ZenGRC

Simply Powerful GRC

Risk Management

Why Segregation of Duties is Important for Information Security

· ·

Segregation of duties can be a tricky concept for many business owners. For example, if Adam knows how to do systems administration and handles corporate finance too, then why would a company hire a second person to do either job? Wouldn’t that be an unnecessary expense? 

It may seem that way, but look forward a few years. Adam has embezzled $200,000 from the company and there’s no way to prove it, because the finance server crashed a month prior—conveniently erasing all records, and prompting Adam to quit the company.

That’s the lesson here: it’s unwise to have one person controlling too many business processes. The duties that make a business run should be segregated among multiple people, so that no single individual amasses so much power that he or she could wreck the business. Segregation of duties is a crucial component of risk management. 

“SoD” arises most often when talking about corporate accounting and information security, because the people in those roles can cause tremendous damage to the enterprise even by accident. 

Meanwhile, motivations for deliberate misconduct are numerous. An employee might believe that he or she “needs” to commit fraud, to pay off debts or medical expenses. Criminals might blackmail employees into committing misconduct, or pay them handsomely to commit corporate espionage. Resentment over not getting a promotion, the desire to appear powerful to impress romantic partners, political motivations—the list is endless. 

Hence senior executives need to give segregation of duties the attention it deserves. It’s crucial to construct roles in the IT security function so that no single person has too much power. 

One law that gave force to segregation of duties was the Sarbanes-Oxley Act of 2002. Passed in response to a wave of corporate accounting scandals, SOX made corporate audit committees responsible for the accuracy of published financial statements. As part of implementing that law, the Securities and Exchange Commission said firms must build an effective system of internal controls over financial reporting, and segregation of duties is a key concept for such systems. 

Thanks to SOX and similar laws, most financial firms now enforce separation of roles, such as the person developing an application cannot also be the person who tests the application. 

How do you implement segregation of duties?

  • Perform a risk assessment, where you catalog specific duties and who performs them, even if one person performs multiple roles. To create an SOD framework, you need to know exactly what those duties are, as well as what risks are inherent to each task. Consider which tasks could be easily performed by the same team member and which tasks must be separated to maintain security. 
  • Use a framework to devise new roles as necessary, where proper segregation of duties is implemented. You may find that the system you previously used doesn’t meet your current security needs. It’s possible that you will need to rearrange existing duties, or hire new team members to fill new roles. Don’t hesitate to reimagine the structure of your organization if necessary; it will be easier to reorganize now than to be unprepared in a crisis later on. 
  • Where segregation of duties can’t be accomplished because of insufficient manpower, add compensating controls as necessary, such as an additional layer of management review. If these controls need to be tested more regularly, or monitored by multiple managers, build these arrangements into your framework. 
  • Test all controls to assure they work. Controls are a crucial piece of any information security system. If a control fails, financial and legal repercussions can follow, as well as harm to your corporate reputation, which could prevent you from gaining new clients down the line. By testing your controls thoroughly and frequently you can be sure that they are effective. If a control should fail your test, reexamine your SoD framework and make the appropriate changes as soon as possible. 
  • Document all roles, responsibilities, and controls. Do not skip this step! All of the important work you’ve done to develop your system can be easily forgotten over time or lost completely when a new employee is brought on. Your best defense is to create detailed documentation of the roles within your organization and the risk ownership of each member of your team. 
  • Repeat your risk assessment and remediation as necessary—either periodically (say, once a year) or after any significant change in operations (merger, downsizing, new tech vendors, and so forth). Risk management is not a static process, and the framework you create initially may not endure as your organization grows. To make sure your SoD grows with you, reassess your risks and controls on a regular basis and alter them if necessary. 

If you’re having trouble determining the best Segregation of Duties for your company, ZenGRC can help. This platform offers you an integrated experience that allows you to track data, risk, and ownership with ease. You’ll also be able to consolidate and automate compliance requirements and monitor third party vendors, all from the same place. Schedule a demo today and learn more about how ZenGRC can help you and your team create a framework that will work for you.

What should you include in a successful Supply Chain Risk Management Plan

· ·

2020 visited a host of challenges on businesses around the world, but one was as jarring as the empty supermarket shelves that appeared around the world at the start of the pandemic: supply chain disruption

For consumers, those empty store shelves were a temporary annoyance. For businesses, however, they were a painful reminder that any disruption in the supply chain can lead to dire problems in production and operations, loss of market share and profit, and deep drops in customer satisfaction. Without thoughtful planning, supply chain disruptions can be a mortal threat to business continuity. 

To draft an effective Supply Chain Risk Management (SCRM) plan, begin by mapping out as many nodes of your supply chain as possible. Then identify the potential risks associated with each node and its potential failure. 

Global supply chains are more vulnerable than local chains, and require a more detailed examination since they may include many levels of subcontractors; each contractor brings a new level of risk to the table. For instance, organizations that rely heavily on imported components may be at a higher risk for unintentionally incorporating counterfeit products—which can be very hard to trace, but lead to costly product recalls. 

1. Identify risks in the supply chain 

Potential risks to a supply chain can be divided into two broad categories: the risks you can know and control, and the risks you can’t. 

Your suppliers are the foremost example of your “known risks.” How well do you know them? Are they reliable? Do they have strong financial footing?  Are you doing what you can to build strong supplier relationships? Strong relationships will lead to a higher degree of transparency and openness, including when something goes wrong, such as a shipment of dud components.  

The risks you can’t control include climate disasters, political unrest in areas where you source materials, and cybersecurity risks your contractor is willing to accept even if they make you uncomfortable. Some other risks to consider: 

  • Financial risk. Prices and currency values constantly fluctuate; international agreements like Brexit may hinder import and export. 
  • Data breach. Breaches lead to loss of customer confidence and violations of compliance rules and regulations, which can lead to costly fines.  
  • Natural disasters. These span everything from earthquakes to wildfires, hurricanes to torrential rains, droughts and more.
  • Political unrest.  Labor disputes, protests and contentious elections can leave a supplier vulnerable or unable to deliver as promised.  
  • Environmental risks. For example, a critical raw material may be close to depletion, making it too expensive to extract; or a process used by a subcontractor could turn out to be environmentally dangerous. 
  • Pandemics. As we all now know, COVID obstructed travel and shipping for many months. 
  • Human error. Mistakes and malicious actions still happen, even for businesses that rely on sophisticated computer technology and information systems to run their production. 

2. Assess the potential impact of the disruption associated with each risk 

A well-designed supply chain risk management plan is a framework that can help with decision making and risk mitigation, even when your business is under extreme pressure because a failure has occurred. 

Companies can use enterprise risk management (ERM) to assess the potential cost of each identified risk, then rank those risks according to potential harm, and then devise a plan to recover as quickly as possible and return to ordinary levels of output. This last part is also known as risk mitigation, and it addresses how to deal with a potential risk once it manifests. 

Assume the worst and make sure you have strong contingency plans in place that are easily accessible to your staff, and have been clearly communicated across all departments and platforms. 

3. Evaluate and prepare for the next time 

Once you have established a strong SCRM plan, make certain it’s communicated clearly across all levels and departments of your company. This helps you train a risk-aware workforce that understands risk identification and analysis, and also how high-risk behaviors can harm the organization. For instance, you may not meet a production goal or a deadline, which could then lead to financial penalties.

Prepare for the worst. As you hire new suppliers and subcontractors, build a risk assessment component into your requests for proposals (RFPs). This will help you with ongoing risk analysis 

After each supply chain disruption, evaluate how you fared: what worked and what didn’t work, whether your contingency plans lived up to the standards you require, and whether you could recover quickly enough to avoid large losses. Analyzing each failure will help you improve your supply chain management in the future. 

Risk management tools

As you forge a path for your business through the pandemic and our highly interdependent world, many tools can help keep your business safe and structure a tight supply chain risk management plan. 

ZenGRC’s compliance management, risk and workflow management software is an intuitive and easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat. 

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.

Top 4 InfoSec Trends for 2021

· ·

Adaptability. This would prove to be the top requirement for businesses to survive 2020.

By mid-March, virtually every employee around the globe found themselves asking the same questions: How do I access business-critical tools? Or customer data? Or maintain communication both internally and externally? Can I use my own computer? And what about public Wi-Fi?

The stress of the unknown was real. And everyone was feeling it.

But on top of all those challenges, information security was charged with not just navigating and distributing all of this information, but protecting all of it as well. In many cases, this demand involved implementing completely new processes, tools, certifications and requirements — on an extremely limited budget and an underskilled staff — all working from the couch.

So for those of you that navigated these waters and made it through to 2021, congratulations! Reflecting on 2020’s absolutely unprecedented year of challenges, we’ve broken down the four key lessons we learned and how they will drive information security in the year ahead.

TREND #1: CIOs and CISOs shift from a hierarchical relationship to a true partnership.

Historically, we have seen these roles share mutual interests, with a CISO owning implementation and reporting into a CIO, who oversees all facets of security. However, in 2020, with companies moving away from on-prem solutions and adopting third-party and external vendors for security tools, companies’ reliance on security has become a top priority. This shift has been the driving force in elevating the role of the CISO, owning all business, data and IT security and risk management. This includes, but is not limited to, vendor relationships, due diligence, business delivery and communicating security risks with the executive board.

TREND #2: Zero trust is no longer a buzzword — it’s today’s operational reality.

As organizations moved all operations from in-office to on-couch in just a matter of days, this required many businesses to rapidly shift from on-prem to cloud security tools — and in turn, realign security prioritization from being data-focused to role-based. Differently than the traditional “trust but verify” approach to network security, the Zero Trust model requires all users, even those inside an organization’s enterprise network, to be authenticated, authorized and continuously validated before being granted or keeping access to applications and data. In practice, this means one-time validation won’t suffice, hence the need for advanced technologies and security measures, such as multi-factor authentication.

TREND #3: The role of communicating security risk to your board of directors has never been more important — or nuanced.

Boards, ultimately, have one goal: making money for your company. And in many cases, it’s hard for boards to draw the connection between implementing extraneous, expensive security measures and profitability. In a year in which so many shifts in security had to take place alongside frozen budgets, the case to be made for increased investment wasn’t easy but, also, never more important. The key for CISOs in 2021 will be to communicate on the grounds of financial viability, in the context of risk over profitability. After all, a company at risk of a breach, even when all the “security boxes have been checked,” is not only putting profitability at risk — but it’s survival altogether. 

TREND #4: The infosec labor force is underskilled yet over-available.

Simply put: the job description for infosec has changed, but the pool of candidates has not. Last spring the infosec field got absolutely gutted, while simultaneously leaving gaping holes on virtually every IT team. As on-prem servers collect dust, so do their corresponding highly intelligent network engineers in an ever-growing community of unemployed talent.

This means that as shiny new cloud-based tools get licensed, no one is there to implement and manage them. And with droves of organizations shifting to a permanent, remote-first model, on-prem experienced infosec talent will need to study up quick if they want to resuscitate their careers in 2021. The good news? IT teams globally have a severe shortage for cloud-experienced talent. Meaning jobs are available, if you’re willing to put in the work to make a shift in expertise.

Cost-Effective Risk Project Management Methods to Consider

· ·

Tackling risk management effectively takes time, energy, and critical thinking about your organization’s processes and goals. While it may feel like a big undertaking, your organization can make it less painful by assessing risk for each new project using a consistent framework.

What are the five methods of risk management?

The risk management process is comprehensive, spanning from a high-level risk analysis of organizational processes all the way down to project-based and ongoing risk assessments. To minimize time—and money—use the following methods of a well-rounded risk project management plan.

1. Identify risks

The first step in risk management is risk identification. When determining risks for a project, conduct a thorough examination of each step of the project and identify what threats exist. Try to look at a project from multiple angles—determine risk factors for any subcontractor work, timeline disruptions, supplier or service interruptions, or IT failures.

2. Analyze risks

When your team has identified risks, the next step is analyzing each potential risk and its primary driver. For example, a shortage of equipment or qualified staff could disrupt the project timeline. Or, insufficient cybersecurity protocols could lead to an information security breach. An appointed risk manager should be able to financially assess each risk, perhaps with the use of risk analysis software.

3. Prioritize risks

While risk identification could unveil an overwhelming amount of threats, it’s vital to prioritize risks based on the likelihood and impact of occurrence. Not only will prioritization save time, but it will also allow your organization to focus on threats that pose the greatest potential for financial damage to your business. 

4. Create an action plan

For each prioritized risk, develop an action plan to prevent the risk from occurring or to reduce the impact of each risk event. For example, if your organization has identified a fault in a product line, it may be necessary to change materials or subcontractors to minimize the future risk of sub-standard goods. Create contingency plans for risks that can’t be prevented, such as floods or other natural disasters.

5. Monitor risks

When your action plans are in place, the final step is reviewing and monitoring each risk. A risk manager should work with project managers and keep tabs on each risk while observing for any changes. The risk management process should be responsive and evolve with new projects and organizational goals.

How do you use risk management for projects?

Beyond broad organizational risk management, it’s helpful to use the above methodology for each new project within your organization. To do this efficiently, risk managers and project managers should work together in the initial stages of the project creation to thoroughly assess risk and action plans. 

Project managers should also incorporate team members to collaboratively assess potential threats, and any other stakeholders involved in the project. By holding a collaborative risk identification session, your team will have an opportunity to identify risks from multiple perspectives.

When a risk management plan is in place for a given project, project managers should take responsibility for ongoing monitoring and assessment of each identified risk. Hold regular meetings with your project team, and use the monitoring framework to manage changes or new risks as they present themselves through the lifecycle of your project.

Techniques for measuring project risk

There are several tools and procedures that may be helpful during your risk identification session with your teams, such as brainstorming, root cause analysis, and the SWOT matrix.

Brainstorming

The first step in your risk identification process is the brainstorming session. As described above, the more collaborative your brainstorming, the more complete your risk analysis will be. Include all members of your team, including subcontractors and periphery support including IT and cybersecurity professionals in your organization. 

Each team member should consider potential shortfalls or issues that could arise in their project contribution, and risk managers alongside project managers should compile all risks for analysis.

Root cause analysis

Root cause analysis looks at the fundamentals of each risk and possible preventive measures. This process can dig up deeper issues that may have larger impacts than initially identified, such as procedural shortfalls or inadequate staff training.

SWOT

SWOT stands for strengths, weaknesses, opportunities, and threats, and is used to help identify project risks.

First, identify the project strengths, whether it’s product design or branding successes. Then, consider weaknesses to help identify where risks may sneak in. Opportunities refer to the possible positive outcome for the project, and threats help to identify risks that could prevent your ability to achieve your project objectives.

Compile your findings into a four-square grid, with the strengths on the left and weaknesses on the right. Place opportunities under strengths, and threats under weaknesses. By organizing your findings this way, your team will be able to easily identify and cross-reference internal and external threats for risk assessment.

By using the risk management framework for each project and initiative, your organization will have a solid methodology in place to maintain cost- and time-efficiency. Identifying risks and establishing action plans will help avoid costly mistakes or errors, and will help your organization be fundamentally agile in its processes.

The Role of Information Security Risk Management in Healthcare

· ·

While historically, healthcare risk management strategies revolved around patient safety and reducing medical errors, it’s far more complex today. Beyond patient care, new healthcare technologies have significantly increased the need for risk management. 

With everything existing in the digital realm, cybersecurity has emerged as a major source of concern for healthcare industries. Another area that requires heightened risk management is the healthcare industry’s constantly evolving regulatory, legal, and political environment.

A risk management process, in a healthcare organization setting, can save a person’s life. It can prevent malpractice, minimize mistakes, and ensure patient privacy. Healthcare risk management involves a comprehensive approach, from updating prescription policies to installing firewalls to prevent cyber attacks.

Why is healthcare cybersecurity a risk management issue?

Your organization’s risk managers have a complex job: Not only should they be assessing and mitigating internal risks, but also third-party threats. Third-party risk in health care refers to information security: The healthcare industry is full of personally identifiable information, which is highly sought after by cyber criminals.

One way the healthcare industry has defended patient information is through the Health Insurance Portability and Accountability Act (HIPAA). Healthcare cybersecurity risk management is, in large part, ensuring HIPAA compliance.

HIPAA compliance isn’t just recommended for risk management; it’s required. HIPAA was signed into U.S. law not only to improve patient safety and privacy, but also to place safeguards on patient data, also known as protected health information or PHI. Organizations who violate HIPAA could face fines up to $25,000 per compromised record.

Beyond the vital role of protecting patient data, healthcare cybersecurity must also defend against ransomware attacks that can remotely disable lifesaving medical devices. This is why risk managers should ensure their organization maintains a robust cybersecurity system—one that can fend off data breach attempts and operational meddling. 

What are the key concepts of risk management in healthcare?

Many healthcare facilities today are taking a more holistic approach to assessing organizational threats by using the plan-based Enterprise Risk Management or ERM. strategy While each organization’s risk management plan will differ slightly, many ERM plans will follow key components: assessing risk, prioritizing risks, risk mitigation, and monitoring. 

Assessing risk 

Rather than being overwhelmed, use data and industry knowledge to successfully identify threats. Risk management managers should take advantage of institutional knowledge to uncover potential risks. Data can be a great way to illuminate negative trends and provide evidence-based information regarding medical errors or consistent problems within your organization.

Once you’ve done the work to identify threats, the next step is analyzing risk. It can be helpful to use factors including the likelihood of occurrence, what the occurrence’s impact would be on your organization, and the speed at which your organization will feel the impact. Another factor includes the potential severity of the occurrence: What’s the worst-case scenario?

Prioritizing risk

By identifying and analyzing risks, you’ll be on the right path to then prioritizing potential threats to your organization. Your risk managers should be able to rank risks based on their likelihood of occurrence and potential level of severity. This information will be useful for the next phase: mitigating risk.

Risk mitigation

The mitigation step is about making a rock-solid risk management plan to prevent specific threats outlined in the identification process. Your mitigation plan will provide options for handling potential risks, and outline prevention strategies including evaluating staff competencies and implementing proper education and training for your staff. 

Consistent monitoring

It’s crucial to lay out a framework for ongoing monitoring for potential new risks. One area where your risk managers should keep a close watch on is cybersecurity. Cyberattackers consistently develop new tactics for stealing information and causing data breaches, so ensure your risk managers are evaluating for new threats with your information technology team. 

The role of healthcare risk managers

When crafting a risk management plan for your organization, it’s vital to establish a risk manager. A healthcare risk manager should have a broad understanding of the potential threats and processes in multiple settings of your healthcare organization, whether it’s assessing quality control checklists or managing financial risk to your facility.

Risk managers are responsible for identifying potential injuries to your patients, staff, and visitors, and taking any prevention steps necessary. Risk managers should also be able to do risk assessments in various areas of your organization, including insurance management, incident reporting, clinical research, mental health care, and emergency preparedness.

For example, a risk manager should be able to develop a strategy that prevents an organization’s pharmacy from filling an expired prescription. Another role of a risk manager should be to increase or improve patient communication to prevent improper medication use. Risk managers also ensure quality of care by standardizing pre-op checklists before sending a patient into surgery.

A qualified risk manager will not only be able to assess your organization’s data to identify potential threats and risks, but also be able to develop a comprehensive mitigation plan.

How is risk management used in healthcare?

Risk management allows healthcare organizations to be responsive and proactive when it comes to various threats. When an organization identifies a new risk, it may be necessary to adapt and introduce a new process to mitigate future adverse events. 

It may be helpful for your organization to review other risk management studies for guidance. Guidelines from governing organizations such as the American Society for Healthcare Risk Management (ASHRM) can help ensure risk management compliance for your organization.

Risk management in healthcare is not only about ensuring patient safety and medical compliance, but also about managing third-party risks such as cybersecurity threats.