Archive for Governance and Risk Management

SOX Spared, Oversight Improved…

The advent of regulations that impact IT (SOX, PCI, FDCC, etc.) is considered by many a costly nuisance. However, one could argue that the impact of these regulations, which require stringent controls and accountability, has resulted in higher levels of measurable security.

Earlier this week, one of the most well known regulations (SOX) came under scrutiny by the Supreme Court, specifically over concerns around oversight. There was an excellent article published that illustrates the court’s ruling:

http://online.wsj.com/article/SB10001424052748703964104575334771098178714.html?mod=WSJ_hpp_LEADNewsCollection

The following is my summary of the results of the ruling:

1) The Supreme Court has ruled that the SEC now has the ability to remove Public Company Accounting Oversight Board (PCAOB) members “at will”, which represents a very significant change. Prior to this decision, the only way the SEC could remove a member of the board was with “due cause”. The importance of this ruling centers on ensuring that the accounting rules and controls that have been established (as they pertain to SOX) are maintained and enforced, and that oversight is conducted not by the PCAOB but by the SEC. Thus, the change has created more accountability.

2) In terms of the impact on the SOX regulation, for those that have to comply, it’s business as usual.

Now, had the court ruled on a broader basis, it could actually have forced Congress to revisit the act altogether, and most public companies would jump for joy if SOX went away. Nevertheless, the practices that have been established to ensure compliance have been a worthy and valuable investment: they have helped make companies better practitioners, preventing any additional Enrons or WorldComs in today’s business environment.

Dave Eike

Shavlik Technologies


Measurable, Continuous Compliance

The subject of compliance as it pertains to information security continues to demand a great deal of attention, for some very obvious reasons. There is a big difference between compliance and security. Considering yourself compliant doesn’t necessarily mean you’re secure. Generally, compliance rituals such as assessments and audits are conducted either quarterly or annually, and the results of these “point-in-time” activities only offer a snapshot of your state of security at that time. So assuming that you’re secure because you passed an audit today that states you’re compliant doesn’t equate to being secure tomorrow. This is probably best illustrated by some of the very well publicized breaches that took place over the last couple of years, like Heartland, ChoicePoint and TJX, just to name a few. Each of these notable entities thought they were compliant, and thus secure. Boy were they wrong, and they are still recovering from the damage.

More often than not, compliance (specific to information security) is viewed as a project, not as an ongoing, strategic business requirement. Herein lies the problem, but more importantly, the opportunity. The key is to make compliance activities part of the normal course of business operations.

If you consider the subject of risk management as it pertains to compliance, many companies today who have compliance requirements are faced with the monumental task of establishing and maintaining a compliant state.

For many, compliance is:

  • A semi-automatic task at best, one that leverages a basic policy structure with no form of automated remediation to address risks once discovered. This method is both expensive and time consuming, and it certainly puts any company addressing compliance requirements in this manner at risk.
  • For those that are more fortunate, a quarterly process may exist that leverages some form of best-practice-based policy structure, as well as some measure of remediation and reporting. This approach is much improved vs. the semi-automatic method; however, there are still gaps. Without a more “real-time” approach, the gaps in time between each quarterly assessment could pose a significant potential for risk. Even with a positive audit result, with the ever increasing number of threats companies are exposed to these days, even greater vigilance is required.
  • The best approach is what I will categorize as “continuous compliance”. This approach is fully supported by management, and measured like any other critical business operational requirement.

To achieve this, the following approach should be taken…

Establish a measurable set of security policies (controls) that are standards based and well recognized. Examples of these can be found via ISO, NIST, ITIL, etc. Additionally, these established controls should be measured monthly, or weekly if possible, thus leaving no stone unturned! It’s also important that you apply the appropriate level of automation, to ensure that the process of assessment, decisioning, remediation and reporting is completely automated.

Adopting some form of measurable, repeatable means of ensuring compliance will not only save the business money, but drastically reduce its potential for risk. I can assure you, it will be money well spent.

Dave Eike
Shavlik Technologies


The Value Of A Formal Information Security Management Program

The creation and implementation of a formal information security management program is fraught with challenges, but once in place it offers enormous benefit to the implementer. With the sheer number of vulnerabilities reaching a staggering level, the ability to accurately identify, remediate and manage any potential vulnerability-related risk is critical. If you surveyed most IT professionals and posed the question “has your company implemented any form of formal information security management program?” (meaning the combination of people, process and technology working together to address vulnerabilities and risk), the answer would generally be no. Not for lack of desire or the ability to create one; no, it’s more a function of time and resources. With the current economic conditions weighing heavily on almost every business, the implementation of an information security management program is generally not a top priority. However, surprisingly enough, the by-products of implementing such a program can be quite beneficial. Examples of this can be seen in improved operational costs due to greater efficiency, as well as the reduction of risk. The greatest value comes in the form of measurability!

Measurability comes from the structured implementation of security controls (or policies) that are both measurable and enforceable. The use of well recognized framework standards such as ISO 27002, NIST 800-53, COBIT, ITIL and others is the basis for any type of formal program. If you are considering the development of such a program, there are some excellent websites that contain a wealth of information that will aid you in your effort. Some of the sites I’d recommend are as follows:

ISO 27002

http://www.standardsdirect.org/iso17799.htm

NIST 800-53

http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf

COBIT

http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981

ITIL

http://www.itil-officialsite.com/home/home.asp

By creating a formal information security management program, you’ve created structure around a very difficult thing to confine: the potential for risk. Once it is in place, you’ll quickly discover that your security posture is truly measurable, and the return on your investment in such an endeavor is rapid.

Dave Eike
Shavlik Technologies


Governance, Risk and Compliance – Taking Advantage Of The Downturn

The current economic climate continues to have an adverse impact on many organizations. With many IT investments now stuck in a holding pattern, there is a bright spot! Spending in support of regulatory compliance and information security continues. The catalysts fueling this continued level of investment center around increasing regulatory requirements, the need for better process automation, and a requirement for improved levels of reporting.

Target Areas of Investment:

The target areas of investment (designed to address this ever growing set of needs) focus on the elements of Governance, Risk and Compliance (GRC), better defined as follows:

  • Governance: the improvement of process effectiveness, which will lead to better overall performance measurability.
  • Risk: the ability to determine the acceptable level of risk and the probability that the risk will occur, and measures to manage / mitigate the risk.
  • Compliance: the assembly of policies and IT controls that provide decision support, designed to address multiple regulations if required.

For many organizations today, the approach taken to GRC is less than efficient, and oftentimes difficult to measure and enforce. Investing in the Three P’s (People, Process and Technology) in support of any GRC initiative is imperative. Like anything, it’s not without risk, especially when times are tough. But what’s the alternative? Lack of awareness, the presence of unnecessary and unknown risk, or even (heaven forbid) a breach!

Be Prepared for the Unpredictable:

The sign of a good GRC program is being prepared for the unpredictable. No one could have predicted 9/11, and it’s even more difficult to predict what risks lie ahead, their potential impact, and, more importantly, how to proactively address them! Without the necessary resources and a structured program, the task at hand becomes almost insurmountable. This is why an investment in GRC makes so much sense.

I was chatting with one of our customers the other day, discussing the level of progress his firm had made towards the creation of a GRC program, and he had some very interesting insight.

He stated: “In the early stages of the development of our GRC program, the meetings were very time consuming and lacked structure, largely because of the lack of resources and investment. However, over time we were able to convince the company’s business leaders to view the concept of GRC as a strategic part of our business, and with that support came greater investment. By increasing the level of investment, it allowed us to add more structure and invest in tools that will help advance our efforts. It’s been a real win, and we’ve seen drastic improvements in our ability to measure and manage risk!” – CISO, Medium High Tech Company.

The Three P’s:

Structure and measurability are the basic values that will be realized by the development of a GRC program. The key to success is moving your GRC program from the “tactical” to the “strategic”, creating a program that better aligns IT with the objectives of the business. The recommended components required to develop such a program are as follows:

People

  • You’ll need Executive sponsorship. Without it, the program will fail.
  • Hire the right people…with the skills and passion to get the job done.
  • Empower those you hire, giving them the authority to take action, but with authority comes accountability.

Process

  • Design and implement processes that drive efficiency, which will in turn reduce both the potential for risk and cost.
  • Leverage well recognized framework standards (e.g. ISO, ITIL, NIST) to develop, measure and manage policies and controls.

Technology (Tools)

  • Automation of the critical tasks that are standing in the way of current progress is key.
  • Implement tools that can accurately assess your current state of security / compliance, with automated remediation, which will help drive down both risk and the cost of operation.
  • Require nothing less than reporting that clearly illustrates your current condition, with information that will help with decisioning and support any ongoing regulatory requirements.

By investing in the right combination of People, Process and Technology, you’re well on the way towards developing a first-rate GRC program! The result: greater efficiency, the reduction of risk, and significant cost savings!

Dave Eike
Shavlik Technologies
