
Security Audit vs. Security Review September 16, 2009


Presentation Transcript


  1. California State Lottery Security Audit vs. Security Review September 16, 2009

  2. Agenda
     • California Lottery’s preparation and selection of external audit team
     • KPMG discussion on performing the security audit

  3. Background of CSL Security Audit
     • California Lottery Act
     • Mandated elements
     • Limitations of past security reviews
     • New Statement of Work
     • Vendor Selection Team

  4. Mandated Security Elements
     • Personnel
     • Game retailer
     • Manufacturing and Distribution
     • Ticket validation, counterfeiting, alterations, fraud, unclaimed prizes, preprinted tickets
     • Draws and Games
     • Computer
     • Data Communications
     • Physical
     • Database
     • Other Security

  5. Limitations of Past Security Reviews
     Traditionally what happens during an audit:
     • Adequate business knowledge not demonstrated
     • There is some understanding, but we miss the big picture
     • External environment is not always considered
     • Different levels of knowledge within Audit Team, not well shared
     • Auditing on compliance to management policies and procedures not adequate to base conclusions
     • Do not understand risk to the business
     • Auditors only perform checklist approach

  6. Impacts of Traditional Audit Approach
     • Exposure to risk increases in key areas
     • Reduction in audit efficiency
     • Customer dissatisfaction
     • Key Stakeholders not identified and involved in the process

  7. SOW
     • Develop model of each vital Lottery component
     • Assess each component
     • Identify high risk components
     • Perform general and internal control reviews in high risk areas
     • Review mandated areas
     • Cite audit standards

  8. Vendor Selection Team
     • ID Stakeholders
     • CSL key stakeholders are IT and Security/Law Enforcement
     • Created selection team
     • Developed and distributed RFI
     • Performed two step selection process

  9. Traditional Risk Management vs. ERM

  10. Risk Framework
     • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
     • Issued the most widely used internal control and enterprise risk management frameworks in use today
     • COSO’s Enterprise Risk Management – Integrated Framework: “expands on internal control, providing a more robust and extensive focus on the broader subject of risk management”
     • The basis for taking a risk-based approach to audits

  11. Conducting a Risk-Based Audit
     • Identify business/audit objectives
     • Identify risks to those objectives
     • Evaluate the inherent “severity” of risks
     • Identify controls or other strategies to mitigate the risks
     • Determine whether controls are in place and working
     • Determine residual risk after controls and mitigations are evaluated
     • Identify gaps where risks are not mitigated and no controls exist or are weak
     • Calculate the final residual risk “severity”

  12. Business Acumen is Key to Identifying Risks
     • Knowledgeable about the business
     • Applies business perspective to business objectives
     • Align employees with strategy and initiatives
     • Holistic View - think in terms of the entire system and the effects and consequences of actions and decisions
     • Operate with an awareness of the general landscape of general business arenas

  13. Relevant Internal Information
     • Process – Flow how major organizations fit together
     • People – Leadership/Operations, organization charts as well as others
     • Plans/Priorities – Lottery’s Objectives

  14. Relevant External Information
     • Competitors
     • Regulatory Concerns
     • Legal
     • Market
     • Economy
     • Environment

  15. CSL Project Approach
     • Risk Assessment and Security Audit Objectives:
       • Identification of risks and internal control dependencies related to security that impact Lottery business objectives
       • Develop understanding of Lottery business objectives
       • Develop understanding of Lottery key processes supporting business objectives
       • Develop understanding of risks associated with key processes that support Lottery business objectives
       • Develop understanding of significant security control dependencies embedded in key processes
     • Value Proposition:
       • Holistic view of Lottery Information Security on an enterprise scale
       • Assessment of risk impacting the achievement of key organization objectives
       • Observations and recommendations to help enhance information protection practices and Lottery operations
       • Lottery Security Audit Compliance

  16. Risk and Controls Matrix
     • The “master” repository for all risks and mitigating controls
     • Correlates all risk data including categories, business areas affected, related objectives, and other information
     • Calculates all risk ratings
     • Used as a basis for documenting the risk assessment and developing reports
     • Sometimes called a “risk register”
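Added example, not from the presentation or from KPMG's actual working papers: a small risk and controls matrix that walks the risk-based audit steps of slide 11 and the risk register role described on slide 16, using the mandated security elements of slide 4 as risk areas. The 1-5 scoring scale, the fractional control reduction and the gap threshold are assumptions, and all risks and controls are constructed sample data.

```python
# Added example, not from the presentation: a small risk and controls matrix that
# walks the risk-based audit steps of slides 11 and 16. Scales are assumptions.
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    in_place: bool      # step 5: is the control in place?
    working: bool       # step 5: is it tested and working?
    reduction: float    # share of inherent severity removed when effective (assumed)

    def effective(self) -> bool:
        return self.in_place and self.working

@dataclass
class Risk:
    objective: str      # step 1: business/audit objective the risk threatens
    description: str    # step 2: the risk itself
    area: str           # mandated security element from slide 4
    likelihood: int     # 1..5 (assumed scale)
    impact: int         # 1..5 (assumed scale)
    controls: list = field(default_factory=list)

    def inherent_severity(self) -> int:          # step 3
        return self.likelihood * self.impact
    def residual_severity(self) -> float:        # steps 6 and 8
        remaining = 1.0
        for c in self.controls:
            if c.effective():                    # only working controls count
                remaining *= 1.0 - c.reduction
        return round(self.inherent_severity() * remaining, 2)

    def is_gap(self, threshold: float = 10.0) -> bool:   # step 7
        no_effective = not any(c.effective() for c in self.controls)
        return no_effective or self.residual_severity() >= threshold

def build_register(risks):
    # Rows sorted worst-first: (area, risk, inherent, residual, gap?)
    rows = sorted(risks, key=lambda r: r.residual_severity(), reverse=True)
    return [(r.area, r.description, r.inherent_severity(),
             r.residual_severity(), r.is_gap()) for r in rows]
# Constructed sample risks; the areas come from the mandated elements slide.
SAMPLE_RISKS = [
    Risk("Pay only valid prizes", "Counterfeit or altered winning ticket", "Ticket validation", 4, 5,
         [Control("Serial number validation", True, True, 0.6),
          Control("Dual approval of large prizes", True, True, 0.5)]),
    Risk("Fair draws", "Tampering with draw equipment", "Draws and Games", 2, 5,
         [Control("Tamper seals on draw machines", True, False, 0.7)]),
    Risk("Protect transaction data", "Interception of retailer terminal traffic", "Data Communications", 3, 4),
]
```

A control that is in place but not working (the tamper seals above) contributes nothing to the residual rating, which is the point of step 5 on slide 11: documented controls only count once they are tested.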

  17. Benefits of the Risk-Based Approach
     • Improved decision making, especially in setting strategy
     • Improved governance
     • Improved compliance
     • More effective business processes
     • Audits directed at high risk areas that include all activities of the business
     • Audit objectives are aligned to strategic and operational risk
     • Organization is involved during all stages of planning as they own the risk

  18. Thank You! Questions?
