Friday, May 23, 2008

Understanding Enterprise Risk Management In-Depth

In today’s blog, we will discuss “Understanding ERM In-Depth; Using the Right ERM Strategy as A Catalyst for Addressing Risk, While Improving Audit Outcome”.

Companies are under significant pressure to stay abreast of a wide array of business risks that may impact their organization’s success and sustainability. The risk oversight role of BODs and senior management is becoming critical to the sound running of an organization, especially for companies with significant market risk exposures. This has caused BODs and corporate officers to become involved in strategic ERM planning at early stages, rather than just reviewing and signing off on an ERM strategy after management has fully developed it. Furthermore, the increasing demands and high expectations from the BOD level have caused a major shift in how audit committees and chief audit executives approach their internal audit programs. Internal auditors are encouraged to incorporate a risk-based approach to internal controls auditing.

ERM Framework and Strategy:

I’ve seen many clients undergo major efforts in developing an ERM framework that works for their business. Most of these frameworks, in my opinion, appear to be nothing more than an over-engineered process that could have been completed with a COSO-based or NIST-based ERM framework. The bottom line here is to take advantage of frameworks that have already been established so that you are not “re-inventing” the wheel. Your ERM framework should capture ALL key and critical business areas within your organization. Your framework should also account for both business and information risks. Key word here… ENTERPRISE!

ERM and Internal Audit:

The role of the internal auditor and the internal audit process is quickly changing. Today, internal auditors are encouraged to take a risk-based approach to their audit programs. I am working with a client that uses risk composites to drive or “trigger” its audits. The way it works is that when both the likelihood and the MOI (magnitude of impact) of a threat are high, the audit department is notified to audit the control(s) that are supposed to mitigate the risk or threat. As an auditor, I strongly encourage your audit team to employ a risk-based approach to your audit strategy. Additionally, integrating with your ERM division offers great rewards in this process, and this strategy will also improve your audit outcome. Know the risk… employ the effective control(s)… mitigate the risk… you get the idea!

ERM and GRC (Governance, Risk, and Compliance):

I had a customer ask me, “What is the most critical component of the GRC process?” Although this is a tough question and every component of the GRC process is important, it is my opinion that the cornerstone of GRC is risk (R). Without knowing and understanding the risks that businesses face today, it would be difficult to provide BODs with risk oversight, identify controls that need continuous monitoring, and achieve a risk-based approach to compliance management. Once your risk appetite has been determined and your business risks have been identified, you can perform risk analytics and modeling to further enhance your ERM program and provide BODs and corporate officers with oversight of their enterprise risks. All in all, you can see the importance and significance of ERM within a GRC or corporate governance strategy. I’m curious to hear other approaches to this thought.

I would like to hear your views on the following:

  1. What is your approach to Enterprise Risk Management?
  2. How do you incorporate risk into your GRC or Corporate Governance Strategy?
  3. What ERM framework works best for your organization?


Thank you

James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions



Thursday, May 15, 2008

Data Theft

In today’s blog, we will discuss the issues concerning insider data theft and the selling of customer data. I would also like to hear your views on information risk management. Enjoy!

Over the last couple of years, insider data theft has become a major issue that companies are dealing with and for which they are seeking preventive controls. Even more shocking, some employees and contractors with access to customer information have managed to make extra income by selling this information on the “electronic black market”.

The Issue:

The FBI has cited that 85% of data theft is caused by internal employees who have access to confidential data. In the month of July alone, two major data theft cases made headlines. Certegy Check Services, a subsidiary of Fidelity National Information Services, announced that it had discovered an employee sold identifying data on 2.3 million customers to a data broker. More recently, a subcontractor working for a company that processes and fulfills orders for the Disney Movie Club sold credit card numbers and other account information belonging to an unknown number of customers to undercover law enforcement agents. The data stolen in both cases contained names, addresses, birth dates, and account information.

The Consumer Data Black Market:

The following types of information are being sold on the black market at these prices:
  • $980-$4,900 - Trojan program to steal online account information
  • $490 - Credit card number with PIN
  • $78-$294 - Billing data, including account #, address, Social Security number, home address, and birth date
  • $147 - Driver's license
  • $147 - Birth certificate
  • $98 - Social Security card
  • $6-$24 - Credit card number with security code and expiration date
  • $6 - PayPal account logon and password

Major Cause of Data Breach:

Nearly fifty percent of professionals take corporate data with them when they change jobs, according to a recent online survey, with many of them simply e-mailing it to themselves or storing it on a peripheral device. In fact, a CSI/FBI survey reported that the most serious financial losses occurred through theft of proprietary information. Much like other security vulnerabilities, non-malicious errors (otherwise known as social engineering) contribute largely to the problem. The leading cause of a data security breach is non-malicious employee error (39 percent), followed by malicious employee activities (30 percent) and hacker or external penetration (16 percent). Other sources of data breaches include:
  • Stolen Laptops
  • Social Engineering
  • Dumpster Diving
  • Information left on printing and fax devices

Some Solutions:

Once sensitive data has been initially identified and classified, one can implement a number of automated methods to maintain these classifications. Linguistic signatures or forensic-based “file crawlers” can watch and sustain classifications as the original files change and new files are added to protected directories. These devices can be configured to navigate through file systems and watch protected files and directories in a number of ways:
  • Protect and watch specific files. As the file contents change, so will the data in the signature repository.
  • Protect all contents of a directory. File crawlers can be set to watch and protect directories containing proprietary source code.
  • Protect all files matching a specific template within a directory. As file names and content within documents change, all drafts of the document are protected.
  • Protect all files with a given extension in a directory. For example, selecting the .xls extension enables protection for all Excel spreadsheets in the finance department’s directories.
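One way to build such a crawler, as an added example that is not the post’s or any product’s code: it keeps a signature repository (relative path to SHA-256) for the files selected by the four rule kinds above and reports what was added, modified or removed between two scans. The rule tuple format and the sample directory tree are constructed for the example.

```python
"""Toy 'file crawler' for the post's Some Solutions section (added example, not a product's code)."""
import hashlib
import tempfile
from pathlib import Path

def select_files(root, rules):
    chosen = set()
    for kind, value in rules:
        if kind == "file":        # protect one specific file
            found = [root / value]
        elif kind == "dir":       # protect everything under a directory (e.g. a source tree)
            found = (root / value).rglob("*")
        elif kind == "template":  # protect every draft matching a name template (glob)
            found = root.glob(value)
        elif kind == "ext":       # protect every file with a given extension
            found = root.rglob("*" + value)
        else:
            raise ValueError(f"unknown rule kind: {kind!r}")
        chosen.update(p for p in found if p.is_file())   # skips missing paths and directories
    return chosen

def rescan(root, rules, repo):
    """Compare current signatures with repo; return (added, modified, removed) and the new repo."""
    current = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
               for p in select_files(root, rules)}
    added = sorted(k for k in current if k not in repo)
    modified = sorted(k for k in current if k in repo and repo[k] != current[k])
    removed = sorted(k for k in repo if k not in current)
    return (added, modified, removed), current

def demo():
    """Constructed sample tree; returns the reports from an initial scan and a rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("finance", "src", "legal"):
            (root / d).mkdir()
        (root / "policy.txt").write_bytes(b"acceptable use policy v1")
        (root / "finance/q1.xls").write_bytes(b"q1 figures")
        (root / "src/main.c").write_bytes(b"int main(void){return 0;}")
        (root / "legal/draft_v1.doc").write_bytes(b"contract draft 1")
        (root / "legal/memo.txt").write_bytes(b"unprotected memo")
        rules = [("file", "policy.txt"), ("dir", "src"),
                 ("template", "legal/draft_*.doc"), ("ext", ".xls")]
        first, repo = rescan(root, rules, {})
        (root / "finance/q1.xls").write_bytes(b"q1 figures, restated")   # protected edit
        (root / "legal/draft_v2.doc").write_bytes(b"contract draft 2")    # new draft
        (root / "legal/memo.txt").write_bytes(b"edited, still unprotected")
        (root / "src/main.c").unlink()                                    # deletion
        return first, rescan(root, rules, repo)[0]
```

The second report shows only drift in protected files; the edit to the unprotected memo produces no finding.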

Other solutions include notifying departments of new threats and risk areas, which enables them to fully understand the cause of a threat, determine how to mitigate it, implement new controls, and then apply that knowledge to other areas. Finally, organizations should review the following file system security components and implement security controls to mitigate the risk of data theft:
  • File System Permissions
  • Access Management and Frequent Monitoring/Review
  • Network Access Management
  • Hardened Systems and Hosts

In Closing:

In order to minimize the risk of data theft, organizations should consider the following approaches:
  • Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations
  • System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; and (ii) monitor information system security alerts and advisories and take appropriate actions in response.
  • Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
  • Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals

I would like to hear your views on the following:
  1. IT risk assessment strategies; what is your process and approach?
  2. Have you made the transition from information security to information risk management?
  3. How are you measuring information risks?
  4. How does your information security governance strategy fit into your organization’s corporate governance process?

Thank you