<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>IT Compliance and Controls</title>
	<atom:link href="http://www.itcomplianceandcontrols.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itcomplianceandcontrols.com</link>
	<description>Converging Business, Information, and Controls</description>
	<pubDate>Mon, 09 Nov 2009 15:16:38 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Lessons from Financial Crisis for CIO and Executive Technology Leadership, pulled from Senior Supervisors Group</title>
		<link>http://www.itcomplianceandcontrols.com/2009/11/09/lessons-from-financial-crisis-for-cio-and-executive-technology-leadership-pulled-from-senior-supervisors-group/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/11/09/lessons-from-financial-crisis-for-cio-and-executive-technology-leadership-pulled-from-senior-supervisors-group/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 15:16:38 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[2009]]></category>

		<category><![CDATA[cio]]></category>

		<category><![CDATA[ciso]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[controls]]></category>

		<category><![CDATA[corporate integrity]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[Executive]]></category>

		<category><![CDATA[Financial Crisis]]></category>

		<category><![CDATA[governance]]></category>

		<category><![CDATA[information security]]></category>

		<category><![CDATA[IT Compliance and Controls]]></category>

		<category><![CDATA[PCI]]></category>

		<category><![CDATA[Peter Drucker]]></category>

		<category><![CDATA[Senior Supervisors Group]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=63</guid>
		<description><![CDATA[According to a recent examination by a global group of supervisors of the failure of risk management controls over financial exposures, many of the failures can be attributed to very specific technology failures.  This does not excuse the many other shortfalls (apply blame as you see fit), but it does highlight that [...]]]></description>
			<content:encoded><![CDATA[<p>According to a <a href="http://www.newyorkfed.org/newsevents/news/banking/2008/rp080306.html">recent examination</a> by a global group of supervisors of the failure of risk management controls over financial exposures, many of the failures can be attributed to very specific technology failures.  This does not excuse the many other shortfalls (apply blame as you see fit), but it does highlight that these failures certainly did not help the situation and in fact exacerbated it to some degree.  A few cogent points highlighted in the 36-page report are eerily applicable to all organizations, and should be a flare for all audit, security, risk management, and compliance personnel.  <a href="http://www.newyorkfed.org/newsevents/news/banking/2008/SSG_Risk_Mgt_doc_final.pdf">The PDF report can be downloaded here</a>.</p>
<p><em>Points that should be carefully considered:</em></p>
<blockquote><p>&#8220;One challenge to improving risk management systems has been poor integration resulting from multiple mergers and acquisitions&#8221;</p></blockquote>
<p>This is especially dangerous considering that many acquired businesses choose to operate separately at first, to insulate the business at large from interruptions.  Information systems are generally incompatible at the beginning of any integration, owing to the lack of pre-planning and of enterprise M&amp;A integration methodologies within the acquiring firms.  Organizations should take immediate action if they have acquired entities without consolidating these technology systems, or, at the very least, route all traffic, logs, compliance controls, and processes through the acquiring entity.  This creates both friction and a need for efficiency - two very powerful forces that will result in immediate transformation of these information technology environments, in the right direction.</p>
<blockquote><p>&#8220;&#8230;acquisitions over the years have produced an environment in which static data are largely disaggregated&#8221;</p></blockquote>
<p>This affects the ability to ensure consistent daily delivery of data and information technology services.  In addition, historical activity is just as important as current data in managing today's data environments.  Lacking such clarity and statistics forces executives to manage blindly, without context and without a sensible barometer of delivery and achievable commitments.</p>
<blockquote><p>&#8220;&#8230;certain products and lines of business have not been included in data aggregation and analysis processes&#8221;</p></blockquote>
<p>Technology has historically been disconnected from business delivery objectives, and the outright exclusion of specific products and businesses from data aggregation only ensures that budgets will be misplaced, service will be inappropriate, and risks will not be addressed properly (if at all).</p>
<blockquote><p>&#8220;&#8230;two systems for the same business results in duplication of processes&#8221;</p></blockquote>
<p>This finding simply highlights waste - waste in resources, talent, time, bandwidth, budget, and brainpower.  In an age of interconnected capabilities, the requirement for dual systems should be becoming sparse and rare.</p>
<p>An interesting message that echoes throughout the report is risk management&#8217;s lack of complete visibility into the firms&#8217; risks.  That point is similar, in nature and in impact, to the position of CIOs and technology executives alike.  How well do we professionals truly understand what is happening, and what has happened, within the business information systems?  Is all the pertinent data provided and managed?  <a href="http://harvardbusiness.org/search/drucker/">Peter Drucker</a> would certainly ask: Are you fully aware of the system (not the one computer or the e-transactions, but the technology system as a whole)?  Are you making choices based on all the right information, or based on the information you happen to have (right or wrong)?</p>
<p>The crossovers between professional risk management and technology leadership are clear, striking, and very relevant.  It is prudent that today&#8217;s leadership be aware of and armed with skills across many trades - risk management in particular - to truly leverage the centuries of experience that exist within arm&#8217;s reach.</p>
<p>Additional perspective - please leave a comment,</p>
<p>James DeLuccia IV</p>
<p>Check out my other thoughts here on <a href="http://pcidss.wordpress.com">IT Controls and PCI DSS</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/11/09/lessons-from-financial-crisis-for-cio-and-executive-technology-leadership-pulled-from-senior-supervisors-group/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Hard valuations and real world returns for IT GRC</title>
		<link>http://www.itcomplianceandcontrols.com/2009/11/05/hard-valuations-and-real-world-returns-for-it-grc/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/11/05/hard-valuations-and-real-world-returns-for-it-grc/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 14:26:14 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[2009]]></category>

		<category><![CDATA[Aberdeen Group]]></category>

		<category><![CDATA[Analyst report]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[controls]]></category>

		<category><![CDATA[cost of impact]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[governance]]></category>

		<category><![CDATA[GRC]]></category>

		<category><![CDATA[information security]]></category>

		<category><![CDATA[IT Compliance and Controls]]></category>

		<category><![CDATA[IT GRC]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=60</guid>
		<description><![CDATA[In the past five years of delivering work focused on aligning and enhancing corporations against contractual agreements, operational requirements, and risks - today officially classified as Governance, Risk and Compliance (or GRC) - through technology, I have seen real returns for my clients.  While these improvements happen immediately, the real rewards are realized [...]]]></description>
			<content:encoded><![CDATA[<p>In the past five years of delivering work focused on aligning and enhancing corporations against contractual agreements, operational requirements, and risks - today officially classified as Governance, Risk and Compliance (or GRC) - through technology, I have seen real returns for my clients.  While these improvements happen immediately, the real rewards are realized by embedding the efforts over the long haul.  I have been quite pleased with the results of my own GRC activities, and based my book on highlighting these core success criteria.</p>
<p>A recent survey, albeit funded by a GRC vendor, conducted by the Aberdeen Group reinforces the returns corporations receive by adopting GRC.  I find these results to be in line with my own personal experience.  The link to the press release is <a href="http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&amp;newsId=20091021006549&amp;newsLang=en">here</a>.  A quick look at the numbers they highlight:</p>
<blockquote><p>Some of the main results pointed out by the research show that Best-in-Class companies:</p>
<p><strong>1.</strong> estimated that business-critical decisions are made 10% faster, based on improved management visibility into current risks.</p>
<p><strong>2.</strong> eliminated redundant risk management activities and processes, with a reduction of 8.5%.</p>
<p><strong>3.</strong> improved efficiency of their compliance tracking and reporting processes by 12% and their ability to provide clear, timely communication of risks and compliance status to shareholders and board of directors.</p>
<p><strong>4.</strong> increased their flexibility to adjust to new or updated regulatory requirements by 11.5%.</p></blockquote>
<p>I strongly encourage organizations to develop a culturally correct IT Governance process and create an ongoing GRC initiative.  Only when technology, business risk, and innovation are moved together can organizations truly capitalize on the benefits of their existing assets.</p>
<p>A separate report, <a href="http://www.preventia.co.uk/resources/white%20papers/lumension/NIT-GRC-Aberdeen-Lumension.pdf">Managing Risk, Improving Visibility, and Reducing Operating Costs</a>, was released in May 2009; it is also quite good and highlights the benefits of IT GRC.  As with any industry report, be aware of the sample, scope, sources, and funding of the report, and of how your organization is similar to, and differs from, the population studied.</p>
<p>Other considerations?</p>
<p>James DeLuccia IV</p>
<p><em>(Please note, I was unable to locate the actual report beyond the broken link in the press releases.  I will check periodically and see if I can locate it when it becomes available.  If you find it, please post a comment and I will update here)</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/11/05/hard-valuations-and-real-world-returns-for-it-grc/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Beware Outsourcing Savings from oDesk and others&#8230;</title>
		<link>http://www.itcomplianceandcontrols.com/2009/08/13/beware-outsourcing-savings-from-odesk-and-others/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/08/13/beware-outsourcing-savings-from-odesk-and-others/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 20:33:12 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[audit]]></category>

		<category><![CDATA[cio]]></category>

		<category><![CDATA[ciso]]></category>

		<category><![CDATA[cloud computing]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[controls]]></category>

		<category><![CDATA[corporate integrity]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[Executive]]></category>

		<category><![CDATA[governance]]></category>

		<category><![CDATA[information security]]></category>

		<category><![CDATA[IT Compliance and Controls]]></category>

		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=57</guid>
		<description><![CDATA[An incredible trend is happening in the &#8220;for contract&#8221; market - specifically the for hire programmers.  oDesk and eLance both show dramatic upticks in the amount of work being posted and delivered on their sites (nice article here on the growth).  oDesk alone is tracking about 100,000 hours a week of work, or nearly $65 [...]]]></description>
			<content:encoded><![CDATA[<p>An incredible trend is happening in the &#8220;for contract&#8221; market - specifically the <em>for hire</em> programmers.  <a href="http://www.odesk.com/community/oconomy">oDesk</a> and <a href="http://www.elance.com/skills_central">eLance</a> both show dramatic upticks in the amount of work being posted and delivered on their sites (<a href="http://www.techcrunch.com/2009/08/13/in-a-tight-economy-outsourced-developers-on-odesk-work-100000-hours-a-week/">nice article here on the growth</a>).  oDesk alone is tracking about 100,000 hours a week of work, or nearly $65 million worth.  This massive increase in projects outsourced to independents and for-hire groups is an indicator of the need for businesses to find affordable development, but at what cost?<br />
The trend is perfect for highlighting how businesses can shift to deliver the services required - in any economy.  The trend equally shows that practices and methods shift with it.  The challenge is making this shift securely and with the correct safeguards.  (This is highlighted nicely from a macro risk perspective by Mike Nolan in <a href="http://kpmg.com/Global/IssuesAndInsights/ArticlesAndPublications/Pages/The-need-for-alignment.aspx">The Need for Alignment</a>.)  Leveraging contractors has always required specific validation techniques:</p>
<ul>
<li>Right-to-audit clauses, to verify that operations actually match the marketing materials</li>
<li>Background check summaries for contractors</li>
<li>Anti-virus and anti-malware software running on contractor systems (<a href="http://www.cio.com/article/498629/P_P_Ban_Plan_for_Government_Gets_Mixed_Response">or, in the U.S. government, no P2P</a>)</li>
<li>Vendor management and procurement procedures</li>
</ul>
<p>Awareness is necessary when these jobs begin to be sourced through open marketplaces.  The fidelity of the business providing the services, the protection of intellectual property, and the proper review of delivered software against best practices are only the beginning of the new and expanded risks that must be considered.<br />
Businesses and leaders should certainly embrace these open markets, which allow greater access and better price transparency, but it must be done in a manner that reflects the risk tolerance of the business, to ensure a balanced operating environment.</p>
<p>Additional thoughts and ideas on best practices for vetting outsourcing vendors?</p>
<p>James DeLuccia IV</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/08/13/beware-outsourcing-savings-from-odesk-and-others/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Third Party Fraud - Breaking down Trust</title>
		<link>http://www.itcomplianceandcontrols.com/2009/08/04/third-party-fraud-breaking-down-trust/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/08/04/third-party-fraud-breaking-down-trust/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 21:29:35 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[2009]]></category>

		<category><![CDATA[acfe]]></category>

		<category><![CDATA[audit]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[controls]]></category>

		<category><![CDATA[corporate integrity]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[forensic]]></category>

		<category><![CDATA[Fraud]]></category>

		<category><![CDATA[IT Compliance and Controls]]></category>

		<category><![CDATA[kpmg]]></category>

		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=54</guid>
		<description><![CDATA[As economies around the world remain under strain, the propensity for fraud is significantly higher.  One may speculate that fraud is constant and only our sensitivity to it shifts between good and bad times.  Whichever school of thought you support is a matter of risk perspective, and quite irrelevant today.
Fraud is up on [...]]]></description>
			<content:encoded><![CDATA[<p>As economies around the world remain under strain, the propensity for fraud is significantly higher.  One may speculate that fraud is constant and only our sensitivity to it shifts between good and bad times.  Whichever school of thought you support is a matter of risk perspective, and quite irrelevant today.</p>
<p>Fraud is up on a worldwide basis.  The attacks and scams are increasing, and it is occurring across all sectors.  An excellent breakdown, the &#8220;<a href="http://kpmg.co.uk/news/detail.cfm?pr=3334">KPMG Forensic Fraud Barometer</a>&#8221;, reports that <a href="http://www.cimaglobal.com/cps/rde/xchg/live/root.xsl/1630_11502.htm?itemid=19274631&amp;categoryname=Legislation">fraud</a> is rising and that <a href="http://kpmg.co.uk/news/detail.cfm?pr=3541">over 1.1 billion pounds of fraud came to court in the UK in 2008.</a></p>
<p>The Association of Certified Fraud Examiners (ACFE) has a wealth of detailed <a href="http://www.acfe.com/about/statistics.asp">statistics here</a>, a <a href="http://www.acfe.com/documents/press-kit/acfe-small-business-fraud.pdf">nice, simple guide for small businesses seeking to minimize or prevent fraud</a>, and a nice bit of information on the <a href="http://www.fraudconference.com/20th-recap.asp">past ACFE fraud conference</a> (highly recommended).</p>
<p>We are definitely seeing these frauds perpetrated through common channels - such as at conferences in Las Vegas (below are several links to articles about a fake ATM found during the DefCon 17 conference - a very interesting read):</p>
<ul>
<li><a href="http://hackaday.com/2009/08/04/malicious-atm-found-at-defcon-17/">Hack a Day Article</a></li>
<li><a href="http://www.engadget.com/2009/08/03/atm-scam-at-defcon-clearly-the-work-of-ironic-criminals/">Engadget Article</a></li>
<li><a href="http://it.slashdot.org/story/09/08/02/2151247/Scammer-Plants-a-Fake-ATM-At-Defcon-17?from=rss">Slashdot Article</a></li>
<li><a href="http://www.computerworld.com/s/article/9136179/Fake_ATM_doesn_t_last_long_at_hacker_meet">Computerworld Article</a></li>
<li><a href="http://www.wired.com/threatlevel/2009/08/malicious-atm-catches-hackers/">Wired Article</a></li>
</ul>
<p>In addition, organized crime groups are also leveraging the technologies of today (Facebook, Twitter, SMS) - and their attack vectors (e.g., phishing).</p>
<p><strong>Protection; Prevention; Detection:</strong></p>
<ol>
<li>Being aware of trends is vital to erecting current and appropriate (even if temporary) safeguards - such as those required by the FTC Red Flags Rule.</li>
<li>Communicate with peers and collaborate - that may be accomplished by taking part in message boards and Twitter groups, and by attending conferences.</li>
<li>Evaluate your fraud programs, determine their current success rate, and implement corrections.</li>
</ol>
<p>These are simply high-level areas to consider - review your fraud programs seriously and consider the resources made available by the parties referenced above.</p>
<p>As mentioned by <a href="http://www.yhff.co.uk/Fraud%20Barometer%20-%20Feb%202009%20_2_.pdf">Vivien Osborne of KPMG UK in the KPMG Forensic Fraud Report</a>:</p>
<blockquote><p>&#8220;In these harsh economic times, internal fraud could become the tipping point between the survival and demise of an organisation.  Companies need to be rigorous about reinforcing their anti-fraud measures.  By reviewing their high risk and key operations, having effective reporting channels and deploying detection mechanisms such as data analytics they may give themselves a better chance to fight fraud.&#8221;</p></blockquote>
<p>Additional Fraud Resources, please add below in comments.</p>
<p>Best,</p>
<p>James DeLuccia IV</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/08/04/third-party-fraud-breaking-down-trust/feed/</wfw:commentRss>
		</item>
		<item>
		<title>A bright spot in the innovation wave - a Venture Fund with strong focus on IT</title>
		<link>http://www.itcomplianceandcontrols.com/2009/07/08/a-bright-spot-in-the-innovation-wave-a-venture-fund-with-strong-focus-on-it/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/07/08/a-bright-spot-in-the-innovation-wave-a-venture-fund-with-strong-focus-on-it/#comments</comments>
		<pubDate>Wed, 08 Jul 2009 20:41:24 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[data privacy]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[innovation]]></category>

		<category><![CDATA[pci dss]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[technology]]></category>

		<category><![CDATA[venture capital]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=52</guid>
		<description><![CDATA[As friends know, I have been launching businesses for the past few years with varied success and varied feelings about venture capitalists.  The summation is the common &#8220;chicken and egg problem&#8221;: most investors who do not understand a new technology or a paradigm-shifting solution seek to see the solution working first.  The inventor and [...]]]></description>
			<content:encoded><![CDATA[<p>As friends know, I have been launching businesses for the past few years with varied success and varied feelings about venture capitalists.  The summation is the common &#8220;chicken and egg problem&#8221;: most investors who do not understand a new technology or a paradigm-shifting solution seek to see the solution working first.  The inventor and technologist will likely feel that is the whole point of pitching for financing ;)  Hence chicken or egg.  I am extremely pleased to see <a href="http://blog.pmarca.com/2009/07/introducing-our-new-venture-capital-firm-andreessen-horowitz.html">Ben Horowitz and Marc Andreessen launching a new fund</a> focused on placing money on the table to encourage solutions and innovation within IT security, compliance, and the tactical areas of the industry.  One of their core principles:</p>
<blockquote><p>Technology and its advancement is absolutely central to human progress. Entrepreneurs who create new technologies and technology companies are improving the standard of living of people worldwide and unlocking amazing new levels of human potential.</p></blockquote>
<p>So a call to action to all my colleagues and friends who have been screaming and itching to make the world better through their own ingenuity and hard work - APPLY, develop, and make a difference.</p>
<p>Or to consider the problem statement above:  Be a Rooster, because in the &#8220;Which came first the Chicken or the Egg&#8221; problem - the Egg is the answer, because Chickens don&#8217;t lay eggs - Roosters do.</p>
<p>Happy inventing and hacking,</p>
<p>James DeLuccia IV</p>
<p>For inspiration on problems to solve, <a href="http://pcidss.wordpress.com/">check out my other site here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/07/08/a-bright-spot-in-the-innovation-wave-a-venture-fund-with-strong-focus-on-it/feed/</wfw:commentRss>
		</item>
		<item>
		<title>How understanding Human Behavior can improve your business</title>
		<link>http://www.itcomplianceandcontrols.com/2009/07/02/how-understanding-human-behavior-can-improve-your-business/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/07/02/how-understanding-human-behavior-can-improve-your-business/#comments</comments>
		<pubDate>Thu, 02 Jul 2009 11:28:15 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[audit]]></category>

		<category><![CDATA[controls]]></category>

		<category><![CDATA[cost]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[governance]]></category>

		<category><![CDATA[IT Compliance and Controls]]></category>

		<category><![CDATA[regulations]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=50</guid>
		<description><![CDATA[There are many challenges to growing a business, sustaining a business, and definitely changing a business.  The latter, most would agree, is by far the hardest and largest challenge for organizations seeking to adopt controls throughout the business.  Here &#8220;controls&#8221; is a generic term that includes policies, procedures, technology safeguards, and routine [...]]]></description>
			<content:encoded><![CDATA[<p>There are many challenges to growing a business, sustaining a business, and definitely changing a business.  The latter, most would agree, is by far the hardest and largest challenge for organizations seeking to adopt controls throughout the business.  Here &#8220;controls&#8221; is a generic term that includes policies, procedures, technology safeguards, and routine manual human activities that seek to provide consistency of operations.<br />
As an advocate of building control environments that reflect the business culture instead of forklifting in a standard method (i.e., dropping COBIT 4 onto the business and walking away), it is encouraging to see how a study out of University College London supports the potential of dense populations.<br />
The <a href="http://www.ucl.ac.uk/media/library/humanbehaviour">UCL study</a> found that &#8220;High population density leads to greater exchange of ideas and skills&#8230;&#8221;  This is profound when one considers that a business core team spends more time together than apart.  A common joke is that those who work together spend more time together than they do with their own spouses.<br />
The takeaway from this study is that businesses with core teams that work intensely together will excel where those working alone cannot, and this is pointedly true when implementing a control environment.  It is true that bolting on a new standard or set of government mandates is inefficient, but what most fail to capture is how innovative businesses can be when they work together to solve these problems.<br />
Check out the interesting study here from <a href="http://www.ucl.ac.uk/media/library/humanbehaviour">University College London</a>.<br />
Moving forward - consider forming tight, semi-permanent teams focused on finding innovation in the controls themselves, to constantly uncover efficiencies and opportunities.</p>
<p>Best,</p>
<p>James DeLuccia IV</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/07/02/how-understanding-human-behavior-can-improve-your-business/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Compliance Week 2009:  Ineffective Controls due to Consolidation of Regulators</title>
		<link>http://www.itcomplianceandcontrols.com/2009/06/04/compliance-week-2009-ineffective-controls-due-to-consolidation-of-regulators/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/06/04/compliance-week-2009-ineffective-controls-due-to-consolidation-of-regulators/#comments</comments>
		<pubDate>Thu, 04 Jun 2009 16:24:12 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[audit]]></category>

		<category><![CDATA[compliance week]]></category>

		<category><![CDATA[corporate integrity]]></category>

		<category><![CDATA[Executive]]></category>

		<category><![CDATA[fcra]]></category>

		<category><![CDATA[GLBA]]></category>

		<category><![CDATA[information security]]></category>

		<category><![CDATA[IT Compliance and Controls]]></category>

		<category><![CDATA[PCI]]></category>

		<category><![CDATA[Practitioner]]></category>

		<category><![CDATA[sox]]></category>

		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=48</guid>
		<description><![CDATA[This week is Compliance Week, and for most that implies vendor pitches and F.U.D., but there have been specific tidbits flowing from the conference that indicate otherwise.  If you are not in attendance, the steady flow on Twitter (your window into conversations of interest) and on blogs should give you a reasonable recap.  I strongly [...]]]></description>
			<content:encoded><![CDATA[<p>This week is <a href="http://www.complianceweek.com/page/525/annual-conference">Compliance Week</a>, and for most that implies vendor pitches and F.U.D., but there have been specific tidbits flowing from the conference that indicate otherwise.  If you are not in attendance, the steady flow on <a href="http://search.twitter.com/search?page=1&amp;q=%23cw2009">Twitter</a> (your window into conversations of interest) and on blogs should give you a reasonable recap.  If any sessions are of interest, I strongly recommend reaching out to the speakers directly and striking up a conversation - <a href="http://www.complianceweek.com/page/528/annual-conference-speakers">the speaker&#8217;s list is here</a>.<br />
Michael Rasmussen has posted a <a href="http://corp-integrity.blogspot.com/2009/06/thoughts-from-compliance-week-09-day-1.html">nice update on his blog</a>.  He raises a point of particular interest to business executives and practitioners that I wanted to expand upon: the concept of regulation, the merging of regulating agencies, and the net effect on effectiveness and efficiency.  There are plenty of arguments for and against regulation, but that is not the point here - what is intriguing is what happens to the businesses themselves in these ebb and flow moments in our history.  I go into great detail on this <a href="http://www.amazon.com/gp/product/0470145013?ie=UTF8&amp;tag=itcomandcon-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0470145013">in my book</a>, but want to point out specific areas of focus.<br />
The concept of &#8220;consolidating&#8221; regulators and legislation to create a super-structure that protects citizens has the net effect of watering down guidance and regulation.  This is a common complaint from individuals adopting (fully) <a href="http://www.itil-officialsite.com/home/home.asp">ITIL v3</a> or <a href="http://www.isaca.org/cobit/">COBIT</a>: these are too broad to fit any one organization properly, and unlikely to adequately address the risks any one organization faces.<br />
Given this observation, executives should consider the following:</p>
<ul>
<li>Embrace public, international, open governance / security frameworks and cut your own program from them</li>
<li>The cost of compliance should DECLINE and not increase over time - unless your business is expanding, at which point the cost curve should be correlated to that of the expansion costs</li>
<li>The achievement of compliance is not sufficient to thwart the risks to the business - security, privacy, operational integrity, and satisfaction of contractual agreements require a cultural and organic approach</li>
</ul>
<p>Practitioners must take it upon themselves to educate and communicate when compliance F.U.D. and marketing take over a business&#8217; risk management programs.  Only through communication will everyone know what risks exist; what risks are addressed; which risks are immaterial; and how they fit together to form the information security program and governance processes.</p>
<p>Other insights and perspectives on the effect of consolidating and &#8220;watering down&#8221; effective controls and safeguards to the point where they no longer address the original intent?</p>
<p>Kind regards,</p>
<p>James DeLuccia IV</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/06/04/compliance-week-2009-ineffective-controls-due-to-consolidation-of-regulators/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Cost of a Lost Laptop</title>
		<link>http://www.itcomplianceandcontrols.com/2009/05/04/cost-of-a-lost-laptop/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/05/04/cost-of-a-lost-laptop/#comments</comments>
		<pubDate>Mon, 04 May 2009 12:41:16 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[COI]]></category>

		<category><![CDATA[cost of impact]]></category>

		<category><![CDATA[data breaches]]></category>

		<category><![CDATA[data management]]></category>

		<category><![CDATA[fud]]></category>

		<category><![CDATA[intel]]></category>

		<category><![CDATA[PCI]]></category>

		<category><![CDATA[ponemon]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=45</guid>
		<description><![CDATA[There are numerous instances where laptops and portable devices are lost / stolen.  Stories ranging from the classic CEO whose laptop disappeared at a conference to the thieves who coincidentally opened the one trunk of an auditor&#8217;s rental car and gained access to significant sensitive information sprinkle the news wires.
While imagination can speak to what the impacts may [...]]]></description>
			<content:encoded><![CDATA[<p>There are numerous instances where laptops and portable devices are lost / stolen.  Stories ranging from the classic CEO whose laptop disappeared at a conference to the thieves who coincidentally opened the one trunk of an auditor&#8217;s rental car and gained access to significant sensitive information sprinkle the news wires.<br />
While imagination can speak to what the impacts may be, Intel sponsored a report by the Ponemon Institute on this very topic.<br />
The net result is that the majority of costs derive from the substance of the data and not from the laptop itself - meaning if there is proprietary IP or protected sensitive data on the device, the costs are significant.  Check out the <a href="http://communities.intel.com/docs/DOC-3076">Intel page here</a>, and the direct <a href="http://communities.intel.com/servlet/JiveServlet/download/3076-2-1994/Cost%20of%20a%20Lost%20Laptop%20White%20Paper%20Final%202.pdf">link to the paper here</a>.<br />
The report is centered explicitly on the costs and highlights the worst-case scenarios without providing alternate avenues of thought and opportunity.  I would challenge readers of the report to consider how data is managed and utilized in the organization before safety-cabling every laptop, deploying full-disk encryption (<a href="http://www.truecrypt.org/">not a bad idea</a>), or rolling out full dumb-terminal netbooks.<br />
In addition, consider the other devices that are transported with these laptops and that can carry just as sensitive (or the same) data without any of those particular solutions or safeguards - your iPhone / BB, a collection of USB tokens, CDs, iPod, <a href="http://www.rationalsurvivability.com/blog/?p=16">Kindle</a>, etc&#8230;</p>
<p>Consider all the data carriers before pushing out point solutions - data should be managed within an evolving program that satisfies each new channel and environment (social networks, Twitter, IM, torrents &#8230;)</p>
<p>Thoughts?</p>
<p>James DeLuccia IV</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/05/04/cost-of-a-lost-laptop/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Data Security and Privacy in a Downturn with 3rd Party Providers</title>
		<link>http://www.itcomplianceandcontrols.com/2009/02/27/data-security-and-privacy-in-a-downturn-with-3rd-party-providers/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/02/27/data-security-and-privacy-in-a-downturn-with-3rd-party-providers/#comments</comments>
		<pubDate>Fri, 27 Feb 2009 14:35:00 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[bpo]]></category>

		<category><![CDATA[cfo]]></category>

		<category><![CDATA[cio]]></category>

		<category><![CDATA[ciso]]></category>

		<category><![CDATA[cost]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[network world]]></category>

		<category><![CDATA[privacy]]></category>

		<category><![CDATA[regulations]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=43</guid>
		<description><![CDATA[Recently I contributed to a CIO Magazine and Network World piece on what is the impact to - Security and Privacy - in a downturn.  Specifically, what happens to all that sensitive data that was once locked behind doors and large security systems when the lights go out and the auction gavel hits the block?  [...]]]></description>
			<content:encoded><![CDATA[<p>Recently I contributed to a <a href="http://www.cio.com/article/482187/When_A_Company_Folds_Who_Guards_Your_Data_s_Privacy_?page=1">CIO Magazine</a> and <a href="http://www.networkworld.com/news/2009/022409-when-a-company-folds-who.html">Network World piece</a> on the impact to security and privacy in a downturn.  Specifically, what happens to all that sensitive data that was once locked behind doors and large security systems when the lights go out and the auction gavel hits the block?  Please see the <a href="http://www.networkworld.com/news/2009/022409-when-a-company-folds-who.html">article here at Network World</a>, and a timely post at LogBlog entitled &#8220;<a href="http://blog.loglogic.com/2009/02/is_your_data_protected_if_the_company_closes_its_doors.php">Is your data protected if the company closes its doors?</a>&#8221;.</p>
<p><em>Given those articles as the backdrop - there are two major concerns for executives and businesses that rely on third party firms (which is approximately 99% of the world).</em></p>
<p><strong>The first is the ability to deliver services without the incumbent service provider</strong></p>
<ul>
<li>When setting up third party service providers consideration must be placed on the exact details of how the data flows will occur.  This should be defined in the contract.</li>
<li>A common and costly mistake by companies is not establishing mechanisms to extract their business from a specific service provider.  This is caused by customizing your business to fit the provider&#8217;s processes, thereby creating only one vendor that can service your firm.  Businesses must regularly review how these third party processors are integrated and establish a Back-Out Plan (BOP).  Similar in principle to a Disaster Recovery Plan (DRP), a BOP provides the organization with a full record of all business data and a workable repository that can be connected to a different vendor.  A consumer example: the ability to export your Google Contacts to your Exchange Server and vice versa; the easier it is, the more likely you are to experiment and keep long-term costs low.</li>
</ul>
<p><strong>The second is concern relating to the data and proprietary (patented?) processes and technology that may vanish when the business partner disappears.</strong></p>
<ul>
<li>The amount of information passed through a vendor varies, but inevitably sensitive information will be processed or transmitted.  The business owners should, in a contract, establish the ability to quarantine their data to specific systems, and may even consider &#8220;buying&#8221; these pieces of hardware to insure against losses in the future.</li>
<li>An alternate approach is to limit the data prudently to eliminate the possibility of company information being exposed.  This can be achieved by performing some processing in house and then passing data along to the vendor in a less sensitive form.  A <a href="http://rationalsecurity.typepad.com/blog/2009/02/amazons-kindle-some-interesting-security-thoughts.html">consumer example is highlighted</a> on the <a href="http://www.amazon.com/gp/product/B00154JDAI?ie=UTF8&amp;tag=itcomandcon-20&amp;linkCode=as2&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B00154JDAI">Kindle2</a> and its 3rd party conversion process, and what data, if any, is being passed and processed.  (This is a single example of the numerous services that slice through the daily business process and are seldom considered or understood; only when problems - breached / hacked organizations - make the news do we consider the full ramifications, let alone what happens if the business itself vanishes.)</li>
</ul>
<p>As is obvious, there are many approaches for businesses to leverage the BPO market while protecting the integrity of the business operations.</p>
<p>Best Regards,</p>
<p>James DeLuccia IV</p>
<p><a href="http://www.rsaconference.com/2009/us">**Speaking at RSA 2009 on the Payment Card Industry, April 22nd 2009**</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/02/27/data-security-and-privacy-in-a-downturn-with-3rd-party-providers/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Positive Book Review</title>
		<link>http://www.itcomplianceandcontrols.com/2009/02/20/positive-book-review/</link>
		<comments>http://www.itcomplianceandcontrols.com/2009/02/20/positive-book-review/#comments</comments>
		<pubDate>Fri, 20 Feb 2009 15:55:27 +0000</pubDate>
		<dc:creator>James</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.itcomplianceandcontrols.com/?p=42</guid>
		<description><![CDATA[A new book review has been placed online by MSI.  A nice overview and elaboration of the book content. A nice highlight:
&#8220;DeLuccia lays a foundation by examining the importance of internal IT controls&#8230;explains why silo IT strategy wastes time and resources, offering a better solution in having an IT enterprise control environment&#8221;
Comments and challenges?
James DeLuccia
]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://stateofsecurity.com/?p=571">new book review has been placed online by MSI</a>.  A nice overview and elaboration of the book content. A nice highlight:</p>
<p><span>&#8220;DeLuccia lays a foundation by examining the importance of internal IT controls&#8230;explains why silo IT strategy wastes time and resources, offering a better solution in having an IT enterprise control environment&#8221;</span></p>
<p>Comments and challenges?</p>
<p>James DeLuccia</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcomplianceandcontrols.com/2009/02/20/positive-book-review/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
