T2P Information Governance & Risk Management News

Defining GRC (the discipline)

2011-03-17T17:49:54Z

What we're talking about here is "Governance, Risk, & Compliance" (GRC) as a discipline, not the product niche that seems to be the favorite catch-all for startups these days. Simply buying a license for IT UCF and throwing a UI on it does not a GRC product make, and it certainly does not address the overall discipline of GRC, which is fundamental to the successful management of organization and the risk contained therein. All organizations have a governance structure, but they're not universally integrating security and risk management practices into those structures. Moreover, compliance (aka "checkbox security") has taken far too prevalent of a roll in organizations today, rather than being a component of the overall governance and risk management strategies.

Approaching GRC as a disciple, it appears that there are five (5) main areas where organizations should invest time, energy, and resources:

1) Survivability Strategy & Legal Defensibility

First and foremost, existing governance needs to be bolstered by a change in direction and strategy. Instead of the traditional approach of building levies, it's instead imperative that executives shift to a survivability strategy that focuses on how to break in manageable ways while continuing operations and minimizing losses and disruption. At the same time, this strategy should leverage legal defensibility as part of the risk management approach to ensure that decisions are a) sound, b) documented, and c) represent meaningful and measurable change for the organization.

2) Formalized Methods

In addition to heading change on overall strategy, it is also vital to recognize the role and importance of leveraging formalized methods in providing a solid, improvable, repeatable basis for decisions. Adopting formal risk assessment, analysis, and management methods as part of an overall decision analysis and management approach will improve decision qualities while also meeting legal defensibility requirements.

Application security initiatives should be captured as integrated methods within an overall formalized software development methodology (even if an agile/rapid-style process is in use). Building security in is far better than bolting it on after the fact, and it will reduce long-term maintenance costs as well. Moreover, putting appsec tools (with appropriate training) into the hands of developers and QA testers will reduce the overall time investment necessary to ruggedize development processes and outputs.

Traditional audit and testing should be eschewed in favor of integrated and white-box methods that allow for thorough, informed assessments. While it's useful to have external "black box" style tests performed, they bring with them limited visibility that results in only partial coverage of code, whereas giving testers full access to the codebase in addition to integrating appsec tools into the dev process can provide much more thorough and complete coverage.

Finally, a premium should be placed on visibility and metrics. If you can't see into a codebase or system, then you're increasing your exposure through simple lack of informed awareness. Instead, transparency (from an internal perspective) is important, and will then allow for the development of useful measurements that can be tracked through a realistic metrics program. Developing quality metrics will help the GRC program track organizational performance and maturity, which can in turn be used to guide security investments, as well as to justify the effectiveness and benefit of investments.

3) Policies 2.0

We've all seen them: 100-page "policy" documents, for which users are responsible to know and understand some or all. How much the average person needs to know is probably unknown, and yet we treat them as hallowed tomes of wisdom. Unfortunately, nothing could be further from the truth. The simple fact is that most policies are of at least secondary importance to the business, and most people don't even need to know about them. Why, then, do we inflict these control regimes on entire organizations?

Instead of focusing on policies, it's far more useful and effective to look at practices and processes. What are people doing on a daily basis? Are they following repeatable processes? If you can't define and describe what it is that every employee does on a daily basis, then I submit that you have a bit of a problem.

The next generation of policies should leverage a few attributes:
* Lightweight: The security policies themselves should be as minimal as possible. They should define the overall structure policy and control framework structure(s), setting forth the raw requirements to which the business is subject or subjecting itself (e.g. regulatory requirements [like PCI DSS], certification regimes [like ISO 27000], roles and responsibilities). At most, we're talking 10-20 formatted pages. Note that you don't articulate the detailed requirements at this level, but provide the overall governance structure that will point into specific in-practice implementations (e.g., standards, guidelines, processes).

* Prioritized by Risk: The top-level policies should set forth a risk-based prioritization scheme. Not all requirements are created equal. It should thus be self-evident how such a determination can be made. The average user should know either how to correctly self-assess requirement priority, or at least be able to make an informed request that is answered in a timely fashion. Responsibility for making good decisions must be put squarely on the shoulders of those making the decisions, and sanctioning regimes should be linked-in at this level to let people know that not following the rules, or simply making bad decisions in violation of the rules, will have consequences with negative impacts. At the same time, users should be empowered to make legally defensible decisions that say "The cost of confirming with Requirement X are not acceptable, but we need to move forward with taking this action anyway." For example, spending $1m to meet a policy requirement in a $0.5m project does not make sense, especially if that requirement does not represent a appreciable level of risk for the organization.

* Process-Oriented: Or, simply put: practical and pragmatic. If you can't put every single requirement into practice, then it shouldn't be a requirement, plain and simple. More importantly, while it may increase the burden on your compliance-management people, it is far more worthwhile to embed requirements into existing (or new) processes, rather than to maintain them in a tome on a shelf that will never be followed. Consider the PCI DSS requirement for addressing the OWASP Top 10 in applicable applications. If you integrate testing for those weaknesses into the development process using a "build security in" approach, then you'll know that those issues are being proactive addressed. This approach is far preferable to trying to catch these weaknesses down the pipeline using pre-release security testing (which is not to say you shouldn't have pre-launch testing, but that it shouldn't be focused on the minimal requirements so much as on value-add testing).

4) HPG-based ET&A

Education, training, and awareness activities have historically been rather ineffective. Sure, you can show some short-term results where ET&A causes a down-tick in bad things happening, but overall we still have the same problems today as we did 15 years ago. Ultimately, these problem track back to one key finding: the human paradox gap was not narrowed.

The human paradox gap (HPG) is a phrase leveraged by Michael Santarcangelo in his book, Into the Breach, in which he talks about the fundamental disconnect between users' decisions+actions and the resulting consequences+impacts. That is, people generally do not feel the pain of their bad decisions, nor do they generally receive positive feedback for their good decisions (all within an infosec/IT context). To make matters worse, infosec traditionally has taken a very stick-heavy approach to this problem, flogging users for being "stupid" (e.g. ID-10-T and EBCAK errors), when at the same time all that infosec has done is enabled bad behavior and poor decisions by taking overall responsibility out of users' hands while leaving the actual decision authority in their hands.

Going forward, GRC programs should focus on how to narrow the HPG. Instead of focusing on annual CBT-based training that has become mind-numbing, repetitive, and easy to tune out, GRC programs should instead work with people on an ongoing basis, throughout the year, identifying both positive and negative impacts and directly linking people to those impacts. Additionally, users need to have security responsibilities added to their job descriptions, and have their performance measured against a handful of useful security measures. Furthermore, once users have been brought up-to-speed on these programs and completed an adjustment period, they then must be held accountable for poor security performance, just as they would be for poor performance around their normal job functions.

Cultural change will only come through changing people. Security teams cannot be held responsible for the decisions of non-security people. Why do we continue to enable these bad decisions and take the fall on their behalf? It's time to say "no" to these practices and put the responsibility back where it belongs: onto the users making bad decisions.

5) Audit & Quality: Beyond Checkboxes

Too much of the focus in GRC to date has been on checkbox security and compliance. The way most vendors talk, you'd think GRC was really CAISMGRT ("Compliance, Audit, and, I Suppose, Maybe Governance and Risk, Too"). Compliance is not security, it's not governance, and it's not even really audit. Governance is your overall umbrella structure for managing an organization, which has decision analysis and management as a key component. "Risk" in this context means risk assessment, analysis, and management. It deals with a specific component of decision analysis, and should be driven by a desired survivability objective, and underpinned by sound legal defensibility approach. Compliance, really, is just an ancillary piece that supports the G and R. Really, it's just one piece of Governance and Risk, buttressed through various audit activities.

Unfortunately, these audit activities have become worse and less effective over time. One need only look at the number of breaches of PCI DSS "compliant" organizations to realize that "compliance" has its limits. Part of the problem is in focusing almost exclusively on compliance, rather than GRC as an overall, comprehensive program. Another part of the problem is in how audits are performed, and how quality may or may not be measured.

For an excellent, amusing, and short (20-minute) webinar on audit, check out IT UCF's webinar "Creating Audit Questions." This webinar highlights very clearly what is needed in performing audits. It's not adequate to simply focus on yes/no questions in performing an audit. Instead, it's rather important to take a holistic approach, getting beyond whether or not a widget is in the right configuration, and looking at the widget's overall place in the world, and how its placement may or may not be in keeping with the spirit (purpose) of it's respective regulatory provenance.

In addition to revamping the audit complex, it's also necessary to look at adding or improving an overall quality and performance management apparatus, of which audit is merely one part. This apparatus should have responsibilities for routine assessments (beyond basic audits), as well as for defining, maintaining, tracking, and trend-analyzing key metrics. Metrics is, of course, a hot topic today in infosec, though one without much good open source material or obvious answers. Nonetheless, despite the lack of open source solutions, that does not mean that organizations cannot (or have not) define their own reasonable metrics to track program effectiveness. From the perspectives of fiscal responsibility and legal defensibility, I submit that high quality metrics are very important to the success and survival of your GRC program, and something that should be taken very seriously. Moreover, these schemas should be supported by people with a sound mathematical background that includes an understanding of sampling, statistics, and modeling (ymmv depending on org size - however, I think there's an opportunity here for vendors and niche consultancies).

GRC or GROC?

Lastly, I'm reminded of the TEAM Model that I developed for my masters thesis back in 2006 (depicted below in its v2 state). If you look at the model, one of the things missing from GRC is operations. In fact, I have to wonder if part of the reason we don't grok GRC is because it should be GROC, or maybe just GRO. Through all the descriptions above, you'll note that it is all consistent with the TEAM Model, with very little variation.

Mapping this diagram to GRC, I would argue that Governance encapsulates the entire model, whereas Risk obviously maps to the Information Risk Management competency, and Compliance maps as a sub-component of Quality & Performance Management. I would submit that the next generation of GRC should, in fact, map fully to the TEAM Model (but then, of course, I'm a bit biased). Nonetheless, I find the model to be instructive and useful as a reference point for topics like GRC as a discipline, and hope that you'll agree, too.

PwC Survey Shows Opportunity for Internal Auditors to Align With CEO Focus on ... - PR Newswire (press release)

2011-03-16T13:02:55Z

PwC Survey Shows Opportunity for Internal Auditors to Align With CEO Focus on ...
PR Newswire (press release)
"It is important that internal audit leaders stay on top of CEO business strategies," Brown said. "Emerging markets, technology and regulation are quickly evolving, and the risks associated are quickly changing as a result. If internal audits can keep ...

and more »

Five Australian IT leaders share their experiences

2011-03-18T03:00:00Z

Learn how five Australian IT leaders, from industry, government and education, tackled projects for their organisations.

New Tone at the Top: Evaluating Corporate Culture

2011-03-14T10:00:00Z

This edition of Tone at the Top explains the importance and “how-to” of evaluating an organization’s soft controls around corporate culture. It’s essential to providing management and the board assurance that the organization will not join the ranks of those that have been brought to their knees by lagging ethics and a weak corporate culture. Read the new issue at http://www.theiia.org/periodicals/newsletters/tone-at-the-top. Also, please take our Readers Survey to tell us what you think of Tone at the Top: http://www.theiia.org/tonetopsurvey. Tone at the Top provides executive management, boards of directors, and audit committees with concise, leading-edge information on such issues as ethics, internal control, governance, and the changing role of internal auditing; and guidance relative to their roles in, and responsibilities for, the internal audit function. Your colleagues and audit committee and board members are invited to receive complimentary subscriptions to Tone at the Top. Register online at http://www.theiia.org/periodicals/newsletters/tone-at-the-top/tone-at-the-top-subscription-main-page/.

COSO Releases Two Additional Thought Papers on ERM

2011-01-11T20:29:00Z

ALTAMONTE SPRINGS, Fla. - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal controls, enterprise risk management (ERM), and fraud deterrence – is releasing two additional new thought papers relating to ERM aimed at providing guidance to help organizations advance along the ERM maturity curve. The first thought paper, Embracing Enterprise Risk Management: Practical Approaches for Getting Started, developed by Mark Frigo and Richard Anderson of the Center for Strategy, Execution, and Valuation at DePaul University,describes how an organization can begin implementing an ERM process. It also examines perceived barriers to effective ERM and how to work through those barriers. “Starting an ERM process is a daunting task for many organizations” said Anderson. “The paper provides an action plan that can be used as a tangible tool in ERM implementation.” COSO’s second thought paper, Developing Key Risk Indicators to Strengthen Enterprise Risk Management, developed by the ERM Initiative at North Carolina State University, discusses the importance of developing key risk indicators to be used to monitor emerging risks that might affect the strategic success of the enterprise. “Key risk indicators can serve as leading indicators of emerging risks that senior management and the board of directors can monitor to ensure that they don’t negatively affect the achievement of strategic objectives,” according to Mark Beasley, Deloitte Professor of Enterprise Risk Management and Director of North Carolina State’s ERM Initiative and co-author of this thought paper. “There is a lot of current activity involving implementation and enhancement of ERM in organizations of all sizes” said David Landsittel, chair of COSO. “Given COSO’s dedication to providing ERM thought leadership, we are issuing these two thought papers with an objective of assisting organizations in becoming more robust in their risk management activities.” Copies of these thought papers can be downloaded free of charge from COSO’s web site, (www.coso.org). COSO also encourages organizations seeking to strengthen their ERM processes to consider its 2004 Enterprise Risk Management – Integrated Framework, and its previously issued survey reports and thought papers on ERM, all accessible through its web site. ### About COSO Originally formed in 1985 to sponsor the National Commission of Fraudulent Financial Reporting, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence. COSO’s supporting organizations are The Institute of Internal Auditors (IIA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA). www.coso.org About DePaul University’s Center for Strategy, Execution, and Valuation The Strategic Risk Management Lab in the Center for Strategy, Execution, and Valuation at DePaul University is an engagement platform for thought leaders and the business community to co-create and share leading practices in Strategic Risk Management and ERM. The Strategic Risk Management Lab provides executive education, collaborative research and advising on leading practices in ERM focused on linking strategy, risk management and governance, as well as university courses which integrate ERM and Strategic Risk Management into the curriculum. http://commerce.depaul.edu/sev/ About North Carolina State’s ERM Initiative The ERM Initiative in the College of Management at North Carolina State University is pioneering thought-leadership about the emergent discipline of enterprise risk management, with a particular focus on the integration of ERM in strategy planning and governance. The ERM Initiative conducts outreach to business professionals through executive education and hands-on advising; its internet portal (www.erm.ncsu.edu); research advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives. www.erm.ncsu.edu Media Contact Scott C. McCallum Manager of Corporate Communications & PR Tel +1-407-937-1247 Email Scott.McCallum@theiia.org

New Guidance Outlines Assessing the Adequacy of Risk Managementand and Internal Audit Effectiveness and Efficiency

2011-01-12T20:35:00Z

ALTAMONTE SPRINGS, Fla. – Boards of directors and senior management of organizations worldwide are increasingly implementing enterprise-wide risk management practices in the aftermath of the financial crisis of 2007 and the economic recession of the ensuing two years. Newly published guidance from The Institute of Internal Auditors (IIA) can help organizations assess the adequacy of those practices as measured against the Geneva-based International Organization for Standardization’s (ISO’s) widely respected ISO 31000 framework. “Our research with chief audit executives (CAEs) around the globe is telling us that internal auditors are being looked to more and more to offer independent, objective opinions about whether an organization’s risk management activities are effective ,” says IIA Vice President of Standards and Guidance Beryl Davis, CIA. “The IIA guide Assessing the Adequacy of Risk Management Using ISO 31000 offers internal auditors three self-contained approaches to forming such a conclusion, each of which CAEs could tailor to meet the specific needs of their organization,” she says. Taking a process elements approach can help internal auditors determine whether each of the seven foundational elements of the risk management process identified in ISO 31000 is in place, the guide says. These elements are: communication; setting the context; risk identification; risk analysis; risk evaluation; risk treatment; and monitoring and review. The key principles approach is rooted in the concept that to be fully effective, the risk management process must satisfy a minimum set of principles or characteristics, the guide notes. Under ISO 31000, an effective risk management activity: Creates and protects organization value. Is an integral part of organizational processes. Is a key element of decision-making. Explicitly addresses uncertainty. Is systematic, structured, and timely. Is based on the best available information. Is tailored to the organization, its size, culture objectives, and risk profile. ISO 31000’s maturity model approach stems from a foundational assumption that the quality of an organization’s risk management activity will improve over time. Adopting ISO 31000’s maturity model approach, the guide says, can help CAEs assess where their organization’s risk management process lies on this continuum and, by extension, enable the board to determine whether it meets the current needs of the organization and is maturing as expected. “The IIA recognizes there are numerous reliable frameworks internal auditors can use to assess their ERM effectiveness,” Davis says. “Some of these frameworks – notably Enterprise Risk Management-Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – are used primarily in the Unites States, while others such as the ISO’s are used around the world,” she says. “The IIA’s new practice guidance based on ISO 31000 further expands The Institute’s offerings on how to leverage the advantages of the various frameworks available to organizations,” she adds. A second practice guide newly published by The IIA, Measuring Internal Audit Effectiveness and Efficiency, is grounded in the professional requirement that the effectiveness, efficiency, and level of customer service of the internal audit activity must be assessed and monitored vigorously. “Internal auditing can add immense value and support continuous improvement by identifying business risks and inefficiencies,” Davis says. “However, the internal audit department’s effectiveness and efficiency, itself, must be monitored in order to build and maintain the internal auditor’s credibility. This can be accomplished by establishing a performance measurement process, identifying key performance measures, and monitoring and reporting on the level of customer service provided to internal audit stakeholders,” she says. This 19-page guide describes how to establish performance measurement and monitoring processes and report the results effectively. The document’s extensive appendices, containing material such as sample internal audit performance metrics, dashboard reports, and stakeholder feedback surveys, should be of substantial value to CAEs. All IIA practice guides are strongly recommended elements of The IIA’s International Professional Practices Framework. Assessing the Adequacy of Risk Management Using ISO 31000 and Measuring Internal Audit Effectiveness and Efficiency are available to IIA members for free PDF download at: http://www.theiia.org/guidance/standards-and-guidance/. The International Organization for Standardization’s ISO 31000 framework is available at www.iso.org. COSO’s Enterprise Risk Management — Integrated Frameworkis available at www.coso.org. ### About The IIA Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security. Media Contact Scott C. McCallum Manager of Corporate Communications & PR Tel +1-407-937-1247 Email Scott.McCallum@theiia.org

Cloud contracts gone astray

2011-03-23T11:00:09Z

IT may be prepping for a move to the cloud, but finance needs to make sure that the savings this new technology brings won’t be cancelled out by poorly executed contracts for service. That’s the word from the folks at Gartner, who’ve recently issued some guidelines for agreements with vendors.

Cloud computing done right can bring big cost savings for IT. But contracts and deals must be closely examined so shortcomings can be addressed.

Here are the biggest risks, according to a recent Gartner report:

Cloud contracts aren’t mature for all markets – Some cloud services have been around longer than others, and providers venturing into newer areas may not have figured out how to handle the security, performance and other needs required by most businesses.
Contract terms generally favor vendors – The way cloud services are structured makes it difficult to customize contracts based on customers’ needs. That can often result in standardized contract terms that better serve the vendor’s interests. And there may not be room for much negotiations, so companies should adjust their expectations accordingly.
Contracts are easily changed by the vendor – Cloud service contracts are often long and confusing, making it easy for some vendors to change terms without all of their customers noticing. Business must completely understand all terms of the contract before signing it.
Contracts don’t have clear service commitments – One key weapon IT has in dealing with a cloud provider is a service guarantee. But too often, service guarantees are vague and don’t include any real penalties for the vendor. Businesses should make sure those terms are acceptable before entering into an agreement.

While managing records, manage risk - FierceContentManagement

2011-03-23T11:41:17Z

While managing records, manage risk
FierceContentManagement
Ours includes records management-specific issues," she added. Security is typically addressed in records storage, and many ECM solutions have permission and authorization settings. But is that enough? The insider threat may not be addressed explicitly ...

How to integrate an acquired company in just 90 days

2011-03-21T10:00:00Z

Avnet's M&A playbook allows it to bring acquired companies -- and their IT systems -- into the fold with 'deliberate speed' -- usually within 90 days.

Paul Glen: IT, the business, and the clash of cultures

2011-03-21T10:00:00Z

Business groups need IT more than ever, but the levels of mutual trust remain low and frustration remains high.

CIOs aren't CIOs for long

2011-03-23T10:00:00Z

A U.S. president, especially if they win reelection, will have a much better chance of staying in the same job longer than many CIOs, new survey data suggests.

CIO Watch: NASA CTO resigns over budget cuts

2011-03-25T14:10:00Z

NASA's CTO for IT departs over concerns about funding and the lack of entrepreneurial spirit at the space agency. And Kevin Hart leaves the CIO post at troubled Clearwire.

Lawsuit alleges cloak-and-dagger conspiracy by Software AG

2011-03-25T19:36:00Z

Middleware giant Software AG conducted an elaborate corporate espionage scheme replete with "sex, lies and an audiotape," according to allegations in a lawsuit filed by RFID vendor GlobeRanger.

When the CIO is also the CFO

2011-03-14T10:00:00Z

Some would argue the relationship between IT and finance is naturally combative. So what happens when one person holds two titles -- CIO and CFO -- in the same company?

Customer sues Infor after ERP license audit

2011-03-07T18:07:00Z

A New York manufacturer is suing ERP (enterprise resource planning) vendor Infor following a dispute over whether it should have to pay nearly $150,000 in additional license fees.

Today's CSO: Business, Relationships Come First

2011-03-01T05:00:00Z

As Baby Boomers are leaving the corporate workplace to enjoy their time on the beach, in the mountains and in their RVs traveling across the country, corporate security departments are losing leadership talent more frequently than at any other time in corporate history.

7 Communication Mistakes CSOs Still Make

2011-03-23T04:00:00Z

For many years, we heard security professionals lament the way they are perceived. Terms such as "the place where good ideas go to die" and "the department of no" weren't uncommon just a few years ago when referring to the security function.

Enterprise Reinvention: How to Improve Corporate Performance through Enterprise Risk Management

2010-06-21T04:00:00Z

The rapidly changing and competitive business environment make it a good time to reinvent your enterprise risk management program, this will require a systematic move from the Industrial Age to the Knowledge Age.

How Kelly Services Manages Risk in the Cloud

2011-03-23T04:00:00Z

CSO contributor Bob Violino recently interviewed Rosie Rivel, senior manager of IT global risk and compliance at Kelly, regarding risk and the cloud.

Why IT Management Frameworks Don't Guarantee IT Success

2008-03-05T05:00:00Z

It just isn't enough for your IT organization to have mature management and software development processes if the business organizations don't do their part. Companies also need an IT maturity model for the enterprise. PLUS: 5 tips to jump-start consultants and standards organizations.