SOX and Security Presentation to ISACA (PowerPoint)
Transcript of SOX and Security Presentation to ISACA (PowerPoint)
BB: SOX and Security 1
Sarbanes–Oxley and Enterprise Security: IT Governance – What it Takes to Get the Job Done
Bill Brown and Frank Nasuti
BB: SOX and Security 2
Purpose of the Article
– What are the requirements for SOX compliance for IT?
– Effective governance – what is it and what does it mean in the context of SOX?
– A look at Motorola and security
BB: SOX and Security 3
IT is not always in the front of compliance discussions…
A Gartner survey of 75 senior compliance executives found that 37% of companies had no IT representation on SOX compliance teams (Leskeia & Logan, 2003).
BB: SOX and Security 4
What IT Governance Model Really Works for SOX?
Seems intuitive that applying an effective governance structure would be the expeditious solution…but
BB: SOX and Security 5
But what really works? ISO 17799? ITIL? IT Governance Institute? Then of course, what happens when the consultants walk away…
BB: SOX and Security 6
But what really works? Extensive research by Weill and Ross at MIT:
IT Governance: How Top Performers Manage IT Decision Rights for Superior Results
BB: SOX and Security 7
10 Barriers to Security and Business Continuity Planning
Working Council of Corporate Executive Board (2003a):
1. subjective risk prioritization,
2. poor risk communication,
3. security requirements mismatch,
4. siloed business protection,
5. unclear business continuity ownership,
6. insufficient user awareness,
7. inconsistent password policies,
8. incomplete business continuity preparedness,
9. poor crisis communication, and
10. external partner vulnerabilities.
BB: SOX and Security 8
Does Technology or the Governance Drive Compliance?
Alberts, a senior member of the Networked Systems Survivability Program at the Software Engineering Institute at Carnegie Mellon, described the broader issue of security as being primarily perceived as a technology problem, when in fact it is an organizational problem with a technology component (Zorz, 2003).
BB: SOX and Security 9
Other Regulations and IT
– Health Insurance Portability and Accountability Act of 1996 (HIPAA),
– Gramm-Leach-Bliley Act of 1999 (GLBA),
– Fair Credit Reporting Act (FCRA),
– Notification of Risk to Personal Data Act (NORPDA),
– Personal Information Protection and Electronic Documents Act (PIPEDA)
BB: SOX and Security 10
Only SEC Registrants? Not so.
Increasingly, SOX’s provisions are becoming applicable to private companies as well (Heffes, 2005).
In turn, lenders and states increasingly are asking private companies about the status of their internal control environments.
BB: SOX and Security 11
Scope of SOX
Eleven sections of SOX (2002) define auditor and corporate responsibilities, including expectations for financial disclosures, strong penalties for white-collar crimes, and protection for “whistleblowers.”
BB: SOX and Security 12
SOX and Personal Liability
SOX outlines the duties (and liabilities) of:
– the chief executive officer (CEO),
– the chief financial officer (CFO), and
– the external auditor.
Personal responsibility for ensuring the credibility of the financial reporting provided to stakeholders.
BB: SOX and Security 13
SOX and IT
Key sections of SOX compliance that directly involve IT include Sections 302, 404, 409, and 802 (SOX, 2002).
BB: SOX and Security 14
Section 302:
– requires corporate officers to make representations related to the disclosure of internal controls, procedures, and assurance from fraud.
Section 404:
– requires an annual assessment of the effectiveness of internal controls.
Section 409:
– requires disclosures to the public on a “rapid and current basis” of material changes to the firm’s financial condition.
Section 802:
– requires authentic and immutable record retention.
BB: SOX and Security 15
In connection with SOX compliance, the SEC requires the implementation of Enterprise Risk Management – Integrated Framework (ERM) authored by the Treadway Commission’s Committee of Sponsoring Organizations (COSO)
BB: SOX and Security 16
The ERM framework divides IT controls into two types (Ramos, 2004):
1. general computer controls
2. application-specific controls
BB: SOX and Security 17
General Controls
General controls include the following:
1. Data center operations (e.g., job scheduling, backup and recovery),
2. Systems software controls (e.g., acquisition and implementation of systems),
3. Access security, and
4. Application system development and maintenance controls.
BB: SOX and Security 18
Application Controls
Application controls are designed to perform the following:
1. Control data processing;
2. Ensure the integrity of transactions, authorization, and validity; and
3. Encompass how different applications interface and exchange data.
BB: SOX and Security 19
COSO and Organization
COSO described internal control as a process that is affected by people (COSO, 2005; Damianides, 2005).
Organizational design, behavior, and IT governance play very significant roles in whether the enterprise can successfully implement the ERM framework as defined by the Treadway Commission.
BB: SOX and Security 20
COSO ERM describes five interrelated components of internal control in Section 404.
1. “Tone at the top”;
2. Identification of risks, objectives, and the methods to manage the risks;
3. Activities and procedures that are established and executed to address risks;
4. Systems to capture and exchange the information needed to conduct, manage, and control its operations; and
5. The monitoring of and responses to changing conditions as warranted.
BB: SOX and Security 21
The SEC offers little specific guidance on IT security.
The door is open to interpretation as to the scope and nature of security initiatives for SOX compliance.
BB: SOX and Security 22
Although the SEC has not defined security requirements per se, the SEC is a very effective change agent and will assert itself if additional compliance measures are required (Mead & McGraw, 2004).
BB: SOX and Security 23
Section 302 Representations
Surveys of CIOs reported that 44% of the companies required the CIO to certify financial results under SOX compliance (CIO Insight/Gartner, 2004).
BB: SOX and Security 24
Section 302 Representations
This process is known as sub-certification, and it usually requires the individuals to provide a written affidavit to the CEO and CFO that will allow them to sign their certifications in good faith (Ramos, 2004).
BB: SOX and Security 25
Sub-certification
Items that may be the subject of sub-certification affidavits include:
– statement of accuracy of specific account balances,
– compliance with company policies and procedures,
– the company’s code of conduct, and
– the adequacy of the design and/or operating effectiveness of internal controls.
BB: SOX and Security 26
Section 302 SOX:
– IT administration,
– Organization governance,
– Responsibilities of CIOs,
– Budgets,
– Vendors,
– Outsourcers, and
– Business continuity plans.
BB: SOX and Security 27
Section 404
Section 404, in conjunction with the related SEC rules and Auditing Standard No. 2 established by the Public Company Accounting Oversight Board (PCAOB), is driving pervasive change in the internal controls of the enterprise.
BB: SOX and Security 28
Section 404 Continued…
Two new reports are required at the end of every fiscal year (SOX, 2002).
Reports must be included in the company’s annual report filed with the SEC.
Management also must disclose any material weaknesses in internal control.
BB: SOX and Security 29
Section 404 Continued…
If a material weakness exists, management may not be able to conclude that the company’s internal control over financial reporting is effective (SOX, 2002).
The external auditor also must attest to the truthfulness of these management internal control assertions.
BB: SOX and Security 30
SOX: How It Works
In compliance with the Management Assessment of Internal Controls (Section 404), which of the following is the correct sequence in identifying and assessing internal controls?
a. Document controls, document processes, identify risks, assess design
b. Document processes, identify risks, document controls, assess design
c. Identify risks, document controls, document processes, assess design
d. Assess design, identify risks, document controls, document processes
Source: MicroMash
BB: SOX and Security 31
SOX: How It Works
Regarding compliance with the Management Assessment of Internal Controls (Section 404), which of the following levels of the internal control reliability model is committed to continuous improvement?
a. Informal level
b. Systematic level
c. Optimized level
d. Integrated level
Source: MicroMash
BB: SOX and Security 32
SOX: How It Works
In compliance with the Management Assessment of Internal Controls (Section 404 of the Sarbanes-Oxley Act), the software tool that is selected to report on internal control should do all of the following except:
a. Link controls to processes.
b. Describe the work processes.
c. Link processes to objectives.
d. Link costs to risks.
Source: MicroMash
BB: SOX and Security 33
SOX: How It Works
The role of the IT auditor in complying with the Management Assessment of Internal Controls (Section 404) is:
a. planning internal controls
b. documenting internal controls
c. designing internal controls
d. implementing internal controls
Source: MicroMash
BB: SOX and Security 34
Timely Compliance
The ERM framework, a cornerstone of Section 404 and COSO, requires ongoing feedback from throughout the company that is:
– Current,
– Accurate, and
– Sufficiently robust to support the analysis of different risk responses (COSO, 2005).
Many firms are implementing risk management applications to assist with internal control and assessment processes (Decker & Lepeak, 2003).
BB: SOX and Security 35
Section 409
Disclose to the public, on a rapid and current basis, material changes to a firm’s financial condition (SOX, 2002).
BB: SOX and Security 36
Example of 409
A computer virus knocked out the supply chain and materially affected the financial performance on a quarterly financial report (Proctor, 2004).
This would be a disclosable event for financial reporting purposes under SOX.
BB: SOX and Security 37
SOX: How It Works
In compliance with the Real Time Issuer Disclosures (Section 409), real time compliance tools do not include which of the following?
a. Data warehousing
b. Spreadsheet software
c. Data mining
d. Data mart
Source: MicroMash
BB: SOX and Security 38
SOX: How It Works
The real time issuer disclosure requirement of Section 409 does not include which of the following?
a. Trend analysis
b. Qualitative information
c. Chat room
d. Graphic presentations
Source: MicroMash
BB: SOX and Security 39
Section 802
The IT organization must have policies in place to ensure appropriate record retention and security.
SOX (2002) has a direct impact on data management, data and system security, and business recovery practices.
The CIO must understand the requirements and ensure that the appropriate policies are in place, including ongoing compliance.
BB: SOX and Security 40
What Governance Models and Processes Work?
BB: SOX and Security 41
A Quick Review: IT Governance
The IT Governance Institute (2005a, 2005b) issued a governance model that provides the structure and practices for four IT domains:
BB: SOX and Security 42
IT Governance Institute
1. Plan and organize the strategic plan, architecture, IT organization, human resources, and compliance with external requirements (including SOX); assess risks; manage projects; and manage quality.
BB: SOX and Security 43
IT Governance Institute
2. Acquire and implement software, hardware, infrastructure, and procedures; install and accredit systems; and manage changes.
3. Deliver and support service, performance and capacity, systems security, and user training; assist and advise customers; and manage problems and incidents, data, facilities, and operations.
BB: SOX and Security 44
IT Governance Institute
4. Monitor processes, assess internal controls, obtain independent assurance, and provide for the independent audit.
BB: SOX and Security 45
ISO 17799
ISO 17799 is a detailed “what to do” security standard that is organized into 10 major sections, each covering a different topic or area (“What is: ISO 17799,” 2001):
BB: SOX and Security 46
What can we learn from ISO 17799?
1. Business continuity planning,
2. System access control,
3. System development and maintenance,
4. Physical and environmental security,
5. Compliance,
6. Personnel security,
7. Security organization,
8. Computer and network management,
9. Asset classification and control, and
10. Security policy.
BB: SOX and Security 47
What can we learn from ISO 17799?
ISO 17799 has a narrow focus on security management and cannot stand alone as a security governance standard (Stolovitch, 2004; Symons, 2005).
BB: SOX and Security 48
ITIL
ITIL, initially developed in the UK by the Office of Government Commerce, defines a broad range of processes that are considered best practices and are documented in a series of books.
BB: SOX and Security 49
What can we learn from ITIL?
1. incident management,
2. change management,
3. problem management,
4. service-level management,
5. continuity management (disaster recovery),
6. configuration management,
7. release management,
8. capacity management,
9. financial management,
10. availability management,
11. security management, and
12. help desk management.
BB: SOX and Security 50
What can we learn from ITIL?
Extremely useful for service management.
ITIL should be applied as a tool within the context of a broader organizational strategy but should not be considered a comprehensive solution (Meyer, 2005).
BB: SOX and Security 51
What other trends are in play? Centralized vs. Decentralized
Central information security groups are assuming greater seniority, with 40% or more of the security groups reporting directly to the CIO (Corporate Executive Board, 2003b). They are assuming responsibility for:
1. governing and coordinating policy and standards formulation and architecture,
2. vendor selection,
3. compliance auditing,
4. vulnerability assessment, and
5. intelligence gathering.
BB: SOX and Security 52
What other trends are in play? Centralized vs. Decentralized
Emerging roles for the central information security organization:
1. awareness campaigns,
2. central password management, and
3. supply-chain security programs.
BB: SOX and Security 53
Centralized Security and SOX – How does it fit?
SOX requires compliance with the Treadway Commission’s COSO ERM framework and therefore requires security risk prioritization and communication to be consistent with those standards.
SOX (2002) Sections 302, 404, 409, and 802 are affected by all of these items, with the exception of subjective risk prioritization and poor risk communication.
BB: SOX and Security 54
Basis of Research: “Describe to me your governance processes”
In a survey of 256 IT organizations, the best predictor of effective IT governance performance was the % of managers in leadership positions who could accurately describe their IT governance processes (Weill & Ross, 2004).
BB: SOX and Security 55
Research by Weill and Ross (2004)
Consistent with the research by Weill and Ross (2004), a direct reporting relationship by a centralized security organization creates the opportunity for more effective security governance through more collaborative opportunities between the business professionals and IT security management and through defined decision rights that involve technical decisions.
BB: SOX and Security 56
“Describe to me your governance processes”
In above-average governance-performing enterprises, 45% or more of managers could accurately describe their IT governance.
In below-average performing enterprises, only a few managers in leadership positions could describe their governance process.
BB: SOX and Security 57
“Describe to me your governance processes”
1. A higher % of senior managers who engage more often and more effectively in IT governance (committees, announcements, etc.),
2. Direct involvement of the senior business leaders in IT governance,
3. Clearer business objectives for IT applications,
4. More differentiated business strategies,
5. Fewer approved exceptions, and
6. Fewer changes in governance from year to year (Weill & Ross, 2004).
BB: SOX and Security 58
Most Effective Governance
Decision domain – Decision makers
IT principles – IT & business unit leaders
IT architecture – IT specialists
IT infrastructure – IT specialists
Business application need – Corporate & business units, with or without IT
IT investment – IT & business unit leaders
BB: SOX and Security 59
Least Effective Governance
Decision domain – Decision makers
IT principles – IT & business unit leaders
IT architecture – IT & business unit leaders
IT infrastructure – IT & business unit leaders
Business application need – IT & business unit leaders
IT investment – IT & business unit leaders
BB: SOX and Security 60
Weill and Ross (2004) reported that the most effective decision-making structures are:
1. Executive management committees,
2. IT leadership committees, and
3. Business/IT relationship managers.
BB: SOX and Security 61
The least effective IT decision-making structures are:
1. Capital approval committees, and
2. Architectural committees.
BB: SOX and Security 62
Security and Motorola
Many enterprises are concerned with security, but Motorola has made it a strategic priority (Weill & Ross, 2004).
BB: SOX and Security 63
Security and Motorola
Security governance secures the support of executive management through a Management Board for IT Principles and IT investment, but the security leaders maintain the final decision authority over the security architecture and infrastructure.
BB: SOX and Security 64
Decision Making at Motorola
The decision-making process at Motorola security includes the following:
1. IT principles: Management Board and security leaders
2. IT architecture: security leaders
3. IT infrastructure: security leaders
4. Business application need: business leaders
5. IT investment: Management Board and security leaders
BB: SOX and Security 65
Decision Making at Motorola
Motorola’s Information Security Officer at Management Board meetings:
1. Identifies Motorola’s security risks and the alternatives for addressing them,
2. Educates about various security breaches and the potential impacts of each threat,
3. Recommends security principles and priorities in certain areas of the business, and
4. Obtains a budget that is approved separately from the rest of the IT budget.
BB: SOX and Security 66
Decision Making at Motorola
Using a monarchy decision-making style, Motorola’s Corporate Information Security Officer:
1. Implements security plans at both a corporate and business unit level,
2. Designs and builds appropriate technology with his support staff, and
3. Works with IT architects at both the corporate and the sector levels to ensure that security measures are built seamlessly into the IT infrastructure and applications.
BB: SOX and Security 67
Decision Making at Motorola
As an example of how Motorola security integrates itself into the IT architecture and infrastructure, Motorola created:
– A single, global department
– that centrally rolls out standard configurations across the enterprise (Microsoft Executive Circle, 2004).
BB: SOX and Security 68
Decision Making at Motorola
Motorola’s security organization is ultimately responsible for 65,000 desktop and portable computers plus embedded devices and other computers spread across the Americas, Europe, Africa, and Asia.
BB: SOX and Security 69
Decision Making at Motorola
Before centralizing the upgrades, updates using third-party software programs or complete security updates to protect Motorola's enterprise from viruses, hackers, and other security threats would take weeks.
– Consolidated 600 domains into a single environment with nine child domains
– Software updates that formerly took months are now completed in less than a week.
BB: SOX and Security 70
Decision Making at Motorola
In the development of centralized security protection for 65,000 desktop and portable computers and supply chain security programs, Motorola:
1. Identified and prioritized risks,
2. Communicated the risks to the business units and external partners,
3. Matched the security requirements to the needs and avoided siloed business protection, and
4. Managed external partner vulnerabilities.
BB: SOX and Security 71
Security Governance at Motorola
Motorola completed the business protection lifecycle through three major security processes:
1. risk assessment,
2. policy setting and oversight, and
3. effective execution.
BB: SOX and Security 72
Security Governance at Motorola
Motorola transformed the IT security function from a set of ad hoc activities with an emphasis on technology to a coordinated approach of principles, behaviors, and adaptive solutions that map to business requirements (Proctor, 2004).
BB: SOX and Security 73
Security Governance at Motorola
Centralized security works closely with the Management Board to define policies and priorities, to educate stakeholders, and to set budgets apart from IT operations.
Motorola security leaders take sole possession and leadership of the IT security architecture and infrastructure.
BB: SOX and Security 74
Security Governance at Motorola
Motorola security has transformed itself from a loosely distributed set of domains across the world into a centrally coordinated approach to secure 65,000 computers and to administer a supply-chain security program.
Effective decision-making structures, alignment processes, and methods of engagement are integral to effective security governance and ultimately to SOX compliance.
BB: SOX and Security 75
Security Governance at Motorola
Senior security leadership in governance structures such as Motorola’s likely can fully explain their governance process.
Motorola’s SOX compliance program can change and evolve as the security environment changes and evolves.
BB: SOX and Security 76
Security Governance at Motorola
The security governance framework at Motorola has created an enabling organization rather than a support organization.
BB: SOX and Security 77
Security Governance at Motorola
Does the organizational model work?
COSO ERM in Section 404:
1. “Tone at the top”;
2. Identification of risks, objectives, and the methods to manage the risks;
3. Activities and procedures that are established and executed to address risks;
4. Systems to capture and exchange the information needed to conduct, manage, and control its operations; and
5. The monitoring of and responses to changing conditions as warranted.
BB: SOX and Security 78
Roadmap Ahead: Systems Complexity Will Increase
In-depth interviews with over 50 CIOs showed that rapid strategic business change and e-business and technology complexity will be significant drivers in the near future (Reich & Nelson, 2003).
As organizations transition into more e-business and more architectural complexity, it is reasonable to assume that the 44% of CIOs that sub-certify may increase.
BB: SOX and Security 79
Additional Research
Partner with Hyperion to develop real time compliance (dashboard models) to meet Section 409 requirements
BB: SOX and Security 80
Sarbanes–Oxley and Enterprise Security: IT Governance – What it Takes to Get the Job Done
Bill Brown and Frank Nasuti
Slides available at: www.business.mnsu.edu/brownw1