
ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW 2015/Sessions... · 2019. 1. 14. · Baker Tilly Virchow Krause, LLP [email protected] Jill Uitenbroek, MBA ... Share lessons


IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

Designing an IT Risk Management Framework

Session # 605

Tuesday, June 9: 3:30 – 5:00pm


Introductions

Chris Tait, MBA, CISA, CFSA, CCSK

Principal

Baker Tilly Virchow Krause, LLP

Chris.Tait@bakertilly.com

Jill Uitenbroek, MBA

Internal Audit Manager

SECURA Insurance Companies

[email protected]


Session Overview

Objectives

Discuss trends in the industry

Share lessons learned

Review strategies for developing an IT risk management framework


Session Overview

Agenda

Industry Trends

Vendor Management

Compliance Program Alignment

Board of Director / Audit Committee Interaction


INDUSTRY TRENDS

Section one


Trends – Technology Landscape


Trends – Change in IT Audit

Past IT Audit Plan (focused on core IT general controls):

> Change management / system development life cycle (SDLC)
> Access administration and authentication
> Disaster recovery and business continuity planning
> Computer operations and back-up

Current IT Audit Plan (focused on emerging risks and integration into ERM):

> Vendor management
> IT governance
> Data breach and vulnerability management
> Data privacy
> Mobile device management and security
> End user computing

Trends in IT have led internal audit departments to focus more on emerging technologies as risk assessment frameworks dictate.


Trends – Regulatory / Business

Regulation Modernization

• Federal vs States

Corporate Governance

• Data Security / Privacy

• Government Policy Changes

• Corporate Partnership

ORSA / ERM

• Federal Insurance Office


Trends – Regulatory (Not new, but still relevant)

Model Audit Rule (MAR)

Gramm Leach Bliley Act (GLBA)

Driver's Privacy Protection Act (DPPA)

Fair Credit Reporting Act (FCRA)

Federal Information Security Management Act (FISMA)

HIPAA and HITECH Act

Identity Theft Red Flags

International Laws

PCI DSS

State Data Protection and Breach Notification Laws


Trends – Cyber Security: What is happening?

For many companies, business value resides in their data and network systems.

A sophisticated community of “hacktivists”, cyber criminals, and organized crime syndicates wants to cause competitive harm and financial loss by exploiting technical and social vulnerabilities of information assets.

This combination leads to a high likelihood of data breaches.

“It is not a matter of if, but when …” – Countless leaders and security professionals


Trends – Cyber Security: Why is it important?

Consequences of a breach:

• Negative publicity
• Regulatory sanctions
• Refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Fines
• Damaged customer relationships
• Damaged employee relationships
• Deceptive or unfair trade charges


Trends – Cyber Security: Blocking and Tackling Controls

78% of breaches could have been stopped through simple or intermediate controls.*

*According to the Verizon 2014 Data Breach Investigations Report


Trends – Cyber Security: What do they do when breached?

They go back to the basics … and bolster with technology.

• 53% Training and awareness
• 52% Expanded use of encryption
• 49% Additional manual procedures and controls
• 47% Identity and access management solutions


Trends – Cyber Security

New York State – Department of Financial Services

• Report on Cyber Security in the Insurance Sector (February 2015)
• Expands scope of its I/T security examinations in the insurance sector to include “cyber security” (March 26, 2015)

NAIC Cybersecurity Task Force

• Principles for Effective Cybersecurity (Adopted April 6, 2015)


Trends – NY DFS Report Key Findings

80% of those surveyed reported that they:

• Participate in information-sharing organizations
• Audit third-party service providers who handle personal data
• Have policies to minimize risks posed by social media
• Have a designated information security executive


Trends – NY DFS Report (cont)

Areas needing improvement:

• Responding to the growing sophistication of cyber security threats and the speed at which technology is changing
• Frequency of reporting information security issues to senior management and the Board of Directors
• Relying primarily on penetration testing to determine whether or not vulnerabilities exist
  • According to DFS: “Ongoing vulnerability scanning is as − if not more − important than penetration testing to identify known weaknesses and potential exposures.”


Trends – Key Takeaways

1. Rapid changes in technology need a flexible risk management approach
2. Cyber related risks will only increase and must be addressed continually
3. Data management will be the next ‘big thing’


VENDOR MANAGEMENT

Section two


Vendor Management – Increasing Risks

• Two-thirds of companies ‘extensively or significantly’ rely on vendors (IIARF)
• 40% of CEOs expect to develop the majority of upcoming innovations with strategic partners (PwC 2011 Annual Global CEO Survey)
• IT is outsourced more than any other function (Outsourcing Institute)
• 63% of data breaches in 2013 involved a third party (2013 Trustwave Global Security Report)

Increased Risk


Vendor Management – Drivers

Business Factors

• Increased number and complexity of vendor relationships
• Informal vendor selection process
• Inability to identify relevant risks by vendor relationship
• Insufficient knowledge of vendor universe
• Inconsistent risk assessment and monitoring practices

Regulatory Focus

• NAIC: Annual Financial Reporting Model Regulation, Implementation Guide, Appendix G
• OCC: Bulletin 2013-29, Third Party Relationships
• FINRA: Rule 3190: Third Party Service Providers
• COSO 2013 Internal Control – Integrated Framework


Vendor Management – Drivers

Potential Risks

• IT Continuity
• Regulatory Compliance
• Information Security and Privacy
• Customer Service
• Data Integrity
• Financial Reporting

Outsourcing business operations does not absolve organizations of their responsibilities to manage risk!


Effective Vendor Management

Effective vendor management programs:

• Consider organizational strategy
• Evaluate the degree of risk and complexity of each relationship
• Align activities based on evaluation
• Define roles and responsibilities
• Develop reporting mechanisms to facilitate monitoring
• Involve relevant stakeholders


Vendor management life cycle – Key Items

Planning

• Determine the scope of services to be provided
• Assess related vendor risks
• Involve relevant stakeholders

Due Diligence

• Scale activities based on risk and complexity
• Business continuity / recovery plan
• Consider any use of sub-contractors (“fourth-party vendors”)

Contract Negotiation

• Document data confidentiality responsibilities
• Determine any performance measures and/or benchmarks
• Incorporate internal control monitoring requirements (e.g., SOC report, right to audit)

Ongoing Monitoring

• Continue to monitor the same areas evaluated during due diligence
  • Periodic risk assessment questionnaires
  • Service-level agreement monitoring
  • Service Organization Control (SOC) examination reports
• Establish criteria for ‘critical vendors’ and increase the frequency and depth of monitoring activities

Termination

• Develop a plan to transfer activities to another provider (or bring in-house)
• Evaluate the degree of difficulty and specific risk factors of transition
• Define and monitor data transmission, retention and destruction actions


Vendor Management – SOC Reporting Options

Remember: the ‘best’ option is subjective, and based on the services performed and related third-party risks.

Report | Guidance | Scope | Typical Report Users

SOC 1 | SSAE 16 | Controls related to client’s financial reporting (ICFR) | Internal/External Auditors

SOC 2 | AT 101 | Controls related to IT operations or compliance: Security, Confidentiality, Processing Integrity, Availability and/or Privacy | Vendor Management; Internal/External Auditors

SOC 3 | AT 101 | Controls related to IT operations or compliance | General Use

AUP | AT 201 | Controls determined by the requesting party | Requesting Client Only


Vendor Management – Key Takeaways

1. Develop a formal, standardized process for vendor management
2. Tailor due diligence activities based on risk
3. Continue risk management for existing vendors through ongoing monitoring
4. Determine whether a SOC report will effectively meet monitoring needs


COMPLIANCE PROGRAM ALIGNMENT

Section three


ERM / GRC Linkage

GRC components linked to ERM:

• Business Continuity Management
• Investment Management
• Policy Management
• Risk Management
• Threat & Incident Management
• Audit Management
• Compliance Management
• Vendor Management


IT Governance

Enterprise Architecture

• Reduces long-term support costs
• Enables IT to be responsive to business need
• Integrated workflows that accelerate design and development

Portfolio Management

• Manage high project demand with limited resources
• Create a fluid process that builds a portfolio that will generate the most business value
• Balance rigor and responsiveness on an ongoing basis

Project Management

• Establish a PMO
• Drive the right level of project methodology
• Over-involve business sponsors and end users across the project lifecycle

Information Risk and Security

• Governance of plans, policies and frameworks is critical as organizations experience an explosion in the number and diversity of risks
• Structure the information risk function and its governance mechanisms to help protect technology and information from both internal misuse and external disruptions


A robust program is critical

GOVERNANCE AND POLICIES

• Governance practices
• Policies and procedures
• Change management
• Performance measurement
• Enterprise risk management
• Business continuity management

SECURITY AND CONTROL PROGRAM

• Risk assessment
• Controls and countermeasures
• Training & communication
• Incident response management

MONITORING

• Controls assessment
• Performance metrics
• Systems monitoring
• Compliance/certification
• External audit
• External reporting
• Internal audit
• Audit committee


Risk Assessment

Security Risk Assessments

Enterprise Risk Management Linkage

Technical Assessments

Standards / Readiness Evaluations

Compliance Assessments

Threat Intelligence


Common Language to Manage Complex Risks

Flexible, Comprehensive, Scalable

Identify

• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

Protect

• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

Detect

• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond

• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover

• Recovery Planning
• Improvements
• Communication


Controls and Countermeasures

Access Management

Network / Infrastructure Security

Change Controls

Secure Development

Physical Security

Vulnerability Assessments

Backup

Monitoring

3rd Party Control

Certifications


Training and Communication

Awareness Training

Cross-area Training

Skill Building

• Security

• Testing

• Audit

Communication With Industry Groups


Incident Response Management

Crisis Management

Investigation Teams

Response Plans and Teams

Collaboration with:

• Supply Chain

• Service Providers

• Law Enforcement


Compliance Program Alignment – Key Takeaways

1. Strong governance and policies (Business and IT)
2. Effective control program and ongoing monitoring
3. Leverage industry standard frameworks


BOARD OF DIRECTORS AND AUDIT COMMITTEE INTERACTION

Section four


Board of Directors and Audit Committee Interaction

• Audit Committee and Corporation alignment
• Determine what information is for the Audit Committee vs the full Board of Directors
• Sharpen the Board’s focus on cyber risk and security


Alignment with Audit Committee and Management

Ranking of Audit Focus (data from Grant Thornton GRC 2015 Survey)

Audit Committee Focus

1. Financial Risks
2. Compliance Risks
3. Operational Risks
4. Strategic Risks

CAE Focus

1. Compliance Risks
2. Operational Risks
3. Financial Risks
4. Strategic Risks


Alignment with Audit Committee and Management

Ranking of Risk (data from Grant Thornton GRC 2015 Survey)

Audit Committee Risk

1) Mitigating risk
2) Stronger financial controls compliance
3) Identifying improvement opportunities
4) Stronger corporate governance
5) Stronger compliance efforts in other areas
6) Increased efficiency
7) Business planning/growth strategy
8) Business insights
9) Other

CAE Risk

1) Identifying improvement opportunities
2) Mitigating risk
3) Increased efficiency
4) Stronger corporate governance
5) Stronger financial controls compliance
6) Stronger compliance efforts in other areas
7) Business insights
8) Business planning/growth strategy
9) Other


Align Support to Board Priorities

How prepared is the General Counsel’s Office?

Top Board Priorities 2015 | % of General Counsel who do not feel prepared

1. Compliance and Ethics | 6%
2. Corporate Governance | 4%
3. Executive Compensation | 21%
4. Information Risk | 34%
5. Information Technology Oversight | 47%
6. Mergers and Acquisitions | 17%
7. Regulatory Changes | 16%
8. Hotline Reporting and Ethics Violations | 18%
9. Crisis Response Planning | 41%
10. Anti-Corruption | 33%

Data from: CEB 2015 Board and Governance Survey


Board and Audit Information

Traditionally, information was shared with the Audit Committee, and the Audit Chairman would report to the Board.

Today, with more technology audit concerns, there is a shift toward the Board wanting more direct conversations with management.


Skills Review

Is your Board knowledgeable on all the different technology concerns in today’s business environment?

Does your Management team have the skills to respond to the technology environment and the ability to report to the Board?


Final Thoughts

1. Changing landscape (Technology and Regulatory)
2. Vendor Management
3. Alignment with the Board and Audit Committee


Please Complete the Session Evaluation Form on the Conference App