Payment Card Security & IT Controls Explained

Entries categorized as ‘conference’

RSA 2008 Conference Wrap Up

April 11, 2008 · Leave a Comment

Back in Atlanta after a week in San Francisco for RSA’s annual conference on security.  This being my first year in attendance I have no comparison from prior years, but have heard that the crowds were a bit lighter than usual.  I spent a great deal of time enjoying the sessions, speaking privately with the incredible roster of speakers in the “speakers lounge”, and engaging the vendors in the expo.  Overall I would definitely say it was worth the time and expense.  Anyone looking at shortlisting their conference list should include RSA next year.  Of course, you make your own conference – I actively sought and engaged experts in areas, and methodically evaluated each solution offered by the vendors.  As in any good project I attended with several objectives and action items that proved extremely valuable:

  • First, I vetted the speakers and the sessions prior to arriving.  This is key to determine the type of presenter and their prior experience (i.e. I prefer to avoid “sales” people giving presentations on areas that their product “happens” to address).  I prefer to seek out either the founders (engineers) of companies who play in a space, in-field practitioners, or those who have such a broad range of experience they can speak on a specific topic.
  • Second, I set three objectives for attending – any more and you are stretching yourself too thin and won’t enjoy the experience.  Mine for RSA this year were to:
    • Identify and map each vendor solution into a solutions matrix based on architecture and core controls for the top 50 regulation / standards.
    • Seek out practitioners who have successfully established frameworks or governance structures in global corporations.
    • Identify trends from the strategic perspective.

My takeaways from the conference were a disproportionate focus of vendors on DLP, a lack of comfort in practitioners dealing with multiple regulations, and a steady and unexpected level of confusion in addressing PCI.

This year RSA is posting the recordings of the sessions online for post-conference viewing.  Now other conferences in the past year have made these available for the public and hopefully they will follow suit.  In any case, be sure to watch for detailed postings on research and notes from the speakers (if you could not attend or are unable to view the archived recordings), and personal / company recaps.

Bottom line – I enjoyed tremendously being an invited speaker on a topic that engaged a capacity room and required the organizers to drag us out of our room to continue it in the halls.  My post takeaway is that I have not sufficiently communicated my research, and I hope over the coming months I can provide greater value to the industry at large.

Kind regards,

James DeLuccia

Categories: Business Agility · Governance · PCI DSS · Security · conference

PCI DSS Teleconference Debrief and Tips

December 7, 2007 · 1 Comment

On December 6th I presented on a teleconference with Prat Moghe from Tizor. Prat presented some new analysis on the source of data loss. He considered not only the source, but also the intent and the volume of data breached per category. To not steal his thunder – there were surprising findings in the results when different lenses are applied to actual breaches.

The best part of the presentation is the Q&A session, which, when you listen to the archived version, you will find starting around 12 minutes into the slide deck. As you can tell with an hour-long teleconference, only a short bit of time is spent on the introductions. I advise any retailer dealing with PCI DSS to listen to this teleconference.

Top points I want to highlight:

  • Business usage of data commands appropriate controls – methods of satisfying these needs must be aligned with the company, and are raised during the teleconference
  • Internal versus external attackers is not the true distinction; the threat is simply whoever has access – applications, users, partners, etc.
  • Avoid complexity through segmentation and business functions that align with access rights
  • For more information on topics such as – are your encryption technologies adequate, how do you handle multiple users accessing systems, managing online interconnected systems, and more – please give it a listen.

Link to the Teleconference Archive HERE (Registration required, gotta cover those costs).

As always – add comments or send feedback.

Best,

James DeLuccia IV

Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · audit · conference

PCI DSS Teleconference December 6th 2007

November 29, 2007 · 1 Comment

On December 6th at 12 EST I will be co-presenting with Prat Moghe on PCI. We will focus primarily on PCI requirements 3 and 10. The teleconference is built on questions submitted by participants that will be addressed on the presentation. Listen live or check back for the future archived version.

http://www.tizor.com/News-And-Events/Hot-Topics/So-you-think-youre-compliant

So you think you’re compliant?

So you think you’re compliant? Let’s talk PCI: An hour with the experts

Even as another PCI deadline looms, questions are being raised about what it means to be PCI compliant. Not only is there confusion about what it takes to become compliant, there is also a lack of confidence that stored customer data will be safe from internal and external threats once PCI requirements are met.

The confusion on the subject of PCI is exacerbated by varying technologies that claim to be the silver bullet for compliance. Hoping to reverse that trend, Tizor Systems invites you to a teleconference event designed to provide straightforward answers to pressing questions about some of the grey areas of PCI compliance. Specific areas that we will be covering during the teleconference include:

  • Data security and how it relates to cardholder data protection
  • PCI requirements 10 and 3, when and where to use encryption
  • Compensating controls for encryption
  • Today’s approach to database logging and why it doesn’t work for compliance or, more importantly, for catching internal and external threats

Best,

James DeLuccia

Categories: PCI DSS · audit · auditing · conference · regulations

IIA South Eastern Regional Conference Day 2.1 – Effective Compliance Programs

September 28, 2007 · 1 Comment

The second day of the conference was excellent. Everyone I spoke with regarding the speakers, topics, and materials thought day 2 was the best and blew away the first day. I had the privilege to attend several sessions that focused on Corporate Governance, Audit Committee Oversight duties, Fraud Risk Assessments, and Effective Audit techniques. I was unable to attend the full day on Wednesday, Day 3, but was able to enjoy Ed Robinson’s presentation and a thorough breakdown on the Foreign Corrupt Practices Act (FCPA). I will post my notes from the conference in sections given the need to digest all that I heard prior to posting:

“Structuring an Effective / Comprehensive Compliance Program” was presented as a panel discussion that included several notables on the panel, including – Ryder, OCEG, Turner, and Southern Company.

  • It was noted that SOX provided several benefits – attention and resources around the existing compliance program and the motivation to mature. Second, SOX identified how weak many of the technology controls were surrounding the controls of the financial reporting systems.
  • A study from the OCEG was presented with several trends and statistics (Available – Check out this post for the OCEG and many more):
    • The Status Quo in organizations is the existence of SILOS (Finance, HR, IT) on the management of compliance and control requirements
    • Technology solutions are trending to bridge these SILO gaps and create a central management approach
    • 2/3 of companies were found to be adversely affected by redundant/duplicate controls. These included:
      • Pain of reconciling disparate data
      • Difficulty finding the truth
    • 1/2 of all identified failures caused harm and damage to the organization (deficiencies), but these effects were short lived and the memories were quickly forgotten in the organization.
    • Only 14% of respondents had integrated their compliance programs
    • The overarching theme that resonated from the study was the need for consistency and accountability
  • Compliance departments must not become the Department of NO. (A role that IT Security once held, and in some cases still holds)
  • The existence of a Chief Risk or Compliance Officer is attributed to the FSG (Federal Sentencing Guidelines)
  • General overview of the FSG (Mainly pulled from Chapter 8):
    • Possess good policies and procedures
    • Assign a responsible party (Compliance Officer)
    • Existence and presence of a program
    • Communicate / Publish / Train on program
    • Enforce the Standards
    • React and address problems
    • “Effective” as defined by the FSG is a program that has the ability to identify and prevent criminal activity
    • Note: The government does not care how much was spent on a safeguard, but only that it is effective – business perspectives must be considered
    • FSG is not a compliance or standard for an organization, but should be incorporated to ensure that the organization is both protected and due care is taken for the personnel
  • Challenge of Ethics
    • Organizations can choose to accept fines for non-compliance if only direct costs are considered
    • Ethics are decided based upon social duties, doing the right thing, and based on the maturity of the business
  • When dealing with auditors, create a relationship and seek to understand the intent of the effort
  • Understanding the reasons information is sought allows for the organization to provide the correct information.
  • OCEG – the Red Book published in its current form has recommendations on establishing a compliance program
  • The risk faced by an organization can come from a number of areas and must be centrally responsible to a core group, i.e. the Compliance group. These risks may be categorized as environmental, compliance, people, ethics, regulations, and business
  • A simple method of gaining acceptance by business parties is to first identify the risks (see categories above), second vet these against a formal corporate compliance steering committee (vet and weigh the risks), third give business another pass, and finally compare these digested risks and ratings against any multinational rankings.
  • Benchmarking is very important to ensure a business is not over spending or falling behind in the technology innovations. Benchmarks can be gathered through OCEG and public surveys.
  • Several Studies were recommended to include:
  • A common refrain by the panel was that compliance programs should promote the delivery of advanced information on compliance to satisfy the concern of management, the Board, and the Audit Committee
  • Some takeaway tips from the session:
    • Develop an Agreed Upon Procedure process for GRC
    • Define hard metrics for a framework – consider OCEG Red Book
    • Become certified – whether by ANSI, OCEG, or others
    • A tip by the OCEG spokeswoman was that everyone should join the OCEG study survey process, because all participants get a free customized report that provides benchmarks based on each survey.

Benchmark, Benchmark, Benchmark:

  • There are some statistics that are not easy to locate and absorb into an organization for comparison that are timely or complete; however, a great tip provided by the panel was to look after bad reports!
  • Bad compliance or failed audit reports that are made public in proxy filings and by government agencies contain huge amounts of information on what was done wrong – Fannie Mae (a 348-page report worthy of any good flight across the pond), Boeing, CA.
  • Take advantage of free webinars to learn about latest interpretations of laws and requirements

The greatest theme that resonated throughout this session, one-on-one interviews and discussions I had, and those of other sessions can be summed up in the following points:

  • Seek to understand an organization’s culture – even transformational leaders must understand where the river flows before effecting change.
  • Identify areas of value from the compliance program beyond avoiding fines, and contribute to the mission of the business
  • Risk Assessments (of all risk categories) are a necessary starting point before any audit and monitoring is possible.
  • Communicate in a language that can be understood – and gain a presence with the Directors and executive management.

A huge overview, and I hope some value to anyone seeking to hone their compliance programs. There is a tremendous amount of thought leadership in this area, and I encourage anyone to contact me to discuss these points.

Best regards,

James DeLuccia IV

Categories: CoBIT · Compliance · IT Controls · Sarbanes-Oxley · State Laws · audit · auditing · conference · iia · information security · regulations · sox

Live from the IIA Regional Conference in Atlanta

September 11, 2007 · Leave a Comment

This week is the IIA’s South Eastern Regional Conference in Atlanta, and it has been sold out for some time. I was lucky enough to be invited and plan to post comments and insight for each day. I can only speak on the areas that jumped out, but I hope this information will be helpful to all internal auditors and those passionate about corporate governance. The materials are available to IIA members, and right now you can join at a discount, joining over 130,000 worldwide members.

Day 1 – Monday 9/10/07

First day at the Westin and we start with a classic big networking morning with roughly 80% in attendance for the breakfast – hosted by Accume Partners. Paul Sobel kicked off the conference after an intro from David Bilko. Paul is known for publishing an excellent text on Enterprise Risk Management (ERM) and a recent textbook. His speech was really catered towards accelerating the profession and stirring up the ranks to aim at the horizons for improvement.

Personally I would have loved to see greater emphasis on promoting the profession at the Director level in companies, and stronger emphasis on promoting the language and depth required to really provide true value to these members. This was highlighted ever so briefly in the Corporate Governance track, but not nearly enough.

The first session I sat through was with Paul Lapides on Corporate Governance and Internal Audit’s role. He presented some good points regarding the lack of focus on the controls by boards, and highlighted a recent set of principles he put together this year (as a refresher to an older paper). His newly released paper is available here. An area of special interest was Paul’s comments on how to become a Director with companies, and the benefits he has received as a result.

The second session, by John Montoro of Cherry, Bekaert & Holland LLP, was very enjoyable. He presented on Performance Audit Under the New Yellow Book Standards. Now unless you are a government-focused auditor you have been missing this treasure. If it wasn’t for the lunch crowd I sat with today I too would not have seen the light. The Yellow Book has some excellent information on how audits should be conducted, and a treasure trove of templates, metrics, and reference points. Someday I may dive into the value and nuggets found within the Yellow Book, but until then it is worth a read while you fly to India or across the pond to London.

This was a very enjoyable session with take away information, and was my second favorite of the day. John had passion, gave great insight, spoke at all levels on the topic, and really boiled it down to the meat and potatoes.

The final session I had the privilege to attend was with Bob Anderson of The Home Depot on Process Improvement Reviews. This was by far the fullest session and the best of the day. Granted, I am biased because I was in this session (so it must be good), and I am not objective because I didn’t sit through all the sessions. That said – Bob gave excellent information and a huge amount of takeaway information. Bob focused on the process used by his company on walking through the concerns of the company and determining the best course of action. His process included:

First identifying the value the internal audit provides ranging from three degrees of value – Audit, Process Improvement, and Strategy. He emphasized the transition is necessary for companies to truly gain efficiencies in the market with this mindset.

Of particular interest to the attendees was that The Home Depot establishes a rotation program where employees work through different audit teams to allow for a near perfect cross-pollination effect.

Bob recommended a near six-sigma approach that was boiled down to five steps – Risk Assessment, Project Selection, Discovery, Execution, and Reporting:

  • Risk Assessment – classic examples here (nothing new): Business process identification, identify risks, measure, prioritize, graphics
  • Project Selection – I loved how he broke this out, and it created quite a stir in the audience with questions. He placed all the projects on risk maps and created audit plans for three years out.
  • Discovery – Here he emphasized the value roadmap process, which he stressed should go beyond simple cost cutting and meld into nearly 12 specific categories
  • Execution – Here the team boils the data down to pure empirical evidence. This was a great point, as it seems in technology specifically the measurements are more subjective and opinionated than they should be in equations that imply precision. He brought forward classics like Pareto Analysis and Fishbone diagrams. An interesting point he made was how much they rely on the classics in their analysis despite having massive resources.
  • Reporting – Of course presentation to executive, and follow up are the close out loops.

Bob goes into a great deal of detail and specifics, and it is impossible to fully recount. I strongly recommend you purchase a copy of the slides or video, or call colleagues that went, to hear the additional value points he made.

Overall, Day 1 was very good. If you are not an IIA member and work within the bounds of corporate governance, technology controls, controls, or simply manage business divisions you should consider joining. The fees are reasonable and the available information is tremendously valuable to every enterprise.

Best,

James

Categories: Compliance · IT Controls · Risk Management · Security · audit · auditing · conference · iia · regulations