AUDITING
• Systematic process of objectively obtaining and evaluating evidence regarding assertions.

INTERNAL AUDITING
• Independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

IT AUDITS
• CIA (The Central Intelligence Agency) has been active in the Philippines almost since the agency's creation in the 1940s. The CIA's main headquarters for Southeast Asia is located in Manila, the capital of the Philippines. The CIA was founded in 1947 and first played a major role in the Philippines three years later.
• IIA (Institute of Internal Auditors) is an international professional association.
• IT audits provide audit services where processes or data, or both, are embedded in technologies.
• Characterized by CAATs (Computer Assisted Audit Techniques), which refers to the use of technology to help evaluate controls by extracting and examining relevant data.
• IT governance as part of corporate governance.
• Joint with internal, external, and fraud audits.
• Scope of IT is increasing.
• Subject to ethics, guidelines, and standards of the profession (if certified):
  • CISA (Certified Information Systems Auditor) is a globally recognized standard for appraising an IT auditor's knowledge, expertise, and skills in assessing vulnerabilities and instituting technology controls in an enterprise environment.
  • Most closely associated with ISACA (The Institute of Internal Auditors (IIA)) Philippines, which is a professional organization dedicated to the advancement of the internal audit profession in the country.

FRAUD AUDITS
• Investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
• The auditor here is more like a detective.
• No materiality.
• Goal is conviction, if there is enough evidence.
• CFE (Certified Fraud Examiner), or ACFE. ACFE Philippines is the 97th of 136 local chapters of ACFE International worldwide, dedicated to educating professionals in fighting fraud. After a rigorous qualification process, CFE certification is given to the ACFE member who is assigned as CFE.

EXTERNAL AUDITS
• In all material respects, financial statements are a fair representation of the organization's transactions and account balances.
• Sarbanes-Oxley Act (Government Law on Data Privacy and Corruption)
• FASB-PCAOB (financial accounting standards)
• CPA (Certified Public Accountant)
• AICPA (Organization)

EXTERNAL VS. INTERNAL
External
• Independent auditor (CPA)
• Independence defined by SEC/S-OX/AICPA
• Assessing the reliability of financial data.
• Product is a formal written report that expresses an opinion about the reliability of the assertions in the FS.
• Required by SEC for publicly-traded companies.
• Referred to as a "financial audit".
• Represents interests of outsiders, "the public" (e.g. stockholders).
• Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by SEC, which has final authority.
• GAAP (Generally Accepted Accounting Principles) are based on PFRS (Philippine Financial Reporting Standards). These standards are issued by the FRSC (Financial Reporting Standards Council) and aim to ensure transparency, comparability, and reliability of financial statements.

Internal
• Auditor is often CIA or CISA.
• Is an employee of the organization, imposing independence on self.
• Optional per management requirements.
• Broader service than a financial audit (e.g. operational audits).
• Represents the interests of the organization.
• Standards, guidance, certification governed by IIA (Institute of Internal Auditors (IIA) is an international professional association) and ISACA (Institute of Internal Auditors (IIA) Philippines is a professional organization dedicated to the advancement of the internal audit profession in the country).

ATTEST
• Written assertions
• Practitioner's written report
• Formal establishment of measurement criteria or their description.
• Limited to:
  Examination
  Review
  Application of agreed-upon procedures

FINANCIAL AUDITS
• Independent attestation performed by an expert (such as an auditor or a CPA) who expresses an opinion regarding the presentation of financial statements.
• Should be similar to a trial by judge.
• Culmination of a systematic process involving:
  Familiarization with the organization's business.
  Evaluating and testing internal controls.
• IT Audit Group in the "Big Four":
  IT Risk Management
  I.S. Risk Management
  Operational Systems Risk Management
  Technology & Security Risk Services
  Typically a division of assurance services.

ASSURANCE
• Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers.

AUDITS
• Systematic process
• 5 primary management assertions, and correlated audit objectives and procedures:
  Existence or Occurrence
  Completeness
  Rights & Obligations
  Valuation or Allocation
  Presentation or Disclosure

AUDITING STANDARDS
• Set by AICPA
• Authoritative
• 1. Generally Accepted Auditing Standards (GAAS)
  The AASC is the body authorized to establish and promulgate generally accepted auditing standards (GAAS) in the Philippines. At present, AASC pronouncements are mainly adopted from the standards and practice statements issued by the International Auditing and Assurance Standards Board (IAASB).
• Three (3) categories:
  General Standards
  Standards of Field Work
  Reporting Standards
• 2. Statements on Auditing Standards (SASs)
  SAS #1 issued by AICPA in 1972.

PHASES
1. Planning
2. Obtaining evidence
   Tests of Controls
   Substantive Testing
   CAATTs
   Analytical procedures
3. Ascertaining reliability
   Materiality
4. Communicating results
   Audit opinion

AUDIT RISK FORMULA
Audit Risk
• Probability that an auditor will give an inappropriate opinion on the FS.
• Statements will contain material misstatements which the auditor fails to find.
Inherent Risk
• Probability that material misstatements have occurred.
• Material vs. Immaterial
• Includes economic conditions, etc.
• Relative risk (e.g., cash)
Control Risk
• Probability that the internal controls will fail to detect material misstatements.
Detection Risk
• Probability that the audit procedures will fail to detect material misstatements.
• Substantive procedures

Audit Risk Model
• Determines the total amount of risk associated with an audit, and describes how this risk can be managed.
  Audit Risk (AR) = Control Risk (CR) × Detection Risk (DR) × Inherent Risk (IR)
• Example:
  IR = 40%
  CR = 60%
  AR = 5% (fixed)
  5% = 60% × DR × 40%
  DR = 5% / (60% × 40%)
  DR = 20.8%
• Relationship between tests of controls and substantive tests (with DR taken as 20%):
  AR = 60% × DR × 40% = 4.8%
  AR = 40% × DR × 40% = 3.2%
• The lower the CR, the more reliable the internal controls are. The lower the DR, the fewer substantive tests are necessary.
• Substantive tests are labor intensive.

ROLE OF AUDIT COMMITTEE
• Selected from board of directors
• Usually three members
• Outsiders (S-OX now requires it)
• Fiduciary responsibility to shareholders
• Serve as an independent check and balance system
• Interact with internal auditors
• Hire, set fees, and interact with external auditors
• Resolve conflicts of GAAP between external auditors and management.

WHAT IS AN IT AUDIT?
• Most accounting transactions are now in electronic form without any paper documentation because electronic storage is more efficient. … These technologies greatly change the nature of audits, which have so long relied on paper documents.

THE IT ENVIRONMENT
• The I.T. environment complicates the paper systems of the past:
  Concentration of data
  Expanded access and linkages
  Increase in malicious activities in systems vs. paper
  Opportunity that can cause management fraud (i.e., override)
• Audit planning
• Tests of controls
• Substantive tests

CAATTs (Computer Assisted Audit Techniques) is a method of gathering and reviewing electronic records. CAAT is used to simplify or automate the data analysis and audit process, and it involves using computer software to analyze large volumes of electronic data for anomalies.
INTERNAL CONTROL
• Policies, practices, and procedures designed to safeguard assets, ensure accuracy and reliability, promote efficiency, and measure compliance with policies.

BRIEF HISTORY - SEC
SEC Acts of 1933 and 1934
• Ivan Kreuger's Contribution to U.S. Financial Reporting: Accounting Review, Flesher & Flesher
• All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

BRIEF HISTORY - COPYRIGHT
Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since.
3. Management is legally responsible for violations of the organization.
4. The U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally.

BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act 1977
1. Accounting Provisions
• FCPA requires SEC registrants to establish and maintain books, records, and accounts.
• It also requires establishment of internal accounting controls sufficient to meet objectives:
  1. Transactions are executed in accordance with management's general or specific authorization.
  2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
  3. Access to assets is permitted only in accordance with management authorization.
  4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal Foreign Payments

BRIEF HISTORY - COSO
Committee of Sponsoring Organizations - 1992
1. Sponsoring organizations:
  AICPA (the national professional organization for all Certified Public Accountants; the AICPA's mission is to power the success of global business)
  AAA (Authentication, authorization, accounting, or AAA protocols, centralize access controls for network access and network device administration)
  FEI (Financial Executives International (FEI) is a leading association comprised of members who hold positions as Chief Financial Officers, Chief Accounting Officers, Controllers, Treasurers, and Tax Executives at companies in every major industry)
  IMA (Founded in 1919, IMA states in its mission that its role is to provide a forum for research, practice development, education, knowledge sharing, and the advocacy of the highest ethical and best business practices in management accounting and finance)
  IIA (practical, accredited modular course, providing a thorough grounding in the practice and principles of audit, governance, risk, and assurance)
2. Developed a management perspective model for internal controls over a number of years.
3. Is widely adopted.

BRIEF HISTORY - S-OX
1. Section 404: Management Assessment of Internal Control
• Management is responsible for establishing and maintaining the internal control structure and procedures.
• Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
• Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

MODIFYING ASSUMPTIONS
2. Management responsibility
3. Reasonable assurance
  No I.C.S. is perfect. (An internal control system (ICS) is a system of financial and other controls arranged by the management for the purposes of well-ordered and effective performance of the company.)
  Benefit => costs
4. Methods of data processing
• Objectives are the same regardless of the DP method. (Data processing (DP) refers to the extraction of information through organizing, indexing, and manipulating data.)
• Specific controls vary with different technologies.
4. Limitations
• Possibility of circumvention
• Possibility of error
• Management override
• Changing conditions

EXPOSURE AND RISK
Types of Risk
• Destruction of assets
• Theft of assets
• Corruption of information or the I.S.
• Disruption of the I.S.

THE P-D-C MODEL
• Preventive controls
• Detective controls
• Corrective controls
• Predictive controls

SAS 78: Consideration of Internal Control in a Financial Statement Audit
• COSO (Treadway Commission)
  The control environment
  Risk assessment
  Information & communication
  Monitoring
  Control activities

1. Control Environment - ELEMENTS
• Describe how each one would adversely affect internal control.
• The integrity and ethical values
• Structure of the organization
• Participation of the audit committee
• Management's philosophy and style
• Procedures for delegating
• Management's methods of assessing performance
• External influences
• Organization's policies and practices for managing human resources

Control Environment - TECHNIQUES
• Describe a possible activity or tool for each.
• Assess the integrity of the organization's management
• Conditions conducive to management fraud
• Understand the client's business and industry
• Determine if the board and audit committee are actively involved
• Study the organization structure

2. Risk Assessment
• Changes in environment
• Changes in personnel
• Changes in I.S.
• New ITs
• Significant or rapid growth
• New products or services (experience)
• Organizational restructuring
• Foreign markets
• New accounting principles

3. Information & Communication - ELEMENTS
• Initiate, identify, analyze, classify and record economic transactions and events.
• Identify and record all valid economic transactions
• Provide timely, detailed information
• Accurately measure financial values
• Accurately record transactions

Information & Communication - TECHNIQUES
• Auditors obtain sufficient knowledge of the I.S. to understand:
  Classes of transactions that are material
  Accounting records and accounts used
  Processing steps: initiation to inclusion in financial statements (illustrate)
  Financial reporting process (including disclosures)

4. Monitoring
• By separate procedures (e.g., tests of controls)
• By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing – COA)

5. Control Activities
PHYSICAL CONTROLS
1. Transaction authorization
  Example:
  • Sales only to authorized customers
  • Sales only if within the available credit limit
2. Segregation of duties
  Examples of incompatible duties:
  • Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
  • Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
  • Fraud requires collusion [e.g., separate the various steps in a process]
3. Supervision
  • Serves as a compensating control when a lack of segregation of duties exists by necessity.
4. Accounting records
  • (audit trails; examples)
5. Access Controls
  • Direct (the assets)
  • Indirect (documents that control the assets)
  • Fraud
  • Disaster Recovery
6. Independent verification
  Management can assess:
  • The performance of individuals
  • The integrity of the AIS
  • The integrity of the data in the records
  • Examples

IT RISKS MODEL
• Operations
• Data management systems
• New systems development
• Systems maintenance
• Electronic commerce (The Internet)
• Computer applications

MODULE 2
IT Governance
• Helps align IT strategy with business strategy.
• 5 areas to focus on:
  Strategic alignment
  Value delivery
  Resource management
  Risk management
  Performance measures

WHY IS IT IMPORTANT?
• Compliance with regulations
• Competitive advantage
• Support of enterprise goals
• Growth and innovation
• Increase in intangible assets
• Reduction of risk

WHO IS INVOLVED?
• Team leaders
• Managers
• Executives
• Board of Directors
• Stakeholders
IT GOVERNANCE FRAMEWORK

IS GOVERNANCE
• Consists of leadership, organizational structures and processes that safeguard information.
• Security over information assets.
• Benefits of IS Governance.
• IS is a top-down process.

CHALLENGES AND CONCERNS RELATIVE TO IT GOVERNANCE
Aligning IT and Business Strategy
• Corporate Mission – Business Goals – IT Strategy
• Requires involvement from many levels and activities within the enterprise.
• Lack of alignment leads to adverse business issues.
• Strong IT Governance contributes toward proper alignment.

ENSURING VALUE AND EFFECTIVENESS
• IT issues are the least understood, despite the increasing reliance placed on IT.
• Initiate IT governance structures with the right level of executive involvement.
• Boards of Directors require essential IT-related skills.

MEASURING IT GOVERNANCE PERFORMANCE
• Measuring IT performance is a key concern as it demonstrates the effectiveness and added business value of IT.
• Commonly seen as the IT "Black Hole" – costs continually rise without clear evidence of value derived from the IT function.
• Traditional performance measurement methods require monetary values which are hard to apply to IT systems.

IT GOVERNANCE PERFORMANCE MANAGEMENT APPROACHES

IT BALANCED SCORECARD
• One of the most effective means to aid an organization in achieving IT and business alignment.
• Provides a systematic translation of the IT strategy into tangible success factors and metrics.
• Gives a balanced view of the value added by IT to the business.
• Calculating the value of IT investments is a business issue for which business managers are ultimately responsible.

HARLEY DAVIDSON IT GOVERNANCE CASE STUDY
Harley Davidson is the oldest producer of motorcycles and has achieved 20 consecutive years of record growth. Until 2003, Harley Davidson focused solely on manufacturing and selling high quality motorcycles.

They realized that for continued growth, they must unite management and the IT and Audit functions with a common governance while maintaining their unique company culture.

• Until 2003, Harley Davidson had limited IT controls in place and the employees had limited knowledge of control and risk.
• There were limited standardized user access processes, change management processes or backup and recovery processes.
• Harley Davidson created a new IT compliance department to manage control and risk in the company.
• This department implemented the COBIT framework to focus on key value areas of the business.
• Switched to a broad control framework rather than continually raising the bar.

COBIT – Control Objectives for Information and Related Technology
Harley Davidson chose COBIT because:
• An internationally accepted standard for IT governance and control
• Provides a common language for management, end users and IT audit professionals
• A means for benchmarking controls compliance
• Low implementation cost
• Cohesiveness with other standards
• External auditor signed off on the framework

It was important for management and IT to understand the importance of effective, value-focused controls.

By focusing on IT business value and their control needs, COBIT provided a tool to spur internal change while maintaining their position as an industry leader.
CHAPTER 3
PROTECTING PERSONAL & INSTITUTIONAL INFORMATION ASSETS & DATA

Protection of Information Assets
• Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.
• Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.
• Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.
• Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives.

Knowledge Statements
• Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)
• Knowledge of encryption techniques (e.g. DES, RSA)
• Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)
• Knowledge of digital signature techniques
• Knowledge of physical security practices (e.g. biometrics, card swipes)
• Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords, challenge/response, menus, profiles)
• Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)
• Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)
• Knowledge of network and Internet security (e.g. SSL, SET, VPN, tunneling)

Some Possible Threats
1. Email Interception
Methods
  Script Monitor
    Running a script on a server that receives email traffic, monitoring emails for certain keywords or number patterns.
  Account Emulation
    Stealing someone's user id and password to gain access to their email account.
Defenses
  Digital Certificates
    Authenticate you as the sender and are extremely difficult to forge. Allow very strong encryption of email communications.
  PGP
    "Pretty Good Privacy" allows strong encryption of your text. Can be incorporated easily into any text-oriented program.
Standard Encryption
• Text is encrypted and sent by the originator.
• Ciphertext is decrypted by the recipient.
• The same key is used for encryption and decryption.
• If the key is intercepted or deciphered, the encryption becomes useless.
• This is how WWII was won...

Strong Cryptography
• "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter." -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.
• 40 bit cryptography is considered weak. This can be intercepted and deciphered in seconds using today's tools.
• By contrast, 128 bit cryptography is considered technically infeasible to crack. Most banks require a 128 bit browser for online banking.

Dual Key Cryptography
• A key pair is generated - public and private key.
• The public key is sent to a server and exchanged with others.
• The private key is guarded by the user.

Dual Keys Continued
• The encrypted message is generated using the recipient's public key and your private key.
• Only the intended recipient with the corresponding private key will be able to decrypt.
• NSA hates this to be in the hands of the general public… but you have the right to privacy.

What is a Digital Certificate?
• Acts as a virtual signature
• Very hard to forge
• Can be used for encryption or authentication
• Resides in the Browser/Email Client/OS
• Free digital certificates are available
• PGP Freeware is available

What is PGP?
• Created by Phil Zimmerman
  - PGP is now a subsidiary of Network Associates
• Secures e-mail and files
• Based on "Public Key" Cryptography
• Users who have never met can exchange encrypted documents.
• Freeware

How To Encrypt a Message (1)
Clicking on the Security button in Netscape Communicator opens the Security Window below:
• Obtain and install a certificate using the step by step instructions at the issuing website.
• Once keys have been exchanged, address an email to the other party.
• Click on the Security button and select the option for encrypting the message.
• That's it!

An email that has a digital certificate attached will display this icon in Communicator. You can click on the icon to examine the cert. Certs emailed to you are automatically added to Communicator's database.

2. Email Spoofing
• Happens when someone impersonates an email user, sending messages that appear to be from the victim's email address.
• Spoofing can be prevented by using your Digital Certificate or PGP to "Digitally Sign" your email message.
• Even Certificates can be spoofed, although it is difficult. Check the "Certificate Fingerprint" of the message to be sure it's authentic.
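The dual-key exchange and the signing defense against spoofing described above, as an added example that is not from these notes or from any real PGP or certificate software: a toy hybrid scheme with tiny textbook RSA keys (an illustration only, not usable security) in which Alice signs with her private key and encrypts to Bob's public key, an interceptor without Bob's private key cannot read the message, a forged "Alice" fails verification, and a public-key fingerprint of the kind one compares out of band is shown. The names, primes and messages are assumptions made for the example.

```python
"""Toy dual-key (public-key) encrypt-and-sign demo.

Added example, not from the lecture notes. Shows what the Dual Keys and
Email Spoofing slides describe: sign with the sender's private key, encrypt
to the recipient's public key, only the matching private key decrypts, and a
forged sender fails verification. Keys are ~63-bit textbook RSA with no
padding: a teaching toy with no real security. Names and text are constructed.
"""
import hashlib
import math
import os


def next_prime(start):
    """Smallest odd prime >= start, by trial division (fine at 32-bit size)."""
    n = start | 1
    while any(n % d == 0 for d in range(3, int(n ** 0.5) + 1, 2)):
        n += 2
    return n


def keygen(p, q):
    """Return (public, private) as ((n, e), (n, d)); e is chosen coprime to phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (65537, 257, 17, 5, 3) if math.gcd(c, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


def fingerprint(pub):
    """Short hash of a public key: the value one checks out of band, as the
    slides advise for a certificate fingerprint."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


def _keystream(key_bytes, length):
    """SHA-256 in counter mode as a toy stream cipher."""
    out = b""
    for counter in range(length // 32 + 1):
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _digest_int(message):
    """Hash the message to a 56-bit integer, below every toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:7], "big")


def seal(message, sender_priv, recipient_pub):
    """Sign with the sender's private key and encrypt to the recipient's
    public key (hybrid: RSA wraps a random session key for a stream cipher)."""
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    signature = pow(_digest_int(message), d_s, n_s)
    k = int.from_bytes(os.urandom(7), "big")            # session key < n_r
    stream = _keystream(k.to_bytes(8, "big"), len(message))
    return {"wrapped_key": pow(k, e_r, n_r),            # only recipient unwraps
            "body": bytes(m ^ s for m, s in zip(message, stream)),
            "signature": signature}


def open_sealed(envelope, recipient_priv, claimed_sender_pub):
    """Decrypt with the recipient's private key, then verify the signature
    against the key the message claims to come from. Returns (text, ok)."""
    n_r, d_r = recipient_priv
    n_s, e_s = claimed_sender_pub
    k = pow(envelope["wrapped_key"], d_r, n_r)          # garbage if wrong key
    stream = _keystream(k.to_bytes(8, "big"), len(envelope["body"]))
    text = bytes(c ^ s for c, s in zip(envelope["body"], stream))
    ok = pow(envelope["signature"], e_s, n_s) == _digest_int(text)
    return text, ok


# Three constructed key pairs; primes are picked deterministically for the demo.
ALICE_PUB, ALICE_PRIV = keygen(next_prime(2**31), next_prime(2**32))
BOB_PUB, BOB_PRIV = keygen(next_prime(2**31 + 10**6), next_prime(2**32 + 10**6))
MALLORY_PUB, MALLORY_PRIV = keygen(next_prime(2**31 + 2 * 10**6),
                                   next_prime(2**32 + 2 * 10**6))


def demo():
    """Alice -> Bob works; an interceptor cannot read it or pass as Alice."""
    msg = b"Invoice 17 approved. -- Alice"
    env = seal(msg, ALICE_PRIV, BOB_PUB)
    bob_text, bob_ok = open_sealed(env, BOB_PRIV, ALICE_PUB)
    # Mallory intercepts but lacks Bob's private key: wrong session key,
    # unreadable body, and the signature no longer matches the text.
    _, mallory_ok = open_sealed(env, MALLORY_PRIV, ALICE_PUB)
    # Mallory spoofs Alice: signed with Mallory's key, fails against Alice's.
    forged = seal(b"Pay Mallory instead. -- Alice", MALLORY_PRIV, BOB_PUB)
    _, forged_ok = open_sealed(forged, BOB_PRIV, ALICE_PUB)
    return {"bob_text": bob_text, "bob_ok": bob_ok,
            "mallory_ok": mallory_ok, "forged_ok": forged_ok}


if __name__ == "__main__":
    print("Alice's fingerprint:", fingerprint(ALICE_PUB))
    print(demo())
```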
You can search for certificates on public directories (LDAP) directly from within Communicator.
• Users must exchange "public keys".
• Can be done via LDAP directory or email exchange.

Shopping Securely
• You should never input sensitive info such as Credit Card numbers into a non-secure website.
• Make sure the website is certified by a trusted Certificate Authority (CA).

How to Shop Securely
• When you enter a secure site, Communicator's Security icon will change as shown:
• Click on the Security button to examine which CA asserts that this site is safe.

Key Strength Comparison
• Most browsers ship with a default of 40 bit encryption capabilities.
• You must upgrade to a 128 bit encryption capable browser for most online banking.

Strong Encryption Browsers
• Netscape Communicator is freely available for all platforms with 128 bit encryption capability and full features.
• A 128 bit capable version of Microsoft Internet Explorer is available for Windows and Macintosh. (The Mac version has limited features.)
• You may have to install additional plug-ins to get 128 bit capabilities out of MSIE.

Hacking In to Your Computer
• DSL and Cable internet access means round the clock connections of home and small business computers to the Internet.
• Greatly increases the chance of attack.
• Physical access is always a danger, too.
• Hackers can gain access to your personal files, Quicken data, etc.

Stopping Hackers
• Set up a personal/home firewall.
• Encrypt your sensitive files!!!
  - PGP, all platforms.
  - Mac OS 9 Built-In Encryption Feature
• Don't give out your passwords to anyone!
• Use difficult passwords - not simple dictionary style words.

3. Web Data Interception
4. Network & Volume Invasion
5. Marketing Data / Spam & Junk Mail
6. Viruses, Worms, Trojan Horses
Viruses
• Computer viruses are 100% man made.
• Can be transmitted via email, disk, network, etc…
• Most are harmless experiments.
• Some are intended to wreak havoc on individuals and networks.
Virus Protection
• Get a virus protection package and install it on your computer.
• Check the vendor's website for downloadable updates and alerts on new viruses.
• Don't open email or attachments from unknown sources.

7. Password Cracking
Password Strength
• Simple words out of a dictionary make bad passwords.
• Use mixed upper and lower case characters.
• Use non-alphanumeric characters such as: ~!@#$%^&*()_+=-{}[]|\:;"'/?.>,<`
• Avoid sharing passwords, even with friends and family.

Examples:
• Using a simple passphrase such as "coffee" is simple to hack; it takes about 40 minutes to break.
• Using random alphanumerics is significantly more difficult: a passphrase such as "bR1a9Az" takes about 22 years to crack.
• Using the full range of the keyboard with truly random characters is totally infeasible to crack. A passphrase like ",ThX1pD<V+" would take 3.8 x 10^8 years to crack.

Most Possible Threats
• Mail bomb
• Denial of Service (DoS)
• Piracy of Intellectual Property

Safeguarding Customer Information
Gramm-Leach-Bliley Act (GLBA) Compliance
Why was GLBA enacted?
• Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards relating to administrative, technical and physical information safeguards to protect customer records and information.

Safeguard Objectives:
• Ensure security and confidentiality of customer records and information.
• Protect against any anticipated threats or hazards to the security of the records.
• Protect against unauthorized access or use of records or information which could result in harm or inconvenience to the customer.

Information Security Plan
• Written to ensure security and confidentiality of non-public customer financial information (NPI).
• Protect against any anticipated threats and hazards.
• Protect against unauthorized access or use.

Non-public customer information (NPI)
• Credit card numbers
• Social Security numbers
• Driver's license numbers
• Student loan data
• Income information
• Credit histories
• Customer files with NPI
• NPI consumer information
• Bank account data
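An added example (not from these notes) of putting the NPI list above to work: a scanner that flags and masks two of the listed categories, credit card numbers and Social Security numbers, in constructed records before they are exported or e-mailed, using the Luhn check digit so that other long digit strings are not mistaken for cards. The record format and sample values are assumptions made for the example.

```python
"""Scan records for non-public customer information (NPI) before release.

Added example, not from the lecture notes. It detects two NPI categories
from the list above, payment card numbers (validated with the Luhn check
digit, so order or tracking numbers are not reported) and U.S. Social
Security numbers in 123-45-6789 form (impossible area/group/serial values
are skipped), and masks them down to the last four digits. Sample records
are constructed; the card number is the standard Visa test number.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, ending in a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject values the SSA never issues: area 000/666/9xx, zero group/serial."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(digits):
    """Keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line):
    """Return (masked_line, findings); findings are (kind, masked_value)."""
    findings = []

    def card_repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
            return mask(digits)
        return m.group(0)              # not a card number; leave untouched

    def ssn_repl(m):
        if ssn_plausible(*m.groups()):
            masked = "***-**-" + m.group(3)
            findings.append(("ssn", masked))
            return masked
        return m.group(0)

    masked = SSN_RE.sub(ssn_repl, line)
    masked = CARD_RE.sub(card_repl, masked)
    return masked, findings


# Constructed sample export. Only records 0 and 1 contain NPI.
SAMPLE_RECORDS = [
    "Student 10442 paid tuition with card 4111 1111 1111 1111 on 2024-03-01",
    "Loan application, SSN 219-09-9999, income 42000",
    "Order ref 1234567890123456 (tracking number, fails Luhn)",
    "Contact: 1-800-685-1111, no NPI here",
    "Payroll export: SSN 000-12-3456 is a placeholder",
]


def scan_records(records=SAMPLE_RECORDS):
    """Return (record_index, kind, masked_value) for every NPI hit."""
    hits = []
    for i, rec in enumerate(records):
        _, findings = scan_line(rec)
        hits.extend((i, kind, value) for kind, value in findings)
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        masked, findings = scan_line(rec)
        print(masked, "  <-", findings if findings else "clean")
```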
Financial Institutions
• Including colleges and universities, must ensure that their security programs provide adequate protection to customer information in whatever format – electronic or hardcopy.

FTC Ruling
• Consumers' information is not a privacy issue but is one of security.
• Compliance with FERPA does not exempt colleges and universities from GLBA safeguarding regulations.

FERPA vs. GLBA
• The Family Education Rights and Privacy Act addresses the privacy of student information.
• The Gramm-Leach-Bliley Act addresses the security of customer records and information.

University Actions
• Has established a committee to ensure compliance.
• The committee meets regularly to review and ensure compliance with the act.
• Performs risk assessment and regular testing.
• Oversees service providers and contracts.
• Trains staff to maintain security and confidentiality.

Why Protect your Identity?
• Identity Theft
Statistics on Identity Theft in New Jersey
4802 Complaints / year
1. Credit Card Fraud 2,350 -- 49%
2. Phone or Utilities Fraud 867 -- 18%
3. Bank Fraud 669 -- 14%
4. Government Documents/Benefits Fraud 396 -- 8%
5. Loan Fraud 356 -- 7%
6. Employment-Related Fraud 260 -- 5%
7. Attempted Identity Theft 477 -- 10%
8. Other 710 -- 15%

What is Identity Theft?
• Under the ID Theft Act, identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity.
• (unlawful activity: a violation of Federal law, or a felony under State or local law).
• When someone steals your identity, they are usually using your credit to obtain goods and services for themselves that "you" will have to pay for.

How Does an Identity Thief Get Your Information?
• Stealing files from places where you work, go to school, shop, get medical services, bank, etc.
• Stealing your wallet or purse.
• Stealing information from your home or car.
• Stealing from your mailbox or from mail in transit.
• Sending a bogus email or calling with a false promise or fraudulent purpose. For example: pretending to be from a bank, creating a false website, pretending to be a real company, fake auditing letters.
How Does an Identity Thief Use Your Information?
• Obtains credit cards in your name or makes charges on your existing accounts (42%).
• Obtains wireless or telephone equipment or services in your name (20%).
• Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).
• Works in your name (9%).
• Obtains personal, student, car and mortgage loans, or cashes convenience checks in your name (7%).
• Other uses: obtains a driver's license in your name.

Victims of Identity Theft
• If your identity is stolen, do the following immediately:
  Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).
  Contact your creditors and check your accounts.
  File a police report.
  File a complaint with the FTC.

Recovery
• Take back control of your identity:
  Close any fraudulent accounts.
  Put passwords on your accounts.
  Change old passwords and create new PIN codes.

Have you been a Victim?
You may be a victim if:
• You are denied credit.
• You stop getting mail.
• You start getting collection calls/mail.
• You start getting new bills for accounts you do not have or services you did not authorize.
• Your bank account balance drops.

Damages
• Time
• Money
• Credit rating
• Reputation

Good Practices
• Photocopy the contents of your wallet/purse.
• Photocopy your passport (keep a copy at home and one with you when you travel).
• Empty your wallet/purse of non-essential identifiers.
• Do not use any information provided by the people who may be trying to scam you; look it up yourself.
• Shred documents before you dispose of them.

"GLBA requires us to PROTECT CONSUMERS from substantial harm or inconvenience."

What can we do to guard NPI?
• Keep confidential information private.
• Use care when asking for or giving an SSN.
• Use secure disposal methods.
• Protect the privacy of data transmissions.
• Improve procedures.

Prevention
Guard against fraud:
• Sign cards as soon as they arrive.
• Keep records of account numbers and phone numbers.
• Keep an eye on your card during transactions. Also be aware of who is around you; is anyone else listening?
• Check your credit report and credit card monthly statements.

Annual credit bureau report
• New Jersey residents are entitled to one free annual credit report.
• If you are denied credit, you are allowed to request one free copy of your credit report.
• Check your report for accurate information, open accounts, balance information, loan information, etc.

Credit Bureau Links
• Equifax – www.equifax.com
  - To order a report, 1-800-685-1111
  - To report fraud, 1-800-525-6285
• Experian – www.experian.com
  - To order a report, 1-888-397-3742
  - To report fraud, 1-888-397-3742
• Trans Union – www.tuc.com
  - To order a report, 1-800-916-8800
  - To report fraud, 1-800-680-7289

Actions to prevent Others from becoming Victims
• Determine what information you need.
• Provide a secure workplace.
• Always ask for a student's ID or debtor's account number.
• Keep prying eyes away from customers' information.
• Don't expose NPI information to the outside world.
• Take care when you provide employees' or customers' personal information to others.
• Know & explain how you handle personal information.
• Ask for written permission prior to sharing personal information.
• Report problems or concerns to managers or supervisors.

Remember to always maintain confidentiality, security and integrity:
Avoid:
  unauthorized disclosure
  removing information from your office
  sharing information
  tossing information in the trash
  downloading or e-mailing information.

General Privacy
• Do not provide correcting information for account verification questions.
• Be suspicious.
• Be paranoid.
• Don't be afraid to say no when asked for information that is not required to conduct the current business transaction.

What are university assets?
University Assets
Are customer information and records assets?
Safeguarding Information
• Information takes many forms.
• Information is stored in various ways.
• Data assets have unique risks.
• Acceptable Use of Network & Computing Resources:
  - Agreement for Accessing Information
  - Acceptable Use Policy
  - Guidelines for Interpretation of Acceptable Use
  - Acceptable Use Supplement
Your Role: - Basics
Ensure Physical Security.
Select and Protect hard to guess passwords. Potential Damages to Any U.
Avoid email traps and disclosures. • Reputation
Back up files. • Violation of federal and state laws
Log off your computer when not in use. • Fines
Do not open emails with attachments from • Reparation costs
unknown sources. • Recovery costs
Obliterate data before giving up your computer. • Increased prevention costs
Recognize social engineering tactics.
Expectations
Check your work area! • All University employees are responsible for
• Do you leave NPI reports on your desk? securing and caring for University property,
• Is NPI stored in unlocked file cabinets? resources and other assets.
• Keep computer disks secure. • University relies on the attention and
• Do not save NPI on your computer C drive. cooperation of every member of the community
to prevent, detect and report the misuse of
Your role…. university assets.
The University has many policies and procedures to
help you, learn them. Prevention
• Protect yourself
University Regulations & Guidelines related to • Protect others
Safeguarding
Standards for University Operations Handbook: Safeguarding customer information and
• Confidentiality university asset is everyone’s job!
• Accounting for Financial Resources
Information Security Management (ISO/IEC • What control measures there were focussed
17799:2000) & Certified Risk Analysis almost entirely on computer data, to the
Methodology Management (CRAMM) exclusion of other forms of information
ISO - International Standardization Organization
CODE OF PRACTICE
Migrating • 1993: in conjunction with a number of leading
• Migrating from compliance with the IM&T UK companies and organizations produced an
(Info. Management Tech) Security Manual to ISM Code of Practice - incorporating the best
compliance with BS7799 Overview information security practices in general use.
• Addressed all forms of information;
What is Information Security Management (ISM)? e.g.computer data, written, spoken, microfiche
• An enabling mechanism whose application etc
ensures that information may be shared in a
manner which ensures the appropriate Code of Practice - Aims
protection of that information & associated • To provide
information assets. - A common basis for organizations to
develop, implement, and measure effective
Basic Components information security management practice
• Confidentiality: protecting sensitive - Confidence in inter-organisational dealings
information from unauthorized disclosure
• Integrity: safeguarding the accuracy and Balance
completeness of information/data. • A common concern amongst organizations is
• Availability: ensuring that information and that the application of security measures often
associated services are available to users when has an adverse impact on, or interferes with,
required. operational processes
• BS7799 processes are flexible enough to ensure
Problem that the right balance can be struck - security
• Until early 90’s information was handled by with operational efficiency!
many organizations in an ad hoc and, generally,
unsatisfactory manner Assets - Examples
• In a period of increasing need to share Software
information, there was little or no assurance • Application software, system software,
that such information could or would be development tools
safeguarded
Physical Controls
• Computer equipment, magnetic media, Each of these Categories contains a number
furniture, accommodation of security controls, mandatory or otherwise, which
can be implemented as part of the information
Services security risk management strategy
• Heating, lighting, power, air-conditioning
The same controls will not, necessarily apply across
Information the board, owing to the varying nature of
• Databases, system documentation, data files, organizations, risk factors etc
user manuals, continuity plans, backup
processes The Crux of the Matter
• Information is subject to numerous risks; which
The Standard can be grouped together under the generic
• And headings of:
- Personnel Security. Measures to reduce - Accidental
risks of human error, theft, fraud or misuse - Natural
of facilities - Deliberate
- Physical/Environmental Security. • A risk being the product, in this case, of the
Prevention of unauthorized access, threat to information and its assets, and
interference to IT services and damage vulnerability to the threats
- Computer and Network Management. To
Ensure correct and secure operation of Risk Analysis
computer and network facilities • The point is:
- System Access Control. Controls to - An effective risk management strategy
prevent unauthorized access to computer cannot be implemented until the risks are
systems identified and measured (that is, analyzed)
- System Development and Maintenance. A • It almost goes without saying, that Analysis
security program complementing should be based upon a sound and proven
development/maintenance of IT systems methodology
- BCP. Measures to protect critical business • therefore the we will use CRAMM
processes from major failures and disasters
- Compliance. To avoid breaches of CRAMM
statutory or contractual requirements and • Developed in 1985, CRAMM Risk Analysis
ensure the ISMS is operational Methodology is a complete package, containing:
- the risk analysis process itself
- associated documentation (inc. Report
functionality; results and conclusions)
- training
- software support tools
3 Stages
CRAMM offers a 3-staged approach that allows an
organization to:
1. Identify and value assets
2. Assess the threats and vulnerabilities to those And then……..
assets • Develop and implement security policies which
3. Select appropriate recommended comply with your specific requirements in
countermeasures terms of BS7799
• Review and Maintain
CRAMM Version 4.0 • Simple, isn’t it?
• This version, the latest, includes • No, it is appreciated that compliance with
- Full support for BS7799 including BS7799 is a significant undertaking
• GAP analysis • But, as the benefits themselves are
• Implementation of a security significant…it is not only good practice, but
improvement program makes good sense to adopt the standard
• Statement of Applicability
• Risk Modeling for multi-role You are Not Alone
organizations • CRAMM risks models are being developed for
• AND undertake a Risk Analysis ! specific organizations (e.g. Acute Trusts)
• A fit with BS7799: Part 2 • Such models will encompass approximately 90
- 95% of organizations
• Pioneer Projects - results of which will be fed
into the overall implementation process
• Training
• Development and maintenance program
• FAQs
• Help Desk
• User Groups
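The three-stage approach above (value assets, assess threats and vulnerabilities, select countermeasures), with risk taken as the product of asset value, threat and vulnerability, carried through in a small worked model. This is an added example, not CRAMM's own tables or software: the qualitative scales, the asset register and the countermeasure catalogue are constructed for illustration.

```python
"""Simplified three-stage risk analysis in the spirit of CRAMM (added example;
the scales and data below are constructed, not CRAMM's own)."""
from dataclasses import dataclass, field

# Qualitative scales, constructed for this example.
THREAT = {"low": 1, "medium": 2, "high": 3}
VULN = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    category: str            # Software, Physical, Services or Information
    cia: tuple               # (confidentiality, integrity, availability), each 1-5
    threats: list = field(default_factory=list)  # (threat, kind, level, vuln)


def value(asset):
    # Stage 1: value the asset by its worst-case loss across C, I and A.
    return max(asset.cia)


def risk_score(asset, level, vuln):
    # Stage 2: risk as the product of asset value, threat level and vulnerability.
    return value(asset) * THREAT[level] * VULN[vuln]


def select_countermeasures(assets, threshold, catalogue):
    # Stage 3: recommend a control for every threat whose risk meets the threshold,
    # highest risk first, so the security improvement program can be prioritised.
    recommendations = []
    for asset in assets:
        for threat, kind, level, vuln in asset.threats:
            score = risk_score(asset, level, vuln)
            if score >= threshold:
                recommendations.append((asset.name, threat, score, catalogue[kind]))
    return sorted(recommendations, key=lambda rec: -rec[2])


# Constructed sample register, keyed by the page's accidental/natural/deliberate headings.
CATALOGUE = {"accidental": "training and change control",
             "natural": "environmental protection and off-site backups",
             "deliberate": "access control and audit logging"}
SAMPLE_ASSETS = [
    Asset("student records database", "Information", (5, 5, 3),
          [("unauthorised disclosure", "deliberate", "medium", "high"),
           ("operator error", "accidental", "medium", "medium")]),
    Asset("server room", "Physical", (2, 3, 5),
          [("flood", "natural", "low", "high")]),
]

if __name__ == "__main__":
    for rec in select_countermeasures(SAMPLE_ASSETS, 12, CATALOGUE):
        print(rec)
```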