IT Security under COSO's ERM Framework and Key Risk Indicators


Adrianne Lopes & Xuyang Xie

Introduction

A corporation is built on the fundamental idea that its objective is to provide value to its stakeholders. Though this is a simple principle, an entity faces uncertainty and many risks in pursuing it. Enterprise Risk Management (ERM) gives management a means of dealing with that uncertainty.

Investors face risk, but the world today is also dangerous for corporations. Technology has created tremendous opportunities, and it has also exposed many organizations to risks they did not anticipate. To manage such risks, firms must understand their threat environment. The security objectives of confidentiality, integrity, and availability thus become an essential part of ERM. IT security is not a product but a process, and it must be pursued proactively.

COSO's ERM Framework

The Sarbanes-Oxley Act requires a corporation to use a well-developed, comprehensive control framework. The act does not mandate a specific framework, but COSO is the only one the implementing guidance explicitly recognizes as acceptable.

Main objectives of the COSO framework:
Operations -- The firm wishes to operate effectively and efficiently, which requires control over its general internal operations.
Financial Reporting -- The firm must produce accurate financial reports.
Compliance -- The firm wishes to comply with external laws and regulations.

COSO's ERM Framework (continued)

Five components for evaluating internal controls:
Control Environment -- The foundation and tone of the organization: the integrity, ethical values, competence, philosophy, and operating style of employees and managers at all levels.
Risk Assessment -- Identifying, analyzing, and managing the risks that may impede objectives. Risks can be operating, economic, industry, or regulatory in nature.
Control Activities -- How the identified risks are mitigated. Policies such as segregation of duties, approvals, reviews, reconciliations, and authorizations should be in place.
Information and Communication -- Information on both internal and external events should be shared, and it must be timely to be relevant.
Monitoring -- Risks and procedures should be monitored continually and changed as necessary.

COSO's ERM Framework (continued)

Section 404 of SOX requires public companies to demonstrate due diligence over their disclosures of financial information. Organizations must also implement appropriate internal controls and procedures to communicate, store, and protect that data. In practice, complying with Section 404 means:
Overhauling or upgrading financial systems to meet regulatory requirements for more accurate, detailed, and timely filings.
Examining the control processes within the IT department and applying best practices to meet the act's goals as they relate to COSO and ERM objectives.
Working with internal and external auditors to ensure that information system customizations do not override controls.
Working with corporate officers to create a document retention and destruction policy.

Key Risk Indicators

A Key Risk Indicator (KRI) is a management measure of how risky an activity is. Risk indicators are an important tool in risk assessment, risk monitoring, and risk control. Organizations use KRIs to detect early signals of increasing risk exposure in different areas of the enterprise.

Key Risk Indicators (continued)

Purposes (functions) of risk indicators:
Risk monitoring -- Indicators track changes in exposure to operational risk and help identify emerging risk trends, current exposure levels, and events that could recur.
Supporting operational risk assessments -- They provide a way to track a company's risk exposures between full updates of its operational risk assessment process.
Supporting risk appetite monitoring and governance -- They link current, near-real-time exposure levels to the stated risk appetite.
Supporting performance and strategic management -- Indicators measure how a company is progressing toward its overall objectives and the performance of the activities that matter to achieving them.
Supporting regulation and capital assessments -- Risk indicator data can highlight potential areas of weakness.

Key Risk Indicators (continued)

Effective KRIs: The selection and design of effective KRIs matters. The goal is to identify relevant metrics that give useful insight into potential risks that may affect the achievement of the organization's objectives.

Key Risk Indicators (continued)

Characteristics of KRIs:
Relevance -- An indicator must be relevant to what is being monitored; that is, it must track the level of risk exposure.
Measurable -- Indicators should be numbers or counts, monetary values, percentages, ratios, time durations, or values from a pre-defined rating scale.
Predictive -- Predictive indicators say what is going to happen rather than merely infer that something is changing. A single indicator by itself is of little use; it needs context to become predictive.
Easy to monitor -- The data should be relatively easy to interpret, understand, and monitor.
Auditable -- An indicator must be easy to verify, and the indicator selection process needs independent validation.
Comparability -- A company's indicators and its selection process should be assessed for comparability, both within the company and more broadly across the industry the indicator reflects.

IT Security and IT Security Exploits

Threat environment: the types of attackers and attacks a company faces.
Security goals (CIA): Confidentiality, Integrity, Availability.

IT Security and IT Security Exploits (continued)

Information security -- All the steps taken to protect information and information systems from unauthorized access, use, disclosure, disruption, or destruction.
Comprehensive security -- Organizations must close off all possible routes of attack, because an attacker needs only one unprotected avenue to succeed.
Weakest link failure -- If the failure of a single element of a system ruins its security, this is called weakest link failure.

IT Security and IT Security Exploits (continued)

Vulnerability: a security weakness that allows an attacker to reduce a system's information assurance. An exploit takes advantage of a vulnerability. The first step of a company's risk analysis is to find out what its security vulnerabilities are.

Types of vulnerability:
Hardware vulnerability
Software vulnerability
Network vulnerability
Personnel vulnerability
Site vulnerability
Organizational vulnerability

Examining IT Security

Companies need to identify all of their resources to find out where the weakest links (vulnerabilities) are, and then develop KRIs and a security program for each one. The COSO ERM framework and the KRI criteria above can be used to examine a company's comprehensive IT security.

Examining IT Security -- Hardware

Hardware vulnerabilities are relatively easy to detect and monitor, but the damage can be huge and irreversible.
Most common hardware vulnerabilities:
Susceptibility to humidity, dust, and soiling
Susceptibility to unprotected storage
Sabotage by an attacker
Controls on hardware security:
Equipment siting and protection
Supporting utilities
Cabling security
Security during off-site equipment maintenance
Security of equipment off-premises
Secure disposal or reuse of equipment
Rules for the removal of property

Examining IT Security -- Software

Software is easier for attackers to exploit when it has had insufficient testing and lacks an audit trail.
Response to software risk:
Perform internal and external vulnerability tests. The output is a list of recommended fixes, and follow-up should be done to confirm they are applied.
Build a software audit trail from the beginning to keep track of the software's quality.
Audit the software currently in use.

Examining IT Security -- Network

Most companies' external and internal communications run over networks, and most attacks arrive over the network.
Sources of network vulnerability:
Unprotected communication lines
Insecure network architecture
Response to network risk:
Protect communication lines in proportion to the sensitivity of the data they carry
Design a secure network architecture from the beginning and test it for vulnerabilities
Firewalls

Examining IT Security -- Personnel

Personnel risk is more difficult to manage because it is abstract.
Key risk indicators include:
Poorly recruited candidates
Current employees who do not follow, or pay attention to, the processes in place
Response to personnel risk:
Audit employee access to IT systems and cut off access privileges for terminated or resigning employees
More security training for employees, including ethics and acceptable use policies
Set standards and guidelines for employees
Segregation of duties within the systems development staff
Authentication to confirm users' identities, and authorization processes that grant permission to have or do something

Examining IT Security -- Site

Unexpected external threats such as floods, unreliable power sources, etc. A company should recognize the risk of such an occurrence, take the necessary precautions, and establish an emergency plan of action.
Response to site risk:
Proper planning to prevent site risks, e.g., housing the main server on an upper level to protect against flooding
Generators and power backup to prevent data loss during power outages

Examining IT Security -- Organizational

Organizational risk arises from a lack of monitoring and auditing of the policies and procedures that have been implemented.
Response to organizational risk:
A company's objective should be more than meeting compliance standards. As noted earlier, security measures that appear to be functioning are not proof that they are: IT security threats run deeper than what is tested to receive a clean audit opinion.
Built-in preventive IT controls such as edit checks can automatically ensure that transactions are complete, accurate, authorized, and valid. Organizations should test to confirm and validate the existence and operating effectiveness of both general and application controls. Internal auditors should use corrective controls such as IT control mapping and alarms or alerts to find key controls that are weak or missing and compensate for them as necessary.
For effective ERM implementation, all controls must be monitored continuously, because IT and organizational changes occur rapidly.
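The personnel and organizational slides both end in controls that can be tested mechanically: cutting off access for terminated employees and enforcing segregation of duties (a general control), and edit checks that reject transactions that are incomplete, inaccurate, unauthorized, or invalid (an application control). The following is an added example, not code from the original presentation, showing one way to test both controls and to turn the first finding into a measurable, auditable KRI. The HR feed, account export, transaction batch, role names (AP_CLERK, AP_APPROVER), vendor list, and approval limit are all constructed for illustration.

```python
"""Added example, not from the original slides: tests of two controls the slides
call for, run over constructed sample data. General control (personnel slide):
enabled accounts of terminated employees, segregation-of-duties conflicts and a
KRI derived from the first. Application control (organizational slide): edit
checks on a transaction batch for completeness, accuracy, authorization and
validity. Every record, role name, vendor and limit is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str            # "active" or "terminated", as reported by HR

@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str
    enabled: bool
    roles: frozenset

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: Optional[float]
    vendor: Optional[str]
    submitted_by: str
    approved_by: Optional[str]


# Constructed HR feed and account export (hypothetical role names)
EMPLOYEES = [
    Employee("E1", "active"),
    Employee("E2", "terminated"),
    Employee("E3", "active"),
    Employee("E4", "terminated"),
]
ACCOUNTS = [
    Account("alice", "E1", True, frozenset({"AP_CLERK"})),
    Account("bob", "E2", True, frozenset({"AP_CLERK"})),       # terminated, never cut off
    Account("carol", "E3", True, frozenset({"AP_CLERK", "AP_APPROVER"})),  # enters and approves
    Account("dave", "E4", False, frozenset({"AP_APPROVER"})),  # correctly disabled
]
SOD_CONFLICTS = [frozenset({"AP_CLERK", "AP_APPROVER"})]  # role sets one person may not hold
APPROVED_VENDORS = {"ACME", "GLOBEX"}
APPROVAL_LIMIT = 10_000.00

TRANSACTIONS = [  # constructed batch
    Transaction("T1", 120.00, "ACME", "alice", "carol"),    # passes every check
    Transaction("T2", None, "ACME", "alice", "carol"),      # amount missing
    Transaction("T3", 50.00, "ACME", "carol", "carol"),     # self-approved
    Transaction("T4", 75.00, "UNKNOWN", "alice", "carol"),  # vendor not on file
    Transaction("T5", -10.00, "ACME", "alice", "carol"),    # non-positive amount
    Transaction("T6", 20000.00, "ACME", "alice", "bob"),    # bob cannot approve; over limit
]


def stale_accounts(employees, accounts):
    """Usernames still enabled although HR lists the owner as terminated."""
    gone = {e.emp_id for e in employees if e.status == "terminated"}
    return [a.username for a in accounts if a.enabled and a.emp_id in gone]

def sod_violations(accounts, conflicts):
    """Usernames holding every role of some conflicting role set."""
    return [a.username for a in accounts if any(pair <= a.roles for pair in conflicts)]

def access_kri(employees, accounts):
    """KRI: percent of enabled accounts owned by terminated staff. A ratio
    (measurable), recomputable from the two exports (auditable), and
    comparable across systems or reporting periods."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    return round(100.0 * len(stale_accounts(employees, enabled)) / len(enabled), 1)

def edit_check(txn, roles_by_user):
    """Failed checks for one transaction; an empty list means it is accepted."""
    failures = []
    if None in (txn.amount, txn.vendor, txn.approved_by):       # complete
        failures.append("incomplete")
    if txn.amount is not None and (txn.amount <= 0 or round(txn.amount, 2) != txn.amount):
        failures.append("inaccurate")                            # accurate: positive, to the cent
    if txn.approved_by is not None:                              # authorized: approver role, not self
        if "AP_APPROVER" not in roles_by_user.get(txn.approved_by, frozenset()) \
                or txn.approved_by == txn.submitted_by:
            failures.append("unauthorized")
    if (txn.vendor is not None and txn.vendor not in APPROVED_VENDORS) \
            or (txn.amount is not None and txn.amount > APPROVAL_LIMIT):
        failures.append("invalid")                               # valid: known vendor, within limit
    return failures

def run_edit_checks(txns, accounts):
    """Map txn_id -> failed checks for every transaction that fails at least one."""
    roles = {a.username: a.roles for a in accounts if a.enabled}
    return {t.txn_id: f for t in txns if (f := edit_check(t, roles))}


if __name__ == "__main__":
    print("Enabled accounts of terminated staff:", stale_accounts(EMPLOYEES, ACCOUNTS))
    print("Segregation-of-duties conflicts:", sod_violations(ACCOUNTS, SOD_CONFLICTS))
    print(f"KRI, stale enabled accounts: {access_kri(EMPLOYEES, ACCOUNTS)}%")
    for txn_id, failed in run_edit_checks(TRANSACTIONS, ACCOUNTS).items():
        print(f"{txn_id}: rejected ({', '.join(failed)})")
```

Note how the two controls interact in the sample: carol's segregation-of-duties conflict is exactly what lets T3 reach the approval step self-approved, and the edit check catches it only because the authorization rule compares approver and submitter rather than trusting the approver role alone. Run against real exports, the same three functions give an auditor the evidence of operating effectiveness the organizational slide asks for, rather than an assertion that the control exists.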

Conclusion

IT security exploits pose a risk to firms, and key risk indicators are used to assess these risks. Both are essential to the internal controls of a business entity and a major factor in enterprise risk management. The organization's mission and risk appetite influence the operating, financial reporting, and compliance objectives it chooses. Management must address and monitor all IT security components, even those that are not audited for compliance or fall outside the generally accepted framework, to ensure it is truly managing its risks.