IT GOVERNANCE GSI 615

Transcription

1 IT GOVERNANCE GSI 615 Carmen R. Cintrón Ferrer 2014

2 IT Governance 2 Scope Governance Risk Management Compliance IT Resources Management IT Governance IT Leadership and Innovation Governance and Ethics

3 3 Compliance

4 What is compliance? 4 Compliance is a desired outcome with regard to: Laws and regulations Internal policies and procedures Commitments to stakeholders Mission Reliability and Assurance of information Achieved through managed investment of time and resources by inserting into day to day processes: Controls Legal and Tactical activities Metrics

5 Compliance 5 Compliance definition: (Video) Conformance to established or generally accepted regulations, standards and/or legislation Compliance components: Awareness of boundaries Structure support for accountability Culture and consistency Automated processes and controls to avoid gaps and prevent failure Metrics that enable compliance Technology integration to alert/prevent possible incompliance

6 Compliance with Laws and Regulations 6 Which Laws & Regulations Those which the entity is subjected to follow Challenges Lacking in harmony Complex & decentralized Dependent on manual controls Implement via: Policies and Procedures Insert technology to support compliance Rely upon ethical behavior and transparency

7 Comply with what? 7 National & International Laws and Regulations Standards and Best Practices Governmental regulatory agencies rules Codes of Ethics Organizational Policies, Procedures, Guidelines Business Code of Ethics Professional Code of Conduct

8 Regulatory compliance areas (sample list) 8 Financial transactions and records: Gramm-Leach-Bliley Privacy Act (GLBA) Payment Card Industry Standards (PCI) Basel I & II Sarbanes Oxley Act (SOX) Health Transactions and records: Health Records Insurance Portability & Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Act Intellectual property: Digital Millenium Copyright Act (DMCA) Personal Data Privacy: Family Education Rights and Privacy Act (FERPA - Buckley Amm.) Electronic Communications Privacy Act (ECPA) The Lisbon Treaty Data Protection framework as a fundamental human right National Security, Information Security and Telecommunications: Federal Information Securty Management (FISMA) Computer Fraud and Abuse Act USA Patriot Act

9 What, Who, When? 9 What? Determine the level of compliance required Identify responsible parties (Roles & Responsibilities) Adopt (modify) Policies and Procedures Communicate, Train and Monitor Who? Organization as a whole Board, Officers, Senior and Line Management and staff Compliance Officer, Internal Auditor and Legal Counsel When? Continuous compliance process By request of Regulatory Agency, contractual agreement and/or lawsuit

10 Responsibility 10 Dimension of Responsibility Strict (Directly responsible) Indirect and vicarious Fiduciary responsible Negligent acts or absence of Standard of Due Care: States the measures that should be in place to mitigate or reduce the responsibility Requires to Act as expected (within the legal/regulatory framework) SOX Standards ISO 17799

11 Compliance Exercise 1 11 Choose a regulation from the Personal Data Protection List Determine dimension of responsibility for: Board Officers & Managers IT Management and Staff Staff What would the Standard of Due Care be if there is a: Breach of security and clients data is exposed? Scenario of industrial espionage? Major fraud involving securities transactions (SEC)? Unethical behavior by an Officer/Manager/Staff Employee?

12 Compliance Laws and Regulations Personal Data and Privacy Protection (limited listing) Electronic Communications Privacy Act PL (1986) Children's Online Privacy Protection Act PL (1998) Health Insurance Portability & Accountability Act Health Information Technology for Economic and Clinical Health (HITECH) Act Family Education Rights and Privacy Act (Buckley Amm.) (1974) PL (1996) PL 111-5(2009) Sarbanes Oxley Act PL (2002) Gramm-Leach Bliley Financial Privacy Act (GLB) PL (1999) Digital Millenium Copyright Act (DMCA) PL (1998) Control Assault of Non-Solicited Pornography & Marketing Act PL (2003) Electronic Signatures in Global & National Commerce Act PL (2000) Communications Assistance for Law Enforcement Act PL (1994) Real ID Act PL (2005) The Lisbon Treaty significantly affects the data protection framework. It establishes that Personal dat protection is a fundamental human right Federal Information Securty Management (FISMA) Computer Fraud and Abuse Act Cyber Security Enhancement Act Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act Cyber stalking, Cyber Harrasment & Cyber Bullying laws PL (2002) PL (2002) PL (2001) Federal Information Security Management Act PL (2002) Electronic Freedom of Information Act PL (1996) Carmen R. Cintron Ferrer, 2014, Reserved Rights

13 Compliance Exercise 1(a) 13 Dimension of Responsibility Board of Directors Officers Managers IT Mangement & Staff Other Staff Strict/Direct Indirect/ Vicarious Fiduciary Negligent actions

14 Compliance Exercise 1(b) 14 Expected Standard of Due Care Board of Directors Officers Managers IT Mangement & Staff Other Staff Client s Data Exposed Industrial Espionage SEC fraud Unethical behaviour

15 Compliance Management 15 Identify Regulatory requirements Select Compliance Frameworks Document Business processes and controls: Implement or update Processes & Controls Determine Control Gaps Address - close gap(s) Monitor control status and effectiveness: Identify and remediate issues Review and update control environment Certify effectiveness Communicate results of analysis to key stakeholders: Train for Compliance Generate evidence to support audit requirements Assess impact of events on controls

16 Compliance Management Process 16 Regulatory Requirements Compliance Framework Business Processes Monitor Controls Communicate & Train

17 Compliance Management Issues 17 No Compliance oversight function and/or very low confidence level in risk management Lack of Compliance Awareness and Education Outdated Policies and Procedures Informal Procedures and Practices Unknown and/or not well informed and understood Policies, Procedures, Strategic Plans, Budget and Resources Allocation-Management Inconsistent application of policies and practices among different areas/departments Ineffective/Inefficient controls Personal accountability is unenforceable or wrongly placed

18 Environment for Compliance 18 Establish an incentive and reward system based on excellence and hard work. Develop an ethical environment that can foster and sustain responsible decisions. Build a system of ethical practice throughout the compliance program and the organization. Assign the resources and communicate a clear message Move the cultural change: Compliance is the right thing to do Michael Volkov, Creating a Culture of Ethics and Compliance

19 SOX Compliance 19 Sec Faulty Financial Reporting (Data Safeguard) Prevent data tampering Accurate reporting and timelines Track data access Operational safeguards Safeguards effectiveness Security breaches detection Sec 404: Disclosure and transparency (Data Security) Disclose security safeguards Disclose security breaches Disclose failure of safeguards

20 Sox Compliance Frameworks 20 Cobit 5 ( ISO ( COSO ( SANS Approach: An Overview of SOX A Compliance Primer SOX IT Compliance Audit Some IT Support Solutions: Computron CorreLog Oracle

21 SOX Compliance References 21 Computron, Sarbanes-Oxley Compliance: A Checklist for Evaluating Internal Controls Correlog, Sarbanes-Oxley (SOX) Compliance Checklist Deloitte, Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002 Ernst & Young, The Sarbanes-Oxley Act at 10, Enhancign the reliability of financial reporting and audit quality KPMG, Sarbanes-Oxley Section 404: Summary of key points from submissions to the SEC J. StephenMcNally, CPA, The 2013 COSO Framework & SOX Compliance, One Approach to Effective Transition Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, FAQ s Regarding section 404 SPLUNK, SOX Compliance

22 COSO 2013 (Committee of Sponsoring Organizations - Threadway Commission) Update considers changes in business and operating environments Environments changes... have driven Framework updates Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud COSO Cube (2013 Edition)

23 COSO 2013 Updated Model Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies

24 COSO - Example on how controls effect principles Component Control Environment Principle (1) The organization demonstrates a commitment to integrity and ethical values. Controls embedded in other components may effect this principle Human Resources review employees confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity Control Environment Management obtains and reviews data and information underlying potential deviations captured in whistleblower hot-line to assess quality of information Information & Communication Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon Monitoring Activities

25 25 GR&C Wrap-up

26 GRC or ECRG 26 Governance Risk and Compliance (Video) Why a GRC Framework? (Video) GRC: The Power to decide (Video) Ethics, Compliance, Risk Management & Governance: Should it be GRC or ECRG? (Why/Why not?) What does the Ethical Component introduce? How can Ethical Governance become the axis?

27 27 Ethics and Compliance or Compliance and Ethics Society of Corporate Compliance and Ethics, Sally March, Compliance in Europe Alstom, Ethics and Compliance: "clean business is great business" Lilly, Ethics and Compliance Program Ethics & Compliance Officer Association, Standards of Conduct for Ethics and Compliance Professionals Education Portal, Corporate Social Responsibility Dilbert on Ethics for e-cpe DigiPharm, The relationship between compliance and ethics Funny FCPA trainings Click4Compliance, Global Anti-corruption laws

28 28 Governance Cases Teamwork Exercise

29 Cases in Governance 29 Enron Lee Ann Obringer - Stuffworks Robert Jon Petersen Sophia.org The Economist - The FBI, Crime in the Suites: A look back at the Enron Case - Leigh Tesfatsion Iowa State University -

30 30 Cases in Governance Tyco International Lee Ann Obringer Stuffworks - Tyco Fraud InfoCenter - Daniels Fund Ethics Initiative University of New Mexico - Law Teacher Unethical issues or legal issues in Tyco International - Study Mode - Case-Study html

31 31 Cases in Governance WorldCom Lee Ann Obringer Stuffworks - Romar et als Santa Clara University World Com Case Study _Case_Study_April_2009.pdf Kristin A. Kennedy An Analysis of Fraud - University of New Hampshire

32 32 Cases in Governance Adelphia The Adelphia Case Scandal - 3&cad=rja&ved=0CDQQFjAC&url=http%3A%2F%2Fwww.aicpa.org%2FI nterestareas%2faccountingeducation%2fresources%2fdownloadabledocu ments%2fadelphia.ppt&ei=8i_wuthdmzg8kqfjuidycg&usg=afqjcnehp tlobmqe4mmgbg0luops6tikxq CNN Money The Adelphia Story / C.P. Carter et als. The Adelphia Fraud American Accounting Association, Adelphia Communications Case Study Case-Study

33 33 Cases in Governance Peregrine Systems FBI Peregrine Systems Indictment