GRC (Governance Risk & Compliance)

Best practices and Knowledge base on Governance Risk Compliance

SOC 2 compliance

When to consider SOC2 Certification

Information security is a reason for concern for all organizations, including those that outsource key business operations to third-party vendors (e.g., SaaS, cloud-computing providers). Rightfully so, since mishandled data—especially by application and network security providers—can leave enterprises vulnerable to attacks, such as data theft, extortion and malware installation.

SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.

SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles, based on the systems and processes in place. The trust principles are broken down as follows:

1. Security

The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information. IT security tools such as network and web application firewalls (WAFs), two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access to systems and data.

2. Availability

The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties. This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.

3. Processing integrity

The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized. However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.

4. Confidentiality

Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information. Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.

5. Privacy

The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP). Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.

IT governance on value delivery header

Role of IT governance on value delivery

Information technology governance is a subset discipline of corporate governance. Although it is sometimes mistaken for a field of study on its own, IT governance is actually a part of the overall corporate governance strategy of an organization. In simple words, IT governance is putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results.

An IT governance framework answers some key questions, such as how the IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from the investment it’s making. The primary goals of IT governance are to assure that investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.

Organizations and businesses need a structure or framework to ensure that the IT function is able to sustain the organization’s strategies and objectives. The framework and level of detail needed depend on the size, industry and applicable laws or regulations. In general, the larger and more regulated the organization, the more detailed the IT governance structure should be.

IT Governance Framework

It doesn’t make sense to reinvent the wheel by starting from scratch. Start with an IT governance framework; there are many to choose from, but using at least one means everything has already been organized by industry experts. An IT governance framework includes three elements:

Governance principles – the principles by which all IT initiatives will be governed

Governance structure – the roles and responsibilities of the major stakeholders in the IT governance decision-making process, including committees and organizational elements at the branch level

Governance process – the various stages required to review, assess and approve or reject new IT initiatives

Implementing good IT governance requires a framework.

COBIT

The Control Objectives for Information and related Technologies (COBIT) framework, developed in 1996 by the Information Systems Audit and Control Association (ISACA), is probably the most popular. Basically, it’s a set of guidelines and a supporting tool set for IT governance that is accepted worldwide. It’s used by auditors and companies as a way to integrate technology to implement controls and meet specific business objectives.

COBIT 2019 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, the Information Technology Infrastructure Library (ITIL) and related standards from the International Organization for Standardization (ISO).

ITIL

The Information Technology Infrastructure Library (ITIL) from the government of the United Kingdom runs a close second to COBIT. ITIL is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. In its current form (known as the ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITIL underpins ISO/IEC 20000 (previously BS 15000), the international standard for IT service management, although differences between the two frameworks do exist.

ITIL describes processes, procedures, tasks and checklists that are not organization-specific and that an organization can use to establish integration with its strategy, deliver value and maintain a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement and measure. It is used to demonstrate compliance and to measure improvement.

Talk about challenges in IT risk management

What are the biggest issues in risk management today? How do you expect them to evolve in the future? A few points that need to be looked into while doing a risk assessment or establishing a process for risk management are as follows:

Risk decision-making structure or framework

A lack of risk decision-making structure and a lack of accountability for risk decisions in an organization. Almost every business executive is comfortable with risk decision making; however, in many cases the right people aren’t making those decisions. In many cases, big risk decisions are being made too low in organizations, by people who aren’t incentivized to make the right decisions for the organization. For example, a project manager may accept a large information security risk that can lead to compliance and reputational issues simply because the only thing they get incentivized on is getting the new product out the door. However, the executive in charge of the business unit, accountable for sustained results, may make a very different decision. Organizations need to develop a structure so that the important risk-based decisions are made by the right people, those who are accountable for the impacts – good or bad. This typically means some kind of risk governance structure that defines what decision-making powers each level of the organization has, and an oversight structure and escalation path for those risks that need to be monitored or managed higher up in the food chain.

The lack of a meaningful risk assessment process

There are organizations that consider risk management something they have to do from a compliance standpoint and conduct superficial risk assessments. Others just don’t have the right skills to develop a meaningful risk assessment process. A meaningful process enables the identification of risks based on the goals of the organization and describes those risks in business terms, either qualitatively or quantitatively, through a common risk taxonomy. Enabling risks to be compared apples-to-apples is extremely important for decision makers who need to be able to allocate resources across complex organizations.

In terms of risk assessment effectiveness, organizations that take a control-based approach to risk assessment are often missing the business context required to make the right decisions. There’s a common approach of “I’ve compared myself to a best practices list and anything I am missing must be a risk” which misses the point. The best practices should be adopted as controls to manage the risks you’ve identified. Taking a list and just applying it wholesale means you’re likely not going to be spending your money on the controls you need to manage your real top enterprise risks, and overspending in areas for small gains in risk mitigation. A true, goals-based risk management strategy facilitates a more effective allocation of risk mitigation resources and sometimes even saves money!

A lack of an open, risk-aware culture

In order to build a culture where business managers are willing to be transparent with their executives, the executives have to be careful to craft the kind of culture that fosters this transparency. Open dialogue about concerns, risks and necessary trade-offs, without “shooting the messenger”, is often missing in organizations that lack effective risk management.