Raleigh ISSA Chapter April Meeting - Managing a Security & Privacy Governance Function -...
Posted on 21-Oct-2014
Managing a Security & Privacy Governance Function
April 3, 2014
Audrey Foster, CPA, CISA, CGMA, CITP
Director of AICPA Internal Audit, Risk & Compliance
American Institute of CPAs®
Overview
Definition of Governance
• The action or manner of governing.
Definition of Govern
• Conduct the policy, actions, and affairs of (a state, organization, or people).
• Control, influence, or regulate (a person, action, or course of events).
• Conduct oneself, esp. with regard to controlling one's emotions.
• Serve to decide (a legal case).
Session Goals
• Importance of Security & Privacy Governance
• Setup of Governance within a Security & Privacy Function
• Examples of Governance within a Security & Privacy Function
Security & Privacy (S&P) Defined:
• Security: Protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• Privacy: Understanding the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
Understanding of group:
• Who works in just security?
• Who works in just privacy?
• Who works in both?
• Who works in audit?
• Who reports through IT?
• Who reports outside IT?
Importance of Governance
(Slides 3 to 5 are diagrams; the only text fragments that survive from them are "and risk-based intent" and "S&P".)
Setup of Governance
Establish clear S&P organizational structure.
• Reporting lines provide an organization-wide perspective and authority.
Example (reporting structure):
CEO, COO, Audit & S&P Committees
  Internal Audit, Risk & Compliance Team
    Internal Audit | Security & Privacy Exams | Compliance
Setup of Governance
Define S&P goals and follow them!
• Ensure they are balanced with a risk-based approach where your organization wants you to be at the table.
• Actions speak louder than words, walk the talk, etc.!
Examples:
• Strengthen processes and procedures
• Ensure sustainable change
• Monitor environment
• Continuous assessment of risk
• Allow business opportunity
  - Don’t be a “no” team!
  - Control beneficial risks
Setup of Governance
Define the S&P mission and communicate it!
Example:
• Provide leadership in the development, delivery, maintenance, and monitoring of the Institute’s information security, risk management and privacy programs.
• Provide strategic assistance in the safeguarding of information assets and the supporting infrastructure against unauthorized use, disclosure, modification, damage or loss.
Setup of Governance
Define S&P areas and scope of work.
Example – Breakdown of Key Areas of Work:
• Project Consulting
  - S&P performs independent reviews and consulting engagements to improve the organization’s operating and internal control environment around privacy and information security.
• Program Development
  - S&P develops frameworks, and distributes privacy and information security focused policies, procedures and practice aids, enabling the Institute to effectively and efficiently navigate privacy laws and information security risks.
• Compliance Monitoring
  - S&P identifies areas for improvement or deficiencies through compliance audits, process reviews, risk assessments, vulnerability assessments, and security awareness training, and leads efforts to improve and/or establish risk-mitigating processes and systems to make operations within the Institute more effective and efficient.
• Incidents & Inquiries
  - S&P facilitates the response plan and triage activities for information security incidents & inquiries, following through to successful closure while also identifying efforts to improve and/or establish processes and systems geared toward reducing the risk of subsequent occurrences. Additionally, S&P functions as a vendor and contract reviewer/approver for services where either Institute/member data is shared with a third party, or that include changes to our information security architecture.
Setup of Governance
Establish policy, but…
• Create value-add policies that truly mean something and that you are willing to devote staff hours to monitoring compliance with.
• This gives a higher likelihood that users within your organization will be aware of and follow S&P policies.
Speak the executive voice.
• Know your audience (concept-based versus detail-based).
• Summarize what is really important, with enough substance for them to understand the key concepts.
• Know when they need to be decision makers and give a pro/con analysis with a recommendation.
Examples of Governance
S&P Function Reporting Structure
• Example #1 in the following slides.
Streamlined Annual Risk Assessment / Project Plan
• Example #2 in the following slides.
Finding Process for Consulting Engagements
• Example #3 in the following slides.
Example #1: S&P Function Reporting Structure
Challenge
• The security function within the organization was not providing the oversight and governance needed to meet the current business environment or strategic initiatives, including privacy considerations.
Innovative Thought
• Create a Security & Privacy (S&P) function which reports up through Internal Audit (IA), which already has a reporting structure within the organization that allows independent thought along with established processes to plan projects, allowing S&P to step into the needed oversight and governance role.
Example #1 Outcome: S&P Function Reporting Structure
Outcome
• The creation of an S&P Committee made up of senior leadership which guides the actions of the S&P function and allows IA to be independent, along with some additional external audits.
• A reporting structure which gives an organization-wide ability to establish and execute the projects, policies and oversight needed to address the key S&P risks within the organization.
• A holistic team that can work with management and various governance committees and boards to understand and respond to the full breadth of organizational risks, strategic initiatives, and compliance requirements, ensuring adequate measures are in place to protect the organization’s interests.
Example #2: Streamlined Annual Risk Assessment / Project Plan
Challenge
• The risk register had many detailed listings of potential risks, which was overwhelming to evaluate and didn’t consider strategic initiatives or other key team activities.
Disruptive Thought
• Stop doing risk assessments.
Innovative Thought
• Have no more than 20 risks to assess, where every single risk means something; auditable/reviewable strategic initiatives along with activities within mission critical teams are evaluated.
Outcome
• Streamlined annual risk assessment process where projects are focused on the true needs of the organization, with a nimbleness that allows resources to be reallocated as needed.
Example #2 Outcome: Managing Organizational Risks
(Slide 16 is an annual timeline diagram. Recoverable labels: timeline markers January, April, August, November; stages Env. Assessment; Primary Inputs & Prelim. Focus Areas; Prelim. Annual Plan & ERM; Final Focus Areas & Annual Plan; Final Annual Plan & ERM; IA/S&P Annual Plan; Strategy Annual Plan; Audit Committee Approval.)
Example #2 Outcome: Annual Plan Development
Flow: Focus Area Identification (Primary Inputs) → Risk Ranking (Primary Inputs) → IA/S&P Annual Plan
What are Focus Areas?
• Areas IA/S&P is targeting to support through assurance and consulting activities.
• Spend time evaluating if a primary input would be an auditable/reviewable area.
Example #2 Outcome: Annual Plan Development (continued)
Primary Inputs:
• Mission Critical Teams
• Meetings with Senior Leadership
• Annual Plan: Strategic Initiatives
• Approved IT Projects
• Knowledge of Environment
• ERM Risk Evaluation
• Recurring Projects & Internal Team Initiatives
Primary Inputs → Identify Focus Areas & Risk Rank → IA/S&P Annual Plan (initiated annually; updated quarterly).
Example #2 Outcome: Risk Assessment Methodology
Flow: Focus Area Identification (Primary Inputs) → Risk Ranking (Primary Inputs) → IA/S&P Annual Plan
Rating scale: 1 = Low, 3 = Moderate, 5 = High.

Risk Factor            Weight   Example rating
Reputation Impact      25%      5
Control Env.           15%      3
External Env.          20%      1
Mgt Concerns           10%      5
Strategic Impact       15%      5
Ops Impact             15%      3
Weighted Risk Score             3.6
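To make the arithmetic behind the Weighted Risk Score and the ranking that feeds the Top 10 list concrete, here is an added Python example; it is not from the slides or the AICPA team. The six factor names, their weights, the 1/3/5 scale and the 5, 3, 1, 5, 5, 3 row are taken from the slide; the other focus areas and their ratings are constructed for illustration. It goes slightly beyond the slide by validating the weights and ratings before scoring and by ranking several areas with a deterministic tie-break.

```python
"""Weighted risk scoring and focus-area ranking.

Added illustration of the slide's risk assessment methodology: each focus
area is rated 1/3/5 on six risk factors, each factor carries a weight, and
the weighted sum is the score used to rank focus areas for the annual plan.
Factor names and weights are from the slide; the sample focus areas below
are constructed for this example.
"""

# Risk factors and weights as shown on the slide (they sum to 100%).
WEIGHTS = {
    "Reputation Impact": 0.25,
    "Control Env.": 0.15,
    "External Env.": 0.20,
    "Mgt Concerns": 0.10,
    "Strategic Impact": 0.15,
    "Ops Impact": 0.15,
}

# Rating scale from the slide: 1 = Low, 3 = Moderate, 5 = High.
ALLOWED_RATINGS = {1, 3, 5}

# The worked example row from the slide; its weighted score is 3.6.
SLIDE_EXAMPLE = dict(zip(WEIGHTS, (5, 3, 1, 5, 5, 3)))

# Constructed sample focus areas (names and ratings are made up for this example).
SAMPLE_AREAS = {
    "Member data platform": dict(zip(WEIGHTS, (5, 5, 5, 5, 5, 5))),
    "Payment processing": dict(zip(WEIGHTS, (5, 3, 3, 5, 3, 3))),
    "Slide example": SLIDE_EXAMPLE,
    "Travel booking": dict(zip(WEIGHTS, (3, 3, 3, 3, 3, 3))),
    "Conference app": dict(zip(WEIGHTS, (5, 1, 1, 5, 5, 1))),
    "Internal wiki": dict(zip(WEIGHTS, (1, 1, 1, 1, 1, 1))),
}


def validate_weights(weights):
    """Reject a weight table that does not sum to 100%; a silent drift in the
    weights would skew every score in the register."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 100%, got {total:.0%}")


def weighted_risk_score(ratings, weights=WEIGHTS):
    """Return the weighted risk score, rounded to two decimals as on the slide.

    Every factor must be rated, unknown factors are rejected, and each rating
    must be on the 1/3/5 scale, so a typo such as 4 or 50 is caught here
    rather than quietly inflating the ranking.
    """
    validate_weights(weights)
    unknown = set(ratings) - set(weights)
    missing = set(weights) - set(ratings)
    if unknown or missing:
        raise ValueError(
            f"unknown factors {sorted(unknown)}, missing factors {sorted(missing)}"
        )
    bad = {factor: r for factor, r in ratings.items() if r not in ALLOWED_RATINGS}
    if bad:
        raise ValueError(f"ratings must be 1, 3 or 5: {bad}")
    return round(sum(weights[f] * ratings[f] for f in weights), 2)


def rank_focus_areas(areas, weights=WEIGHTS, top_n=10):
    """Score every focus area and return the top_n as (name, score) pairs,
    highest score first. Ties are broken alphabetically by name so the
    ranking is reproducible between quarterly updates."""
    scored = [(name, weighted_risk_score(r, weights)) for name, r in areas.items()]
    scored.sort(key=lambda pair: (-pair[1], pair[0]))
    return scored[:top_n]


if __name__ == "__main__":
    print(f"Slide example weighted risk score: {weighted_risk_score(SLIDE_EXAMPLE)}")
    for position, (name, score) in enumerate(rank_focus_areas(SAMPLE_AREAS), start=1):
        print(f"{position:>2}  {name:<22} {score:.2f}")
```

Rounding to two decimals before ranking matches what the slide displays, so two areas that show the same score are treated as a tie rather than being ordered by floating-point noise.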
Strategic Initiatives
Which could be reviewed by IA/S&P…
(Slide 20 lists eleven placeholder "Example" initiatives; a marker on the slide indicates where an IA/S&P project is planned.)
Mission Critical Teams
(Eleven placeholder "Example" teams.)
Note: Mission critical teams were risk ranked using specific criteria to determine their priority.
Example #2 Outcome: Top 10 Focus Areas
(An X marks whether the focus area came from a Strategic Initiative and/or a Team; for rows with a single X, which of the two columns it sat in is not recoverable from the slide.)

No  Strategic Initiative / Team  Focus Area          Weighted Risk Score  IA/S&P Plan
1   X                            Example Focus Area  4.65                 IA/S&P – Example Project
2   X                            Example Focus Area  4.45                 S&P – Example Project
3   X                            Example Focus Area  4.25                 S&P – Example Project
4   X                            Example Focus Area  4.20                 IA – Example Project
5   X                            Example Focus Area  4.20                 S&P – Example Project
6   X                            Example Focus Area  4.15                 IA – Example Project
7   X                            Example Focus Area  4.05                 S&P – Example Project
8   X X                          Example Focus Area  3.95                 IA – Example Project
9   X                            Example Focus Area  3.95                 IA – Example Project
10  X                            Example Focus Area  3.75                 IA – Example Project
Example #2 Outcome: Recurring Projects & Internal Team Initiatives
(Slide 22 is a diagram; recoverable labels: Roadmap, CICA/CIMA, Member Value, IIA Standards QAR, Compliance, Recruiting, COSO/FS Reporting, plus placeholder "Example" and "Example Area" boxes.)
Example #2 Outcome: IA/S&P Project Plan

Project                                              Status
To be approved by Audit Committee in August:
IA – Recruiting (Internal Team Initiative)           Not Started
IA – QAR (Internal Team Initiative)                  Not Started
IA – Example Project (Internal Team Initiative)      Not Started
IA – Example Project                                 Not Started
IA – Example Project                                 Not Started
IA – Example Project                                 Not Started
IA – Example Project                                 Not Started
IA – Example Project                                 Not Started
IA/S&P – Example Project                             Not Started
To be approved by S&P Committee in August:
S&P – Example Project                                Not Started
S&P – Example Project                                Not Started
S&P – Example Project                                Not Started
S&P – Example Project                                Not Started
S&P – Example Project (Internal Team Initiative)     Not Started
Recurring Projects:
S&P – Example Project Area                           Not Started
IA/S&P – Example Project Area                        Not Started
IA – External Audit Assistance                       Not Started
Example #3: Finding Process for Consulting Engagements
Challenge
• Within a consulting engagement for a multi-year software implementation IT project, feedback provided by IA/S&P either was not being addressed in a timely manner or was being forgotten among the many tasks.
Innovative Thought
• Use existing finding management processes to create a method that could be used during the IT project so that IA/S&P concerns are addressed in a timely manner and prior to go-live.
Outcome
• IA/S&P feedback is incorporated, and accountability for timelines and resolution is clear.
Example #3 Outcome
(Slide 25 is a process flow diagram; its labels, in the order they appear:)
• Preliminary Observation
• Confirm Issue: 2 weeks to resolve
• Finding: for unresolved high or moderate risk issues
• 1 week to respond with action plan/remediation date (past due if not received)
• Verbal Finding: for unresolved low risk issues (no follow-up/action plan)
• Summarize in quarterly report
• Monitoring Items: addressed with future activity; IA/S&P will monitor progress
Questions / Discussion