IT GRC-based IT internal control framework

Young Rok Yu*, Seong Chae Seo**, Byung Ki Kim**
* CAS Inc., Seoul, Korea
** Department of Computer Science, Chonnam National University, Korea
[email protected], [email protected], [email protected]

ISBN 978-89-968650-0-1, January 27 ~ 30, 2013, ICACT2013

Abstract—Recently, personal information leakage and computer hacking occur constantly. The majority of the incidents are caused by the negligence of IT internal control. It is practically impossible to prevent all the security incidents caused by insiders. However, an automated IT internal control system, which considers administrative, technical and physical internal control reinforcement for precaution and rapid response against an incident in its early stage, can reduce the security threat considerably. The object of this paper is to present an IT internal control framework with an enterprise-wide perspective that embraces administrative, technical and physical internal control reinforcement.

Index Terms—IT GRC, IT Internal Control, Governance, Risk Management, Compliance

I. INTRODUCTION

Recently, personal information leakage and computer hacking occur constantly. The majority of the incidents are caused by the negligence of IT internal control. Authorities have established some regulations and standard criteria for IT internal control enhancement, but companies need a solution for IT internal control for themselves.

Following the internal control improvement strategy issue report of finance IT [1] published by the Financial Security Agency in 2011, 60 percent of the security accidents are caused by insiders, and large companies are more vulnerable to insider threats.

According to CERT USA in 2009, the representative insider security incident types are as follows:

- IT Sabotage by a system administrator who has dissatisfaction about their work or company, or by a specially privileged user (45%).
- Theft or modification aimed at monetary profit by a user who has legitimate system access privileges, during working hours (44%).
- Theft or modification aimed at business profit by the person in charge.

The server/network shutdown and data deletion by an ex-Gucci America employee in April 2010 is a typical example of an insider security incident. Gucci America estimated the damage at $200,000. The main reason for this incident was poor access control. Another example is the Bank of America confidential information leakage. This incident was caused by an ex-program developer.

Organizations which audit accounting internally are doing IT internal control using risk management, regulation and testing in IT fields. However, it is usually just a formality. Organizations are using information security programs to control and respond efficiently to the increasing security threats from inside the organization, but such programs cover a very limited area of internal control. That is, organizations make an effort to reinforce internal control, but there is no sufficient enterprise-wide internal control framework which can maintain the administrative, technical and physical ways at one point.

It is practically impossible to prevent all the security incidents caused by insiders. However, an automated IT internal control system, which considers administrative, technical and physical internal control reinforcement for precaution and rapid response against an incident in its early stage, can reduce the security threat considerably. To reduce the security threats, it is necessary to build an IT internal control framework that embraces administrative, technical and physical internal control reinforcement.

This research presents an IT internal control framework, embracing administrative, technical and physical internal control reinforcement, based on IT GRC (Governance, Risk management, Compliance). Governance defines administrative plans such as policy management, IT audit and response to security incidents. Risk management defines technical and physical plans such as the access control, server vulnerability, personal information access and information leakage components. Compliance defines Control Self Assessment (CSA) and compliance components such as personal information level evaluation.

This framework is a unified IT internal control framework which satisfies the personal information access record archiving and privacy internal control system of the Privacy Security Act of Korea and the inside data leakage prevention of the Industrial Technology Security law, and it is differentiated from integrated log management, security management, or ESM.


II. RELATED RESEARCH

A. IT GRC

IT GRC consists of Governance, Risk and Compliance. IT Governance is composed of leadership, organizational structure and the process that IT supports and extends the organization's strategies and objectives [2]. In the current field of internal control frameworks, research such as Policy Management and IT Audit is not satisfactory.

IT Risk is a business risk associated with IT use, ownership, operation, involvement, influence and adoption. It is classified in a variety of ways, such as IT benefits / value realization, IT program and project delivery, and IT operations and service delivery [3]. However, the implementation of the Risk IT framework is rather weak at accommodating the COSO ERM (Enterprise Risk Management).

IT Compliance means domestic and foreign IT related laws and regulations. The financial IT security compliance framework, in accordance with the law and the nature of the standard, is classified as a total of 19 financial and security related laws and security standards [4].

B. IT GRC Framework for Consideration

The IT GRC process model is a combination of IT governance, Risk management and IT Compliance to proceed with the analysis and control [5]. In the model, IT governance, as shown in the figure below, follows ISO/IEC 38500:2008 [6]; risk management follows the COSO ERM framework [7]; finally, IT compliance follows a generic model.

[Figure 1] IT GRC process model

Gartner identifies four primary functions of enterprise-wide governance, risk, and compliance platforms: audit management, compliance management, risk management, and policy management [8].

C. Information Security Control Activity

Jeong [9] has empirically studied the moderating effects on organizational effectiveness of Information Security control activities (physical security, administrative security, technical security). He verified the impact on organizational effectiveness of Information Security control activities (physical security, technical security, administrative security); as the result of the verification, the effects of the physical security, technical security and administrative security factors on organizational effectiveness have been revealed to be statistically significant.

III. IT INTERNAL CONTROL FRAMEWORK

This chapter presents the components that comprise the IT internal control framework and the internal control practices.

[Figure 2] IT GRC-based IT Internal Control Framework

A. Component Elements

This chapter defines the components needed in internal control from the IT GRC perspective. From the perspective of IT Governance: policy management and IT Audit; IT Risk: continuous monitoring, response management and risk assessment; IT Compliance: CSA and level of assessment.

[Figure 3] IT Internal Control Framework Diagram

Policy management

Policy management administers an enterprise-wide policy needed for IT internal control. It consists of scenario management for IT Risk continuous monitoring and early warning, checklist management for CSA, management of the level assessment indicators for evaluation of the level such as Information Security Evaluation, a dashboard that can determine the status of the overall internal control, and law and regulations configuration management to manage the laws and regulations relevant to internal control.

A Risk Scenario is a narrative about IT incidents that can impact the business. To monitor the possible vulnerability, it collects personal information access records, DLP (Data Leakage Protection), VPN (Virtual Private Network), access control and a variety of other security-system data, and it creates a scenario for where the IT Risk is. For example, it pertains to large amounts of personal information that allowed non-IP access and download if the mail is sent.

All scenarios define a specification for continuous monitoring, the KRI (Key Risk Indicator) for measuring the risk. In one scenario, multiple KRIs can be defined. This is the same principle as the one used to measure various events. The KRI manages the risk score so that appropriate indicators of normal values, the caution and warning thresholds, and the corresponding risk can be assessed. From the existing scenarios and the source data of the scenario target, the user responds to changes in the business with scenario generation, simulation and registration.

[Figure 4] IT Risk Model (Scenario 1..* KRI; KRI 1..1 Threshold {min, max, normal, caution, warning}; Risk Score)
Risk Score = (Finance + Media + Users) effect * weighting
Risk Level = {A, B, C, D, E}

A Checklist is the check item to manage IT Compliance across the enterprise self-check. It manages check contents, check items, detailed items, ratings, check intervals, importance and target institution.

The level of evaluation indicator manages indicators to diagnose the internal and external IT Compliance level, including Security level, Information Security level diagnosis and Privacy diagnosis. It manages diagnostic items, detailed diagnostic items, check point, judgment, improvement and measures, and diagnostic results.

IT Audit

IT Audit manages the process for IT Audit. It consists of audit planning, audit execution and follow-up management. IT Audit utilizes the continuous monitoring status to make the yearbook audit planning, and proceeds to perform audit preparation, audit execution and audit reports based on the audit plan, and to perform post disciplinary management based on the results of the audit. By utilizing the status of IT Risk monitoring, it performs risk-based IT audit such as focused audit matters, inspired, auditable selection.

Continuous Monitoring

Continuous monitoring constantly monitors the IT Risk scenarios that are subject to the IT internal control. IT Risk scenarios can be divided into personal information, information leakage and vulnerability. Continuous monitoring can drill down the statistics for each scenario and check the detailed information in the summary. If a vulnerability can take place while checking the details of the scenario, it can take hold of the vulnerability and generate a list of vulnerabilities.

Response Management

By IT Risk scenarios, internal control personnel request responses, and it provides the response personnel an opportunity to explain the reason rationally.

Risk Assessment

By assessing the degree of IT Risk Scenarios incurred, scenario-specific, personalized and organization-wide, Risk Assessment is used as a reference or the strategy for future IT audit and improvement.

[Figure 5] IT Internal Control Workflow

CSA

CSA plans and assesses the evaluation of the defined internal control checklist and compiles statistics to determine the level of awareness of the enterprise-wide internal control.

[Figure 6] CSA result Example

Level Assessment

Level Assessment manages the current level based on the Information Security evaluation and Privacy evaluation defined at the level of the internal and external evaluation indicators.


[Figure 7] G-ISMS (Government-ISMS) Level Assessment Example

B. IT Internal Control Instances

For internal control, the IT Risk scenarios consist of the personal information, information leakage and vulnerability scenarios. The personal information scenario means misuse of the personal information in the record of access to the personal information processing system. The information leakage scenario means a scenario where personal and confidential information can be leaked. The vulnerability scenario can cause internal vulnerabilities from right management and access control.
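The scenario / KRI / threshold model of Figure 4 and the personal information scenario type above, worked as an added example that is not the paper's or CAS Inc.'s code: a small Python evaluator runs one "personal information" scenario with two KRIs over constructed access records and reports each KRI's band, the Risk Score and the Risk Level. The band edges, the band factor, the (Finance, Media, Users) values, the A-E cut-offs (A taken as highest risk), scaling the score by the worst band, and the record format are all assumptions.

```python
from dataclasses import dataclass

# Constructed personal-information access records: the kind of source data the
# paper says a scenario collects (access record, DLP, VPN, access control).
ACCESS_RECORDS = [
    {"user": "u100", "records": 40,   "channel": "view",     "registered_ip": True},
    {"user": "u100", "records": 30,   "channel": "view",     "registered_ip": True},
    {"user": "u207", "records": 1200, "channel": "download", "registered_ip": False},
    {"user": "u207", "records": 800,  "channel": "mail",     "registered_ip": False},
    {"user": "u311", "records": 150,  "channel": "download", "registered_ip": True},
]

@dataclass(frozen=True)
class KRI:                 # Key Risk Indicator; one scenario may define several
    name: str
    thresholds: tuple      # Figure 4 band edges (normal, caution, warning); above = max (assumed)
    measure: object        # callable: records -> observed value

@dataclass(frozen=True)
class Scenario:            # personal information / information leakage / vulnerability
    name: str
    kris: list
    effect: tuple          # Figure 4 (Finance, Media, Users) effect, assumed 0..3 each
    weighting: float

BAND_FACTOR = {"normal": 0, "caution": 1, "warning": 2, "max": 3}   # assumed

def band(value, thresholds):
    """Place an observed KRI value into a Figure 4 threshold band."""
    for name, edge in zip(("normal", "caution", "warning"), thresholds):
        if value < edge: return name
    return "max"

def risk_score(s, records):
    """Risk Score = (Finance + Media + Users) effect * weighting (Figure 4); here it is
    also scaled by the worst KRI band so an all-normal scenario scores 0 (assumed)."""
    worst = max(BAND_FACTOR[band(k.measure(records), k.thresholds)] for k in s.kris)
    return sum(s.effect) * s.weighting * worst

def risk_level(score):
    """Risk Level = {A, B, C, D, E}; A taken as the highest risk, cut-offs assumed."""
    for level, floor in (("A", 24), ("B", 16), ("C", 8), ("D", 1)):
        if score >= floor: return level
    return "E"

# KRIs for the paper's own example: large amounts of personal information read by
# one user and mailed/downloaded from a non-registered (non-IP) address.
def max_records_per_user(records):
    per_user = {}
    for r in records:
        per_user[r["user"]] = per_user.get(r["user"], 0) + r["records"]
    return max(per_user.values(), default=0)

def records_out_from_unregistered_ip(records):
    return sum(r["records"] for r in records
               if r["channel"] in ("mail", "download") and not r["registered_ip"])

PERSONAL_INFO = Scenario("personal information", [
    KRI("records accessed per user", (100, 500, 1000), max_records_per_user),
    KRI("records out from non-registered IP", (1, 100, 500), records_out_from_unregistered_ip),
], effect=(3, 3, 2), weighting=1.0)

def evaluate(s, records):
    """Continuous-monitoring summary: each KRI's band, then the scenario's score and level."""
    kris = {k.name: band(k.measure(records), k.thresholds) for k in s.kris}
    score = risk_score(s, records)
    return {"scenario": s.name, "kris": kris, "score": score, "level": risk_level(score)}
```

Running `evaluate(PERSONAL_INFO, ACCESS_RECORDS)` flags u207's 2000 records mailed and downloaded from a non-registered address as band "max" on both KRIs (score 24.0, level A), while the two routine "view" records alone stay normal (level E).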

IV. RESULT AND DISCUSSION

Below is the example that implements an IT security internal control system using the IT internal control framework.

[Figure 8] IT GRC-based IT Security Internal Control Framework

Control for external attacks is being built, and internal control is being operated by DLP, VPN and access control; however, internal information leakage and IT Sabotage occur consistently. By utilizing the IT internal control framework, possible vulnerability or early detection of vulnerability can be managed.


With the future security area, the IT internal control zone can extend the area to IT strategy, build and operation.

V. SUMMARY AND CONCLUSION

Although there are already a variety of security-related solutions, an internal control system is required for responding to internal control issues, such as information leakage. Also, it needs to have an integrated IT internal control system for systemizing it and to set up a culture of internal control.

REFERENCES

[1] S. H. Hong, "Strategy for Strengthen Financial IT Internal Control", Issue Report, vol. 2011-008, Financial Security Agency, 2011.

[2] Electronic Publication: "Cobit 5.0", at http://www.isaca.org/Knowledge-Center/cobit/Pages/Overview.aspx

[3] Electronic Publication: "Risk IT", at http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx

[4] T. H. Kim, Y. T. Kim and J. M. Sung, "A Study on Financial IT Security Compliance Framework", in Proceedings of the Korea Information Processing.

[5] N. Racz, A. Seufert, and E. Weippl, "A process model for integrated IT governance, risk, and compliance management," in Proceedings of the Ninth Baltic Conference on Databases and Information Systems (DB&IS 2010), 2010, pp. 155–170.

[6] Electronic Publication: C. McClean, K. McNabb and A. Dill, "The GRC Technology Puzzle: Getting all the Pieces to Fit," 2009. Accessed 10 January, 2010, at http://www.forrester.com/Research/Document/Excerpt/0,7211,45772,00.html

[7] M. Rasmussen, "Hand in Hand," Business Trends Quarterly, vol. 2:2, May 2007, pp. 44–46.

[8] N. Racz, E. Weippl and A. Seufert, "Governance, Risk & Compliance (GRC) Software – An Exploratory Study of Software Vendor and Market Research Perspectives", 2011, Proceedings of the 44th Hawaii International Conference on System Sciences.

[9] G. H. Jeong, S. R. Jeong, "The Effect of Information Protection Control Activities on Organizational Effectiveness: Mediating Effects of Information Application", Intelligence and Information Systems, vol. 17:1, May 2011, pp. 71-90.

Young Rok Yu has completed a PhD in computer science from Chonnam National University in 2001. He received the MSc degree in computer science from Chonnam National University in 1998. He has worked for CAS Inc. in Seoul, Korea. His research interests are in GRC (Governance, Risk management, Compliance), software security and software engineering.

Seong Chae Seo received his PhD in computer science from Chonnam National University in 2006. He received the MSc degree in computer science from Chonnam National University in 1997. He is currently a post-doctoral researcher of computer science in the Chonnam National University in Gwangju, Korea. His research interests are in software analysis, software engineering, software quality, software security, software process and UML.

Byung Ki Kim received his PhD in mathematics from Chonbuk National University in 2000. He was chairman of Korea Information Process Science (KIPS) in 2007. He is currently a full professor of computer science in the Chonnam National University in Gwangju, Korea. His research interests are in software analysis, software engineering, software quality, software security, software process and software testing.