5870 West Jefferson Blvd., Suite A
Los Angeles, CA 90016
Tel: 310.815.8855
Fax: 310.815.8808
info@OnlineSecurity.com
© 2008 Online Security
All rights reserved.
Forum : Corporate
Compliance: Lessons from the Front Lines
Every organization faces compliance obligations in today's business environment. The current hot legislation is the Sarbanes-Oxley Act, passed by Congress in direct response to the accounting scandals at Enron and WorldCom. It requires CEOs and CFOs to personally certify the accuracy of their company's financial reports and the effectiveness of the internal controls behind them. California, a leader in passing new regulatory and compliance legislation, enacted two bills almost simultaneously, Senate Bill 1386 and Assembly Bill 700. These require a business to notify customers in a timely manner when a database or system containing "customer non-public information" is compromised. The USA PATRIOT Act is another law, passed to give investigators broader access to private information with fewer restrictions in the name of preventing cyberterrorism; in the process, however, it seems to throw citizens' privacy out the window.
What this means is that there are now more areas where compliance with new laws must be addressed. In the corporate world there are regulatory agencies over almost any type of business, so businesses need to consider at every turn how they comply with the laws and regulations that apply to them. The very act of working toward compliance can earn a financial institution better examination ratings, a manufacturing organization a seal of approval, and a website a certificate of endorsement attesting to its security.
Let's look at the legislation currently pressing hardest on organizations. Sarbanes-Oxley requires CEOs and CFOs to certify their company's financial statements and the internal controls over financial reporting. With that in mind, each business unit of the company must now conduct control self-assessments showing that the financial processes embedded in the department are adequately controlled and that the company's finances are protected.
Whether the assessment is conducted internally by business personnel or by an outside firm hired to perform it, the unit still needs to verify that it has looked at all the risks in its daily workflow. From this it can rate the risks inherent in conducting its business and give the business area an overall risk level, and these unit ratings roll up into the final risk rating for the company. Middle management will most likely perform the compliance reviews and sign off that they are employing every appropriate method to protect the company's assets.
Internal audit will review the control self-assessments and sample-test them for compliance. Where the review finds questionable or inadequate processes, they are referred back to management for business process re-engineering until the processes comply with the legislation. Once that is complete, the external auditors review the entire process and verify the soundness of the organization's controls. They report to the Board of Directors and senior management that the controls in place are adequate to ensure the financial stability of the company. A financial institution may also report under FDICIA (the Federal Deposit Insurance Corporation Improvement Act), another compliance function.
If you approach the control self-assessment as a review based on risk, you will almost certainly find some amount of risk inherent in the company. What the organization needs to do is reduce that risk to a level it can defend to its auditors and regulators. Look at the controls your Information Technology department has put in place over the systems holding financial data, customer data, proprietary information about the company, trade secrets, and so on. But don't rely on the IT staff alone to secure the data; the business units own the processes that create and handle it.
In the business units there are Standard Operating Procedures to follow, more commonly known as the Policies and Procedures. If there are no Policies and Procedures, there is a gaping hole in the business unit: how can it identify its risk if it cannot describe how it conducts its business? Business units must know how their daily workflow is actually carried out. If the Policies and Procedures are not followed, how do they maintain the confidentiality, integrity, and availability of the information? Reviewing whether the Policies and Procedures exist and are actually followed is the primary risk assessment.
Do the Policies and Procedures identify the critical areas within the business unit, and are those areas identified in the unit's Business Continuity Plan? Are they also included in the Business Impact Analysis, prioritized by level of criticality? There is a natural flow from the business unit's Policies and Procedures through its Business Continuity Plan up to the Disaster Recovery Strategy Plan for the entire organization. Once the priorities have been set for the business units' critical processes, the organization places them in the recovery strategy for timely resumption should an event occur.
The entire control self-assessment process benefits the business units and needs to be embedded in the daily workflow. If the tasks that keep risk within the business units at a minimal level are performed daily, audits against those controls become easier, whether they are conducted internally, externally, or by the regulatory agency over your organization. This provides continual compliance with the regulations affecting your corporation.
How do you take on such a task? There are numerous ways; however, I am partial to an internal process conducted by the business units themselves. As the Information Security Officer, I conducted control self-assessments for the banking institution I was last associated with. Through this process, the business units received an education on what their risk actually was. It was very difficult to sell it to them, but I had the endorsement of the Board of Directors as well as senior management, and that backing is what assures that the organization will follow through with the assessments and reach compliance.
The project followed this methodology. We used a Data Categories Classification document to identify the levels of risk pertinent to the monetary value of the data involved. We determined three classifications, High, Medium, and Low risk, each with a dollar amount associated with it.
Next we provided definitions of Confidentiality, Integrity, and Availability as they applied to the business being conducted in our organization. Some definitions were clear to the business departments; others were more obscure and called for more education of the business unit. We included the mitigating controls in place within the processes that reduce or eliminate the risk of conducting the business, i.e., appropriate levels of access to the data, correct login methods, secure applications, firewalls, segregation of duties, training, and so on. From this evaluation of the levels of risk and the mitigating controls applied to them, the business units could determine their aggregate risk levels.
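The methodology above (a dollar-valued data classification, CIA impact ratings per process, and documented mitigating controls that combine into an aggregate risk level) can be written down as a small risk register. The following is an added worked example, not code from the article or from Online Security. The article gives no scoring formula, so the numbers here are assumptions: the dollar tiers, the likelihood reduction per control, the residual-dollar thresholds for the three tiers, and the rule that an undocumented process (no Policies and Procedures) receives no credit for its controls. The sample register is constructed for illustration.

```python
"""Control self-assessment risk register (added example; scoring model is assumed,
not the article's). Roll-up: process -> business unit -> organization."""
from dataclasses import dataclass, field
from functools import reduce

# Data Categories Classification: tier -> dollar exposure (constructed values).
CLASSIFICATION = {"High": 1_000_000, "Medium": 100_000, "Low": 10_000}

# Mitigating controls named in the article; the likelihood reduction per control is assumed.
CONTROL_WEIGHT = {
    "access_control": 0.25,
    "strong_login": 0.15,
    "secure_application": 0.15,
    "firewall": 0.10,
    "segregation_of_duties": 0.20,
    "training": 0.10,
}

# Residual-dollar floors for the aggregate tiers (assumed), highest first.
TIER_FLOOR = [("High", 300_000), ("Medium", 30_000), ("Low", 0)]
TIER_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Process:
    name: str
    unit: str
    classification: str                  # key of CLASSIFICATION
    cia: tuple                           # (C, I, A) inherent impact, each 1 (low) to 3 (high)
    controls: list = field(default_factory=list)
    documented: bool = True              # written Policies and Procedures exist and are followed

    def inherent_risk(self) -> float:
        """Dollar exposure of the data tier, scaled by the worst of the three CIA ratings."""
        if any(r not in (1, 2, 3) for r in self.cia):
            raise ValueError(f"{self.name}: CIA ratings must be 1..3")
        return CLASSIFICATION[self.classification] * max(self.cia) / 3

    def residual_likelihood(self) -> float:
        """Each distinct control trims the likelihood multiplicatively. An undocumented
        process gets no credit: a control nobody can describe cannot be audited."""
        unknown = set(self.controls) - set(CONTROL_WEIGHT)
        if unknown:
            raise ValueError(f"{self.name}: unrecognised controls {sorted(unknown)}")
        if not self.documented:
            return 1.0
        return reduce(lambda acc, c: acc * (1 - CONTROL_WEIGHT[c]), set(self.controls), 1.0)

    def residual_risk(self) -> float:
        return self.inherent_risk() * self.residual_likelihood()

    def tier(self) -> str:
        return next(t for t, floor in TIER_FLOOR if self.residual_risk() >= floor)


def unit_ratings(register):
    """A business unit is rated by its riskiest process."""
    ratings = {}
    for p in register:
        current = ratings.get(p.unit, "Low")
        ratings[p.unit] = max(current, p.tier(), key=TIER_ORDER.__getitem__)
    return ratings


def organization_rating(register):
    """The organization is rated by its riskiest business unit."""
    return max(unit_ratings(register).values(), key=TIER_ORDER.__getitem__)


def overrated_units(register):
    """Units that self-rated every process 3/3/3: send the assessment back for another look."""
    by_unit = {}
    for p in register:
        by_unit.setdefault(p.unit, []).append(p.cia == (3, 3, 3))
    return sorted(u for u, flags in by_unit.items() if all(flags))


# Constructed sample register for a small bank (illustrative, not real data).
REGISTER = [
    Process("wire transfer release", "Treasury", "High", (3, 3, 2),
            ["access_control", "segregation_of_duties", "strong_login"]),
    Process("customer address change", "Retail Ops", "Medium", (3, 2, 1),
            ["access_control"], documented=False),
    Process("ATM card reissue", "Retail Ops", "Medium", (2, 2, 2),
            ["access_control", "strong_login", "training"]),
    Process("monthly newsletter", "Marketing", "Low", (1, 1, 1), ["training"]),
    Process("office supply ordering", "Facilities", "Low", (3, 3, 3), []),
]

if __name__ == "__main__":
    for p in REGISTER:
        print(f"{p.unit:11} {p.name:26} residual ${p.residual_risk():>10,.0f}  {p.tier()}")
    print("units:", unit_ratings(REGISTER))
    print("organization:", organization_rating(REGISTER))
    print("revisit (rated everything High):", overrated_units(REGISTER))
```

Two design points carry the article's argument. First, the dollar tier caps the score: Facilities can rate its supply ordering 3/3/3, but Low-tier data keeps it a Low risk, which is exactly the conversation the author describes having with units that marked everything High. Second, the "customer address change" process has a real control but no written procedure, so it scores as if the control were absent; that is the "gaping hole" that the Policies and Procedures review is meant to find before an auditor does.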
The project took nearly a year to complete, largely because of the education process. Some business units rated everything they performed as High Risk. We all know that can't be true: although every business department believes what it does is the most important thing in the company, not every process carries a high-risk rating. The business units were also hesitant to identify their processes adequately and to recognize the mitigating controls they already had in place to reduce the risk levels. That gave us another opportunity to review the risk assessment with them and ask pertinent questions so they could determine the true amount of risk in their processes. Some business units had to revisit their self-assessments several times, an arduous task at best. In the long haul, it was a value-added process.
Compiling every control self-assessment the business units conducted produced the overall risk rating for the organization. This was reported to the Board of Directors on the one-year anniversary of the Gramm-Leach-Bliley Act's requirements for protecting "customer non-public information." The organization was in compliance not only with the Gramm-Leach-Bliley Act but also with the expectations of our federal regulator: the Office of the Comptroller of the Currency had required us to take the Gramm-Leach-Bliley legislation further and perform information security control self-assessments throughout the organization to ensure all corporate information was secure.
Now the corporation could regularly review and update its risk control self-assessments on an ongoing basis. When a new process was incorporated into the daily workflow, the unit could identify the risk involved, update its risk assessment along with its Policies and Procedures and Business Continuity Plan, and report the changes to the Information Technology department for the corporate Disaster Recovery Strategy Plan. As you can see, when this is done properly the risk assessment process is embedded and your organization can remain continually in compliance.