IT Security under COSO's ERM
Framework and Key Risk Indicators
Adrianne Lopes & Xuyang Xie
1
Instruction
 A corporation is built on the fundamental idea that its objective is
to provide value to its stakeholders. Though it is a simple
principle, an entity faces uncertainty and many risks in completing
this objective. Enterprise Risk Management (ERM) provides a
means for management to deal with this uncertainty
 Though investors face risk, the world today is also dangerous for
corporations. Though technology has provided tremendous
opportunities, it also has exposed many organizations to some
unlikely risks. To manage such risks, firms must understand their
threat environment. The security objectives of confidentiality,
integrity, and availability thus become an essential part of ERM. IT
security is not just a product, but a process and must be taken on
proactively.
2
COSO’s ERM Framework
It is required by the Sarbanes-Oxley Act that a corporation utilizes a
well developed comprehensive control framework. Though the act
does not require a specific framework, it does list only one single
one acceptable, and that is the COSO framework:
 Main Objectives of COSO framework
 Operations-- -The firm wishes to operate effectively and efficiently. It
is necessary for the firm to control its general internal operations to
do this
 Financial Reporting---The firm must create accurate financial reports
 Compliance---The firm wishes to be in compliance with external
regulations
3
COSO’s ERM Framework (continued)
 5 Components to evaluate internal controls
 Control environment--the foundation and tone of the organization. It




4
involves the integrity, ethical values, competence, philosophy, and
operating style of all levels of employees and managers.
Risk Assessment--involves identifying, analyzing, and managing the
risks that may impede objectives. Risks can be operating, economic,
industry regulated, or regulatory in nature.
Control Activities--how the identified risks are mitigated. Policies
should be in place such as segregation of duties, approvals, reviews,
reconciliations and authorizations.
Information and Communication--should be shared on both internal
and external events. It is very important that it is timely in order to
be relevant
Monitoring--Risks and procedures should be continually monitored
and changed as necessary.
COSO’s ERM Framework (continued)
Section 404 of SOX mandates that public companies demonstrate
due diligence on their disclosures of financial information.
Organizations must also implement the appropriate internal
controls and procedures to communicate, store, and protect that
data
 Section 404 of SOX requires:
 Overhaul or upgrade financial systems to meet regulatory
requirements for more accurate, detailed, and timely filings.
 Examine the control processes within the IT department and apply
best practices to comply with the act’s goals associated with COSO
and ERM objectives.
 Ensure that information system customizations are not overriding
controls by working with internal and external auditors.
 Work with corporate officers to create a document-retention-anddestruction policy.
5
Key Risk Indicators
 A Key Risk Indicator (KRI) is “a measure used in
management to indicate how risky an activity is”. Risk
indicator is an important tool within risk assessment, risk
monitoring and risk control. Organizations use key risk
indicators to detect early signals of increasing risk exposures
in different areas of the enterprise.
6
Key Risk Indicators (Continued)
 Purposes (functions) of using risk indicators
 Risk monitoring-They can be used to track changes in the exposure




7
to operational risk, help to identify: Emerging risk trends , Current
exposure levels, Events that could be occur again
To support operational risk assessments--they provide a way to track
a company’s risk exposures between full updates of its operational
risk assessment process.
To support risk appetite monitoring and governance--they link
current ‘real time’ exposure levels to risk appetite.
To support performance and strategic management--indicators can be
used as measures of how a company is going about achieving its
overall objectives and as means of measuring the performance of
those activities which are important to achieve its goals.
To support regulation and capital assessments--the risk indicator data
can highlight potential areas of weakness
Key Risk Indicators (continued)
 Effective KRIs:
 The selection and design of effective KRIs is important
 Goal: To identify relevant metrics that provide useful insights
about potential risks that may have an impact on the
achievement of the organization’s objectives
8
Key Risk Indicators (continued)
 Characteristics of KRIs:
 Relevance--must have relevance to what is being monitored
that means risk indicators must monitor risk exposure levels.
 Measurable--Indicators should be numbers or counts
,monetary values, percentages, ratios, time duration or a
value from some pre-defined rating
 Predictive--Predictive indicators mean they make predictions
what is going to happen, rather than simply infer that
something is changing, single indicators by themselves are of
little use, as they need context in order to become predictive.
9
Key Risk Indicators (continued)
 Characteristics of KRIs:
 Easy to monitor--The data should be relatively easy to
interpret, understand and monitor
 Auditable--Be easy to verify. an independent validation of the
indicator selection process is necessary.
 Comparability--A company’s indicator and its selection
process should specifically assess the level of comparability,
both within the company and more broadly across the
industry which the indicator reflects
10
IT Security and IT Security Exploits
 Threat environment: The type of attackers and attacks that a
company faces
 Security goals – CIA
 Confidentiality
 Integrity
 Availability
11
IT Security and IT Security Exploits
(Continued)
 Information security-- refers to all the steps taken to protect
information and information systems from unauthorized
access, use, disclosure, disruption or destruction
 Comprehensive security—Organizations must close off all
possible routes of attack. An attacker only needs one
unprotected avenue of attack to succeed.
 Weakest link failure--If the failure of a single element of a
system will ruin security, this is called weakest link failure.
12
IT Security and IT Security Exploits
(Continued)
 Vulnerability: A security weakness which allow an attacker to
reduce a system’s information assurance.
 An exploit takes advantage of vulnerabilities.
 The first step of a company’s risk analysis is to figure out what
the security vulnerabilities are.
 Types of Vulnerability
 Hardware vulnerability
 Software vulnerability
 Network vulnerability
 Personal vulnerability
 Site vulnerability
 Organizational vulnerability
13
Examine the IT Security
 Companies need to identify all of their resources to find out
where will be the weakest links (vulnerabilities) and develop
KRIs and security program for each one
 Using the COSO’s ERM framework and standards of KRIs to
examine company’s comprehensive IT security .
14
Examine the IT Security --Hardware
 Hardware vulnerabilities are relative easier to detect and monitor, but
damage can be huge and irreversible.
 Most hardware vulnerabilities:
 Susceptibility to humidity, dust and soiling
 Susceptibility to unprotected storage
 Sabotage by an attacker
 Controls on hardware security
 Hardware sighting and protection
 Supporting utilities
 Cabling security
 Security during offsite equipment maintenance
 Security of equipment off-premises
 Secure disposal or reuse of equipment
 Rules for the removal of property
15
Examine the IT Security - Software
 Software is easier to exploited by hackers due to insufficient
testing and lack of an audit trail.
 Response to the risk of software
 Do internal and external vulnerability test
 Output: a list of recommended fixes and follow-up should be done
 Build a software trail from the beginning to keep tracking the
qualities of software
 Audit the current software
16
Examine the IT Security - Network
 Most companies’ external and internal communications are
based on network. Most attackers’ exploits are by network.
 Sources of network vulnerability:
 Unprotected communication lines
 Insure network architecture
 Response to the risk of network:
 According to the safety level protect communication lines
 Secure network architecture at the beginning and do
vulnerability test
 Firewall
17
Examine the IT Security - Personal
 Personal risk is more difficult to manage because it’s abstract.
 Key risk indicators include
 Poorly recruited candidates
 Current employees who do not abide or pay attention to the process
in place
 Response to personal risk
 Audit employee access to IT systems and cuttoff access privileges for




18
terminated or resigning employee
More security and training for employees, including ethics and
acceptable use policies
Set standards and guidelines for employees
Segregation of duties within the systems development staff
Authentication for confirming users’ identities and authorization
processes permitting permission to have or do something
Examine the IT Security - Site
 Unexpected external threats such as flood and unreliable
power source, etc.
 A company should realize the risk of an occurrence and take
the necessary precautions and established an emergency plan
of action.
 Response to site risk
 Proper planning is used to prevent site risks
 E.g., house main server to an upper level to prevent flood
 Generators and power back-up to present data lost during
power outage
19
Examine the IT Security - Organizational
 Arise from the lack of monitoring and auditing policies and procedures
implemented
 Response to organizational risk
 A company’s objective should be more then to meet compliance standards,
as noted earlier just because security measures appear to be functioning, IT
security threats run deeper then what is tested to receive a clean audit
opinion
 Built-in preventive IT controls like edit checks can automatically ensure that
transactions are complete, accurate, authorized, and valid. Organizations
should test to confirm and validate the existence and operating effectiveness
of general and application controls
 . Internal auditors should use corrective controls such as IT control mapping
and alarms or alerts to look at key controls that are weak or missing and
compensate for the controls as necessary
 For effective ERM implementation all controls must be continuously
monitored as IT and organizational changes occur rapidly
20
Conclusion
 IT security exploits pose a risk to firms and key risk
indicators are used to assess these risks. These are essential to
the internal controls of a business entity and become a major
factor in enterprise risk management. The organization’s
mission and risk appetite influences the objectives they
choose for operating, financial reporting, and compliance
objectives
 Management must address and monitor all IT security
components, even the ones that aren’t audited for
compliance and outside the general accepted framework to
ensure they are truly managing their risks
21