ZenGRC

Simply Powerful GRC

Audit Management

eBook: Compliance Management Best Practices

· ·

As new regulations and updated industry standards bombard businesses, compliance management becomes a focus for all industries. However, increasingly, these new compliance requirements mean checking, double-checking, and triple checking spreadsheets. Cybersecurity analysts note that reviewing your data environment and ensuring control effectiveness can help mitigate the potential for a data breach. However, if your information remains siloed in different departments, you may not be maintaining accurate, up-to-date information.

Compliance Management Best Practices: When Will Excel Crush You?

How to create an effective corporate compliance program

Creating a corporate compliance program means building a team dedicated to overarching legal and industry requirements. However, while traditionally the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) worked with your compliance officer, times they are a’changin’.

Today, your organization needs to establish cross-departmental communications. As your business increasingly incorporates more Software-as-a-Service (SaaS) platforms to enable business operations, you need more internal stakeholder discussions.

For example, your human resources department may be using multiple SaaS platforms to enable their operations, such as a billing platform to pay employees and a platform to track hours. Meanwhile, your marketing department may be using a social media scheduling platform and a contacts database platform. Each of these SaaS enablements increases your compliance risk.

Thus, your corporate compliance program must consist of an interdepartmental team so that you can log all assets.

How to create an effective risk management program

Once you’ve built a working team, everyone needs to sit down together and discuss the risks that their assets create. Creating an effective risk management program requires you to determine not only what digital assets can be breached but also the impact of an information type being breached.

The first step is creating a catalog of all digital information assets. This should include everything from systems and networks to applications and software.

The next step involves reviewing the information those assets store, transmit, and process. The type of information with which your digital assets interact can change the level of risk associated with them. Personally identifying information, depending on the regulation or standard, can be as singular as an IP address or as multi-varied as a name, birthdate, and another identifier.

For example, under the General Data Protection Regulation (GDPR), website cookies that track user interaction care considered technical identifiers of personal data. Meanwhile, under the Payment Card Industry Data Security Standard (PCI DSS), protected cardholder data includes a combination of the primary account number (PAN), in conjunction with either cardholder name, expiration date, or service code.

Data that you must secure changes based on what it is, who’s using it, how they’re interacting with it, where they’re storing, and how they’re transmitting it.

How to effectively manage vendor risk

Vendor risk, with the increased use of SaaS services, becomes an even deeper quagmire. Regulatory compliance requirements such as the New York Department of Financial Services (NY DFS) Cybersecurity Rule and GDPR focus heavily on securing supply chain security monitoring.

Monitoring your vendors increases the amount of documentation required to establish an effective compliance program. You need to ensure that you catalog all your vendors – humans as well as digital – and ensure they maintain security controls.

You need to ensure that your internal stakeholders understand their responsibilities for overseeing their vendors.

You need to document vendor access and authorization to your systems, software, and networks.

You need to maintain updated lists proving effective monitoring over their controls as well as your ability to keep up with any security updates they offer.

You need to make sure that you’ve reviewed their security controls, documented their responses to questionnaires, and examined any internal or external audits they completed.

All of this work also needs to include documentation from the vendors that you store in a single location.

Why spreadsheets are an inefficient compliance management system

When you started tracking your cybersecurity compliance, you either had few integrations or were a small business. Thus, your compliance management system may have started by using a spreadsheet. Simple to use and cost-effective, they allowed you to document your controls easily. As cloud drives enabled document sharing and editing, you found a new way to create internal stakeholder accountability without having to spend more money.

As your reliance on SaaS providers increased and your business scaled, however, those spreadsheets became longer. More vendors meant adding more tabs to a spreadsheet. More employees meant more people working in the same documents.

Additionally, since cloud drives save the most recent data added, you found it hard to track mistakes. Comparing various document histories became overwhelming. You couldn’t determine whether the appropriate responsible parties managed their reviews effectively.

Updates to controls such as security patches were harder to document adequately.

All of this hassle became time-consuming and created a potential compliance risk.

Moreover, your internal audits took longer since auditor questions led to your compliance officer reviewing messy historical documentation to prove that you maintain effective controls.

ZenGRC Eases the Compliance Management Burden

With ZenGRC, you have a single source of truth for overseeing your compliance management program.

Our easy to use platform allows you to create role-based access to documents so that internal stakeholders access only the information they need. You establish access to records by aligning them to job roles and functions so that HR can just make changes to their vendors while Marketing can access only theirs. This allows your compliance manager to more efficiently track changes and ensure appropriate documentation.

Moreover, with our workflow and task management capabilities, you can assign tasks to individuals and track their completion. This eases the burden associated with continuously sending email updates and requests.

Finally, with the platform as a single-source-of-truth for internal and external audit documentation, you save time responding to auditor requests as well as money on the audit itself. For audits that go over their intended time frame, you can be charged by the hour, increasing audit costs. If you streamline the process, then you save money by not needing to respond to audit findings or additional requests.

To learn more about whether your system of using spreadsheets is hindering your compliance, check out our Compliance Management Best Practices eBook.

Audit Requirements for Private Companies in the United States

· ·

Audit Requirements for public companies

“Nope, that’s not my problem” – said every privately held company in February 2018 when  Securities and Exchange Commision (SEC) released the “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” However, in reality, audit requirements for private companies in the United States predominantly align with many of the requirements public companies have. Therefore, while ignorance may mean bliss when you hear your pet knock something over in the kitchen, it doesn’t when it comes to cybersecurity and audit practices.

Auditing Standards for Private Companies

What is the Financial Accounting Standards Board (FASB)

Founded in 1973, FASB is an independent, not-for-profit organiation that establishes accounting and reporting standards recognized by the American Institute of Certified Public Accountants (AICPA). Recognized by the SEC, FASB sets the accounting standard for public companies in the United States.

What are the Generally Accepted Accounting Principles (GAAP)

GAAP principles focus on determining your assets and liabilities by looking at  variety of factors that impact your financial reporting and health.

Economic Entity Assumption

Business transactions differ between a sole proproetorship and business owner personal transactions. Under accounting principles, you “gotta keep ’em separated.”

Monetary Unit Assumption

All money is measured in US dollars without accounting for inflation.

Time Period Assumption

All financial statements need to clearly label a start month, day, and year and an end month, day, and year.

Cost Principle

Based on the amount of money spent at the time you originally obtain an asset, this does not reflect increase or decrease in value.

Full Disclosure Principle

Financial statements provided to investors or lenders must include a description of potential impacts, such as lawsuits or data breaches, to your financial stability.

Going Concern Principle

Accountants will determine whether or not your business will be able to continue to function based on comparing your assets to your liabilities.

Matching Principle

You need to match expenses to revenues. You need to align employee wages for when the employees worked not when you paid them. Bonuses, for example, need to be reported for the year you promised them, not the following year when you pay them out.

Revenue Recognition Principle

This aligns to the matching principle since you need to report revenue for the time period when you complete a project rather than when you get paid. Revenue includes the promise of a payment even when the payment has yet to be made.

Materiality

As part of financial reporting, you can choose to expense an entire technology purchase for the year in which you buy it rather than split that cost up for the number of years you use the product. It also means that dollars are rounded to the nearest whole number rather than using fractions.

Conservatism

This principle requires you to account for a net loss or gain based on potential outcomes. For cybersecurity, this is a primary financial reporting concern since data breaches remain a “when” rather than “if” question. However, part of the accounting principle includes likelihood of the cost so maintaining a security-first cybersecurity posture helps strengthen your stance.

When to apply GAAP

As a privately held company, it’s easy to assume that your financial reporting requirements are different from those used by publicly held companies. However, many startups and other privately held companies look to investors or financial services institutions to enable their businesses.

If you’re one of these types of companies, you’re going to need to prove your financial stability before someone gives you a loan or investment. As part of that, GAAP-based financial reporting provides confidence in your business.

How cybersecurity applies to audited financial statements

So, you’ve decided to apply GAAP to your organization and now you need to understand how you translate your cybersecurity risks into lines on your financial statements.

SEC Cybersecurity Guidande

For public entities, the February 2018 SEC interpretation on cybersecurity disclosures meant that any data breaches need to be reported as soon as possible.  The SEC noted specifically that companies’ “exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased.”

As such, public entities need to disclose risks associated with cybersecurity and cybersecurity incidents. For private companies, the guidance gives you a roadmap for how to assess cybersecurity risks as part of your evaluation of potential losses.
A strong security-first approach lessens your likelihood of breach meaning that your financial statements can reflect assurance over data protection. This enables you to provide a financial services institution or investor confidence over your assets.

FASB Accounting Standards Codification 606

Although originally released in May 2014, all nonpublic entities who use GAAP principles must comply by December 31, 2019. Titled “Revenue from Contracts with Customers,” the guidance provides insight for recognizing revenue. Revenue recognition requires you to account for evidence of an arrangement (often a service-level agreement), delivery of services, fixed price, and ability to collect.
In cybersecurity, vendors may work with their customers for more than a single year. Because of this, the accounting standards require you to take a princples-based review of the amount and timing of revenue. Where previously you were able to spread out revenue for long-term contracts, you may no longer be able to.
While this may not sound cybersecurity related, your current data collection and information technology systems may be inadequate for assessing these new costs. With that in mind, you may need to engage additional vendors which then requires additional cybersecurity monitoring to maintain your current cybersecurity stance.

FASB Accounting Standards Update 2018-15

The August 2018 Accounting Standards Update (ASU) focused on how you report cloud computing agreements. Under the new ASU, you can spread out the costs associated integration and testing over time to reflect changes in the market and security threats. For example, ASU 2018-15 addresses:

Accounting for costs of reengineering activities, which often are associated with new or upgraded software applications.

As part of your vendor management program, you’re ensuring that the software maintains cybersecurity levels that align to your risk tolerance. The new accounting standard allows you to incorporate re-engineering or upgrades as part of your financial reporting.

How ZenGRC Enables Private Companies to Meet Audit Standards

ZenGRC provides task prioritization that help let you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring their completion dates.
As a single-source-of-information, the platform stores and supports remediation activities to prove your continuous compliance and continuous auditing approach to information security.

By using our intuitive interface, you can easily upload frameworks, objectives, and controls while also managing changes to those controls across a variety of frameworks.

For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.

Data Analytics Strategy For Internal Audit Effectiveness

· ·

Annually, Price-Waterhouse Cooper (PWC), the high profile audit firm, releases its “State of the Internal Audit Profession Study.” In 2018, this study focused on the difference between “Evolvers, “Followers,” and “Observers” for organizational approaches to adopting a data analytics strategy for internal audit effectiveness. The research found that those organizations embracing technology more often better aligned internal audit outcomes to their strategic plans – something that cybersecurity standards increasingly require.

Internal Audit Data Analytics Strategy

What is an Evolver?

PWC defines Evolvers as organizations advanced in their technology adoption. Meanwhile, Followers lag behind and adopt these technologies at a slower right. Finally, Observers take no notice of technology use to enable their internal audit functions.

Problematically, the report only defines 14% of organizations as Evolvers. However, it’s important to note that 75% of Evolvers highly value their internal audit function.

How Evolvers use Collaboration Tools

74% of Evolvers and 43% of Followers currently use collaboration tools. As your audit program matures, more stakeholders need to be included in the audit process . For example, shared drives and intranet sites enable cross functional communication between internal stakeholders.

However, these tools still require you to manage the conversations and reminders. As you increase the number of stakeholders, you also increase the number of administrative follow-up tasks. The creates a burden for the internal auditors limiting their ability to effectively and efficiently carry out audit tasks. With time allocations being a key performance indicator for many audits, workflow struggles can diminish the effectiveness of the internal audit function.

Supervision and gathering audit documentation remain primary reasons for audits to take longer than their allocated time. The Chartered Institute of Internal Auditors explains that conversations between the audit manager and internal auditor eases the time management burden. Moreover, gathering audit evidence often increases the time allocated as risks not being appropriately controlled need additional investigations.

Using dashboards with effective workflow task management functionalities enables audit teams to not only communicate effectively but to share documentation that diminishes the time spent on audits.

How Evolvers use Risk Assessment and Audit Planning Tools

Evolvers focus on having an analytics strategy that enables stronger risk management to focus audit testing procedures on prioritized risks. As part of the enterprise risk management process, you need insight into the continuously evolving risks that threatening your organization. A primary directive of governance, risk, and compliance (GRC) program objectives includes not simply moment-in-time risk evaluation but continuous monitoring of the environment.

In cybersecurity, this continuous monitoring becomes more important. Zero day attacks, attacks that use previously undiscovered vulnerabilities, can undermine controls at any moment.

Since cyberseccurity risks can change in a heartbeat, big data that reviews threats as they arise can enable a stronger security, compliance, and audit stance. Open source intelligence (OSINT) has been around for more than fifty years, but big data collection and analysis allows for more organizations to incorporate it.

For example, malicious actors review vulnerabilities across the internet to try to gain unauthorized access to your information. Public facing systems, like customer portals, offer insights to hackers that you might otherwise miss. The Google Hacking Database allows insights into your systems without actually touching them. Using these types of publicly available OSINT services allow you to better evaluate risks so that you can more appropriate target the highest risks for auditing purposes.

How Evolvers use Reporting and Ongoing Monitoring Tools

The same tools that enable stronger risk management strategies also enable you to continuously monitor and report your security, compliance, and auditing effectiveness.

Taking a security first approach to compliance and audit requires automation and, increasingly, artificial intelligence. To better enable you internal audit department, you need tools that help you look at what has happened, what is currently happening, and what may likely happen.

Utilizing analytics capabilities, you can incorporate predictive outcomes that are likely to threaten your data environment. For example, the PWC “What to expect from artificial intelligence” report explains that AI is enabling malicious actors to more rapidly advance malware.

If you’re using similar predictive technologies to advance your analytics maturity level, you’re less likely to have a security breach. Fewer security breaches, even with the advent of new risks, allow you to maintain the appropriate level of security that mitigates outdated standard and regulatory required best practices. The required control may fail under a zero-day attack, but with analytics capabilities, you can maintain effective data protection.

How Evolvers Maintain Continuous Auditing Capabilities

Reviewing risk is the first step. Maintaining a strong cybersecurity control system is the second step. Proving that you’ve mitigated risks as part of your internal audit procedures is the third, and final, step.

Evolvers incorporate not only data analytics to manage and mitigate cybersecurity risks, but they also incorporate dashboard and Software-as-a-Service (SaaS) tools to continuously document their compliance stance. A traditional audit approach focuses on a single moment-in-time glimpse at your IT security. However, increasingly you need real-time insights to prove a continuous compliance approach to data protection.

With that in mind, you need a told that not only eases communication between stake-holders but that enables continuous documentation and insight.

How ZenGRC Creates Evolvers

ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

PCI Log Management Requirements For CISO’s

· ·

Whether you’re in the healthcare, retail, or hospitality industry, you’re going to need to protect your customer information if you collect payments. The Payment Card Industry Data Security Standard (PCI DSS) not only sets the standard for cardholder data (CD), but it also enforces the standard with penalties.

PCI DSS Logging and Log Monitoring Requirements

What is the Payment Card Industry Data Security Standard (PCI DSS)?

In the early 2000’s, the five major payment card companies, American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc. banded together to create the Payment Card Industry Security Standards Council (PCI SSC). The organization wanted to create a series of information security standards processing payments that protected customers from identity theft and the card industry from paying for data breaches.

PCI SSC worked together to establish “best practices” for protecting information which became standardized as PCI DSS.

What Are The Penalties for Noncompliance?

While PCI DSS is considered a “standard” and not a regulation, many merchants incorrectly assume compliance is optional. Noncompliance leads to consequences that can cause business failure.

Card brands and acquiring banks can, at their discretion, fine noncompliant merchants anywhere from $5,000 to $100,000 per month for a violation. Depending on an organization’s size, these fines can be either crippling or devastating.

Who Needs to Be PCI DSS Compliant?

Regardless of your size or industry, any company accepting, transmitting, or storing cardholder data must maintain PCI DSS compliance.

What is PCI DSS Requirement 10?

PCI DSS Requirement 10 focuses on monitoring access to networks and data. In its most broad definition, Requirement 10 states:

Requirement 10: Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

Essentially, Requirement 10 requires you to continuously monitor the user access to your environment. Setting up user access controls is the first step to maintaining a secure cardholder data environment (CDE), but you also need to ensure that those controls work.

Embedded within Requirement 10, however, are 39 subparts. Since PCI DSS is a highly prescriptive standard, it sets out a clear list of the steps and documents needed to meet its requirements.

What records are necessary for Requirement 10 Compliance?

If you’re looking to be PCI DSS compliant, the standard not only lists the sections and subsections and parts of subsections, but it also incorporates Guidance to help understand effective control review. As such, the following steps can help you log data necessary to prove your compliance:

  1. Create a system or process linking user access to the system components accessed and make sure you can trace suspicious user activity to a specific user.
  2. Generate audit trails that prove the system administrator receives suspicious activity alerts and follows up on them.
  3.  Record all individual accesses to the CDE to show that new or unauthorized user accounts have not accessed the systems and networks.
  4. Ensure you collect records of activities performed by “administrator” or “root” accounts that show potential misuse of these accounts and can trace the issue to a specific action and individual
  5. Maintain file integrity of audit logs by having a way to identify changes, additions, and deletions to them.
  6. Record invalid login attempts to trace “brute force” attacks or password guesses.
  7. Maintain records that allow you to trace activities indicating manipulation of authentication controls by attempting to bypass them or impersonating a valid account, including but not limited to records that verify mechanisms, elevation of privileges, and any changes/additions/deletions to root or administrative accounts.
  8. Document any pauses or restarts to your audit logging processes.
  9. Maintain records to show that system-level object, such as databases or stored procedures, have not been created or deleted by unauthorized accounts.
  10. For all system components, maintain an event log that records user identification, event type, date/time stamp, success/failure indication, event origination, and affected data, system component or resource identity/name.
  11. Synchronize clocks across systems to maintain exact sequences of events for forensics teams.
  12. Use “principle of least privilege” for audit log access to maintain security and integrity of the information.
  13. Backup logs to a centralized server or media that maintains data integrity.
  14. Write logs directly, or offload or copy from external systems to a secure internal system or media.
  15. Use file-integrity monitoring or change-detection systems to ensure notification of audit log changes that may indicate a compromise.
  16. Engage in regular log reviews either manually or by using a log harvesting, parsing, and alerting tool.
  17. Engage in daily review of security daily for notifications or alerts indicating suspicious activity and critical system component logs.
  18. Schedule periodic reviews for all system components that indicate potential issues or attempt to gain access to sensitive systems by using less sensitive systems.
  19. Document investigations of exceptions and anomalies.
  20. Retain all records for at least a year.
  21. Ensure employees are trained and aware of security policies and monitoring.

Service providers are subject to the following additional requirements:

  1. Establish formal procedures to detect and alert critical security control failures, such as a firewall erasing rules or going offline.
  2. Document evidence supporting the response to a security failure, including the processes and procedures as well as the actions and responses.

How ZenGRC Eases Best Practices For PCI DSS Audit Log Management

ZenGRC’s system-of-record enables organizations to store all their information in a single location. Collecting all your audit log information in a single place allows you to manage audit information and document your compliance activities.

With a single source of information, your audit logging staff can communicate efficiently with one another. Our role-based authentications enable audit log security and integrity since only the people who need access can interact with the information.

Finally, our system-of-record enables your audit log review staff to trace outstanding tasks without emails. This capability not only makes communication easier but protects the data by keeping it within our protected platform rather than insecure emails.

Managing audit information in a single location helps you detect real-time risks and prove continuous monitoring by documenting all your ongoing compliance activities.
For more information about how ZenGRC eases the burden of audit log management and analysis, contact ZenGRC to schedule a demo.