Ralph Villanueva SCCE Presentation 2016-Sands Format (3).ppt
Transcript of Ralph Villanueva SCCE Presentation 2016-Sands Format (3).ppt
Slide 1 (Confidential)
Monday, October 10, 2016
The Venetian | The Palazzo | Sands Expo | Sands Bethlehem | Paiza | Sands Macao
The Venetian Macao | Four Seasons Hotel Macao | The Plaza Macao | Sands Cotai Central | Marina Bay Sands
INFORMATION SECURITY AND THE COMPLIANCE OFFICER
Ralph Villanueva CISA CISM CRMA CIA CFE ITIL
Presented for the 15th Annual Compliance and Ethics Institute
Sheraton Grand Chicago, September 25 to 28, 2016
Slide 2
OBJECTIVES
• Discuss the role of the compliance officer in an IT Department
• How to handle IT professionals at work
• How to get results from your IT professionals and enhance IT security
Slide 3
ABOUT THE SPEAKER
• IT Compliance Analyst for over 5 years and Internal Auditor, Accounting Manager and Financial Controller for over 20 years,
• Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certification in Risk Management and Assurance (CRMA), Certified Internal Auditor (CIA), Certified Fraud Examiner (CFE) and IT Infrastructure Library (ITIL),
• Has spoken about audit, fraud and compliance topics since 2010,
• Believes that effective information security depends on effective communication between compliance and IT professionals, and
• Believes that the compliance officer is the most important person in the C-Suite.
Slide 4
WHY IS INFORMATION SECURITY IMPORTANT?
• Intellectual Property Theft
• Cyber Crime Threats
• Regulatory Penalties
Slide 5
INTELLECTUAL PROPERTY THEFT
“MIDWEST AGRICULTURE IS A PRIME TARGET FOR THEFT OF INTELLECTUAL PROPERTY AND CYBER ATTACKS”
Laurie Bedord, Successful Farming online magazine, April 5, 2016
Slide 6
CYBER CRIME THREATS
Source: McAfee 2015 Cyber Security Study
Slide 7
Clip from March 2016 Verizon Data Breach
Slide 8
PENALTY FOR LACK OF INFORMATION SECURITY
Source: 2016 Cost of Data Breach Study by Ponemon Institute and IBM
Slide 9
REGULATORY PENALTIES
“HOME HEALTH CARE PROVIDER HIT WITH $240,000 HIPAA PENALTY”
Tim Mulaney, Home Health Care News online magazine, February 3, 2016
Slide 10
Information Security is top of mind among fellow compliance professionals
“Even if they are technologically challenged, CCOs, senior managers and principals should become familiar with the security measures that can help to thwart a cyber attack.”
- Les Abromovitz, Put Compliance Chores on your To-Do List, Compliance and Ethics Professional magazine, June 2016 issue
“Organizations need to treat each privacy incident as a potential breach.”
- Mahmood Sher-Jan, Data Mishaps: Everyday Events, Inevitable Incidents and Data Breach Disasters, Compliance and Ethics Professional magazine, September 2016 issue
Slide 11
Information Security is top of mind among fellow compliance professionals
“Companies seeking to strengthen data security should heed the findings of a recent survey showing workers have careless security habits and poor security training.”
- Survey: Data Security Risks Heightened by Bad Habits, Poor Training, Compliance and Ethics Professional magazine, July 2016 issue
“Once you have identified the information that should be protected, how do you protect it? It goes without saying that you have to have a policy.”
- Mary Ellen O’Neill: Every Company Needs a Comprehensive Confidential Data Protection Program, Compliance and Ethics Professional magazine, July 2016 issue
Slide 12
WHAT IS INFORMATION SECURITY?
“Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction”
From US Code, Title 44, Chapter 35, Subchapter III, Section 3542
Slide 13
THREE INFORMATION SECURITY CONSIDERATIONS
• Confidentiality
• Integrity
• Availability
Slide 14
SEVEN ROLES OF A COMPLIANCE OFFICER
• Designing, implementing, overseeing and monitoring the compliance program
• Reporting on a regular basis to the organization’s governing body, CEO and compliance committee
• Revising the compliance program periodically as appropriate
• Developing, coordinating and participating in a multifaceted educational and training program
• Assisting with internal compliance review and monitoring activities
• Assuring management has mechanisms in place to mitigate risks
• Assuring management takes corrective action to resolve the noncompliance problems identified
Source: Compliance 101, 2nd edition by Debbie Troklus and Sheryl Vacca
Slide 15
IT SECURITY AND COMPLIANCE
IT Security: confidentiality, integrity and availability of data
Compliance: policies, rules and regulations
Slide 16
INFORMATION SECURITY AND COMPLIANCE
Confidentiality, Integrity and Availability Model (from ISACA)
Columns: Requirement | Impact and potential consequences | Method of control

Confidentiality: the protection of information from unauthorized disclosure
  Impact and potential consequences: disclosure of information protected by privacy laws; loss of public confidence; loss of competitive advantage; legal action against the company
  Methods of control: access controls; file permissions; encryption

Integrity: the accuracy and completeness of information in accordance with business values and expectations
  Impact and potential consequences: inaccuracy; erroneous decisions; fraud
  Methods of control: access controls; logging; digital signatures; hashes; encryption

Availability: the ability to access information and resources required by the business process
  Impact and potential consequences: loss of functionality and operational effectiveness; loss of productive time; interference with company objectives
  Methods of control: redundancy; backups; access controls
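The integrity row of the table lists hashes and digital signatures as methods of control, and the consequence column names fraud. The following added example (not from the presentation or ISACA) shows in Python why those two controls are listed separately: an unkeyed hash catches accidental corruption of a record, but not a forger who can rewrite both the record and its hash, whereas a keyed tag (HMAC-SHA256 is used here as a stand-in for a digital signature, which would use an asymmetric key in production) catches the forgery as well. The payroll record and the integrity key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample record, the kind of payroll line a compliance officer
# might review. It is illustrative only and not taken from the presentation.
RECORD = {"employee_id": "E-1001", "period": "2016-09", "gross_pay": 4200.00}

# Constructed integrity key (assumption). In practice this lives in a key
# vault or HSM and is never checked into source.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so equal records always hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def file_hash(record: dict) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed HMAC-SHA256 tag: detects changes by anyone who lacks the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(seal(record, key), tag)


def integrity_report() -> dict:
    """Walk through the cases behind the table's integrity row."""
    stored_hash = file_hash(RECORD)   # what a hash-only control would keep on file
    stored_tag = seal(RECORD)         # what a keyed control would keep on file

    # Case 1: accidental corruption, e.g. a bit flip on backup media.
    # The field changes but the stored hash does not, so the mismatch is visible.
    corrupted = dict(RECORD, gross_pay=4020.00)

    # Case 2: deliberate fraud. The forger rewrites the amount AND recomputes
    # the unkeyed hash, which needs no secret. Without INTEGRITY_KEY the forger
    # can only guess at the tag.
    forged = dict(RECORD, gross_pay=9200.00)
    forged_hash = file_hash(forged)
    forged_tag = seal(forged, b"attacker-guess")

    return {
        "hash_catches_corruption": file_hash(corrupted) != stored_hash,
        "hash_catches_forgery": file_hash(forged) != forged_hash,   # False: hash alone is not enough
        "hmac_catches_forgery": not verify(forged, forged_tag),
        "hmac_accepts_genuine": verify(RECORD, stored_tag),
    }


if __name__ == "__main__":
    for case, caught in integrity_report().items():
        print(f"{case}: {caught}")
```

The report shows why the table pairs hashes with logging and access controls: the hash is cheap and catches corruption, but only a key the forger cannot reach (or a private signing key, in the digital-signature case) turns the check into a control against fraud.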
Slide 17
INFORMATION SECURITY AND COMPLIANCE
Examples of what compliance officers can do to enhance IS
• Ask about compliance with IS aspects of regulations applicable to their industry (e.g. PCI, HIPAA, Basel II, etc.)
• Look into the information security portion of compliance programs
• Gauge the degree of management involvement in information security
• Discuss with peers the current issues about information security and compliance
• Talk to the IT Department about processes and technologies geared towards information security
Slide 18
WHEN IT COMES TO ENFORCING IT COMPLIANCE POLICY... SITUATIONS ARE
Slide 19
“I DON’T CARE” SITUATION
Slide 20
“WHAT TOOK YOU SO LONG” SITUATION
Slide 21
“SPEAKING IN CODES” SITUATION
Slide 22
THREE PROBLEMS WITH INFORMATION SECURITY COMPLIANCE
• Communication with IT professionals
• Management culture
• Budget
Slide 23
COMMUNICATION WITH IT PROFESSIONALS
Does your IT Dept communicate this way?
(clip from The IT Crowd)
Slide 24
First, recognize the problem.
“The communication gap between IT and the business community is a contributing factor in the underestimation and lack of appreciation of each other.” Robert Putrus, CISM and IT Professional (A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments, ISACA Journal, Volume 2, 2016)
COMMUNICATION WITH IT PROFESSIONALS
Slide 25
COMMUNICATION AND TECHNICAL KNOWLEDGE ARE IMPORTANT
“The communication gap between IT and the business community is a contributing factor in the underestimation and lack of appreciation of each other.” Robert Putrus, CISM and IT Professional (A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments, ISACA Journal, Volume 2, 2016)
COMMUNICATION WITH IT PROFESSIONALS
Slide 26
SECOND STEP: SIZE UP THE SITUATION
A typical day in the IT Department
• User provisioning
• Reset usernames and passwords
• Configure PCs, servers and other hardware
• Load backup media (tape, disc, etc.)
• Update applications to the latest version
• Test network connectivity
• Open and close ports
• Troubleshoot user issues
COMMUNICATION WITH IT PROFESSIONALS
Slide 27
SECOND STEP: SIZE UP THE SITUATION
A typical day for the rest of us
• Go over the latest pronouncements from the Treasury Department
• See if the new procedure for hiring employees includes a signed agreement to use computer and information resources for lawful and company purposes only
• Review the legality of a merger with a competitor
• Go over the latest OSHA report on workplace safety compliance
• Meet with various departments and try to fit their work into the compliance framework
COMMUNICATION WITH IT PROFESSIONALS
Slide 28
REASONS WHY SMART PEOPLE HAVE DIFFICULTY IN COMMUNICATING IN LAYMAN’S TERMS:
1. They were taught how to communicate to peers, not to broader audiences
2. They live in a bubble
3. They’re too busy
4. They’re driven by ego
From the book “Supercommunicator: Explaining The Complicated So Anyone Can Understand” by Frank Pietrucha, published in 2014
COMMUNICATION WITH IT PROFESSIONALS
Slide 29
From “State of Cybersecurity: An ISACA Perspective” by Ron Hale PhD, CISM, March 8, 2016
COMMUNICATION WITH IT PROFESSIONALS
Slide 30
THIRD STEP: COMMUNICATE
HOW TO BRIDGE THE GAP BETWEEN IT AND NON-IT
1. Learn to communicate to a broader audience
2. Look beyond your specialty
3. Find time to simplify
4. Seek to be understood
COMMUNICATION WITH IT PROFESSIONALS
Slide 31
THIRD STEP: COMMUNICATE
Plus
• Read up on IT terminology and concepts, and
• Get out of your offices and initiate face-to-face communication with the IT Dept employees
COMMUNICATION WITH IT PROFESSIONALS
Slide 32
COMMUNICATION WITH IT PROFESSIONALS
Slide 33
MANAGEMENT CULTURE
(Clip from Office Space)
Slide 34
Company culture
Does your company allow open collaboration across departments? Can compliance officers easily access IT personnel?
MANAGEMENT CULTURE
Slide 35
Organizational structure
Is there too much bureaucracy? Should compliance officers get 10 approvals before they get the reports they need?
MANAGEMENT CULTURE
Slide 36
Training
Are IT personnel trained to generate the results you need? Are employees from other departments conversant with IT terminology?
MANAGEMENT CULTURE
Slide 37
Personality
Are IT people trained to value co-workers as internal customers? Are compliance professionals coached in dealing with difficult IT personnel?
MANAGEMENT CULTURE
Slide 38
Planning
Did you ask IT for the right time to observe payroll controls? Is IT informed of the compliance requirements they need to generate ahead of time?
MANAGEMENT CULTURE
Slide 39
Timing
Are you asking for reports while the IT Department is responding to a cyber attack? Does compliance synchronize its schedule with IT?
MANAGEMENT CULTURE
Slide 40
People Skills
“People skills are the various attributes and competencies that allow one to play well with others.” Communications coach and author David Parnell, from “The 20 People Skills You Need To Succeed At Work,” Forbes magazine, November 15, 2013
MANAGEMENT CULTURE
Slide 41
BUDGET
Slide 42
Funding
Does the company have enough funds to upgrade hardware and software? Is CAPEX for compliance reporting and compliance requirements included in annual planning?
BUDGET
Slide 43
Technology
Do your IT people have all the tools they need to meet your needs? Is compliance provided the necessary tools to generate reports from IT systems?
BUDGET
Slide 44
Manpower
Does IT have enough people for your compliance requirements or recommendations? Will the additional IT FTE justify the cost of increased compliance?
BUDGET
Slide 45
SUMMARY
CIA - Confidentiality, Integrity and Availability
CMB - Communication, Management and Budget
Slide 46
FINAL THOUGHTS
Sense of Humor
“A sense of humor is part of the art of leadership, of getting along with people, of getting things done.” US President Dwight Eisenhower
Slide 47
WHEN IT AND COMPLIANCE ARE IN SYNC
FINAL THOUGHTS