1. Audit / Compliance & Risk Governance
Business Development Training
Tory S. Quinton
2. Lead Generation Lifecycle Schedule
Opening: Know who you are speaking with, what their role is and how your solution can benefit them in a broad and general sense.
Solution Scoping: Questions designed to give insights into how the solution will benefit the organization. These questions should also be used to build interest on the part of the customer.
Challenge Questions / Statements: How do the challenges identified in the Questioning and Solution Scoping phase impact the customer individually and organizationally?
Closing: Determine the timeframe for evaluation / implementation and submit a calendar invite for Sales Engagement.
Items on the lifecycle diagram (Security Compliance / Risk Management):
• Identify your contact
• Identify your customer's ERP
• Budget: 20K+
• Frequency of audits
• Challenges related to Segregation of Duties
• Challenges with Access Governance / Reviews
• Challenges with Change Tracking / Reporting
• How the challenges impact you / your organization
• Challenges with Litigation Mitigation
• 12–18 month evaluation / implementation timeline
• Calendar invite
3. Six Pillars of Control Monitoring
• Access Certification
• Risk Analysis
• Role Management
• Compliant User Provisioning
• Continuous Monitoring
• Emergency Access Management
Six Success Markers
• Categorize the underlying criticality & assess the value of specific IT systems & data.
• Select baseline security controls & apply device policies as directly related to overall risk.
• Implement & validate effective controls that properly execute the required security policies.
• Assess continuously that all controls work in unison to maintain cross-infrastructure protection.
• Authorize requests to alter network access & record all changes and their specific parameters.
• Monitor all required security controls at all times to maintain overarching policy compliance.
5. Segregation of Duties
WHAT IS IT?
A basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibility for a key process: the critical functions of that process are dispersed across more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.
WHY IS IT IMPORTANT?
Imagine what would happen if the keys, lock and code for a nuclear weapons system were all in the hands of one person! Emotions, coercion, blackmail, fraud, human error and disinformation could cause grave and expensive one-sided actions that can't be corrected. Or, consider the software engineer who has the authority to move code into production without oversight, quality assurance or verification of access rights.
Without SOD, either of these scenarios clearly shows the possibility of disastrous outcomes. As a result, the risk management goal of SOD controls is to prevent unilateral actions from occurring in key processes where irreversible effects are beyond an organization's tolerance for error or fraud.
6. Access Governance / Reviews
What is it?
The foundation of any access risk management initiative should be adherence to the principle of least-privileged access, which ensures that legitimate users have only the minimum amount of access necessary to do their job. Access-related risks become unacceptable when the principle of least-privileged access is violated, so it is critical that organizations avoid violations to minimize risk.
Perhaps more importantly, organizations should understand how violations happen in order to avoid them. Typically, violations are the result of one of five access governance challenges:
Common Challenges
1. Entitlement Inertia: The failure to remove previously issued access entitlements once they are no longer necessary or appropriate.
2. Orphaned Accounts: User access data is not only contained within centralized directories where it can be monitored, but is also scattered throughout the organization's information resources, where it is often unmonitored. This greatly increases the possibility that "orphaned" accounts remain after the off-boarding process that takes place when an employee leaves the organization.
3. Compliance Myopia: The mistaken assumption that compliance with access-related regulatory guidelines ensures adequate access risk management.
4. Rubber Stamping: Happens when business managers are asked to review and approve access entitlements that are communicated to them in a security syntax they cannot understand.
5. Accountability Loopholes: Remain open as long as full responsibility for access governance is limited to IT. IT security teams operationalize access at the request of the business, but they do not have the business context to understand what level of access is needed for a particular job function or business responsibility.
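The checks behind the Segregation of Duties slide and the access governance challenges above (toxic function combinations, orphaned accounts, entitlement inertia), as an added example that is not code from the original deck or from any product it describes. It also goes one step further than the text by adding the preventive check that the Compliant User Provisioning pillar implies: refusing a new grant that would create a conflict, rather than only reporting conflicts after the fact. The entitlement export, the SOD rule set, the HR feed of active employees, the account names and the dates are all constructed for the example; real ERP exports use transaction codes or roles, which would be mapped to business functions like these before review so that approvers are not handed a "security syntax" they cannot read.

```python
"""
Added example (not from the original deck): detective and preventive checks
for SOD conflicts, orphaned accounts and entitlement inertia, run over a
constructed entitlement export.  All names, functions, rules and dates are
hypothetical.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: (account, business function, date last exercised).
ENTITLEMENTS = [
    ("alice",      "create_vendor",   date(2024, 5, 1)),
    ("alice",      "approve_payment", date(2024, 5, 3)),
    ("bob",        "create_vendor",   date(2023, 1, 10)),   # unused for over a year
    ("bob",        "post_journal",    date(2024, 5, 2)),
    ("carol",      "deploy_to_prod",  date(2024, 5, 4)),
    ("carol",      "approve_change",  date(2024, 5, 4)),
    ("dave",       "post_journal",    date(2024, 4, 30)),   # dave has left the company
    ("svc_legacy", "approve_payment", date(2022, 8, 8)),    # no owner in the HR feed
]

# Toxic combinations: pairs of functions one person must never hold together,
# with the fraud/error scenario the rule guards against (constructed rule set).
SOD_RULES = {
    ("create_vendor", "approve_payment"): "pay a fictitious vendor",
    ("deploy_to_prod", "approve_change"): "push unreviewed code to production",
    ("post_journal",   "approve_journal"): "self-approve a journal entry",
}

# Constructed HR feed of currently active employees (the source of truth
# that the access system is reconciled against).
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}

# Constructed date on which the access review is run.
REVIEW_DATE = date(2024, 5, 10)


def functions_by_account(entitlements):
    """Collapse the export into {account: {function: last_used}}."""
    held = defaultdict(dict)
    for account, function, last_used in entitlements:
        held[account][function] = last_used
    return held


def sod_violations(entitlements, rules=SOD_RULES):
    """Detective control: accounts that already hold a toxic combination."""
    held = functions_by_account(entitlements)
    found = []
    for account in sorted(held):
        for (a, b), scenario in rules.items():
            if a in held[account] and b in held[account]:
                found.append((account, a, b, scenario))
    return found


def would_conflict(entitlements, account, new_function, rules=SOD_RULES):
    """Preventive control for compliant provisioning: the rules a new grant
    would break, given what the account already holds.  Empty list = safe."""
    current = functions_by_account(entitlements).get(account, {})
    return [
        (a, b, scenario)
        for (a, b), scenario in rules.items()
        if new_function in (a, b) and (a if new_function == b else b) in current
    ]


def orphaned_accounts(entitlements, active_employees):
    """Accounts carrying entitlements with no active owner in the HR feed."""
    return sorted({account for account, _, _ in entitlements} - set(active_employees))


def stale_entitlements(entitlements, as_of, max_idle_days=90):
    """Entitlement inertia: access not exercised within the review window."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted((account, function)
                  for account, function, last_used in entitlements
                  if last_used < cutoff)


if __name__ == "__main__":
    for violation in sod_violations(ENTITLEMENTS):
        print("SOD     ", violation)
    print("ORPHANED", orphaned_accounts(ENTITLEMENTS, ACTIVE_EMPLOYEES))
    print("STALE   ", stale_entitlements(ENTITLEMENTS, REVIEW_DATE))
    print("GRANT bob approve_payment ->",
          would_conflict(ENTITLEMENTS, "bob", "approve_payment"))
```

The detective checks feed the Access Certification and Continuous Monitoring pillars (what a quarterly review should surface); `would_conflict` is the hook a provisioning workflow calls before a request is approved, so that a toxic combination is blocked rather than discovered at audit time. A rule set kept as business-level function pairs with the fraud scenario spelled out is also what lets a business manager review the output without rubber stamping.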
7. Change Tracking
WHAT IS IT?
Change Tracking gives your customers a clear history of their data, including who accesses it and when, any changes made to it, and how that data may have been off-ramped, including by email, printing or transmission.
WHY IS IT IMPORTANT?
Knowing the history of your data gives you three very important things:
1. Greater protection for your reputation and financial bottom line, and the ability to keep your customers' trust in the event of a security event.
2. Improved ability to stay compliant with ever-changing regulations.
3. Reduced risk of litigation and minimized financial penalties after a security event.
How much is your peace of mind worth?
8. The Importance of Security
There are real consequences…
A proactive Compliance policy that includes access controls, audit controls and change tracking is foundational to any security policy, BUT you cannot protect yourself from all threats. What happens after a security event defines your organization's ability to bounce back, stay in good favor with customers and minimize financial penalties.
To protect yourself it is imperative that you understand the risks associated with…
• Human Error
• Document Handling / Mis-Handling
• Recovering from Natural Disasters
• Employee Turnover
• Improperly configured networked devices
• Malicious Internal Attack
• Malicious External Attack
• Data Tampering
• Theft of Services
1. There were 91,765,453 reported Security Events in 2015.
2. This equals 1,764,720 Security Events per week that IT professionals and Compliance Managers MUST deal with.
3. 54% of employees admit they don't always follow security policy.
4. 51% of those employees work with confidential information.
5. A minimum of 29% loss to your reputation!
6. 21% loss in Employee Productivity!
7. 19% in lost revenue!