Overcoming
Check-the-Box
IT Compliance
Chong Ee, CISA, CGEIT, Director, Compliance and Accounting Process,
ZipRealty, Inc.
Agenda
• Perils of checking the box
• Connecting the dots
• The lifecycle of compliance
• Next steps
News of a Break-In

Where Are We Today?
Unintended Consequences
• Pass/fail mentality
• False sense of security
• Race to the bottom
• Missed opportunities
Connecting the Dots - Part 1
From visible symptom back to underlying cause:
• Less than successful product launch
• Application does not meet business requirements
• Lack of access controls over application
• Poor change management processes
Stacking IT Risks
IT risk pyramid (bottom to top):
• Access
• Availability
• Accuracy
• Agility
Source: The IT Risk Pyramid: Where to Start with Risk Management, MIT Sloan CISR Research Briefing Vol. V, No. 1D, March 2005
Connecting the Dots - Part 2
Causal diagram, nodes as shown on the slide: during an enhancement rollout, developers work under pressure, so they reduce testing, reduce test documentation and increase production access. Change success rate and fix rate fall, the likelihood of unauthorized corruption rises, and application quality suffers.
Adapted from Modeling and Analysis of Information Technology Change and Access Controls in the Business Context, Technical Note CMU/SEI-2006-TN-40, March 2007
3 of 53 IT controls predicted 45% of performance variance:

Metric                         Top Performers   Low Performers
Change success rate            95%              83%
Average fix rate               89%              67%
Average repeat audit finding   15%              67%

Source: Leveraging IT Controls to Improve IT Operating Performance, The Institute of Internal Auditors Research Foundation and IT Process Institute, 2008
Overlooked Symptoms
• Lack of documented evidence of testing
• Nature (and impact) of enhancement/fix
• Other indicators – bugs raised after rollout
• Helpdesk support activity
• Frequency of patch releases addressing
regression impact of prior fixes
Key Takeaway
IT general computer controls and application controls map to the IT risks (access, availability, accuracy, agility) and to operating metrics:
• Change success rate
• First fix rate
• Mean time to repair
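The three metrics on this slide, computed from a constructed change and incident log, as an added example; this is illustration code, not the IIA/ITPI study's method. The log format and event names, the rule that a change counts as failed when an incident is opened against it, the reading of "first fix rate" as the share of resolved incidents closed with a single fix, and the benchmark values taken from the Top Performers column of the earlier table are all assumptions.

```python
"""Change success rate, first fix rate and mean time to repair from an event log.

Added example, not the study's method. The log format, the event names and the
metric definitions below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<timestamp> <event> <ref> [<causing change or ->]".
SAMPLE_LOG = """\
2010-03-01T08:00 CHANGE_DEPLOYED CHG-1
2010-03-01T09:00 INCIDENT_OPENED INC-1 CHG-1
2010-03-01T10:30 FIX_DEPLOYED INC-1
2010-03-01T11:00 INCIDENT_RESOLVED INC-1
2010-03-02T08:00 CHANGE_DEPLOYED CHG-2
2010-03-02T10:00 INCIDENT_OPENED INC-2 CHG-2
2010-03-02T12:00 FIX_DEPLOYED INC-2
2010-03-02T14:00 FIX_DEPLOYED INC-2
2010-03-02T16:00 INCIDENT_RESOLVED INC-2
2010-03-03T08:00 CHANGE_DEPLOYED CHG-3
2010-03-04T08:00 CHANGE_DEPLOYED CHG-4
2010-03-04T14:00 INCIDENT_OPENED INC-3 -
2010-03-04T15:00 FIX_DEPLOYED INC-3
2010-03-05T08:00 CHANGE_DEPLOYED CHG-5
"""

# Assumed benchmark: the Top Performers column of the IIA/ITPI table above,
# treating that table's "average fix rate" as the first fix rate.
TOP_PERFORMERS = {"change_success_rate": 0.95, "first_fix_rate": 0.89}


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        cause = parts[3] if len(parts) > 3 and parts[3] != "-" else None
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M"),
            "kind": parts[1],
            "ref": parts[2],
            "cause": cause,
        })
    return events


def compute_metrics(events):
    """Return the three metrics; a metric with no data is None rather than 0."""
    changes, failed = set(), set()
    opened, resolved = {}, {}
    fixes = defaultdict(int)
    for e in events:
        if e["kind"] == "CHANGE_DEPLOYED":
            changes.add(e["ref"])
        elif e["kind"] == "INCIDENT_OPENED":
            opened[e["ref"]] = e["ts"]
            if e["cause"]:
                failed.add(e["cause"])  # the change that triggered an incident
        elif e["kind"] == "FIX_DEPLOYED":
            fixes[e["ref"]] += 1
        elif e["kind"] == "INCIDENT_RESOLVED":
            resolved[e["ref"]] = e["ts"]
    # Only incidents that are closed contribute to fix rate and MTTR;
    # INC-3 in the sample is still open and is left out.
    closed = [i for i in opened if i in resolved]
    metrics = {"change_success_rate": None, "first_fix_rate": None, "mttr_hours": None}
    if changes:
        metrics["change_success_rate"] = len(changes - failed) / len(changes)
    if closed:
        metrics["first_fix_rate"] = sum(1 for i in closed if fixes[i] == 1) / len(closed)
        hours = [(resolved[i] - opened[i]).total_seconds() / 3600 for i in closed]
        metrics["mttr_hours"] = sum(hours) / len(hours)
    return metrics


def below_top_performers(metrics, benchmark=TOP_PERFORMERS):
    """Names of the metrics that fall short of the benchmark."""
    return sorted(k for k, v in benchmark.items()
                  if metrics.get(k) is not None and metrics[k] < v)


if __name__ == "__main__":
    m = compute_metrics(parse_log(SAMPLE_LOG))
    print(m, below_top_performers(m))
```

On the sample log the shop succeeds on 3 of 5 changes, closes 1 of 2 resolved incidents with a single fix, and averages 4 hours to repair, so both rate metrics sit below the top-performer averages. The open incident is deliberately excluded from the fix and repair figures; counting it would understate MTTR.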
Connecting the Dots - Part 3
• Shared accounts
• Privileged users
• Poor deprovisioning
• Lack of background screening
• Lack of avenues to handle employee issues
Inside an Inside Job
• 42% were hired as privileged users
• 38% have prior arrest history
• 23% use shared accounts
• Over 75% who used another account were former employees
• 55% were noticed for prior inappropriate behavior
Source: Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector, U.S. Secret Service and CERT/SEI, January 2008
Overlooked Symptoms
Access ranges from read only to superuser, and from one application/system to multiple applications/systems.
• Pervasive access
• Backdoor accounts
• Timeliness
• Communication
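An access review that looks for the symptoms listed here and in Part 3 (shared accounts, pervasive privileged access, backdoor accounts with no HR owner, and late or missing deprovisioning), run over a constructed account inventory and HR roster, as an added example; it is not code from the presentation or from the insider threat study. The record layouts, system names, employee ids and the 2-day deprovisioning SLA are assumptions.

```python
"""Access review over a constructed account inventory and HR roster.

Added example, not from the presentation or the insider threat study; the record
layouts, system names, employee ids and the 2-day deprovisioning SLA are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: employee id -> (status, termination date or None).
HR_ROSTER = {
    "e100": ("active", None),
    "e101": ("active", None),
    "e102": ("terminated", date(2010, 5, 1)),
    "e103": ("terminated", date(2010, 5, 20)),
    "e104": ("terminated", date(2010, 5, 10)),
}

# Constructed account inventory pulled from each system, one row per account.
# owner "shared" marks a generic account with no single accountable person.
ACCOUNTS = [
    {"system": "ERP", "account": "e100",        "owner": "e100",   "privilege": "superuser", "enabled": True,  "disabled_on": None},
    {"system": "CRM", "account": "e100",        "owner": "e100",   "privilege": "superuser", "enabled": True,  "disabled_on": None},
    {"system": "ERP", "account": "e101",        "owner": "e101",   "privilege": "read",      "enabled": True,  "disabled_on": None},
    {"system": "ERP", "account": "e102",        "owner": "e102",   "privilege": "read",      "enabled": False, "disabled_on": date(2010, 5, 3)},
    {"system": "CRM", "account": "e103",        "owner": "e103",   "privilege": "superuser", "enabled": True,  "disabled_on": None},
    {"system": "ERP", "account": "e104",        "owner": "e104",   "privilege": "read",      "enabled": False, "disabled_on": date(2010, 5, 20)},
    {"system": "DB",  "account": "appadmin",    "owner": "shared", "privilege": "superuser", "enabled": True,  "disabled_on": None},
    {"system": "DB",  "account": "tmp_support", "owner": "e999",   "privilege": "superuser", "enabled": True,  "disabled_on": None},
]


def review_access(accounts, roster, review_date, sla_days=2):
    """Return sorted (kind, detail) findings for the symptoms on the slide."""
    findings = []
    superuser_systems = defaultdict(set)  # owner -> systems with enabled superuser
    for a in accounts:
        label = f"{a['system']}/{a['account']}"
        if a["owner"] == "shared":
            findings.append(("shared_account", f"{label} has no individual owner"))
            continue
        if a["owner"] not in roster:
            # Nobody in HR owns it: a backdoor or leftover account.
            findings.append(("no_hr_record", f"{label} owned by unknown id {a['owner']}"))
            continue
        status, terminated_on = roster[a["owner"]]
        if a["privilege"] == "superuser" and a["enabled"]:
            superuser_systems[a["owner"]].add(a["system"])
        if status != "terminated":
            continue
        if a["enabled"]:
            overdue = (review_date - terminated_on).days
            findings.append(("terminated_still_active",
                             f"{label} enabled {overdue} days after termination"))
        elif a["disabled_on"] is None or (a["disabled_on"] - terminated_on).days > sla_days:
            findings.append(("late_deprovisioning",
                             f"{label} disabled outside the {sla_days}-day SLA"))
    # Pervasive access: one person holding superuser on more than one system.
    for owner, systems in superuser_systems.items():
        if len(systems) > 1:
            findings.append(("pervasive_privilege",
                             f"{owner} is superuser on {', '.join(sorted(systems))}"))
    return sorted(findings)


def findings_by_kind(findings):
    """Count findings per symptom, useful as the headline of a review report."""
    counts = defaultdict(int)
    for kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, detail in review_access(ACCOUNTS, HR_ROSTER, date(2010, 6, 1)):
        print(f"{kind:25} {detail}")
```

The review joins two sources that a check-the-box test usually examines separately: the system's own account list and HR's roster. Every symptom here is only visible at the join, and the SLA parameter shows how the "timeliness" finding moves with the threshold the reviewer sets.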
Key Takeaway
Risk assessment drives the extent of testing. Controls that depend on one another: entity controls, password controls, access provisioning, change controls, background screening, administrator access.
Connecting the Dots - Part 4
• Password complexity
• Password expiry
• Network segmentation
• Intrusion detection system
• Security awareness and training
Multiple Password Expiries

Costs (and Benefits)
Diagram: costs and benefits of password complexity versus password aging, with two cases of password aging labelled A and B.
Source: The true cost of unusable password policies: password use in the wild. In Proceedings of the 28th International Conference on Human Factors in Computing Systems (Atlanta, Georgia, USA, April 10-15, 2010). CHI '10. ACM, New York, NY
Social Compliance

Compliance vs. Security
Overlooked Symptoms
• Unintended consequences
• Time to perform control exceeds time to complete work
• User indifference/lethargy
• Workarounds
Key Takeaway
22
• Assess usability and/or feasibility
• Revisit the role of context
• Understand control interdependency and overlaps
• Partner with Information Security
Connecting the Dots: A Tale of 4 Parts
Parts 1 and 2 concerned performance, Part 3 security, Part 4 compliance.
What Drives Compliance?
• Event
• Regulation
• Process
SOX Compliance over Time (2004 to 2009)
• 66% leverage SOX to drive continuous improvement
• 45% perform SOX compliance in-house
• 50% reduction in compliance costs
Source: Protiviti 2010 Sarbanes-Oxley Compliance Survey, June 2010
Driving Maturity
• 54% root cause remediation
• 51% reporting workflow simplification
• 47% eliminate non-value tasks
Source: Protiviti 2010 Sarbanes-Oxley Compliance Survey, June 2010
Overlooked Symptoms
• Recurring exceptions
• Lack of clarity over system owners/custodians
• Continued reliance on individual bravado rather than process sustainability
• Breaks-in-process during personnel changes
• Lack of external auditor reliance on internal controls work
Key Takeaway
Maturity model (diagram): unreliable, informal, standardized, monitored, optimized. The move is from reactive to continuous monitoring and process ownership.
Breaking The Cycle
Diagram: symptom #1 leads to symptom #1 remediation, symptom #2 to symptom #2 remediation, and so on; root cause analysis leads instead to a fundamental solution.
Continued Inefficiencies
• 80% of companies automated less than half of key controls
• 70% indicate high dependency on spreadsheets
Source: Protiviti 2010 Sarbanes-Oxley Compliance Survey, June 2010
Barriers to Change
• Organization
• Control
• Auditor
Enterprise Risk Perspective
IT risks (access, availability, accuracy, agility) seen at the enterprise level:
• Disparate infrastructure/applications
• Distributed access administration
• Spreadsheet reliance for data integration
• Lengthy financial close cycles
Compensating Control
• Cost, system, resource limitations
• Control interdependency
• Performance and test of controls
The Case of the Missing Controls
Three conditions in the study:
1. Blank controls matrix and a process flowchart
2. Prepared controls matrix and a process flowchart
3. Prepared controls matrix
Source: Do Client-Prepared Internal Control Documentation and Business Process Flowcharts Help or Hinder an Auditor's Ability to Identify Missing Controls? Auditing: A Journal of Practice & Theory, Vol. 28, No. 1, May 2009
Overlooked Symptoms
• High degree of complexity sustained with compensating controls
• Lack of test population
• Proportion of time devoted to control testing remains the same
• Disparate infrastructure and/or configurations
• Stagnant controls

Key Takeaway
• Enterprise context in managing risks
• Outside organizations that leverage internal control work
• Participation in pre/post system implementation reviews, process redesigns, etc.
• Governance audits
Next Steps
• Partner
• Integrate
• Sustain
Revisiting Internal Controls
COSO objectives: laws and regulations, financial reporting, operating effectiveness and efficiency.
Source: COSO Framework
Partner
• IT Operations
• Information Security
• Business Units
Integrate
• Embedded controls
• Process driven
• Extensibility
Sustain
• Enterprise view
• Risk management
• Performance metrics
Further Reading
Bierstaker, James Lloyd; Hunton, James E. and Thibodeau, Jay C.; "Do Client-Prepared Internal Control Documentation and Business Process Flowcharts Help or Hinder an Auditor's Ability to Identify Missing Controls?" Auditing: A Journal of Practice & Theory, Vol. 28, No. 1, May 2009
Ee, Chong; "Adopting an Integrated Framework in Managing Fraud Risks," ISACA Journal, Volume 4, 2010
Inglesant, P. G. and Sasse, M. A.; "The true cost of unusable password policies: password use in the wild," In Proceedings of the 28th International Conference on Human Factors in Computing Systems (Atlanta, Georgia, USA, April 10-15, 2010). CHI '10. ACM, New York, NY
Kowalski, E.; Cappelli, D. and Moore, A.; "Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector," US Secret Service and CERT Program/Software Engineering Institute at Carnegie Mellon University, January 2008
Moore, Andrew P. and Antao, Rohit S.; "Modeling and Analysis of Information Technology Change and Access Controls in the Business Context," Technical Note CMU/SEI-2006-TN-40, March 2007
Phelps, Daniel and Milne, Kurt; "Leveraging IT Controls to Improve IT Operating Performance," The Institute of Internal Auditors Research Foundation and IT Process Institute, 2008
Protiviti Inc.; 2010 Sarbanes-Oxley Compliance Survey, June 2010
Westerman, George; "The IT Risk Pyramid: Where to Start with Risk Management," MIT Sloan CISR Research Briefing Vol. V, No. 1D, March 2005