IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
Designing an IT Risk Management Framework
Session # 605
Tuesday, June 9: 3:30 – 5:00pm
Introductions
Chris Tait, MBA, CISA, CFSA, CCSK
Principal
Baker Tilly Virchow Krause, LLP
Jill Uitenbroek, MBA
Internal Audit Manager
SECURA Insurance Companies
Session Overview
Objectives
Discuss trends in the industry
Share lessons learned
Review strategies for developing an IT risk management framework
Session Overview
Agenda
Industry Trends
Vendor Management
Compliance Program Alignment
Board of Director / Audit Committee Interaction
INDUSTRY TRENDS
Section one
Trends – Technology Landscape
Trends – Change in IT Audit
Past IT Audit Plan (focused on core IT general controls):
> Change management / system development life cycle (SDLC)
> Access administration and authentication
> Disaster recovery and business continuity planning
> Computer operations and back-up

Current IT Audit Plan (focused on emerging risks and integration into ERM):
> Vendor management
> IT governance
> Data breach and vulnerability management
> Data privacy
> Mobile device management and security
> End user computing

Trends in IT have led internal audit departments to focus more on emerging technologies as risk assessment frameworks dictate.
Trends – Regulatory / Business
Regulation Modernization
• Federal vs States
Corporate Governance
• Data Security / Privacy
• Government Policy Changes
• Corporate Partnership
ORSA / ERM
• Federal Insurance Office
Trends – Regulatory (Not new, but still relevant)
Model Audit Rule (MAR)
Gramm Leach Bliley Act (GLBA)
Driver's Privacy Protection Act (DPPA)
Fair Credit Reporting Act (FCRA)
Federal Information Security Management Act (FISMA)
HIPAA and HITECH Act
Identity Theft Red Flags
International Laws
PCI DSS
State Data Protection and Breach Notification Laws
Trends – Cyber Security: What is happening?
For many companies, business value resides in their data and network systems.
A sophisticated community of “hacktivists”, cyber criminals, and organized crime syndicates wants to cause competitive harm and financial loss by exploiting technical and social vulnerabilities of information assets.
This combination leads to a high likelihood of data breaches.
“It is not a matter of if, but when …” – Countless leaders and security professionals
Trends – Cyber Security: Why is it important?
Potential consequences of a breach:
• Negative publicity
• Regulatory sanctions
• Refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Fines
• Damaged customer relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
Trends – Cyber Security: Blocking and Tackling Controls
78% of breaches could have been stopped through simple or intermediate controls.*
*According to the Verizon 2014 Data Breach Investigations Report
Trends – Cyber Security: What do they do when breached?
They go back to the basics … and bolster with technology.
• 53% Training and awareness
• 52% Expanded use of encryption
• 49% Additional manual procedures and controls
• 47% Identity and access management solutions
Trends – Cyber Security
New York State – Department of Financial Services
• Report on Cyber Security in the Insurance Sector
(February 2015)
• Expands scope of its I/T security examinations in the
insurance sector to include “cyber security”.
(March 26, 2015)
NAIC Cybersecurity Task Force
• Principles for Effective Cybersecurity
(Adopted April 6, 2015)
Trends – NY DFS Report: Key Findings
80% of those surveyed reported that they:
• Participate in information-sharing organizations
• Audit third-party service providers who handle personal data
• Have policies to minimize risks posed by social media
• Have a designated information security executive
Trends – NY DFS Report (cont)
Areas needing improvement:
• Responding to the growing sophistication of cyber security threats and the speed at which technology is changing
• Frequency of reporting information security issues to senior management and the Board of Directors
• Relying primarily on penetration testing to determine whether or not vulnerabilities exist
  • According to DFS: “Ongoing vulnerability scanning is as − if not more − important than penetration testing to identify known weaknesses and potential exposures.”
Trends – Key Takeaways
1. Rapid changes in technology need a flexible risk management approach
2. Cyber related risks will only increase and must be addressed continually
3. Data management will be the next ‘big thing’
VENDOR MANAGEMENT
Section two
Vendor Management – Increasing Risks
• Two-thirds of companies ‘extensively or significantly’ rely on vendors (IIARF)
• 40% of CEOs expect to develop the majority of upcoming innovations with strategic partners (PwC 2011 Annual Global CEO Survey)
• IT is outsourced more than any other function (Outsourcing Institute)
• 63% of data breaches in 2013 involved a third party (2013 Trustwave Global Security Report)
Result: Increased Risk
Vendor Management – Drivers
Business Factors
• Increased number and complexity of vendor relationships
• Informal vendor selection process
• Inability to identify relevant risks by vendor relationship
• Insufficient knowledge of vendor universe
• Inconsistent risk assessment and monitoring practices
Regulatory Focus
• NAIC: Annual Financial Reporting Model Regulation, Implementation Guide, Appendix G
• OCC: Bulletin 2013-29, Third Party Relationships
• FINRA: Rule 3190: Third Party Service Providers
• COSO 2013 Internal Control – Integrated Framework
Vendor Management – Drivers
Potential Risks
• IT Continuity
• Regulatory Compliance
• Information Security and Privacy
• Customer Service
• Data Integrity
• Financial Reporting
Outsourcing business operations does not absolve organizations of their responsibilities to manage risk!
Effective Vendor Management
Effective vendor management programs:
• Consider organizational strategy
• Evaluate the degree of risk and complexity of each relationship
• Align activities based on evaluation
• Define roles and responsibilities
• Develop reporting mechanisms to facilitate monitoring
• Involve relevant stakeholders
Vendor Management Life Cycle – Key Items
Planning
• Determine the scope of services to be provided
• Assess related vendor risks
• Involve relevant stakeholders
Due Diligence
• Scale activities based on risk and complexity
• Business continuity / recovery plan
• Consider any use of sub-contractors (“fourth-party vendors”)
Contract Negotiation
• Document data confidentiality responsibilities
• Determine any performance measures and/or benchmarks
• Incorporate internal control monitoring requirements (e.g., SOC report, right to audit)
Ongoing Monitoring
• Continue to monitor the same areas evaluated during due diligence
• Periodic risk assessment questionnaires
• Service-level agreement monitoring
• Service Organization Control (SOC) examination reports
• Establish criteria for ‘critical vendors’ and increase the frequency and depth of monitoring activities
Termination
• Develop a plan to transfer activities to another provider (or bring in-house)
• Evaluate the degree of difficulty and specific risk factors of transition
• Define and monitor data transmission, retention and destruction actions
Vendor Management – SOC Reporting Options
Remember: the ‘best’ option is subjective, and based on the services performed and related third-party risks
• SOC 1 – Guidance: SSAE 16; Scope: Controls related to client’s financial reporting (ICFR); Typical Report Users: Internal/External Auditors
• SOC 2 – Guidance: AT 101; Scope: Controls related to IT operations or compliance: Security, Confidentiality, Processing Integrity, Availability and/or Privacy; Typical Report Users: Vendor Management, Internal/External Auditors
• SOC 3 – Guidance: AT 101; Scope: Controls related to IT operations or compliance; Typical Report Users: General Use
• AUP – Guidance: AT 201; Scope: Controls determined by the requesting party; Typical Report Users: Requesting Client Only
Vendor Management – Key Takeaways
1. Develop a formal, standardized process for vendor management
2. Tailor due diligence activities based on risk
3. Continue risk management for existing vendors through ongoing monitoring
4. Determine whether a SOC report will effectively meet monitoring needs
COMPLIANCE
PROGRAM
ALIGNMENT
Section three
ERM / GRC Linkage
• Business Continuity Management
• Investment Management
• Policy Management
• Risk Management
• Threat & Incident Management
• Audit Management
• Compliance Management
• Vendor Management
IT Governance
Enterprise Architecture
• Reduces long-term support costs
• Enables IT to be responsive to business need
• Integrated workflows that accelerate design and development
Portfolio Management
• Manage high project demand with limited resources
• Create a fluid process that builds a portfolio that will generate the most business value
• Balance rigor and responsiveness on an ongoing basis
Project Management
• Establish a PMO
• Drive the right level of project methodology
• Over-involve business sponsors and end users across the project lifecycle
Information Risk and Security
• Governance of plans, policies and frameworks is critical as organizations experience an explosion in the number and diversity of risks
• Structure the information risk function and its governance mechanisms to help protect technology and information from both internal misuse and external disruptions
A robust program is critical
GOVERNANCE AND POLICIES
• Governance practices
• Policies and procedures
• Change management
• Performance measurement
• Enterprise risk management
• Business continuity management
SECURITY AND CONTROL PROGRAM
• Risk Assessment
• Controls and Countermeasures
• Training & Communication
• Incident Response Management
MONITORING
• Controls assessment
• Performance metrics
• Systems monitoring
• Compliance/certification
• External audit
• External reporting
• Internal audit
• Audit committee
Risk Assessment
Security Risk Assessments
Enterprise Risk Management Linkage
Technical Assessments
Standards / Readiness Evaluations
Compliance Assessments
Threat Intelligence
Common Language to Manage Complex Risks
Flexible, Comprehensive, Scalable
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communication
Controls and Countermeasures
Access Management
Network / Infrastructure Security
Change Controls
Secure Development
Physical Security
Vulnerability Assessments
Backup
Monitoring
3rd Party Control
Certifications
Training and Communication
Awareness Training
Cross-area Training
Skill Building
• Security
• Testing
• Audit
Communication With Industry Groups
Incident Response Management
Crisis Management
Investigation Teams
Response Plans and Teams
Collaboration with:
• Supply Chain
• Service Providers
• Law Enforcement
Compliance Program Alignment – Key Takeaways
1. Strong governance and policies (Business and IT)
2. Effective control program and ongoing monitoring
3. Leverage industry standard frameworks
BOARD OF DIRECTORS
AND AUDIT COMMITTEE
INTERACTION
Section four
Board of Directors and Audit Committee Interaction
Audit Committee and Corporation Alignment
Determine what information is for Audit Committee vs full
Board of Directors
Sharpen the Board's focus on cyber risk and security
Alignment with Audit Committee and Management
Ranking of Audit Focus (Data from Grant Thornton GRC 2015 Survey)
Audit Committee Focus
1. Financial Risks
2. Compliance Risks
3. Operational Risks
4. Strategic Risks
CAE Focus
1. Compliance Risks
2. Operational Risks
3. Financial Risks
4. Strategic Risks
Alignment with Audit Committee and Management
Ranking of Risk (Data from Grant Thornton GRC 2015 Survey)
Audit Committee Risk
1) Mitigating risk
2) Stronger financial controls compliance
3) Identifying improvement opportunities
4) Stronger corporate governance
5) Stronger compliance efforts in other areas
6) Increased efficiency
7) Business planning/growth strategy
8) Business insights
9) Other
CAE Risk
1) Identifying improvement opportunities
2) Mitigating risk
3) Increased efficiency
4) Stronger corporate governance
5) Stronger financial controls compliance
6) Stronger compliance efforts in other areas
7) Business insights
8) Business planning/growth strategy
9) Other
Align Support to Board Priorities
How prepared is the General Counsel’s Office?
Top Board Priorities 2015 – % of General Counsel who do not feel prepared
1. Compliance and Ethics – 6%
2. Corporate Governance – 4%
3. Executive Compensation – 21%
4. Information Risk – 34%
5. Information Technology Oversight – 47%
6. Mergers and Acquisitions – 17%
7. Regulatory Changes – 16%
8. Hotline Reporting and Ethics Violations – 18%
9. Crisis Response Planning – 41%
10. Anti-Corruption – 33%
Data from: CEB 2015 Board and Governance Survey
Board and Audit Information
Traditionally, information was shared with the Audit Committee, and the Audit Chairman would report to the Board.
Today, with more technology audit concerns, there is a shift: the Board wants more direct conversations with management.
Skills Review
Is your Board knowledgeable on all the different technology
concerns in today’s business environment?
Does your Management team have the skills to respond to
the technology environment and ability to report to the
Board?
Final Thoughts
1. Changing landscape (Technology and Regulatory)
2. Vendor Management
3. Alignment with the Board and Audit Committee
Please Complete the Session Evaluation Form on the Conference App