ZenGRC

Simply Powerful GRC

Risk Management

Guide to COBIT Best Practices

· ·

Established by the Information Systems and Audit Control Association (ISACA), the Control Objectives for Information and Related Technologies (COBIT) framework provides a framework for organizing enterprise IT management. Aligning your security-first information security compliance initiatives to COBIT best practices enables organizations to maintain a continuous risk management program.

COBIT Best Practices

Who is ISACA?

Initially founded in 1969, ISACA creates globally recognized IT certifications and develops auditing control guidances. Boasting its COBIT 5 as the only business framework for IT, ISACA formed an IT Governance Institute (ITGI) that focuses on researching and publishing resources that provide updated guidance and benchmarks for maintaining up-to-date information security controls.

What is COBIT 5?

COBIT 5 provides an IT framework which incorporates ISACA’s proprietary Val IT, Risk IT,  and Information Technology Infrastructure Library (ITIL) with relevant standards produced by the International Organization for Standardization (ISO).
By combining these elements, COBIT 5 offers an overarching cybersecurity program for enterprise IT governance.

Who uses COBIT 5?

COBIT 5 provides any organization a way to evaluate and defend data as part of its business processes. With a goal of enabling commercial, non-profit, and public sector companies, COBIT focuses on providing guidance for providing quality, reliability, and control of information and related technology.

ISACA notes on its COBIT 5 resource page that key users include audit and assurance, compliance, IT operations, governance, and security and risk management executives and consultants.

Why should I choose COBIT 5?

COBIT 5 allows you to align many of your current controls with a variety of other standards and regulatory compliance requirements. For example, organizations that need to comply with the COSO Framework can use COBIT 5 as a way to define and measure IT control effectiveness.

Moreover, COBIT 5 defines five maturity models that help you determine where you are on the road to complete compliance.

  • Level 0: Non-existent

No current process in place

  • Level 1: Initial/Ad Hoc

 No standardized process in place

  • Level 2: Repeatable but Intuitive

Procedures exist but require highly knowledgable individuals and little standardization exists.

  • Level 3: Defined Process

Standardized procedures exist but remain unsophisticated.

  • Level 4: Managed and Measurable

Standardized procedures include key performance indicators and error detection methods

  • Level 5: Optimized

Refined, standardized processes exist and maintain strong practice levels that reduce variances

By measuring your cybersecurity protections against the COBIT 5 maturity models, you can review the work you’ve done and compare it to the work that you need to do.

How to use the COBIT framework five principles to creating best practices

ISACA based COBIT 5 on five fundamental principles. These five guiding principles underlie COBIT 5’s approach to information management and governance. By aligning your IT processes and internal controls based on these high-level principles, you can establish an enterprise approach consistent with your business objectives.

Principle 1: Meet Stakeholder Needs

ISACA recognizes that your enterprise has a variety of stakeholder with different, and sometimes conflicting, needs. For example, your marketing department needs to use social media to build your brand voice. However, social media third party applications provide and often ignored data threat that your IT department needs to mitigate.

Best Practices:

  • Define relevant and tangible goals
  • Define levels of responsibility
  • Identify and communicate enablers’ importance

Principle 2: Cover the Enterprise End-to-End

Information governance and management needs to a part of enterprise IT governance but also needs to include all other information and related technology. All members of your organization need to be aware of the information assets that enable their business objectives.

Best Practices:

  • Define governance enablers
  • Define governance scope
  • Assign roles and activities to the relationships

Principle 3: Apply a Single Integrated Framework

COBIT 5 aligns to a variety of frameworks – risk management and IT related – to enable a unified approach to data management. From the enterprise management perspective, it draws from COSO, COSO ERM, ISO/IEC 9000, and ISO/IEC 31000. As related specifically to IT, COBIT 5 focuses on bringing together ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, and CMMI.

Best Practices:

  • Review the standards related to your organization
  • Engage in the appropriate risk identification
  • Ensure COBIT 5 aligns to overarching enterprise goals

Principle 4: Enable a Holistic Approach

As part of creating a holistic approach to information governance, COBIT focuses on aggregating the factors that individually and collectively influence meeting objectives. Principles, policies, and frameworks tie together the processes, organizational structures, and corporate ethical culture to information, services/infrastructures/applications, and people/skills/competencies.

Best Practices:

  • Outline practices and activities that achieve objectives
  • Define key decision-making entities
  • Define the behaviors, of individuals and the organization, that are most important
  • Establish the policies derived from principles and frameworks to guide day-to-day practices
  • Review all information used by the organization to enable business operations or are part of services provided
  • Incorporate infrastructure, technology, and application that enable business operations and processes
  • Define roles based on individuals’ skills and competencies to complete activities, make decision, and take corrective actions.

Principle 5: Separate Governance from Management

Governance involves evaluating, directing, and monitoring the information management program. Management involves planning, building, running, and monitoring the daily activities.  The Board of Directors is responsible for governance while executive management, led by the CEO, is responsible for management. Although the COBIT framework incorporates five domains and 37 processes, the high level overview provides an outline of steps organizations can take to separate governance and management.

Best Practices for Governance:

  • Create enterprise guiding principles
  • Establish decision model
  • Create authority levels
  • Review enterprise governance communications
  • Receive feedback on governance effectiveness and performance

Best Practices for Management

  • Communicate ground rules
  • Establish IT-related policies
  • Communicate IT objectives
  • Suggest process improvement opportunities
  • Create a communications package
  • Establish quality management standards
  • Establish a process for measuring quality of service goals and metrics
  • Continually review and improve good practices
  • Establish quality review benchmark results
  • Establish monitoring targets
  • Review performance reports
  • Define remedial actions
  • Assign responsibility for remedial actions
  • Establish and review internal control monitoring
  • Review benchmarks and evaluations
  • Create self-assessment plans and criteria
  • Review self-assessment results
  • Locate and review control deficiencies
  • Create and review assurance plans and their results
  • Communicate new compliance requirements

How ZenGRC Enables Enterprise Level Compliance

COBIT 5 uses a language reminiscent of project management to better align business leaders to IT principles. Incorporating terms such as value creation, stakeholders, strategic objectives, and stakeholder management help bridge the gap between the IT department, management, and the Board of Directors.

However, the way in which COBIT 5 focuses on stakeholder communication. Moreover, it’s first principle focuses specifically on the variety of stakeholders involved in the process. Therefore, if you’re looking to be COBIT compliant you need to make an IT investment that helps you manage communications between your stakeholders.

ZenGRC provides task prioritization that help let you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring their completion dates.
As a single-source-of-information, the platform stores and supports remediation activities to prove your continuous compliance and continuous auditing approach to information security.

By using our intuitive interface, you can easily upload frameworks, objectives, and controls while also managing changes to those controls across a variety of frameworks.

For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.

How Technology Helps You Better Manage Compliance

· ·

Whether you’re looking to implement artificial intelligence, bid data, machine learning, or simply find an easy-to-navigate Software-as-a-Service platform to streamline your information security monitoring efforts, compliance technology is the newest trend in enabling businesses to maintain a strong cybersecurity risk, compliance, and governance program. Understanding the different ways to use technology is the best way to help you find the right risk management solution for your organization.

Technology For Compliance

What does Compliance Technology do?

As a phrase, compliance technology can mean a variety of services you use to help stay up-to-date with standard and regulatory requirements. Compliance technology began as nothing more than a large data storage location for documentation. However, increasingly, compliance technology platforms offer a variety of services enabling better compliance program management. Particularly in the IT security arena, regulatory requirements update nearly continuously.

In the last twelve months, two new cybersecurity regulations went into effect – the European Union’s General Data Protection Regulation (GDPR) and the New York Department of Financial Services Cybersecurity Regulations (NYDFS 3 NYCRR Part 500). Additionally, California passed its Consumer  Privacy Act of 2018 which may herald a groundbreaking change in how United States businesses collect and use data.

Moreover, 2018 brought updates to standards set out by the Internationals Standards Organization (ISO), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the Payment Card Industries Security Standards Council (PCI SSC).

Between updates and new requirements, you need to have one location where you can monitor and manage your compliance.

What is automated compliance technology?

Automation is a software or hardware that handles a process or task without you needing to help it. You define the actions or tasks, and the computer does the rest.

An example of automation is scheduling recurring events. In compliance, automation enables workflows and regular reviews. Rather than having to manually input the same data multiple times, you can assign a task to an individual, set a time frame for recurrence, and manage reminders.

Automation as a compliance technology removes the time-consuming administrative tasks associated with audit documentation collection and review scheduling.

How does Big Data help manage compliance?

Big data allows you to incorporate a review of otherwise overwhelming amounts of information across your enterprise as well as the internet. In the case of information security compliance, many tools enable you to review security concerns facing your organization.

For example, new, previously undisclosed vulnerabilities, also known as “zero-day attacks,” can compromise your organization, even if you’ve incorporated a security first approach to compliance. Big data allows you to track these threats as they occur.

In other cases, big data enables you to review the relationships you have with your third-party business partners to determine threats to your data environment and ecosystem. You not only place your data at risk by threats to your environment, but your vendors put your data at risk when they don’t protect their own environment.

What is artificial intelligence based compliance technology?

Artificial intelligence (AI) based compliance technology comes in a variety of forms. Artificial intelligence uses machines to carry out mundane, time-consuming tasks. Traditional notions of AI focus on using machines to do “intelligent” tasks such as seeing, using tools, reasoning, and formulating plans and objectives.

For example, AI can review information across the internet to help consolidate compliance requirements. By reviewing the information available, it can search for words that help keep you up-to-date on changes to regulations so that you maintain a continuous compliance approach.

In other ways, it helps review compliance risks. You can program computers to assign risk levels to certain threats based on the likelihood of the event and the criticality of the information.

Finally, when bringing together a variety of requirements and controls, you can use artificial intelligence, in the traditional sense, to find the similarities across frameworks then help provide a gap analysis.

Where does machine learning fit into compliance technology solutions?

Machine learning is the newest iteration of artificial intelligence. Machine learning uses big data to teach computers to take in data, analyze it, and make predictions.

For example, machine learning processes can review current ransomware threats, review the actions they make a computer perform, and then predict whether you’ve been hit with a ransomware attack based on your device’s program activities.
Rather than simply completing a task, machine learning takes that task and extends using information available across the internet to predict what might happen next.

How to choose the right compliance technology to monitor security risks

Creating a security first approach to compliance requires continuous control monitoring. Malicious actors never stop trying to find new vulnerabilities which means that the controls that protect your data today may not work tomorrow.

Compliance technology tools can enable you to review the threats to your data environment and ecosystem when deployed meaningfully. For example, a technology that reviews software updates released can ensure that you patch security flaws more rapidly, thus mitigating the chance of a data breach.

Choosing the appropriate compliance technology to manage your cyber security risks means asking questions about your company’s maturity level, future business objectives, and desire to scale.

When choosing a compliance technology, you want to ask:

  • How large is my organization?
  • How many critical systems, networks, and software assets do I have?
  • Where am I now?
  • Where do I want to be in five years?
  • How many additional compliance requirements will I be adding to get from where I am to where I want to be?
  • How many people need to be involved in the compliance process?
  • How much information do I need to collect?
  • How big is my data environment?
  • How many vendors do I need to monitor?
  • Do I have the right compliance technology to manage requirements for risk analysis, risk management, control creation, threat monitoring, business continuity, disaster recovery, and incident response?

How ZenGRC’s Compliance Technology Streamlines the Process

ZenGRC provides task prioritization that help let you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring their completion dates.
As a single-source-of-information, the platform stores and supports remediation activities to prove your continuous compliance and continuous auditing approach to information security.

By using our intuitive interface, you can easily upload frameworks, objectives, and controls while also managing changes to those controls across a variety of frameworks.

For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.

Vendor Management Workflow for Vendor Risk Assessments

· ·

Chances are, your enterprise uses third-party vendors to streamline your business processes. However, those vendors have digital connections, and so increase the risk to your data security controls.

A strong vendor risk management program is critical to overall enterprise risk management. And successful vendor risk management requires a well-organized workflow so that you always know what’s being done, who’s doing it, and where tasks stand as you respond to operational risks and threats arising from third-party vendors.

Here we’ll provide tips to strengthen your vendor risk management program. For a more thorough and detailed look at third-party risk management, check out our ultimate guide to third-party vendor risk management.

Tips to Improve Your Vendor Risk Assessment Process

Today’s business lives in the cloud, never more so than now, when more employees than ever are working from home in the wake of the COVID-19 pandemic. Using cloud service providers, remote conferencing software, and other third-party vendors, however, increases your risk.

The first step toward managing vendor risks is to assess them. Here’s how to get started:

  1. Mind Your Supply Chain

    According to Dark Reading, third-party providers cause the most expensive data breaches. Some of the costliest data breaches have involved third-party-hosted infrastructure vendors and third-party cloud services.

    These third parties may have nearly unlimited access to your information–such as the web applications that provide employees access to your organization’s databases. These databases may contain highly sensitive information.

    Stay apprised of your third parties’ security, including that of your cloud provider. Know what third parties your third parties use, and so on, all along the supply chain, and how secure those fourth and fifth parties are.

  2. Know Your Regulatory Compliance Requirements

    Industry standards such as those established by the International Standards Organization (ISO) provide guidance for establishing best practices. Non-compliance with regulations and laws, however, increase the risks to your organization as well as the likelihood of penalties and fines.

    Federal and state laws regulate risk management in the financial services industry. The Federal Financial Institutions Examination Council (FFIEC) IT examination handbook requires banks to:

    • Assess whether each third-party relationship supports the institution’s overall objectives and strategic plans
    • Evaluate prospective third-party providers based on the scope and importance of the services they provide
    • Tailor their third-party management program based on an initial and ongoing risk assessment of third parties and the services they provide

    The US Department of Health and Human Services, which oversees the Health Insurance Portability and Accountability Act of 1996 (HIPAA), notes that as part of the National Institute of Standards and Technology (NIST) security risk assessment, healthcare providers should ask:

    • What are the external sources of electronic personal health information (e-PHI)? For example, do our vendors or consultants create, receive, maintain, or transmit e-PHI?

    While some organizations seek compliance certifications as a way to gain customer trust, the healthcare and financial services industries must comply with regulations or face possible fines and penalties. Will you be ready at audit time?

  3. Conduct a Third-Party Risk Assessment

    “Trust but verify” is advice we often hear from information security professionals. Verification can be difficult. You may not be familiar with your vendors’ business processes. A risk assessment can give you the information you need to keep your data and systems safe and secure.

    Vendor risk assessments follow a workflow similar to the risk analysis you use for your business operations. Questions include:

    • What types of information do your vendors collect, transmit, and store?
    • Which vendors are critical to business operations?
    • Which vendors access your systems, networks, and servers?
    • What levels of access do your vendors have to these systems, networks, and servers?

    High-risk vendors critical to your business operations usually have access to sensitive data in your systems, networks, and servers. For example, your human resources department may use a third-party healthcare benefits platform that allows employees to set up their insurance. A breach of that vendor could compromise your private employee information.

  4. Do your Due Diligence

    Identifying risks is only your first step to third-party risk management due diligence. Your second step is to verify that your vendors follow the protocols they detailed in the documents they filled out for you.

    Historically, vendor risk management has relied on questionnaires and audit reports, trusting the vendor to provide accurate, up-to-date information.

    These questionnaires provide insight into the strategies that companies intend to use–but communications may break down or daily business practices fall out of alignment with intentions. Meanwhile, cybersecurity threats emerge and change continually. A vendor may be secure today, but a new threat may arise tomorrow that makes them a liability.

    Appropriate due diligence requires that you continuously monitor of the vendor’s data environment.

How to Create a Security-First Vendor Management Program

If you have many vendors, managing them may seem overwhelming–unless you realize that vendor management is merely one component in your overall compliance strategy. If yours is a security-first compliance program, you’re a step ahead of many companies.

When you view security as your primary goal and then align compliance to your controls, you most likely continuously monitor your data environment. Extending that monitoring to your vendor management program means eyeing your vendors’ security controls the way you monitor your own.

Use real-time threat monitoring to review the potential threats your vendors pose and help them secure their data so that you can protect your own.

Use ZenGRC for Simple, Security-First Vendor Management

Vendor risk management means reviewing your third-party providers’ security as diligently as you review your own. However, CISOs need tools that help manage the influx of alerts.

One person can’t be in contact with every vendor, every day. Even businesses with few vendors can find it difficult to get organized enough to continuously monitor and stay in contact with them.

ZenGRC, our software-as-a-service, simplifies task management for vendor risk management programs. Using it, compliance officers can assign remediation work and capture all the relevant data about each task: the requester, the assignee, the current status of the task, and the necessary deadlines.

Now your CISO can use a workflow that streamlines your vendor management program and helps keep your organization secure. With ZenGRC, you’ll know where tasks stand in the process. Nothing falls between the cracks because there are no cracks. Vendor risks get managed with ease and efficiency, and you’re free to turn your attention to other, more pressing tasks, like satisfying your customers and boosting your bottom line.

Worry-free vendor risk management is the Zen way. Why not contact us for a demo today?

How to Reduce Operational Risk in Banking

· ·

The 2018 Verizon Data Breach Investigations Report once again pointed to financial services organizations being a primary target for hackers. Although trending downward from 2015-2017, external actors account for 79% of breaches. Moreover, the August 2018 Fiserv security vulnerability highlighted the impact of operational risk and cybersecurity. As a payment processing vendor, Fiserv’s weakness is an operational risk for any banks using the system.

Control Operational Risk for Banks with Effective Workflow Management

Where Operational Risk and Cybersecurity Overlap

Data breaches last longer than the initial discovery. The costs associated with them can continue for two years or more. Unfortunately, current financial institution compliance requirements become outdated rapidly as cybercriminals continue to evolve their attack methods.

Every day, hackers look to find new, previously un-discovered vulnerabilities in systems and software, frequently referred to as “zero-day” attacks. These attacks put even the most secure system at risk. After all, you can’t secure something you don’t know is vulnerable.

Modern operational risk management must account for the risk of loss arising out of failed or inadequate internal business processes caused by both people and technology.

What Do Financial Services Organizations Struggle With?

Defining operational risk continues to challenge banks. In May 2018, the Board of Governors of the Federal Reserve System outlined three primary challenges facing financial institutions when attempting to calculate operational risk costs.

External losses

External data loss reporting remains a primary limitation for bank models. Although a few vendor datasets exist, most information available focuses on large losses and comes from publicly available sources, like news articles and financial disclosures.

Scenario analysis

A primary operational risk analysis approach incorporates bringing together a variety of stakeholders to estimate exposure. These workshops identify key risks and estimate potential frequency and severity. The external loss data limitations once more impact the ability to adequately evaluate cyber risks. Unlike the abundance of market risk historical data that enables a strong assessment, cyber risk remains elusive not just because the information isn’t available but also because the historical context is limited.

Business, environment, and control factors (BEICF)

BEICF, the catchall for other factors impacting operational loss exposure, often relies on subject risk control self-assessments that suffer from the external loss data problem. Others, like key risk indicators, lack standardization.

Where Basel 4 Fails

In 2017, the Basel Committee on Banking Supervision (BCBS) released its finals rules on operational risk capital. The new operational risk capital calculation implemented a Standardized Approach (SA) that will apply beginning January 1, 2022.

Basel 4 intends to simplify and standardize operational risk capital requirements to overcome the problems associated with the Advanced Measurements Approach (AMA). However, the new SA lacks the risk sensitivity factor because it incorporates a ten-year loss data capture requirement.

Basel III incorporated two types of risk sensitivity. Ex ante risk sensitivity focused on distinction arising out of individual exposures or transactions. Ex post risk sensitivity looked at risks that could only be assessed after a loss event occurred. Thus, cyber risk events and cyber risk appetite were difficult to estimate. Data limitations and the range of bank complexities created a challenge for determining ex ante risk. Meanwhile, since ex post risk requires an event to have occurred, this modeling lacked predictive powers since assumptions might fail.

Removing the risk sensitivity factor when creating the SA calculation ignores the potential impact that external events, specifically cyber attacks, have on operational risk. While KPMG noted that national supervisors might continue to push for banks to focus on mitigating operational risk arising out of cyber events, the official standardized calculation ignores the impact and removes the incentive for cyber risk mitigation strategies.

How Using a Security-First Compliance Approach Helps the Bottom Line

While Basel 4 attempts to standardize operational risk capital calculations, it fails banks by ignoring the interconnectedness between operational risk, legal risk, and reputation risk.

Traditionally, market risk, operational risk, legal risk, reputation risk, and credit risk were often independent of one another. For example, credit risk focuses on the potential that a borrower will fail to meet their credit obligations, such as loan and credit card payments. Banks could easily disaggregate credit risk from operational risk.

However, today, operational risk potentially impacts credit risk. A failed data control opens up the bank’s systems to cybercriminals who then steal identities. When the cybercriminal makes unauthorized purchases with the credit card, the customer no longer need to pay it back. Now, the bank has a credit risk exposure. If multiple customer credit cards were used, then the credit loss increases exponentially.
Those customers then sue the bank under a variety of cybersecurity and privacy laws. Additionally, the bank’s reputation lowers, leading to fewer deposits.

Ultimately, a single breach impacts four of the five major capital risks, not just one.
Expanding the scenario to incorporate the increasing use of hacktivists and nation-state actors, the breach may impact more than a single targeted bank. Coordinated data attacks affecting a shared vulnerability through a shared fintech vendor could impact market risk as well.

Creating an Operational Risk Monitoring Workflow

Security-first compliance incorporates continuous monitoring of your data environment to mitigate the risk of an attack. With more vendors accessing banks’ information, financial institutions increase their risk of a data breach. A single zero-day attack across a shared vendor can impact institutions across the industry. To protect against this, financial institutions need to secure their environments and ecosystems.

As part of the security-first continuous monitoring and continuous compliance approach, organizations also engage in continuous auditing. Being alerted to threats is the first step. Responding to them to maintain compliance is the second step. Proving the threats were remediated is the third step.

ZenGRC enables continuous monitoring through a centralized dashboard. With real-time notifications, organizations can prioritize alerts and delegate risk management tasks. Continuous monitoring allows continuous compliance. Moreover, as a single-source-of-truth, ZenGRC creates an audit trail that enables continuous auditing to document the organizations can prove the effectiveness of their security controls and their remediation efforts in the event of a new security risk.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.