
Expanding Client Offerings Through IT Audit/Security

Michael Hammond, CISA, CRISC, CISSP, C|EHDirector, IT Audit & Security ServicesO’Connor & Drew P.C.

#SuperConf15

Objectives

• Why IT controls are just as important as financial controls

• What type of IT Audit & Security services can your firm offer?

• What type of clients need IT Audit and Security services?

• How to get started with IT Audit & Security.


Why IT controls are just as important as financial controls

Do you use one of these for your business?


• Our clients use technology every day
• Client proprietary data resides on computers
• Client financial transactions are conducted on computers
• We trust the “cloud” to hold our backups, CRM, and sales pipeline data

• Common IT control types:
  • IT General Controls (ITGC)
  • ITGCs are required as a foundation to support sound business processes and to mitigate risk to data residing on computers, networks, wireless, and software applications.
  • IT staff often have complete access to the network. These individuals can read and modify company-sensitive files.

• Segregation of duties: dual controls in place to ensure no one person has the keys to everything
• Does accounts payable/receivable really understand what IT is spending?
• Is IT purchasing excess equipment and selling it on online auction sites?

• CIA Triad
  (diagram: Confidentiality, Integrity, Availability)

• Confidentiality: controls to protect sensitive data from falling into the wrong hands
  • Access controls
  • Encryption
  • User IDs/passwords

• Integrity: controls to maintain consistency, accuracy, and trustworthiness of the data
  • Access controls
  • File permissions
  • Version control

• Availability: controls to ensure applications are available when needed
  • Redundancy
  • Patching
  • Adequate bandwidth
  • Disaster recovery plans

What type of IT Audit & Security services can your firm offer?

• Regulatory control testing
  • Financial services companies
  • State data protection laws
    • MA 201 CMR 17.00 & California Civil Code §1798.82
  • HIPAA
  • FTC Safeguards
  • Sarbanes-Oxley (SOX)
  • FISMA
  • IRS 1075

• Non-regulatory
  • Independent vulnerability assessments
    • Reviewing desktops/servers/network devices for common exposures
      • Anti-virus coverage
      • Firewall service disclosure
      • Default passwords
      • Missing patches
    • Wireless security
    • Confidential data review
    • Backup infrastructure
    • Remote firewall testing (what’s exposed from the outside)

• Non-regulatory
  • AICPA Service Organization Control (SOC) Reports 2 / 3
    • These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy.

• Non-regulatory
  • Penetration testing
  • PCI-DSS (credit cards)
  • Staff augmentation
    • Provide assistance to management to perform internal control testing

• Typical client engagements
  • Vulnerability assessment
    • Typically a 2-week engagement, 2-3 days onsite
    • Risk-rated reports to clients of security issues facing their networks
      • Default passwords
      • Unpatched systems
      • Insecure wireless and network connections
  • PCI-DSS: “May need more lawyers than IT staff”
    • Staff certifications
      • QSA/DSS/PSA/
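The vulnerability-assessment service described in the two passages above (remote firewall testing of what is exposed from the outside, and the risk-rated report of exposed services that a typical engagement delivers) can be prototyped directly from a scanner's raw output. The Python script below is an added example, not code from the presentation or from O'Connor & Drew: it parses Nmap grepable (-oG) output from a constructed external scan of a fictional client perimeter and rates each open service against a simple exposure policy. The host names, addresses, banners and the policy tiers are all assumptions chosen for illustration.

```python
"""Risk-rate externally exposed services from Nmap grepable (-oG) output.

Added example, not from the presentation. The exposure policy below is an
assumption chosen for illustration; a real engagement tunes it per client.
"""
import re
from collections import Counter

# Constructed sample: what 'nmap -sV -oG ext.gnmap <perimeter>' might return.
# Hosts and names are fictional (203.0.113.0/24 is a documentation range).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG ext.gnmap 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|https//nginx 1.18.0/\tIgnored State: filtered (998)
Host: 203.0.113.11 (fw.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 23/open/tcp//telnet///, 8443/open/tcp//ssl|http//Fortinet web management/\tIgnored State: filtered (997)
Host: 203.0.113.12 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (997)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Exposure policy (assumption). HIGH: clear-text or admin protocols that have
# no business on an Internet-facing interface. MEDIUM: acceptable only with
# strong authentication and source restrictions. Everything else: Info.
HIGH_SERVICES = {"telnet", "ftp", "microsoft-ds", "netbios-ssn",
                 "ms-wbt-server", "ms-sql-s", "vnc", "rpcbind"}
MEDIUM_SERVICES = {"ssh", "snmp", "mysql", "postgresql", "ldap"}
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Info": 2}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# port/state/protocol/owner/service/rpcinfo/version/  (seven slash-terminated fields)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return one dict per open port found in grepable Nmap output."""
    findings = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment and summary lines
        host = m.group(1)
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), "")
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            if state != "open":
                continue
            findings.append({
                "host": host,
                "port": int(port),
                "proto": proto,
                # Nmap writes tunnelled services as 'ssl|https'; keep the inner service.
                "service": service.split("|")[-1],
                "version": version.strip(),
            })
    return findings


def rate(finding):
    """Map one finding to a severity under the exposure policy."""
    if finding["service"] in HIGH_SERVICES:
        return "High"
    # A device management interface reachable from the Internet is High
    # regardless of the protocol carrying it.
    if "management" in finding["version"].lower():
        return "High"
    if finding["service"] in MEDIUM_SERVICES:
        return "Medium"
    return "Info"


def assess(text):
    """Parse a scan and return findings with severities, worst first."""
    rated = [{**f, "severity": rate(f)} for f in parse_gnmap(text)]
    rated.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))
    return rated


def summary(rated):
    """Count findings per severity, for the front page of the report."""
    return dict(Counter(f["severity"] for f in rated))


if __name__ == "__main__":
    results = assess(SAMPLE_SCAN)
    print("Severity counts:", summary(results))
    for f in results:
        print(f"{f['severity']:<6} {f['host']}:{f['port']}/{f['proto']} "
              f"{f['service']} {f['version']}")
```

On a real engagement, feed it the file produced by `nmap -sV -oG ext.gnmap <targets>` via `assess(open("ext.gnmap").read())`. This covers only the "what's exposed from the outside" part of the assessment; default-password and missing-patch findings come from authenticated scanning, not from an unauthenticated port sweep.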

What type of clients need IT Audit & Security Services?

• Does your client have a computer?
• Does your client have employees?
• Therefore, your clients need IT Audit & Security Services
  • They may be in regulated industries
  • They may be hearing of other companies getting hacked
  • They may want to know where they stand

• Data breaches continue, and experts estimate it will only get worse
  (chart: Records Breached per year, 2012-2015, y-axis 0 to 100,000,000; source: https://www.privacyrights.org/data-breach/new)

How to get started with IT Audit & Security

• Staff: needed education
  • Common certifications
    • CISA: Certified Information Systems Auditor
    • CISSP: Certified Information Systems Security Professional
    • CRISC: Certified in Risk and Information Systems Control
    • C|EH: Certified Ethical Hacker
  • Training: most certifications require 120 CPEs over 3 years

• Staff: desired experience
  • Microsoft Windows Server/AD administrators (MCSE/MCP)
  • Network administrators (CCNA/CCNP)
  • Security administrators (CISSP/Security+)

• Technology: minimal investment
  • Use existing workpaper system
  • Vulnerability scanning software ($1,500-$15,000)
  • PCI-DSS cert ($25,000+)
  • Laptops with more memory for virtualization

Value for your firm

• Clients appreciate being able to obtain the additional service

• Additional revenue stream for your firm

• Not seasonal – steady (busy) workflow


• Recurring
  • Vulnerability assessments: minimum quarterly
  • Penetration testing: minimum annual
  • SOX controls are annual, with control testing throughout the year
  • FTC Safeguards are required annually, but without a year end

• OCD is 2.5 years into offering this service
• Exceptional revenue growth
  • $300k first year (CY 2013)
  • $750k second year (CY 2014)
  • $1.5M est. third year (CY 2015)
• Adding jobs
  • 7 full-time staff, soon to be 8

Barriers to entry

• #1: Staff, staff, staff
  • Market demand is fierce; finding qualified staff with 5+ years’ experience is almost impossible
  • Salaries exceed $100k
    http://s3.amazonaws.com/DBM/M3/2011/Downloads/RHT_2015_salary-guide.pdf

• #2: Specialization
  • Government / Private / Public?
  • Infrastructure / Web / App?

Demos

• Raspberry Pi
• Social Engineering

Raspberry Pi

• A computer which fits in the palm of your hand and costs less than $40 can wreak havoc on a network
• An easy example to show clients how technology can get out of hand
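The practical counterpart to the Raspberry Pi demo above is the check a client can run to notice that such a device has been plugged into their LAN: compare what is actually answering on the wire with the approved asset list. The Python script below is an added example, not code from the presentation or from O'Connor & Drew. It parses constructed Linux `arp -a` output, flags any MAC address missing from a constructed inventory, and adds two hints a reviewer would want: whether the MAC's OUI belongs to the Raspberry Pi Foundation / Raspberry Pi Trading, and whether the address is locally administered (randomized or hand-set, so the OUI identifies no vendor). The inventory, the ARP sample and the OUI list are assumptions for illustration.

```python
"""Spot unapproved devices (a Raspberry Pi plugged into a client LAN, for
instance) by checking the ARP table against an asset inventory.

Added example, not from the presentation. The inventory, the ARP output and
the Raspberry Pi OUI list are assumptions for illustration; refresh OUIs from
the IEEE registry before relying on them.
"""
import re

# Constructed sample of Linux 'arp -a' output from a client workstation.
SAMPLE_ARP = """\
gateway (192.168.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
fileserver (192.168.1.10) at 00:50:56:aa:bb:cc [ether] on eth0
printer (192.168.1.20) at 00:80:77:de:ad:be [ether] on eth0
? (192.168.1.57) at b8:27:eb:4f:12:9a [ether] on eth0
? (192.168.1.88) at 5a:3c:8e:11:22:33 [ether] on eth0
"""

# Constructed asset inventory: approved MAC -> asset tag. In practice this
# comes from the client's CMDB, switch port-security tables, or NAC.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "core-gw",
    "00:50:56:aa:bb:cc": "fs01",
    "00:80:77:de:ad:be": "hp-printer-2f",
}

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

ARP_RE = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+([0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return (name, ip, mac) tuples from 'arp -a' output, MACs lower-cased."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def classify(mac, inventory):
    """Return the reasons a MAC deserves a look; an empty list means approved."""
    reasons = []
    if mac not in inventory:
        reasons.append("not in asset inventory")
    if mac[:8] in RASPBERRY_PI_OUIS:
        reasons.append("Raspberry Pi OUI")
    # Bit 1 of the first octet set = locally administered address: randomized
    # by a mobile OS or set by hand, so the OUI identifies no vendor.
    if int(mac[:2], 16) & 0x02:
        reasons.append("locally administered MAC (randomized or spoofed)")
    return reasons


def find_rogues(arp_text, inventory):
    """List devices seen on the wire that fail the inventory check."""
    rogues = []
    for name, ip, mac in parse_arp(arp_text):
        reasons = classify(mac, inventory)
        if "not in asset inventory" in reasons:
            rogues.append({"ip": ip, "mac": mac, "name": name, "reasons": reasons})
    return rogues


if __name__ == "__main__":
    for r in find_rogues(SAMPLE_ARP, INVENTORY):
        print(f"{r['ip']:<15} {r['mac']}  {'; '.join(r['reasons'])}")
```

An ARP table only shows neighbours on the local segment that have talked recently, so for a real check pull DHCP leases or switch MAC tables across all segments; the classification logic is the same.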

Live Demo: Social-Engineering Toolkit

IT risks are getting increasingly complex. Our clients’ IT controls need to keep up.

Our Contact Info
Email: [email protected]
LinkedIn: www.linkedin.com/in/michaelwhammond
Twitter: @ocdcpa