Raleigh issa chapter april meeting - managing a security & privacy governance function - 04.03.14

  • View

  • Download

Embed Size (px)


Audrey Foster presented at the April 2014 Raleigh ISSA Chapter meeting



Managing a Security &

Privacy Governance FunctionApril 3, 2014

Audrey Foster, CPA, CISA, CGMA, CITP

Director of AICPA Internal Audit, Risk & Compliance

American Institute of CPAs


Definition of Governance

the action or manner of governing.

Definition of Govern

conduct the policy, actions, and affairs of (a state, organization, or people).

control, influence, or regulate (a person, action, or course of events).

conduct oneself, esp. with regard to controlling one's emotions.

serve to decide (a legal case).

Session Goals

Importance of Security & Privacy Governance

Setup of Governance within a Security & Privacy Function

Examples of Governance within a Security & Privacy Function


American Institute of CPAs

Security & Privacy (S&P)


Security: Protecting information from unauthorized

access, use, disclosure,

disruption, modification,

perusal, inspection, recording

or destruction.

Privacy: Understanding the relationship between collection

and dissemination of data,

technology, the public

expectation of privacy, and the

legal and political issues

surrounding them.

Understanding of group:

Who works in just security?

Who works in just privacy?

Who works in both?

Who works in audit?

Who reports through IT?

Who reports outside IT?

Importance of Governance


American Institute of CPAs

Importance of Governance


and risk-basedintent

American Institute of CPAs

Importance of Governance



American Institute of CPAs

Setup of Governance


Audit & S&P Committees

Internal Audit, Risk & Compliance


Internal Audit Security & Privacy Exams Compliance


Establish clear S&P

organizational structure.

Reporting lines provide an organizational wide

perspective and authority.


American Institute of CPAs

Setup of Governance

Define S&P goals and follow them!

Ensure they are balanced with a risk-based approach where your organization wants you to be at the table.

Actions speak louder than words, walk the talk, etc!


Strengthen processes and procedures

Ensure sustainable change

Monitor environment

Continuous assessment of risk

Allow business opportunity

- Dont be a no team!

- Control beneficial risks


American Institute of CPAs

Setup of Governance

Define the S&P mission and communicate it!


Provide leadership in the development, delivery, maintenance, and monitoring of the Institutes information security, risk management and privacy programs.

Provide strategic assistance in the safeguarding of information assets and the supporting infrastructure against unauthorized

use, disclosure, modification, damage or loss.


American Institute of CPAs

Setup of Governance

Define S&P areas and scope of work.

Example Breakdown of Key Areas of Work:

Project Consulting

- S&P performs independent reviews and consulting

engagements to improve the organizations operating and internal control environment around privacy and information


Program Development

- S&P develops frameworks, and distributes privacy and

information security focused policies and procedures and

practice aids, enabling the Institute to effectively and

efficiently navigate privacy laws and information security



American Institute of CPAs

Setup of Governance Compliance Monitoring

- S&P identifies areas for improvement or deficiencies through

compliance audits, process reviews, risk assessments,

vulnerability assessments, and security awareness training;

and leads efforts to improve and/or establish risk mitigating

processes and systems to make operations within the

Institute more effective and efficient.

Incidents & Inquiries

- S&P facilitates the response plan and triage activities for

information security incidents & inquiries, following through

to successful closure while also identifying efforts to improve

and/or establish processes and systems geared toward

reducing the risk of subsequent occurrences. Additionally,

S&P functions as a vendor and contract reviewer/approver

for services where either the Institute/member data is shared

with a third party, or include changes to our information

security architecture.


American Institute of CPAs

Setup of Governance

Establish policy, but

Create value-add policies that truly mean something and that you are willing to devote staff hours to monitor compliance with

that policy.

Higher likelihood that users within your organization will be aware and following S&P policies.

Speak the executive voice.

Know your audience (concept versus detailed based).

Summarize what is really important with enough substance for them to understand key concepts.

Know when they need to be decisions makers and give a pro/con analysis with a recommendation.


American Institute of CPAs

Examples of Governance

S&P Function Reporting Structure

Example #1 in the following slides.

Streamlined Annual Risk Assessment/ Project Plan

Example #2 in the following slides.

Finding Process for Consulting Engagements

Example #3 in the following slides.


American Institute of CPAs

Example #1S&P Function Reporting Structure


The security function within the organization was not providing the oversight and governance needed to meet the current

business environment nor strategic initiatives, including privacy


Innovative Thought

Create a Security & Privacy (S&P) function which reports up through Internal Audit (IA) which already has a reporting

structure within the organization that allows independent thought

along with established processes to plan projects to allow S&P

to step into the needed oversight and governance role.


American Institute of CPAs

Example #1 OutcomeS&P Function Reporting Structure


The creation of a S&P Committee made up of senior leadership which guides the actions of the S&P function and allows IA to be

independent, along with some additional external audits.

A reporting structure which allows an ability organizational wide to establish and execute projects, policies and oversight needed

to address the key S&P risks within the organization.

A holistic team that can work with management and various governance committees and boards to understand and respond

to a full breath of organizational risks, strategic initiatives, and

compliance requirements to ensure adequate measures are in

place to protect the organizations interests.


American Institute of CPAs

Example #2Streamlined Annual Risk Assessment/ Project Plan


Risk register had many detailed listing of potential risks which was overwhelming to evaluate and didnt consider strategic initiatives or other key team activities.

Disruptive Thought

Stop doing risk assessments.

Innovative Thought

Have no more than 20 risks to assess where every single risk means something, auditable/ reviewable strategic initiatives

along with activities within mission critical teams are evaluated.


Streamlined annual risk assessment process where projects are focused on the true needs of the organization with a nimbleness

that allows resources to be reallocated as needed. 15

American Institute of CPAs 16


Prelim. Annual Plan


Final Annual Plan & ERM

NovemberApril AugustJanuary

Primary Inputs & Prelim.

Focus Areas

Final Focus Areas &

Annual Plan

IA/S&P Annual Plan

Strategy Annual Plan

Audit Committee Approval

Example #2 OutcomeManaging Organizational Risks

American Institute of CPAs

Example #2 OutcomeAnnual Plan Development


Focus Area Identification

(Primary Inputs)

Risk Ranking(Primary Inputs)

IA/S&P Annual Plan

What are Focus Areas?

Areas IA/S&P is targeting to support through assurance and consulting activities.

Spend time evaluating if a primary input would be an auditable/ reviewable area.

American Institute of CPAs

Mission Critical Teams

Meetings with Senior Leadership

Annual Plan: Strategic


Approved IT Projects

Knowledge of Environment

ERM Risk Evaluation



IA/S&P Annual Plan

Initiated annually; updated quarterly.

Identify Focus Areas

& Risk Rank


Recurring Projects &

Internal Team Ini