Information Security Maturity Key to GRC

Editor’s Note: While Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, the company also sells a comprehensive software platform that integrates content and commonly accepted and proprietary frameworks with consulting expertise to help companies manage and mitigate risk and compliance issues.

by Scott Wisniewski and Piyush Agrawal of Protiviti

Most IT organizations understand their role in helping to support the objectives and adapt to the growing needs of their businesses. However, not all are capable of managing the inherent risks in the IT processes and applications used to support their company’s operations.

A mature IT organization differentiates itself by first anticipating and then safeguarding itself from potential risks. By doing so, it instills more confidence in its ability to support newer technologies, applications and user communities.

To achieve this end, companies gradually adopt best practices such as COBIT, ITIL, Risk IT and ISO 17799 to guide IT personnel. However, they’ve quickly realized that the implementation of best practices must be aligned with the enterprise’s risk management and control framework, and integrated with their existing methods and practices.

For instance, while many companies have yet to embrace online social networking, more and more organizations see it as an enabler of business opportunities similar to other communication mediums such as email. While opening access in the workplace to social networks can create numerous long-term benefits, there are risks, including reduced employee productivity and, perhaps more notably, information security breaches.

As technology controls are gradually developed, the responsibility for security needs to shift from technology-based to people-focused controls. Furthermore, by building a strong communication program and heightening the overall risk consciousness, organizations can train their employees to pursue recommended ways of using social media and to respond effectively to attacks, thus creating a “human security perimeter.”

The Feds

In addition to self-managed data policing efforts, companies now need to address a number of recently introduced state, federal and international data security regulations. Organizations dealing with private information of company stakeholders — customers, employees, shareholders and vendors — are required to adopt necessary safeguards to manage and protect this information.

The first step for companies that handle such information is to get a clear understanding of what this data is along with its dependencies. The second step is to assign ownership of processes, applications and data to appropriate stakeholders in the organization.

Given the tight association of process, application and data, organizations can employ multiple blends of ownership structures such as application ownership across business processes, or application ownership at one facility and process ownership at another. The third step is to continuously monitor and audit the use of data as it leaves the realm traditionally controlled by the owner, whether it’s a particular application, business process, or data type.

Partners and vendors

In today’s interconnected world, securing and maturing one’s own organization is not enough. Vendors play a critical role and have significant ownership of company processes, applications and data. Vendor education, awareness, adherence to company policy and self-assessments should be critical components of a company’s GRC program.

A consolidated vendor assessment engine using any of the industry-standard questionnaires, such as the Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaire (SAQ) or the Standardized Information Gathering (SIG) questionnaire, helps automate the vendor management process. GRC technologies are designed to “grade” vendors based on the criticality of the service provided and the maturity of their security environment. Audit findings and remediation plans can be managed and tracked on a consolidated interface by both the vendor and the company on the same system.

IT risk management is the second major maturity enabler and is addressed at length in ISACA’s Risk IT framework. ISACA describes IT risk as the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. Companies adopting such frameworks need to identify and document all of the detailed IT risks and map them to the broader enterprise-wide risk management framework.

Increasing negative publicity surrounding internal breaches has expanded the responsibilities of the enterprise security team within most organizations. Additionally, the interest by upper management in the activity and results of security processes and spending is growing. They need to see how myriad security initiatives and risk frameworks are adding value to the broader compliance and maturity goals of the organization.

At most organizations, no single technology vendor can enable a complete GRC technology ecosystem. Technology buyers should look for solutions that enable connectivity with third-party systems for inputs. For instance, training and awareness user tasks in one system should enable linkage to third-party e-learning solutions. Similarly, vulnerability scan, penetration test and continuous control monitoring results from one system could be actionable in another.

The figure below provides an overview of the three key areas of risk and control management — Policy and Governance; Process and Control; and Training and Communication — underpinned by a supporting “Toolkit” that can be applied within an IT group. These three areas collectively establish a comprehensive foundation for stakeholder reporting and interface with all relevant enterprise risk management activities.

All frameworks and regulations discussed in this article require documentation, process workflow and tracking of detailed metrics. Most organizations initially start out with Microsoft Office and unstructured document management systems, but soon migrate to specialized GRC systems to manage documentation of a comprehensive risk universe, deployment of risk assessment tasks, tracking of control status, security metrics, incidents and remediation activities. Companies also use these systems for enterprise risk reporting.

A good GRC system addresses all three key areas of risk and control management and simplifies decision making by prioritizing, aggregating and highlighting the most critical metrics, findings and risks facing the organization.

Cost control

The cost of not securing information entrusted to an organization can be enormous. A number of recent surveys of both small businesses and large corporations have found that a significant percentage of companies have experienced confidential data loss in the last few years. In addition to litigation costs, the embarrassment and reputation costs are particularly severe when the loss of customer data (e.g., credit card information) is reported to the public. It is important that organizations pursue a multipronged approach, as outlined in these three areas of risk and control management.

Lastly, the effectiveness of data security and IT risk management activities can be rated on widely recognized maturity scales such as Carnegie Mellon’s Capability Maturity Model Integration (CMMI) scale. Maturity models help an organization understand its shortcomings and set targets for where it needs to be.

Scott Wisniewski is director of Governance Portal product management for the Risk Technologies group within Protiviti, a global consulting and internal audit firm specializing in risk, advisory and transaction services. Wisniewski is actively involved in worldwide GRC implementations related to IT security risk, regulatory compliance, Sarbanes-Oxley, internal audit, operational risk, and more.

Piyush Agrawal is Governance Portal product manager in Protiviti’s Risk Technologies group. Agrawal manages GRC product and business development initiatives, with a focus in the financial sector.