IT Security under COSO's ERM Framework and Key Risk Indicators
Adrianne Lopes & Xuyang Xie

Introduction
A corporation is built on the fundamental idea that its objective is to provide value to its stakeholders. Though this is a simple principle, an entity faces uncertainty and many risks in pursuing it. Enterprise Risk Management (ERM) provides a means for management to deal with this uncertainty. Investors face risk, but the world today is also dangerous for corporations. Technology has provided tremendous opportunities, but it has also exposed many organizations to unexpected risks. To manage such risks, firms must understand their threat environment. The security objectives of confidentiality, integrity, and availability thus become an essential part of ERM. IT security is not just a product but a process, and it must be taken on proactively.

COSO's ERM Framework
The Sarbanes-Oxley Act requires that a corporation use a well-developed, comprehensive control framework. Though the act does not require a specific framework, it names only one as acceptable: the COSO framework.
Main objectives of the COSO framework:
- Operations: the firm wishes to operate effectively and efficiently. To do this, it must control its general internal operations.
- Financial Reporting: the firm must create accurate financial reports.
- Compliance: the firm wishes to comply with external regulations.

COSO's ERM Framework (continued)
Five components to evaluate internal controls:
- Control Environment: the foundation and tone of the organization. It involves the integrity, ethical values, competence, philosophy, and operating style of employees and managers at all levels.
- Risk Assessment: identifying, analyzing, and managing the risks that may impede objectives. Risks can be operating, economic, industry-related, or regulatory in nature.
- Control Activities: how the identified risks are mitigated.
Policies should be in place such as segregation of duties, approvals, reviews, reconciliations, and authorizations.
- Information and Communication: information should be shared on both internal and external events. It must be timely in order to be relevant.
- Monitoring: risks and procedures should be continually monitored and changed as necessary.

COSO's ERM Framework (continued)
Section 404 of SOX mandates that public companies demonstrate due diligence in their disclosures of financial information. Organizations must also implement the appropriate internal controls and procedures to communicate, store, and protect that data.
Section 404 of SOX requires companies to:
- Overhaul or upgrade financial systems to meet regulatory requirements for more accurate, detailed, and timely filings.
- Examine the control processes within the IT department and apply best practices to comply with the act's goals associated with COSO and ERM objectives.
- Work with internal and external auditors to ensure that information system customizations are not overriding controls.
- Work with corporate officers to create a document retention and destruction policy.

Key Risk Indicators
A Key Risk Indicator (KRI) is "a measure used in management to indicate how risky an activity is". Risk indicators are an important tool within risk assessment, risk monitoring, and risk control. Organizations use key risk indicators to detect early signals of increasing risk exposure in different areas of the enterprise.

Key Risk Indicators (continued)
Purposes (functions) of using risk indicators:
- Risk monitoring: they can be used to track changes in exposure to operational risk and help to identify emerging risk trends, current exposure levels, and events that could occur again.
- To support operational risk assessments: they provide a way to track a company's risk exposures between full updates of its operational risk assessment process.
- To support risk appetite monitoring and governance: they link current 'real-time' exposure levels to risk appetite.
- To support performance and strategic management: indicators can be used as measures of how a company is going about achieving its overall objectives, and as a means of measuring the performance of those activities that are important to achieving its goals.
- To support regulation and capital assessments: risk indicator data can highlight potential areas of weakness.

Key Risk Indicators (continued)
Effective KRIs: the selection and design of effective KRIs is important.
Goal: to identify relevant metrics that provide useful insights about potential risks that may have an impact on the achievement of the organization's objectives.

Key Risk Indicators (continued)
Characteristics of KRIs:
- Relevance: an indicator must be relevant to what is being monitored; that is, risk indicators must monitor risk exposure levels.
- Measurable: indicators should be numbers or counts, monetary values, percentages, ratios, time durations, or a value from some pre-defined rating.
- Predictive: predictive indicators make predictions about what is going to happen, rather than simply inferring that something is changing. Single indicators by themselves are of little use, as they need context in order to become predictive.

Key Risk Indicators (continued)
Characteristics of KRIs:
- Easy to monitor: the data should be relatively easy to interpret, understand, and monitor.
- Auditable: the indicator should be easy to verify; an independent validation of the indicator selection process is necessary.
- Comparability: a company's indicator and its selection process should specifically assess the level of comparability, both within the company and more broadly across the industry the indicator reflects.

IT Security and IT Security Exploits
Threat environment: the types of attackers and attacks that a company faces.
Security goals (CIA):
- Confidentiality
- Integrity
- Availability

IT Security and IT Security Exploits (continued)
- Information security: all the steps taken to protect information and information systems from unauthorized access, use, disclosure, disruption, or destruction.
- Comprehensive security: organizations must close off all possible routes of attack. An attacker needs only one unprotected avenue of attack to succeed.
- Weakest link failure: if the failure of a single element of a system ruins security, this is called weakest link failure.

IT Security and IT Security Exploits (continued)
Vulnerability: a security weakness that allows an attacker to reduce a system's information assurance. An exploit takes advantage of vulnerabilities. The first step of a company's risk analysis is to figure out what the security vulnerabilities are.
Types of vulnerability:
- Hardware vulnerability
- Software vulnerability
- Network vulnerability
- Personal vulnerability
- Site vulnerability
- Organizational vulnerability

Examine the IT Security
Companies need to identify all of their resources to find out where the weakest links (vulnerabilities) will be, and develop KRIs and a security program for each one. Use COSO's ERM framework and the standards for KRIs to examine the company's comprehensive IT security.

Examine the IT Security - Hardware
Hardware vulnerabilities are relatively easy to detect and monitor, but the damage can be huge and irreversible.
Most hardware vulnerabilities:
- Susceptibility to humidity, dust, and soiling
- Susceptibility to unprotected storage
- Sabotage by an attacker
Controls on hardware security:
- Hardware siting and protection
- Supporting utilities
- Cabling security
- Security during offsite equipment maintenance
- Security of equipment off-premises
- Secure disposal or reuse of equipment
- Rules for the removal of property

Examine the IT Security - Software
Software is easier for hackers to exploit due to insufficient testing and lack of an audit trail.
Response to software risk:
- Do internal and external vulnerability tests. Output: a list of recommended fixes; follow-up should be done.
- Build a software audit trail from the beginning to keep tracking the quality of the software.
- Audit the current software.

Examine the IT Security - Network
Most companies' external and internal communications are based on the network, and most attackers' exploits arrive over the network.
Sources of network vulnerability:
- Unprotected communication lines
- Insecure network architecture
Response to network risk:
- Protect communication lines according to their required safety level
- Secure the network architecture at the beginning and do vulnerability tests
- Firewall

Examine the IT Security - Personal
Personal risk is more difficult to manage because it is abstract.
Key risk indicators include:
- Poorly recruited candidates
- Current employees who do not abide by or pay attention to the process in place
Response to personal risk:
- Audit employee access to IT systems and cut off access privileges for terminated or resigning employees
- More security and training for employees, including ethics and acceptable use policies
- Set standards and guidelines for employees
- Segregation of duties within the systems development staff
- Authentication to confirm users' identities, and authorization processes to grant permission to have or do something

Examine the IT Security - Site
Unexpected external threats such as flood, an unreliable power source, etc.
A company should recognize the risk of such an occurrence, take the necessary precautions, and establish an emergency plan of action.
Response to site risk:
- Proper planning is used to prevent site risks, e.g., house the main server on an upper level to prevent flood damage
- Generators and power backup to prevent data loss during a power outage

Examine the IT Security - Organizational
Organizational vulnerabilities arise from the lack of monitoring and auditing of the policies and procedures implemented.
Response to organizational risk:
- A company's objective should be more than meeting compliance standards. As noted earlier, even when security measures appear to be functioning, IT security threats run deeper than what is tested to receive a clean audit opinion.
- Built-in preventive IT controls, like edit checks, can automatically ensure that transactions are complete, accurate, authorized, and valid.
- Organizations should test to confirm and validate the existence and operating effectiveness of general and application controls.
- Internal auditors should use corrective controls such as IT control mapping and alarms or alerts to look at key controls that are weak or missing, and compensate for those controls as necessary.
- For effective ERM implementation, all controls must be continuously monitored, as IT and organizational changes occur rapidly.

Conclusion
IT security exploits pose a risk to firms, and key risk indicators are used to assess these risks. These are essential to the internal controls of a business entity and become a major factor in enterprise risk management. The organization's mission and risk appetite influence the objectives it chooses for operations, financial reporting, and compliance. Management must address and monitor all IT security components, even the ones that are not audited for compliance and fall outside the generally accepted framework, to ensure they are truly managing their risks.
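The access-revocation control under personal risk above (audit employee access and cut off privileges for terminated or resigning employees) turned into a KRI with the characteristics the deck lists: measurable (a count and a percentage), predictive (compared against a risk-appetite threshold), and auditable (it keeps the offending accounts as evidence). This is an added example, not part of the original slides; the HR roster, access list, as-of date and 5% threshold are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed HR roster: employee id -> (status, leaving date or None)
HR_ROSTER = {
    "E001": ("active", None),
    "E002": ("terminated", date(2024, 3, 1)),
    "E003": ("resigned", date(2024, 4, 15)),
    "E004": ("active", None),
}

# Constructed IT access list: (employee id, system, account enabled?)
ACCESS_LIST = [
    ("E001", "erp", True),
    ("E002", "erp", True),        # terminated, still enabled: stale
    ("E002", "vpn", False),       # terminated, correctly disabled
    ("E003", "fileshare", True),  # resigned, still enabled: stale
    ("E004", "erp", True),
    ("E999", "erp", True),        # no HR record at all: orphan
]

AS_OF = date(2024, 5, 1)          # constructed reporting date
LEAVER_STATUSES = ("terminated", "resigned")

@dataclass
class KriResult:
    stale: list = field(default_factory=list)    # (emp, system, days open): evidence
    orphans: list = field(default_factory=list)  # (emp, system): no owner on roster
    stale_pct: float = 0.0                       # measurable: % of enabled accounts
    breached: bool = False                       # predictive: over risk appetite?

def leaver_access_kri(roster, access, as_of, threshold_pct):
    """Count enabled accounts held by leavers, or by nobody on the HR roster."""
    result = KriResult()
    enabled = [(emp, system) for emp, system, on in access if on]
    for emp, system in enabled:
        if emp not in roster:
            result.orphans.append((emp, system))
            continue
        status, left_on = roster[emp]
        if status in LEAVER_STATUSES:
            # Days the account stayed enabled after the leaving date.
            result.stale.append((emp, system, (as_of - left_on).days))
    if enabled:
        result.stale_pct = 100.0 * len(result.stale) / len(enabled)
    # Any orphan account breaches on its own: nobody owns that risk.
    result.breached = result.stale_pct > threshold_pct or bool(result.orphans)
    return result

if __name__ == "__main__":
    print(leaver_access_kri(HR_ROSTER, ACCESS_LIST, AS_OF, 5.0))
```

Run against the constructed data it reports two stale accounts (40% of enabled accounts), one orphan, and a breached threshold; the same reconciliation fed from a real HR export and directory dump gives the auditor the evidence list directly.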