ZenGRC

Simply Powerful GRC

Risk Management

What Are SOX Compliance Requirements?

· ·

The Sarbanes-Oxley (SOX) Act was signed into law on July 30, 2002. The law drafted by congressmen Paul Sarbanes and Michael Oxley aimed to improve corporate financial governance and accountability while protecting shareholders from accounting errors and fraudulent activity. 

The real fuel for the SOX law came from the inappropriate financial conduct of three large companies Enron, Tyco, and WorldCom. SOX compliance impacts every public company in the United States and is the basis for financial data security.

One of the largest effects that the Sarbanes-Oxley Act of 2002 had on public companies is how to store corporate electronic records. The law doesn’t necessarily dictate how the records should be stored, but it does specify what kind of records should be stored and for how long. 

An organization needs to keep electronic records and messages for a minimum of five years. The records held are used for financial reporting as well as financial statements compliance requirements. While many companies leverage accounting firms to validate SOX compliance, Chief Financial Officers (CFO’s) work hand in hand with corporate information technology leaders to make sure that SOX is implemented enterprise-wide.

All public companies must comply with SOX and have rolled key components of the law into company business and information technology internal controls. There are several SOX compliance requirements that organizations leverage for corporate governance. The two primary sections from SOX are Section 302 and Section 404.

Section 302: Corporate Responsibility for Financial Reports – Safeguards your organization against faulty financial reporting. Special care is given to protect against inaccurate data, data that has been tampered with, or data that is faulty in general.  The essence of Section 302 states that the CEO and CFO are directly responsible for the accuracy, documentation and submission of all financial reports as well as the internal control structure to the SEC.

Section 404: Management Assessment of Internal Controls – All annual financial reports must include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure.  Data needs to be verifiable by a third-party auditor. The verified information is then shared with shareholders and public entities. The main point is to enforce security breach reporting as well as guarantee that auditors have access to verified information.

There are ten main compliance requirements that organizations should consider when seeking SOX compliance:

  1. Implement safeguards to protect against data tampering (Section 302.2)
  2. Establish safeguards to prove timelines (Section 302.3)
  3. Implement verifiable controls to track access to data (Section 302.4b)
  4. Prove that safeguards are operational (Section 302.4c)
  5. Report on a periodic basis the effectiveness of safeguards (Section 302.4d)
  6. Detect security breaches (Section 302.5a and Section 302.5b)
  7. Disclose safeguards to SOX auditors (Section 404.a.1.1)
  8. Disclose security breaches to SOX auditors (Section 404.a.2)
  9. Disclose failure of any security safeguards to SOX auditors (Section 404.b)
  10. Implement internal control framework (various mentions)

It is important to remember that the signing officer must validate and attest to the reported information.

Implement safeguards to protect against data tampering (Section 302.2)

The best way to safeguard against data tampering is to implement Identity and Access Management (IAM), Enterprise Resource Planning (ERP), and Governance Risk and Compliance (GRC) systems. The systems need to track who has access to what, what they are doing with the access, and whether that access is required. User access logs need to be tracked to identify any sensitive data access attempts or tampering anywhere that data is stored.

Implement safeguards to prove timelines (Section 302.3)

As with Section 302.2 IAM, ERP, and GRC systems are required. That being said, the real focus is on being able to prove timestamps as they occur in real-time. The information needs to be relayed for storage offsite when it is received. The reason for the transmission is to prevent alteration to the data record. Logs need to be stored offsite as well and an encrypted MD5 checksum must be used to prove data integrity. 

Implement verifiable controls to track access to data (Section 302.4b)

The implemented IAM, ERP, and GRC systems must scale to meet the demands of various data sources. The systems will collect data access controls from all data sources within the organization including but not limited to FTP, databases, and unstructured data. 

Prove that safeguards are operational (Section 302.4c)

Implemented systems need a way to prove they are operational. Several examples of compliance include daily digest emails from the systems, feeding health status to a Security Information and Event Management (SIEM), and reports published to an intranet.

Report on a periodic basis the effectiveness of safeguards (Section 302.4d)

The systems in the organization need layered reporting on overall environmental health. Robust systems contain self-check capabilities that help identify potential issues to security or availability. Alerts, reports, and messages need to be integrated with a ticketing system that has archive capabilities for auditable records.

Detect security breaches (Section 302.5a and Section 302.5b)

Threat Intelligence systems, as well as User and Entity Behavior Analytics (UEBA), need to be integrated with IAM, ERP, and GRC to aid in security breach detection. Notification and the ability to track and archive events are critical to SOX compliance. Ultimately an auditor is going to want to see what happened to cause the security breach and what was done to remediate and contain the damage.

Disclose safeguards to SOX auditors (Section 404.a.1.1)

Role-based access to systems is critical in SOX compliance. SOX auditors need access to systems, but only the right amount of access. Keys to the kingdom should not be given and instead, a specific auditor role needs to be created and leveraged for read-only report access.

Disclose security breaches to SOX auditors (Section 404.a.2)

The SOX auditor is going to want to see logs indicating any security breaches and how the breach was resolved. All events need to be archived and reported on at a later date. SIEM systems are a great way to track and present information to an auditor.

Disclose failure of any security safeguards to SOX auditors (Section 404.b)

Testing the resiliency of IAM, ERP, and GRC systems should happen on an ongoing basis. Auditors want to make sure that the identified safeguards in an organization are actually working. There is a wide variety of ways to test systems such as penetration testing and vulnerability scanning. Any testing needs to be recorded for future analysis.

Implement internal control framework (various mentions)

Internal control frameworks like COBIT or COSO are important to SOX compliance for three key reasons:

  1. Internal control framework adapts to the changing business environment
  2. Control frameworks mitigate risk
  3. Information governance and decision making are easier with structured controls.

Ultimately, SOX compliance is helping organizations verify that there are adequate controls protecting financial data. SOX compliance is required for public entities and private entities are encouraged to follow the same practices. 

SOX is in existence to prevent another scandal as we saw with WorldCom, Enron, and Tyco. Auditors exist to review and verify controls, while policies and procedures are in place to protect shareholders. It is in an organization’s best interest to make a SOX auditor’s job easier by providing seamless read-only access to systems, reports, and data.

How is COBIT Related to Risk Management?

· ·

First released in 1996, Control Objectives for Information and Related Technology (COBIT) is a framework developed by the Information Systems Audit and Control Association (ISACA) that can help you create and implement strategies around IT management and IT governance. 

The COBIT management framework helps you deal with the risks to enterprise IT and the impacts those risks can have on your company, business processes, and IT systems. 

It’s no secret that cybercrime is increasing and hackers are always looking for new methods to infiltrate your IT systems despite whatever information security measures you have in place. That’s why risk assessment and IT risk management should be part of your organization’s information security.

Assess and manage IT risk

Assessing and managing IT risk can help your company operate more efficiently by linking information and technology risk to the achievement of its strategic objectives. 

That’s where COBIT comes in. As part of creating a holistic approach to information governance, COBIT aims to help you develop, organize, and implement strategies that align your IT infrastructure with business goals. It offers different maturity models and metrics that measure how well IT is contributing to achieving these objectives.

Initially, COBIT was created as a set of information technology control objectives to help financial firms with their IT auditing. However, over the years, its applications have expanded and COBIT now covers information governance and IT management methods, including information to help with risk management.

ISACA released COBIT 4 in 2005, followed by COBIT 4.1 in 2007. These versions included more details about information technology and communication technology governance. 

Holistic cybersecurity program

Released in 2012, COBIT 5 provides an IT framework that incorporates ISACA’s proprietary Val IT, Risk IT, and Information Technology Infrastructure Library (ITIL) with relevant standards produced by the International Organization for Standardization.  

In addition, COBIT 5 works with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to help you create a controlled landscape and a risk and governance model to enable security to comply with regulatory requirements. 

For example, if you need to comply with the COSO Framework, you can use COBIT 5 as a way to define and measure the effectiveness of your IT controls. Uniting these components, COBIT 5 offers a holistic cybersecurity program for enterprise IT governance. In addition, COBIT 5 defines five maturity models to help you determine where you are on your journey to total regulatory compliance.

Using COBIT 5, an organization can improve its IT risk-related capabilities, awareness, communication, decision making, and outcomes by giving key stakeholders an accurate, consistent, and validated assessment of the current level of IT risk and its impact on the business. Evaluating your cybersecurity protections against the COBIT 5 maturity models lets you assess the work you’ve completed and compared it to the work that you still need to finish.

IT risk is business risk

COBIT 5 for Risk characterizes IT risk as business risk, that is the business risk that’s linked to the use, ownership, operation, involvement, influence, and adoption of IT in an organization. 

COBIT 5 for Risk, which leverages the COBIT 5 framework, offers guidance to help risk professionals manage risk, incorporate IT risk into enterprise risk management, and help IT and business managers understand how to identify and manage IT risk effectively. 

COBIT 2019, the most recent version of the framework released in 2018, enables organizations to develop, organize, and implement more collaborative and flexible governance strategies. COBIT 2019 also addresses new and evolving technologies, trends, and requirements for businesses. 

COBIT 2019 includes other frameworks, such as The Open Group Architecture Framework (TOGAF), Capability Maturity Model Integration (CMMI), and ITIL. It’s especially helpful for companies that want to use it as an overall framework linking different processes running in their organizations while focusing on risk management, governance, and security.

Bottom Line

The COBIT framework stresses regulatory compliance, allows companies to get more value from IT, and helps align IT with the goals of the business to enable organizations to manage risk more effectively.

Inherent Risk in the Retail Industry: What You Should Know

· ·

The retail industry is undergoing an incredible transformation as emerging technologies, omnichannel shopping, as well as digital and social media, compel organizations to figure out how to operate more efficiently and better accommodate customers. 

Leaders of companies in the retail industry understand the importance of the digital forces at work in the sector and are looking more closely at the inherent risks these digital forces present. 

Every business comes with inherent risks, and running an e-commerce website or retail store isn’t any different. As more consumers shop online, e-commerce crimes are increasing and retailers are becoming more vulnerable.

Consequently, as organizations in the retail industry develop innovative ways to meet consumer demand, they also have to find better approaches for managing this inherent risk.

The following are just some of the inherent risks that affect companies in the retail industry:

Cybercrimes

Digital cybercriminals can target companies in the retail industry in several ways. For example, a hacker could launch a sophisticated phishing scam and convince your unwitting customers and/or employees to give up personal information, such as their credit card data. 

A distributed denial of service attack can take down your company’s servers, preventing customers from purchasing products. Cyber thieves can also target brick-and-mortar retailers by hacking into their point-of-sale (POS) systems. Hackers can also infect a retailer’s systems with ransomware and malware.

Companies in the retail industry can manage these inherent risks by replacing legacy POS equipment and having a cybersecurity specialist audit their systems and software.

Reputation Risk Factors

Organizations in the retail industry are impacted by direct contact with consumers. The fact is that with the growth of social media, companies no longer control their own messaging. 

Just one negative Facebook post, blog entry, tweet, or YouTube video can spell disaster for your company. Considering a large number of customer touchpoints, the chances that your brand’s reputation—and your revenue—will be negatively affected is pretty high.

To ensure your customers are happy, you should conduct consumer satisfaction surveys periodically to identify customer needs and expectations. You can also implement a customer relationship management system to deal with any complaints and reply to any questions. It’s also important to establish a policy to deal with social media so you can quickly respond to customers who leave negative comments about your company or products.

Not complying with laws and industry regulations

Companies that don’t adhere to government regulations as well as maintain the validity of their agreements and licenses, such as lease agreements, business licenses, advertising licenses, etc., may go out of business, suffer financial losses, or pay penalties. All of which could ruin a company’s reputation.

As such, you should ensure that your company:

  • Adopts procedures to identify and comply with any changes in government and/or industry regulations.
  • Implement processes to follow up on the terms of agreements and licenses.
  • Establishes a time period to begin the action that’s necessary to renew agreements and licenses before they expire.

Supply chain risks

Over the last decade, supply chain risk management has emerged as a challenge for companies in the retail industry. Customers want to receive their products whenever and wherever they want them. So to meet customer demand and remain competitive, you have to transform your supply chain or risk losing out to your rivals. 

Consequently, it’s imperative that you implement digitally enabled supply networks to enable cross-channel shopping with multiple delivery options and an easy return process. In addition, you have to assure customers that you have their items in stock and can deliver them when you say you will, as well as offer them a way to communicate with you in real-time.

Establishing a Digital Risk Framework

All your sensitive corporate data, automation, connectivity—all things digital—are inherently at risk because they are entry points for hackers. And the potential damage from just one cybersecurity incident is amplified because your digital systems are so embedded in your daily operations.

Companies in the retail industry that properly manage inherent risks become more competitive. Senior management should look to risk management to help them make better decisions about the company’s investments and its sustainability.

Digital risk management comprises numerous layers of risk defense, each linked via specific roles and responsibilities. However, it’s senior management who is responsible for setting the vision and assigning and coordinating these lines of defense. This helps them identify and correct redundancies in their organization’s risk management structure and prioritize how to control risks. 

Generally, your business units should be the first line of defense in terms of dealing with digital inherent risk. They should work with your information technology department to incorporate risk-informed decision-making into your company’s daily operations.

In addition, they should figure out the level of risk they’re willing to accept, mitigate risks as appropriate, and escalate problems when the risks are more than the company is able to tolerate.

The second line of defense is the risk management function that establishes governance and oversight procedures, sets risk baselines, and implements risk management tools and processes.

The audit function is the third line of defense. Your internal auditors verify how effective your digital risk management process is and assures leadership and the board of directors that this process is working properly. 

Additionally, your internal auditors let your company’s executives know if they have to make any improvements in the risk management process that can help the company to achieve its objectives. 

Developing a digital risk management framework also helps your auditors evaluate the established controls you have in place to adequately address such risks.

Typically, an organization maintains multiple digital assets across a number of digital channels. The organization owns and controls some of these digital channels, including mobile apps, e-commerce websites, and IT infrastructure. Others are outside of the company’s direct control, such as what people say about the organization or its digital assets in the digital space.

Implementing a digital risk management framework can help companies in the retail industry expose potential risks. Doing this allows you to establish controls and repeatable processes as well as streamline your responses to these risks. A digital risk framework enables management to begin evaluating how well your company can sense and respond to digital risk.

This ongoing “sense and respond” approach to digital risk management crosses silos and affects all stakeholders. The building blocks for this method make up a comprehensive lifecycle process to help you do as much as you can to protect against these inherent risks—with the greatest competitive benefits. 

There are a number of actions executives in companies in the retail industry can take to manage risk, including:

  • Frame and benchmark the current risk management strategy. Then take an inventory of the supporting processes, policies, controls, and metrics, particularly as they apply to your digital assets and channels.
  • Establish a digital governance structure as well as risk mitigation and response plans. Develop policies and procedures for the new digital age and implement risk management processes to support those policies and procedures.
  • Launch an integrated risk management program, including assurance programs, frameworks, and activities, to business units and other relevant areas, such as your internal audit department and IT.
  • Put business and digital risk management strategies in place. Test your risk processes and internal controls. For example, conduct escalation and response scenario testing. Also, implement reporting and performance management.

With a comprehensive risk framework, your company leaders can better manage risk. And by implementing a retail risk management strategy, you can nullify many threats before they happen. In addition, this risk framework allows executives to consider the level of risk the company is willing to take on while pursuing innovation and potentially profitable new ideas. 

Increasingly, digital is becoming the center of the shopping experience. Therefore, it’s imperative that companies in the retail industry meet their customers’ growing demands while avoiding the inherent risks that may surface along the way.

What is Holistic Risk Management?

· ·

Holistic Risk Management (HRM) is the practice of an organization’s understanding at a deep level its risk, how risk components fit together, and how grouping risks affect the overall program. Enterprise Risk Management (ERM) is often considered a holistic approach to proactively identify and mitigate risk and is used in conjunction or as a program replacement for HRM.

Risk assessments support HRM by breaking down the traditional risk silos and opening the way for integrated risk management. Operational risk and operational risk management generally lead the pack when it comes to strategizing the risk appetite of cybersecurity organizational leadership.

There are several elements that make up a holistic approach to risk management:

  • Organizational structure to understand risk across silos
  • Management framework and policy management
  • Analysis and measurement framework, or metrics.

The strength of an HRM program starts with enterprise-wide decision-making capabilities. Financial institutions often spend the most time on defining specific risks and developing risk profiles when compared with other industries to understand the impact of risk. Financial impact is one of the key metrics when analyzing or scoring risks. Other risk factors include velocity, likelihood, importance, control strength, and responsiveness. For a systematic way to manage risks holistically, read about Reciprocity’s Advanced Risk Management capabilities within ZenGRC.