
Cyber Security and Information Security

  • Virtually all IT risk and audit engagements encompass an element of information security.  Numerous assessments of information security practices, policies and procedures and configuration of the various aspects of the IT environment have been performed. 
  • Technology platforms assessed have included AS/400/iSeries, Windows, OS/390 (Top Secret and RACF), UNIX variants, Oracle database, SQL database, SAP, Oracle Financials, JD Edwards and various other 2nd tier and in-house developed applications.  
  • Network environments audited include network segmentation design and implementation and the various systems and services in use to protect the perimeter and network traffic including firewalls, routers and switches, IDS/IPS, DLP, event management systems, VPN, MPLS
  • Three projects are described in detail below:

 Client:

FX trading company  

Duration:

4 months   

Key Roles/ Services Performed:

Project manager/Assessment

Details:

  • Performed a Threat Risk Assessment (TRA) on the company's information technology assets supporting the company's high and critical business functions
  • The end result of the TRA was a list of risks and vulnerabilities, each assigned a value that allows the vulnerabilities to be prioritized for further attention.  Values were based on the impact and severity of the vulnerability to the in-scope assets
  • The primary phases of the TRA were:
    • Phase 1 - Develop a profile of the assets and the value of the asset based on the level of injury that could be expected to arise in the event of compromise to the confidentiality, availability or integrity of the asset
    • Phase 2 - Determine a list of threats that may impact the assets and the extent/impact of this threat to confidentiality, availability and integrity
    • Phase 3 - Identify the safeguards that protect or reduce the impact of the threats, and associated vulnerabilities
    • Phase 4 - Determine a prioritized list of residual risks based on Asset Value x Threat Value x Vulnerability Value, together with a course of action and response plan
  • The approach to the assessment was based on the Harmonized Threat and Risk Assessment Methodology issued by the Communications Security Establishment (CSE) and the Royal Canadian Mounted Police (RCMP), complemented with other methodologies including OCTAVE Allegro, SANS/NIST and Vera risk assessment methodologies.
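To make the four phases concrete, the following is an added example of a residual-risk register worked through in code; it is not from the engagement described above and not part of the HTRA methodology itself. The 1-5 scales, the rule that an asset's value for a given threat is the worst injury among the properties that threat can compromise, the way safeguards subtract from a baseline vulnerability value, the action bands and the sample assets, threats and safeguards are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

INJURY_MAX = 5  # assumed 1-5 scale: 5 = severe injury, and also the maximum vulnerability value


@dataclass(frozen=True)
class Asset:
    name: str
    injury: dict  # Phase 1 profile: expected injury level per property {"C": .., "I": .., "A": ..}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # Phase 2 threat value on the assumed 1-5 scale
    affects: tuple   # CIA properties the threat compromises, e.g. ("I", "A")


@dataclass(frozen=True)
class Safeguard:
    name: str
    counters: str       # name of the threat it mitigates
    effectiveness: int  # points removed from the baseline vulnerability value (assumed model)


def asset_value(asset: Asset, threat: Threat) -> int:
    """Phase 1: asset value is the worst injury among the properties this threat can compromise."""
    return max(asset.injury[p] for p in threat.affects)


def vulnerability_value(threat: Threat, safeguards: list) -> int:
    """Phase 3: start from the maximum vulnerability and subtract what the safeguards buy back."""
    reduction = sum(s.effectiveness for s in safeguards if s.counters == threat.name)
    return max(1, INJURY_MAX - reduction)


def course_of_action(risk: int) -> str:
    """Phase 4: assumed bands that turn a residual-risk score into a response."""
    if risk >= 40:
        return "remediate now"
    if risk >= 25:
        return "plan remediation"
    return "monitor"


def residual_risks(assets, threats, safeguards):
    """Phase 4: residual risk = Asset Value x Threat Value x Vulnerability Value, highest first."""
    rows = []
    for asset in assets:
        for threat in threats:
            av = asset_value(asset, threat)
            tv = threat.likelihood
            vv = vulnerability_value(threat, safeguards)
            risk = av * tv * vv
            rows.append({
                "asset": asset.name, "threat": threat.name,
                "AV": av, "TV": tv, "VV": vv, "risk": risk,
                "action": course_of_action(risk),
            })
    # Highest residual risk first; asset/threat names break ties deterministically.
    rows.sort(key=lambda r: (-r["risk"], r["asset"], r["threat"]))
    return rows


# Constructed sample register for a hypothetical FX trading environment.
SAMPLE_ASSETS = [
    Asset("Trading engine", {"C": 3, "I": 5, "A": 5}),
    Asset("Client CRM", {"C": 4, "I": 3, "A": 2}),
]
SAMPLE_THREATS = [
    Threat("Ransomware", likelihood=4, affects=("I", "A")),
    Threat("Credential theft", likelihood=3, affects=("C", "I")),
    Threat("DDoS", likelihood=2, affects=("A",)),
]
SAMPLE_SAFEGUARDS = [
    Safeguard("Offline backups", counters="Ransomware", effectiveness=2),
    Safeguard("MFA on all logins", counters="Credential theft", effectiveness=3),
    # No safeguard listed for DDoS, so it keeps the maximum vulnerability value.
]


def prioritised_register():
    return residual_risks(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_SAFEGUARDS)


if __name__ == "__main__":
    for r in prioritised_register():
        print(f'{r["risk"]:3d}  {r["asset"]:<15} {r["threat"]:<17} '
              f'AV={r["AV"]} TV={r["TV"]} VV={r["VV"]}  {r["action"]}')
```

With the sample data the register ranks ransomware against the trading engine first (5 x 4 x 3 = 60), and DDoS against the trading engine second (5 x 2 x 5 = 50) even though DDoS is the least likely threat, because no safeguard reduces its vulnerability value. That is the point of Phase 3 feeding Phase 4: the ranking moves when a safeguard is added or its effectiveness is re-scored, which is what makes the prioritized list useful for tracking remediation.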

Benefits to client:

Through the formal approach taken to asset valuation, threat determination and impact assessment, vulnerabilities were identified and ranked according to their overall risk.  This allows higher-risk vulnerabilities to be targeted for earlier remediation, and the effectiveness of the associated safeguards to be monitored more closely. 


 Client:

Credit union   

Duration:

4 months   

Key Roles/ Services Performed:

Project manager/Assessment

Details:

  • Led and participated in a Cyber Security Assessment on the client’s new web and mobile banking environment. 
  • An initial phase of the engagement was to develop a range of IT policies for the parent company; these were used as the point of reference for the second phase, an assessment of the new online banking environment at the client’s subsidiary. 
  • Performed an assessment based on the framework and robust cyber security practices, prior to going live with the new environment.  
  • A combination of COBiT risk and control objectives and other cyber security methodologies were used as the framework for the engagement. 
  • Working with the client’s primary service provider, assessed the IT security risks impacting data integrity and confidentiality of customer data in the outsourced cloud environment. 
  • The report focused on the areas of risk and enhancements that are required to mitigate the risks to customer data confidentiality.

Benefits to client:

Our client and the outsourced service provider received a report that outlined areas for improvement and recommendations for addressing these areas. 

The report was able to be provided to the industry regulator who required an external assessment be performed prior to go-live operations.


 Client:

Major telecommunications and media company

Duration:

6 months   

Key Roles/ Services Performed:

IT auditor

Details:

  • Key member in a four person audit team for a Cyber Security Controls assessment across the company
  • Developed baseline audit programs for all areas including secure systems design, vulnerability management, security operations and event management, cyber threat intelligence (CTI), website operations, incident management, change management, asset management and patch management.
  • Audited the CTI, asset management and patch management areas in depth including detailed management interviews, evaluation of documented processes and practices, inspection of system designs, configurations and other relevant documentation and preparation of executive level reporting.
  • Within CTI, evaluated the extent and effectiveness of the external threat feeds in use, the range of internal data sources ingested into the platform, the models and algorithms used to develop unique indicators of compromise (IOCs), the techniques used to research and analyze model outputs, and the distribution of threat indicators to other parties in the company for action and response.  
  • Within asset management, evaluated the inventories and controls in place to maintain an up to date and effective inventory of internet presences and their supporting architectural elements, as well as processes to assess and approve the implementation of new internet accessible access points whether internal or externally hosted.
  • Within patch management, assessed the company wide practices used to identify software vulnerabilities within the software inventory, processes to test and evaluate the implementation of the required patches and reviewed the exception and mitigation measures for areas not able to be updated.  

Benefits to client:

With a baseline audit program, team members were able to hit the ground running with their respective areas.

Client received a comprehensive report on areas of improvement and an objective, independent assessment of the true state of control practices for the in-scope areas.