
Ralph Villanueva, SCCE Presentation 2016 (Sands format)

Slide 1 (Confidential)

Monday, October 10, 2016

The Venetian | The Palazzo | Sands Expo | Sands Bethlehem | Paiza | Sands Macao
The Venetian Macao | Four Seasons Hotel Macao | The Plaza Macao | Sands Cotai Central | Marina Bay Sands

INFORMATION SECURITY AND THE COMPLIANCE OFFICER

Ralph Villanueva CISA CISM CRMA CIA CFE ITIL

Presented for the 15th Annual Compliance and Ethics Institute
Sheraton Grand Chicago, September 25 to 28, 2016

Slide 2

OBJECTIVES

- Discuss the role of the compliance officer in an IT Department
- How to handle IT professionals at work
- How to get results from your IT professionals and enhance IT security

Slide 3

ABOUT THE SPEAKER

- IT Compliance Analyst for over 5 years and Internal Auditor, Accounting Manager and Financial Controller for over 20 years,
- Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certification in Risk Management and Assurance (CRMA), Certified Internal Auditor (CIA), Certified Fraud Examiner (CFE) and IT Infrastructure Library (ITIL),
- Has spoken about audit, fraud and compliance topics since 2010,
- Believes that effective information security depends on effective communication between compliance and IT professionals, and
- Believes that the compliance officer is the most important person in the C-suite.

Slide 4

WHY IS INFORMATION SECURITY IMPORTANT?

- Intellectual Property Theft
- Cyber Crime Threats
- Regulatory Penalties

Slide 5

INTELLECTUAL PROPERTY THEFT

“MIDWEST AGRICULTURE IS A PRIME TARGET FOR THEFT OF INTELLECTUAL PROPERTY AND CYBER ATTACKS”

Laurie Bedord, Successful Farming online magazine, April 5, 2016

Slide 6

CYBER CRIME THREATS

[Chart] Source: McAfee 2015 Cyber Security Study

Slide 7

[Image] Clip from March 2016 Verizon Data Breach

Slide 8

PENALTY FOR LACK OF INFORMATION SECURITY

[Chart] Source: 2016 Cost of Data Breach Study by Ponemon Institute and IBM

Slide 9

REGULATORY PENALTIES

“HOME HEALTH CARE PROVIDER HIT WITH $240,000 HIPAA PENALTY”

Tim Mulaney, Home Health Care News online magazine, February 3, 2016

Slide 10

Information Security is top of mind among fellow compliance professionals

“Even if they are technologically challenged, CCOs, senior managers and principals should become familiar with the security measures that can help to thwart a cyber attack.”
- Les Abromovitz, Put Compliance Chores on your To Do List, Compliance and Ethics Professional magazine, June 2016 issue

“Organizations need to treat each privacy incident as a potential breach.”
- Mahmood Sher-Jan, Data Mishaps: Everyday Events, Inevitable Incidents and Data Breach Disasters, Compliance and Ethics Professional magazine, September 2016 issue

Slide 11

Information Security is top of mind among fellow compliance professionals

“Companies seeking to strengthen data security should heed the findings of a recent survey showing workers have careless security habits and poor security training.”
- Survey: Data Security Risks Heightened by Bad Habits, Poor Training, Compliance and Ethics Professional magazine, July 2016 issue

“Once you have identified the information that should be protected, how do you protect it? It goes without saying that you have to have a policy.”
- Mary Ellen O’Neill: Every Company Needs a Comprehensive Confidential Data Protection Program, Compliance and Ethics Professional magazine, July 2016 issue

Slide 12

WHAT IS INFORMATION SECURITY?

“Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction”

From US Code, Title 44, Chapter 35, Subchapter III, Section 3542

Slide 13

THREE INFORMATION SECURITY CONSIDERATIONS

- Confidentiality
- Integrity
- Availability

Slide 14

SEVEN ROLES OF A COMPLIANCE OFFICER

- Designing, implementing, overseeing and monitoring the compliance program
- Reporting on a regular basis to the organization’s governing body, CEO and compliance committee
- Revising the compliance program periodically as appropriate
- Developing, coordinating and participating in a multifaceted educational and training program
- Assisting with internal compliance review and monitoring activities
- Assuring management has mechanisms in place to mitigate risks
- Assuring management takes corrective action to resolve the noncompliance problems identified

Source: Compliance 101, 2nd edition by Debbie Troklus and Sheryl Vacca

Slide 15

IT SECURITY AND COMPLIANCE

IT Security: confidentiality, integrity and availability of data
Compliance: policies, rules and regulations

Slide 16

INFORMATION SECURITY AND COMPLIANCE

Confidentiality, Integrity and Availability Model (from ISACA)

Requirement: Confidentiality - the protection of information from unauthorized disclosure
Impact and potential consequences: disclosure of information protected by privacy laws; loss of public confidence; loss of competitive advantage; legal action against company
Method of control: access controls; file permissions; encryption

Requirement: Integrity - the accuracy and completeness of information in accordance with business values and expectations
Impact and potential consequences: inaccuracy; erroneous decisions; fraud
Method of control: access controls; logging; digital signatures; hashes; encryption

Requirement: Availability - the ability to access information and resources required by the business process
Impact and potential consequences: loss of functionality and operational effectiveness; loss of productive time; interference with company objectives
Method of control: redundancy; back-ups; access controls
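The integrity row of the ISACA model lists logging, hashes and digital signatures as methods of control. The following Python is an added example, not part of the presentation or of ISACA's material, that shows the difference between these controls on a small audit log: an unkeyed hash proves only that a record matches its own digest, so someone who edits the record and recomputes the digest passes that check, whereas a keyed MAC chained across entries (used here as a stand-in for a digital signature, whose verification works the same way with a public key) catches an edited record, a deleted record and, when the last MAC is also kept out-of-band, a truncated log. The key, event records and function names are all constructed for this example.

```python
"""Tamper-evident log: unkeyed hashes versus a keyed, chained MAC (added example)."""
import copy
import hashlib
import hmac
import json

# Constructed demo key. In practice the verifier's key lives in a key store
# or HSM and is never hard-coded; a digital-signature key plays the same role.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS_MAC = "0" * 64  # chain anchor used as the "previous MAC" of the first record


def entry_digest(entry):
    """SHA-256 over a canonical JSON encoding of one log entry (unkeyed hash)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def chain_mac(key, prev_mac, digest):
    """Keyed MAC that binds this record's digest to the previous record's MAC."""
    return hmac.new(key, (prev_mac + digest).encode(), hashlib.sha256).hexdigest()


def append_entry(log, entry, key):
    """Append an entry together with its digest and chained MAC."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    digest = entry_digest(entry)
    log.append({"entry": entry, "digest": digest, "mac": chain_mac(key, prev_mac, digest)})
    return log


def verify_log(log, key):
    """Return (True, -1) if every record verifies, else (False, index of the first bad record)."""
    prev_mac = GENESIS_MAC
    for i, rec in enumerate(log):
        if entry_digest(rec["entry"]) != rec["digest"]:
            return False, i          # content no longer matches its stored hash
        expected = chain_mac(key, prev_mac, rec["digest"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i          # hash recomputed without the key, or chain broken
        prev_mac = rec["mac"]
    return True, -1


def verify_with_head(log, key, head_mac):
    """Chain check plus a comparison of the last MAC with a copy stored out-of-band.

    Without the out-of-band head, simply dropping the newest records goes unnoticed.
    """
    ok, _ = verify_log(log, key)
    return ok and bool(log) and hmac.compare_digest(log[-1]["mac"], head_mac)


def tampered_copy(log, index, new_entry):
    """Model an after-the-fact edit by someone who can recompute the hash but holds no key."""
    edited = copy.deepcopy(log)
    edited[index]["entry"] = new_entry
    edited[index]["digest"] = entry_digest(new_entry)   # digest check will still pass
    return edited


def build_sample_log(key=SAMPLE_KEY):
    """Three constructed payroll-control events, appended in order."""
    events = [
        {"seq": 1, "user": "alice", "action": "payroll.run", "period": "2016-09"},
        {"seq": 2, "user": "bob", "action": "payroll.approve", "period": "2016-09"},
        {"seq": 3, "user": "carol", "action": "payroll.export", "period": "2016-09"},
    ]
    log = []
    for event in events:
        append_entry(log, event, key)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["mac"]                       # stored separately by the verifier
    print("intact log:", verify_log(log, SAMPLE_KEY))
    edited = tampered_copy(log, 1, {"seq": 2, "user": "bob", "action": "payroll.approve", "period": "2016-10"})
    print("edited record, digest recomputed:", verify_log(edited, SAMPLE_KEY))
    print("middle record deleted:", verify_log([log[0], log[2]], SAMPLE_KEY))
    print("newest record dropped, chain only:", verify_log(log[:2], SAMPLE_KEY))
    print("newest record dropped, with head:", verify_with_head(log[:2], SAMPLE_KEY, head))
```

Running the block shows the intact log passing, the edited record failing at index 1 even though its recomputed digest is consistent, the deletion failing at index 1 because the chain no longer links, and the truncated log passing the chain check alone but failing once the out-of-band head MAC is consulted. That last case is why a log's integrity control needs both the per-record check and a separately protected record of the latest state.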

Slide 17

INFORMATION SECURITY AND COMPLIANCE

Examples of what compliance officers can do to enhance IS

- Ask about compliance with the IS aspects of regulations applicable to their industry (e.g. PCI, HIPAA, Basel II, etc.)
- Look into the information security portion of compliance programs
- Gauge the degree of management involvement in information security
- Discuss with peers the current issues about information security and compliance
- Talk to the IT Department about processes and technologies geared towards information security

Slide 18

WHEN IT COMES TO ENFORCING IT COMPLIANCE POLICY ... SITUATIONS ARE

Slide 19

“I DON’T CARE” SITUATION

Slide 20

“WHAT TOOK YOU SO LONG” SITUATION

Slide 21

“SPEAKING IN CODES” SITUATION

Slide 22

THREE PROBLEMS WITH INFORMATION SECURITY COMPLIANCE

- Communication with IT professionals
- Management culture
- Budget

Slide 23

COMMUNICATION WITH IT PROFESSIONALS

Does your IT Dept communicate this way?
(clip from The IT Crowd)

Slide 24

COMMUNICATION WITH IT PROFESSIONALS

First, recognize the problem.

“The communication gap between IT and the business community is a contributing factor in the underestimation and lack of appreciation of each other.” Robert Putrus, CISM and IT Professional (A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments, ISACA Journal, Volume 2, 2016)

Slide 25

COMMUNICATION WITH IT PROFESSIONALS

COMMUNICATION AND TECHNICAL KNOWLEDGE ARE IMPORTANT

“The communication gap between IT and the business community is a contributing factor in the underestimation and lack of appreciation of each other.” Robert Putrus, CISM and IT Professional (A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments, ISACA Journal, Volume 2, 2016)

Slide 26

COMMUNICATION WITH IT PROFESSIONALS

SECOND STEP: SIZE UP THE SITUATION

A typical day in the IT Department

- User provisioning
- Reset user names and passwords
- Configure PCs, servers and other hardware
- Load back-up media (tape, disc, etc.)
- Update applications to the latest version
- Test network connectivity
- Open and close ports
- Troubleshoot user issues

Slide 27

COMMUNICATION WITH IT PROFESSIONALS

SECOND STEP: SIZE UP THE SITUATION

A typical day for the rest of us

- Go over the latest pronouncements from the Treasury Department
- See if the new procedure for hiring employees includes a signed agreement to use computer and information resources for lawful and company purposes only
- Review the legality of a merger with a competitor
- Go over the latest OSHA report on workplace safety compliance
- Meet with various departments and try to fit their work into the compliance framework

Slide 28

COMMUNICATION WITH IT PROFESSIONALS

REASONS WHY SMART PEOPLE HAVE DIFFICULTY COMMUNICATING IN LAYMAN’S TERMS:

1. They were taught how to communicate to peers, not to broader audiences
2. They live in a bubble
3. They’re too busy
4. They’re driven by ego

From the book “Supercommunicator: Explaining The Complicated So Anyone Can Understand” by Frank Pietrucha, published in 2014

Slide 29

COMMUNICATION WITH IT PROFESSIONALS

[Chart] From “State of Cybersecurity: An ISACA Perspective” by Ron Hale PhD, CISM, March 8, 2016

Slide 30

COMMUNICATION WITH IT PROFESSIONALS

THIRD STEP: COMMUNICATE

HOW TO BRIDGE THE GAP BETWEEN IT AND NON-IT

1. Learn to communicate to a broader audience
2. Look beyond your specialty
3. Find time to simplify
4. Seek to be understood

Slide 31

COMMUNICATION WITH IT PROFESSIONALS

THIRD STEP: COMMUNICATE

Plus

- Read up on IT terminology and concepts, and
- Get out of your offices and initiate face-to-face communication with the IT Dept employees

Slide 32

COMMUNICATION WITH IT PROFESSIONALS

[Image]

Slide 33

MANAGEMENT CULTURE

(Clip from Office Space)

Slide 34

MANAGEMENT CULTURE

Company culture

Does your company allow open collaboration across departments? Can compliance officers easily access IT personnel?

Slide 35

MANAGEMENT CULTURE

Organizational structure

Is there too much bureaucracy? Should compliance officers get 10 approvals before they get the reports they need?

Slide 36

MANAGEMENT CULTURE

Training

Are IT personnel trained to generate the results you need? Are employees from other departments conversant with IT terminology?

Slide 37

MANAGEMENT CULTURE

Personality

Are IT people trained to value co-workers as internal customers? Are compliance professionals coached in dealing with difficult IT personnel?

Slide 38

MANAGEMENT CULTURE

Planning

Did you ask IT for the right time to observe payroll controls? Is IT informed ahead of time of the compliance requirements they need to generate?

Slide 39

MANAGEMENT CULTURE

Timing

Are you asking for reports while the IT Department is responding to a cyber attack? Does compliance synchronize its schedule with IT?

Slide 40

MANAGEMENT CULTURE

People Skills

“People skills are the various attributes and competencies that allow one to play well with others.” Communications coach and author David Parnell, from “The 20 People Skills You Need To Succeed At Work”, Forbes magazine, November 15, 2013

Slide 41

BUDGET

Slide 42

BUDGET

Funding

Does the company have enough funds to upgrade hardware and software? Is CAPEX for compliance reporting and compliance requirements included in annual planning?

Slide 43

BUDGET

Technology

Do your IT people have all the tools they need to meet your needs? Is compliance provided the necessary tools to generate reports from the IT system?

Slide 44

BUDGET

Manpower

Does IT have enough people for your compliance requirements or recommendations? Will the additional IT FTE justify the cost of increased compliance?

Slide 45

SUMMARY

CIA – Confidentiality, Integrity and Availability
CMB – Communication, Management and Budget

Slide 46

FINAL THOUGHTS

Sense of Humor

“A sense of humor is part of the art of leadership, of getting along with people, of getting things done.” US President Dwight Eisenhower

Slide 47

FINAL THOUGHTS

WHEN IT AND COMPLIANCE ARE IN SYNC