Monday, June 30, 2008

IT Governance, Risk, and Compliance (ITGRC)

Businesses rely on their IT departments and resources for competitive advantage and business-to-business transactions, and cannot afford to apply to IT anything less than the level of commitment they devote to other company assets. IT offers extraordinary opportunities to transform the business; however, IT must deliver value and enable the business, and IT-related risks must be mitigated. Governance of IT, information security, and risk management encompasses several initiatives for executive management. At a glance, they must be aware of the role and impact of IT on the enterprise, define the constraints within which IT professionals should operate, measure performance, understand risk, and obtain assurance.

Corporate Governance:

Before discussing Information Technology and Security Governance, one must look at the broader issue of Corporate Governance in the enterprise. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of the Enron, WorldCom and Tyco scandals, and is drawing renewed attention today in the wake of the TJX credit card breach case. Corporate interest in governance is not new, but the severity of the financial impact of these scandals undermined the confidence of the investment community and corporate stakeholders.

Good corporate governance is important to investors and shareholders. Many investors, before making an investment decision, validate and rank a company’s corporate governance on par with its financial indicators, and some investment firms are prepared to pay large premiums for investments in companies with high governance standards.

Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.

IT Governance Role:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of corporate governance and consists of the leadership, organizational structures and processes that ensure that the organization’s Information Technology sustains and extends the organization’s strategies and objectives. IT governance is also the term used to describe how those persons responsible for governance of an entity consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the business will have an immense impact on whether the business attains its vision, mission or strategic goals. In today’s economy, with most businesses relying on IT for competitive advantage, businesses simply cannot afford to apply to their Information Technology anything less than the level of commitment they apply to overall governance.

Who is Responsible for IT Governance and Risk Management:

Boards of Directors (BODs) and executive management have a joint responsibility to protect shareholder value. This responsibility applies just as stringently to valued information assets as it does to any other asset. BODs and management must recognize that securing information and information assets is not just an investment; it is essential for survival in all cases, and for many organizations it guarantees competitive advantage. Additionally, BODs and management must accept the responsibility of ensuring that:

  • IT Governance is aligned with the overall Corporate Governance structure within the enterprise.
  • IT Governance includes an alignment with the Enterprise Risk Management Program, which is a responsibility of the BODs and Management.
  • The operational and economic costs of protective measures are balanced against the gains in mission capability achieved by protecting the IT systems and data that support the enterprise’s business strategy and objectives.
  • Risks and threats are identified, categorized and mitigated to acceptable levels.
  • IT Governance obtains coordinated and integrated action from the top down.
  • IT investments are not mismanaged or misdirected.
  • IT Governance rules and priorities are established and enforced.
  • Trust is demonstrated toward trading partners while exchanging electronic transactions.

In Closing:

IT governance covers a number of activities for the board and for executive management, such as becoming informed of the role and impact of IT on the enterprise, assigning responsibilities, defining constraints within which to operate, measuring performance, managing risk and obtaining assurance.
IT governance focuses on two categories: (1) IT’s delivery of value to the business and (2) mitigation of IT risks. To have an effective IT and security governance strategy, businesses must address the following questions:

  • What decisions must be made to ensure effective management and use of IT?
  • Who should make these decisions?
  • How will these decisions be made and monitored?

Always remember that managing information security risks as part of operational risk involves establishing an effective IT governance and control architecture.


Thank you

James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions


Friday, May 23, 2008

Best Practices for Performing Risk Assessments

In today’s blog, we will discuss best practices for performing risk assessments.

In most organizations, assessing business and information risk is challenging and is often performed in silos. This is why risk experts encourage companies to take a closer look at their risk assessment strategies and think of ways to simplify, integrate, and collaborate on assessment tasks across the enterprise.

Risk Assessment Frequency:

This topic is often debated; however, in my professional opinion, organizations should perform their risk assessments at least annually. The most common approach is for companies to assess their enterprise business risks on a calendar-year basis. I also recommend that most organizations review their risk assessment strategies on a quarterly basis, as business processes, systems, strategies, etc., may change during the course of the year; this way the annual risk assessment plan will account for those changes. I am also seeing organizations that have very inefficient risk assessment strategies, and some without any at all. The only way to ensure that your organization is risk intelligent is to implement an effective risk assessment strategy that covers the entire organization. Risk assessment results should be stored so that risk trending and analysis can be performed.

Tearing Down the Risk Assessment Silos:

The most challenging aspect of a successful enterprise risk assessment strategy is “the silo approach to risk assessment”. If you survey businesses today, you will find that a smaller percentage do not have a “central” ERM group or Chief Risk Officer who collaborates with business process leaders to consolidate risk assessment activities. In order to give BODs oversight of business risks, organizations should improve their efforts by bringing risk assessment activities under one “umbrella” for centralized management and reporting.

Measuring and Weighing Risks:

There are many ways an organization can measure and weigh its risks. The most common measurement of risk is likelihood and magnitude of impact. I have also worked with clients that measured their risks based on complexity, speed of onset, and/or dollar value. The key here is to choose a measurement that is right for your business and modify it over time as assessment needs change. As for weighing or ranking risk, I prefer to use the NIST model or approach. It is relatively simple and does not require you to be a mathematician to rank and score your risks.
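To make the likelihood-and-impact measurement and the NIST-style ranking concrete, here is an added example (it is not the author’s tool, and the risk register entries are constructed). It assumes the qualitative scale of NIST SP 800-30 (2002): likelihood weights of 0.1/0.5/1.0, impact magnitudes of 10/50/100, and risk bands of Low (up to 10), Medium (over 10 to 50) and High (over 50). It also stores each assessment run so that a quarterly review can be trended against the annual baseline, as the post recommends.

```python
"""Rank and track risks with the likelihood x impact scale of NIST SP 800-30 (2002).
Added example; it is not the author's tool, and the register entries are constructed."""
from dataclasses import dataclass

# Assumed scale: NIST SP 800-30 (2002), Table 3-6.  Likelihood is a probability weight,
# impact a magnitude, and their product falls into one of three risk bands.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"


def score(risk):
    """Numeric risk = likelihood weight x impact magnitude (1 .. 100)."""
    return LIKELIHOOD[risk.likelihood.lower()] * IMPACT[risk.impact.lower()]


def level(value):
    """Map a score to the SP 800-30 bands: High (>50), Medium (>10 to 50), Low (<=10)."""
    if value > 50:
        return "High"
    if value > 10:
        return "Medium"
    return "Low"


def rank(register):
    """Highest score first; ties are broken by name so the ordering is stable and reviewable."""
    return sorted(register, key=lambda r: (-score(r), r.name))


def record(store, register, assessed_on):
    """Append one assessment run to a store (a plain list of rows) for later trending.
    assessed_on is an ISO date string so rows sort chronologically."""
    for r in register:
        s = score(r)
        store.append({"name": r.name, "date": assessed_on, "score": s, "level": level(s)})
    return store


def trend(store, name):
    """Chronological (date, score) points for one risk across the stored assessments."""
    rows = sorted((row for row in store if row["name"] == name), key=lambda row: row["date"])
    return [(row["date"], row["score"]) for row in rows]


# Constructed register for two assessment cycles: the annual run and a quarterly review.
ANNUAL = [
    Risk("Unpatched internet-facing server", "high", "high"),
    Risk("Insider sale of customer records", "medium", "high"),
    Risk("Laptop theft", "high", "medium"),
    Risk("Documents left on fax device", "high", "low"),
]
QUARTERLY = [
    Risk("Unpatched internet-facing server", "medium", "high"),  # patch cadence improved
    Risk("Insider sale of customer records", "medium", "high"),
    Risk("Laptop theft", "medium", "medium"),                    # disk encryption rolled out
    Risk("Documents left on fax device", "high", "low"),
]

if __name__ == "__main__":
    store = record([], ANNUAL, "2008-01-15")
    record(store, QUARTERLY, "2008-04-15")
    for r in rank(QUARTERLY):
        print(f"{level(score(r)):6} {score(r):5.1f}  {r.name}")
    print(trend(store, "Laptop theft"))
```

Note that two risks with different profiles (medium likelihood/high impact and high likelihood/medium impact) both score 50 and land in the Medium band; the store keeps the raw score alongside the band so that a later review can still tell which one moved.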

I would like to hear your views on the following:
  1. How do you measure and rate your risks?
  2. Do you have a centralized risk assessment strategy?
  3. Do you have a Chief Risk Officer?

Thank you

James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions

Thursday, May 15, 2008

Data Theft

In today’s blog, we will discuss the issues concerning insider data theft and the selling of customer data. I would also like to hear your views on information risk management. Enjoy!

Over the last couple of years, insider data theft has become a major issue that companies are dealing with and seeking preventative controls for. Even more shocking, some employees and contractors with access to customer information have managed to make extra income by selling this information on the “electronic black market”.

The Issue:

The FBI has cited that 85% of data theft is caused by internal employees who have access to confidential data. In the month of July alone, two major data theft cases made headlines. Certegy Check Services, a subsidiary of Fidelity National Information Services, announced that it had discovered that an employee sold identifying data on 2.3 million customers to a data broker; more recently, a subcontractor working for a company that processes and fulfills orders for the Disney Movie Club sold credit card numbers and other account information belonging to an unknown number of customers to undercover law enforcement agents. The data stolen in both cases contained names, addresses, birth dates, and account information.

The Consumer Data Black Market:

The following types of information are being sold on the black market at the following prices:

* $980-$4,900 - Trojan program to steal online account information
* $490 - Credit card number with PIN
* $78-$294 - Billing data, including account #, address, Social Security number, home address, and birth date
* $147 - Driver's license
* $147 - Birth certificate
* $98 - Social Security card
* $6-$24 - Credit card number with security code and expiration date
* $6 - PayPal account logon and password


Major Cause of Data Breach:

Nearly fifty percent of professionals take corporate data with them when they change jobs, according to a recent online survey, with many of them simply e-mailing it to themselves or storing it on a peripheral device. In fact, a CSI/FBI survey reported that the most serious financial losses occurred through theft of proprietary information. Much like other security vulnerabilities, non-malicious errors (otherwise known as social engineering) contribute largely to the problem. The leading cause of a data security breach is non-malicious employee error (39 percent), followed by malicious employee activities (30 percent) and hacker or external penetration (16 percent). Other sources of data breaches include:

* Stolen Laptops
* Social Engineering
* Dumpster Diving
* Information left on printing and fax devices


Some Solutions:

Once sensitive data has been identified and classified, a number of automated methods can be used to maintain those classifications. Linguistic signatures or forensic-based “file crawlers” can watch and sustain classifications as the original files change and new files are added to protected directories. These devices can be configured to navigate through file systems and watch protected files and directories in a number of ways:

* Protect and watch specific files. As the file contents change, so will the data in the signature repository.
* Protect all contents of a directory. File crawlers can be set to watch and protect directories containing proprietary source code.
* Protect all files matching a specific template within a directory. As file names and content within documents change all drafts of the document are protected.
* Protect all files with a given extension in a directory. For example, selecting the .xls extension enables protection for all Excel spreadsheets in the finance department’s directories.


Other solutions include notifying departments of new threats and risk areas; this enables them to fully understand the cause of the threat, determine how to mitigate it, implement new controls, and then apply that knowledge to other areas. Finally, organizations should review the following file system security components and implement security controls to mitigate the risk of data theft:

* File System Permissions
* Access Management and Frequent Monitoring/Review
* Network Access Management
* Hardened Systems and Hosts
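The four crawler configurations above (a specific file, a whole directory, a filename template, an extension within a directory) and the “File System Permissions” review item can be shown together in one small script. This is an added example, not the author’s code or any vendor’s product: it keeps a signature repository (SHA-256 per protected file), re-crawls to report new, removed and changed files, and flags protected files that a group or everyone may write to. The directory tree it crawls is constructed in a temporary directory so the script runs offline; the rule format is an assumption of this example.

```python
"""Added example (not the author's or a vendor's product): a minimal "file crawler" that
keeps a signature repository for protected paths, re-checks it, and reviews permissions.
The rule kinds mirror the four configurations described above; sample files are constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    """Content signature stored in the repository for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def select(root, rules):
    """Return the set of files covered by the rules.  Each rule is a (kind, value) tuple:
       ("file", "finance/budget.xls")       one specific file
       ("dir", "src")                       every file under a directory (e.g. source code)
       ("template", "legal/contract*.doc")  every file matching a glob template (all drafts)
       ("ext", ("finance", ".xls"))         every file with an extension under a directory"""
    root = Path(root)
    chosen = set()
    for kind, value in rules:
        if kind == "file":
            p = root / value
            if p.is_file():
                chosen.add(p)
        elif kind == "dir":
            chosen.update(p for p in (root / value).rglob("*") if p.is_file())
        elif kind == "template":
            chosen.update(p for p in root.glob(value) if p.is_file())
        elif kind == "ext":
            subdir, ext = value
            chosen.update(p for p in (root / subdir).rglob("*" + ext) if p.is_file())
        else:
            raise ValueError(f"unknown rule kind {kind!r}")
    return chosen


def snapshot(root, rules):
    """Signature repository: relative path -> SHA-256 of the current contents."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in select(root, rules)}


def diff(old, new):
    """What changed between two crawls of the same rules."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def loose_permissions(root, rules):
    """Protected files a group or everyone may write to: a 'File System Permissions' finding."""
    root = Path(root)
    loose = [str(p.relative_to(root)) for p in select(root, rules)
             if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH)]
    return sorted(loose)


def _write(path, data):
    """Create a sample file with a known, owner-only-writable mode (constructed data)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.chmod(path, 0o644)


def demo():
    """Build a throw-away tree, take a baseline, make some changes, and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "finance" / "budget.xls", b"q1 numbers")
        _write(root / "finance" / "notes.txt", b"not covered by the .xls rule")
        _write(root / "src" / "billing.py", b"print('v1')")
        _write(root / "legal" / "contract_v1.doc", b"draft 1")
        rules = [("file", "finance/budget.xls"), ("dir", "src"),
                 ("template", "legal/contract*.doc"), ("ext", ("finance", ".xls"))]
        baseline = snapshot(root, rules)
        # Changes between crawls: an edited source file, a new draft, and a loosened mode.
        _write(root / "src" / "billing.py", b"print('v2')")
        _write(root / "legal" / "contract_v2.doc", b"draft 2")
        os.chmod(root / "finance" / "budget.xls", 0o666)
        report = diff(baseline, snapshot(root, rules))
        report["loose_permissions"] = loose_permissions(root, rules)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline snapshot is the “signature repository”; in practice it would be persisted and the crawl scheduled, with the `changed` entries feeding the classification update and the `loose_permissions` entries feeding the access review.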


In Closing:

In order to minimize the risk of data theft, organizations should consider the following approaches:

* Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations.
* System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; and (ii) monitor information system security alerts and advisories and take appropriate actions in response.
* Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
* Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.


I would like to hear your views on the following:

1. IT risk assessment strategies; what is your process and approach?
2. Have you made the transition from information security to information risk management?
3. How are you measuring information risks?
4. How does your information security governance strategy fit into your organization’s corporate governance process?


Thank you