Google threatened to retool its popular web browser, Google Chrome, to flag all Symantec-issued certificates as potentially unsafe. That would undoubtedly lead many websites to drop Symantec for another Certificate Authority.
Nearly a year and a half after Symantec’s transgressions, it appears the popular Certificate Authority is at it once again, caught issuing 108 certificates in violation of the strict industry guidelines for issuing certificates.
The internet was not designed with security in mind. Before the development of secure transmission protocols, all data was passed back and forth between users and websites unencrypted, readable by any third party able to intercept it (similar in nature to wire taps on telephone lines).
To ensure both the confidentiality and integrity of data being passed back and forth between an end user and a website, encryption is necessary, but encrypting data passing from one party to another is not enough. There must also be a way to authenticate that the website you wish to create a secure connection with is who it says it is. Otherwise an attacker in the middle can simply present their own key and encrypt the traffic to themselves. The need to authenticate the identity of websites to end users is the major reason Certificate Authorities matter.
A certificate binds a public key to an identity. At a minimum, the certificate offers Domain Validation, but some organizations may opt for further authentication of their identity on the web and obtain Organization Validation or, further still, Extended Validation. (Read more about the differences between certificate types here.)
Domain Validation is quick and typically an automated process, but for an organization to obtain Organization Validation or Extended Validation, the Certificate Authority is expected to perform additional investigation into the organization requesting the certificate, verifying its identity with both the requester and independent third parties. Once verified, the Certificate Authority signs the certificate with a private signing key which only the Certificate Authority should have access to. As long as that key stays private, nobody else can produce a certificate that bears the CA’s signature. Note what this does and does not guarantee: the signature proves the CA issued the certificate, not that the CA validated it correctly. A CA that skips or botches validation produces a certificate that is cryptographically perfect and still wrong.
Our computers and smartphones are preconfigured to trust any certificate issued by a long list of Certificate Authorities, and every CA on that list can issue a certificate for any domain. The rules a publicly trusted CA must follow are set by the CA/Browser Forum Baseline Requirements, and WebTrust for Certification Authorities is the audit program that checks compliance with them; both require that the CA verify the identity of the requester of a certificate (and, for domain validation, control of the domain) prior to issuance. This hierarchy, from a trusted root down to the certificate a site presents, is the chain of trust that makes up the web’s public key infrastructure (PKI). (The term “Web of Trust” describes something different: the decentralized, peer-signed trust model used by PGP.)
When Symantec issued certificates for Google-owned websites which Google never authorized, Symantec broke that chain of trust. A malicious entity holding such a certificate and its private key could stand up a forged website that looks identical to a legitimate Google website, and our computers would never know the difference, because the certificate chains to a root they already trust.
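The following Go program, added here as an illustration and not part of the original post, shows why a single misbehaving CA is enough to impersonate any site. It builds two hypothetical root CAs, a “trusted” one and a “rogue” one, has each issue a server certificate for a made-up host name (www.example.test), and then checks each certificate the way a browser would with the standard library’s crypto/x509 verifier. The rogue certificate is rejected only while the rogue CA is absent from the trust store; add it, and the forged certificate is accepted exactly like the legitimate one. All names, serial numbers and the host are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA returns a self-signed CA certificate and its private key.
// The common name is a hypothetical label used only for this demonstration.
func newCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA sign a server certificate for host. A real CA must only
// reach this step after validating that the requester controls host; nothing
// in the signature itself records whether that validation happened.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor mimics a browser: accept leaf for host only if it chains to a root
// in the trust store and its names cover host. Returns nil on success.
func verifyFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome records what the relying party decides in each scenario.
type Outcome struct {
	LegitAccepted            bool // cert from the trusted CA, presented for the right host
	WrongHostRejected        bool // same cert presented for a host it does not name
	RogueRejected            bool // cert for the host signed by a CA not in the store
	RogueAcceptedOnceTrusted bool // same rogue cert once that CA is added to the store
}

// Demo runs the four checks and returns the outcome for inspection.
func Demo() (Outcome, error) {
	const host = "www.example.test" // hypothetical host name
	var out Outcome

	trustedCA, trustedKey, err := newCA("Trusted Root CA (demo)", 1)
	if err != nil {
		return out, err
	}
	rogueCA, rogueKey, err := newCA("Rogue Root CA (demo)", 2)
	if err != nil {
		return out, err
	}
	legit, err := issueLeaf(trustedCA, trustedKey, host)
	if err != nil {
		return out, err
	}
	rogue, err := issueLeaf(rogueCA, rogueKey, host) // issued without any authorization from the host's owner
	if err != nil {
		return out, err
	}

	store := x509.NewCertPool() // stands in for the OS or browser root store
	store.AddCert(trustedCA)

	out.LegitAccepted = verifyFor(legit, store, host) == nil
	out.WrongHostRejected = verifyFor(legit, store, "mail.example.test") != nil
	out.RogueRejected = verifyFor(rogue, store, host) != nil

	// The moment the rogue CA is trusted, its forged certificate passes every check.
	store.AddCert(rogueCA)
	out.RogueAcceptedOnceTrusted = verifyFor(rogue, store, host) == nil
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The verifier never sees the validation the CA did or did not perform; it only checks that the signature chains to a trusted root and that the name matches. That is why the browsers’ remedy for Symantec was Certificate Transparency rather than a cryptographic change: public logs let a domain owner discover certificates issued for their names by any of the hundreds of trusted roots, which the trust-store check alone cannot reveal.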
It will be interesting to see how the industry responds to the latest careless behavior by Symantec. It might be possible that Google and the other browser publishers respond by warning users anytime they visit a site with a certificate published by Symantec, which would definitely hurt the organization’s business.
Please leave any questions, comments or corrections you might have!
This update is long overdue, but we started a business!
After two years of blog posts we decided to take the leap and make risk3sixty a full-fledged consulting company, specifically focusing on world-class IT Audit, Cyber Risk, and Compliance PMO services.
After talking to many of our clients and colleagues we realized the world wants a boutique consulting firm like risk3sixty. As one of our clients put it: a firm that “possesses a unique balance of technical, business, interpersonal and leadership skills who are customer focused, value conscious, strategically minded, and capable of delivering results that make a positive difference.” (Check out our Value Proposition)
Right now we are focused on hiring the best manager-to-partner level candidates we can find and also growing the Atlanta market, but we have (and love) clients all over the US and abroad. In general our strategy is to hire the best manager-level-and-above consultants in our network and give them the tools and resources to over-serve our clients. We think this is a pretty big departure from the traditional CPA and consulting firm model, one that will make both our clients and team-mates happier.
Although we are consulting for ourselves full-time these days our blog is still alive and well. In fact, our goal is to increase the number of quality blog posts including posts from our team members with expertise in a wide range of IT Audit, Security, and Risk related topics.
We promise not to spam you with a sales pitch or clickbait. Our content will remain relevant and hopefully provide even better reading material to people in our industry. Going forward you should still see at least one post per week and as always, we welcome your comments, suggestions, and feedback.
Until recently the security concerns associated with IoT devices have been mostly speculative. It’s easy to ignore how a webcam or an inexpensive gadget might be a cyber-security concern. Most people don’t think in terms of security.
For me this is part of what makes the IoT space interesting. Consider what’s happening: 1) The number of internet connected devices is exploding, 2) Most of these devices have little or no security, and 3) There’s no obvious reason to fix these security problems. What we’re left with is a problem that is only going to get bigger and evolve over time.
As IoT-type devices find their way into hospitals, homes, and the personal lives of users there is no question security concerns will become more potent; however, at that point will it be too late? Is there a proactive approach to IoT security we should consider, or will it get worse before it gets better?
Here are some quick reads for the week of September 5, 2016. If you have interesting links of your own share them in the comments.
“CISO” is still a relatively new executive role and it seems like most companies are still trying to figure out who or what constitutes an effective Chief Information Security Officer. As it stands, the title CISO falls somewhere between Director of IT and Chief Compliance Officer for most organizations. But rather than empowering the role, this ambiguity blurs the lines of authority and ownership and makes it difficult to run an effective security organization.
I think the roles and responsibilities of a CISO will vary, for the time being, based on an organization’s need and maturity, but regardless of how an organization decides to brand the title CISO the role has to be clearly defined and clear lines of authority established.
I’ve seen a number of organizations hire a CISO with the misconception that one person can make all security and compliance problems disappear, but that’s just not the case. If we’re going to get serious about security the entire leadership has to buy-in (and that includes with budgets). Security has to be a sustainable business process – not a fire to be put out (which is the current climate at many organizations).
Look no further than the number of jobs most CISOs have held in the past 5 years. Average tenure for a CISO hovers somewhere around 17 months across almost all organizations. That fact alone points to something interesting and problematic in the world of information security.
Over the past few months I’ve had several leaders of Internal Audit departments ask: “How can we build cyber-security into our annual audit plan?”
After a few conversations I decided to put together a whitepaper to help the less-than-technical Chief Audit Executive (CAE) put together a well thought out IT Risk Assessment that helps identify and prioritize potential audit projects that tackle the subject of IT risk.
Here are some quick reads for the week of August 29, 2016. If you have interesting links of your own share them in the comments.
There is hardly a company I have consulted with that doesn’t rely on outdated technology to support critical components of their business. In fact, most larger companies aren’t relying on just one out-of-date technology, but many of them.
Whether because of M&A activity or a lack of capital expenditure on IT initiatives, unpatched servers, unsupported AS/400 and Windows servers, and custom systems only a handful of developers understand all continue to thrive in the basements of the best-known companies.
Left unchecked, these factors present significant risk to organizational sustainability, but fly under the radar in lieu of more visible IT initiatives like cloud, cyber, or big data. However, over the next few years it seems likely companies will have to re-assess their risk profile to account for much needed transitions to newer technology platforms.
So, from that perspective, the Delta outage isn’t a surprise. In fact, I wonder to myself if it is instead a sign of things to come?