Tag Archives: Sarbanes-Oxley

The Tao of GRC

I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War).

The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2, and growing numbers of data security breaches and Internet acceptable-usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending.

It’s a space that’s hard to ignore.

Are large, internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we’ve never thought about and discover new links and interdependencies?

This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach “GRC 2.0” and base it on 3 principles.

1. Adopt a standard language of GRC
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance

GRC 1.0

GRC (Governance, Risk and Compliance) was first coined by Michael Rasmussen. GRC products like Oracle GRC Suite and Sword Achiever cost in the high six figures and enable large enterprises to automate the workflow and documentation management associated with costly and complex GRC activities.

GRC – an opportunity to improve business process

GRC regulation comes in 3 flavors: government legislation, industry regulation and vendor-neutral security standards. Government legislation such as SOX, GLBA, HIPAA and EU privacy laws was enacted to protect the consumer by requiring better governance and a top-down risk analysis process. PCI DSS 2.0, a prominent example of industry regulation, was written to protect the card associations by requiring merchants and processors to use a set of security controls for the credit card number, with no risk analysis. The vendor-neutral standard ISO27001 helps protect information assets using a comprehensive set of people, process and technical controls with an audit focus.

The COSO view is that GRC is an opportunity to improve the operation:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…the same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”

GRC 2.0

The COSO position makes sense, but in practice it’s difficult to attain process improvement through enterprise GRC management.

Unlike ERP, GRC lacks generally accepted principles and metrics. Where finance managers routinely use VaR (value at risk) calculations, information security managers are uncomfortable with assessing risk in financial measures. The finance department has quarterly close but information security staffers fight a battle that ebbs and flows and never ends. This creates silos – IT governance for the IT staff and consultants and a fraud committee for the finance staff and auditors.

GRC 1.0 assumes a fixed structure of systems and controls. The problem is that, in reducing the organization to passive executors of defense rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow. Learning about changes must be at the heart of day-to-day GRC management.

A fixed control model of GRC is flawed because it disregards a key feature of security and fraud attacks – namely that both attackers and defenders have imperfect knowledge in making their decisions. Recognizing that our knowledge is imperfect is the key to solving this problem. The goal of the CSO/CISO should be to develop a more insightful approach to GRC management.

The first step is to get everyone speaking the same language.

Adopt a standard language of GRC – the threat analysis base class

We formalize this language using a threat analysis base class which (like any other class), has attributes and methods. Attributes have two sub-types – threat entities and people entities.

Threat entities

Assets have value, fixed or variable, in dollars, euros, rupees etc. Examples of assets are employees and intellectual property contained in an office.

Vulnerabilities are weaknesses or a lacking in the business. For example – a wood office building with a weak foundation built in an earthquake zone.

Threats exploit vulnerabilities to cause damage to assets. For example – an earthquake is a threat to the employees and intellectual property stored on servers in the building.

Countermeasures have a cost, fixed or variable, and mitigate the vulnerability. For example – relocating the building and using a private cloud service to store the IP.

People entities

Business decision makers encounter vulnerabilities and threats that damage company assets in their business unit. In a process of continuous interaction and discovery, risk is part of the cost of doing business.

Attackers create threats and exploit vulnerabilities to damage the business unit. Some do it for the notoriety, some for the money and some do it for the sales channel.

Consultants assess risk and recommend countermeasures. It’s all about the billable hours.

Vendors provide security countermeasures. The effectiveness of vendor technologies is poorly understood and often masked with marketing rhetoric and pseudo-science.

Methods

The threat analysis base class prescribes 4 methods:

  • SetThreatProbability – estimated annual rate of occurrence of the threat
  • SetThreatDamageToAsset – estimated damage to asset value, as a percentage
  • SetCountermeasureEffectiveness – estimated effectiveness of the countermeasure, as a percentage
  • GetValueAtRisk

Speak the language fluently

A language with 8 words is not hard to learn; it’s easily accepted by the CFO, CIO and CISO since these are familiar business terms.

The application of our 8 word language is also straightforward.

Instances of the threat analysis base class are “threat models”, and they can be used across the entire gamut of GRC activities: Sarbanes-Oxley, which requires a top-down risk analysis of controls; ISO27001, where controls are countermeasures that map nicely to vulnerabilities and threats (you bring the assets); and PCI DSS 1.2, where the PAN is an asset, the threats are criminals who collude with employees to steal cards, and the countermeasures are specified by the standard.

You can document the threat models in your GRC system (if you have one and it supports the 8 attributes). If you don’t have a GRC system, there is an excellent free piece of software to do threat modeling – available at http://www.ptatechnologies.com
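The base class above (four methods, eight attributes) and its application to the PCI DSS scenario in the previous section can be rendered in a few dozen lines. The following is an added example, not code from the article, from PTA Technologies or from any GRC product; the value-at-risk arithmetic (asset value × annual rate of occurrence × damage fraction, scaled down by the countermeasures’ combined effectiveness) is my assumption, since the article names the methods but not the formula, and all asset values, probabilities and costs are constructed sample figures.

```python
"""Added example: a minimal rendering of the threat analysis base class.

Not the article's, PTA's or any vendor's code. The value-at-risk formula and the
way several countermeasures combine (independently, each removing its share of
what is left) are assumptions; every figure in build_sample_model() is constructed.
"""
from dataclasses import dataclass, field
from math import prod


def _fraction(x, what):
    """Percentages on the page are handled here as fractions 0..1; reject anything else."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{what} must be between 0 and 1, got {x}")
    return x


@dataclass
class Asset:
    name: str
    value: float                     # monetary value in one currency, fixed or variable


@dataclass
class Countermeasure:
    name: str
    annual_cost: float               # countermeasures have a cost, fixed or variable
    effectiveness: float = 0.0       # fraction of the threat's damage it removes


@dataclass
class Threat:
    name: str
    vulnerability: str               # the weakness the threat exploits
    asset: Asset                     # the asset that gets damaged
    annual_probability: float = 0.0  # estimated annual rate of occurrence
    damage_to_asset: float = 0.0     # fraction of asset value lost per occurrence
    countermeasures: list = field(default_factory=list)

    def residual_factor(self):
        # Assumption: independent countermeasures, each removing its share of what remains.
        return prod(1.0 - c.effectiveness for c in self.countermeasures)


class ThreatModel:
    """An instance of the threat analysis base class, exposing the four methods the article names."""

    def __init__(self, name):
        self.name = name
        self.threats = {}

    def add_threat(self, threat):
        self.threats[threat.name] = threat
        return threat

    def set_threat_probability(self, threat_name, annual_rate):
        if annual_rate < 0:
            raise ValueError("annual rate of occurrence cannot be negative")
        self.threats[threat_name].annual_probability = annual_rate

    def set_threat_damage_to_asset(self, threat_name, fraction):
        self.threats[threat_name].damage_to_asset = _fraction(fraction, "damage")

    def set_countermeasure_effectiveness(self, threat_name, cm_name, fraction):
        for c in self.threats[threat_name].countermeasures:
            if c.name == cm_name:
                c.effectiveness = _fraction(fraction, "effectiveness")
                return
        raise KeyError(cm_name)

    def get_value_at_risk(self, threat_name=None, mitigated=True):
        """Annual expected loss (assumed formula): asset value x annual probability x damage
        fraction, scaled by the residual factor when countermeasures are applied."""
        threats = [self.threats[threat_name]] if threat_name else self.threats.values()
        total = 0.0
        for t in threats:
            var = t.asset.value * t.annual_probability * t.damage_to_asset
            total += var * (t.residual_factor() if mitigated else 1.0)
        return total

    def prioritize(self):
        """Threats ranked by the net benefit of their countermeasures
        (risk reduction minus annual countermeasure cost), highest first."""
        rows = []
        for t in self.threats.values():
            before = self.get_value_at_risk(t.name, mitigated=False)
            after = self.get_value_at_risk(t.name, mitigated=True)
            cost = sum(c.annual_cost for c in t.countermeasures)
            rows.append((t.name, before, after, (before - after) - cost))
        return sorted(rows, key=lambda r: r[3], reverse=True)


def build_sample_model():
    """Constructed sample: the PCI scenario from the article plus a lost-notebook threat."""
    m = ThreatModel("sample merchant")
    pan = Asset("cardholder PAN database", 2_000_000)
    collusion = "insider collusion to steal card numbers"
    m.add_threat(Threat(collusion, "unmonitored DB admin access", pan, countermeasures=[
        Countermeasure("database activity monitoring", 80_000),
        Countermeasure("PAN encryption at rest", 40_000)]))
    m.set_threat_probability(collusion, 0.5)                 # once every two years
    m.set_threat_damage_to_asset(collusion, 0.6)
    m.set_countermeasure_effectiveness(collusion, "database activity monitoring", 0.7)
    m.set_countermeasure_effectiveness(collusion, "PAN encryption at rest", 0.5)

    notebooks = "lost or stolen notebooks"
    m.add_threat(Threat(notebooks, "unencrypted disks leave the office",
                        Asset("engineering notebooks", 300_000),
                        countermeasures=[Countermeasure("full disk encryption", 15_000)]))
    m.set_threat_probability(notebooks, 8)                   # two a quarter
    m.set_threat_damage_to_asset(notebooks, 0.05)
    m.set_countermeasure_effectiveness(notebooks, "full disk encryption", 0.9)
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print(f"value at risk without countermeasures: {model.get_value_at_risk(mitigated=False):,.0f}")
    print(f"value at risk with countermeasures:    {model.get_value_at_risk():,.0f}")
    for name, before, after, net in model.prioritize():
        print(f"{name}: {before:,.0f} -> {after:,.0f}, net benefit {net:,.0f}")
```

Running it on the sample figures gives a total value at risk of 720,000 before countermeasures and 102,000 after; the prioritized list puts the PCI insider-collusion threat first because its countermeasures buy the largest net reduction. The setters reject damage and effectiveness outside 0..1 and negative occurrence rates, which is where a spreadsheet version of the same model usually goes quietly wrong.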

Go green – recycle your threat models

Leading up to the Al Qaida attack on the US on 9/11, the FBI investigated and the CIA analyzed, but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

This sort of GRC disconnect in organizations is easily resolved between silos, by the common, politically neutral language of the threat analysis base class.

Summary

Effective GRC management requires neither better mathematical models nor complex enterprise software.  It does require us to explore new threat models and go outside the organization to look for risks we’ve never thought about and discover new links and interdependencies that may threaten our business.  If you follow the Tao of GRC 2.0 – it will be more than a fulfillment exercise.

Tell your friends and colleagues about us. Thanks!
Share this

SOX IT Compliance

A customer case study – SOX IT Compliance

We performed a Sarbanes-Oxley IT top-down security assessment for a NASDAQ-traded advanced technology company. The objectives for the study were to evaluate the internal and external threats that impact the company’s information assets. Using the Business Threat Modeling (BTM) methodology, a Practical Threat Analysis (PTA) threat model was constructed and a number of threat scenarios were analyzed. Data was collected using structured interviews and network surveillance (with a Fidelis XPS appliance). Assets were valuated by the CFO, and the IT security operations and technologies were valuated by the CIO. The output of the study was a cost-effective, prioritized program of security controls. This program was presented to and approved by the management board of the company, leading to an immediate cost saving of over $120,000/year in the information security budget.

The detailed threat model was provided to the client and is currently used to perform what-if analysis and track the data security implementation. 

Download the data security case study and download the data security report to the management.

Conclusions

  1. The bulk of the security budget is currently spent on sustaining network perimeter security and system availability. Not surprisingly, these countermeasures are not particularly effective in mitigating insider threats such as lost or stolen hardware and information leakage, which now dominate the company’s risk profile.

  2. In corporate IT Security operations: The two major data security systems that were purchased in 2007, Imperva and Fidelis XPS Extrusion Prevention System have not yet been fully implemented and do not provide the expected benefit. To be specific, Imperva needs to be able to produce real-time alerts on violations based on logical combinations of OS user, DB application and DB user. Fidelis needs to be deployed in the subsidiaries. Monitoring from both systems needs to become a daily operational tool for the security officer.

  3. In the Asia Pacific region: Loss of notebooks to the tune of 2-3 / quarter is a major vulnerability although content abuse of the corporate network is assessed as negligible due to cultural factors.

  4. In general: Publicly facing FTP servers must be monitored carefully for violations of the company acceptable usage policy. In the course of the risk assessment, we discovered strategic plans and proprietary source code stored on publicly accessible FTP servers.


10 guidelines for a security audit

What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, external audit is a condition of PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is key to achieving ISO 27001 certification (unlike PCI and HIPAA, ISO regards certification, not compliance, as the goal).

There is a gap between what the public expects from an auditor and how auditors understand their role.

Auditors look at transactions and controls. They’re not the business owner and the more billable hours, the better.

The “reasonable person” assumes that the role of the security auditor is to uncover vulnerabilities, point out ways to improve security and produce a report that will enable the client to comply with relevant compliance regulation. The “reasonable person” might add an additional requirement of a “get out of jail free card”, namely that the auditor should produce a report that will stand up to legal scrutiny in times of a data security breach.

Auditors don’t give out “get out of jail” cards and audit is not generally part of the business risk management.

The “reasonable person” is a legal fiction of the common law representing an objective standard against which any individual’s conduct can be measured. As noted in the wikipedia article on the reasonable person:

This standard performs a crucial role in determining negligence in both criminal law—that is, criminal negligence—and tort law. The standard also has a presence in contract law, though its use there is substantially different.

Enron and the resulting Sarbanes-Oxley legislation brought significant changes in accounting firms’ behavior, but judging from the 2009 financial crisis, from Morgan Stanley to AIG, the regulation has done little to improve our confidence in our auditors. The numbers of data security breaches are an indication that the situation is similar in corporate information security. We can all have “get out of jail” cards, but data security audits do not seem to be mitigating new risk from tablet devices and mobile apps. Neither am I aware of a PCI DSS certified auditor being detained or sued for negligence in data breaches at PCI DSS compliant organizations such as Health Net, where 9 data servers that contained sensitive health information went missing from Health Net’s data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.

The security auditor expectation gap has sometimes been depicted by auditor organizations as an issue to be addressed by educating users about the audit process. This is a response not unlike the notion that security awareness programs are effective data security countermeasures for employees who willfully steal data or bring their personal device to work.

Convenience and greed tend to trump awareness and education in corporate workplaces.

Here are 10 guidelines that I would suggest for client and auditor alike when planning and executing a data security audit engagement:

1. Use an engagement letter every time. Although the SAS 83 regulation makes it clear that an engagement letter must be used, the practical reason is that an engagement letter sets the mutual expectations, reduces risk of litigation and by putting mutual requirements on the table – improves client-auditor relationship.

2. Plan. Plan carefully who needs to be involved and what data needs to be collected, and require input from C-level executives down to group leaders and the people who provide customer service and manufacture the product.

3. Make sure the auditor understands the client and the business.  Aside from wasted time, most of the famous frauds happened where the auditors didn’t really understand the business.   Understanding the business will lead to better quality audit engagements and enable the auditor and audit manager to be peers in the boardroom not peons in the hallway.

4. Speak to your predecessor.   Make sure the auditor talks to the people who came before him.  Speak with the people in your organization who did the last data security audit.   Even if they’ve left the company – it is important to understand what they did and what they thought could have been improved.

5. Don’t tread water. It’s not uncommon to spend a lot of time collecting data, auditing procedures and logs, and then run out of time and billable hours, missing the big picture, which is: how badly could the client organization be damaged if it had a major data security breach? Looking at the big picture often leads to audit directions that can prevent disasters and subsequent litigation.

6. Don’t repeat what you did last year. Renewing a 2,000 hour audit engagement that regurgitates last year’s security checklist will not reduce your threat surface. The objective is not to work hard; the objective is to reduce your value at risk, comply and … get your “get out of jail” card.

7. Train the client to fish for himself. This is win-win for the auditor and client. Beyond reducing the amount of work onsite, training client staff to be more self-sufficient in the data collection and risk analysis process enables the auditor to better assess client security and risk staff (one of the requirements of a security audit) and improves the quality of data collected, since client employees are closer to actual vulnerabilities and non-compliance areas than any auditor.

As I learned with security audits at telecom service providers and credit card issuers, the customer service teams know where the bodies are buried, not a wet-behind-the-ears auditor from KPMG.

8. Follow up on incomplete or unsatisfactory information. After a data security breach, there will be litigation. During litigation, you can always find expert testimony that agrees with your interpretation of information, but the problem is not interpreting the data but acting on unusual or missing data. If your ears start twitching, don’t ignore your instincts. Start unraveling the evidence.

9. Document the work you do.  Plan the audit and document the process.  If there is a peer review, you will have the documentation showing the procedures that were done.  Documentation will help you improve the next audit.

10. Spend some time evaluating your client/auditor. At the end of the engagement, take a few minutes and interview your auditor/client and ask performance-review kinds of questions like: What do you think your strengths are, what are your weaknesses? What was successful in this audit? What do you consider a failure? How would you grade yourself on a scale of 10?

Perhaps the biggest mistake we all make is not carefully evaluating the potential we have to meet our goals as audit, risk and security professionals.

A post-audit performance review will help us do it better next time.


Compliance, security and Wikileaks

This is an essay I wrote in 2004. There is nothing here that doesn’t still ring true, especially with the latest round of Wikileaks disclosures. I wrote then and I still hold that compliance and data security technology cannot protect an organization from a data breach. The best security countermeasures for protecting a company’s digital assets and individuals’ private information are uncompromising ethics and honest management.

On security and compliance

It’s impossible to ignore the fact that compliance (like it or not) is a driver for companies to invest in improving their software and data security beyond running a firewall and anti-virus. While compliance drives companies into taking action, do compliance activities actually result in implementing and sustaining strong data security management and technology countermeasures? We will see that the answer is generally no.

There is a plethora of compliance regulations. There is regulation for privacy (HIPAA/HHS), for children (Children’s Online Privacy Protection Act, COPPA), for credit card holders (FCRA), for merchants (PCI DSS), for public entities (Sarbanes-Oxley), for insurance (state laws), for securities trading (SEC), for telecom (New York State Public Service Commission rulings) and many, many more.

Looking at the wide variety of regulations and standards we can see that compliance really comes in only 3 flavors:

  1. Governance regulation such as HIPAA and SOX. Government compliance regulation is focused on customer protection and requires a top-down risk analysis process.
  2. Industry compliance regulation such as PCI DSS, which focuses on protecting the card association supply chain, doesn’t require risk analysis and mandates a fixed control set (if you think that best-practice security control sets are a good idea, then stop and consider the abysmal failure of the Maginot line in WWII and the Bar Lev line in the Yom Kippur war in 1973).
  3. Vendor-neutral standards such as ISO 27001, which focus on data and system protection, don’t require risk analysis or consider asset values, although they do provide what is arguably the most comprehensive set of controls.

Well-meaning as the regulators may be, there are two fundamental flaws in the security-by-compliance model:

  1. You can comply without being secure and use compliance as a fig-leaf for lack of data security
  2. You can invest in software and data security without being compliant

…We don’t invest in data loss prevention technology because it’s a criminal offense when one of our employee breaches critical filings. We feel the legal deterrent is sufficient.
IT Manager – Securities and Exchange Commission in a Middle East country

Privacy regulation trends in the US and Europe

Government-regulated privacy-protection of information is a natural response rooted in the field of telecommunications, since countries either own the telecom business outright or tightly regulate their industry. This has largely led to a view of electronic privacy as an issue of citizen rights versus state legislation and monopoly.

In the information age, privacy has two dimensions – intrusion and data breach:

  • Protection against intrusion by unwanted information or criminals; similar to the constitutional protection to be secure in one’s home.
  • Protection against data breach by controlling information flows about an individual’s or a business’s activities; for example preventing identity theft or protecting a company’s trade secrets.

Regulation has moved in two major directions: centralized general protection and decentralized ad-hoc protection. The EEC (European Economic Community) has pursued the former, and passed comprehensive data protection laws with coordination on information collection and data flows. The United States, in contrast, has dealt with issues on a case-by-case basis (health care, credit cards, corporate governance etc.), resulting in a variety of ad hoc federal and state legislation.

A synthesis of the European and the American approaches is to formulate a set of broad rules for vertical industry. This was the direction taken by the New York Public Service Commission on the issue of telecommunications privacy. However, U.S. privacy legislation remains considerably less strict than European law in the regulation of private databases. Two Representatives in the House Select Committee on Homeland Security are calling for a Privacy Czar. The Privacy Czar would be responsible for privacy policies throughout the federal government as well as ensuring private technology does not erode public privacy.

“Right now, there’s no one at home at the White House when it comes to privacy. There’s no political official in the White House who has privacy in their title or as part of their job description. Congress should take the lead here because this administration has not,” says Peter Swire, an Ohio State University law professor and former chief privacy officer in the Clinton administration in an interview with Wired back in 2006 – and in the Obama administration has anything changed?
(http://www.wired.com/news/privacy/0,1848,63542,00.html )

Horizontal applications

Sarbanes Oxley: enforcing corporate governance

The Sarbanes-Oxley Act (SOX) has had a major impact on US corporate governance. SOX was a response to the accounting scandals and senior management excesses at some public companies in recent years. It requires compliance with a comprehensive reform of accounting procedures for public corporations to promote and improve the quality and transparency of financial reporting by both internal and external independent auditors. SOX regulation is enforced by the Public Company Accounting Oversight Board (“the Board”).

SOX Section 404 – “Management Assessment of Internal Controls” is indirectly relevant to data breach. It requires an “internal control” report in the annual report which states management responsibility and assesses the effectiveness of internal controls. Companies are also required to disclose whether they have adopted a code of ethics for senior financial officers and the contents of that code.

SOX Section 409 – “Real Time Disclosure” implies that a significant data breach event be disclosed on “a rapid and current basis”. SOX also increases the penalties for mail and wire fraud from 5 to 10 years and creates a crime for tampering with a record or otherwise impeding any official proceeding.

HHS/HIPAA: enforcing patient privacy

Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gave Congress 3 years to pass health privacy legislation. In May 2003 the HHS (Dept. of Health and Human Services) implemented federal protections for the privacy of individual health information under the Privacy Rule, pursuant to HIPAA. Because of limitations of HIPAA, the rule is far from seamless and will require a lot more work in the US Congress by both parties to ensure privacy of personal health information.

My conclusion on all of this is:

  • SOX has been a strong driver for sales of IT products and services, but it’s totally unclear that the billions spent by corporate America on compliance have actually done much to improve customer protection.

Vertical Industries

Securities: Did we leave the cat guarding the cream?

Annette L. Nazareth, market regulation director at the U.S. Securities and Exchange Commission, outlined proposals at a securities industry conference in New York on May 21 calling for stock exchanges, as the Associated Press put it, “to abide by most of the requirements they set for companies they list.”
(http://www.sec.gov./news/speech/spch052104aln.htm )

Wow.

Insurance Industry: Federal versus free market

In October 2003, witnesses before the Senate Commerce Committee testified regarding insurance industry regulations. The committee analyzed the current US system, which relies on state law, and examined proposals for improving industry regulation. One of the central issues was whether or not the federal government should play a larger role in insurance industry regulation. Also discussed was the need to provide protection for consumers without forcing unnecessary regulations on insurance companies. Some senators expressed concerns about high insurance rates.

Conclusion

If you’re a vendor of IT products and services, it has become increasingly difficult to sell security with rising complexity of attacks and countermeasures and decision makers who find it difficult to understand what works and what doesn’t.

What will happen to the B2C security industry is hard to say. Perhaps the Intel McAfee acquisition is a sign of things to come where security becomes a  B2B  industry  like safety manufacturers for the aerospace and automotive industries.

Until security becomes built into the cloud, my best suggestion for a business is: don’t leave your ethics at home and don’t wait for the government to tell you what you learned from your parents at age 5 – put your toys away and don’t steal from the other kids.


Sharing security information

I think fragmentation of knowledge is a root cause of data breaches.

It’s almost a cliché to say that the security and compliance industry has done a poor job in preventing data breaches of over 245 million personal records in the past 5 years.

It is apparent that government regulation is  ineffective in preventing identity theft and major data loss events.

Given: direct data security countermeasures go a long way;  data loss prevention and network surveillance work well inside a  feedback loop to improve security of systems, increase employee awareness and support management accountability.

However: I believe that even if every business deployed Fidelis XPS Extrusion Prevention System, Verdasys Digital Guardian or Websense Data Security Suite, we would still have major data loss events.

This is because a major data loss event has three characteristics:

1. Appears as a complete surprise to the organization
2. Has a major impact, to the point of maiming or destroying the company
3. Is ‘explained’ by human hindsight after it has appeared

The root cause of the surprise is, in most cases, a lack of knowledge – not knowing what is the current range of data security threat scenarios in the wild or not even knowing what are the top 10 in your type of business.

The root cause of the lack of knowledge is fragmentation of knowledge.

Every business from SME to Global 2000 deals with security issues and amasses its own best practices and knowledge base of how to protect its information. But the knowledge is fragmented, since business organizations don’t share their loss data, and the dozens or maybe hundreds of vendor web sites that do disclose and categorize attacks don’t provide the business context of a loss event.

Fragmentation leads to waste and duplication, as well as frustrating, expensive and sometimes dangerous experiences for companies facing a data loss event.

So what’s the solution?

With our clients, we see growing evidence that the more organized a company is with their security operation – having a single security organization responsible for digital assets, physical security, permissions management and compliance – the better security they deliver. What’s more, they may be able to reduce value at risk at lower costs due to higher levels of competence, knowledge and economy of scale.

The concept of sharing best practices  and  aggregating support so that companies of all sizes can access knowledge and support resources is not new, it’s a common theme in  industrial safety and Free Open Source worlds – to name two. I imagine that there are a few more examples I am not familiar with.

But what’s in it for security professionals? In addition to the satisfaction and prestige of helping colleagues, how about learning from the biggest and best practitioners in the world, having access to resources to improve your own systems and procedures, and having the ability to analyze the history of a data loss event from disclosure to analysis to remediation? How about having peers with a common goal of providing the best security for customers?

It’s time for policymakers and large commercial organizations to support organized security knowledge sharing systems, starting with compensation to employees and independent consultants that rewards high-quality, coordinated, customer-centric security  across the full continuum of security, not just point technology solutions or professional regulatory services. And it’s time for firms to recognize that sharing some data may be worth the benefits to them and their customers.

That’s my opinion. I’m Danny Lieberman.


Compliance that makes us complacent

I’m surprised with the blood bath in the financial markets and demise of WaMu, Lehman Brothers et al – that there has not been a cry to investigate the auditors of these companies.

Did any of the SOX-compliant firms like AIG and Lehman Brothers really comply?

I don’t think so.

What should have happened if Lehman Brothers was really SOX-compliant?

Section 409 of SOX requires real-time disclosure of problems in “financial condition or operations… in terms that are easy to understand supported by trend and qualitative information of graphic presentations as appropriate”

A year ago there were numerous publicly-available indicators of problems. The current crisis may have started following the 9/11 attack on the US, when the Fed reduced interest rates and the home-equity bubble started building up. In other words, the current firestorm was not born overnight.

What actually happened?

SOX empowers an audit committee of the board of directors to monitor and control all company financial reporting. SOX requires that the CEO personally sign off on the financial statements.   In order to be on safe ground – CEOs demanded a compliance-certificate from the external auditors and that’s how Sarbanes-Oxley became a multi-billion dollar/year franchise for the audit industry.  I suppose, it’s a corporate form of a “get out of jail free” card.

Compliance created a budget line-item mentality – if there was a Sarbanes-Oxley line item – it got filled by the accounting firm. This created an effect of starving out bona-fide business threat analysis projects that are tasked with hunting down and mitigating the root cause fraud, data loss and … risky business practice.

Sarbanes-Oxley was supposed to help prevent the financial and accounting fraud that happened at Enron, Worldcom and other companies by ensuring that internal controls were sufficiently strong.

Instead, compliance made executive management at companies like Lehman Brothers complacent and less competitive, and distracted them from their primary mission: making money for the shareholders and protecting their customers from threats.
