Compliance archives - Regulatory Reality


Nov 12 2009   1:44PM GMT

Information security officers are a must



Posted by: David Schneier
Regulatory Compliance, GLBA, Audit, compliance, information security, business continuity planning, Vendor Management, CISO, ISO, information security office

I was talking with a client last week about a perceived gap in their organization.  Despite having to address multiple regulations cutting across several oversight bodies, they were lacking a single point of contact or central coordinator for all information security related activities.  Their sense was that they were long overdue for some form of a chief information security officer (CISO) and I had to agree.

The same point was underscored earlier this week during a kick-off meeting with a client regarding a pending audit.  Almost all of the requests for information, including policy and procedure documentation were redirected to their most senior IT person.  As we were wending our way through the items on the list and they kept verbally pointing to the IT person, I started wondering how he could be responsible for all of these information security related items and perform his regular IT duties.  The answer of course is that he can’t, not effectively anyway.

There’s a discipline involved with regards to regulatory and industry compliance that requires someone be committed to both understanding what needs to be done and then making sure that it’s happening.  This isn’t a new consideration; I’ve blogged in the past how we’ve moved from an age where you simply needed documentation to one where actionable steps are required.  It’s not enough to have an information security policy in place, you also need to comply with it and then be able to prove that fact upon request.  You can’t talk about how you restrict access to systems and information and not be able to provide a recent access review/report.

I’m routinely amazed by how few of my clients understand the growing need for the role of a CISO despite their awareness and sensitivity to the increasing regulatory burden.  Many financial institutions will offer up that they have a BSA officer and some will introduce a compliance “person” who is almost always focused on AML/Patriot Act activities and not much else.  I’ve interviewed several dozen people over the years who were included in the audit or assessment process because I asked to speak to their head compliance person and it turned out that they had very little if anything at all to do with information security and GLBA-related activities.  How is that possible?

How can you expect someone who is an expert in technology to also be an expert in information security and GLBA?

The answer is obvious: you can’t.  First, there’s a very real conflict of interest in asking the person who owns many of the required controls to also monitor themselves.  Second, I’ve yet to meet a technology person in all but the largest institutions who didn’t end the day with more to do than when they started it.  Third, it’s very unlikely that a technologist will interpret and apply the myriad rules around information security for all in-scope regulations and apply them correctly.  I’ve been doing this sort of work for more than a decade and it’s a full-time job just keeping up with the changes, let alone figuring out how to properly comply.

There needs to be an assigned gatekeeper for information security, plain and simple.  And the size of your institution doesn’t matter.  I’ve worked with very small financial institutions (under $100m in assets) that had a single, non-IT person in charge and it worked out quite well.  In one case the individual was also responsible for business continuity and vendor management, which oddly enough isn’t so odd.  Both of those require a certain degree of expertise that exceeds what you’d expect a technology person to have and more importantly, both of those activities need to cover the entire organization, not just what runs on the network.   When I worked within the technology infrastructure, I never understood why these things always got dumped there and now that I’m on the other side of things I know that it doesn’t make sense.

When the examiners or auditors ask to speak to your CISO, ISO, head security person, compliance officer or compliance manager, you need to have a name to give them not some vague answer or explanation about how it’s done piecemeal.  This is 2009 and the demands of compliance are great and they’re real.  Ignoring the obvious or incorrectly assuming that this is a part-time job is no longer acceptable.

Sep 30 2009   7:34PM GMT

Accountability key to banking recovery



Posted by: David Schneier
Regulatory Compliance, GLBA, FDIC, NCUA, DIF, Audit, compliance, banking, bank, CU, credit union

Every day, I receive a semi-deluge of industry related emails.  Between the various agencies, media sites, organizations and associations I tend to receive more communiqués than I know what to do with.  But I developed an interesting habit last year when the banking industry first started its tailspin dive by making certain to read every single issuance from the FDIC.

Going back to at least last September I have read and saved each and every one of them (several hundred I might add).  I’m sure some of my peers will beg to differ, but for me this is where anyone in the industry should’ve been looking during the crisis for the best indicators of what’s going on.

Yesterday, I was glad for this somewhat addictive habit of mine.  For what may be the very first time since Lehman went belly-up, I may have found the first true concrete piece of evidence that we’re on the road to recovery, if only in some small way.

The FDIC agency alert yesterday announced plans to bolster the Deposit Insurance Fund (DIF) by requiring insured institutions (mostly the banks you and I know) to prepay on their quarterly premiums so that the fund remains viable and liquid through the still unfolding resolution of the banking mess.  And that’s significant because unlike a year ago, this time around the plan calls for the industry to take responsibility for itself and not go running to Capitol Hill for help, an option FDIC Chairman Sheila Bair has denounced on several occasions.

Here’s what Bair had to say in the announcement:

“The decision today is really about how and when the industry fulfills its obligation to the insurance fund. It’s clear that the American people would prefer to see an end to policies that look to the federal balance sheet as a remedy for every problem. In choosing this path, it should be clear to the public that the industry will not simply tap the shoulder of the increasingly weary taxpayer. This proposal is a vote of confidence for the banking industry’s resilience, and it will continue to recover its strength as we work through the significant challenges ahead.”

The reason for my optimism is that this action shifts control back to the banking sector to fix its own mess.  It puts greater emphasis on each individual institution to fulfill its obligations to the DIF in advance of using those same funds for more traditional activities commonly associated with generating profits.  I think accountability is necessary, if not essential, to repairing the damage inflicted on the industry and repairing its reputation with depositors, investors and borrowers (something the NCUA had figured out much sooner).  And so I’m feeling a little better about where we’re heading, economically speaking.

Oh, and Comptroller of the Currency John C. Dugan (that’s the OCC head honcho in case you didn’t recognize the handle) agrees with me.  Mr. Dugan said of the FDIC plan: “The actions we are taking today represent a balanced approach to raising needed money for the deposit insurance fund without impairing the ability of our banks and thrifts to support economic recovery.”  He added, “I think this is a very positive proposal. The staff did an excellent job, and I support the way you handled it.”

I’d like to chalk it up to “great minds think alike.”

By the way, if anyone knows of a Sheila Bair Fan Club or is thinking of starting one I’d appreciate it if you would let me know.  She won my admiration last year (no surprise to my regular readers) and has routinely found ever more ways to score points with me.  She continues to step up and talk straight, smart and to the point about what’s going on with the banks and what to do about it.  I look forward to the President acting on the banking reform plans announced earlier this year and I sincerely hope he puts Bair in charge of the new entity.

For now, though, I have to go; seven more FDIC email alerts have landed in my inbox and I need to check ‘em out.


Sep 16 2009   9:02PM GMT

Can the economy rebound without the banks?



Posted by: David Schneier
Regulatory Compliance, bank, credit, NCUA, GLBA, real estate, Audit, compliance

I had one of those odd moments yesterday regarding the banking industry that I wanted to share with you.

On the homepage of a major news website were two headline stories. The first was about how Ben Bernanke believes the recession we’re in is coming to an end. Immediately to the left of the story was the following headline: “Don’t be surprised to see more bank failures.” I don’t know if the site editors were funnin’ with us or just simply didn’t realize the irony in how they stacked the items, but it certainly caught my eye.

How can the recession be ending while more banks are expected to fail?

I’m not an economist but I’m reasonably certain I don’t need to be in order to grasp the financial fundamentals of the situation. If the banking crisis is far from over, if there are still significant cash shortfalls that need to be flushed out of the banking system, how can we begin a recovery? And as if the contradictory stories weren’t enough to make me rush to my digital soapbox, there was another headline a short while ago that read “Banks’ commercial real estate exposure probed” with the subhead, “Delinquency rates on commercial loans have doubled in the past year.”

More bank failures expected, commercial real estate portfolios tanking at an accelerating rate… sure sounds like we’ve turned the corner to me, wouldn’t you agree?

I’m onsite at clients all of the time and one of my favorite pastimes is to spend time with the people who pretty much run their institutions be it from the front or backseat position and get their take on both the banking industry and state of the economy. These are the people who understand how a fractional increase in an interest rate can make or break an institution and see in the dense pile of numbers a pattern that must be very much like tea leaves. They know what they know and don’t much care for the headlines or industry pundits who tell us what to think. And so I look to them for guidance on what to expect and gauge where we are based on what they see.

They’re still freaked out.

One recent conversation was a mini-dissertation on the looming collapse of the commercial real estate market. There are empty storefronts everywhere you look and even emptier office buildings. How many construction sites sit idle with partially constructed buildings waiting for an infusion of cash to get them finished? What happens to the banks that provided the loans for these empty or incomplete structures? You now hold paper on structures that are worth much, much less than what you estimated and there’s no market to sell that paper or move those properties. What do you do next?

Another conversation was with someone who is about as expert as you get on residential real estate and they shared their opinion that the worst is far from over. Too many saturated markets have failed to yield sufficient reductions to bring things back into alignment and that needs to happen before the healing can begin. That means there are more foreclosures looming on the horizon, which will only grease the slippery slope the banking industry is currently on. And when you factor in that President Obama has said there will not be any more bailout activities beyond what’s already been made available, you have to assume that we’re in for even more tough times ahead.

Again, I’m no economist but I get to shoot the breeze with some fairly bright bulbs and they’re not lining up behind Mr. Bernanke.

I’ll admit that I’m ready to see the light at the end of the recession tunnel. I’m ready to stop reading about bank failures and predicting how many more are going to fail (is that even newsworthy anymore?) and start reading about how the industry is going to be regulated in the future to prevent this from happening again. Because the real story to me is that over a year has passed since this financial free-fall first started and nothing has changed to keep it from happening again.

I suppose you can say I’m looking for closure of a different variety.


Sep 1 2009   3:29PM GMT

IT audits versus reviews



Posted by: David Schneier
Regulatory Compliance, Audit, risk, risk assessment, GLBA, NCUA, general controls, IT, ITGC, governance, compliance, GRC

I had mentioned in my last post a recent conversation with my partner regarding a proposed IT general controls (ITGC) audit. My primary role in our practice is to head up regulatory compliance services which includes audits, assessments and program development; my partner’s primary role is head of sales and business strategy. However, there’s a significant amount of overlap between our two sides and I sometimes forget that I’m the compliance expert when we’re discussing the industry. His knowledge of the myriad regulations is impressive and there are times where I’ll vet ideas through him to validate my own thinking.

Anyway, he’d mentioned a conversation with the client around the proposed ITGC audit in which the project sponsor asked what the difference is between an audit and a review. I knew right away where the question stemmed from because of my experience in the industry. Many firms we compete with (and some I’ve even worked for in another time and place) don’t conduct audits, they conduct reviews. Sometimes they don’t even conduct a review or an audit but rather an assessment. I’ve struggled with this blurred use of terms because in my mind there are very clear delineations. The lifecycle of the governance, risk and compliance (GRC) domain is as such: identify and assess risk, design controls to mitigate those risks and test to validate that those controls are functioning as expected. And so, a risk assessment is conducted, governance elements are introduced in the form of policies and procedures, and regularly scheduled tests occur to make sure that the whole enchilada is actually getting the job done. And so when practitioners offer services that aren’t specific to one of the key areas of the GRC spectrum, it bothers me.

See, an audit is an audit is an audit; you determine the control objectives that are supposed to be supported by the entity and that are in scope for the type of audit, identify the related control activities that either are or should be in place, and then design a series of test steps to determine whether those activities are occurring and tie back to the overall objective. The auditor has some leeway when it comes to offering an opinion as to what the results actually mean (one auditor’s pass is oftentimes another auditor’s finding) but fundamentally the audit results tend to be binary: you either pass or fail. It’s all fairly straightforward.

Now a risk assessment is not an audit; it’s a bit more arbitrary. Management is generally polled to determine which areas of their infrastructure (including finance, operations and technology) concern them most; regulatory and industry requirements are factored in, and then a plan for conducting the risk assessments is drawn up. As these assessments occur, what they reveal is factored into the overall audit plan to make certain that the areas presenting the greatest risk to the business are being examined closely and in a timely fashion.

So here’s my question: what exactly is a review? If you’re conducting tests and examining evidence you’re conducting an audit. If you’re interviewing stakeholders and determining what controls are in place but not testing their effectiveness then you’re conducting a risk assessment (assuming you’re asking the right sort of questions – a post for another day). Is there some odd dimension between the risk assessment and the audit I’m unaware of where this review occurs? And what exactly are you expecting from the results of this review? Because I’ll tell you this much, examiners only recognize risk assessments and audits. You can present them with a report that has “review” in the title and tell them it’s actually an audit, but you’d better be prepared to produce work papers because they’re going to ask you for them, trust me on this point. But my experience is that reviews don’t produce work papers because evidence is generally not formally collected in support of the report, which is also why a review requires significantly less effort to conduct. Which is why, when we discuss the semantics of our industry, my partner is fond of saying that the difference between an audit and a review is about 50% of the proposed amount.

And as long as I’m ranting on the topic, how many of you out there include work papers as a deliverable when you contract with external entities to conduct audits? I’ve long been amazed at how many audit projects I’ve managed where work papers weren’t required or provided because they weren’t included in the statement of work. I’m of the opinion that a summary audit report by itself is useless if you don’t have the supporting documentation, because that documentation is the only true way to confirm that the testing occurred and to support the findings. And of course it’s important to loop back to my earlier comment: examiners will absolutely ask you for the work papers. I routinely receive phone calls from clients I’ve worked with at my previous firms asking if I still have access to their work papers because their examiner is asking for them. It’s awful for me because I have to tell them that while the evidence is still available (I keep everything for seven years for fieldwork I’ve conducted) there are no formal work papers to provide. That is the reason that, when we started our firm and developed the methodologies, I made certain that part of the scoping process included asking the client whether work papers were to be included in the deliverables. It adds time to the project and so there’s a cost implication, but it’s the right way to run an audit and so really a need-to-have. You can take a shortcut where applicable and only document findings, but even so, how can you prove that a successful test was actually successful? For those practitioners looking for shortcuts it provides the wrong incentive.

If you want/need an audit, schedule an audit. If you want/need a risk assessment, schedule a risk assessment. If you’re considering a review or a generic assessment, reconsider; decide which of the two proper categories your work fits into and then schedule accordingly. This isn’t rocket science; the FDIC and NCUA have been quite clear as to what you’re required to do, so keep it simple. And if the resources you’re using aren’t speaking in the common audit and compliance vernacular, force their hand and make them do so. Audit or risk assess, pick one.


Jul 27 2009   8:56PM GMT

Let the FDIC lead the way!



Posted by: David Schneier
Regulatory Compliance, regulations, FDIC, banking, compliance

I can’t think of any more telling comment about where I am in my professional life than what I’m about to offer:

Sheila Bair rocks!

If you don’t know who she is, well, shame on you.  Because over the past year or so as the banking world has been in a near free-falling, tail-spinning heap of confusion, the chairman of the Federal Deposit Insurance Corporation (FDIC) remains perhaps the only reason why we haven’t been experiencing pure panic in the banking sector.  We’ve all watched as she calmly navigates from bank failure to bank failure, never losing her composure or allowing the dire circumstances to consume her or the FDIC.  She routinely offers sound and sensible insight and perspective, framing what’s happening in the banking world and making sure that everyone knows that the FDIC continues to have our back.   From the very first publicized collapse last year (IndyMac) straight through to last week’s speech before the Senate Committee on Banking, she has proven that there’s no substitute for having the right person in the right job.

As to why I’m waving my Sheila Bair banner so vigorously this week you need only read the transcripts from her aforementioned Senate testimony last week.

She was among the very first and remains one of the very few industry leaders to rail against the idea that any financial institution is “too big to fail.”  Last week, she expanded on that considerably.  She discussed how the “notion of too big to fail creates a vicious circle that needs to be broken” or rather, “we need to end too big to fail.”  She highlighted how so much of what’s caused this nightmare stems from “the presence of significant regulatory gaps with the financial system” and followed that up by suggesting that “we need to develop a resolution regime that provides for the orderly wind-down of large, systemically important financial firms, without imposing large costs to the taxpayers.”

Wow!  I mean, like, wow!

So really what she’s saying is that if you’re, say Citigroup or Bank of America, and you’ve managed to paint your institution into a financial corner from which you can’t legitimately escape, the only thing to do is go out of business.  Y’know, sort of like the core principles of a free market economy would dictate, or so we all believed until this past year.  None of this government bailout activity would be allowed that essentially transferred risk from for-profit institutions to us, the taxpayers.  You mismanage your bank, you run out of options, you close; simple and fair.

Chairman Bair further expanded on her proposal by explaining that with a resolution regime “losses would be borne by the stockholders and bondholders of the holding company, and senior management would be replaced.”  Or rather in my own words, accountability would be enforced; those who made the decisions that caused the problem would be forced out and those that were banking on a windfall that until now was almost guaranteed would have to accept the unfortunate risk-side of their investment (no more “sure things”).  And towards that end, she suggested that “each bank holding company with subsidiaries engaged in non-banking financial activities would be required to have, under rules established by the FDIC, a resolution plan that would be annually updated and published for the benefit of market participants and other customers.”   I’ve come to think of this as a disaster recovery plan of an entirely different nature.

Think about what’s being proposed: accountability, acceptance of risk and the need to plan for all potential outcomes, favorable or otherwise.  What a concept!  And what a breath of fresh air!

Chairman Bair also offered the concept of forming a Financial Services Oversight Council that effectively “should be able to harmonize rules regarding systemic risks to serve as a floor that could be met or exceeded, as appropriate, by the primary prudential regulator.”  But wait, there’s more.  Of the council she also suggested that “primary regulators would be charged with enforcing the requirements set by the Council. However, if the primary regulators fail to act, the Council should have the authority to do so.”  This would eliminate the current design restrictions in which individual oversight agencies could only pursue punitive and/or corrective actions to a point but once their jurisdiction ended so too would their ability to take additional and often necessary steps to address the issues at hand.  Generally speaking, this would eliminate a number of loopholes that currently exist in the system.

I find all of this remarkably refreshing.  It’s so simple and straightforward, it’s all but impossible to reject or ignore (but I’m sure our politicians will try just the same).  And to a very large degree, these proposed changes would work, maybe not completely but certainly enough so that it would be worth our time to at least attempt implementing them.

But does everyone think so highly of Ms. Bair and her proposal?  It’s received pitiful little coverage in the press (I couldn’t find anything on two of the major news sites and on the third it was skewered to look like partisan politics) and none of my contemporaries were even aware that she had spoken.  Frankly, I don’t understand why.

I’ll put it out there right now: If I have a vote that can be cast in support of her plan it’s hers; there’s no need to ask me twice.  And if I need to poke a senator or two from my home state to help inspire them to support her plan, someone only has to let me know and I’ll happily go call on them (at home or in DC, it’s close enough to drive).


Jul 17 2009   1:58PM GMT

Does compliance equate to secure?



Posted by: David Schneier
Regulatory Compliance, SOX, PCI, GLBA, FFIEC, Audit, compliance, regulations, Security, cyber security

Despite earning a living in the space, I often question the value of regulatory compliance.

How is it that a business can be PCI-compliant but still have glaring vulnerabilities?  How is it that despite layer upon layer of controls it’s still entirely possible for an executive to fudge numbers in a spreadsheet and alter a company’s financial reports?  How is it possible that a financial institution undergoes an annual exam and, despite not adhering to the most basic tenets of FFIEC guidance, still receives a favorable report?  And how is it that there’s a regulation that made an entire industry jump all at once but has never actually been enforced (can I see a show of HIPAA hands)?

And don’t think these statements are pure hyperbole; these all come directly from the field and from engagements I’ve been on in the last few years.

Why, you may ask, am I feeling a bit down on the regs this week?  A couple of three reasons:

It started on Monday when I was catching up on my industry reading.  There was an article about data leak prevention (DLP) software and how sales have been heating up lately.  Of the reasons given by survey respondents as to why they were considering purchasing a DLP solution, the top two were pretty much pointing the finger at either industry or regulatory demands.  The third reason was to avoid damage to the company brand/reputation, the fourth was to avoid lawsuits and finally, all the way down at number five on the list of reasons: to prevent the theft of proprietary information.  That’s just Depressing (note the capital “D”).  I thought it was embarrassing that the vast majority of survey respondents were looking to prevent data theft not because it was the right thing to do or to protect customers’ or employees’ sensitive data but rather because they’re being made to do so.  And so maybe you can make the case that regardless of the reason, at least companies are being forced to do something about protecting their information.  Sadly, that’s exactly my problem.  When it comes to doing things for the sake of compliance most companies only take things as far as they need to in order to achieve/maintain compliance.  The people on the front lines sort of lack enthusiasm for doing these things and figure their job ends once the auditors and examiners are happy.

My week of regulatory woe continued on Tuesday when, while reviewing key activities aligned against one of the aforementioned frameworks, I identified what was a potentially significant gap, not in how the client was conducting their work, but rather in what the regulation specifically required.  In other words, despite my client being completely compliant with this stringent, well respected framework, there was still the very real possibility that a vulnerability could exist.  I dug a bit deeper, made some phone calls to associates whom I often consider to be way smarter than I, and the result was that I was right: the gap existed.  One of my associates pointed out that in a well-run shop with a hardened infrastructure you would expect the situation I identified to be managed properly, but the reality is that unless they have to, few managers have the ability to go beyond what’s required (either by the business or regulations).  I suppose if ever a day comes when an IT department has finally cleared out their project queue and has money left in the budget they may very well get around to it, but I’m not volunteering to hold my breath.

And finally, my week is closing with news that a former client of mine is on its financial ropes and very likely about to declare bankruptcy.  Really, in the end it’s just a sign of the times and the sad state of our economy.  They appeared to be making the necessary adjustments over the past few years by trimming back staff and scaling back on non-critical projects, but they’re a half-inch to the left of the epicenter of this whole financial mess and in the end I guess there was no way to avoid the inevitable.  But still, I think of all the money they’ve spent on compliance-based initiatives since SOX first hit the scene and I can’t help but wonder if all of that spend could’ve been put to better use.  In the end, despite all of the great work that was done they still weren’t going to be able to prevent someone from massaging the numbers in a spreadsheet (a personal pet peeve of mine).  Thinking about the number of people they’d brought in to size up and conduct the work to bring their controls up to the necessary levels and the fees they’ve paid to their external auditors to conduct the SOX audits is just plain depressing.  Maybe if they’d used that money to fund a project to offer a new product line or enhance an existing one, they’d have found additional streams of revenue that could’ve helped them through this mess.

I suppose it comes down to this: anything worth doing is worth doing right.  But in the regulatory space that’s not the general rule and I’m thinking that until the oversight bodies figure out a way to provide the proper incentives, the work will always be lacking if not deficient.  Until being compliant also means being secure the job isn’t truly getting done.

Along those lines check back next week; I have an idea I’d like to share with you about how to make things better for all of us in the regulatory domain and turn things around.


Jul 8 2009   3:45PM GMT

How’s about a federally mandated Information Security Assessment?



Posted by: David Schneier
Regulatory Compliance, SOX, GLBA, NERC, Audit, compliance, FERC cyber security, cyber security

I had a eureka moment recently that I’d like to share.

In considering the implications of the recently announced changes by MasterCard that will now require PCI Level 2 merchants to be assessed by a Qualified Security Assessor (QSA) it occurred to me that they may be onto something. Why would the credit card industry restrict who needs to be assessed based on size? Why not simply require any business entity that either issues, accepts or processes credit cards to be regularly assessed against the PCI standard by a properly trained practitioner? The size factor could come into play based on the frequency of these assessments but in general everyone would need to have one conducted.

That wasn’t the eureka moment.

It wasn’t until a day or two later, while reading about newly emerging state data privacy laws, that the clouds parted and the sun shone through. With the MasterCard news kicking around in the back of my mind, I started thinking about how these state-based laws were going to come into play, and when I tried to tie all of this back to the Obama administration’s cybersecurity plan, it happened.

What if all business entities that issue, accept or process personal information, regardless of their vertical, are required to have an information security assessment conducted (think GLBA meets NERC CIP meets PCI) by a Certified Information Security Auditor? Think about it; ISACA could be broken up with the subset that oversees the CISA process becoming federally chartered to both manage the framework and issue the certification (think PCI on steroids). The framework would include portions that are of the one-size-fits-all variety and others that are specific to an industry and would be scalable based on the size of an entity. The CISA practitioners would all be trained on the framework and how to apply it properly and would need to attend agency-sponsored seminars at least annually.

Rather than have multiple frameworks to wrestle with, business entities would be able to distill information security regulations down to a single, stronger entity (and reduce all the redundant activities that so many of my clients are forced to struggle with). It would bump the IT general controls audit up a level to encompass more than just bits and bytes and allow the entity to tie together related activities that are assessed through a single pass. And the icing on the cake is that the resulting report could also be used in place of a SAS 70 (and finally provide a modicum of consistency to the SAS 70 process as well).

But the best part of my idea is that the business entity could staff up with their own certified assessors that would not only conduct the required work, but also serve as internal advisors year-round. They’d still need to be properly certified and maintain that certification, but there would be no need to constantly pay premium prices for external firms and/or resources.

Maybe the idea was inspired by the fact that I’m just burned out a little from working on multiple compliance initiatives or maybe it stems from my concerns that true IT governance is a generation away. However, after my eureka moment and after sharing the idea with a few associates of mine I’m still liking it.

Does anyone have a direct line to the White House I can use?


Jul 2 2009   2:53AM GMT

2 for 1 sale: How governance leads to compliance.



Posted by: David Schneier
Regulatory Compliance, GRC, governance, compliance, SOX, PCI, GLBA, Audit

A while back I’d written about the Unified Compliance Framework from Network Frontiers, which takes quite literally every regulation and framework within the IT domain and maps them in such a way where you can identify how a single control addresses multiple requirements. In this day and age, the era of regulatory overload, with even more regulations heading our way I consider the product an essential tool in managing the required work. However there’s an important caveat to throw out there; the benefits of the UCF product can only be fully realized if it serves as the underpinnings of an IT governance program.

Ah yes, IT governance, a favorite topic of mine and one that’s a sure-fire way to get me to whip out my soapbox and fire up the accompanying rhetoric. I’m a practitioner first and a theorist second and the combined perspective provided by both has forced me to become a huge advocate of governance as not only the best way to achieve regulatory compliance but perhaps the only way. I’ve reached the end of my rope when it comes to the currently popular way to pursue compliance, which is to build silos and assign each its own regulation or industry framework. How does it make sense to have, for example, two or more groups of people testing user account provisioning when a single test can be used to satisfy both? It doesn’t and by doing so it wastes time, resources and money.

And so now I’m getting to do something about it.

My current “big” project has multiple parts. The client is managing the consolidation of two business entities including their regulatory compliance initiatives. It’s resulted in their needing to build out a plan to merge four sets of existing regulatory compliance frameworks as well as taking over responsibility for another that’s brand new to their mix. Beyond the doubling up of the required work, it’s also resulted in a new compliance team that’s sizable and using headcount within an IT organization doing work that’s not really IT-specific. That’s the bad news.

The good news is that the client had empowered the team responsible for managing compliance to switch to a governance approach a few years back. Rather than serve as an after-the-fact function that tests to make sure controls are working effectively, this group has served as an adviser to IT, helping strengthen controls, and has streamlined the testing process so that stakeholders pass along evidence of their daily activities, thus reducing the need for the typical testing cycle fire drill that most of us know. It’s served two purposes for the IT organization: It eased their burden in the compliance process and made them more trusting of the audit and assessment function.

But in the short term, the consolidation has dramatically increased their workload and at a time when management is looking for ways to reduce expenses and get more for less. How do they proceed? How do they consolidate the related frameworks, assume oversight for the new ones and continue delivering the value and efficiencies that they’ve come to be known for? There’s only one way: by taking IT governance to the next stage of its evolution.

They already understand and practice the basic elements of IT governance and so the foundation has been laid. Now it’s time to take it up a notch to the next level. Thus the tie-back to the UCF approach. If you have multiple frameworks to comply with, the commonalities to be found between them are significant. I know this based on my own research and analysis and can now prove it courtesy of UCF. The manager of the IT governance function is also a believer in this approach and the plan is to build out a true IT governance program so that all in-scope frameworks are managed via a consolidated approach. All current and effective frameworks will be supported through the end of 2009 but along the way each control and related activity is being reviewed to identify opportunities for consolidation. Once done, all IT-based activity will be viewed through the lens of the new governance framework so that compliance is maintained and changes to the infrastructure are evaluated for any potential regulatory impact. And the best part is that all of this will likely be done with less effort, thus freeing up resources to focus on more IT-centric tasks.

Imagine that, a world where compliance is achieved through a coordinated proactive governance approach and IT resources are free to focus on technology-based activities. It’s like solving two problems for the price of one with the added benefit of actually spending less money overall.  What CIO/CTO wouldn’t like that?


Jun 22 2009   3:46PM GMT

Financial regulations and my crystal ball.



Posted by: David Schneier
Regulatory Compliance, PCI, SOX, GLBA, obama, OTS, Audit, compliance

I had a great piece lined up for this week about a governance project I’m working on but was waylaid by all the news that hit the radar around regulatory reform.

In what may be the understatement of the year, the plans revealed last week by President Obama and his administration to overhaul the financial regulatory domain are stunning.  It was equal parts common sense (dissolution of the Office of the Thrift), politics as usual (government intervention for distressed larger institutions) and forward thinking (creation of a consumer oversight body).  But for practitioners in the regulatory space such as myself the news was a warning that we all had better pay close attention to what’s about to happen.

The largest percentage of work my practice does has less to do with making sure our clients are in compliance with the broad range of regulations they operate under and more to do with educating them on what that means and how best to achieve it.  The very first step our practice takes with our clients is in understanding their profile, size and risks and then setting about designing or assessing them based on what makes sense.  Take for example vendor management; not every vendor needs to be part of your vendor management program but because so many institutions form a baseline based on vendors in their accounts payable system they tend to add an enormous amount of work that’s just not necessary (a particular sticking point for my partner).  Regulatory compliance is not a one-size-fits-all exercise and after nearly a decade of dealing with the regulatory alphabet soup of GLBA, SOX and PCI (in varying lengths of time) it’s amazing how little is truly understood about each framework and how best to apply their principles.

And now it’s all about to change… again.

Much like what occurred with the last major regulatory step forward with the Identity Theft – Red Flags law that went into effect in 2008, we’re going to need to work hard to get out in front and understand the new rules as they’re being rolled out.  Traditionally, much of what’s necessary to comply with any regulation already exists in large part within any organization.  The work that’s typically required is in identifying where it is and making sure it’s documented sufficiently so the work can be measured and assessed properly.  I’m sure that much of the work that’s going to result from the proposed changes will align with quite a bit of what’s already in place (or should have been in place).  But understanding the new rules is going to be a huge amount of work for those needing to comply and will require time and effort.  And all this at a time when headcount has already been thinned out and staff is working extra time to keep up with their day-to-day workload.

So for my fellow practitioners I’m putting it out there that we need to step it up too.  We need to make sure that we’re engaged in the dialogue early on and that we’re working quickly to interpret the new rules as they’re working their way through the system.  The current regulatory burden has proved to be challenge enough and with the likely musical chairs scenario that’s going to ensue as the rules shift around, it’s incumbent upon us to be prepared to ease the burden, flatten the learning curve, and help the affected institutions fall into line while keeping up with the speed of business.

The sad irony for me in all of this is that despite all the work that’s about to ensue, I’m somewhere close to certain that very little will improve as a result of the exercise.  I was looking through all of what’s been proposed and I mapped it back to the issues I’ve encountered over the years I’ve been toiling in the regulatory space and there’s still a gap.  The biggest problems originated from a lack of proper regulatory oversight resources in terms of both the hours and skills to conduct the necessary work.  You can have a strong set of rules that need to be followed but if the people assessing your performance against those rules either don’t understand what to look for or don’t have the time to conduct the necessary steps, what’s the point?  And consider what happened in the credit union space this year where, due to the one-time assessment, many CUs fell below required reserve amounts and thus were considered to be at risk.  The NCUA instructed their examination teams to still assign an appropriately adjusted rating but to go easy on the report because there was a new normal (I’m paraphrasing a bit but that was clearly the gist of their message).  The rules were there for a good reason and the measurements tried and true but when circumstances called for it they were pushed to the back burner; how is that going to change?  And finally, I offer my favorite broken control and one that’s potentially at the heart of this economic crisis we’re struggling with: real estate valuation.  When I bought my last house in New York, the appraiser conducted all his required steps (e.g. physical survey, square footage and finding recent comparable sales, etc.) and when all was said and done he declared the house was worth the purchase price we’d offered.  I asked our real estate agent how it happened to be that his appraisal and our offer were identical and she told me that with the market so volatile it was impossible to conduct a meaningful appraisal and so they typically just went with the offer price.  How did that add any value to the process?  Will any of the new laws implement the proper checks and balances to assign accountability to lenders and their agents in the field?

Ultimately, I’m thinking the problem hasn’t been with the current regulatory rules but rather their inconsistent application and enforcement.  Regardless, change is a comin’ and it’s going to be an interesting and bumpy ride as we wend our way through it all so strap yourself in and hold on tight.


Jun 12 2009   8:49PM GMT

Risk is at the heart of what matters most.



Posted by: David Schneier
Regulatory Compliance, GLBA, PCI, risk, risk assessment, assessment, Audit, compliance

I had two great conversations this week regarding risk assessments (jeez, does that ever sound geeky).

The first conversation centered on what an associate was expecting to accomplish via the risk assessment process and the second one was a general conversation about the proper approach to conducting one in support of PCI.  Fundamentally, at some higher level a risk assessment looks like a risk assessment regardless of its intended purpose.  But at the ground level, there are huge swings and variances between different types of assessments and how they’re conducted.

The first go-round centered on GLBA and was with a fellow practitioner I’ve worked with before on audits.  The conversation started because my associate was preparing to conduct an information security risk assessment later this month and was talking about all of the planning effort required before, during and after the fieldwork.  I commented that it sounded more like he was conducting an audit rather than an assessment; his reply: “same difference.”  And I thought to myself “funny, it sounded like he just said that an audit and an assessment were the same thing.”  So I asked him to clarify and he did by stating that the only difference between the two was whether or not you needed to create work papers.  I was stunned by this shocking admission and obvious lack of understanding of our trade.  An audit tests in-place controls to determine if they’re working as designed and are sufficient to address the related risks those controls are intended to manage or mitigate.  An assessment examines objectives or assets, identifies risks to either and then looks to see if there are controls in place to manage those risks.  I can get more granular than that but at its most basic level, that’s how it’s supposed to work.  Risk assessments identify risks and related control activities and audits test to see if the necessary controls are present and that they’re working properly.  He also shared with me that he uses the same general outline of questions and topics for both, that they’re both based on FFIEC guidance and that it’s exactly what the examiners are expecting.

OK, first of all, the examiners are not expecting that the same work is being done for both an audit and an assessment.  I’ve spoken with enough of them to know that plus I’ve heard several of them stand before large audiences and explain the nuances of both and so I know they get the differences.  Second of all, the entire purpose of a GLBA-based assessment is to ensure that at some acceptable frequency (which secretly means annually) each financial institution should conduct a thorough assessment of their infrastructure (not just IT, by the way) and identify and measure risks and threats to the customer data they manage and store.  If you move right past the assessment and conduct an audit you’ll never truly know if you’re missing something because you’re only testing what you can see.  I’ve participated in and conducted enough of these to know this to be true.  And if you conduct an assessment like it’s an audit, you have the same basic issue.  Thus the reason why you typically schedule an assessment first and an audit second.  I was about to explain this to my associate but decided against it; I somehow thought it would’ve fallen on deaf ears.

In the second conversation I participated in around risk assessments it was all about PCI.  This one was much easier because the team running the assessment had built a high-level approach based on guidance from the PCI DSS Council itself and displayed a clear understanding of what they were to do.  While they hadn’t developed any of the templates to be used (it’s not due to be conducted until next month) they were well into the planning stages.  My role was to simply listen and provide any meaningful feedback.  The one potential gap in their intended approach is that they were taking an asset-based approach to the assessment.  What that effectively means is that they only look for and attempt to measure risks around what they can see, be it a piece of equipment or a documented process.  But if there’s something that doesn’t appear on an inventory or a network diagram, or exist in a binder somewhere, they’ll potentially miss it.  A great PCI for-instance is what happens when a customer service rep writes down sensitive information on a pad because their system is hanging and they’re trying to keep the call within acceptable time frames.  It’s not supposed to happen but I’ve been in a dozen call centers over the past few years and have personally witnessed it happening in almost all of them.  If you were to rely exclusively on what’s documented, you would note that typically erasable whiteboards are to be used for such situations and so you would consider that to be low risk.  But the risk increases significantly if you move past the “thing” you’re looking at and poke around a bit.  Assuming that they do use a scratch pad on occasion, what happens to that piece of paper after the transaction is completed?  Is it thrown out and if so, is it placed in a secured bin or in the regular trash?  And so I advised the client to approach the assessment like it’s an Easter egg hunt.  Deviations and violations are always swirling about (we’re human, we make mistakes) and as part of the assessment process you should be looking for where that might be happening.  But the best part of the Easter egg approach is that it gets everyone involved in the conversation thinking a bit outside the box and that’s where the really neat information is found.  And really, in the end, that’s what a well-run risk assessment should be all about: seeking out and measuring risk wherever it may be hiding.

When the PCI conversation concluded I was feeling a bit energized because in brainstorming with the client I had the ideas flowing freely.  And then I recalled the first conversation and I could almost hear the screeching tires and smell the burning rubber where my creativity came to a complete halt.  It’s amazing to me how the term “risk assessment” can mean completely different things to different people.  I was as impressed with my client asking for guidance and wanting to get it right as I was disappointed in my colleague for having it all wrong.  This wasn’t an issue of principle but rather results; how can you properly manage this thing called risk if you don’t even know how to begin looking for it?

Speaking of risk, check back next week when I jump back onto the GRC train of thought and bring you up to speed with something I’m working on.