Risk archives - IT Compliance Advisor


Jul 29 2009   2:27PM GMT

Cloud computing data security creates challenges for compliance officers



Posted by: Scot Petersen
podcast, Cloud computing, compliance, risk, data center, Security, encryption

Cloud computing is just another form of outsourcing, and like outsourcing, it comes with its own set of risks and compliance challenges. As the data center begins to disappear into the cloud, data security tops the list.

But is encryption, specifically public key infrastructure, up to the task of protecting data that could reside anywhere? Will standards emerge that will govern the relationship between data owners and cloud service providers?

In this Compliance Advisor podcast, security expert Steven Ross discusses the compliance issues of the “disappearing data center” with SearchCompliance.com Executive Editor Scot Petersen.

Podcast: Cloud computing compliance [15:12m]

Jul 21 2009   5:58PM GMT

Freerisk financial risk modeling services challenge S&P, Moody’s



Posted by: Scot Petersen
risk, financial risk, Freerisk, S&P, Moody's, podcast, XBRL

In the wake of the financial meltdown triggered by the subprime mortgage crisis in the fall of 2008, credit ratings agencies like Moody’s and Standard and Poor’s became the focus for some of the blame. Did they ignore key risk indicators that would have alerted investors much earlier to the house of cards that would come crashing down? In this Compliance Advisor podcast, Jesper Andersen, co-founder with Toby Segaran of Freerisk.org, discusses their open financial services project, which will offer data, algorithms and tools to perform financial risk modeling.

Find out the origins of Freerisk and its philosophy, its position on XBRL and how it plans to work with Moody’s and S&P to create a more transparent ratings process.

Podcast: Freerisk challenges Moody's, S&P [13:40m]


Apr 21 2009   3:56PM GMT

The future of compliance policy management



Posted by: Scot Petersen
compliance, risk, Security, management, future, policy, podcast

Compliance is not just “one thing” for businesses anymore. Compliance has become a broad subject like “finance” or “security,” with many sub-topics underneath that umbrella. The best strategy for the range of compliance policy management issues facing IT and business managers today is to take a risk-based approach, says compliance and security consultant Kevin Beaver. In this week’s edition of the IT Compliance Advisor podcast, find out where big and small businesses should be focusing their compliance management efforts.

Podcast: The future of compliance [10:23m]


Apr 7 2009   3:09PM GMT

Vetting users exposes new compliance risks



Posted by: Scot Petersen
risk, compliance, Security, privacy, podcast, risk management, enterprise risk management

Most visitors to websites arrive and leave relatively anonymously. But as e-commerce evolves, businesses are using the Web to invite in specific users, in order to offer special services to them or participate in a study such as a clinical trial.

Steve Ross, a director in the Security & Privacy practice of Deloitte & Touche LLP, has some thoughts in this IT Compliance Advisor podcast about the privacy and compliance risks associated with bringing in these “vetted” users.

Podcast: Vetting users exposes new compliance risks [11:13m]

Ross, a former international president of ISACA and IS Security Matters columnist for the ISACA Journal, explains to SearchCompliance.com Executive Editor Scot Petersen what constitutes a vetted user, what are the compliance risks that come with a vetted user, and what are some best practices for ensuring privacy of the vetted user.


Mar 19 2009   8:43AM GMT

How do you align an IT risk assessment with COBIT controls?



Posted by: Sarah Cortes
business, Information technology, Audit, Risk assessment, CISA, risk management, COBIT, risk, IT controls

[One of our readers, compliance officer Ramon de Bruijn, wrote to the editors of SearchCompliance.com at editor@searchcompliance.com last month looking for some advice. Specifically, he asked "What is the best way to implement a risk assessment in an IT department that aligns COBIT controls with risks?" In her first post for IT Compliance Advisor, Sarah Cortes, PMP, CISA, provides an answer to his question. -Ed.]

Implementing a risk assessment that will align the COBIT control framework with risks is a valuable undertaking and a smart way to approach the challenge. If approached with a working knowledge of COBIT, it should take no longer than any other risk assessment approach.

In the long run, it will likely shorten the overall cycle:

Risk assessment -> Recommendation -> Solution implementation -> Audit

This is because COBIT can provide a thorough checklist of potential risk areas that might otherwise be missed. Missing them means multiple passes, or wasted effort implementing solutions to lower-priority risks while higher-priority ones are ignored.

One thing to keep in mind is that COBIT controls are not just “in an IT department.” They include controls for business interruption and other business problems that have traditionally fallen to IT to deal with, rightly or wrongly.

The first step is to obtain a copy of COBIT controls, which you can do from ISACA.org or other sources on the Web.

The second step is to provide education, if necessary. Make sure key individuals in your organization have heard of COBIT and understand that it is an internationally accepted standard. No need to worry that anyone will know it better than you. Even auditors and CISA professionals can achieve only a moderate level of memorization of all aspects of COBIT. COBIT changes all the time, and in some areas technology moves beyond it. In general, COBIT is too far-reaching for even the most seasoned IT professional to avoid re-reading and referring to it frequently when working with it.

After obtaining a copy and getting buy-in, the third step is to put it away. You need to ask yourself and others where the known risks to IT and business lie. This bottom-up approach is critical to avoiding “over-COBITING,” a common affliction.

Once you have carefully listened to IT professionals and others with respect to control weaknesses and the risks that actually “keep them up at night,” you are ready to pull out your COBIT framework again. Review a fuller set of risks with those same individuals. See if that uncovers risks they may have missed the first time. This checkpoint is one benefit of COBIT.

Finally, you should document your risk assessment and note areas listed in COBIT that individuals in your organization did not consider worthy of note. Each COBIT area should be covered. If the risk included in COBIT is not prioritized in the risk assessment, a specific reason should be noted, along with the individual who decided to assume or dismiss that risk. This will come in handy later, trust me.

If you follow these steps, you will be further ahead than 99% of professionals and IT departments in your shoes. Good luck, and happy documentation!
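The documentation rule in the final step (every COBIT area covered; any area not prioritized carries a reason and the name of the person who dismissed it) can be checked mechanically. The script below is an added example, not code from the original post; the COBIT area subset and the register rows are constructed sample data.

```python
"""Coverage check for a COBIT-aligned risk assessment register.
Added example: flags COBIT areas nobody considered and dismissals that
lack a reason or a named decider. Areas and entries are constructed."""
from dataclasses import dataclass

# Constructed subset of COBIT process areas used as the checklist.
COBIT_AREAS = {
    "PO9": "Assess and manage IT risks",
    "DS4": "Ensure continuous service",
    "DS5": "Ensure systems security",
    "DS11": "Manage data",
}

@dataclass
class RiskEntry:
    area: str              # COBIT process id this risk maps to
    risk: str              # risk as voiced by staff (bottom-up pass)
    prioritized: bool      # kept in the assessment, or assumed/dismissed
    reason: str = ""       # required when not prioritized
    decided_by: str = ""   # required when not prioritized

def find_gaps(register, areas=COBIT_AREAS):
    """Return findings as strings; an empty list means the register is complete."""
    findings = []
    covered = {entry.area for entry in register}
    for area_id, title in areas.items():
        if area_id not in covered:
            findings.append(f"{area_id} ({title}): not covered by any entry")
    for entry in register:
        if entry.area not in areas:
            findings.append(f"{entry.area}: not a known COBIT area")
        if not entry.prioritized:
            if not entry.reason.strip():
                findings.append(f"{entry.area}: dismissed without a reason")
            if not entry.decided_by.strip():
                findings.append(f"{entry.area}: dismissed without a named decider")
    return findings

# Constructed sample register: PO9 prioritized, DS4 dismissed with reason and
# decider, DS5 dismissed without a reason, DS11 never considered at all.
SAMPLE_REGISTER = [
    RiskEntry("PO9", "No periodic risk review", True),
    RiskEntry("DS4", "Single data center, no failover", False,
              reason="Accepted; failover planned for next budget cycle",
              decided_by="J. Doe, CIO"),
    RiskEntry("DS5", "Shared admin passwords", False, decided_by="Ops lead"),
]
```

Running `find_gaps(SAMPLE_REGISTER)` reports the DS11 coverage gap and the undocumented DS5 dismissal, which are exactly the two items an auditor would ask about later.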

Sarah Cortes is a senior technology manager with extensive experience in all aspects of delivering information technology systems and services to Fortune 500 firms in the financial services industry, as well as biotechnology, media and higher education. Sarah Cortes has managed numerous major Code Red business and system interruptions, including the 9/11 failover of trading, accounting and other critical business systems during Marsh McLennan’s WTC data center collapse. You can learn more about her work at InmanTechnologyIT.


Feb 2 2009   4:20PM GMT

Blogroll: IT Governance, Risk, and Compliance



Posted by: Alexander Howard
Blogroll, governance, risk

Earlier today, we added Charles Denyer’s Regulatory Compliance, Governance and Security to the blogroll.

Next up: Robert E. Davis, at IT Governance, Risk, and Compliance.

As a CISA, Davis has provided data security consulting and information systems auditing services to the Securities and Exchange Commission, the United States Enrichment Corporation, Raytheon Co., the Interstate Commerce Commission, Dow Jones & Co. and Fidelity/First Fidelity (Wachovia) corporations.

Davis joined ITKE recently and has focused initially on a series of blog posts that offer guidance on protecting critical data, noting how an information security governance framework can provide “essential information asset coverage.”

You can subscribe to IT Governance, Risk and Compliance here.


Jan 28 2009   6:55PM GMT

The importance of risk management in IT compliance



Posted by: Alexander Howard
compliance management, risk management, IT compliance, compliance assessment, enterprise risk management, risk, key risk indicator

This is a guest post by Cass Brewer, the founder of Truth to Power Association.

John Rostern recently blogged here about the dangers of checkbox compliance, noting that regulatory compliance doesn’t always bring information security.

I’ll take that argument a step further: Especially in terms of PCI DSS, most companies might get better ROI and comparable outcomes if they simply lied on their PCI DSS self assessments and returned to sprinkling salt around their servers, or whatever (apparently) prevented system breaches before PCI DSS came along. As John so aptly notes, siloed, point-in-time compliance is generally inadequate — in terms of both control and cost.

Unfortunately, external mandates tend to pervert otherwise healthy plan-do-check-act operational strategies. In the rush to comply with regulatory panaceas for perceived pervasive risks, managers too often deprecate their own informed risk judgments.

This is a backward response. Enterprise risk management should be both an input and output of any compliance program. As an input, it lets managers “just say no” to immaterial audit recommendations, defines implementation priorities and ensures that relevant controls aren’t displaced by compliance checkboxes.

Management can operationally parse broad compliance requirements by aligning control responses with actual material and significant risks. Or it can limit the in-scope environment of specific controls to particularly critical or sensitive information: cardholder data, customer PII, systems logs, etc. Either way, the bulk of risk management should occur on the front (planning) end of compliance. The risk management output of compliance programs is generally limited to risk mitigation.

Defining and measuring risks up front is also a cost-containment strategy. Under the Sarbanes-Oxley Act and other rules, organizations can exclude irrelevant “compliance” activities aimed at immaterial and insignificant threats. Of course, concrete documentation (and lots of it) is the key to defending such exclusions against auditor challenges.

Risk characteristics, including existence, criticality, likelihood and period, can further hone appropriate control responses. If a particular risk arises only once a year and potentially impacts just one disconnected system, a siloed, periodic response might be adequate. Of course, most risks are more constant and/or pervasive. Control efforts should respond to those characteristics, hitting compliance goals incidentally.

A risk management approach to compliance has opportunity benefits, too. It’s difficult to measure risk value (or risk abatement value) without understanding business-process value. In many cases, key risk indicators (KRIs) are complements to key performance indicators (KPIs). Defining one provides a baseline for defining the other; and that baseline is, in turn, a costing baseline that supports more broadly strategic business decisions.

How does this work? Learn how to factor risk management into compliance assessments at SearchCompliance.com.

Cass Brewer is the founder of Truth to Power, a free and open research community for better information governance. At T2P and in her previous role as director of the IT Compliance Institute (ITCi), Cass has worked with thousands of compliance, audit, business, and IT leaders to develop practical guidance for corporate compliance and risk management. She can be reached at cbrewer@t2pa.com.