IT GOVERNANCE GSI 615 Carmen R. Cintrón Ferrer © 2014.
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
IT Governance
Scope:
- Governance
- Risk Management
- Compliance
- IT Resources Management
- IT Governance
- IT Leadership and Innovation
- Governance and Ethics
Compliance
What is compliance?
Compliance is a desired outcome with regard to:
- Laws and regulations
- Internal policies and procedures
- Commitments to stakeholders (Mission)
- Reliability and assurance of information
It is achieved through managed investment of time and resources by inserting into day-to-day processes:
- Controls
- Legal and tactical activities
- Metrics
Compliance
Compliance definition (Video): conformance to established or generally accepted regulations, standards and/or legislation.
Compliance components:
- Awareness of boundaries
- Structural support for accountability
- Culture and consistency
- Automated processes and controls to avoid gaps and prevent failure
- Metrics that enable compliance
- Technology integration to alert on or prevent possible non-compliance
Compliance with Laws and Regulations
Which laws and regulations? Those which the entity is subject to.
Challenges:
- Lacking in harmony
- Complex and decentralized
- Dependent on manual controls
Implement via:
- Policies and procedures
- Technology inserted to support compliance
- Reliance on ethical behavior and transparency
Comply with what?
- National and international laws and regulations
- Standards and best practices
- Governmental regulatory agencies' rules
- Codes of ethics
- Organizational policies, procedures and guidelines
- Business code of ethics
- Professional code of conduct
Regulatory compliance areas (sample list)
Financial transactions and records:
- Gramm-Leach-Bliley Privacy Act (GLBA)
- Payment Card Industry Standards (PCI)
- Basel I & II
- Sarbanes-Oxley Act (SOX)
Health transactions and records:
- Health Insurance Portability & Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
Intellectual property:
- Digital Millennium Copyright Act (DMCA)
Personal data privacy:
- Family Educational Rights and Privacy Act (FERPA, Buckley Amendment)
- Electronic Communications Privacy Act (ECPA)
- The Lisbon Treaty: data protection framework as a fundamental human right
National security, information security and telecommunications:
- Federal Information Security Management Act (FISMA)
- Computer Fraud and Abuse Act
- USA PATRIOT Act
What, Who, When?
What?
- Determine the level of compliance required
- Identify responsible parties (roles and responsibilities)
- Adopt (or modify) policies and procedures
- Communicate, train and monitor
Who?
- The organization as a whole
- Board, officers, senior and line management and staff
- Compliance Officer, Internal Auditor and Legal Counsel
When?
- Continuous compliance process
- By request of a regulatory agency, contractual agreement and/or lawsuit
Responsibility
Dimensions of responsibility:
- Strict (directly responsible)
- Indirect and vicarious
- Fiduciary
- Negligent acts or absence of
Standard of Due Care:
- States the measures that should be in place to mitigate or reduce the responsibility
- Requires acting as expected (within the legal/regulatory framework)
- SOX standards; ISO 17799
Compliance Exercise 1
Choose a regulation from the Personal Data Protection list.
Determine the dimension of responsibility for:
- Board
- Officers and Managers
- IT Management and Staff
- Staff
What would the Standard of Due Care be if there is a:
- Breach of security in which clients' data is exposed?
- Scenario of industrial espionage?
- Major fraud involving securities transactions (SEC)?
- Unethical behavior by an officer/manager/staff employee?
Compliance Laws and Regulations: Personal Data and Privacy Protection (limited listing)
- Electronic Communications Privacy Act, PL 99-508 (1986)
- Children's Online Privacy Protection Act, PL 105-277 (1998)
- Health Insurance Portability & Accountability Act, PL 104-191 (1996)
- Health Information Technology for Economic and Clinical Health (HITECH) Act, PL 111-5 (2009)
- Family Educational Rights and Privacy Act (Buckley Amendment) (1974)
- Sarbanes-Oxley Act, PL 107-204 (2002)
- Gramm-Leach-Bliley Financial Privacy Act (GLB), PL 106-102 (1999)
- Digital Millennium Copyright Act (DMCA), PL 105-304 (1998)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act, PL 108-187 (2003)
- Electronic Signatures in Global & National Commerce Act, PL 106-229 (2000)
- Communications Assistance for Law Enforcement Act, PL 103-414 (1994)
- Real ID Act, PL 109-13 (2005)
- The Lisbon Treaty (http://europa.eu/lisbon.treaty): significantly affects the data protection framework; it establishes that personal data protection is a fundamental human right
- Federal Information Security Management Act (FISMA), PL 107-347 (2002)
- Computer Fraud and Abuse Act
- Cyber Security Enhancement Act, PL 107-296 (2002)
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, PL 107-56 (2001)
- Cyber stalking, cyber harassment and cyber bullying laws: http://www.ncsl.org/default.aspx?tabid=13495
- Electronic Freedom of Information Act, PL 104-231 (1996)
Compliance Exercise 1(a)
Dimension of Responsibility (fill in one cell per role and dimension)

Role                  | Strict/Direct | Indirect/Vicarious | Fiduciary | Negligent actions
----------------------|---------------|--------------------|-----------|------------------
Board of Directors    |               |                    |           |
Officers              |               |                    |           |
Managers              |               |                    |           |
IT Management & Staff |               |                    |           |
Other Staff           |               |                    |           |
Compliance Exercise 1(b)
Expected Standard of Due Care (fill in one cell per role and scenario)

Role                  | Client's Data Exposed | Industrial Espionage | SEC Fraud | Unethical Behaviour
----------------------|-----------------------|----------------------|-----------|--------------------
Board of Directors    |                       |                      |           |
Officers              |                       |                      |           |
Managers              |                       |                      |           |
IT Management & Staff |                       |                      |           |
Other Staff           |                       |                      |           |
Compliance Management
- Identify regulatory requirements
- Select compliance frameworks
- Document business processes and controls:
  - Implement or update processes and controls
  - Determine control gaps
  - Address and close the gap(s)
- Monitor control status and effectiveness:
  - Identify and remediate issues
  - Review and update the control environment
  - Certify effectiveness
- Communicate results of the analysis to key stakeholders:
  - Train for compliance
  - Generate evidence to support audit requirements
  - Assess the impact of events on controls
Compliance Management Process
Stages of the process:
1. Regulatory Requirements
2. Compliance Framework
3. Business Processes
4. Monitor Controls
5. Communicate & Train
Compliance Management Issues
- No compliance oversight function and/or very low confidence level in risk management
- Lack of compliance awareness and education
- Outdated policies and procedures
- Informal procedures and practices
- Policies, procedures, strategic plans, budget and resource allocation/management that are unknown and/or not well communicated and understood
- Inconsistent application of policies and practices among different areas/departments
- Ineffective/inefficient controls
- Personal accountability that is unenforceable or wrongly placed
Environment for Compliance
- Establish an incentive and reward system based on excellence and hard work.
- Develop an ethical environment that can foster and sustain responsible decisions.
- Build a system of ethical practice throughout the compliance program and the organization.
- Assign the resources and communicate a clear message.
- Drive the cultural change: compliance is the right thing to do.
Source: Michael Volkov, Creating a Culture of Ethics and Compliance
SOX Compliance
Sec. 302 - Faulty financial reporting (data safeguards):
- Prevent data tampering
- Accurate reporting and timelines
- Track data access
- Operational safeguards
- Safeguards effectiveness
- Security breach detection
Sec. 404 - Disclosure and transparency (data security):
- Disclose security safeguards
- Disclose security breaches
- Disclose failure of safeguards
SOX Compliance Frameworks
- COBIT 5 (www.isaca.org/cobit5)
- ISO 27000 (http://www.oanc.ir/iso27k.pdf)
- COSO (http://www.coso.org)
- SANS approach: An Overview of SOX; A Compliance Primer; SOX IT Compliance Audit
Some IT support solutions: Computron, CorreLog, Oracle
SOX Compliance References
- Computron, Sarbanes-Oxley Compliance: A Checklist for Evaluating Internal Controls
- CorreLog, Sarbanes-Oxley (SOX) Compliance Checklist
- Deloitte, Taking Control: A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002
- Ernst & Young, The Sarbanes-Oxley Act at 10: Enhancing the reliability of financial reporting and audit quality
- KPMG, Sarbanes-Oxley Section 404: Summary of key points from submissions to the SEC
- J. Stephen McNally, CPA, The 2013 COSO Framework & SOX Compliance: One Approach to Effective Transition
- Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, FAQs Regarding Section 404
- Splunk, SOX Compliance
Environment changes that have driven framework updates:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexity in business
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud
COSO Cube (2013 Edition)
The update considers changes in business and operating environments.
COSO 2013 (Committee of Sponsoring Organizations of the Treadway Commission) components:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
COSO 2013 Updated Model (17 principles, grouped by component)
Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication:
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO - Example of how controls affect principles
Component: Control Environment
Principle: (1) The organization demonstrates a commitment to integrity and ethical values.
Controls embedded in other components may affect this principle:

Control                                                                                                                                                   | Component in which the control is embedded
----------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------
Human Resources reviews employees' confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity          | Control Environment
Management obtains and reviews data and information underlying potential deviations captured in the whistleblower hotline to assess the quality of information | Information & Communication
Internal Audit separately evaluates the Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon        | Monitoring Activities
GR&C Wrap-up
GRC or ECRG
- Governance, Risk and Compliance (Video)
- Why a GRC Framework? (Video)
- GRC: The Power to Decide (Video)
- Ethics, Compliance, Risk Management & Governance: should it be GRC or ECRG? (Why/why not?)
- What does the ethical component introduce?
- How can ethical governance become the axis?
Ethics and Compliance or Compliance and Ethics
- Society of Corporate Compliance and Ethics, Sally March, Compliance in Europe
- Alstom, Ethics and Compliance: "clean business is great business"
- Lilly, Ethics and Compliance Program
- Ethics & Compliance Officer Association, Standards of Conduct for Ethics and Compliance Professionals
- Education Portal, Corporate Social Responsibility
- Dilbert on Ethics for e-CPE
- DigiPharm, The relationship between compliance and ethics
- Funny FCPA trainings
- Click4Compliance, Global Anti-corruption laws
Teamwork Exercise
Governance Cases
Cases in Governance: Enron
- Lee Ann Obringer, HowStuffWorks: http://money.howstuffworks.com/cooking-books7.htm
- Robert Jon Petersen, Sophia.org: http://www.sophia.org/tutorials/enron-case-study
- The Economist: http://www.economist.com/node/940091
- The FBI, Crime in the Suites: A look back at the Enron Case: http://www.fbi.gov/news/stories/2006/december
- Leigh Tesfatsion, Iowa State University: http://www2.econ.iastate.edu/classes/econ353/tesfatsion/enron.pdf
Cases in Governance: Tyco International
- Lee Ann Obringer, HowStuffWorks: http://money.howstuffworks.com/cooking-books10.htm
- Tyco Fraud InfoCenter: http://www.tycofraudinfocenter.com/information.php
- Daniels Fund Ethics Initiative, University of New Mexico: http://danielsethics.mgt.unm.edu/pdf/Tyco%20Case.pdf
- Law Teacher, Unethical issues or legal issues in Tyco International: http://www.lawteacher.net/company-law/essays//unethical-issues-or-legal-issues-in-tyco-international-company-law-essay.php
- Study Mode: http://www.studymode.com/essays/Tyco-International-Case-Study-1022395.html
Cases in Governance: WorldCom
- Lee Ann Obringer, HowStuffWorks: http://money.howstuffworks.com/cooking-books9.htm
- Romar et al., Santa Clara University, WorldCom Case Study: http://www.prmia.org/sites/default/files/references/WorldCom_Case_Study_April_2009.pdf and http://www.scu.edu/ethics/dialogue/candc/cases/worldcom-update.html
- Kristin A. Kennedy, An Analysis of Fraud …, University of New Hampshire: http://scholars.unh.edu/cgi/viewcontent.cgi?article=1099&context=honors
Cases in Governance: Adelphia
- The Adelphia Case Scandal (AICPA): http://www.aicpa.org/InterestAreas/AccountingEducation/Resources/DownloadableDocuments/adelphia.ppt
- CNN Money, The Adelphia Story: http://money.cnn.com/magazines/fortune/fortune_archive/2002/08/12/327011/
- C.P. Carter et al., The Adelphia Fraud, American Accounting Association: http://aaahq.org/fia/attachments/fia-newsletter-v2n3.pdf
- Adelphia Communications Case Study: http://www.docstoc.com/docs/23287542/Adelphia-Communications-A-Case-Study
Cases in Governance: Peregrine Systems
- FBI, Peregrine Systems Indictment: http://www.fbi.gov/news/pressrel/press-releases/executives-and-auditor-of-peregrine-systems-inc.-indicted-on-securities-fraud-charges
- Wikipedia: http://en.wikipedia.org/wiki/Peregrine_Systems