Redefine Cybersecurity, Explore Innovative Strategies and Develop Trust
Creating Value through Innovative IT Auditing
Ronnie Koh
Jointly Organized By :
How do we create value?
• By increasing both Breadth and Depth in our audit coverage for Digital Bank & Cyber Security
• By investing in our people – creating a value-driven talent pool
Why do we need to innovate?
Adapt to a changing environment and uncertainties:
• Cyber threats
• New technology
• Growing expectations
• Competent risk managers
• Regulatory changes
• Insider threats
• New competitors
• Expectations from Board of Directors
Why do we need to innovate?
Traditional auditing effort (past) → Continuous auditing (present) → Predictive auditing (future): moving from reactive to proactive.
Increase focus on proactive & preventive risk identification: “SHIFT LEFT”
How did we transform? The 4Ps
Proactive
• Special review (project life cycle) of VA/PT process
Preventive
• Independent security assessment
• Source code review
Predictive
• Data modelling for predictive analysis (e.g. identify insider threats)
• Cyber intelligence
• Early IT incident intervention
Productive
• Continuous assessment (automated checks)
Where were we and where are we now?
Before 2013
Pockets of cyber security review (mainly security surveillance)
Between 2013 & 2014
1. Perform preliminary gap assessment referencing SANS Top 20 Controls
2. Create IT Audit training roadmap
Between 2014 & 2015
1. Commence iTransformation
2. Kick-start staff training
3. Set up cyber security test lab
4. Establish cyber security audit framework
5. Roll out cyber security audit projects
6. Create cyber security awareness in Group Audit
Between 2015 & 2016
1. iTransformation continuation
2. Continuous staff training
3. Enhance cyber security test lab
4. More in-depth cyber security audit projects
5. Introduce static & dynamic scanning tools
2016 onwards
1. Insider threat analysis
2. Cyber wargaming
3. Cyber security intelligence
4. Extend cyber security lab to
What is our ‘secret’ formula? PEOPLE, TOOLS, FRAMEWORK
Breadth & Depth – Our Framework
Cyber Security Framework components: Policies & Procedures; Agreement / Contract; Security Controls and Surveillance; Security Awareness
Audit coverage areas:
• VA/PT vulnerabilities review
• Key management (SSL/HSM)
• Dynamic & static security assessment for web / mobile apps
• High-level dynamic assessment for web / mobile apps
• Network vulnerability assessment
• Social engineering
• Secure SDLC review
• In-depth security source code assessment
• Cyber security focus on subsidiaries
Legend on the original slide: existing cyber security coverage vs. new cyber security coverage
Breadth & Depth – Equipping Our People
Group Audit iTransformation
IT Auditor:
1. IT Governance
2. In-depth review of automated control, i.e. design and implementation
3. IT General Controls (e.g. app resiliency, capacity management)
4. System Security
Business Auditor (Application):
1. Business Governance
2. Business process and operation
3. Testing manual and automated control
More efficient & business-focused audit through reviewing business risk & processes from end to end, covering both manual and automated controls!
Breadth & Depth – Equipping Our People
Group Audit iTransformation
NextGen IT Auditor: System Management & Cyber Security (e.g. cryptography, source code review, penetration testing and vulnerability assessment)
Integrated Auditor:
• System set-up controls (e.g. parameter setup)
• Application security (e.g. audit trails)
• Input controls / pre-processing (e.g. input validation)
• Processing controls (e.g. business logic)
• Output controls (books, records & reports)
Breadth & Depth – Equipping Our People
External / Internal Training
1. Cyber Security Test Lab Development
2. Secure Source Code Scanning
Enhance cyber security review capability in GA IT Audit…
Targeted training referencing the IT Audit Training Roadmap
Breadth & Depth – Equipping Our People
Future Initiatives
1. OJT hands-on security assessment (VAPT)
2. Digital banking coverage training
3. Extension of Cyber Lab to regional countries
4. Source code review training
5. Analytical-based auditing approach to review
6. Incorporate cyber intelligence for predictive capability
Breadth & Depth – Investing in Tools
1. Cyber Security Test Lab Development
2. Secure Source Code Scanning
Cyber Security Tools Training / Practice:
• Cyber Security Test Lab
• SANS Security Training (or equivalent; learning how to use the tools)
• Code Scanning Tool Training
• On-the-job (OJT) training in using these tools in cyber security reviews: Security Operations; VA/PT process; Independent Assessment
Test lab diagram labels: HP WebInspect, Security Testing Tools, Operating Environment
Creating Cyber Security Awareness
Security news items tracked from May 2015 to August 2015, by category: app/software vulnerabilities, web vulnerabilities, credit card hacking / data breach, mobile hacking, phishing attack.
• Rombertik Malware
• Mumblehard Linux Malware
• Venom Vulnerability
• Apple Safari Browser Vulnerability
• LogJam SSL Attack
• iOS Messaging Vulnerability
• Skype Crash Vulnerability
• Magento Hacking
• SingPass Phishing Emails
• Apple Pay Hacking
• Whatsapp Account Hijack
• iPhone Password Hacking
• Samsung Mobile Software Vulnerability
• OpenSSL Vulnerability
• IE Browser Zero-Day Vulnerability
• Vehicle Hacking
• OpenSSH Brute Force
• ATM Skimming
• Java Zero-Day Vulnerability
• UEFI BIOS Rootkit Hacking
• US Census Bureau Hacking
• United Airlines Hacking
• Mac OS Zero-Day Vulnerability
• Windows Update Malware
• Certifi-Gate Android Vulnerability
• Android Endless Reboot Bug
• Credit Card Skimming
• Elise Malware