<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://community.ca.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security Management : Regulations</title><link>http://community.ca.com/blogs/iam/archive/tags/Regulations/default.aspx</link><description>Tags: Regulations</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>Policy Lifecycle:  GRC and Security Controls</title><link>http://community.ca.com/blogs/iam/archive/2010/01/12/policy-lifecycle-grc-and-security-controls.aspx</link><pubDate>Tue, 12 Jan 2010 14:30:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:4195</guid><dc:creator>CA Community</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2010/01/12/policy-lifecycle-grc-and-security-controls.aspx#comments</comments><description>&lt;p&gt;In my numerous discussions with clients, I tend to find a recurring theme of organizations attempting to bridge the gap between business policies tied to regulations and security controls through a process called “The Policy Lifecycle.”&lt;/p&gt;
&lt;p&gt;The origin of this lifecycle starts with any number of groups that include compliance, legal, and security, who are responsible for reviewing a myriad of both state and federal regulations on a quarterly basis.&amp;nbsp;&amp;nbsp; I’ll use security in this example.&amp;nbsp; After extensive review, the Chief Security Officer (CSO) must determine what regulations apply to the security organization, and then work with other teams to institute policies in order to ensure regulatory compliance.&amp;nbsp; The policies typically require review and approvals prior to employee distribution.&amp;nbsp; If the policy is focused on data privacy issues, such as credit card and/or personal/confidential information, any employee who processes or handles this type of information must review and attest to the policy guidelines in order to be compliant with regulations such as PCI.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Furthermore, controls must be put in place to ensure the policy is being adhered to within the organization.&amp;nbsp; We know that history shows the damage resulting from public leaks of highly sensitive client information.&amp;nbsp; Typically, these leaks occur because there is a lack of effective controls in place.&amp;nbsp; For example, there must be controls that ensure that the assignment of privileges is based upon each individual’s job function and overall responsibilities.&amp;nbsp;&amp;nbsp; Why is this important?&amp;nbsp;&amp;nbsp; When dealing with highly sensitive credit card information, it is imperative that the right people have access to the right information based upon their role in the organization.&amp;nbsp; And more importantly, nobody should have access to information that they don’t absolutely need in order to perform their job function.&amp;nbsp; This principle covers not only whether someone may access the information, but also how much of it they may see.&amp;nbsp; Specifically, many workers need to validate a customer by their Social Security Number (typically, the last four digits), but very few need access to the whole SSN.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Once the controls have been put in place, the CSO (and the IT Security organization) need to validate that they are working effectively.&amp;nbsp;&amp;nbsp; This typically involves an arduous manual process of checking with management to ensure that only appropriate employees have privileged access to confidential information – and only access to the necessary level of information as well.&amp;nbsp; Because this is a manual process, the risk of human error looms in the background.&amp;nbsp; It is highly possible that the wrong employees could obtain access to this sensitive and protected information, which could prove disastrous for the organization.&amp;nbsp; If any violations do occur, they must be documented, assigned for remediation, and resolved quickly.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;For some policies, a process of self-attestation is required, in which each affected employee is required to attest to the fact that they understand the policy and have complied with it.&amp;nbsp; This process can be streamlined through automated questionnaires or surveys.&lt;/p&gt;
&lt;p&gt;Lastly, the CSO performs a regular review of the company’s “state of compliancy” as it relates to very important regulations – such as SOX, PCI, or HIPAA.&amp;nbsp; They must produce a report that details their key regulations, the policies in place to meet the regulations, and the state of their supporting controls. The policy lifecycle process is typically performed manually in most organizations, which leads to inefficiencies, inaccuracies, and out-of-date information.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;So, how can a GRC solution help an organization manage the policy lifecycle process?&amp;nbsp; &lt;/p&gt;
&lt;p&gt;The review, approval and attestation processes can be automated in GRC solutions through streamlined workflow processes.&amp;nbsp; A policy dashboard displays the results of who has, or has not, attested to compliance with the policy.&lt;/p&gt;
&lt;p&gt;A GRC solution can also help streamline the process of validating that the controls are operating correctly.&amp;nbsp; Each control is typically documented in the GRC system, so the current state of its testing is always known.&amp;nbsp; And, in many cases, through the actual testing of the control, it is possible to automate the process of validating that each user has only the appropriate access entitlements based on his/her role.&amp;nbsp;&amp;nbsp; This process checks security policies against existing user entitlements, and automatically flags any violations of these policies to business managers.&amp;nbsp; If violations do occur, action can be taken immediately through the remediation process.&amp;nbsp;&amp;nbsp; The remediation process ensures the issues are captured and the appropriate person(s) are assigned to resolve the issues in a timely manner, helping to minimize any potential risks to the organization.&lt;/p&gt;
&lt;p&gt;The control violation results are integrated back into the GRC system and are represented in an audit card.&amp;nbsp; The audit card displays the control effectiveness results in a graph.&amp;nbsp; The audit card history also serves as evidence for the examiners during a PCI audit.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;In addition, by using a compliance dashboard, the CSO can gain a better understanding of the company’s overall policy lifecycle process.&amp;nbsp; The dashboard displays key regulations, the state of the policies and controls in place to support the regulations, and remediation plans to resolve outstanding issues, all in a centralized, easy-to-read view.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Rather than relying on quickly out-of-date and error-prone spreadsheets, using a centralized GRC solution helps to provide efficient, accurate, and up-to-date reporting of the state of compliance, streamlining the policy lifecycle process for the organization.&lt;/p&gt;
&lt;p&gt;During my customer visits I typically find that organizations are struggling with how to implement effective security policies.&amp;nbsp;&amp;nbsp; Some companies have committees that create the policies, while in others the policies are developed by one or two individuals.&amp;nbsp; The challenge is to update, distribute and adhere to the policies by establishing good controls.&amp;nbsp; This is where an effective approach coupled with a good GRC solution can solve this challenge.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://community.ca.com/aggbug.aspx?PostID=4195" width="1" height="1"&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/Compliance/default.aspx">Compliance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Joann+Kenny/default.aspx">Joann Kenny</category><category domain="http://community.ca.com/blogs/iam/archive/tags/policies/default.aspx">policies</category><category domain="http://community.ca.com/blogs/iam/archive/tags/policy+lifecycle/default.aspx">policy lifecycle</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Regulations/default.aspx">Regulations</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Security/default.aspx">Security</category></item><item><title>Sarbanes-Oxley – Unconstitutional?</title><link>http://community.ca.com/blogs/iam/archive/2009/12/29/sarbanes-oxley-unconstitutional.aspx</link><pubDate>Tue, 29 Dec 2009 15:15:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:4126</guid><dc:creator>CA Community</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2009/12/29/sarbanes-oxley-unconstitutional.aspx#comments</comments><description>&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;As previewed by &lt;a class="" href="http://community.ca.com/blogs/grc/archive/2009/11/30/the-battle-against-sox-continues.aspx" target="_blank"&gt;Sumner Blount in his November 30&lt;sup&gt;th&lt;/sup&gt; blog post&lt;/a&gt;, the Supreme Court on December 7&lt;sup&gt;th&lt;/sup&gt; heard opening arguments challenging the constitutionality of the 2002 Sarbanes-Oxley Act, which came out of the scandalous collapses of Enron, WorldCom, Tyco and other companies early this decade. 
At issue in the lawsuit, filed by the Free Enterprise Fund and a Nevada accounting firm, is the Sarbanes-Oxley law&amp;#39;s creation of an independent board to police auditors of publicly held companies.&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;“If you combine the ability to make laws and enforce the law, that’s what King George did – and that is the ultimate definition of tyranny,” said Lawyer Michael Carvin in an associated NPR interview. Their story and an audio recording can be found &lt;a class="" href="http://www.npr.org/templates/story/story.php?storyId=121146830&amp;amp;ft=1&amp;amp;f=1003" target="_blank"&gt;here&lt;/a&gt;&lt;/font&gt;&lt;font face="Verdana"&gt;.&lt;br /&gt;&lt;br /&gt;In case you missed Sumner’s previous post, the crux of the matter, as reported by the Courier, is: &lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;blockquote&gt;
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;“The plaintiffs argue the Public Company Accounting Oversight Board violates the Constitution because it is not accountable to the president. The president lacks power to review the board&amp;#39;s work or influence its finances, the plaintiffs said. Board members are appointed by the Securities and Exchange Commission, which cannot remove board members for anything other than willful violations, the plaintiffs have said. They also have argued the arrangement violates the constitutional guarantee of a separation of powers because Congress has at least as much control over the accounting board, if not more, than the White House. The Securities and Exchange Commission and the accounting oversight board are both subject to congressional oversight.”&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Much has been made of this law since It was enacted and its subsequent consequences, with many as a result calling it the ‘new employment act for auditors’ – but now that the requirements of the act are so ingrained in so many large, publicly traded companies, is it here to stay? Certainly there are those that have protested its very existence from its initial enactment – a quick Google search brings a myriad of articles on the subsequent mass privatization of companies and the exodus of companies to stock exchanges and trading boards in countries with far less stringent reporting requirements – but is the anti-SOX wave now reaching tsunami like proportions?&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Many point to recent ‘smaller wins’ such as that voted on by the house in November, working towards excepting smaller companies from some of the more onerous requirements as small victories in a much larger battle. (&lt;a class="" href="http://financialexecutives.blogspot.com/2009/11/sarbanes-oxley-exemption-passes.html" target="_blank"&gt;Garret / Adler amendment.&lt;/a&gt;&lt;/font&gt;&lt;font face="Verdana"&gt;)&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Having been entrenched in a large financial institution during the more formative years of the Sarbanes-Oxley act (the so called ‘year zero’ through the publication of the PCAOB’s Audit Standard No. 5 and the Security and Exchange Commissions’ guidance), I can see the benefit of the enterprise governance, risk and compliance (GRC) programs that were largely established in the wake of SOX and in some cases further developed and tuned in response to the more prescriptive guidelines and requirements that were to follow (such as PCI for example).&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;While I can see portions of the act that must change over time, to re-encourage the sort of free enterprise and opportunity the United States built itself upon, I feel that many of the components of the act that promote oversight, clarity and visibility, both to executive management and to the public, must be here to stay. Yes, some relaxation of some of the rules may bring companies flooding back to ‘the greatest stock market in the world,’ but investors, forever burned by the likes of Enron, WorldCom, et al, are now always going to look for that extra insight that the publication of additional information and disclosure of significant events is going to bring. Even the companies themselves have become dependent on the value added by the extra level of documentation, testing and certification that comes with formally documented processes, controls, and the associated risk management and governance practices.&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Unconstitutional? Perhaps – on a technicality, the Sarbanes-Oxley act will start to fray and unravel… but I firmly believe the tone of ensuring corporate transparency is welcome, necessary, and here to stay.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://community.ca.com/aggbug.aspx?PostID=4126" width="1" height="1"&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/Chris+Stoneley/default.aspx">Chris Stoneley</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Regulations/default.aspx">Regulations</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Sarbanes-Oxley/default.aspx">Sarbanes-Oxley</category><category domain="http://community.ca.com/blogs/iam/archive/tags/SOX/default.aspx">SOX</category></item><item><title>Is Basel II Dangerous for the World Economy?</title><link>http://community.ca.com/blogs/iam/archive/2009/12/22/is-basel-ii-dangerous-for-the-world-economy.aspx</link><pubDate>Tue, 22 Dec 2009 14:45:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:4100</guid><dc:creator>CA Community</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2009/12/22/is-basel-ii-dangerous-for-the-world-economy.aspx#comments</comments><description>&lt;p&gt;For starters, Basel II is the second set of recommendations on banking laws and regulations published by the Basel Committee on Banking Supervision.&amp;nbsp; It is the most important framework that is focused primarily on Financial Institutions.&amp;nbsp; The key principles of Basel II can be summarized in its three pillars -&amp;nbsp;&amp;nbsp; minimum capital reserves, supervisory review, and market discipline.&amp;nbsp;&amp;nbsp; Widely followed in Europe, it is becoming the standard in the United States.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;The intent of Basel II is to reduce excessive leverage (and therefore financial risk) in the banking industry.&amp;nbsp; By regulating how much capital a bank must keep in reserve (as a percentage of total assets), it has helped to ensure that banks would have sufficient reserves on hand to meet their normal customer needs.&amp;nbsp; In this sense, it has helped to reduce financial risk in many banking institutions. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;In general, do regulations weaken the economy?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Some people will tell you that all regulations and government oversight unnecessarily weigh down companies with red tape and cost, therefore negatively affecting the overall economy.&amp;nbsp; Arguments to this effect are nothing new.&amp;nbsp; Others will tell you that the better business processes provided due to thorough evaluation of each business process more than pay for the increased costs that they bring.&amp;nbsp; The reality is that there is an appropriate level of oversight that is necessary in order to provide and maintain confidence on the part of the public and to make sure certain industry standards are met.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How Basel II is different from most regulations&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The effect of this regulation can be significant especially because of the Capital reserve requirements (Pillar 2).&amp;nbsp; These requirements could necessitate behavior which could accelerate a downturn once one starts.&amp;nbsp; The general nature of having a reserve is pro-cyclical, which means it magnifies what is already going on in the economy.&amp;nbsp; In good financial times, capital reserve requirements have less impact due to the increased value of the assets.&amp;nbsp; Unfortunately, in less prosperous times, the Risk Management Pillar of Basel II can actually dictate the need to be more conservative with investments.&amp;nbsp; This shift in thinking is exactly what the broader economy does not want to have happen.&amp;nbsp; For this reason, Basel II can, if not managed, make a shaky economy worse, and therefore be an overall negative for the economies of the world.&lt;br /&gt;&amp;nbsp; &lt;br /&gt;This same phenomenon occurs within our personal financial situations.&amp;nbsp; If there is news of a downturn in the economy, it is common to start being concerned with your job.&amp;nbsp; This concern may force you to delay new purchases.&amp;nbsp; These delays impact the people who sell those products and those that manufacture them, causing concerns on their parts about job security.&amp;nbsp; At some point, fear of a financial downturn can be a self-fulfilling prophecy.&lt;br /&gt;&amp;nbsp; &lt;br /&gt;&lt;strong&gt;Was Basel II responsible for last year’s financial crisis?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The answer to that is a resounding no.&amp;nbsp; First off, the flashpoint for the credit problems was the sub-prime real estate market in the United States.&amp;nbsp; Basel II, though coming to America, has not been fully adopted. For that reason, it can’t be blamed for the current economic situation.&amp;nbsp; In fact, there is a case to be made that the kind of Risk Analysis mandated by Basel II should help situations such as these.&amp;nbsp; Additionally, there is a wonderful opportunity to take advantage of our recent misfortune and use the extreme experiences of the past year to provide excellent stress testing for Basel II efforts. Evaluating risk programs against real world scenarios should provide excellent value.&amp;nbsp; Through this backward looking analysis, it will likely be clear that Basel II and Risk Management programs as a whole will need modifications.&amp;nbsp; Whether this will usher in the movement for a Basel III, a full rewrite of Basel II, is not likely.&amp;nbsp; Though time for Basel II ½ may be upon us.&amp;nbsp; &lt;br /&gt;&lt;/p&gt;&lt;img src="http://community.ca.com/aggbug.aspx?PostID=4100" width="1" height="1"&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/Basel+II/default.aspx">Basel II</category><category domain="http://community.ca.com/blogs/iam/archive/tags/financial+crisis/default.aspx">financial crisis</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Regulations/default.aspx">Regulations</category><category domain="http://community.ca.com/blogs/iam/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Rob+Toner/default.aspx">Rob Toner</category></item><item><title>The Severe Ripple Effects of Non-Compliance</title><link>http://community.ca.com/blogs/iam/archive/2009/12/08/the-severe-ripple-effects-of-non-compliance.aspx</link><pubDate>Tue, 08 Dec 2009 14:15:00 
GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:4001</guid><dc:creator>Sumner Blount</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2009/12/08/the-severe-ripple-effects-of-non-compliance.aspx#comments</comments><description>&lt;p&gt;&lt;a class="" href="http://www.wired.com/threatlevel/2009/11/pos/" target="_blank"&gt;I came across an interesting article recently&lt;/a&gt; that highlights to me not only the potential financial impact of non-compliance, but the complex way in which this non-compliance can impact other parties in the value chain.&lt;/p&gt;
&lt;p&gt;A brief summary.&amp;nbsp; A POS (point of sale…..although another interpretation might also be appropriate) terminal was sold to a number of restaurants in the South.&amp;nbsp; After using the system for several weeks, these restaurants started observing strange behavior (e.g., the mouse moved at random and could not be controlled), and reports of credit card thefts started to come in from Visa and Mastercard.&amp;nbsp; It turns out after much forensic analysis that there was a major breach by a Romanian hacker, who stole info from hundreds of credit cards.&amp;nbsp; The hacker was able to do this because of two factors:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div&gt;The POS system stored ALL the info that was on the credit card magnetic strip after the transaction was complete – a clear violation of PCI standards.&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;The technicians from the company that sold and maintained the systems used absurdly poor security when installing the software, such as the same default name and password across all systems.&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;So, what was the impact on each restaurant?&amp;nbsp; The original system cost $20K, but some restaurants had to later pay for forensic analysis ($19K), a fine from Visa ($5K), a fine from Mastercard ($100K….later rescinded), and partial restitution for the fraudulent transactions ($20K).&amp;nbsp; So, the original $20K investment on a “state of the art” system turned into an unmitigated disaster.&amp;nbsp; The vendor of the POS system denies all responsibility – hopefully, they have a good lawyer who can argue that with a straight face.&lt;/p&gt;
&lt;p&gt;I’m not sure there are any universally applicable lessons here, but a few observations struck me.&lt;/p&gt;
&lt;p&gt;First, it’s remarkable that such poor security practices would occur, especially in a technology product in which security is essential.&lt;/p&gt;
&lt;p&gt;Second, compliance is serious business.&amp;nbsp; Some regulations are enforced more strictly than others, but in many cases (particularly PCI), the penalty for non-compliance can be debilitating.&lt;/p&gt;
&lt;p&gt;Third, the days of compliance impacts being limited to your own enterprise are over, particularly for providers of technology solutions.&amp;nbsp; Compliance is often a multi-faceted network or value chain, and any non-compliance by one participant can have significant (and often hidden) impacts on the other participants.&amp;nbsp; In this case, the impact was very painful, and potentially disastrous.&lt;/p&gt;
&lt;p&gt;I’m pulling for the restaurants.&lt;br /&gt;&lt;/p&gt;&lt;img src="http://community.ca.com/aggbug.aspx?PostID=4001" width="1" height="1"&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/Compliance/default.aspx">Compliance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/fines/default.aspx">fines</category><category domain="http://community.ca.com/blogs/iam/archive/tags/non-compliance/default.aspx">non-compliance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/PCI/default.aspx">PCI</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Regulations/default.aspx">Regulations</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Sumner+Blount/default.aspx">Sumner Blount</category></item><item><title>The Battle Against SOX Continues</title><link>http://community.ca.com/blogs/iam/archive/2009/11/30/the-battle-against-sox-continues.aspx</link><pubDate>Mon, 30 Nov 2009 14:05:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:3858</guid><dc:creator>Sumner Blount</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2009/11/30/the-battle-against-sox-continues.aspx#comments</comments><description>&lt;p&gt;I have been semi-following a very interesting lawsuit over the past few months.&amp;nbsp; It’s interesting primarily because of its potential impact on the regulatory environment if it is successful.&lt;/p&gt;
&lt;p&gt;To bring you up to speed, two men (with financial backing) have brought a lawsuit that challenges the constitutionality of Sarbanes-Oxley (SOX).&amp;nbsp;&amp;nbsp; A recent article on this lawsuit &lt;a class="" href="http://bit.ly/Gldu4" target="_blank"&gt;can be found here&lt;/a&gt;.&amp;nbsp; These lawyers are nominally representing an auditor from Nevada named Brad Beckstead, who is suing PCAOB (Public Company Accounting Oversight Board) because (he says) a SOX audit was so onerous that it ruined his auditing business.&amp;nbsp; The lawyers claim that they are working on this case without payment, probably because it not only gives them very high visibility, but also because it fits into their conservative political agenda.&lt;/p&gt;
&lt;p&gt;Their suit claims that PCAOB is unconstitutional, primarily because it has great power, but its members are not chosen by the President, but by the SEC.&amp;nbsp; In addition, they claim that the members cannot be removed by the President, despite the fact that they work in the Executive branch.&amp;nbsp; And, without the ability to remove members from this group, the President cannot effectively ensure that the “laws of the nation are faithfully carried out.”&amp;nbsp; It’s certainly a novel challenge, to say the least.&lt;/p&gt;
&lt;p&gt;One reason why this challenge is so concerning is that due to a “drafting quirk,” if any part of SOX is deemed to be invalid, the whole statute might be in question.&amp;nbsp; And, if SOX is declared unconstitutional, it would raise questions not only about the validity of other major regulations, but it even calls into question the whole regulatory structure itself.&amp;nbsp; And, if the Congress had to go back to SOX to re-negotiate it, I can’t even imagine the fireworks that would create.&lt;/p&gt;
&lt;p&gt;The Supreme Court will take up this case on December 7 (interesting parallel – Pearl Harbor Day).&amp;nbsp; I am hoping that the suit will be thrown out.&amp;nbsp; But, with this Supreme Court, you never know what will happen.&lt;/p&gt;&lt;img src="http://community.ca.com/aggbug.aspx?PostID=3858" width="1" height="1"&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/lawsuit/default.aspx">lawsuit</category><category domain="http://community.ca.com/blogs/iam/archive/tags/PCAOB/default.aspx">PCAOB</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Regulations/default.aspx">Regulations</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Sarbanes-Oxley/default.aspx">Sarbanes-Oxley</category><category domain="http://community.ca.com/blogs/iam/archive/tags/SOX/default.aspx">SOX</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Sumner+Blount/default.aspx">Sumner Blount</category></item></channel></rss>