Raleigh ISSA Chapter April Meeting: Managing a Security & Privacy Governance Function (04.03.14)

  • Published on
    21-Oct-2014

DESCRIPTION

Audrey Foster presented at the April 2014 Raleigh ISSA Chapter meeting

Transcript

Slide 1: Title
Managing a Security & Privacy Governance Function
April 3, 2014
Audrey Foster, CPA, CISA, CGMA, CITP
Director of AICPA Internal Audit, Risk & Compliance
American Institute of CPAs

Slide 2: Overview
Definition of Governance:
  • the action or manner of governing.
Definition of Govern:
  • conduct the policy, actions, and affairs of (a state, organization, or people).
  • control, influence, or regulate (a person, action, or course of events).
  • conduct oneself, esp. with regard to controlling one's emotions.
  • serve to decide (a legal case).
Session Goals:
  • Importance of Security & Privacy Governance
  • Setup of Governance within a Security & Privacy Function
  • Examples of Governance within a Security & Privacy Function

Slide 3: Security & Privacy (S&P) Defined
  • Security: Protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
  • Privacy: Understanding the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
Understanding of group:
  • Who works in just security?
  • Who works in just privacy?
  • Who works in both?
  • Who works in audit?
  • Who reports through IT?
  • Who reports outside IT?

Slide 4: Importance of Governance
(Figure; the only surviving label is "and risk-based intent".)

Slide 5: Importance of Governance
(Figure; the only surviving label is "S&P".)

Slide 6: Setup of Governance
Establish clear S&P organizational structure.
  • Reporting lines provide an organization-wide perspective and authority.
Example (reporting-structure figure; labels only): CEO, COO, Audit & S&P Committees; Internal Audit, Risk & Compliance Team; Internal Audit; Security & Privacy; Exams Compliance.

Slide 7: Setup of Governance
Define S&P goals and follow them!
  • Ensure they are balanced with a risk-based approach where your organization wants you to be at the table.
  • Actions speak louder than words, walk the talk, etc.!
Examples:
  • Strengthen processes and procedures
  • Ensure sustainable change
  • Monitor environment
  • Continuous assessment of risk
  • Allow business opportunity
    - Don't be a "no" team!
    - Control beneficial risks

Slide 8: Setup of Governance
Define the S&P mission and communicate it!
Example:
  • Provide leadership in the development, delivery, maintenance, and monitoring of the Institute's information security, risk management and privacy programs.
  • Provide strategic assistance in the safeguarding of information assets and the supporting infrastructure against unauthorized use, disclosure, modification, damage or loss.

Slide 9: Setup of Governance
Define S&P areas and scope of work.
Example breakdown of key areas of work:
  • Project Consulting
    - S&P performs independent reviews and consulting engagements to improve the organization's operating and internal control environment around privacy and information security.
  • Program Development
    - S&P develops frameworks, and distributes privacy and information security focused policies and procedures and practice aids, enabling the Institute to effectively and efficiently navigate privacy laws and information security risks.

Slide 10: Setup of Governance
  • Compliance Monitoring
    - S&P identifies areas for improvement or deficiencies through compliance audits, process reviews, risk assessments, vulnerability assessments, and security awareness training; and leads efforts to improve and/or establish risk-mitigating processes and systems to make operations within the Institute more effective and efficient.
  • Incidents & Inquiries
    - S&P facilitates the response plan and triage activities for information security incidents & inquiries, following through to successful closure while also identifying efforts to improve and/or establish processes and systems geared toward reducing the risk of subsequent occurrences. Additionally, S&P functions as a vendor and contract reviewer/approver for services where Institute/member data is shared with a third party, or that include changes to our information security architecture.

Slide 11: Setup of Governance
Establish policy, but...
  • Create value-add policies that truly mean something and that you are willing to devote staff hours to monitor compliance with.
  • Higher likelihood that users within your organization will be aware of and following S&P policies.
Speak the executive voice.
  • Know your audience (concept versus detail based).
  • Summarize what is really important with enough substance for them to understand key concepts.
  • Know when they need to be decision makers and give a pro/con analysis with a recommendation.

Slide 12: Examples of Governance
  • S&P Function Reporting Structure: Example #1 in the following slides.
  • Streamlined Annual Risk Assessment / Project Plan: Example #2 in the following slides.
  • Finding Process for Consulting Engagements: Example #3 in the following slides.

Slide 13: Example #1: S&P Function Reporting Structure
Challenge
  • The security function within the organization was not providing the oversight and governance needed to meet the current business environment nor strategic initiatives, including privacy considerations.
Innovative Thought
  • Create a Security & Privacy (S&P) function which reports up through Internal Audit (IA), which already has a reporting structure within the organization that allows independent thought, along with established processes to plan projects, so that S&P can step into the needed oversight and governance role.
Slide 14: Example #1 Outcome: S&P Function Reporting Structure
Outcome
  • The creation of an S&P Committee made up of senior leadership which guides the actions of the S&P function and allows IA to be independent, along with some additional external audits.
  • A reporting structure which provides an organization-wide ability to establish and execute the projects, policies and oversight needed to address the key S&P risks within the organization.
  • A holistic team that can work with management and various governance committees and boards to understand and respond to the full breadth of organizational risks, strategic initiatives, and compliance requirements, ensuring adequate measures are in place to protect the organization's interests.

Slide 15: Example #2: Streamlined Annual Risk Assessment / Project Plan
Challenge
  • The risk register had many detailed listings of potential risks, which was overwhelming to evaluate and didn't consider strategic initiatives or other key team activities.
Disruptive Thought
  • Stop doing risk assessments.
Innovative Thought
  • Have no more than 20 risks to assess, where every single risk means something; auditable/reviewable strategic initiatives along with activities within mission-critical teams are evaluated.
Outcome
  • Streamlined annual risk assessment process where projects are focused on the true needs of the organization, with a nimbleness that allows resources to be reallocated as needed.

Slide 16: Example #2 Outcome: Managing Organizational Risks
(Timeline figure; labels only.) Months: November, January, April, August. Stages: Env. Assessment; Primary Inputs & Prelim. Focus Areas; Prelim. Annual Plan & ERM; Final Focus Areas & Annual Plan; Final Annual Plan & ERM; Audit Committee Approval. Tracks: IA/S&P Annual Plan; Strategy Annual Plan.

Slide 17: Example #2 Outcome: Annual Plan Development
(Flow figure) Focus Area Identification (Primary Inputs) -> Risk Ranking (Primary Inputs) -> IA/S&P Annual Plan
What are Focus Areas?
  • Areas IA/S&P is targeting to support through assurance and consulting activities.
  • Spend time evaluating if a primary input would be an auditable/reviewable area.

Slide 18: Example #2 Outcome: Annual Plan Development
(Diagram) Primary Inputs: Mission Critical Teams; Meetings with Senior Leadership; Annual Plan: Strategic Initiatives; Approved IT Projects; Knowledge of Environment; ERM Risk Evaluation; Recurring Projects & Internal Team Initiatives. These feed Identify Focus Areas & Risk Rank, which feeds the IA/S&P Annual Plan. Initiated annually; updated quarterly.

Slide 19: Example #2 Outcome: Risk Assessment Methodology
(Flow figure) Focus Area Identification (Primary Inputs) -> Risk Ranking (Primary Inputs) -> IA/S&P Annual Plan
Each focus area is rated on six risk factors (1 = Low, 3 = Moderate, 5 = High); the weighted risk score is the weighted sum of the ratings.

  Risk Factor          Weight   Example rating
  Reputation Impact      25%          5
  Control Env.           15%          3
  External Env.          20%          1
  Mgt Concerns           10%          5
  Strategic Impact       15%          5
  Ops Impact             15%          3
  Weighted Risk Score                 3.6

Slide 20: Strategic Initiatives which could be reviewed by IA/S&P
(Figure with placeholder "Example" entries.) Strategic Initiatives: a list of example entries; a marker indicates an IA/S&P project is planned. Mission Critical Teams: a list of example entries.
Note: Mission critical teams were risk ranked using specific criteria to determine their priority.

Slide 21: Example #2 Outcome: Top 10 Focus Areas

  No  Strategic Initiative / Team  Focus Area          Weighted Risk Score  IA/S&P Plan
   1  X                            Example Focus Area  4.65                 IA/S&P Example Project
   2  X                            Example Focus Area  4.45                 S&P Example Project
   3  X                            Example Focus Area  4.25                 S&P Example Project
   4  X                            Example Focus Area  4.20                 IA Example Project
   5  X                            Example Focus Area  4.20                 S&P Example Project
   6  X                            Example Focus Area  4.15                 IA Example Project
   7  X                            Example Focus Area  4.05                 S&P Example Project
   8  X X                          Example Focus Area  3.95                 IA Example Project
   9  X                            Example Focus Area  3.95                 IA Example Project
  10  X                            Example Focus Area  3.75                 IA Example Project

Slide 22: Example #2 Outcome: Recurring Projects & Internal Team Initiatives
(Figure with placeholder "Example" entries; labels only.) Roadmap; CICA/CIMA; Member Value; IIA Standards QAR; Compliance; Recruiting; COSO/FS Reporting; Example Area.

Slide 23: Example #2 Outcome: IA/S&P Project Plan

  Project                                                  Status
  To be approved by Audit Committee in August:
    IA Recruiting (Internal Team Initiative)               Not Started
    IA QAR (Internal Team Initiative)                      Not Started
    IA Example Project (Internal Team Initiative)          Not Started
    IA Example Project                                     Not Started
    IA Example Project                                     Not Started
    IA Example Project                                     Not Started
    IA Example Project                                     Not Started
    IA Example Project                                     Not Started
    IA/S&P Example Project                                 Not Started
  To be approved by S&P Committee in August:
    S&P Example Project                                    Not Started
    S&P Example Project                                    Not Started
    S&P Example Project                                    Not Started
    S&P Example Project                                    Not Started
    S&P Example Project (Internal Team Initiative)         Not Started
  Recurring Projects:
    S&P Example Project Area                               Not Started
    IA/S&P Example Project Area                            Not Started
    IA External Audit Assistance                           Not Started

Slide 24: Example #3: Finding Process for Consulting Engagements
Challenge
  • Within a consulting engagement for a multi-year software implementation IT project, feedback provided by IA/S&P either was not being addressed in a timely manner or was being forgotten among the many tasks.
Innovative Thought
  • Use existing finding management processes to create a method that could be used during the IT project so that IA/S&P concerns are addressed in a timely manner and prior to go-live.
Outcome
  • IA/S&P feedback is incorporated and accountability for timelines and resolution is clear.

Slide 25: Example #3 Outcome
(Flow figure) Preliminary Observation -> Confirm Issue (2 weeks to resolve) -> one of:
  • Finding, for unresolved high or moderate risk issues: 1 week to respond with action plan / remediation date (past due if not received); summarized in the quarterly report.
  • Verbal Finding, for unresolved low risk issues: no follow-up / action plan.
  • Monitoring Items, addressed with future activity: IA/S&P will monitor progress.

Slide 26: Questions / Discussion
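Worked example for the Example #2 risk assessment methodology (the six weighted factors, the 1/3/5 rating scale, and the top-10 ranking of focus areas). This is an added illustration, not code from the presenter or the AICPA. The factor names and weights are the ones on the methodology slide; the 20-risk cap is from the "no more than 20 risks" slide; the focus-area names, their ratings (other than the slide's own 5/3/1/5/5/3 row) and the `source` labels are constructed sample data.

```python
"""Weighted risk scoring and top-N focus-area ranking (added example)."""
from dataclasses import dataclass

# Factor names and weights as shown on the methodology slide; weights sum to 100%.
WEIGHTS = {
    "reputation_impact": 0.25,
    "control_env": 0.15,
    "external_env": 0.20,
    "mgt_concerns": 0.10,
    "strategic_impact": 0.15,
    "ops_impact": 0.15,
}
ALLOWED_RATINGS = (1, 3, 5)   # 1 = Low, 3 = Moderate, 5 = High
MAX_RISKS = 20                # "no more than 20 risks to assess"


@dataclass
class FocusArea:
    name: str
    source: str     # constructed label: "strategic_initiative" or "team"
    ratings: dict   # factor name -> rating in ALLOWED_RATINGS


def weighted_score(ratings: dict) -> float:
    """Return the weighted risk score (sum of weight * rating), rounded to 2 places.

    A missing factor, an unknown factor or a rating outside 1/3/5 raises
    ValueError, so a malformed register entry fails loudly instead of
    quietly scoring low and dropping out of the top 10.
    """
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    for factor, value in ratings.items():
        if factor not in WEIGHTS:
            raise ValueError(f"unknown factor: {factor}")
        if value not in ALLOWED_RATINGS:
            raise ValueError(f"{factor}: rating {value} not in {ALLOWED_RATINGS}")
    return round(sum(WEIGHTS[f] * ratings[f] for f in WEIGHTS), 2)


def rank_focus_areas(areas, top_n=10):
    """Score every focus area and return the top_n as (rank, area, score) tuples.

    Ties are broken by name so the ranking is stable from run to run, and the
    register is rejected outright if it exceeds the 20-risk cap.
    """
    if len(areas) > MAX_RISKS:
        raise ValueError(f"{len(areas)} risks exceeds the {MAX_RISKS}-risk cap")
    scored = [(area, weighted_score(area.ratings)) for area in areas]
    scored.sort(key=lambda pair: (-pair[1], pair[0].name))
    return [(i + 1, area, score) for i, (area, score) in enumerate(scored[:top_n])]


# The rating row shown on the slide (5, 3, 1, 5, 5, 3), which scores 3.6.
SLIDE_EXAMPLE = {"reputation_impact": 5, "control_env": 3, "external_env": 1,
                 "mgt_concerns": 5, "strategic_impact": 5, "ops_impact": 3}

# Constructed sample register; names and the other two rating rows are invented.
SAMPLE_REGISTER = [
    FocusArea("Vendor data sharing", "team", SLIDE_EXAMPLE),
    FocusArea("ERP go-live", "strategic_initiative",
              {"reputation_impact": 5, "control_env": 5, "external_env": 3,
               "mgt_concerns": 5, "strategic_impact": 5, "ops_impact": 5}),
    FocusArea("Awareness training", "team",
              {"reputation_impact": 1, "control_env": 3, "external_env": 1,
               "mgt_concerns": 1, "strategic_impact": 1, "ops_impact": 3}),
]

if __name__ == "__main__":
    for rank, area, score in rank_focus_areas(SAMPLE_REGISTER):
        print(f"{rank:>2}  {score:4.2f}  {area.name} ({area.source})")
```

Keeping the weights in one table and validating ratings before scoring is what makes the ranking reviewable: an auditor can recompute any row by hand, and an entry that does not fit the scale is rejected rather than silently ranked.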
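Worked example for the Example #3 finding process, written as a status tracker so the timelines on the flow slide become checkable states. This is an added illustration, not code from the presenter or the AICPA. The rules encoded are the ones on the slide: a confirmed issue gets 2 weeks to resolve; an unresolved high or moderate risk issue becomes a Finding with 1 week to respond with an action plan / remediation date, past due if none is received; an unresolved low risk issue becomes a verbal finding with no follow-up; items addressed with future activity are monitoring items. The issue names, dates and risk levels are constructed sample data.

```python
"""Finding-process status tracker for consulting engagements (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESOLVE_WINDOW = timedelta(weeks=2)    # "2 weeks to resolve" after confirming the issue
RESPONSE_WINDOW = timedelta(weeks=1)   # "1 week to respond with action plan / remediation date"
RISK_LEVELS = ("high", "moderate", "low")


@dataclass
class Issue:
    name: str
    risk: str                               # one of RISK_LEVELS
    confirmed_on: date                      # date IA/S&P confirmed the issue
    resolved_on: Optional[date] = None      # date management resolved it, if any
    action_plan_on: Optional[date] = None   # date an action plan / remediation date was received
    future_activity: bool = False           # addressed with planned future activity


def classify(issue: Issue, today: date) -> str:
    """Return the issue's process state as of `today`."""
    if issue.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {issue.risk}")
    if issue.resolved_on is not None and issue.resolved_on <= today:
        return "resolved"
    if issue.future_activity:
        return "monitoring item"            # IA/S&P will monitor progress
    resolve_by = issue.confirmed_on + RESOLVE_WINDOW
    if today <= resolve_by:
        return "confirmed issue"            # still inside the 2-week resolution window
    if issue.risk == "low":
        return "verbal finding"             # no follow-up / action plan required
    # High or moderate risk: a formal Finding with a one-week response window.
    respond_by = resolve_by + RESPONSE_WINDOW
    if issue.action_plan_on is not None and issue.action_plan_on <= respond_by:
        return "finding (action plan received)"
    if today <= respond_by:
        return "finding (awaiting action plan)"
    return "finding (past due)"


def quarterly_summary(issues, today: date) -> dict:
    """Count issues per state; the figures that feed the quarterly report."""
    summary = {}
    for issue in issues:
        state = classify(issue, today)
        summary[state] = summary.get(state, 0) + 1
    return summary


# Constructed sample issues; all dates and names are invented.
SAMPLE_ISSUES = [
    Issue("Missing approval step", "high", date(2014, 4, 1)),
    Issue("Weak password policy", "moderate", date(2014, 4, 1),
          action_plan_on=date(2014, 4, 18)),
    Issue("Stale documentation", "low", date(2014, 4, 1)),
    Issue("Logging gap", "high", date(2014, 4, 1), resolved_on=date(2014, 4, 10)),
    Issue("Role cleanup", "moderate", date(2014, 4, 1), future_activity=True),
    Issue("Naming convention", "low", date(2014, 4, 20)),
]

if __name__ == "__main__":
    as_of = date(2014, 4, 30)
    for issue in SAMPLE_ISSUES:
        print(f"{issue.name:<22} {classify(issue, as_of)}")
    print(quarterly_summary(SAMPLE_ISSUES, as_of))
```

Deriving the state from dates rather than storing it by hand is the point: "past due" cannot be forgotten among the project's other tasks, because it appears automatically once the response window has passed without an action plan.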