IT Compliance and Controls

Converging Business, Information, and Controls


Deloitte: Business ‘Value’ Metrics are Needed …

February 24th, 2010 · No Comments

A webcast by Deloitte, accompanied by a poll, has provided some interesting data points on the state of data governance within businesses.  On the heels of this webcast and poll results I have also added some insight from my field experience and general personal impressions.  Interesting facts include:

  • The definition of Data Governance is often different for different people throughout the organization

Creating a great opportunity to establish relative context and personal ownership across the myriad divisions and geographies of the business

  • 36.4% think the chief information officer (CIO) should be the sponsor and accountable for data governance in an organization

Full accountability I accept, but responsibility must be across those that have personal and business concerns directly related to Data Governance

  • 15.5% consider data asset specification optimization as a top problem

Reading these findings I cannot help but hear a certain management guru seeking to hear the contrarian position.  This is not to say that Data Governance is bad or good, but perhaps to provide supplemental support to a very difficult challenge.
A great challenge of Data Governance is shifting culture and human behavior to instill control around the data in question.  An interesting approach would be to find what is already being done within the business operations that can provide a control and monitor with some form of natural feedback.  This would allow data governance to occur naturally relative to every organization, while allowing for broad adoption across the board with low cost impact.

Such controls can be found in the manner in which data is accessed from the databases and file servers.  Controls can be pulled from how the desktop / laptops are deployed and supported.  This approach looks at the entire business as a system, and can allow for controls to be recorded.  In essence, the objective is to (at least partially) establish data governance and spot level controls without labeling a new server / gadget / process as data governance.
Again, this is not an argument against a mature and prudent data governance program across an enterprise, but simply an identification of possible supplemental avenues that can bring those greatly desired early wins.

Other contrary native controls?

Reflectively,

James DeLuccia


Widespread Data Breach Evidence found on P2P Environments

February 22nd, 2010 · No Comments

The FTC sent out letters to nearly 100 organizations advising that customer and / or employee data that is protected by United States’ laws was widely available online.  The release of such information is not new to most - given the early days of Napster when entire hard drives were shared and QuickBooks files and more were available to every person with the curiosity to look for them.

The notice stated that personal health records; financial account information; data protected by PCI DSS, HIPAA, and HITECH; and other PII data records were available and discovered by the FTC to be exposed.

These notifications are a great step, however, as they provide businesses with awareness and guidelines on reducing the threat and provide guidance on how to minimize the impact of these data breaches.  Unfortunately, as these file sharing systems go - the data is likely released permanently and the owners of this information will need to establish monitoring and preventive measures moving forward.

A few things suggested by the FTC on protecting sensitive information from being exposed to P2P networks include:

  • Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved.
  • Minimize or eliminate the use of P2P file sharing programs on computers used to store or access sensitive information.
  • Use appropriate file-naming conventions.
  • Monitor your network to detect unapproved P2P file sharing programs.
  • Block traffic associated with unapproved P2P file sharing programs at the network perimeter or network firewalls.
  • Train employees and others who access your network about the security risks inherent in using P2P file sharing programs.

In addition, the use of personal computers and smart devices (PDA, iPod Touch, iPhone, Android device, iPad, etc…) should be carefully reviewed and their use defined.  The velocity of data creates a need for DLP at multiple points.  As the utility of such devices increases, the need for managing this information and protecting it will also increase.

Thoughts on how to minimize the release to P2P networks?

- James DeLuccia


Lessons from Financial Crisis for CIO and Executive Technology Leadership, pulled from Senior Supervisors Group

November 9th, 2009 · No Comments

According to a recent examination by global professionals relating to the failure of risk management controls with respect to financial exposures, many of the failures can be attributed to very specific technology failures.  This does not excuse the vast amount of other shortfalls, and you may apply blame as you see fit.  It does highlight that these certainly did not help the situation any, and in fact exacerbated it to some degree.  A few cogent points highlighted in the 36 page report are eerily applicable to all organizations, and should be a flare to all audit, security, risk management, and compliance personnel.  PDF Report can be downloaded here.

Points that should be carefully considered:

“One challenge to improving risk management systems has been poor integration resulting from multiple mergers and acquisitions”

This is especially dangerous considering that many businesses choose to operate separately initially to insulate interruptions to the business at large.  Information systems are generally incompatible at the beginning of any integration.  This is due to the lack of pre-planning and enterprise M&A integration methodologies within the acquiring firms.  Organizations should take immediate action if they have acquired entities without consolidating these technology systems, or at the very least routing ALL traffic, logs, compliance controls, and processes through the acquiring entity.  This creates both friction and a need for efficiency - two very powerful forces that will result in immediate transformation of these information technology environments, in the right direction.

“…acquisitions over the years have produced an environment in which static data are largely disaggregated”

This affects the ability to ensure daily consistent delivery of data and information technology services.  In addition, historic activity is just as important in managing current data environments.  Lacking such clarity and statistics requires executives to manage blindly without any context or sensible barometer of delivery and achievable commitments.

“…certain products and lines of business have not been included in data aggregation and analysis processes”

Technology historically has been disconnected from the business delivery objectives, and actual exclusion of specific products and businesses only ensures budgets will be misplaced; service will be inappropriate; and risks will not be addressed properly (if at all).

“…two systems for the same business results in duplication of processes”

This finding simply highlights waste - waste in resources; talent; time; bandwidth; budget, and brainpower.  In an age of interconnected capabilities such requirements for dual systems should be becoming sparse and rare.

An interesting message that echoes throughout the report is risk management’s lack of complete visibility into the firms’ risks.  A point that is both similar in nature and impact to CIO and Technology executives alike.  How well do we professionals truly understand what is happening and has happened within the business information systems?  Is all the data that is pertinent provided and managed?  Peter Drucker would certainly ask - Are you fully aware of the system (not the one computer or the e-transactions, but the technology system as a whole)?  Are you making choices based on all the right information, or based on the information you have (right or wrong)?

The crossovers from professional risk management and technology leadership are clear, striking, and very relevant.  It is prudent that today’s leadership is aware and armed with the skills across many trades - risk management in particular - to truly leverage the centuries of experience that exist within arm’s reach.

Additional perspective - please leave a comment,

James DeLuccia IV

Check out my other thoughts here on IT Controls and PCI DSS


Hard valuations and real world returns for IT GRC

November 5th, 2009 · No Comments

In the past five years of delivering work that has been focused on aligning and enhancing corporations against contractual agreements, operational requirements, and risks - today officially classified as Governance, Risk and Compliance (or GRC) - through technology, I have seen real returns for my clients.  While these improvements happen immediately, the real rewards are realized through embedding the efforts over the long haul.  I have been quite pleased with the results of my own GRC activities, and based the book on highlighting these core success criteria.

A recent survey, albeit funded by a GRC vendor, conducted by the Aberdeen Group reinforces the returns corporations receive through adopting GRC into their organizations.  I find these results to be in-line with my own personal experience.  The link to the press release is here.  A quick bit of the numbers they highlight include:

Some of the main results pointed out by the research show that Best-in-Class companies:

1. estimated that business-critical decisions are made 10% faster, based on improved management visibility into current risks.

2. eliminated redundant risk management activities and processes, with a reduction of 8.5%.

3. improved efficiency of their compliance tracking and reporting processes by 12% and their ability to provide clear, timely communication of risks and compliance status to shareholders and board of directors.

4. increased their flexibility to adjust to new or updated regulatory requirements by 11.5%.

I strongly encourage organizations to develop a culturally correct IT Governance process and create an ongoing GRC initiative.  Only when technology, business risk, and innovation are moved together can organizations truly capitalize on the benefits of their existing assets.

A separate report, Managing Risk, Improving Visibility, and Reducing Operating Costs, was released in May 2009; it is also quite good and highlights the IT GRC benefits.  As with any industry report, be aware of the samples, scope, sources, funding for the report, and how your organization differs from and is similar to those studied.

Other considerations?

James DeLuccia IV

(Please note, I was unable to locate the actual report beyond the broken link in the press releases.  I will check periodically and see if I can locate it when it becomes available.  If you find it, please post a comment and I will update here)


Beware Outsourcing Savings from oDesk and others…

August 13th, 2009 · 1 Comment

An incredible trend is happening in the “for contract” market - specifically the for hire programmers.  oDesk and eLance both show dramatic upticks in the amount of work being posted and delivered on the site (nice article here on the growth).  oDesk alone is tracking about 100,000 hours a week of work, or nearly $65 million worth.  This massive increase in outsourced projects to independents and for hire groups is an indicator of the need for businesses to find affordable development, but at what cost?
The trend is perfect for highlighting how businesses can shift to deliver services required - in any economy.  The trend equally shows that the practices and methods shift as well.  The challenge is making this shift securely and with the correct safeguards.  (This is highlighted nicely from a macro risk perspective by Mike Nolan here in The Need for Alignment.)  Leveraging contractors has always required specific validation techniques:

  • Right to Audit clauses to ensure operations meet marketing materials
  • Background check summaries on contractors
  • AV and anti-malware software running on contractor systems (or in the U.S. government, no p2p)
  • Vendor management procurement procedures

Awareness is necessary for when these jobs begin to be sourced through open market places.  The fidelity of the business providing the services, protection of intellectual property, and the proper review of software against best practices are only the beginning of the new and expanded risks that must be considered.
Businesses and leaders should certainly embrace these open markets that allow greater access and better price transparency, but it must be done in a manner that reflects the risk capability of the business to ensure a balanced operating environment.

Additional thoughts and ideas on best practices for vetting outsourcing vendors?

James DeLuccia IV


Third Party Fraud - Breaking down Trust

August 4th, 2009 · 1 Comment

As the economies around the world remain challenged by the economic environment, the propensity for fraud is significantly higher.  One may speculate that fraud is consistent but only our sensitivity shifts between good and bad times.  Whichever school of thought you support is a matter of risk perspective, and quite irrelevant today.

Fraud is up on a worldwide basis.  The attacks and scams are increasing, and it is occurring across all sectors.  An excellent breakdown, the “KPMG Forensic Fraud Barometer”, states that for the UK over 1.1 billion Pounds of fraud came to court in 2008.

The Association of Certified Fraud Examiners (ACFE) has a great amount of detailed statistics here, a nice simple guide for small businesses seeking to minimize/prevent fraud, and a nice bit of information on the past ACFE fraud conference (highly recommended).

We are definitely seeing these frauds perpetrated in common channels - such as in Las Vegas at Conferences (below are several links to articles referring to two ATMs found during the DefCon 17 Conference - very interesting read):

In addition, organized crime groups are also leveraging the technologies of today (Facebook, twitter, SMS) - and the attack vectors (e.g., phishing).

Protection; Prevention; Detection:

  1. Being aware of trends is vital to erecting current and appropriate (even if temporary) safeguards - such as required by the FTC Red Flag
  2. Communicate with peers and collaborate - that may be accomplished by being a part of message boards, Twitter groups, and attending conferences.
  3. Evaluate your fraud programs and determine the current success rate, and implement corrections.

These are simply single high level areas to consider - review your fraud programs seriously and consider the resources available by the above referenced parties.

As mentioned by Vivien Osborne of KPMG UK in the KPMG Forensic Fraud Report:

“In these harsh economic times, internal fraud could become the tipping point between the survival and demise of an organisation.  Companies need to be rigorous about re-enforcing their anti-fraud measures.  By reviewing their high risk and key operations, having effective reporting channels and deploying detection mechanisms such as data analytics they may give themselves a better chance to fight fraud.”

Additional Fraud Resources, please add below in comments.

Best,

James DeLuccia IV


A bright spot in the innovation wave - a Venture Fund with strong focus on IT

July 8th, 2009 · No Comments

As friends know, I have been launching businesses for the past few years with varied success and feelings about venture capitalists.  The summation is the common “chicken and egg problem”.  Meaning most investors that do not understand a new technology, or paradigm shifting solutions, seek to see the solution working first.  The inventor and technologist will likely feel that is the whole point of pitching for financing ;)  Hence chicken or egg.  I am extremely pleased to see Ben Horowitz and Marc Andreessen launching a new fund focused on placing money on the table to encourage solutions and innovation within IT Security, Compliance, and the tactical areas of the industry. One of their core principles:

Technology and its advancement is absolutely central to human progress. Entrepreneurs who create new technologies and technology companies are improving the standard of living of people worldwide and unlocking amazing new levels of human potential.

So a call to action to all my colleagues and friends that have been screaming and itching to make the world better through their own ingenuity and hard work - APPLY; develop; and make a difference.

Or to consider the problem statement above:  Be a Rooster, because in the “Which came first the Chicken or the Egg” problem - the Egg is the answer, because Chickens don’t lay eggs - Roosters do.

Happy inventing and hacking,

James DeLuccia IV

For inspiration on problems to solve, check out my other site here.


How understanding Human Behavior can improve your business

July 2nd, 2009 · No Comments

There are many challenges to growing a business, sustaining a business, and definitely changing a business.  The latter, most would agree, is by far the hardest and largest challenge for organizations seeking to adopt controls throughout the business.  Here, controls is a generic term used to include policies, procedures, technology safeguards, and routine human manual activities that seek to provide consistency of operations.
As an advocate of trying to build control environments that reflect the business culture instead of forklifting a standard method (i.e., dropping COBIT 4 onto the business and walking away), it is encouraging to see how a study out of the University College of London supports the potential of dense populations.
The UCL study found that “High population density leads to greater exchange of ideas and skills…”  This is profound when one considers how a business core team spends more time together than they do apart.  Even a common joke is that those who work together spend more time together than they do with their own spouses.
The takeaway from this study is that businesses with core teams that work intensely together will excel where those alone cannot, and this is pointedly true with implementing a control environment.  It is true that bolting on a new standard or government set of mandates is inefficient, but what most fail to capture is how innovative businesses can be when working together to solve these problems.
Check out the interesting study here from the University College of London.
Moving forward - consider forming tight teams that are semi-permanent that are focused on finding innovation in the controls themselves to constantly uncover efficiencies and opportunities.

Best,

James DeLuccia IV


Compliance Week 2009: Ineffective Controls due to Consolidation of Regulators

June 4th, 2009 · No Comments

This week is Compliance Week and for most that implies vendor pitches and F.U.D., but there have been specific tidbits flowing from the conference that indicate otherwise.  If you are not in attendance the consistent flow on Twitter (your window into conversations of interest) and upon blogs should give you a reasonable re-cap.  I strongly recommend, if any sessions are of interest, reaching out to the speakers directly and striking up a conversation - the speaker’s list is here.
Michael Rasmussen has posted a nice update on his blog.  He raises a point that is of particular interest to business executives and practitioners that I wanted to expand upon: the concept of regulation, the merging of regulating agencies, and the net effect on effectiveness and efficiencies.  There are plenty of arguments against regulation and for it, but that is not the point here - what is intriguing is what happens to the businesses themselves in these ebb and flow moments in our history?  I go into great detail on this fact in my book, but want to point out specific areas of focus.
The concept of “consolidating” regulators and legislation to create a super structure to protect the citizens has the net effect of watering down guidance and regulation.  This is a common complaint for individuals adopting (fully) ITIL v3 or COBIT.  These are too broad to properly fit any one organization, and unlikely to address the risks any one organization faces adequately.
Given this observation, executives should consider:

  • Embrace public; international; open governance / security frameworks and cut from here your own program
  • Cost to compliance should DECLINE and not increase over time - unless your business is expanding at which point the cost curve should be correlated to that of the expansion costs
  • The achievement of compliance is not sufficient to thwart the risks to the business - security, privacy, operational integrity, and satisfaction of contractual agreements require a cultural and organic approach

Practitioners must take it upon themselves to educate and communicate when compliance F.U.D. and marketing take over a business’ risk management programs.  Only through communication will everyone know what risks exist; what risks are addressed; which risks are immaterial; and how they fit together to form the information security program and governance processes.

Other insights and perspectives on the effect of consolidating and “watering down” effective controls and safeguards to the point where they do not address the original intent?

Kind regards,

James DeLuccia IV


Cost of a Lost Laptop

May 4th, 2009 · No Comments

There are numerous instances where laptops and portable devices are lost / stolen.  From the classic CEO whose laptop disappeared at a conference to those thieves who coincidentally opened the one trunk of an auditor’s rental car and gained access to significant sensitive information, such stories sprinkle the news wires.
While imagination can speak to what the impacts may be - Intel sponsored a report by the Ponemon Institute on this very topic.
The net result is the majority of costs are derived from the substance of the data and not the actual laptop itself - meaning if there is Proprietary IP or protected sensitive data the costs are impactful.  Check out the Intel page here, and the straight link to the paper here.
The report is centered explicitly on the costs and highlights the worst case scenarios without providing alternate avenues of thought and opportunity.  I would challenge readers of the report to consider how data is managed and utilized in the organization before safety cabling every laptop, deploying full-disk encryption (not a bad idea), or rolling out full dumb-terminal netbooks.
In addition - consider the other devices that are transported with these laptops that can carry just as sensitive (or the same) data without any of the particular solutions or safeguards - your iPhone / BB, a collection of USB tokens, CDs, iPod, Kindle, etc…

Consider all the data carriers before pushing out point solutions - data should be managed within an evolving program to satisfy each new channel and environment (Social networks, twitter, IM, torrent …)

Thoughts?

James DeLuccia IV
