IT GOVERNANCE GSI 615 Carmen R. Cintrón Ferrer © 2014.


IT GOVERNANCE GSI 615

Carmen R. Cintrón Ferrer © 2014


Carmen R. Cintrón Ferrer, 2014, Reserved Rights


IT Governance

Scope:
- Governance
- Risk Management
- Compliance
- IT Resources Management
- IT Governance
- IT Leadership and Innovation
- Governance and Ethics


Compliance


What is compliance?

Compliance is a desired outcome with regard to:
- Laws and regulations
- Internal policies and procedures
- Commitments to stakeholders (Mission)
- Reliability and assurance of information

It is achieved through a managed investment of time and resources, by inserting into day-to-day processes:
- Controls
- Legal and tactical activities
- Metrics


Compliance

Compliance definition (Video): conformance to established or generally accepted regulations, standards and/or legislation.

Compliance components:
- Awareness of boundaries
- Structure and support for accountability
- Culture and consistency
- Automated processes and controls to avoid gaps and prevent failure
- Metrics that enable compliance
- Technology integration to alert on, or prevent, possible non-compliance


Compliance with Laws and Regulations

Which laws and regulations? Those the entity is subject to and must follow.

Challenges:
- Lacking in harmony
- Complex and decentralized
- Dependent on manual controls

Implement via:
- Policies and procedures
- Inserting technology to support compliance
- Relying upon ethical behavior and transparency


Comply with what?

- National and international laws and regulations
- Standards and best practices
- Governmental regulatory agencies' rules
- Codes of ethics
- Organizational policies, procedures and guidelines
- Business code of ethics
- Professional code of conduct


Regulatory compliance areas (sample list)

Financial transactions and records:
- Gramm-Leach-Bliley Privacy Act (GLBA)
- Payment Card Industry Standards (PCI)
- Basel I & II
- Sarbanes-Oxley Act (SOX)

Health transactions and records:
- Health Insurance Portability & Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act

Intellectual property:
- Digital Millennium Copyright Act (DMCA)

Personal data privacy:
- Family Education Rights and Privacy Act (FERPA, Buckley Amendment)
- Electronic Communications Privacy Act (ECPA)
- The Lisbon Treaty: data protection framework as a fundamental human right

National security, information security and telecommunications:
- Federal Information Security Management Act (FISMA)
- Computer Fraud and Abuse Act
- USA PATRIOT Act


What, Who, When?

What?
- Determine the level of compliance required
- Identify responsible parties (roles and responsibilities)
- Adopt (or modify) policies and procedures
- Communicate, train and monitor

Who?
- The organization as a whole
- Board, officers, senior and line management, and staff
- Compliance Officer, Internal Auditor and Legal Counsel

When?
- Continuous compliance process
- By request of a regulatory agency, contractual agreement and/or lawsuit


Responsibility

Dimensions of responsibility:
- Strict (directly responsible)
- Indirect and vicarious
- Fiduciary responsibility
- Negligent acts or absence of action

Standard of Due Care:
- States the measures that should be in place to mitigate or reduce the responsibility
- Requires acting as expected (within the legal/regulatory framework)
- SOX Standards – ISO 17799


Compliance Exercise 1

Choose a regulation from the Personal Data Protection list.

Determine the dimension of responsibility for:
- Board
- Officers and Managers
- IT Management and Staff
- Staff

What would the Standard of Due Care be if there is a:
- Breach of security in which clients' data is exposed?
- Scenario of industrial espionage?
- Major fraud involving securities transactions (SEC)?
- Case of unethical behavior by an Officer/Manager/Staff employee?

Compliance Laws and Regulations: Personal Data and Privacy Protection (limited listing)

- Electronic Communications Privacy Act, PL 99-508 (1986)
- Children's Online Privacy Protection Act, PL 105-277 (1998)
- Health Insurance Portability & Accountability Act, PL 104-191 (1996)
- Health Information Technology for Economic and Clinical Health (HITECH) Act, PL 111-5 (2009)
- Family Education Rights and Privacy Act (Buckley Amendment) (1974)
- Sarbanes-Oxley Act, PL 107-204 (2002)
- Gramm-Leach-Bliley Financial Privacy Act (GLB), PL 106-102 (1999)
- Digital Millennium Copyright Act (DMCA), PL 105-304 (1998)
- Controlling the Assault of Non-Solicited Pornography & Marketing Act, PL 108-187 (2003)
- Electronic Signatures in Global & National Commerce Act, PL 106-229 (2000)
- Communications Assistance for Law Enforcement Act, PL 103-414 (1994)
- Real ID Act, PL 109-13 (2005)
- The Lisbon Treaty significantly affects the data protection framework: it establishes that personal data protection is a fundamental human right. http://europa.eu/lisbon.treaty
- Federal Information Security Management Act (FISMA), PL 107-347 (2002)
- Computer Fraud and Abuse Act
- Cyber Security Enhancement Act, PL 107-296 (2002)
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, PL 107-56 (2001)
- Cyber stalking, cyber harassment and cyber bullying laws: http://www.ncsl.org/default.aspx?tabid=13495
- Electronic Freedom of Information Act, PL 104-231 (1996)


Compliance Exercise 1(a)

Dimension of Responsibility (fill in for each role)

Role                    | Strict/Direct | Indirect/Vicarious | Fiduciary | Negligent actions
------------------------|---------------|--------------------|-----------|------------------
Board of Directors      |               |                    |           |
Officers                |               |                    |           |
Managers                |               |                    |           |
IT Management & Staff   |               |                    |           |
Other Staff             |               |                    |           |


Compliance Exercise 1(b)

Expected Standard of Due Care (fill in for each role and scenario)

Role                    | Client's Data Exposed | Industrial Espionage | SEC Fraud | Unethical Behaviour
------------------------|-----------------------|----------------------|-----------|--------------------
Board of Directors      |                       |                      |           |
Officers                |                       |                      |           |
Managers                |                       |                      |           |
IT Management & Staff   |                       |                      |           |
Other Staff             |                       |                      |           |


Compliance Management

- Identify regulatory requirements
- Select compliance frameworks
- Document business processes and controls:
  - Implement or update processes and controls
  - Determine control gaps
  - Address and close the gap(s)
- Monitor control status and effectiveness:
  - Identify and remediate issues
  - Review and update the control environment
  - Certify effectiveness
- Communicate results of the analysis to key stakeholders:
  - Train for compliance
  - Generate evidence to support audit requirements
  - Assess the impact of events on controls


Compliance Management Process

(Process cycle) Regulatory Requirements -> Compliance Framework -> Business Processes -> Monitor Controls -> Communicate & Train


Compliance Management Issues

- No compliance oversight function, and/or a very low confidence level in risk management
- Lack of compliance awareness and education
- Outdated policies and procedures
- Informal procedures and practices
- Policies, procedures, strategic plans, budget and resource allocation/management that are unknown, not well communicated, or not understood
- Inconsistent application of policies and practices among different areas/departments
- Ineffective or inefficient controls
- Personal accountability is unenforceable or wrongly placed


Environment for Compliance

Establish an incentive and reward system based on excellence and hard work.

Develop an ethical environment that can foster and sustain responsible decisions.

Build a system of ethical practice throughout the compliance program and the organization.

Assign the resources and communicate a clear message.

Drive the cultural change: compliance is the right thing to do.

Michael Volkov, Creating a Culture of Ethics and Compliance


SOX Compliance

Sec 302 - Faulty financial reporting (data safeguards):
- Prevent data tampering
- Accurate reporting and timelines
- Track data access
- Operational safeguards
- Safeguards effectiveness
- Security breach detection

Sec 404 - Disclosure and transparency (data security):
- Disclose security safeguards
- Disclose security breaches
- Disclose failure of safeguards


SOX Compliance References

Computron, Sarbanes-Oxley Compliance: A Checklist for Evaluating Internal Controls

Correlog, Sarbanes-Oxley (SOX) Compliance Checklist

Deloitte, Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002

Ernst & Young, The Sarbanes-Oxley Act at 10: Enhancing the reliability of financial reporting and audit quality

KPMG, Sarbanes-Oxley Section 404: Summary of key points from submissions to the SEC

J. Stephen McNally, CPA, The 2013 COSO Framework & SOX Compliance: One Approach to Effective Transition

Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, FAQs Regarding Section 404

Splunk, SOX Compliance

Environment changes ... have driven framework updates:

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in business

Demands and complexities in laws, rules, regulations, and standards

Expectations for competencies and accountabilities

Use of, and reliance on, evolving technologies

Expectations relating to preventing and detecting fraud

COSO Cube (2013 Edition)

The update considers changes in business and operating environments.

COSO 2013 (Committee of Sponsoring Organizations of the Treadway Commission)

COSO 2013 Updated Model (five components, 17 principles)

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

COSO - Example of how controls affect principles

Component: Control Environment
Principle: (1) The organization demonstrates a commitment to integrity and ethical values.

Controls embedded in other components may affect this principle:

Control                                                                                   | Component
------------------------------------------------------------------------------------------|---------------------------
Human Resources reviews employees' confirmations to assess whether standards of conduct   | Control Environment
are understood and adhered to by staff across the entity                                  |
Management obtains and reviews the data and information underlying potential deviations   | Information & Communication
captured in the whistleblower hotline to assess the quality of information                |
Internal Audit separately evaluates the Control Environment, considering employee          | Monitoring Activities
behaviors and whistleblower hotline results, and reports thereon                          |


GR&C Wrap-up


GRC or ECRG

- Governance, Risk and Compliance (Video)
- Why a GRC Framework? (Video)
- GRC: The Power to Decide (Video)
- Ethics, Compliance, Risk Management & Governance: Should it be GRC or ECRG? (Why/why not?)
- What does the ethical component introduce?
- How can ethical governance become the axis?


Ethics and Compliance or Compliance and Ethics

- Society of Corporate Compliance and Ethics, Sally March, Compliance in Europe
- Alstom, Ethics and Compliance: "clean business is great business"
- Lilly, Ethics and Compliance Program
- Ethics & Compliance Officer Association, Standards of Conduct for Ethics and Compliance Professionals
- Education Portal, Corporate Social Responsibility
- Dilbert on Ethics for e-CPE
- DigiPharm, The relationship between compliance and ethics
- Funny FCPA trainings
- Click4Compliance, Global Anti-corruption laws


Teamwork Exercise

Governance Cases

Cases in Governance: Enron

Lee Ann Obringer - HowStuffWorks - http://money.howstuffworks.com/cooking-books7.htm

Robert Jon Petersen – Sophia.org http://www.sophia.org/tutorials/enron-case-study

The Economist - http://www.economist.com/node/940091

The FBI, Crime in the Suites: A look back at the Enron Case - http://www.fbi.gov/news/stories/2006/december

Leigh Tesfatsion – Iowa State University - http://www2.econ.iastate.edu/classes/econ353/tesfatsion/enron.pdf

Cases in Governance: Tyco International

Lee Ann Obringer - HowStuffWorks - http://money.howstuffworks.com/cooking-books10.htm

Tyco Fraud InfoCenter - http://www.tycofraudinfocenter.com/information.php

Daniels Fund Ethics Initiative – University of New Mexico - http://danielsethics.mgt.unm.edu/pdf/Tyco%20Case.pdf

Law Teacher – Unethical issues or legal issues in Tyco International - http://www.lawteacher.net/company-law/essays//unethical-issues-or-legal-issues-in-tyco-international-company-law-essay.php

Study Mode - http://www.studymode.com/essays/Tyco-International-Case-Study-1022395.html

Cases in Governance: WorldCom

Lee Ann Obringer - HowStuffWorks - http://money.howstuffworks.com/cooking-books9.htm

Romar et al. - Santa Clara University - WorldCom Case Study - http://www.prmia.org/sites/default/files/references/WorldCom_Case_Study_April_2009.pdf and http://www.scu.edu/ethics/dialogue/candc/cases/worldcom-update.html

Kristin A. Kennedy - An Analysis of Fraud ... - University of New Hampshire - http://scholars.unh.edu/cgi/viewcontent.cgi?article=1099&context=honors

Cases in Governance: Adelphia

The Adelphia Case Scandal (AICPA) - http://www.aicpa.org/InterestAreas/AccountingEducation/Resources/DownloadableDocuments/adelphia.ppt

CNN Money – The Adelphia Story - http://money.cnn.com/magazines/fortune/fortune_archive/2002/08/12/327011/

C.P. Carter et al. - The Adelphia Fraud - American Accounting Association - http://aaahq.org/fia/attachments/fia-newsletter-v2n3.pdf

Adelphia Communications Case Study - http://www.docstoc.com/docs/23287542/Adelphia-Communications-A-Case-Study