The Evolution of the IT Risk Assessment

February 15, 2017
MEMBER OF ALLINIAL GLOBAL, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
© 2017 Wolf & Company, P.C.
Housekeeping Items
• This presentation will last about 45 minutes.
• Today's presentation slides can be downloaded at http://www.wolfpacsolutions.com/2017-webinar-archive. Please note that not all slides will be included in the posted presentation, as some of this session will consist of a live demonstration.
• You have two options for audio today: dial in by phone or listen through your computer.
• We will have time for Q&A at the end of the presentation. Submit your questions using the "questions box" on the webinar's control panel.
Today’s Presenter
Puja Ghiya
WolfPAC Business Analyst
Phone: 617-261-8134
Email: [email protected]
Today’s Agenda
• Recap of Last Webinar
• Management of Controls Inventory
– Master and Local Controls
– Mapping of Controls to Framework
– Mapping of Controls to Threats
• Common Controls
• Q&A
IT 4.0 Homepage
• Streamlined administrator and user capabilities
• Role-based access
Risk Assessment
IT 4.0: One Questionnaire
• Selection Assessment
• Technology Risk Assessment
• Multifactor Authentication Risk Assessment
Reports derived from that single questionnaire: Selection Assessment reports, Technology/Application Risk Assessment reports, and Multifactor Authentication reports.
Complete one assessment questionnaire and derive different results via reports.
Risk Assessments in IT 4.0
A consistent five (5) step process:
• First step: Answer the questions
• Second step: Complete the threat assessment
• Third step: Select controls
• Fourth step: Complete the controls assessment
• Fifth step: Review the assessment results
Contextual Questionnaire
• Dynamic, interpretive logic
• Easy to get through the questions
• Threats and impacts are identified
• Sequential workflow that guides the user through the process
• Copy function is available
Sample: Technology Questionnaire
Example A: Anti-virus software for the institution (Symantec AntiVirus)
1. What best describes this technology?
   • Security Software/Appliance
   What best describes this security software/appliance?
   • Anti-Malware
   Does a third party host or manage this technology?
   • Technology is managed internally by organization employees
2. What type of data does this technology store or transmit?
   • Internal Use
3. What type of customers/members directly access this technology?
   • Customers/Members do not have access to this technology

Example B: Off-the-shelf software for internal use (Acrobat)
1. What best describes this technology?
   • End user off the shelf software
2. What type of data does this technology store or transmit?
   • Internal Use
3. What type of customers/members directly access this technology?
   • Customers/Members do not have access to this technology
Sample: Hardware Questionnaire
Example A: Automated Teller Machines (ATM)
1. Hardware Category
   • ATM
   Link Technologies
   • ATM Manager Pro – Asset and Site Management
2. What type of data does this device store, transmit, or access?
   • Internal Confidential

Example B: Storage Area Network (SAN)
1. Hardware Category
   • Storage Area Network (SAN)/Network Attached Storage (NAS)
2. What type of data does this device store, transmit, or access?
   • Regulatory Restricted
   Link Data Types
   • Personal Name
   • Address
   • Social Security Number or Tax ID
   • Driver's License Number or State Issued ID Card or Passport Number
   • Date of Birth
   • Biometric Data
   • Financial Account Number
   • Credit/Debit Account Number
   • Telephone Number
   • Login ID
   • Password or PIN
   Approximately how many regulatory restricted records are stored or transmitted through this system?
   • >100,000
Controls Inventory
• Inventory with over 900 NIST controls
• Frequent updates to controls
• Multi-framework architecture that allows mapping of controls to different frameworks/guidance:
  – COSO
  – NIST
  – HIPAA
  – FFIEC Booklets
  – COBIT
• Controls are mapped to threats
What are Common Controls?
Those controls whose implementation results in a security capability that is inheritable by multiple information systems (IS).
Example 1: Information systems hosted in a data center will inherit numerous security controls from the hosting provider, such as:
• Physical and environmental security controls
• Network boundary defense security controls
Example 2: Departmental-level policies or procedures that can be leveraged by all information systems within the institution, such as:
• Security monitoring capabilities
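The two preceding slides describe a controls inventory mapped to frameworks and threats, and common controls that hosted systems inherit. The following is an added example, not WolfPAC code, that models both ideas: it resolves a system's effective controls (local plus inherited), lists threats from the assessment that no effective control covers, and filters the effective controls by framework. All control IDs, threat names and system names are constructed for illustration.

```python
# Added example (not WolfPAC code): a toy controls inventory in which each control
# maps to frameworks and to the threats it mitigates; "common" controls provided by
# a hosting provider are inherited by every system hosted there. All IDs are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    frameworks: frozenset  # framework/guidance mappings, e.g. {"NIST", "FFIEC"}
    threats: frozenset     # threats this control mitigates
    common: bool = False   # inheritable from the hosting provider

INVENTORY = {  # constructed sample: two common (provider) controls, two local ones
    "C1": Control("C1", "Physical access to data center", frozenset({"NIST", "FFIEC"}),
                  frozenset({"physical intrusion"}), common=True),
    "C2": Control("C2", "Network boundary defense", frozenset({"NIST", "COBIT"}),
                  frozenset({"external network attack"}), common=True),
    "C3": Control("C3", "Anti-malware", frozenset({"NIST", "HIPAA"}),
                  frozenset({"malware infection"})),
    "C4": Control("C4", "Multifactor authentication", frozenset({"NIST", "FFIEC"}),
                  frozenset({"credential theft"})),
}

@dataclass
class InformationSystem:
    name: str
    hosted_in_data_center: bool
    threats: set                                      # identified by the questionnaire
    local_controls: set = field(default_factory=set)  # control IDs selected locally

def effective_controls(system):
    """Local controls plus common controls inherited from the hosting provider."""
    inherited = {cid for cid, c in INVENTORY.items()
                 if c.common and system.hosted_in_data_center}
    return inherited | system.local_controls

def unmitigated_threats(system):
    """Threats from the assessment with no effective control mapped to them."""
    covered = set()
    for cid in effective_controls(system):
        covered |= INVENTORY[cid].threats
    return sorted(system.threats - covered)

def framework_coverage(system, framework):
    """Effective control IDs that map to the given framework/guidance."""
    return sorted(cid for cid in effective_controls(system)
                  if framework in INVENTORY[cid].frameworks)
```

A system that is not hosted in the data center inherits nothing, so the same local control selection leaves its physical threats uncovered.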
Product Demonstration
Why Will It Help You?
• Management can focus on what is really important from your IT risk management standpoint and produce relevant results
• Quickly identify gaps and implement additional controls to mitigate losses
• Ensure all your IT controls, policies and procedures are documented in a centralized location
• Optimize your resource utilization
• Process consolidation and consistency
• Configurable for the changing IT regulatory landscape
• Robust reporting on the threats and controls facing your organization
• Measure cybersecurity readiness
Questions?