An accountant is a valuable asset to any organization. He or she is a professional who performs accounting functions. Accounting is not confined to tax and financial matters, contrary to what people generally think.
1. SAV LLP
FOR INFORMATION ONLY - DISTRIBUTION IS PROHIBITED WITHOUT PERMISSION
Weakest links of an organization’s Cybersecurity Chain
and
Mitigation Options
An Auditor’s Perspective
SEPTEMBER 09, 2019
2. SAV LLP
Disclaimer
This material is for educational purposes only. As it deals with technical matters which have broad application, it is not practical to include all situations. As well, this material and the references contained therein may reflect laws and practices which are subject to change. Some content of this presentation has been copied or obtained from other sources; hence the preparer takes no responsibility for the content's validity and accuracy. For this reason a particular fact situation should be reviewed by a qualified professional. The references can be shared upon formal request.
Although the presentation material has been carefully prepared, none of the persons involved in the preparation of the material accepts any legal responsibility for its contents or for any consequences arising from its use.
Distribution of this presentation for commercial purposes is prohibited.
3. SAV LLP
Cyber Security
There is a wide range of currently accepted cybersecurity definitions. The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.
Myth about Cyber Security – Cyber risk can be reduced, and security posture improved, simply by purchasing products and outsourcing support.
There is no absolute security. The only way to prevent death is to already be dead; otherwise there is always a risk.
Security is a balancing act of defending an organization according to the organization's risk tolerance and profile.
In Summary - Cybersecurity is the combination of processes, practices and technologies designed to protect networks, computers, programs, data and information from attack, damage or unauthorized access.
4. SAV LLP
Cyber Threat
A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains.
Define what is at risk (physical and digital).
Do you know what your "worst possible day" looks like? (Not being able to transact, theft of sensitive information, inability to perform a physical function.)
Once an organization identifies and qualifies the risks and assets associated with its key functions, it becomes inherently easier to identify potential causes of a critically impactful incident.
Consequently, the organization will be better prepared to appropriately mitigate risks and spend security resources sensibly.
5. SAV LLP
Threat Landscape
As per ENISA (European Union Agency For Network and Information Security), some of the main trends in the 2018 cyberthreat landscape are:
Mail and phishing messages
Staff retention
Raising awareness at the level of security and executive management
Automated attacks through novel approaches
IoT environments
6. SAV LLP
Is Cybersecurity an IT Problem or a Human Problem?
DNA OF AN ATTACKER
Attackers are humans, with human goals
Humans are not perfect – some are good, some are bad, but they aren't perfect
Perfection doesn't exist in offense or defense
To defend against attack, your strategy must have capabilities to detect, respond and build back up controls to prevent next steps.
However, it is very important to know what is mission critical and what is trivial.
7. War Games
Learnings from conventional war to mitigate Cyber Threat
Cu Chi Tunnels in Ho Chi Minh City during the Vietnam War
https://www.reddit.com/r/secretcompartments/comments/82fhg3/tunnels_used_by_viet_cong_forces_during_the/
8. SAV LLP
Role of a CFO / Head of Finance
The CFO's role has always ranged from a fiduciary one (a custodian preserving value) to a visionary one (an architect creating value). This role is becoming much more about strategy and the future rather than stewardship, and even more about value realization and optimization.
IFAC (International Federation of Accountants) explains that a professional CFO should:
1. Be an effective organizational leader and a key member of senior management
2. Balance the responsibilities of stewardship with business partnership
3. Act as the integrator and navigator for the organization
9. SAV LLP
Cybersecurity – What do CFOs need to know?
Planning and Management
• How do we identify our critical assets and associated risks and vulnerabilities?
• How do we meet our critical infrastructure operations and regulatory requirements?
• What is our strategy and plan to protect our assets?
• How robust are our incident response and communication plans?
Assets
• How do we track what digital information is leaving our organization and where that information is going?
• How do we know who's really logging into our network, and from where?
• How do we control what software is running on our devices?
• How do we limit the information we voluntarily make available to a cyber adversary?
10. SAV LLP
Cybersecurity Frameworks
What is a Framework
A framework is a set of voluntary guidelines and practices that help organizations better manage and reduce cybersecurity risk.
Well accepted Cybersecurity Frameworks
The most frequently adopted cybersecurity frameworks are:
NIST Framework
PCI DSS (Payment Card Industry Data Security Standard)
ISO 27001/27002 (International Organization for Standardization)
CIS Critical Security Controls
COBIT 2019
TSP 2017 (SOC2)
Why adopt a security framework
A framework takes out a lot of the guesswork and shows you, often with supporting evidence, where to apply pressure.
Planning and implementing a framework can help organizations understand their operational maturity level and provide metrics that feed back into the organization.
13. SAV LLP
Weakest Links of the Cybersecurity Chain
Cybersecurity is a shared responsibility – people, processes, tools, and technologies work together
to protect an organization's assets.
A few of the common weakest links in the cybersecurity chain are (and they are not tools):
1. Weak tone at the top - Governance framework
2. Poor user management and access controls
3. Weak asset management
4. Lack of cyber policy
5. Lack of awareness regarding information sharing and breach reporting
6. Lack of monitoring of service providers
15. SAV LLP
Tone at the Top - Governance Framework
Governance Framework
Key initial steps
Decide who should be involved in the development of a cybersecurity program.
Identify known risks and established controls.
Establish a cross-organizational committee of senior executives that brings together the full range of enterprise knowledge and capabilities. This should include IT and corporate security, as well as business owners.
Leadership is key
Selecting an executive with broad cross-functional responsibilities, such as the CFO or COO, to lead this committee can help drive broader corporate adoption.
This effort should report to a specialized committee, such as the Audit or the Risk Committee, or in some cases to the board itself.
Board and Senior Management involvement
The National Association of Corporate Directors (NACD) cites five cybersecurity principles for boards:
1. Cybersecurity is an enterprise-wide risk management issue, not just an IT issue
2. Legal implications of cyber risks
3. Adequate access to cybersecurity expertise, and regular discussions about cyber-risk management.
4. Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
16. SAV LLP
User Account Management and Access Control
Need to Know basis
The following are recommendations for user account management and access control:
Centrally manage all user accounts, e.g. Active Directory, UUID.
Disable system accounts that cannot be associated with a business process and owner.
Disable accounts upon termination of an employee or contractor.
Conduct periodic user access reviews.
Force users to automatically re-login after a standard period of inactivity.
Require strong passwords.
Limit the number of privileged accounts.
Require two-factor authentication for privileged accounts.
Control access to the computer system's audit logs.
Make cybersecurity training and awareness mandatory for all personnel.
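The account-management recommendations above, applied as an added example (not material from the presentation): a periodic access review over a constructed account export that flags ownerless, terminated, inactive and non-2FA privileged accounts and checks the privileged-account cap. The field names and the 90-day / two-account thresholds are assumptions.

```python
"""Periodic user access review over a constructed directory export.
Added example, not from the presentation: applies the slide's controls (an
owner for every account, disable on termination, inactivity review, limited
and 2FA-protected privileged accounts) to constructed records. Field names
are assumptions, not a real Active Directory schema."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90          # assumed threshold; the slide gives no number
MAX_PRIVILEGED = 2            # assumed cap on privileged accounts
TODAY = date(2019, 9, 9)      # presentation date, used as the review date

@dataclass
class Account:
    name: str
    owner: Optional[str]        # business owner; None when nobody claims it
    terminated: bool            # HR says the employee/contractor has left
    privileged: bool            # member of an administrative group
    mfa_enrolled: bool
    last_logon: Optional[date]  # None means the account never logged on

# Constructed sample export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "Finance", False, True, True, TODAY - timedelta(days=3)),
    Account("svc_backup", None, False, False, False, TODAY - timedelta(days=10)),
    Account("bob", "IT", True, True, False, TODAY - timedelta(days=200)),
    Account("carol", "Sales", False, False, True, None),
    Account("dave", "IT", False, True, True, TODAY - timedelta(days=1)),
]

def review_accounts(accounts=SAMPLE_ACCOUNTS, today=TODAY) -> Dict[str, List[str]]:
    """Return {account_name: [findings]}; clean accounts are omitted."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if acct.owner is None:
            issues.append("no business owner: disable")
        if acct.terminated:
            issues.append("terminated: disable")
        if acct.last_logon is None or (today - acct.last_logon).days > INACTIVITY_DAYS:
            issues.append("inactive beyond %d days: review" % INACTIVITY_DAYS)
        if acct.privileged and not acct.mfa_enrolled:
            issues.append("privileged without 2FA: enforce 2FA")
        if issues:
            findings[acct.name] = issues
    privileged = [a.name for a in accounts if a.privileged]
    if len(privileged) > MAX_PRIVILEGED:  # "limit the number of privileged accounts"
        findings["_policy"] = ["%d privileged accounts exceed limit %d" % (len(privileged), MAX_PRIVILEGED)]
    return findings
```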
17. SAV LLP
Asset Management
You can't control what you don't know about.
The following are recommendations for asset management:
Deploy and maintain an automated asset inventory discovery tool that also helps the entity build an inventory of systems connected to the organization's private and public networks.
Use Dynamic Host Configuration Protocol (DHCP) server logging to support the asset inventory; the lease information it records can help detect unknown systems.
Ensure that the inventory system is updated when newly acquired and approved equipment connects to the network.
Deploy network-level authentication and Network Access Control (NAC). These services help prevent unauthorized devices from connecting to the network.
Use client certificates to validate and authenticate systems before they connect to the organization's network.
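The DHCP-logging recommendation above, as an added example that is not from the presentation: it compares constructed dhcpd DHCPACK log lines against an approved inventory keyed by MAC address and reports every device that received a lease without being in the inventory. The line layout follows ISC dhcpd syslog output; the inventory, MACs, hostnames and log lines are constructed.

```python
"""Detect unknown devices from DHCP server logs (asset inventory check).
Added example, not from the presentation: it walks constructed syslog lines
in ISC dhcpd style (DHCPACK on <ip> to <mac> (<hostname>) via <if>) and
reports every lease whose MAC address is absent from the approved inventory.
The inventory, MACs, hostnames and log lines are constructed sample data."""
import re
from typing import Dict

# Constructed approved inventory: MAC -> asset tag (not real devices).
INVENTORY = {
    "aa:bb:cc:00:00:01": "FIN-LAPTOP-07",
    "aa:bb:cc:00:00:02": "HR-DESKTOP-03",
    "aa:bb:cc:00:00:03": "PRINTER-2F",
}

# Constructed dhcpd syslog excerpt; only DHCPACK lines confirm a granted lease.
SAMPLE_LOG = """\
Sep  9 08:01:12 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:01 via eth0
Sep  9 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:01 (fin-laptop-07) via eth0
Sep  9 08:03:40 dhcp1 dhcpd: DHCPACK on 10.0.1.22 to aa:bb:cc:00:00:02 (hr-desktop-03) via eth0
Sep  9 08:17:05 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to de:ad:be:ef:00:99 (android-9f3c) via eth0
Sep  9 08:42:19 dhcp1 dhcpd: DHCPACK on 10.0.1.58 to de:ad:be:ef:00:42 via eth0
Sep  9 09:10:00 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to de:ad:be:ef:00:99 (android-9f3c) via eth0
"""

# The hostname is optional in dhcpd output, so that group is optional too.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*DHCPACK on (?P<ip>\S+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def find_unknown_devices(log_text=SAMPLE_LOG, inventory=INVENTORY) -> Dict[str, dict]:
    """Return {mac: details} for leases granted to MACs absent from the inventory."""
    unknown: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/REQUEST/NAK lines carry no confirmed lease
        mac = m["mac"].lower()
        if mac in inventory:
            continue  # approved asset; nothing to report
        entry = unknown.setdefault(mac, {"first_seen": m["ts"], "ips": set(), "hostname": None, "leases": 0})
        entry["ips"].add(m["ip"])
        entry["hostname"] = m["host"] or entry["hostname"]  # keep a name once one is seen
        entry["leases"] += 1
    return unknown
```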
18. SAV LLP
Cyber Policy
Some of the key elements of a good cyber policy:
Scope – all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception
Information classification – should provide content-specific definitions, rather than the more generic "confidential" or "restricted"
Management goals for secure handling of information in each classification category
Specific instruction on organization-wide security mandates (e.g. no sharing of passwords)
Specific designation of established roles and responsibilities
Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)
The implementation of a policy is not a single event, but rather an iterative process revisited as business models, relationships, and technology change.
Absent a policy, there can be no effective governance of the cybersecurity program, as there is no clear guidance upon which to make program decisions.
19. SAV LLP
Information Sharing and Breach Reporting Requirements
Microsoft makes the following eight recommendations for information sharing.
1. Develop a strategy for information sharing and collaboration.
2. Design with privacy protections in mind.
3. Establish a meaningful governance process.
4. Focus sharing on actionable threat, vulnerability, and mitigation information.
5. Build interpersonal relationships.
6. Require mandatory information sharing only in limited circumstances.
7. Make full use of information shared, by conducting analyses on long-term trends.
8. Encourage the sharing of best practices.
The exchange of best practices with peer organizations can allow organizations to play a proactive role by engaging with each other as well as with external organizations.
20. SAV LLP
Vendor Risk Management
Service Risks:
Volume of transactions processed
Concentration associated with the service
Sensitivity risk of the data to which the vendor could potentially have access
Compliance and regulatory risk related to the service
Customer and financial impact
Vendor Risks:
Location of the vendor (subject to multinational laws, regulations, etc.)
Previous data or security breaches
Extent of outsourcing performed by the vendor
Performance history
Common Deficiencies with 3rd Party Vendors:
Incident Response Management Plan
Inadequate Security Awareness
Data Loss Prevention
Encryption for data at rest and in transit
Administrator Privilege Lockdown
Vulnerability testing or penetration testing
Common approaches to evaluating Third Party Vendors and ongoing oversight include:
Perform vendor evaluation as part of the RFP
Desk assessments to evaluate requested information
On-site visits as appropriate by either in-house or contracted experts
Penetration tests of potential vendors
An outside independent reporting company to continuously monitor the cyber posture of any third-party vendor and ensure it is on par with the security risk level that the evaluating organization accepts
A process to alert the organization of infractions or breaches, so that it can easily work with vendors to correct and improve their security posture
To be successful, vendor risk management should be an element of an enterprise risk management program with established, repeatable processes in place that are consistent for all areas within the firm.
21. SAV LLP
Key Takeaways
Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach, combining security products, risk management, sensible policies and procedures, proper disaster recovery planning and human expertise.
A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity. Board-level and senior management-level engagement is critical to the success of firms' cybersecurity programs, along with a clear chain of accountability.
A well-trained staff can serve as the first line of defense against cyber attacks. Effective training helps to reduce the likelihood of a successful attack by providing well-intentioned staff with the knowledge to avoid becoming inadvertent attack vectors (for example, by unintentionally downloading malware).
One size doesn't fit all. The level of sophistication of technical controls employed by an individual firm is highly contingent on that firm's individual situation. While a smaller firm may not be positioned to implement the included controls in their entirety, these strategies can serve a critical benchmarking function to support an understanding of vulnerabilities relative to industry standards.
Many organizations use third-party vendors for services, which requires vendor access to sensitive firm or client information, or access to firm systems. At the same time, the number of security incidents at companies attributed to partners and vendors has risen consistently, year on year. Firms should manage cybersecurity risk exposures that arise from these relationships by exercising strong due diligence and developing clear performance and verification policies.
Cybersecurity is not only an IT problem; it is an enterprise-wide problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices. Security isn't simply one team's job – it's everyone's job; however, the security team needs to take the lead in improving the organization's overall security deployment.
22. SAV LLP
Summary of Best Practices
Tone at the top – The business itself needs to take security seriously, not just write a policy; it must support the security team with a budget and with people and tools.
Basic IT Security Foundation
Asset Management – What do you have, what do you value most, and where is it now? (You can't protect it if you can't find it.)
Process / Procedures –
Access Controls – Authentication, limit administrative accounts on systems, least privilege principle for access
Data Management, Change Management, Problem Management
Network Security – UTM (Unified Threat Management) tool, and keep BYOD devices off the main network
Endpoint Security – EDR (Endpoint Detection & Response) or at least some protection from downloads, attacks and data leakage
Security Operations – Detect, act and defend against future attacks
Encryption – A process of converting data into an unreadable form to prevent unauthorized access and thus ensure data protection
People – Hire and train people to defend the network (including critical data) and do not rely solely on technology
System Updates – Keep your systems up to date. Turn on auto update on all devices. Remove legacy applications that are at a sunset stage and can't be secured
Control Framework – Implement a critical security controls framework such as the NIST Cybersecurity Framework, PCI, COBIT, ISO 27K+
23. SAV LLP
THERE IS NO SINGLE SILVER BULLET FOR CYBER THREAT
Thank You PRESENTER –
SANJAY CHADHA CPA, CA, LPA, CISA, CITP
SAV LLP
CHARTERED PROFESSIONAL ACCOUNTANTS
HULLMARK CENTRE AT YONGE AND SHEPPARD
3M-4773 YONGE STREET, TORONTO, ON, M2N 0G2
TEL: 647.831.8322, 416.822.8570
EMAIL: INFO@SAVASSOCIATES.CA