Digital Threats VS COBIT5 For Risk Final

Transcription

Digital Threats VS COBIT5 for Risk
IIAT & ISACA & SETIA Clinic 11/2559
By ISACA Bangkok Chapter, 26 November 2016
2016 ISACA. All Rights Reserved.

Speaker: Metha Suvanasarn, CGEIT, CRISC, CRMA, CIA, CPA
… of Princess Srinagarindra, the Princess Mother (สมเด็จพระศรีนครินทราบรมราชชนนี)
Audit Committee member, Sri Ayudhya Insurance Public Company Limited
Audit Committee member, Sri Ayudhya General Insurance Co., Ltd.
Vice President, ISACA (Information Security Audit and Control Association) Bangkok Chapter
… (TISA – Thailand Information Security Association)
… remuneration committee of the SME Development Bank of Thailand (ธพว.)
Lecturer on Corporate Governance, IT Governance, … IT Audit for Non-IT Auditor; COBIT5; … Corporate Governance, IT Governance, … Digital Economy … (IIAT, สตท); … GRC, ITG, IT Audit and Non-IT Audit, risk management … (Integrated Management) … published on www.itgthailand.com and www.itgthailand.wordpress.com

Speaker: Warangkana Musikhasungka, warangkana.musikhasungka@th.pwc.com, 02-344-1055
Education: Associate degree in Law, … University; Bachelor of Statistics, … University; MBA in Financial and Banking, … University
Work: currently Director, Risk Assurance Services, PricewaterhouseCoopers; … Vice President, ISACA Bangkok Chapter; … accounting profession, accounting systems design, Federation of Accounting Professions; subcommittee … promoting … and ERP … for small and medium enterprises, Federation of Accounting Professions; … and IT Governance for ISACA Bangkok Chapter
Moderator: … and IT Governance for the Institute of Internal Auditors of Thailand

Digital threat: Are you at risk?

Digital society
Digital technology has become the world’s touchpoint, connecting, informing, and enabling life at every level, from individuals to institutions. For today’s businesses, digital is integral — woven so deeply into strategy, infrastructure, operations, and products/services that in a very real sense, business and IT have become one. IT is business — which means IT risks are business risks.

Digital trust
The goal is clear but the path there is fraught. For their digital investments to deliver the expected benefits, companies need to have trust in their data, systems, and processes. They need to have the right talent to keep them running, and the right governance structures, controls, and risk management processes to keep them healthy, safe, secure, and compliant. And they need to instil the flexibility that will allow them to evolve as business needs change.

Social Media risk

Global State of Information Security Survey 2017 (GSISS 2017)

GSISS 2017: Financial services

Cyber Security – confidence in your digital future

Emerging Risks: Social Media
Industry: Aviation
When: July 2009
Category: Crisis management
In 2009 singer and song-writer Dave Carroll took a flight with United Airlines. The neck of his $3,500 guitar was broken during the flight, so he complained to United to ask them for compensation. Dave tried to make a claim for 9 months but was refused by United because he had apparently waited more than 24 hours before making the claim. He apparently tried phone calls, emails and even suggested that United give him flight vouchers instead of money, but he continued to be refused.
So, he decided to write a song and make a music video to tell his story and vent his frustration, called “United Breaks Guitars”. He put it on YouTube and it went viral. After 150,000 views United offered payment to make the video go away; however, Dave decided to leave it running.
Mainstream media picked up on the story and Dave is reported to have done over 200 interviews in the first few months after launching the video. The BBC reported that United’s stock price dropped by 10% within three to four weeks of the release of the video – a decrease in valuation of $180 million.
View the video here: https://www.youtube.com/watch?v=5YGc4zOqozo
The video is still live and at time of writing has received over 15.5 million views. This goes to show how powerful social media can be for disgruntled customers.

Emerging Risks: Social Media
Industry: Policing / Public Sector
When: April 2014
Category: Hashtag hijacking
In April 2014 the New York Police Department (NYPD) started a campaign to encourage New Yorkers to share photos of themselves with a member of the NYPD in an attempt to show the positive face of the NYPD. They created the hashtag “#myNYPD” and posted to Twitter asking for members to respond with their photos.
Unsurprisingly, the hashtag was soon hijacked by people who used it to reveal an uglier side to policing. It became a “bashtag”, with hundreds of users posting photos showing alleged police brutality, as well as some other comical tweets poking fun at the police.
This sort of thing was quite predictable and goes to show that campaigns such as this need serious thought to address the risk of them backfiring.


Year 2560 (2017): PromptPay to drag fee income down 4%
Mr. Predee Daochai, Managing Director of KBANK, disclosed that the bank is preparing its plan … for 2560 (2017) … PromptPay … new financial innovations … will affect … fee income from funds transfers … expected to fall by about 4% … fee income of 37,526 million baht. Mrs. Kittiya Todhanakasem, Senior Executive Vice President of SCB, said that … in 2560 as well … fee income … by at least 4% … over the past period the bank had fee income of 32,704 million baht.
Updated: 14 October 2559 (2016), 06:20:00. Source: Prachachat Turakij

Q1. How does the enterprise address emerging risk?

What is Digital / the Digital Era?
Digital is the evolution … innovations … that arise rapidly …
1. … to stakeholders …
2. … risk management … to use resources for maximum benefit
3. and having sufficient data/information … for … those involved

Digital transformation and Governance of IT
Creating new business models where digital meets physical
Forces for business change - Risk - Threat
Chief among forces for transformation are the surge in devices for mobile connectivity, such as smart phones and tablets, and the creation of social networks, such as Facebook and Twitter. Both of these developments are creating an exponential explosion in data, which, in turn, requires business analytics to make sense of the information. Shifting global connectivity and customer empowerment drive digital …
Source: …/pdf/manufacturing/Digital-transformation.pdf

Digital transformation and Infrastructure
Creating new strategy & business models - Risk & Threat
Digital transformation is becoming pervasive across functions, industries and geographies.
Source: …/pdf/manufacturing/Digital-transformation.pdf

Digital transformation - Risk & Threat Perspective
Creating new business models where digital meets physical
From individuals to businesses to industries: digital transformation drivers are pushing industries along the physical-digital continuum.
Source: …/pdf/manufacturing/Digital-transformation.pdf

Digital Trends and Emerging Risks: Analytics, Big data, Cloud, Mobile, Corporate data/Information, Cyber, Social

Equip yourself
- Create a forum internally for better control
- Create guidelines: what the company will and will not do online; what employees can and cannot do online
- The policies should be provided at the time of hiring
- Provide training

Growing gap between business and cyber attacker capabilities
Source: Audit Insights: Cyber Security 2015

Changing from cybersecurity to cyber resiliency
- It is not if but when! Businesses need to accept that their security will be compromised
- “Cyber resilience can be defined as the ability to resist, react to, and recover from cyberattacks.”
- Businesses should focus on their critical information assets
- Continuity, crisis management, incident response, monitoring and detection

“Government has a solemn obligation to protect our people against systemic threats to our national and economic security. Cyber attacks cannot be handled exclusively by our government’s law enforcement, military and intelligence services, nor are federal regulations able to keep pace with ever-evolving cyber threats. Through law and rule making, Congress and federal agencies enact solutions for our nation’s challenges; companies then react with compliance. But laws and regulations alone cannot protect us from the emerging cyber threats. Our cyber adversaries constantly deploy new and evolving methods to exploit vulnerabilities and inflict harm on our country. Just weeks ago the Pegasus attack represented an unprecedented attack on Apple’s iOS platform. No static checklist, no agency role, no reactive regulation alone is capable of thwarting a threat we cannot foresee. The federal government cannot regulate cyber risk out of existence. What we can do is work with you, business leaders, technical experts and cybersecurity professionals, to better manage cyber risk.

Commerce believes this requires a new proactive, collaborative approach between government and industry, one not reliant on static requirements but on vigilant, continuous cyber risk management. What we need is a joint defense posture with real public-private partnerships. These are nice words, but actually how do we turn them into action and reliable protection? We need government and industry to speak the same language of cyber risk, because we cannot work together without understanding each other. We need new laws to facilitate continuous, candid collaboration between industries and agencies outside of the enforcement space. We need to work together to counter threats and deploy technical solutions that bake security into innovation. The Cyber Security Framework is the primary tool to evaluate cyber security posture. Last month the FTC used the Cyber Security Framework lexicon of Identify, Protect, Detect, Respond, and Recover. The FTC detailed over 60 enforcement actions for data breaches in a manner that CEOs and CIOs can easily plug into their own operations to improve their cyber security.”
Commerce Secretary Penny Pritzker, 27 September 2016, US Chamber of Commerce Annual Cyber Security Summit

2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA

Q2. IT Risk management and Cybersecurity


Emerging Risks: Social Media
Companies face several financial risks. Risk factors:
Information Security: access controls; external threats; careless employees; data classification and governance; sharing of confidential information; use of offshore organisations and 3rd parties
Reputational: employee misuse / inappropriate communications; negative impact to the brand; loss of employee, customer and/or investor confidence
Regulatory / Compliance: enforcement actions from government – EU regulation; compliance with self-regulatory frameworks (i.e. US-EU Safe Harbor, TRUSTe); data retention / personal data off-shore
Financial (associated with a breach): DPA – fines; stock price decline; crisis management / remediation efforts
Operational: lack of good governance leading to reduced employee productivity, increased process complexity, loss of competitive advantage and disruption of business activities; insufficient moderation leading to poor content

People matter
There is no technical quick fix. Risks come from your people and should be fixed by your people.
“So if every time there’s a problem and the only thing your CIO/IT manager is suggesting is technology, you should poke them with a stick. You should say, ‘Wait a minute, where’s the process change or the other things that always have to go with technology to make it work.’” – John Pescatore, Gartner
- Role-based or role-specific training
- Training based on individual risk exposure: “Identifying risk factors at the individual level saves time and money, as the organization likely does not need to train John and Jan equally.” (Pendergast, ISACA Journal vol 5, 2016)


2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA
Internal audit is uninformed about the expertise needed to address cybersecurity, or it lacks the resources to hire the necessary skills.

Governance of Enterprise IT (GEIT)

COBIT and Other IT / Management Standards & Best Practices
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
[Figure, source: ITGI – COSO, COBIT, ISO 17799 and ISO 9000 on the WHAT axis; ITIL and ISO 20000 on the HOW axis; horizontal axis: scope of coverage]

COBIT 5 Principles
Source: COBIT 5, figure 2. 2012 ISACA. All rights reserved.

COBIT 5 Enablers

Governance Objective: Value Creation

Governance of Enterprise IT (GEIT)
COBIT 5 Goals Cascade Overview
Stakeholder needs and enterprise goals → COBIT 5 Enterprise Goals / Business BSC → detailed mapping of enterprise goals to IT-related goals → IT-related Goals → detailed mapping of IT-related goals to IT-related processes
Source: ISACA

COBIT 5 Process Reference Model
Governance Process: 5 EDM processes
Management Process: 4 Domains, 32 Processes


COBIT 5 for Risk Overview

COBIT 5 for Risk Overview (Cont.)

COBIT 5 for Risk Overview (Cont.)

Target Audience

Target Audience (Cont.)


Risk Function Perspective
COBIT 5 for Risk identifies all COBIT 5 processes that are required to support the risk function:
- Key supporting processes – dark pink
- Other supporting processes – light pink
Core risk processes, shown in light blue, are also highlighted; these processes support the risk management perspective:
- EDM03 Ensure risk optimization
- APO12 Manage risk

Processes for Governance of Enterprise IT
Evaluate, Direct and Monitor: EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency
Processes for Management of Enterprise IT
Align, Plan and Organise: APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
Build, Acquire and Implement: BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration
Deliver, Service and Support: DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess: MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Risk Scenarios
12 October 2016
Source: COBIT 5, ISACA. All rights reserved.

Risk Scenarios
COBIT 5 for Risk provides 111 risk scenario examples across 20 scenario categories.
12 October 2016
Source: COBIT 5, ISACA. All rights reserved.

Alignment with other standards
COBIT 5 for Risk—much like COBIT 5 itself—is an umbrella approach for the provisioning of risk management activities. COBIT 5 for Risk is positioned in context with the following risk-related standards:
- ISO 31000:2009 – Risk Management
- ISO 27005:2011 – Information security risk management
- COSO Enterprise Risk Management

[CSX]

CYBER ATTACKS ARE BECOMING AN EVERY-DAY OCCURRENCE, YET THERE STILL AREN’T ENOUGH SKILLED PROFESSIONALS TO HELP COMPANIES PROTECT AND DEFEND THEIR ASSETS.


For more information, visit us at https://cybersecurity.isaca.org

Q3. What are the auditor’s role, focus areas and approach?

“The success of these efforts depends in large part on obtaining the support and cooperation of key players: IT, executive management, and the board.”
2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA

IT Audit Plan - Process - Performing and Risk Assessment
Source: GTAG

IT audit function in the digital journey
- IT audit moves from an “outsider” coming in after the fact to an “advisor” for advancing the company’s business strategy (IT – Business – Audit Strategy)
- Continuous risk assessment (rather than an annual risk assessment)
- Leveraging analytics to support continuous audit, continuous monitoring, and value identification
- Culture from retrospective to proactive
- Disappearing of the distinction between tech and non-tech auditing
Source: Kress, ISACA Journal vol 1, 2016

Digital transformation is resulting in increased expectations of Internal Audit to deliver quality, impact, and value
Source: IIA International Conference, 2016



2016 NORTH AMERICAN PULSE OF INTERNAL AUDIT by IIA

Product family: Business Framework; Enabling Processes; Implementation; Enabling Information (translated); Process Assessment Programme (Process Assessment Model, Self-Assessment Guide, Assessor Guide); Information Security; Assurance; Risk


Speaker: Warangkana Musikhasungka, warangkana.musikhasungka@th.pwc.com, 02-344-1055