Recent Internal Control Framework Updates - COSO, COBIT, ISO27000, PCI and More! Larry Hessney, Partner, ERM May 2014

Transcription

1 Recent Internal Control Framework Updates - COSO, COBIT, ISO27000, PCI and More! Larry Hessney, Partner, ERM May 2014

2 My current experience is with a: A. Public company with ICFR audit requirement B. Public company without ICFR audit requirement C. Private company with internal control reporting requirements (such as financial institutions) D. Private company without internal control reporting requirements E. Public accounting firm F. Other

3 My level of awareness of the changes to the COSO Framework is: A. I have read the newly released Framework and followed the exposure draft process B. I have read an article or summary of the changes C. This presentation is my first look at the changes D. I don t know what COSO is; I just need CPE

4 Why update what works? The Framework has become the most widely adopted control framework worldwide. Original Framework COSO s Internal Control Integrated Framework (1992 Edition) Refresh Objectives Reflect changes in business & operating environments Expand operations and reporting objectives Articulate principles to facilitate effective internal control Enhancements Updates Context Broadens Application Clarifies Requirements Updated Framework COSO s Internal Control Integrated Framework (2013 Edition)

5 Intended benefits of updated Framework Improve governance Expand use beyond financial reporting Improve quality of risk assessment Strengthen IT guidance Strengthen anti-fraud efforts Adapt controls to changing business needs Greater applicability for various business models External Parties Management and Board of Directors Performance Confidence Slide Source: COSO IC-IF Outreach Deck_ ( Other Users

6 What is not changing vs. What is changing

7 Why COSO Update expected to increase ease of use and broaden application What is not changing... What is changing... Core definition of internal control Three categories of objectives and five components of internal control Each of the five components of internal control are required for effective internal control ERM Framework distinct from Internal Control Framework, but complementary Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness Principles-based: Fundamental concepts underlying five components articulated as principles Increased guidance/ease of use: Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added Changes in business and operating environments considered Operations and reporting objectives expanded

8 What is changing (continued) Addition of 17 principles that are necessary for effective internal control - Must be in place or proven why not relevant Describes 81 Points of Focus that are typically important characteristics of the principles - Do not need to be proven Significant documentation considerations in transition Other changes to components

9 COSO 2013 Internal Control Framework The 17 Principles Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies Slide Source: COSO IC-IF Outreach Deck_ (

10 Update describes important characteristics of principles as Points of Focus - Example Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. Points of Focus: Sets the Tone at the Top Establishes Standards of Conduct Evaluates Adherence to Standards of Conduct Addresses Deviations in a Timely Manner Points of focus may not be suitable or relevant, and others may be identified Points of focus are typically important characteristics of principles that may facilitate designing, implementing, and conducting internal control There is no requirement to separately assess whether points of focus are in place Refer to Appendix A for a complete listing of the Points of Focus

11 Risk assessment Risk assessment A dynamic and iterative process for identifying and assessing risk to the achievement of objectives. Newly defined principles 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control.

12 Steps for implementing 2013 Framework Understand the Framework Identify key stakeholders Awareness / education / training Map existing controls to principles Gap analysis / remediation Update documentation Timing considerations Updated Framework will supersede original Framework on December 15, 2014 Earlier implementation encourage During the transition external reporting should disclose which version of the Framework was used

13 Appendix A Points of Focus Risk Assessment Principle 6. Specifies suitable objectives Operations objectives Reflects management s choices Considers tolerances for risk Includes operations and financial performance goals Forms a basis for committing resources External financial reporting objectives Complies with applicable accounting standards Considers materiality Reflects entity activities External non-financial reporting objectives Complies with externally established standards and frameworks Considers the required level of precision Reflects entity activities Internal reporting objectives Reflects management s choices Considers the required level of precision Reflects entity activities Compliance objectives Reflects external laws and regulations Considers tolerances for risk Principle 7. Identifies and analyzes risk Includes entity, subsidiary, division, operating unit, and functional levels Analyzes internal and external factors Involves appropriate levels of management Estimates significance of risks identified Determines how to respond to risks Principle 8. Assesses fraud risk Considers various types of fraud Assesses incentive and pressures Assesses opportunities Assesses attitudes and rationalizations Principle 9. Identifies and analyzes significant change Assesses change in the external environment Assesses change in the business model Assesses change in leadership

14 Appendix A Points of Focus Monitoring Activities Principle 16. Conducts ongoing and/or separate evaluations Considers a mix of ongoing and separate evaluations Considers rate of change Establishes baseline understanding Uses knowledgeable personnel Integrates with business processes Adjusts scope and frequency Objectively evaluates Principle 17. Evaluates and communicates deficiencies Assesses results Communicates deficiencies Monitors corrective actions

15 COBIT 5 Areas of Change The following slides summarise the major changes in COBIT 5 content and how they may impact GEIT implementation/improvement: 1. New GEIT Principles 2. Increased Focus on Enablers 3. New Process Reference Model 4. New and Modified Processes 5. Practices and Activities 6. Goals and Metrics 7. Inputs and Outputs 8. RACI Charts 9. Process Capability Maturity Models and Assessments 14

16 3. New Process Reference Model Source: COBIT 5, figure ISACA All rights reserved. 15

17 4. New and Modified Processes There are several new and modified processes that reflect current thinking, in particular: APO03 Manage enterprise architecture. APO04 Manage innovation. APO05 Manage portfolio. APO06 Manage budget and costs. APO08 Manage relationships. APO13 Manage security. BAI05 Manage organisational change enablement. BAI08 Manage knowledge. BAI09 Manage assets. DSS05 Manage security service. DSS06 Manage business process controls. 16

18 ISO/IEC2700:2013 Changes The new standard puts more emphasis on measuring and evaluating how well an organisation's ISMS is performing, [6] and there is a new section on outsourcing, which reflects the fact that many organisations rely on third parties to provide some aspects of IT. [7] Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9000 and ISO 20000, and it has more in common with them (written using the new high level structure, which is common to all new management systems standards). This will make integration straightforward. Terminology changes have been made and some definitions have been removed or relocated

19 ISO/IEC2700:2013 Changes More attention is paid to the organisational context of information security, and risk assessment has changed. [ Risk assessment requirements have been aligned with BS ISO Management commitment requirements have a focus on leadership Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships. Greater emphasis is on setting objectives, monitoring performance and metrics

20 ISO/IEC2700:2013 New Controls A Information security in project management A Restrictions on software installation A Secure development policy A Secure system engineering principles A Secure development environment A System security testing A Information security policy for supplier relationships A Information and communication technology supply chain A Assessment of and decision on information security events A Response to information security incidents A Availability of information processing facilities

21 What s new in PCI DSS 3.0 PCI 3.0 emphasizes security versus compliance, and a more proactive, business-as-usual approach to protecting cardholder data. Key themes: Education and awareness Increased flexibility Security as a shared responsibility Guidance on emerging technologies 3 types of changes: Clarification Additional guidance Evolving requirement 20

22

23

24

25 Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1

26 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management IT and Security Concepts COBIT and COSO Perspectives Monitoring Procedural and Technical Page 2

27 Information Security Some Industry Standards International Standards Organization (ISO) Series Information Security Forum (ISF) Standard of Good Practice for Information Security National Institutes of Standards and Technology (NIST) Payment Card Industry Data Security Standard (PCI DSS) SANS Top 20 Controls Page 3

28 Information Security - Definition ISACA defines information security as something that: Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability). Page 4

29 COBIT 5 for Information Security Extended view of COBIT 5 Explains each component from information security perspective Provides: Guidance on drivers and benefits Principles from an information security perspective Enablers for support Alignment with standards Page 5

30 COBIT 5 for Information Security Policy Framework Input Information Security Principles Information Security Policy Specific Information Security Policies Information Security Procedures Information Security Requirements and Documentation Mandatory Information Security Standards, Frameworks and Models Generic Information Security Standards, Frameworks and Models Source: COBIT 5 for Information Security, figure ISACA All rights reserved Page 6

31 Information Security and COBIT 5 Information Security Principles Support The Business Defend the Business Promote Responsible Information Security Behavior Information Security Policy Scope including: A definition for the enterprise Responsibilities Vision, with appropriate goals and metrics Page 7

32 Information Security and COBIT 5 (Cont.) Policy Driven by Information Security Access Control Personnel Information Security Policy Physical and Environmental Information Security Policy Policy Driven by the Enterprise including: Business Continuity and Disaster Recovery Acceptable Use Communication and Operations Risk Management Page 8

33 Information Security and COSO Control Environment Principal 1: The organization demonstrates a commitment to integrity and ethical values Principal 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives Principal 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives Page 9

34 Information Security and COSO (cont.) Risk Assessment Principal 6: Identifies and analyzes risk Principal 9: Identifies and analyzes change Control Activities Principal 12: Deploys policies and procedures Monitoring Activities Principal 16: Conducts evaluations Evaluates and communicates deficiencies Page 10

35 COBIT 5 and PCI DSS PCI DSS 3.0 Requirements Page 11

36 COBIT 5 Security and PCI DSS COBIT 5 Enabling Processes Page 12

37 COBIT 5 Security and PCI DSS Example Mapping Page 13

38 Risk Management Page 14

39 Current Threats Statistics Top 5 Threat Actions 1) Use of Stolen Credentials (hack) 2) Export Data (malware) 3) Phishing (social engineering) 4) Ram Scraper (malware) 5) Backdoor (malware) Source: Verizon Data Breaches Investigative Report 2014 Page 15

40 Current Threats Statistics Top 5 Breach Incident Methods 1) 35% Web App Attacks 2) 22% Cyber-espionage 3) 14% POS Intrusions 4) 9% Card Skimmers 5) 8% Insider Misuse Source: Verizon Data Breaches Investigative Report 2014 Page 16

41 Risk Management Have you assessed the risk of your IT environment? For example, your Internal Controls may prevent an employee from creating fraudulent checks, but... Is your (or your customer s) information being siphoned off the network? Page 17

42 Risk Management (cont.) The Goal of an IT Risk Assessment Define threats and potential threats (internal or external) Identify areas that are not adequately protected Identify areas that do not meet regulatory requirements (compliance) Understand the security impact of new technologies Page 18

43 Risk Management (cont.) Identify Threats and Vulnerabilities Critical Asset Known Threats Vulnerabilities Information, Server, Website Cyber attack, DDOS attack, Staff errors Internal network not patched; external defenses weak Page 19

44 Risk Management (cont.) Rank the risk to each asset Likelihood or Probability How likely is the threat to occur? Or how likely is the vulnerability to be exploited? Severity or Impact What would be the cost to the business? Consider downtime, brand name, cost of recovery, and cost of penalties. Page 20

45 Risk Management (cont.) One way to rank risks (time for some math) Probability (%) = Likelihood of threat occurring and being successful (Threat + Vulnerability) Impact (1-5, where 5 is highest impact) = Actual or anticipated cost to the business Risk = Probability X Impact Page 21

46 Monitoring Page 22

47 Incident Discovery Remember the threats from earlier? 98% of all attacks lead to a compromise in LESS THAN 1 DAY! Only 25% of all companies detected the compromise in less than 1 day *Median days to discovery 229 DAYS! Sources: Verizon Data Breaches Investigative Report 2014 *Mandiant M-Trends 2014 Report Page 23

48 Monitoring COSO Monitoring and COBIT 5 16 The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. MEA02 The COBIT 5 Processes enabler guidance specifically addresses monitoring, evaluation and assessment of internal control adequacy (COBIT 5 process MEA02 Monitor, evaluate and assess the system of internal control). 17 The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. EDM05 MEA02 In addition to MEA02, COBIT 5 process EDM05 Ensure stakeholder transparency includes practices and activities to evaluate, direct and monitor stakeholder reporting and communication requirements, including those related to control deficiencies, to senior management and the board, as appropriate. Page 24

49 Monitoring Network Activity Network Monitoring It is necessary to understand your network If you do not know what is on your network, you cannot defend it effectively. If you do not know how devices on your network are configured and set up, you cannot know how to protect and secure them. --Dr. Eric Cole, recent inductee to the Infosecurity Europe Hall of Fame Page 25

50 Monitoring Network Activity Don t forget to look inside Your network There s a whole network behind your firewall Page 26 Page 26

51 Monitoring Network Activity Look inside your network to discover Malicious software, trojan horses, spam-bots, etc. All phone home to a command and control (C2) system Watch your outgoing traffic, not just incoming Page 27 Page 27

52 Page 28