Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
ERM from a $100M, public company perspectiveDavid Wagner, Chief Financial Officer, Entrust, Inc.Presentation to NC State University College of Management: Enterprise Risk Management Round tableNovember 18, 2005
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 2
Enterprise Risk Management“An Information Security CFO’s point of view”
• Introduction
• Small Company response to SOX 404
• Information Security Risks
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 3
David Wagner, CFO Entrust, Inc.
• BS Accounting, Pennsylvania State University
• MBA, Finance, Pennsylvania State University
• Raytheon Corporation - 1986-1991• Nortel Networks - 1991-1995• Entrust Inc., Controller - 1995-2003• Entrust Inc., CFO - 2003- present
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 4
We are Security Specialists…• Headquartered in Dallas (offices in Ottawa,
Washington DC, London, Germany, China & Japan)
• #12 of 600+ security software companies, with approx. $100M in annual revenues
• Industry pioneer and leader, with approximately 500 employees, market leading products and over 100 patents
• Best in class service and support, and integration for leading technology vendors
• Strong financial position - $83M of cash- no debt.
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 5
Known by the Customers We Keep• More than 1450 enterprises and global governments
worldwide in over 50 countries have licensed Entrust’s products
• Entrust has prominence with industry leaders around the globe:– 8 of the top 10 Global Telecom companies– 7 of the top 10 Global Pharmaceutical companies– 8 of the top 10 Global Aerospace and Defense Companies– 7 of the top 10 Global Commercial Savings Banks– 4 of the top 5 Global Petroleum Companies
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 6
Enterprise Risk Management“An Information Security CFO’s point of view”
• Introduction
• Small Company response to SOX 404
• Information Security Risks
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 7
Sox 404 at Entrust
1) Approach – A case study
2) Lessons learned about Sox 404
3) Lesson learned about Enterprise Risk
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 8
Approach – Accounts & ProcessesPer PCAOB and COSO guidance; Risk assessment
– Team identified
– Significant accounts identified– Materiality– Inherent Risk
– Significant processes identified– Control risk
– Intersection point of all above: ‘The Matrix’
– Set priority to attack processes
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 9
The 404 Team Audit Committee
CFO CIO
Project Manager
Corporate Controller
FinanceAccounting
StaffIT Operations Legal Third Party
Audit FirmExternalAuditor
Lucky Good
- Project Manager on staff - Strong Accounting staff (5 CA of 9 staff in 1997)
- Strong CIO with Governance Bias - Good process culture, executive support
- Audit Committee support
-----------------
Testing of all key
controls
AttestationDocumentation/Peer Reviews/Testing of low risk accounts & processes.
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 10
Management Assertion
What could go wrong?
What are the key controls?
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 11
Approach – Initial Findings
• Controls Operating and Effective but not documented– Example: Finance Balance Sheet Review meetings.
• Second Level reviews and sign-offs– Example: Payroll Canada; one person enters, submits,
processes and reconciles. Added second level review of key reports and authorization of any ‘one-off’ payments.
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 12
Approach –Risk & Controls Repository
Use of existing portal
- Entrust get Access
- Lotus Domino Database
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 13
0 %1 8 %
2 4 %
1 8 %
8 %
3 2 %
0 %0 %0 %0 %
7 2 %
1 0 %
1 2 %
3 % 3 %
7. Internal Testing
8. GT Formal Review
3. Owner Rework4. Second Team Review
6. Test Plan
April July
September 1 Owner Documentation2 First Team Review3 Owner Rework4 Second Team Review5 E&Y Review6 Test Plan7 Internal Testing8 GT Formal Review9 Formal Remediation10 Ongoing Monitoring
Project Management - Status
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 14
Timeline - SeptemberEntrust Sarbanes-Oxley Compliance Project
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
High Level Timeline
Milestones
1 Set Objectives and Team2 Process, Risks, & Controls Documentation3 Initial owner & team assessments4 Ongoing Remediation of Controls5 Formal Internal Control Test Plan & Testing 6 Interim Internal Control Enhancements/Fixes7 Intermin Review, Test & Feedback8 Ongoing Control Monitoring9 Final Signoff
2004
Original Timeline - April 2004Updated Timeline - July 2004Updated Timeline - Sept 2004
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 15
Internal Testing Results: Individual Controls (December)• Total 116 individual controls
identified to test– Green: Testing completed &
passed– Yellow: Testing in progress, item
to be reviewed at year end, or in Remediation.
– Red: Testing resulting in significant issue, or further testing not yet resolved
THEN:
Entrust Control Testing Status October
NOW
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 16
Approach – IT General Controls• Information Security Governance Process
– Risk assessment by business unit based on ISO17799
– Very little guidance existed for SOX IT issues before July 2004
– Compliance requirements for SOX and other legislation (SB1386, PIPEDA) incorporated in framework and process
– Unacceptable risks result in action item (SOX compliance example would include missing documentation of key control is considered risk)
– Focus on Finance data and application:• Confidentiality• Integrity• Availability
– Mapping of ‘COBIT for SOX’ items back to framework to ensure coverage
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 17
Entrust 404 Project Summary
• 42 Accounts and 66 processes identified• 41 Key processes documented• 116 key controls identified & tested in Finance• 92 IT general controls supporting 2 Key applications
Entrust 404 Project Cost
• ~ 20% of 2004 Finance & Accounting staff hours , plus one full-time project manager
• ~ 30% of 2004 IS/IT resources• + 55% additional fees for external testing (not auditor) • + 101% additional audit fees to external auditor
Entrust 404 Project Scope
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 18
2 Questions on 4041) Was it worth what paid for?
No! $2.5 million - 2.5% of Revenue
2) Did you get anything worthwhile from 404?Yes!
- Risk Based Review of the organizations;
- Internal controls and processes documented
- Internal control processes permeated throug the organization- Operations- HR- Legal- IT
- Strengthened Ownership of Internal Controls
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 19
Lessons Learned• Risk based
- focus on significant accounts and processes, and then- key controls within those accounts and processes.
• Complete documentation internally• Do not get caught up in a software implementation, but tools are
important.• Establishing a common framework is fundamental
- Information Security Governance- Risk Based Assessment and mitigating controls
• Intellectual Property Processes• Information Systems and Controls are fundamental
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 20
Going Forward – 2005 and Beyond
Maintain documentation as you go.Build control documentation into everyday processes.Continuous monitoring and project management.Objective to reduce costs 50%
- Moved 60% of 3rd party testing in-house- Continue to work with external auditor to alternatives to traditional
working paper documentation
On-going risk based focus.
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 21
Enterprise Risk Management“An Information Security CFO’s point of view”
• Introduction
• Small Company response to SOX 404
• Information Security Risks
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 22
Business compliance realities:
Access to Services & Information
CustomersStreamlined Business
Processes
SuppliersEmployees
Improved Productivity & Self-Service
CorporateCompliance
RegulatoryCompliance
Enterprises & Governments are Extending Outside
Increased Legislation Compliance Anxiety
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 23
Governance & RegulationExtended Enterprise & Govt.
HIPAAGLBA
SEC Regulations
BASEL II
Sarbanes-Oxley
EU Data Protection Act
FISMA
Employees SuppliersCustomers
Enterprise-wide policies required:
Policy&
AccessManagement
Shift from Compliance to Risk
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 24
• Not cyber terrorism, but cyber crime• Intent is to steal personal information for
monetary gain• Diverse targets across different regions and
sectors– Retailers (DSW, BJ Wholesaler’s)– Data brokers (Choice Point, LexisNexis)– Universities (USC, Duke, Purdue, Tufts) – Banks (BOA, Citibank, Wachovia)– Corporations (Motorola, Time Warner, SAIC)– Healthcare (Kaiser, San Jose Medical Group)
Identity Theft
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 25
Customer Implications • Cost of incident
– A Gartner study found the average identity breach costs a consumer $1,500.• End User Loyalty and Preferences
– A Nationwide Mutual Ins. study found that it takes approximately 81 hours for a consumer to repair the damage caused by identity theft
• Business Relationships– Visa severed business relationship with CardSystems Solutions, Inc.
• Drop in Stock Price– Firms that have a security breach involving credit card information
suffered a stock market loss of 9.3 % the first day, increasing to 14.9% over three days.
• Stagnant Market Growth– Online banking stagnant at 39% of Americans over past 12 months
Brand Impact
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 26
Online Identity Fraud Driving Industry Mandates
Financial Institutions will be expected to achieve compliance…no later than year-end 2006
The guidance describes enhanced authentication methodsthat regulators expect banks to use
when authenticating the identity of customers…
18% of all respondentsstopped or decreased online banking in last 12 months!
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 27
Information Security Governance
Info Security has become a fundamental business issue at the CEO and Board levelBalance IT investments with business risk decisions and put into a framework for implementationOutlines accountability at various management levels, plus core elements of an information security programRecognized the need to treat info security as a continuous improvement process
Corporate Governance Task Force – Apr. 2004
www.cyberpartnership.org
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 28
Why Enterprise Risk Management?
• Information security– Headlines confirm failures produce real business impact
• Regulatory compliance– Inconsistent “best” practices being self-imposed
• Enterprise risk management– Help position audit findings and legal liabilities
• Search for the Holy Grail– A single framework to provide focus and efficiency
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 29
ISG – Keys to Successful Deployment
• Identify key systems (NIST SP800-18)• Simple subjective risk assessment (OMB A-130 App. III)• Risk expressed in words (threat, vulnerability, impact)• Red - Yellow - Green ranking (FIPS-PUB 199)• Iterative process, progressive detail (GAO/AIMD 00-33)• Transparent process with summary reporting
(GAO/AIMD 98-68)
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 30
One Way Forward• One-hour sessions quarterly with managers to review:
– Ask them what they think the risks are– Assessment of controls/residual risk per ISO17799 element– Use the session to raise awareness of threats and risks– Follow-up with groups they defer to (IT, Legal, HR)
• Consolidate view across the organization– Feedback to managers where they stand relative to others– Share results up the management chain, request feedback
• Let the managers do the assessment– If you can't convince them it's a risk, they won't deal with it– They can put it into business terms better than you can
• Executive Sponsorship is NOT required– They are accountable, work with it
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 31
How did ISG help our compliance efforts?• almost immediate reduction in D&O insurance• framework for internal control assessment
– processes and responsibilities were already defined– it was not a separate compliance effort – SOX control assessment fit into it
• provided laser focus on the compliance issues– covered all audit topics at heart of major regulations– still little guidance, poor audit standards, multiple regulations to check– ISG provided us with the list of concerned areas with very little excess
• contained our audit fees– we experienced over 100% increase, and they called us “best in class”– knowing our business risks made it easy to focus on our risks & our systems,
not simply “best practices”
© Copyright Entrust, Inc. 2005 CONFIDENTIAL 32
Conclusions• SoX 404 Impacts
– changed Corporate Governance permanently– need to improve cost benefit through risk-based assessment
• Enterprise Risk is increasingly important– Provides a common framework for evaluating non-ROI projects– Executive Officers are accountable
• Information Security issues moving to Risk Management– Enterprises are increasingly based on information– Higher value assets are intangible; related business risk increasing– Inherent conflict between ROI focused CIOs and Information risk mitigation
• Continuous Improvement – Quality Model