
Page 1: Overcoming Check-the-Box IT Compliance...Source: The IT Risk Pyramid: Where to Start with Risk Management, MIT Sloan CISR Research Briefing Vol. V, No. 1D, March 2005 Access Availability

Slide 1: Overcoming Check-the-Box IT Compliance

Chong Ee, CISA, CGEIT
Director, Compliance and Accounting Process, ZipRealty, Inc.

Slide 2: Agenda

• Perils of checking the box
• Connecting the dots
• The lifecycle of compliance
• Next steps

Slide 3: News of a Break-In

Image: Suat Eman / FreeDigitalPhotos.net

Slide 4: Where Are We Today?

Images: FreeDigitalPhotos.net

Slide 5: Unintended Consequences

• Pass/fail mentality
• False sense of security
• Race to the bottom
• Missed opportunities

Image: Chris Sharp / FreeDigitalPhotos.net

Slide 6: Connecting the Dots - Part 1

Diagram nodes:

• Less than successful product launch
• Application does not meet business requirements
• Lack of access controls over application
• Poor change management processes

Slide 7: Stacking IT Risks

Pyramid tiers: Access, Availability, Accuracy, Agility

Source: The IT Risk Pyramid: Where to Start with Risk Management, MIT Sloan CISR Research Briefing Vol. V, No. 1D, March 2005

Slide 8: Connecting the Dots - Part 2

Diagram nodes:

• Change success rate
• Developers work under pressure
• Enhancement rollout
• Reduce testing
• Reduce test documentation
• Increase production access
• Fix rate
• Likelihood of unauthorized corruption
• Application quality

Adapted from Modeling and Analysis of Information Technology Change and Access Controls in the Business Context, Technical Note CMU/SEI-2006-TN-40, March 2007

Slide 9: 3 of 53 IT Controls predicted 45% of performance variance

Metric                         Top Performers   Low Performers
Change success rate            95%              83%
Average fix rate               89%              67%
Average repeat audit finding   15%              67%

Source: Leveraging IT Controls to Improve IT Operating Performance, The Institute of Internal Auditors Research Foundation and IT Process Institute, 2008

Slide 10: Overlooked Symptoms

• Lack of documented evidence of testing
• Nature (and impact) of enhancement/fix
• Other indicators – bugs raised after rollout
• Helpdesk support activity
• Frequency of patch releases addressing regression impact of prior fixes

Image: FreeDigitalPhotos.net

Slide 11: Key Takeaway

Diagram labels:

• IT General Computer Controls
• Application Controls
• IT Risks: Access, Availability, Accuracy, Agility
• Metrics: Mean Time to Repair, First Fix Rate, Change Success Rate

Image: FreeDigitalPhotos.net
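The three metrics named on this slide, and the top/low performer figures quoted two slides earlier, are only useful to a compliance function if they are actually computed from change and incident records rather than attested to on a checklist. The following is an added example, not code from the presentation or from the studies it cites: it derives change success rate, first fix rate and mean time to repair from a constructed change log and incident log, flags changes that needed more than one fix (the "patch releases addressing regression impact of prior fixes" symptom), and places each rate against the slide 9 benchmarks. The metric definitions in the comments and the sample records are this example's assumptions.

```python
"""Change-control metrics computed from constructed change and incident logs,
then compared with the top/low performer figures quoted on slide 9.
Added example; metric definitions are assumptions, not the source study's."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Change:
    change_id: str
    succeeded: bool  # assumption: deployed without rollback or resulting incident


@dataclass
class Incident:
    incident_id: str
    opened: datetime
    resolved: datetime
    fixed_first_time: bool           # assumption: no follow-up fix was needed
    caused_by_change: Optional[str]  # change id from root-cause analysis, if any


# Constructed sample data (hypothetical change and incident records).
CHANGES: List[Change] = [
    Change(f"c{n:02d}", succeeded=n not in (3, 8)) for n in range(1, 11)
]
INCIDENTS: List[Incident] = [
    Incident("i1", datetime(2010, 9, 3, 8), datetime(2010, 9, 3, 12), True, "c03"),
    Incident("i2", datetime(2010, 9, 4, 9), datetime(2010, 9, 4, 15), True, "c03"),
    Incident("i3", datetime(2010, 9, 8, 10), datetime(2010, 9, 9, 10), False, "c08"),
    Incident("i4", datetime(2010, 9, 10, 1), datetime(2010, 9, 10, 3), True, None),
]

# Benchmarks quoted on slide 9 (Phelps & Milne 2008): top vs. low performers.
BENCHMARKS = {
    "change_success_rate": {"top": 0.95, "low": 0.83},
    "fix_rate": {"top": 0.89, "low": 0.67},
}


def change_success_rate(changes: List[Change]) -> float:
    """Share of changes that succeeded."""
    return sum(c.succeeded for c in changes) / len(changes)


def first_fix_rate(incidents: List[Incident]) -> float:
    """Share of incidents resolved without a follow-up fix."""
    return sum(i.fixed_first_time for i in incidents) / len(incidents)


def mean_time_to_repair_hours(incidents: List[Incident]) -> float:
    """Average opened-to-resolved time in hours."""
    return mean((i.resolved - i.opened).total_seconds() / 3600 for i in incidents)


def changes_with_repeat_fixes(incidents: List[Incident]) -> List[str]:
    """Changes attributed more than one incident: repeated fixes on top of a
    prior fix, the regression symptom from slide 10."""
    counts: Dict[str, int] = {}
    for i in incidents:
        if i.caused_by_change:
            counts[i.caused_by_change] = counts.get(i.caused_by_change, 0) + 1
    return sorted(cid for cid, n in counts.items() if n > 1)


def benchmark_tier(metric: str, value: float) -> str:
    """'top' at or above the top-performer figure, 'low' at or below the
    low-performer figure, otherwise 'middle'."""
    b = BENCHMARKS[metric]
    if value >= b["top"]:
        return "top"
    if value <= b["low"]:
        return "low"
    return "middle"


def scorecard(changes: List[Change], incidents: List[Incident]) -> dict:
    """Metrics plus their benchmark tier, in one dict for reporting."""
    csr = change_success_rate(changes)
    ffr = first_fix_rate(incidents)
    return {
        "change_success_rate": (csr, benchmark_tier("change_success_rate", csr)),
        "first_fix_rate": (ffr, benchmark_tier("fix_rate", ffr)),
        "mttr_hours": mean_time_to_repair_hours(incidents),
        "repeat_fix_changes": changes_with_repeat_fixes(incidents),
    }


if __name__ == "__main__":
    for name, value in scorecard(CHANGES, INCIDENTS).items():
        print(f"{name}: {value}")
```

With the constructed records the change success rate lands at 80%, below the low-performer figure, and c03 shows up as a change that needed two fixes; that pairing of a rate with the specific changes behind it is what lets a reviewer move from a pass/fail tick to a root-cause conversation.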

Slide 12: Connecting the Dots - Part 3

Diagram nodes:

• Shared accounts
• Privileged users
• Poor deprovisioning
• Lack of background screening
• Lack of avenues to handle employee issues

Slide 13: Inside an Inside Job

• 42% were hired as privileged users
• 38% have prior arrest history
• 23% use shared accounts
• Over 75% who used another account were former employees
• 55% were noticed for prior inappropriate behavior

Source: Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector, U.S. Secret Service and CERT/SEI, January 2008

Image: Francesco Marino / FreeDigitalPhotos.net

Slide 14: Overlooked Symptoms

Diagram axes: Read Only to Superuser; 1 application/system to Multiple applications/systems

• Pervasive access
• Backdoor accounts
• Timeliness
• Communication

Image: FreeDigitalPhotos.net
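The symptoms on this slide and the insider-threat figures before it (shared accounts, former employees still using accounts, privileged users) are all visible in an ordinary access review if the review reconciles the identity system against HR rather than just confirming that a provisioning form was signed. The following is an added example, not code from the presentation: it joins a constructed HR roster with a constructed IAM export and reports four symptoms per account: no individual owner (shared account), an owner unknown to HR (possible backdoor account), an owner whose employment has ended but whose access is still active (poor deprovisioning, with the timeliness gap measured against an assumed one-day SLA), and superuser rights on more than one system (pervasive access, the Superuser/Multiple corner of the slide's grid). The roster, export format, system names and SLA are all assumptions.

```python
"""Access-review reconciliation for the symptoms on the access slides:
shared accounts, backdoor accounts, poor deprovisioning and pervasive access.
Added example with constructed data; roster, export format and SLA are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed HR roster: person id -> employment status and termination date.
HR_ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": date(2010, 6, 30)},
    "carol": {"status": "active", "terminated": None},
}

# Constructed IAM export: one row per account per system (hypothetical systems).
IAM_EXPORT = [
    {"account": "alice", "system": "erp", "role": "superuser", "owner": "alice", "last_login": date(2010, 9, 1)},
    {"account": "alice", "system": "crm", "role": "superuser", "owner": "alice", "last_login": date(2010, 9, 2)},
    {"account": "alice", "system": "hr", "role": "read_only", "owner": "alice", "last_login": date(2010, 8, 15)},
    {"account": "bob", "system": "erp", "role": "read_only", "owner": "bob", "last_login": date(2010, 8, 20)},
    {"account": "carol", "system": "crm", "role": "read_only", "owner": "carol", "last_login": date(2010, 9, 1)},
    {"account": "svc_batch", "system": "erp", "role": "superuser", "owner": None, "last_login": date(2010, 9, 3)},
    {"account": "dbadmin2", "system": "erp", "role": "superuser", "owner": "ghost", "last_login": date(2010, 9, 3)},
]

REVIEW_DATE = date(2010, 9, 15)  # constructed "as of" date for the review


@dataclass
class Finding:
    symptom: str
    account: str
    detail: str


def review_access(roster, export, as_of: date, deprovision_sla_days: int = 1) -> List[Finding]:
    """Return one Finding per symptom per account, in export order."""
    findings: List[Finding] = []
    by_account: Dict[str, list] = {}
    for row in export:
        by_account.setdefault(row["account"], []).append(row)

    for account, rows in by_account.items():
        owner = rows[0]["owner"]
        systems = sorted(r["system"] for r in rows)
        if owner is None:
            # Shared/service account with no individual accountable for it.
            findings.append(Finding("shared account", account, f"no individual owner; systems {systems}"))
        elif owner not in roster:
            # Owner unknown to HR: possible backdoor account.
            findings.append(Finding("backdoor account", account, f"owner '{owner}' not in HR roster"))
        elif roster[owner]["status"] == "terminated":
            # Poor deprovisioning: access outlives employment (timeliness gap vs. SLA).
            term = roster[owner]["terminated"]
            overdue = (as_of - term).days - deprovision_sla_days
            last_login = max(r["last_login"] for r in rows)
            detail = f"owner terminated {term}; access still active {overdue} days past SLA"
            if last_login > term:
                detail += f"; last login {last_login} is after termination"
            findings.append(Finding("poor deprovisioning", account, detail))

        # Pervasive access: superuser on more than one application/system.
        su_systems = sorted(r["system"] for r in rows if r["role"] == "superuser")
        if len(su_systems) > 1:
            findings.append(Finding("pervasive access", account, f"superuser on {su_systems}"))
    return findings


def symptom_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings by symptom for a review summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.symptom] = counts.get(f.symptom, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, IAM_EXPORT, REVIEW_DATE):
        print(f"[{f.symptom}] {f.account}: {f.detail}")
```

The post-termination login on bob's account is the detail worth escalating: it is the "former employee used an account" case from the Secret Service/CERT figures, and a review that only checked whether a termination ticket existed would not surface it.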

Slide 15: Key Takeaway

Diagram labels:

• Entity controls
• Password controls
• Access provisioning
• Change controls
• Background screening
• Administrator
• Risk Assessment
• Extent of Testing

Image: FreeDigitalPhotos.net

Slide 16: Connecting the Dots - Part 4

Diagram nodes:

• Password complexity
• Password expiry
• Network segmentation
• Intrusion detection system
• Security awareness and training

Slide 17: Multiple Password Expiries

Image: Suat Eman / FreeDigitalPhotos.net

Slide 18: Costs (and Benefits)

Diagram labels: Password Complexity; Password Aging (A); Password Aging (B)

Source: The true cost of unusable password policies: password use in the wild. In Proceedings of the 28th International Conference on Human Factors in Computing Systems (Atlanta, Georgia, USA, April 10-15, 2010). CHI '10. ACM, New York, NY

Slide 19: Social Compliance

Slide 20: Compliance vs. Security

Slide 21: Overlooked Symptoms

• Unintended consequences
• Time to perform control exceeds time to complete work
• User indifference/lethargy
• Workarounds

Image: FreeDigitalPhotos.net

Slide 22: Key Takeaway

• Assess usability and/or feasibility
• Revisit the role of context
• Understand control interdependency and overlaps
• Partner with Information Security

Image: FreeDigitalPhotos.net

Slide 23: Connecting the Dots: A Tale of 4 Parts

Diagram labels: Performance; Performance; Security; Compliance

Image: Salvatore Vuono / FreeDigitalPhotos.net

Slide 24: What Drives Compliance?

• Event
• Regulation
• Process

Image: jscreationzs / FreeDigitalPhotos.net

Slide 25: SOX Compliance over Time

Timeline: 2004 2005 2006 2007 2008 2009

• 66% leverage SOX to drive continuous improvement
• 45% perform SOX compliance in-house
• 50% cost reduction in compliance costs

Source: Protiviti 2010 Sarbanes-Oxley Compliance Survey, June 2010

Slide 26: Driving Maturity

• 54% Root cause remediation
• 51% Reporting workflow simplification
• 47% Eliminate non-value tasks

Source: Protiviti 2010 Sarbanes-Oxley Compliance Survey, June 2010

Slide 27: Overlooked Symptoms

• Recurring exceptions
• Lack of clarity over system owners/custodians
• Continued reliance on individual bravado rather than process sustainability
• Breaks-in-process during personnel changes
• Lack of external auditor reliance on internal controls work

Image: FreeDigitalPhotos.net

Slide 28: Key Takeaway

Maturity scale: Unreliable, Informal, Standardized, Monitored, Optimized

Labels: Reactive; Continuous Monitoring; Process Ownership

Image: FreeDigitalPhotos.net

Slide 29: Breaking The Cycle

Diagram nodes:

• Symptom #1 → Symptom #1 Remediation
• Symptom #2 → Symptom #2 Remediation
• Root Cause Analysis → Fundamental Solution

Slide 30: Continued Inefficiencies

• 80% of companies automated less than half of key controls
• 70% indicate high dependency on spreadsheets

Source: Protiviti 2010 Sarbanes-Oxley Compliance Survey, June 2010

Slide 31: Barriers to Change

• Organization
• Control
• Auditor

Image: Simon Howden / FreeDigitalPhotos.net

Slide 32: Enterprise Risk Perspective

IT Risks (pyramid tiers): Access, Availability, Accuracy, Agility

• Disparate infrastructure/applications
• Distributed access administration
• Spreadsheet reliance for data integration
• Lengthy financial close cycles

Slide 33: Compensating Control

• Cost, system, resource limitations
• Control interdependency
• Performance and test of controls

Image: jscreationzs / FreeDigitalPhotos.net

Slide 34: The Case of the Missing Controls

1. Blank controls matrix and a process flowchart
2. Prepared controls matrix and a process flowchart
3. Prepared controls matrix

Source: Do Client-Prepared Internal Control Documentation and Business Process Flowcharts Help or Hinder an Auditor's Ability to Identify Missing Controls? Auditing: A Journal of Practice & Theory, Vol. 28, No. 1, May 2009

Slide 35: Overlooked Symptoms

• High degree of complexity sustained with compensating controls
• Lack of test population
• Proportion of time devoted to control testing remains the same
• Disparate infrastructure and/or configurations
• Stagnant controls

Image: FreeDigitalPhotos.net

Slide 36: Key Takeaway

• Enterprise context in managing risks
• Outside organizations that leverage internal control work
• Participation in pre/post system implementation reviews, process redesigns, etc.
• Governance audits

Image: FreeDigitalPhotos.net

Slide 37: Next Steps

• Partner
• Integrate
• Sustain

Image: Arvind Balaraman / FreeDigitalPhotos.net

Slide 38: Revisiting Internal Controls

Control objectives: Laws and Regulation; Financial Reporting; Operating Effectiveness & Efficiency

Source: COSO Framework

Slide 39: Partner

• IT Operations
• Information Security
• Business Units

Image: healingdream / FreeDigitalPhotos.net

Slide 40: Integrate

• Embedded controls
• Process driven
• Extensibility

Image: Filomena Scalise / FreeDigitalPhotos.net

Slide 41: Sustain

• Enterprise view
• Risk management
• Performance metrics

Image: luigi diamanti / FreeDigitalPhotos.net

Further Reading

Bierstaker, James Lloyd; Hunton, James E. and Thibodeau, Jay C.; “Do Client-Prepared Internal Control Documentation and Business Process Flowcharts Help or Hinder an Auditor’s Ability to Identify Missing Controls?” Auditing: A Journal of Practice & Theory, Vol. 28, No. 1, May 2009

Ee, Chong; “Adopting an Integrated Framework in Managing Fraud Risks,” ISACA Journal, Volume 4, 2010

Inglesant, P. G. and Sasse, M. A.; "The true cost of unusable password policies: password use in the wild," In Proceedings of the 28th International Conference on Human Factors in Computing Systems (Atlanta, Georgia, USA, April 10-15, 2010). CHI '10. ACM, New York, NY

Kowalski, E.; Cappelli, D. and Moore, A.; "Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector," US Secret Service and CERT Program/Software Engineering Institute at Carnegie Mellon University, January 2008

Moore, Andrew P. and Antao, Rohit S.; "Modeling and Analysis of Information Technology Change and Access Controls in the Business Context," Technical Note CMU/SEI-2006-TN-40, March 2007

Phelps, Daniel and Milne, Kurt; “Leveraging IT Controls to Improve IT Operating Performance,” The Institute of Internal Auditors Research Foundation and IT Process Institute, 2008

Protiviti Inc.; 2010 Sarbanes-Oxley Compliance Survey, June 2010

Westerman, George; “The IT Risk Pyramid: Where to Start with Risk Management,” MIT Sloan CISR Research Briefing Vol. V, No. 1D, March 2005