Raleigh issa chapter april meeting - managing a security & privacy governance function - 04.03.14

Audrey Foster presented at the April 2014 Raleigh ISSA Chapter meeting


  1. Managing a Security & Privacy Governance Function
     April 3, 2014
     Audrey Foster, CPA, CISA, CGMA, CITP, Director of AICPA Internal Audit, Risk & Compliance
  2. Overview (American Institute of CPAs®)
     Definition of Governance
     • the action or manner of governing.
     Definition of Govern
     • conduct the policy, actions, and affairs of (a state, organization, or people).
     • control, influence, or regulate (a person, action, or course of events).
     • conduct oneself, esp. with regard to controlling one's emotions.
     • serve to decide (a legal case).
     Session Goals
     • Importance of Security & Privacy Governance
     • Setup of Governance within a Security & Privacy Function
     • Examples of Governance within a Security & Privacy Function
  3. Importance of Governance
     Security & Privacy (S&P) Defined:
     • Security: Protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
     • Privacy: Understanding the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
     Understanding of group:
     • Who works in just security?
     • Who works in just privacy?
     • Who works in both?
     • Who works in audit?
     • Who reports through IT?
     • Who reports outside IT?
  4. Importance of Governance (diagram; only the labels "intent" and "risk-based" survived extraction)
  5. Importance of Governance (diagram; only the label "S&P" survived extraction)
  6. Setup of Governance
     Establish clear S&P organizational structure.
     • Reporting lines provide an organization-wide perspective and authority.
     Example (reporting structure): CEO, COO, Audit & S&P Committees → Internal Audit, Risk & Compliance Team → Internal Audit | Security & Privacy | Exams | Compliance
  7. Setup of Governance
     Define S&P goals and follow them!
     • Ensure they are balanced with a risk-based approach where your organization wants you to be at the table.
     • Actions speak louder than words, walk the talk, etc!
     Examples:
     • Strengthen processes and procedures
     • Ensure sustainable change
     • Monitor environment
     • Continuous assessment of risk
     • Allow business opportunity
       - Don’t be a “no” team!
       - Control beneficial risks
  8. Setup of Governance
     Define the S&P mission and communicate it!
     Example:
     • Provide leadership in the development, delivery, maintenance, and monitoring of the Institute’s information security, risk management and privacy programs.
     • Provide strategic assistance in the safeguarding of information assets and the supporting infrastructure against unauthorized use, disclosure, modification, damage or loss.
  9. Setup of Governance
     Define S&P areas and scope of work.
     Example – Breakdown of Key Areas of Work:
     • Project Consulting - S&P performs independent reviews and consulting engagements to improve the organization’s operating and internal control environment around privacy and information security.
     • Program Development - S&P develops frameworks and distributes privacy and information security focused policies, procedures and practice aids, enabling the Institute to effectively and efficiently navigate privacy laws and information security risks.
  10. Setup of Governance
     • Compliance Monitoring - S&P identifies areas for improvement or deficiencies through compliance audits, process reviews, risk assessments, vulnerability assessments, and security awareness training, and leads efforts to improve and/or establish risk-mitigating processes and systems to make operations within the Institute more effective and efficient.
     • Incidents & Inquiries - S&P facilitates the response plan and triage activities for information security incidents & inquiries, following through to successful closure while also identifying efforts to improve and/or establish processes and systems geared toward reducing the risk of subsequent occurrences. Additionally, S&P functions as a vendor and contract reviewer/approver for services where either Institute/member data is shared with a third party or the service includes changes to our information security architecture.
  11. Setup of Governance
     Establish policy, but…
     • Create value-add policies that truly mean something and that you are willing to devote staff hours to monitoring compliance with.
     • Higher likelihood that users within your organization will be aware of and follow S&P policies.
     Speak the executive voice.
     • Know your audience (concept-based versus detail-based).
     • Summarize what is really important with enough substance for them to understand key concepts.
     • Know when they need to be decision makers and give a pro/con analysis with a recommendation.
  12. Examples of Governance
     S&P Function Reporting Structure
     • Example #1 in the following slides.
     Streamlined Annual Risk Assessment/Project Plan
     • Example #2 in the following slides.
     Finding Process for Consulting Engagements
     • Example #3 in the following slides.
  13. Example #1: S&P Function Reporting Structure
     Challenge
     • The security function within the organization was not providing the oversight and governance needed to meet the current business environment or strategic initiatives, including privacy considerations.
     Innovative Thought
     • Create a Security & Privacy (S&P) function which reports up through Internal Audit (IA), which already has a reporting structure within the organization that allows independent thought, along with established processes to plan projects, so that S&P can step into the needed oversight and governance role.
  14. Example #1 Outcome: S&P Function Reporting Structure
     Outcome
     • The creation of an S&P Committee made up of senior leadership which guides the actions of the S&P function and allows IA to be independent, along with some additional external audits.
     • A reporting structure which provides an organization-wide ability to establish and execute the projects, policies and oversight needed to address the key S&P risks within the organization.
     • A holistic team that can work with management and various governance committees and boards to understand and respond to the full breadth of organizational risks, strategic initiatives, and compliance requirements, ensuring adequate measures are in place to protect the organization’s interests.
  15. Example #2: Streamlined Annual Risk Assessment/Project Plan
     Challenge
     • The risk register had many detailed listings of potential risks, which were overwhelming to evaluate and didn’t consider strategic initiatives or other key team activities.
     Disruptive Thought
     • Stop doing risk assessments.
     Innovative Thought
     • Have no more than 20 risks to assess, where every single risk means something; auditable/reviewable strategic initiatives, along with activities within mission-critical teams, are evaluated.
     Outcome
     • Streamlined annual risk assessment process where projects are focused on the true needs of the organization, with a nimbleness that allows resources to be reallocated as needed.
  16. Example #2 Outcome: Managing Organizational Risks (timeline diagram; recoverable labels only)
     • Stages: Env. Assessment → Prelim. Annual Plan & ERM → Final Annual Plan & ERM → IA/S&P Annual Plan Strategy
     • Milestone labels: Primary Inputs & Prelim. Focus Areas; Final Focus Areas & Annual Plan; Audit Committee Approval
     • Months shown on the timeline: January, April, August, November
  17. Example #2 Outcome: Annual Plan Development
     Flow: Focus Area Identification (Primary Inputs) → Risk Ranking (Primary Inputs) → IA/S&P Annual Plan
     What are Focus Areas?
     • Areas IA/S&P is targeting to support through assurance and consulting activities.
     • Spend time evaluating if a primary input would be an auditable/reviewable area.
  18. Example #2 Outcome: Annual Plan Development
     Primary Inputs: Mission Critical Teams; Meetings with Senior Leadership; Annual Plan: Strategic Initiatives; Approved IT Projects; Knowledge of Environment; ERM Risk Evaluation; Recurring Projects & Internal Team Initiatives
     → Identify Focus Areas & Risk Rank → IA/S&P Annual Plan (initiated annually; updated quarterly)
  19. Example #2 Outcome: Risk Assessment Methodology
     Flow: Focus Area Identification (Primary Inputs) → Risk Ranking (Primary Inputs) → IA/S&P Annual Plan
     Scale: 1 = Low, 3 = Moderate, 5 = High

     Risk Factor          Weight   Example score
     Reputation Impact    25%      5
     Control Env.         15%      3
     External Env.        20%      1
     Mgt Concerns         10%      5
     Strategic Impact     15%      5
     Ops Impact           15%      3
     Weighted Risk Score           3.6
  20. Example #2 Outcome: Strategic Initiatives which could be reviewed by IA/S&P, and Mission Critical Teams (two lists of placeholder "Example" entries; a marker indicates an IA/S&P project is planned)
     Note: Mission critical teams were risk ranked using specific criteria to determine their priority.
  21. Example #2 Outcome: TOP 10 Focus Areas
     Columns: No | Strategic Initiative / Team (X marks which applies) | Focus Area | Weighted Risk Score | IA/S&P Plan
      1   X     Example Focus Area   4.65   IA/S&P – Example Project
      2   X     Example Focus Area   4.45   S&P – Example Project
      3   X     Example Focus Area   4.25   S&P – Example Project
      4   X     Example Focus Area   4.20   IA – Example Project
      5   X     Example Focus Area   4.20   S&P – Example Project
      6   X     Example Focus Area   4.15   IA – Example Project
      7   X     Example Focus Area   4.05   S&P – Example Project
      8   X X   Example Focus Area   3.95   IA – Example Project
      9   X     Example Focus Area   3.95   IA – Example Project
     10   X     Example Focus Area   3.75   IA – Example Project
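The weighted scoring from the Risk Assessment Methodology slide and the ranking behind the TOP 10 list, carried through in Python as an added example (not material from the presentation); the weights and the 1/3/5 scale are the slide's, while the focus-area names and their scores are constructed:

```python
# Added example, not the presentation's material: weighted risk scoring and
# ranking per the Risk Assessment Methodology slide. Weights and the 1/3/5
# scale are the slide's; focus-area names and scores below are constructed.

# Factor weights from the slide; they must total 100%.
WEIGHTS = {
    "Reputation Impact": 0.25,
    "Control Env.": 0.15,
    "External Env.": 0.20,
    "Mgt Concerns": 0.10,
    "Strategic Impact": 0.15,
    "Ops Impact": 0.15,
}
VALID_SCORES = {1, 3, 5}  # 1 = Low, 3 = Moderate, 5 = High


def weighted_risk_score(scores, weights=WEIGHTS):
    """sum(weight * score) over all factors, rounded to two decimals.
    Incomplete factor sets, off-scale scores and weights that do not total
    100% raise, so a bad register entry fails loudly instead of ranking low."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must total 100%")
    if set(scores) != set(weights):
        raise ValueError("scores must cover exactly the weighted factors")
    bad = {f: s for f, s in scores.items() if s not in VALID_SCORES}
    if bad:
        raise ValueError(f"scores must be 1, 3 or 5: {bad}")
    return round(sum(weights[f] * scores[f] for f in weights), 2)


def rank_focus_areas(candidates, top_n=10):
    """Rank focus areas by weighted score (ties broken by name) and keep the
    top N, as the TOP 10 Focus Areas slide does."""
    scored = ((name, weighted_risk_score(s)) for name, s in candidates.items())
    return sorted(scored, key=lambda item: (-item[1], item[0]))[:top_n]


# Constructed candidates; "Slide example" is the slide's own worked row.
FACTORS = list(WEIGHTS)
CANDIDATES = {
    "Slide example": dict(zip(FACTORS, [5, 3, 1, 5, 5, 3])),
    "Third-party data sharing (constructed)": dict(zip(FACTORS, [5, 5, 5, 5, 3, 5])),
    "Multi-year software implementation (constructed)": dict(zip(FACTORS, [3, 5, 3, 5, 5, 5])),
    "Security awareness training (constructed)": dict(zip(FACTORS, [3, 3, 1, 3, 1, 3])),
}

if __name__ == "__main__":
    for rank, (name, score) in enumerate(rank_focus_areas(CANDIDATES), start=1):
        print(f"{rank:>2}  {score:.2f}  {name}")
```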
  22. Example #2 Outcome: Recurring Projects & Internal Team Initiatives (diagram; recoverable labels only)
     Roadmap; CICA/CIMA; Member Value; IIA Standards; QAR; Compliance; Recruiting; COSO/FS Reporting; Example Area(s)
  23. Example #2 Outcome: IA/S&P Project Plan
     Project – Status
     To be approved by Audit Committee in August:
     • IA – Recruiting (Internal Team Initiative) – Not Started
     • IA – QAR (Internal Team Initiative) – Not Started
     • IA – Example Project (Internal Team Initiative) – Not Started
     • IA – Example Project – Not Started
     • IA – Example Project – Not Started
     • IA – Example Project – Not Started
     • IA – Example Project – Not Started
     • IA – Example Project – Not Started
     • IA/S&P – Example Project – Not Started
     To be approved by S&P Committee in August:
     • S&P – Example Project – Not Started
     • S&P – Example Project – Not Started
     • S&P – Example Project – Not Started
     • S&P – Example Project – Not Started
     • S&P – Example Project (Internal Team Initiative) – Not Started
     Recurring Projects:
     • S&P – Example Project Area – Not Started
     • IA/S&P – Example Project Area – Not Started
     • IA – External Audit Assistance – Not Started
  24. Example #3: Finding Process for Consulting Engagements
     Challenge
     • Within a consulting engagement for a multi-year software implementation IT project, feedback provided by IA/S&P either was not being addressed in a timely manner or was being forgotten among the many tasks.
     Innovative Thought
     • Use existing finding management processes to create a method that could be used during the IT project so that IA/S&P concerns are addressed in a timely manner and prior to go-live.
     Outcome
     • IA/S&P feedback is incorporated and accountability for timelines and resolution is clear.
  25. Example #3 Outcome (process flow; recovered from the slide's labels)
     • Preliminary Observation → Confirm Issue: 2 weeks to resolve.
     • Finding: for unresolved high or moderate risk issues; 1 week to respond with action plan/remediation date (past due if not received).
     • Verbal Finding: for unresolved low risk issues (no follow-up/action plan).
     • Monitoring Items: addressed with future activity; IA/S&P will monitor progress.
     • Summarize in quarterly report.
  26. Questions / Discussion
