Managing a Security & Privacy Governance Function
April 3, 2014
Audrey Foster, CPA, CISA, CGMA, CITP
Director of AICPA Internal Audit, Risk & Compliance

Audrey Foster presented at the April 2014 Raleigh ISSA Chapter meeting.

Page 1

Managing a Security & Privacy Governance Function
April 3, 2014
Audrey Foster, CPA, CISA, CGMA, CITP
Director of AICPA Internal Audit, Risk & Compliance

Page 2

American Institute of CPAs®

Overview

Definition of Governance
• the action or manner of governing.

Definition of Govern
• conduct the policy, actions, and affairs of (a state, organization, or people).
• control, influence, or regulate (a person, action, or course of events).
• conduct oneself, esp. with regard to controlling one's emotions.
• serve to decide (a legal case).

Session Goals
• Importance of Security & Privacy Governance
• Setup of Governance within a Security & Privacy Function
• Examples of Governance within a Security & Privacy Function

Page 3

Security & Privacy (S&P)

Defined:
• Security: Protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• Privacy: Understanding the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.

Understanding of group:
• Who works in just security?
• Who works in just privacy?
• Who works in both?
• Who works in audit?
• Who reports through IT?
• Who reports outside IT?

Importance of Governance

Page 4

Importance of Governance
(diagram; residual labels recovered from the slide: "and risk-based", "intent")

Page 5

Importance of Governance
(diagram; residual label recovered from the slide: "S&P")

Page 6

Setup of Governance

Establish clear S&P organizational structure.
• Reporting lines provide an organization-wide perspective and authority.

Example (org chart):
CEO, COO, Audit & S&P Committees
  → Internal Audit, Risk & Compliance Team
    → Internal Audit | Security & Privacy Exams | Compliance

Page 7

Setup of Governance

Define S&P goals and follow them!
• Ensure they are balanced with a risk-based approach where your organization wants you to be at the table.
• Actions speak louder than words, walk the talk, etc!

Examples:
• Strengthen processes and procedures
• Ensure sustainable change
• Monitor environment
• Continuous assessment of risk
• Allow business opportunity
  - Don’t be a “no” team!
  - Control beneficial risks

Page 8

Setup of Governance

Define the S&P mission and communicate it!

Example:
• Provide leadership in the development, delivery, maintenance, and monitoring of the Institute’s information security, risk management and privacy programs.
• Provide strategic assistance in the safeguarding of information assets and the supporting infrastructure against unauthorized use, disclosure, modification, damage or loss.

Page 9

Setup of Governance

Define S&P areas and scope of work.

Example – Breakdown of Key Areas of Work:
• Project Consulting
  - S&P performs independent reviews and consulting engagements to improve the organization’s operating and internal control environment around privacy and information security.
• Program Development
  - S&P develops frameworks, and distributes privacy and information security focused policies and procedures and practice aids, enabling the Institute to effectively and efficiently navigate privacy laws and information security risks.

Page 10

Setup of Governance

• Compliance Monitoring
  - S&P identifies areas for improvement or deficiencies through compliance audits, process reviews, risk assessments, vulnerability assessments, and security awareness training; and leads efforts to improve and/or establish risk mitigating processes and systems to make operations within the Institute more effective and efficient.
• Incidents & Inquiries
  - S&P facilitates the response plan and triage activities for information security incidents & inquiries, following through to successful closure while also identifying efforts to improve and/or establish processes and systems geared toward reducing the risk of subsequent occurrences. Additionally, S&P functions as a vendor and contract reviewer/approver for services where either the Institute/member data is shared with a third party, or that include changes to our information security architecture.

Page 11

Setup of Governance

Establish policy, but…
• Create value-add policies that truly mean something and that you are willing to devote staff hours to monitor compliance with that policy.
• Higher likelihood that users within your organization will be aware of and following S&P policies.

Speak the executive voice.
• Know your audience (concept-based versus detail-based).
• Summarize what is really important with enough substance for them to understand key concepts.
• Know when they need to be decision makers and give a pro/con analysis with a recommendation.

Page 12

Examples of Governance

S&P Function Reporting Structure
• Example #1 in the following slides.

Streamlined Annual Risk Assessment/ Project Plan
• Example #2 in the following slides.

Finding Process for Consulting Engagements
• Example #3 in the following slides.

Page 13

Example #1: S&P Function Reporting Structure

Challenge
• The security function within the organization was not providing the oversight and governance needed to meet the current business environment nor strategic initiatives, including privacy considerations.

Innovative Thought
• Create a Security & Privacy (S&P) function which reports up through Internal Audit (IA), which already has a reporting structure within the organization that allows independent thought along with established processes to plan projects, to allow S&P to step into the needed oversight and governance role.

Page 14

Example #1 Outcome: S&P Function Reporting Structure

Outcome
• The creation of a S&P Committee made up of senior leadership which guides the actions of the S&P function and allows IA to be independent, along with some additional external audits.
• A reporting structure which provides an organization-wide ability to establish and execute the projects, policies and oversight needed to address the key S&P risks within the organization.
• A holistic team that can work with management and various governance committees and boards to understand and respond to a full breadth of organizational risks, strategic initiatives, and compliance requirements to ensure adequate measures are in place to protect the organization’s interests.

Page 15

Example #2: Streamlined Annual Risk Assessment/ Project Plan

Challenge
• The risk register had many detailed listings of potential risks, which was overwhelming to evaluate and didn’t consider strategic initiatives or other key team activities.

Disruptive Thought
• Stop doing risk assessments.

Innovative Thought
• Have no more than 20 risks to assess, where every single risk means something; auditable/ reviewable strategic initiatives along with activities within mission critical teams are evaluated.

Outcome
• Streamlined annual risk assessment process where projects are focused on the true needs of the organization, with a nimbleness that allows resources to be reallocated as needed.

Page 16

Example #2 Outcome: Managing Organizational Risks

(annual timeline diagram; milestones recovered from the slide, their order on the timeline not recoverable: Env. Assessment; Primary Inputs & Prelim. Focus Areas; Prelim. Annual Plan & ERM; Final Focus Areas & Annual Plan; Final Annual Plan & ERM; Audit Committee Approval; IA/S&P Annual Plan; Strategy Annual Plan. Timeline months: January, April, August, November.)

Page 17

Example #2 Outcome: Annual Plan Development

Focus Area Identification (Primary Inputs) → Risk Ranking (Primary Inputs) → IA/S&P Annual Plan

What are Focus Areas?
• Areas IA/S&P is targeting to support through assurance and consulting activities.
• Spend time evaluating if a primary input would be an auditable/ reviewable area.

Page 18

Example #2 Outcome: Annual Plan Development

Primary Inputs:
• Mission Critical Teams
• Meetings with Senior Leadership
• Annual Plan: Strategic Initiatives
• Approved IT Projects
• Knowledge of Environment
• ERM Risk Evaluation
• Recurring Projects & Internal Team Initiatives

Primary Inputs → Identify Focus Areas & Risk Rank → IA/S&P Annual Plan

Initiated annually; updated quarterly.

Page 19

Example #2 Outcome: Risk Assessment Methodology

Focus Area Identification (Primary Inputs) → Risk Ranking (Primary Inputs) → IA/S&P Annual Plan

Risk Factors | Reputation Impact | Control Env. | External Env. | Mgt Concerns | Strategic Impact | Ops Impact | Weighted Risk Score
Weight       | 25%               | 15%          | 20%           | 10%          | 15%              | 15%        |
Example      | 5                 | 3            | 1             | 5            | 5                | 3          | 3.6

Rating scale: 1 = Low, 3 = Moderate, 5 = High
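As an added example, not from the deck or the AICPA team, the weighted-score and risk-ranking step of the methodology above in Python: the factor weights and the 1/3/5 rating scale are the slide's; the focus-area names and ratings are constructed. Ratings are validated against the scale so a missing or out-of-scale rating is a scoring error rather than a silent zero.

```python
from math import isclose

# Factor weights from the slide (page 19); they sum to 100%.
WEIGHTS = {
    "Reputation Impact": 0.25,
    "Control Env.": 0.15,
    "External Env.": 0.20,
    "Mgt Concerns": 0.10,
    "Strategic Impact": 0.15,
    "Ops Impact": 0.15,
}
ALLOWED_RATINGS = {1, 3, 5}  # 1 = Low, 3 = Moderate, 5 = High
assert isclose(sum(WEIGHTS.values()), 1.0)


def weighted_score(ratings):
    """Weighted risk score for one focus area; `ratings` maps factor -> 1/3/5.
    Every factor must be rated and every rating must be on the scale."""
    missing = WEIGHTS.keys() - ratings.keys()
    if missing:
        raise ValueError(f"unrated factors: {sorted(missing)}")
    for factor, rating in ratings.items():
        if factor not in WEIGHTS:
            raise ValueError(f"unknown factor: {factor}")
        if rating not in ALLOWED_RATINGS:
            raise ValueError(f"{factor}: rating {rating} not in {sorted(ALLOWED_RATINGS)}")
    return round(sum(WEIGHTS[f] * ratings[f] for f in WEIGHTS), 2)


def rank_focus_areas(areas, top_n=10):
    """Rank (name, ratings) pairs by score, highest first, keeping the top_n.
    Ties keep input order (sorted is stable), so callers can pre-order tied
    areas, e.g. by mission-critical team priority. Returns (rank, name, score)."""
    scored = [(name, weighted_score(r)) for name, r in areas]
    ordered = sorted(scored, key=lambda item: item[1], reverse=True)
    return [(i + 1, name, score) for i, (name, score) in enumerate(ordered[:top_n])]


def _ratings(*values):
    """Build a ratings dict from values given in the slide's factor order."""
    return dict(zip(WEIGHTS, values))


# Constructed sample focus areas (not from the deck); first row is the slide's worked example.
SAMPLE_AREAS = [
    ("Slide example", _ratings(5, 3, 1, 5, 5, 3)),
    ("Vendor data sharing", _ratings(5, 5, 5, 3, 5, 3)),
    ("Privacy law changes", _ratings(5, 3, 5, 5, 3, 1)),
    ("Recurring QAR", _ratings(1, 1, 1, 3, 1, 1)),
]

if __name__ == "__main__":
    for rank, name, score in rank_focus_areas(SAMPLE_AREAS):
        print(f"{rank:>2}  {score:4.2f}  {name}")
```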

Page 20

Strategic Initiatives which could be reviewed by IA/S&P…
(table of placeholder "Example" strategic initiatives; a marker indicates an IA/S&P project is planned.)

Mission Critical Teams
(table of placeholder "Example" teams)
Note: Mission critical teams were risk ranked using specific criteria to determine their priority.

Page 21

Example #2 Outcome: TOP 10 Focus Areas

No | Strategic Initiative / Team (X marks the source input) | Focus Area         | Weighted Risk Score | IA/S&P Plan
1  | X                                                      | Example Focus Area | 4.65                | IA/S&P – Example Project
2  | X                                                      | Example Focus Area | 4.45                | S&P – Example Project
3  | X                                                      | Example Focus Area | 4.25                | S&P – Example Project
4  | X                                                      | Example Focus Area | 4.20                | IA – Example Project
5  | X                                                      | Example Focus Area | 4.20                | S&P – Example Project
6  | X                                                      | Example Focus Area | 4.15                | IA – Example Project
7  | X                                                      | Example Focus Area | 4.05                | S&P – Example Project
8  | X X                                                    | Example Focus Area | 3.95                | IA – Example Project
9  | X                                                      | Example Focus Area | 3.95                | IA – Example Project
10 | X                                                      | Example Focus Area | 3.75                | IA – Example Project

Page 22

Example #2 Outcome: Recurring Projects & Internal Team Initiatives

(diagram of recurring projects and internal team initiatives; labels recovered from the slide: Roadmap, CICA/CIMA, Member Value, IIA Standards QAR, Compliance, Recruiting, COSO/ FS Reporting, plus placeholder "Example" and "Example Area" entries)

Page 23

Example #2 Outcome: IA/S&P Project Plan

Project | Status

To be approved by Audit Committee in August:
IA – Recruiting (Internal Team Initiative) | Not Started
IA – QAR (Internal Team Initiative) | Not Started
IA – Example Project (Internal Team Initiative) | Not Started
IA – Example Project | Not Started
IA – Example Project | Not Started
IA – Example Project | Not Started
IA – Example Project | Not Started
IA – Example Project | Not Started
IA/S&P – Example Project | Not Started

To be approved by S&P Committee in August:
S&P – Example Project | Not Started
S&P – Example Project | Not Started
S&P – Example Project | Not Started
S&P – Example Project | Not Started
S&P – Example Project (Internal Team Initiative) | Not Started

Recurring Projects:
S&P – Example Project Area | Not Started
IA/S&P – Example Project Area | Not Started
IA – External Audit Assistance | Not Started

Page 24

Example #3: Finding Process for Consulting Engagements

Challenge
• Within a consulting engagement for a multi-year software implementation IT project, feedback was being provided by IA/S&P that either was not being addressed in a timely manner or was being forgotten among the many tasks.

Innovative Thought
• Use existing finding management processes to create a method that could be used during the IT project, where IA/S&P concerns are addressed in a timely manner and prior to go-live.

Outcome
• IA/S&P feedback is incorporated and accountability for timelines and resolution is clear.

Page 25

Example #3 Outcome

(finding process flow diagram, reconstructed from the slide labels)

Preliminary Observation → Confirm Issue (2 weeks to resolve)
• Finding for unresolved high or moderate risk issues: 1 week to respond with action plan/ remediation date (past due if not received).
• Verbal Finding for unresolved low risk issues (no follow-up/ action plan): summarize in quarterly report.
• Monitoring Items: addressed with future activity; IA/S&P will monitor progress.

Page 26

Questions / Discussion