ZenGRC Team

iPhone X and Security: Becoming James Bond and Protecting Your Organization

ZenGRC Team · September 21, 2017 ·

When Apple announced its high tech facial recognition software, the iPhone X and security suddenly stepped out of the dark and into the light. For many, the ability to hold up a phone and unlock it with your face seems like something out of a James Bond movie or a science fiction spy book. We may not have Marty McFly’s hoverboards on our sidewalks, but we will have James Bond-esque biometrics in our hands.

Where do iPhone X and security overlap? Looking at the compliance landscape, the reasons for the iPhone X FaceID are the same reasons you need to secure your password management program. If you’re looking for the compliance equivalent of smartphone technology‘s ease, complete this form to schedule an appointment with one of our GRC experts.

How the iPhone X and Security Concerns Correlate

Two-factor and multi-factor authentication requirements are rapidly becoming business norms. Protecting data means finding as many ways as possible to thwart malicious intentions.

Security analysts have long noted that facial recognition isn’t that safe. In fact, Samsung even admitted that the Galaxy S8’s recognition software was flawed in the early stages. Many security professionals have therefore been wary about Apple’s FaceID.

Unlike others facial recognition programs, however, the Apple model uses 3D scanning to create the saved image. This means that it looks at more data points and angles to make its recognition as precise as possible.

For everyday users, the available information is contentious. Apple argues that FaceID is safer. News outlets argue that there could be better options. Some even argue that it would be safest to require passcodes, so why move on to face scanning if that isn’t actually a security upgrade?

Why You Need to Promote Security Awareness

One of the largest security flaws in any organization is its employees. Human error and human laziness are two of the largest reasons that Apple is moving to facial recognition technology. The same problems plague your organization.

Why not continue to unlock smartphones with passcodes? Because people don’t make strong passwords. They use easy-to-remember passcodes or default passcodes. In fact, in the wake of the Equifax breach, news outlets noted that the company used “admin” as the password for one of its non-US databases.

Technology companies created facial recognition and fingerprint identification in response to ongoing security awareness problems. These are precisely the problems that put your organization at risk. If employees don’t understand the value of protecting their own information, they may not understand the value of protecting yours.

How to Incorporate Security Awareness into Your Information Security Management System

Just because an organization understands the value of security awareness, it might not easily incorporate that understanding into its information security management system (ISMS). The goal of any ISMS is to mitigate security risks.

Training employees is the cornerstone of that mitigation. The problem is that trainings need to occur more than once a year. They need to be ongoing and engaging—if people don’t see the value, they tune out.

Security awareness needs to be more than a top-down mandate governed by your IT department. Employees need to understand that just as others are protecting them, they need to help protect you.

Why an Effective Information Security Awareness Program Needs You to Be James Bond

To promote security awareness, you need intelligence on employee habits. Though you’re not walking around in a tuxedo carrying your stirred martini, you’re still sleuthing.

Understanding employee habits and weaknesses requires documentation of your compliance standards and controls. Whether you’re reviewing user authentication settings or creating a password management program, you need to go undercover to understand how employees are engaging with your systems.

Gaining intel doesn’t mean looking over employees’ shoulders. If you send out fake phishing emails to test employee savvy and employees still click through, then your trainings aren’t working.

Why Automating GRC Is the iPhone X of Infosec Compliance

GRC automation and the iPhone X FaceID fulfill the same ease of use function. Where FaceID intends to ease the consumer burden of passcode strength, GRC automation eases the burden of security documentation, reporting, and tracking.

Documenting security awareness training means engaging in metrics that involve all employees. To do this, you need to track new employees as well as current employees. You may have to follow up with employees who did not take the training. You have to make sure that they pass the training with the grade required by your policy.

Moreover, employee education may be an objective for more than one program. You need to be able to map that objective easily across the different programs and standards. Then you need easy access to reports that show your compliance.

With the ability to incorporate multiple standards into your program, you have the ease of one-touch reporting capabilities. Instead of having to review multiple pages of spreadsheet documentation, you can more easily compile the data for your auditor. With a single source of truth, you can easily and seamlessly prove your compliance. Just as consumers simply need to look at their phones to turn them on, you simply need to push a button to prove your compliance.

Whether you like your martinis shaken or stirred, what you undoubtedly will like is the ability to meet audit documentation requirements easily.

To see how you can become James Bond, book a demo, tuxedo optional.

5 Compliance Lessons Learned from the Equifax Breach

ZenGRC Team · September 13, 2017 ·

As consumers reel from news of another major identity theft incident, businesses look for lessons learned from the Equifax breach. According to CNBC, 143 million consumers affected by the breach. The irony is lost on no one: the data breach that will lead to identity theft was perpetrated against the company responsible for helping monitor identity theft. Five main compliance lessons learned from the Equifax breach should help companies regroup.

Lesson 1: Use the Buddy System Wisely

Since the breach, everyone has been pointing fingers. First, Equifax pointed fingers at Apache. Then Apache pointed right back at Equifax.

Equifax argues that the Apache vulnerability was in the code for years. Apache points out that there’s a difference between known vulnerabilities and zero-day exploits. Even if the vulnerability existed for nine years, Apache may not have known about it and therefore may not be liable for the risk.

Imagine that Equifax and Apache Struts are in a Kindergarten classroom together. They both want to build with the classroom LEGO blocks. Apache Struts starts the foundation of the house but unknowingly leaves a weakness in one of the walls. Equifax builds on top of that and when the blocks come tumbling down, Equifax doesn’t want to clean up before playtime is over.

Regardless of who caused the mess, it needs to be cleaned up because walking across a floor covered in LEGO bricks is going to hurt.

Working with vendors means trusting them and doing your due diligence. Unfortunately, even with due diligence, vulnerabilities can exist.

Lesson 2: Patch, Patch, and Patch Again

Equifax argues that it was breached in May 2017, but there are two sets of code that could be involved. One was fixed in March 2017 and the other was announced only in September 2017.

If it turns out that the exploited code comes from the March 2017 vulnerability that Apache fixed, Equifax is going to be in the same boat as many others before it. An unpatched vulnerability led to a breach that could have been prevented.

Lesson 3: Don’t Let Your Business Card End Your Business

With hundreds of patches being released each month, businesses feel they’re set up for failure. The more software you use, the greater your risk of missing an important security update.

Managing this risk means understanding what needs to be done immediately and what can wait. The malicious attackers used a back door to gain entry to the Equifax information.

Consumer websites pose greater risks than most businesses recognize. While most organizations see them as digital business cards, hackers see them as entryways. Non-ecommerce websites are the perfect access point to an organization’s database precisely because they seem innocuous. Since many companies have not required a security audit on their website, they do not appropriately calculate the risk their corporate website might open themselves up to.

When engaging in risk rating your assets, it’s important to look at even the most unsuspecting areas. If you would lock the windows on the second floor of your house because they still pose a risk of robbery, then lock down that corporate website, too.

Lesson 4: Insurance is Not Invulnerability

Why is Equifax trying to point fingers at Apache Struts and vice versa? Because this breach is going to be expensive. So very expensive.

Equifax has already noted that despite carrying cyber-insurance, they aren’t sure if their property and business interruption coverage will be able to compensate those affected. Moreover, given the litigious nature of society, lawsuits have already started trickling in.

Carrying cyber-insurance can help defray the costs of a breach. Protecting your business with cyber insurance is becoming a necessity, but you also need to recognize the limitations of that coverage.

Lesson 5: Documentation of Compliance Can Save Your Business

One of the most important lessons learned from the Equifax breach is that compliance starts and ends with strong documentation. As Equifax scrambles to hire a forensic firm and locate the cause of the breach, documentation is going to be key to determining their liability. Being able to trace processes and controls can save an organization from going bankrupt or from incurring reputational damage that could end the business.

In the current climate, businesses will be breached. Being able to prove that you not only followed best practices but also constantly monitored your landscape may help mitigate liability.

In larger organizations, the documentation is harder to consolidate. With information spread across departments that use different applications, having a single source of truth can be the difference between keeping your databases safe and being an Equifax by removing compliance gaps.

Automation not only consolidates data, but it creates accountability. When organizations can show that they were working hard to protect their consumers, they gain the trust that allows them to continue to do business.

For more information about how automation can help you protect your organization, read our eBook, “eBook: Insider’s Guide to Compliance: How To Get Compliant and Stay Agile.”

HITRUST Framework Helps HIPAA and Vendor Management: Bloody Fingerprint Problem

ZenGRC Team · September 7, 2017 ·

Understanding the HiTrust Certification Process

Just when you figured out how to negotiate the “business entity” definition, Congress hit you with the Omnibus rule. Thanks to the Health Information Trust Alliance (HITRUST), the HITRUST Framework helps HIPAA and vendor management which had suddenly become “a thing.” Managing patient health information (PHI) feels like gathering evidence from a crime scene.

Anyone who remembers the O.J. Simpson trial remembers the infamous bloody fingerprint. The sample of O.J. Simpson’s blood went missing during the police investigation. Only 6 ml of the 8 ml of the blood drawn from Simpson was accounted for, causing people to suspect evidence was planted. While HIPAA may not be as exciting as a high speed car chase, tracking your chain of evidence—or in compliance speak, chain of trust—matters.

What is PHI?

PHI incorporates multiple types of information available to health providers. When looking at the ways that the HITRUST Framework helps HIPAA and vendor management, the first thing to do is to learn the various terms under this umbrella.

Health Information

“Health information” encompasses information created or received by a health care provider, health plan public health authority, employer life insurer, school or university, or healthcare clearinghouse. This information can relate to past, present, or future physical health, mental health, or condition of any individual. In easy terms, this covers all the information a patient gives to health care workers when admitted to a health care office or facility.

Individually Identifiable Health Information

“Individually identifiable health information” includes any demographic information that can be linked back to the patient. In other words, this may not be specific to the condition but is part of the history and clearly identifies the individual or can be used to identify the individual. For example, this not only includes name, address, and social security number, but may also include date of birth, zip code, or county location. If the information can be traced back to a specific individual, not just a population, then it falls under this umbrella.

Protected Health Information

“Protected health information” means any individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media. The kicker here is that the definition of PHI excludes education records protected by the Family Educational Rights and Privacy Act, records described in 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer. In other words, when records are protected under educational or employment law, that overrides HIPAA.

What exactly does “business associate” mean?

While “business associate” may conjure up Marlon Brando in The Godfather obliquely referring to gangsters, it isn’t quite that exciting under HIPAA.

According to HIPAA, a business associate is a person or entity, other than a member of a covered entity’s workforce, who performs functions or activities on behalf of, or provides services to, a covered entity that accesses protected health information.

In regular business terms, a business associate is a vendor who somehow, by virtue of their role as a partner, comes into contact with the kind of information that needs to be protected.

For example, this could be a cloud storage vendor or a cleaning service working around files. Most likely, it won’t be a plumber.

How does a health information exchange fit into this??

Health information exchange is one of those IT terms that has a variety of meanings. Generally, it’s the back and forth digital information sharing that takes place between providers. In some places, it refers to the larger concept of general information movement between stakeholders. When it comes to the ways the HITRUST Framework helps HIPAA and vendor management, the term can also be used to refer to the organization or entity that aids in information movement.

This means that the phrase “health information exchange” can refer to the vendors handling your patient data. Ultimately, vetting these vendors is critically important because of the overall safety concerns that come with this information.

What is a chain of trust partner agreement?

Unfortunately, or maybe fortunately if you’ve had the experience of living with a toddler, the chain of trust partnership isn’t about working with Thomas and his Very Useful Crew. HIPAA and vendor management is similar to other forms of vendor monitoring but feels even more invasive, particularly if you’re the vendor.

Working with vendors under HIPAA means having to trust them with not just your own information but also the information your clients entrust to you. This means that while you may not need to be SOC compliant and complete an SSAE 18 review, you do need to understand the way in which your vendors interact with information and monitor their information security measures.

Think of a chain of trust partner agreement as a written trust fall exercise. In corporate trainings, there used to be “trust falls.” Two people stand together in a line, one falls down backward, and the second person catches them. Now, imagine this as people set up like a series of dominoes, one after another after another. The first person falls onto the second, who falls onto the third, until you get to the last person. Each person needs to be strong enough to ensure the person in front doesn’t fall, even with the added weight of the people before them.

A chain of trust agreement is the adult, contractual version of this. The business entity at the top of the chain contracts with its vendor. This relationship is covered by the contract between those two. However, that vendor may want to have vendors for itself. This means that despite having the degrees of separation from the original business entity, these vendors are also related to the business entity through their work with the other vendors.

To put it graphically:

Business Entity → Contract with Vendor A → Contract with Subvender 1 → Contract with Subsubvendor !

Now, Subsubvendor !, by virtue of its relationship with Subvendor 1, which has a relationship with Vendor A, is also related to the Business Entity. As such, even though Subsubvender ! may have nothing to do with health care, that entity is now responsible for the privacy interests of HIPAA and and the risk management involved.

How the HITRUST Framework helps HIPAA and vendor management by mitigating the impact to your business

If your organization is anywhere in the stream of a business entity, this means that you’re going to need to determine how to be HIPAA compliant.
Many of the HIPAA compliance requirements can be found in other frameworks governing information systems such as NIST, ISO, and FISMA. However, if you’re already implementing HIPAA or planning to in the future, you want to consider possible gaps.

If you really want to be HIPAA compliance, the HITRUST Cybersecurity Framework (HITRUST CSF) is your safest bet. The HIPAA Security Rule is based on administrative, technical, and physical safeguards as well as organizational requirements such as policies, procedures, and documentation.

The HITRUST CSF is based on the HIPAA Security Rule but also incorporates specific controls within a common security framework that specifically addresses information security concerns. This compliance framework incorporates 14 control categories, 49 objectives, and 149 total control specifications. The prescriptive and scalable HITRUST CSF helps create a system of access control to protect PHI.

If you’re using spreadsheets, this becomes overwhelming quickly. Trying to cross reference multiple standards takes manpower and hours. Tying up these valuable resources on a single task may seem cost inefficient.

How GRC Automation overlaps with the way the HITRUST Framework helps HIPAA and vendor management pain

HIPAA compliance can feel overwhelming. The potential for civil and criminal penalties can scare organizations away from incorporating HIPAA as part of their compliance program which, in turn, can lead to lost revenue.

With ZenGRC, you can visualize compliance gaps to determine the additional work necessary to be compliant. As you map controls to a particular standard or framework, ZenGRC allows you to map that control to other standards or frameworks that it satisfies.

The first step in the successful implementation of the HITRUST CSF is to engage in a CSF Self-Assessment with the help of a CSF assessor. CSF assessors are consulting firms that HITRUST approved to perform the assessment. Using this information, you can gauge your system and regulatory requirements to help determine your risk and scope.

Suppose that you are currently ISO 27001 compliant. One of your controls is a firewall. If you choose to incorporate PCI DSS compliance, a firewall is also an accepted control. Once you set up your controls in ZenGRC, it automatically maps current controls to new standards as you add them. This means that your ISO 27001 controls will be mapped to your new PCI DSS compliance framework. All you need to do now is determine what additional controls you need to incorporate.

If you then choose to implement the HITRUST CSF, you can run a gap analysis to determine the additional work necessary to be compliant.
Not only does this make incorporating new standards into your overall landscape easier, it also means that you can expand your business into revenue streams that seemed too onerous before.

Automation offers companies the ability to expand their business offerings more easily. When compliance offers a barrier, automation can be the battering ram.

To read more about how automation can establish better business practices, read our eBook, “Compliance Management Best Practices: When Will Excel Crush You?”

Compliance Reporting Metrics: Moving Away from Emojis

ZenGRC Team · August 31, 2017 ·

Using compliance reporting metrics often feels like using emojis to answer a math problem. While putting together the compliance program may be time-consuming, it has clear directions. Assessing the compliance program, however, often seems more qualitative than quantitative. Fortunately, ISO 27004: 2016 helps make compliance reporting metrics more clear.

Why do compliance reporting metrics matter?

Anyone who has a smartphone has learned the value of the all-powerful emoji. The little pictures that express ideas or emotions in shorthand have created a language all their own. However, they work to express an idea only if the person receiving the message understands them.

For example:

How many of those would you have figured out on your own?

If a reader is not well versed in the descriptive language, then using emojis to express an idea conveys no meaning.

Compliance reporting metrics work similarly. While qualitative reporting can offer insight into how a program works, truly assessing the stance means offering meaningful numbers to illustrate the value of controls and processes.

How can quantitative compliance reporting metrics strengthen audit results?

Auditors know the emojis. They understand the shorthand and the language. In fact, one of the main reasons for choosing compliance with various standards lies in the ability to have a well-referenced stance that offers confidence to customers and vendors.

Qualitative compliance reporting helps show specific cases within the organization. A large part of business value relies on intangibles related specifically to a given company. For example, any peer group reviews will be based less in specifics than in descriptions. This makes sense since an organization does not have insider information about its competitors.

Within the information technology area, one of the easiest examples is the idea of reputation. Reputation cannot be quantified mathematically. Since reputation is based on how large groups of people subjectively view an organization, a company can argue they are in the top 10% of customer confidence scores. However, those scores are defined by qualitative measures, not “hard” data.

Quantitative measurements, by contrast, offer an objective look into how an organization operates. Instead of relying on the capricious whims of others, qualitative measures rely on data gathered through verified measures.

When auditors are checking off boxes, they want to see data that represents repeatedly verifiable information. Therefore, compliance reporting metrics may lead to better audit outcomes because there is more consistency and less room for subjective interpretation.

How Did ISO 27004: 2016 Impact Compliance Reporting Metrics?

While ISO 27001:2013 set out prescriptive standards in many areas, it set forth non-prescriptive methods for evaluating an information security management system (ISMS). While these non-prescriptive specifications created best practices and offered flexibility, they did not necessarily provide a strong basis for evaluating effectiveness.

With this in mind, ISO established ISO 27004:2016 Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation. This new standard supplements rather than supplants ISO 27001. The goal of ISO 27004:2016 is to help organizations quantify their processes and controls to create statistically sound compliance reporting metrics.

Section 5, titled, “Rationale,” explains the importance of incorporating measurements and validation to ensure information safety. In section 5.3, the ISO guidance notes,

5.3 Validity of results ISO/IEC 27001:2013, 9.1 b) requires that organizations choose methods for measurement, monitoring, analysis and evaluation to ensure valid results. The clause notes that to be valid, results should be comparable and reproducible. To achieve this, organizations should collect, analyse, and report measures, taking the following points into consideration:

a) in order to get comparable results on measures that are based on monitoring at different points in times, it is important to ensure that scope and context of the ISMS are not changed;
b) changes in the methods or techniques used for measuring and monitoring do not generally lead to comparable results. In order to retain comparability, specific tests such as parallel application of the original as well as the changed methods can be required;
c) if subjective elements are part of the methods or techniques used for measuring and monitoring, specific steps can be needed to obtain reproducible results. As an example, questionnaire results should be evaluated against defined criteria; and
d) in some situations, reproducibility can only be given in specific circumstances. For example, there are situations where results are non-reproducible, but are valid when aggregated.

This discussion regarding comparable results and reproducibility underlies the importance of compliance reporting metrics. To prove compliance, organizations need to not only explain but also quantify their success.

To continue to succeed, companies need reliable measurements that show why their programs meet compliance standards. This type of objective specificity requires more than narrative responses.

With this in mind, ISO 27004:2016 offers three specific guidances to help firms move forward towards a more analytical approach to compliance.

How does Annex A offer insight into compliance reporting metrics?

Annex A sets forth a measurement information model to help organizations determine how to link information to math. For example, Annex A discusses how to link employee knowledge of information security policy to the relevant ISMS entities.

In other words, to fully evaluate a compliance program, companies need to create a process to quantify needs and outcomes. The first step is to determine what information is necessary to measure compliance and then find a measurable concept. From there, the organization needs to create a base measure for analyzing data.

For example, if the goal is to ensure that employees understand an information security policy, your organization could require annual reading of and testing on the policy. If this is done through an online program, your organization can require a minimum score and track the number of attempts it took each employee to meet that score. This data provides measurable, repeatable information for analysis.

How Does Annex B Build Upon Annex A?

Annex B offers greater detail to assist with implementing the overall guidelines of Annex A. Within Annex B, ISO has incorporated tables that cross-reference objectives to ISO 27001:2013. This helps organizations follow the more prescriptive goals of ISO 27004:2016.

For example, Section B.12 offers suggestions regarding Information Security Training metrics as discussed above. It states that information is needed “to evaluate compliance with [the] annual information security awareness training requirement,” and suggests the “percentage of personnel who received annual information security awareness training” as the coordinating measure.

However, instead of merely suggesting these as goals, Annex B provides a prescriptive formula to show compliance:

[Number of employees who received annual information security awareness training/number of employees who need to receive annual information security awareness training] * 100

Further, it provides a Target Range to determine how best to analyze whether or not the organization is in compliance:

0-60% – Red;

60-90% – Yellow;

90-100% Green.

For Yellow, if progress of at least 10% per quarter is not achieved, rating is automatically red.

Red – intervention is required, causation analysis must be conducted to determine reasons for non-compliance and poor performance.

Yellow – indicator should be watched closely for possible slippage to Red.

Green – no action is required.

By establishing guidelines based on mathematical principles, Annex B provides a way to specify compliance outcomes and prove that a program’s controls work.

What Does Annex C Provide that Helps Clarify the Other Two?

Annex C offers an example of how to write a free-text form measurement construction. In the event that an organization does not like to use charts, Annex C gives a “word problem” that narratively explains the mathematical process of determining the metrics.

How Does GRC Automation Ease the Process of Gathering Compliance Reporting Metrics?

GRC automation offers a way to streamline the data collection process. Using an automated platform not only offers a centralized location for the collection of data, but also provides an easier tracking method.

When collecting and organizing the necessary quantitative data, smaller organizations start with spreadsheets and emails. As organizations grow, they add employees and applications that lead to a more complex posture, making it increasingly cumbersome to coordinate the people and information to provide quantitative data.

GRC automation streamlines this process. Using a SaaS platform, an organization can schedule tasks and reminders that trigger employee responses. In addition, the information is more easily accessible when an auditor requests documentation.

As technology increasingly drives business outcomes, compliance reporting metrics will become more commonplace. ISO 27004:2016 is the first step in the standardization of qualitative audit performance standards.

For more information on how GRC automation can help streamline the process of engaging in qualitative compliance, read our ebook,”Compliance Management Best Practices”

Segregation of Duties in IT: Ya Gotta Keep ‘Em Separated

ZenGRC Team · August 29, 2017 ·

Segregation of duties in IT security is one of the most basic ways to protect your environment. ISO/IEC 27001 requires separation of duties and responsibilities that potentially conflict. In doing this, your organization lowers the risk of both malicious and accidental modification or misuse. In addition, the standard incorporates these conflicting duties and areas as part of the ongoing risk assessment.

Why Segregation of Duties in IT Matters

The first reason businesses segregate duties is to prevent a conflict of interest, wrongful act, fraud, abuse, or error. The second reason is to make sure that any control failures are detected. If an employee is responsible for reporting on themselves or their superior, their fear of repercussion may impede them from fixing a faulty control.

At the most basic level, no single person should be able to change or destroy information without others noticing. However, you also have to make sure that all sensitive information is appropriately protected. Finally, the person who controls the design and implementation of IT controls needs to be different from the person who reports on how well those controls work.

Fundamentally, internal and external audit function as ways to incorporate segregation of duties. Since internal audit may have a vested interest in not reporting problems, external audits are the gatekeepers for internal audit.
While these multiple control layers can feel redundant or excessive, the financial risk and reputational cost associated with misused information can ruin your business. Keeping access and reporting segregated ensures ongoing compliance.

How to Segregate Job Functions

While businesses normally think of segregating duties in IT controls as a matter of software or hardware safety, the reality is that employees present the largest risk to most companies. Whether you do it purposefully or accidentally, segregating your employees’ access and duties within your organization is one of the best ways to protect your physical and technological assets.

As with any other controls you put in place, documentation of how you separate the different employee duties is key to compliance. To make sure that the appropriate employees have the correct access, you need to align job descriptions with software settings. To do this, you need to make sure that you have an effective user access review program in place.

In assigning access based on job function, you want to start by assessing risk. For example, if the same person who reviews time cards also has custody of paychecks, this poses a huge risk of fraud. Most businesses recognize this and separate those job roles.

What Steps Help Segregate Duties

Sometimes the types of duties clearly lend themselves to segregation from one another. Sometimes, however, the conflict of interest is embedded within the overall function.

Dividing the functions necessary to your organization acts as the first step. Once you have done this, you need to break down those functions into their discrete parts. Think about it like breaking apart a machine, comprised of many intricate gears that integrate to function fully. However, some gears are more vital than others for the machine’s efficiency. A weakness in one area can compromise the whole machine.
The same is true with companies. Breaking out your functions into their individual steps allows you to see points of potential abuse or weakness. Moreover, should a function be compromised, you can better track the source of the problem if you know the steps involved.

Once you determined the various points of potential weakness, you need to segregate the duties. There are several ways to do this. Authorization function requires two people to give approval for something. Documentation function requires that one person write down the function while another approves it. Custody of assets means that you put creation and storage of information in two different places. Reconciliation or audit means that one person takes inventory while the other reviews the work for completeness.

How GRC Automation Helps Track Controls Over Segregation of Duties in IT

When a single function can be broken down into multiple steps, tracking the controls can become frustrating. For a small organization, the functions might be easy to track because there are a limited number of employees.

Once an organization incorporates startup budget constraints, its management often chooses to organize these controls in spreadsheets. However, as the company expands and matures, so do the processes.

Being able to more efficiently map job descriptions to employee access means having stronger controls. Automation allows clearer visibility into how functions are separated into their parts and how those parts work to create a whole. By having a single source of truth, you can see all of your internal controls in one place and ensure that the appropriate segregations have been established.

How to Use Audit to Help with Segregation of Duties in IT

Traditionally, your CIO has handled reporting on the end testing controls. However, since the CIO oversees and designs implementation, they have a vested interest in the controls’ effectiveness. This is one of the reasons that having both a CISO and CIO matters.

Audit, however, has an interest only in testing the controls. This means that having an audit function automatically segregates duties over the controls. The question then becomes, why have an internal and external audit?

Your internal audit function is a self-assessment of your business. Pretend to be your internal auditor for a moment. Controls cost money. As the internal auditor, your job is to make sure those controls are appropriate. However, when you tell those in charge of the controls that problems exist, they get upset. Sometimes, the Board gets upset. Sometimes, the boss gets upset.

Though this is the internal auditor’s job, corporate culture can lead the internal auditor to prioritize protection of themselves or the departments with whom they work over robust information security. Perhaps they massage the message. If that happens, the report may technically note issues in the controls, but may do so in a way that makes it seem less important.

The potential for that conflict of interest means that external audit acts as balance to internal politics. Moreover, it acts as a check on internal audit’s capabilities. This shores up your compliance program. In many ways, this offers a segregation of duties that provides a check and balance similar to tripartite government.

You need both an external audit and or an internal auditor to monitor your controls most effectively. Your internal auditor helps monitor your organization with a sense of how your company works. They provide you with someone who knows your business and can continually monitor your controls. Your external auditor provides an entirely independent review unconnected to your company’s internal politics, offering insights that come from a fresh set of eyes.

How Using Automation Creates Better Audit Outcomes

Automation provides a single source of truth for audits. Internal audit needs to work with external audit to both create and disseminate documentation of your controls.
Internal audit contacts individuals to get documentation that supports the written segregation processes. However, this information gathering can be cumbersome. Multiple emails with various individuals can lead to ongoing communication problems.

GRC automation facilitates the scheduling of tracking and notifications. In addition, instead of having to spend time sifting through emails to track down responses, internal audit can review the submissions in one place. This single source of truth then provides the internal audit function with the appropriate documentation for external audit.

Streamlining the documentation process leads to greater cost savings when it comes to time spend on audit work. Internal audit can spend more time on the review process and focus more on the details of reconciliation. External audit can see more clearly into your organization’s compliance stance. All of this leads to stronger audit ratings and faster audits.

Auditing segregation of duties in IT helps keep your company free from fraud and creates greater security over your information assets. Using GRC automation to create a single source of truth for your audits provides a value add by lowering the amount of time spent on mundane administrative work.

For more information about how GRC automation offers efficiency and cost savings, watch our on-demand webinar, “6 Time Saving Steps to Simplifying Your GRC Strategy.”