Readings
- What is a compensating control? When would you use one? Why? Can you give an example?
- If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
- What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated.
- What do you consider to be the most important personnel hiring controls for an organization?
- How are budgets handled (i.e., created, monitored, re-forecast, etc.) in your organization?
Your Neighborhood Grocer Case
Consider the following questions about the YNG case and post your responses. Ignore the questions at the end of the case.
- YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
- Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
- The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Rich
Heiang Cheung says
A compensating control is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.
You would use a compensating control to satisfy a security measure. For example, if the company doesn’t have adequate staff for SoD because of business constraints, you would provide an adequate security measure, like making sure everything is logged and signed so everything is trackable.
Richard Flanagan says
Heiang – security controls are only one type of control; there are many more, and all our definitions about controls apply to all of them. Besides security you have compliance, regulatory, business process, etc.
Patrick DeStefano (tuc50677) says
An additional compensating control for this example could also be requiring mandatory 2-week vacations. This would be a long enough time for someone else to need to step in and would mitigate the risk of a continuing fraud scheme. It would allow the temporary fill-in to notice if anything suspicious was going on with the work.
Pascal Allison says
Compensating Control: Sometimes, some situations/risks are beyond the control of entities, yet they cannot ignore those risks because of their impact or severity. In every entity, there must be checks and balances (segregation of duties). In the event that checks and balances are not practical, the entity must create a measure (compensating controls) to mitigate the added risk.
Compensating control can be used where an entity does not have sufficient staff to separate duties for efficiency and effectiveness (risk avoidance), yet the duties must be executed. The entity will avoid all risks at hand and setup a process to make up for the shortcoming to mitigate all risk that comes with the process.
Example: At Ecobank Liberia Limited, tellers were required to process transactions, then supervisors approved them for completion. On holiday eves, when the branches are very crowded, tellers were given the right to initiate and finish transactions, all geared towards customer satisfaction. Those transactions were treated separately, meaning that after hours their supervisors had to review those transactions for accuracy and completion.
Bringing compensating controls to the IT environment: setting up a user for system use must be done by two persons (initiator and finisher). If for business needs there is only one person to initiate and complete the user setup, the setup must be reviewed for accuracy or discrepancy after it is done.
Richard Flanagan says
Pascal – good example but remember you can have a compensating control in many situations, not just separation of duties.
Vince Kelly says
1. What is a compensating control? When would you use one? Why? Can you give an example?
According to the text (page 1276), a compensating control is defined as follows:
“Compensating controls are controls that are alternative procedures designed to reduce risk. They are used to ‘counterbalance’ the effects of an internal control weakness.”
A compensating control would be used when it is a more affordable alternative or when it allows specifically required business functionality.
One reason why you would use a compensating control would be if the most appropriate solution was extremely effective but prohibitively expensive. A compensating control would be used to provide a similar but less expensive solution.
One example of a compensating control would be a situation where you had a stubborn, independent mother 🙂 who insisted on maintaining her independence (won’t move in with the family, entertain a retirement community, etc.). The best (but most expensive) solution would be to hire a live-in nurse. A compensating control (instead of the nurse) might be to purchase/subscribe to a (more cost-effective) 24 x 7 x 365 personal monitoring system.
Another example would be where the company wanted to buy an expensive, proprietary version control system (like IBM Panvalet). A compensating control alternative would be to use a GNU/GPL based VCS like Git instead.
Richard Flanagan says
Vince – having taken care of my 90-year-old mother and 100-year-old aunt, I loved your example.
Michelangelo C. Collura says
I appreciate your example of an independent mother for its uniqueness. It certainly fits the compensating control definition. To add some further creativity, I’d offer that a countermeasure in that case, to be used as an alternative to the compensating control, would be to keep all her doors locked from the outside while you are away. This would directly reduce the specific vulnerability (of her wandering out on her own and being endangered) at the expense of being an absolutely terrible child. 🙂
Lezlie Jiles says
Vince, great post, and your interpretation of a compensating control was on point. There are several scenarios where a compensating control can be implemented, and I believe the most popular situation is the segregation of duties. With regards to your independent mother scenario, segregation of duties MUST also be a key factor for you and your family members, as some of us are aware that one person can get overwhelmed and other family members are just not equipped to handle some tasks.
Thanks for sharing, you made this topic personally relatable.
Lezlie Jiles says
Michaelangelo,
Funny… Well connected, and yes, we would be terrible children, but it would definitely reduce risk and increase our objective in safeguarding our assets.
Pascal Allison says
Segregation of Duties (SoD) is the concept or act of separating jobs (duties) among two or more people to ensure effectiveness and efficiency. SoD is used in most cases for fraud and error mitigation (risk management). SoD helps administrative controls to be effective and efficient. It disallows a single individual from single-handedly managing a process, conflict of interest, error, and abuse of privilege. The process could range from training, personnel recruitment, and accounting to disaster management.
Examples: The database administrator role must be separate from all functions of the information security role. If you are storing and organizing the data, you cannot perform security functions, for example access control and security evaluation.
Computer operations (data processing) roles must be separated from application developer functions. If you are operating an application, you cannot be designing, building, testing, implementing, or maintaining the application.
Richard Flanagan says
Pascal – all good IT examples. Can you think of any business process examples (non-IT)?
Pascal Allison says
Cash or payment instruments:
Customer payments that come through the mail must be handled by at least two persons, if not more. After the mail room sorts and records the mail, the person opening the envelope must be different from the person inputting the transaction. It will help control fraud or error (loss).
Richard Flanagan says
Good example. They exist throughout all manual processes. The most famous one exists in the procurement process. And what SoD control am I referring to?
Pascal Allison says
Payment processor and Inventory receiver: Duties must be separated to avoid payments against fictitious deliveries.
Richard Flanagan says
Exactly, it’s the triple match: orderer, receiver and payer. And in many cases, as you pointed out, each one of these three has some SoD involved, such as a person only being able to ask for something, which then has to be approved by someone, before a purchasing agent can actually buy it.
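The three SoD situations raised in this thread (Pascal’s incompatible IT roles, the procurement “triple match”, and Pascal’s two-person user setup with an after-the-fact review as the compensating control) can all be expressed as simple checks over role assignments and transaction records. The following is an added example, not code from the course or from any poster: the incompatible-role pairs, purchase orders and provisioning events are constructed for illustration, and the function names are the example’s own.

```python
"""Segregation-of-duties (SoD) checks over constructed sample data.

Added example, not from the discussion thread. The incompatible-role
pairs, the purchase-order records and the user-setup events below are
all constructed for illustration.
"""
from itertools import combinations

# Incompatible role pairs: the IT pairs named in the thread (DBA vs.
# security, operations vs. developer) plus the procurement chain
# (requester/approver/purchaser, receiver/payer). Constructed policy.
INCOMPATIBLE_ROLES = {
    frozenset({"dba", "security"}),
    frozenset({"operations", "developer"}),
    frozenset({"requester", "approver"}),
    frozenset({"approver", "purchaser"}),
    frozenset({"receiver", "payer"}),
}


def role_conflicts(assignments):
    """Return (user, role_a, role_b) for each incompatible pair a user holds.

    `assignments` maps a user name to the set of roles granted to them.
    """
    conflicts = []
    for user, roles in sorted(assignments.items()):
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in INCOMPATIBLE_ROLES:
                conflicts.append((user, role_a, role_b))
    return conflicts


# The three steps of the procurement "triple match".
MATCH_STEPS = ("ordered_by", "received_by", "paid_by")


def three_way_match_violations(purchase_orders):
    """Flag purchase orders where one person performed two of the three steps.

    Returns (po_id, user, step_a, step_b) tuples.
    """
    violations = []
    for po in purchase_orders:
        for step_a, step_b in combinations(MATCH_STEPS, 2):
            if po[step_a] == po[step_b]:
                violations.append((po["po"], po[step_a], step_a, step_b))
    return violations


def unreviewed_single_actor_setups(events):
    """Compensating-control check for user provisioning.

    Where one person both initiated and completed a user setup (no second
    person available), the compensating control is an after-the-fact
    review by someone else. Return the ids of events that were done by a
    single actor and still lack an independent review.
    """
    flagged = []
    for ev in events:
        single_actor = ev["initiated_by"] == ev["completed_by"]
        reviewer = ev.get("reviewed_by")
        independent_review = reviewer is not None and reviewer != ev["initiated_by"]
        if single_actor and not independent_review:
            flagged.append(ev["id"])
    return flagged


# Constructed sample data.
SAMPLE_ASSIGNMENTS = {
    "alice": {"dba", "security"},           # conflict: stores the data and secures it
    "bob": {"developer"},
    "carol": {"operations", "developer"},   # conflict: runs and builds the application
    "dave": {"requester"},
}

SAMPLE_POS = [
    {"po": "PO-1001", "ordered_by": "dave", "received_by": "erin", "paid_by": "frank"},
    {"po": "PO-1002", "ordered_by": "erin", "received_by": "erin", "paid_by": "frank"},
    {"po": "PO-1003", "ordered_by": "dave", "received_by": "frank", "paid_by": "frank"},
]

SAMPLE_SETUPS = [
    {"id": "U-1", "initiated_by": "grace", "completed_by": "heidi"},
    {"id": "U-2", "initiated_by": "grace", "completed_by": "grace", "reviewed_by": "heidi"},
    {"id": "U-3", "initiated_by": "grace", "completed_by": "grace"},
    {"id": "U-4", "initiated_by": "grace", "completed_by": "grace", "reviewed_by": "grace"},
]

if __name__ == "__main__":
    for finding in role_conflicts(SAMPLE_ASSIGNMENTS):
        print("role conflict:", finding)
    for finding in three_way_match_violations(SAMPLE_POS):
        print("triple-match violation:", finding)
    for event_id in unreviewed_single_actor_setups(SAMPLE_SETUPS):
        print("single-actor setup without independent review:", event_id)
```

The role check is a preventive control (run it before a grant is approved); the other two are detective controls run over records after the fact. Note that a self-review (U-4) is treated the same as no review at all, which is the point of the compensating control being performed by a different person.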
Paul Needle says
It is important to have segregation of duties so that no one function can be performed from beginning to end, just like in accounting. Having segregation of duties will minimize fraud, risks associated with errors (which could be common and recurring over time), and sabotage. There are two important segregations of duties necessary in IT. The first is segregating the IT functions from the individual departments. Individual departments can and should have input to the IT functions, but separating the two will minimize errors, risk, and fraud. The IT of an organization is a crucial business function that needs a dedicated team. There could also be conflicts of interest with the individual departments having so much access to the IT function. The other important segregation of duty is the database administrator vs. the rest of the IT department. Having a dedicated DBA that oversees the entire operation will help centralize major issues. This will help with clarity and continuity throughout the organization. It is important the DBA be on top of the org chart, with the individual IT departments reporting up to one DBA.
Richard Flanagan says
Paul – I am not sure what you mean by “individual departments”. Are these user departments or other IT departments? What is the structure of the IT organization in your example?
Paul Needle says
The structure would be the one provided in the reading “What Every IT Auditor Should Know …”. At the top is a CIO with the following direct reports: AppDev, DBA, Information Security, and Computer Operations. I guess I may be a bit confused with the term user departments. I am assuming that is the day-to-day business operations. I would picture myself as a production insurance underwriter, separate from IT or, better yet, the Actuary team. In other words, I am considering myself to be in a user department as opposed to the DBA (or AppDev, Information Security, or Computer Operations). You wouldn’t want someone like myself having the capability to alter a rater developed by actuary or altering any type of technology support that was likely approved by the state regulators. There would be a conflict of interest if I had the capability to change the systems to develop cheaper premiums, as I have production goals. Not to mention I do not have knowledge of what has been submitted to individual state insurance regulators for approval. Am I correct in assuming that a user department is the day-to-day operations of the company? Hopefully this helps clear up my original post.
Patrick DeStefano (tuc50677) says
In my experience, the best way to explain the segregation of duties of the IT function from user departments would be to think of a financial services company: they have a fraud department. The employees in this department can be separated into business users and IT. For instance, the business users are the people who will do research into fraud on an account and potentially be responsible for marking accounts/transactions as fraud. They will be the end users of any applications that the firm uses related to fraud. Then the Fraud IT department will be the ones developing the applications that the business users will use. The business users should not have access to develop the applications which they use, just as the IT resources should not have access to go into production and mark transactions/accounts as fraud.
Vince Kelly says
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
I don’t think that one specific category of control (administrative, technical and physical) or one specific functionality of a control (preventive, detective, corrective, deterrent, recovery, etc.) *can* be ranked in order of importance, if for no other reason than (in my opinion) any control can be defeated or circumvented given the ‘right’ circumstances, enough time and resources.
I’d disagree that there is a single, *more* important control. Effective controls must be relied upon and applied in a *balanced* way. I agree with the text in that defense-in-depth – i.e., having multiple overlapping controls – is absolutely the best approach.
One reason for this is that controls should align to threats. In addition, more than one control should be layered together using a defense-in-depth strategy. The category, functionality and number of controls applied should be dictated by the value of the asset that is intended to be protected.
I think that simply ‘ranking’ one control over another (as more important) creates a dangerous affinity/tendency/predictability to the overall security strategy and this in turn effectively creates an ‘over-reliance’ vulnerability because the strategy becomes too simplistic.
But *THAT* being said, just given the sheer number of threats that exist today as well as the VASTNESS and exponential growth of the asset base that must be protected – for example, Enterprise Data Warehouses, the HADOOP Data Lakes that are needed to train machine learning algorithms, etc., etc., etc., etc. – ‘OVER-layering’ controls can create the potential for a defense-in-depth strategy to become too complex, which in and of itself creates another type of vulnerability.
The point is that a reasonably balanced control strategy is more important than one type of control over the other. But since this is a purely academic exercise, and if you twisted my arm, then I’d have to go with the category type of ‘Administrative’ coupled with the control functionality of ‘Detection’.
The reason for this is that even though people can be nefarious, they can also be altruistic. Even though they can be deviously clever, they can also be brilliantly insightful. Even though they can be malevolently motivated, they can also act in the best interests of others. So there is no control on earth that can surpass a competent, watchful human administrator.
Richard Flanagan says
Of course you need them all, but how often have you heard people complain about any number of individual administrative controls and try to find ways around them? Don’t like the procurement process? Just buy whatever you want on your credit card and get it reimbursed as a T&E expense. Hiring too slow? Bring people on as consultants at a higher cost. Etc.
Vince Kelly says
Great points. But isn’t circumvention of administrative controls more a function of company culture, maturity (i.e., where the company is in terms of its lifecycle) and its ‘tone from the top’?
In other words (as you know), startups frequently have very few processes or controls in place – just the objective to ‘grow’. I think that gives rise to a culture of seeing everything as an obstacle that gets in the way of the objective, so circumventing administrative controls almost becomes a game as a result. Mature companies, on the other hand, are often process driven in order to tightly control operating expenses.
As an example, I once worked at a startup where there was no limit on how long you could wait before submitting expenses for payment – and very little scrutiny over what was submitted. On the other hand, the (mature) company that I currently work at requires VP approval for any expenses submitted after 30 days and has *very* clear, specific guidelines about what can and cannot be expensed.
I still gotta go with Administrative controls as the most important from a security perspective 😉 If for no other reason than:
Page 386 of The Computer and Information Security Handbook describes Administrative Control as follows:
“Administrative controls are of paramount importance because technical and physical controls are manifestations of the administrative control policies that are in place.”
Michael Gibbons says
I agree with Vince on the Administrative Controls. The argument of “it’s better to not have policies and procedures in place than to have policies and procedures and not follow them” is a sign of weak IT Governance that I have heard over the years. I would equate the administrative controls as the “tone from the top” that help dictate what level of technical and physical controls will be implemented.
Michelangelo C. Collura says
I would add to this that admin controls can also enable a robust testing policy, a drill of sorts to keep everyone and all systems on their toes. This serves the dual purpose of keeping preparedness at a high level and reinforcing the tone of seriousness for IS in the organization.
Richard Flanagan says
Vince – agree totally about startups. They are very often the poster boys of non-compliance. Just look at Uber and all its current problems. Yes, the point for me is that tone is an absolute necessity or nothing else matters. After that, a strong set of administrative controls needs to be in place to guide proper behavior. Only then, in the IT case, can we start thinking about mission, aligning to business strategy, service provision and security.
Pascal Allison says
According to “The Institute of Internal Auditors. Global Technology Audit Guide”
“IT controls encompass those processes that provide assurance for information and information services and help control or mitigate the risks associated with an organization’s use of technology….”
Whether the control is administrative, physical, or technical, and whether for prevention, correction, or detection, it can be classified into one of these categories: general or application control. Ranking controls in terms of importance would expose the entity to many risks, as controls are not for the same purposes and are not effective for all threats. They are equally important, depending on the threat and time.
Preventive control seems the most important. As the saying goes, “prevention is better than cure,” but if the cost (financial, social, and moral) of avoidance is higher than fixing (correction), corrective control is more important, and vice versa. With this being said, detective controls hold a good spot in the ranking. Once the entity detects the risk, a decision can be reached regarding prevention or correction in terms of cost. All controls are on a horizontal line. If a choice must be made, detective control will be on top of the list, followed by preventive, then corrective.
https://chapters.theiia.org/montreal/ChapterDocuments/GTAG%201%20-%20Information%20technology%20controls_2nd%20ed.pdf
Vince Kelly says
TOTALLY agree, Pascal! Trying to ‘pick’ one type of control (Administrative, Technical, Physical) as more important than the other would be like trying to pick the best single type of technical control when using a defense-in-depth/layering strategy – in that case Firewalls, ACLs, NIDS, crypto, should all work *together* as a system. Administrative, Technical and Physical controls should work together as well – I think it would be easier to defeat one control than it is multiple controls.
Don’t you think that Detective would be more important? If for no other reason than it’s simply not possible to anticipate/prevent every possible permutation of a security breach – I’d think that immediately KNOWING that attackers are in your network would give you a lot more options; e.g., shut down the exploit immediately, track it in real time in order to understand exactly what was touched, collect forensic information, etc., etc. Don’t you think?
Michael Gibbons says
Great points, Pascal and Vince. I like the thought of detective, but my thought process always goes to preventive when the expectation is shutting down malicious activity immediately. I know it’s not always possible, and in some instances the exploit may not be an exploit but a misconfiguration of one of the technical controls designed to keep the attackers out. It definitely gives me a lot to think about though, so thank you; the conversation is greatly appreciated.
Vince Kelly says
…you’re absolutely right, Michael; ‘playing Columbo’ while some idiot is rooting around in the center of your network is probably not a good idea ;) What I was thinking there was that (as you know) breaches typically don’t start out in the middle of the network; breaches typically begin in some obscure location (like a lab or a temporary employee laptop) and then propagate inward. Being able to watch/detect the clown in RT – before they get into a critical area – is almost as good as getting ‘free penetration testing’ ;) But again, that would probably depend on how good the relationship is between you and your boss ;););)
Vince Kelly says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
The text defines segregation of duties (it refers to the principle as ‘separation’ of duties) as:
“A security principle that splits up a critical task among two or more individuals to ensure that one person cannot complete a risky task by themselves. It is a preventative administrative control type put into place to reduce the potential for fraud.”
An example of two IT roles that should be segregated would be the roles of SecOps and Network Engineering. Allowing a single individual to decide what applications and utilities are allowed to run, how they get run, who is authorized to run them, what they are permitted to change, what other systems they’re allowed to touch and how all those interactions get recorded, logged and documented has the potential to be a recipe for disaster.
On a somewhat related side note, in my opinion, the article; “What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities” – is so old that it is now irrelevant and misleading.
I don’t profess to be an auditor or to have any of the requisite insights or skills needed to be one, but I *am* under the impression that one of the more important tenets of auditing is that information is the most useful when it’s kept relevant and up to date.
It would also certainly not be an exaggeration or hyperbole to say that the article is *basically* correct in how it describes the need for segregation of duties, but in doing so it fails to address one of the most profound paradigm shifts in IT organizational structures since the decline of centralized computing models in favor of distributed ones – i.e., the decline of traditional Waterfall SDLC methodologies in favor of Agile software development, DevOps and Continuous Integration/Continuous Delivery practices.
To be fair, the article correctly points out that:
“One way to mitigate the composite risk of programming is to segregate the initial AppDev from the maintenance of that application.”
But (clearly because of its age) the article also *incorrectly* makes the following claim:
“…those responsible for duties such as data entry, support, managing the IT infrastructure and other computer operations should be segregated from those developing, writing and maintaining the programs.”
DevOps takes the exact opposite approach to what the article recommends. DevOps completely relies upon an extremely CLOSE level of collaboration and interaction between operations and development roles in order to ensure faster and more frequent software release cycles – so much so that they essentially become a single organization in some companies.
The oversight was truly glaring and annoying until I checked its original publication date.
Clearly the point of the article is that there needs to be an appropriate level of segregation of responsibilities. That is true even in today’s DevOps environments. But the article is misleading when it makes the claim that the development and operations organizations need to be kept separate.
I’d suggest the article be ‘retired from service’ 😉
Richard Flanagan says
Vince – got any better articles in mind? I’d love to have you post a link to any you know of.
Vince Kelly says
https://www.computerworld.com/article/2532680/technology-law-regulation/the-key-to-data-security–separation-of-duties.html
Richard Flanagan says
Vince – like it, next class will have a different reading.
Everyone, take a look at the article Vince pointed to. It’s about SoD in security, so remember that it applies to all business processes as well.
Michelangelo C. Collura says
This was a valuable article, as it laid out the reasoning behind SoD in a clear way, cutting out the industry-specific jargon for plain common sense. I feel like the best option given for SoD involves outsourcing it, simply because you can assume that the third party is both an expert in auditing (otherwise, why did you hire them?) and also able to be objective in their assessment. The only problem would be the risk of sharing IP and proprietary data to achieve this audit, and I don’t know how many companies are willing to do this. I would assume it depends on the industry.
Patrick DeStefano (tuc50677) says
Vince, I completely understand how you feel about the changing methodologies. Our entire IT organization is currently undergoing the exact thing you mentioned. We are still in the process of an Agile transformation from previously working in waterfall. While Agile methodologies do heavily rely on very close collaboration between the team designing, building, and testing the applications, there is still a lot of room for proper segregation of duties, in my opinion. Some companies have taken the approach where they will still have job roles within the agile team, where some people are Business Analysts, some are Developers, and some are Quality Assurance. Other companies have gone full agile and have a team made up of all developers. Either way, you can have proper segregation of duties by having a different person work on each step of the process. One person works on the design and documentation, a different person builds the component, and a third person tests the final product.
Vince Kelly says
4. What do you consider to be the most important personnel hiring controls for an organization?
I think that resumes as a hiring control represent nothing more than the collection of as many acronyms as an applicant can find and ‘embellish’ in order to gain a potential employer’s attention.
At times, employment agencies and ‘head hunters’ may serve a purpose during an ‘overheated’ job market in that they can ‘run interference’ and prevent the hiring manager from being overwhelmed with applications. The downside is that this sort of hiring control is expensive – often costing tens of thousands of dollars or a percentage of the new hire’s first-year gross salary. The other downside to using employment agencies is that the agencies performing the screening frequently lack any IT skills themselves and, as a result, may have a hard time discerning subtle but important distinctions between candidates.
Programming, personality and generalized ‘aptitude’ tests as hiring controls merely serve to put an applicant under undue stress and on the defensive. ‘Tests’ also potentially leave an excellent (future) individual contributor with the impression that the organizational environment that they may want to work in is rigid, controlled and inflexible.
Background checks as a hiring control can be somewhat helpful, but only in the sense that they typically paint a superficial picture of the gap between what candidates claim on their job application and reality.
Using a candidate’s posts on social media (in my opinion) is potentially dangerous because it may open the door to what could be unintended but illegal questions or treatment during the interview process.
Keeping a ‘bench’ of prospective internal and external candidates – i.e., maintaining an awareness of ‘who is out there’ by developing relationships with customers, partners and other teams within the company is one effective approach.
Another effective hiring control is a combination of committee and personal face-to-face interviews. The committee interview process tasks each member of the team to identify and probe for specific characteristics, skills and/or behaviors that would be needed in the job. All of the individual perceptions by the committee members are aggregated at the end of the interview process and assembled into a single composite picture of the candidate’s skills and abilities.
In this way only a small number of the most appropriate candidates are forwarded to the hiring manager. Another advantage of this type of hiring control is that the candidate and the individual committee members become familiar with one another during the process.
Finally, and most importantly, the face-to-face interview with the hiring manager is the best sort of hiring control because this interaction provides the best ‘measure of a person’. The final face-to-face interview should occur after a majority of committee members agree that (a small set of final) candidates have the requisite aptitude, skills and characteristics that would make them a good fit for the company in general – the hiring manager only needs to focus on the ‘finer details’ of the person from that point on. The final interview should also be the point where the candidate can decide if the company/organization is a good fit for *them* as well.
Heiang Cheung says
I personally agree with you that committee and face-to-face interviews are really important personnel hiring controls, because they would give the company more qualified candidates. Being able to measure candidates and having multiple people in a committee agree on a candidate is better than just one person agreeing to hire a person. For me, I think the most important hiring control is a background check, because it sets the foundation for the candidate you’re hiring. Knowing someone’s background is really important, because right off the bat you could find out if the person you’re hiring is a responsible individual just by going through a credit check. I’m not saying you can’t be a qualified candidate because you have bad credit, but this does raise some flags. Also, you could tell if the candidate is a past criminal or has done things that don’t align with the company values. So having a background check is the most important to me, because it’s the first thing you should do.
Also, on the resume as a control, I agree 100 percent that it could be fabricated and fluffed up, but that’s the only way for a company to evaluate candidates if they have never met them, unless it’s through recommendations or internal hiring.
Patrick DeStefano (tuc50677) says
I’m with you guys on the committee and face-to-face interviews. The best way to get to know someone, in my opinion, is through references of people you trust as well as meeting them face to face for an interview to get an idea of what they are all about and how comfortable they may be.
On another note, while I agree that background checks can sometimes be influential in hiring decisions – for example, you wouldn’t want to hire someone with a criminal history of financial fraud to work in a bank – companies often use this to paint a picture, per se, of the applicant which is not accurate. I am a firm believer in second chances, and I’m 100% certain that every person in this class has done some things in our younger years which we may regret and/or shouldn’t have done and/or may have even been against the law. Someone who got an underage drinking conviction or even a DUI in their younger years should not be disqualified from good jobs for the rest of their life just because they made a bad decision in their past and got caught for it. Bottom line is that, while background checks can be helpful in some circumstances, hiring policies should not be based solely on whether a person has a completely clean record.
Vince Kelly says
5. How are budgets handled (ie created monitored, re-forecast, etc.) in your organization?
Unfortunately, the capital and budget allocation processes are highly sensitive and proprietary information and are something that we are not permitted to share. In fact, I’d be surprised if any company would be willing to share this type of information – i.e., my competitors would *love* to know how much money we intend to set aside in FY18 in order to take market share away from them. My partners would *love* to understand how much contra funding has been set aside for them to do joint marketing programs this year with us. I would * L O V E * to know how much has been targeted for overall headcount, raises and compensation this year! ;);)
That being said, from a generic, fifty-thousand foot perspective, the budgeting process, manufacturing process, and almost every other process within the company are driven by our sales forecasts. Sales forecasts in turn are driven by our overall business strategy which is defined by our solutions, which in turn gets dictated by our capabilities and driven by our mission, vision and priorities.
The budgeting process is also *influenced* by ‘nuts and bolts’ mechanisms like hurdle and IRR rate requirements, our own internal and externally shared KPI requirements (like FCF return to shareholders/payout ratios, debt to equity balance), etc., etc. etc., etc.
Richard Flanagan says
Vince – the question was more about the mechanics of how budgeting is used as an internal control. How does it get set, top down or bottom up? How often is it reforecast? Monthly, quarterly, not at all? If you don’t spend your whole budget in Q1, is the surplus gone or can you spend it later in the year?
Vince Kelly says
How does it get set, top down or bottom up?
Most definitely top down – per the original post, our business strategy drives pretty much all resource decisions/allocations.
How often is it reforecast? Monthly, quarterly, not at all?
There are quarterly adjustments (usually as reductions). Budgets have a P&L owner, typically at the area level with more discretionary funding allocation going to VP’s who ‘sign up’ for larger sales targets.
If you don’t spend your whole budget in Q1 is the surplus gone or can you spend it later in the year?
There’s no quarterly roll – you use it or lose it. In order to prevent ‘burning it to keep it’, SDA ‘agreements’ are written as internal contracts that have clear milestones and deliverables.
Richard Flanagan says
Vince – does your company run an SOP (Sales and Operations process)? If so, at what level and how often?
Vince Kelly says
Yes, S&OP typically goes through reviews every quarter – it’s a bit like a root canal 😉 As for frequency, it really depends on the organizational level – LT (1, 3, 5 year) strategy is reviewed at least annually (our CEO conducts an offsite meeting with his direct reports expressly for this). They also do alignment reviews in preparation for the quarterly analysts’ call. Sales and marketing pretty much revolve around quarterly reviews; engineering and manufacturing are BU timeline, forecast/demand, and contract specific (almost all manufacturing is outsourced and so there are contractual periods set aside for this).
Anonymous says
4. What do you consider to be the most important personnel hiring controls for an organization?
I apologize, I misinterpreted question 4 in the earlier post:) After re-reading the question I realize that the question was asking:
“What do you consider to be the most important personnel hiring controls for an organization – IN THE CONTEXT OF COBIT5?”
With this in mind, I would consider four of the six APO07 Process practices as critical with one practice as “most” critical, the top four I think are most important are:
1) APO07.02 Identify key IT personnel. It is absolutely *critical* to identify and retain top talent within the company while also ensuring that there is no over-reliance on that talent (others are being allowed to ‘grow into’ being considered key personnel). An organization that doesn’t reward its top talent and manage out its bottom talent is an organization that will ultimately stagnate and die.
2) APO07.03 Maintaining skills and competencies. There is no faster way to lose top talent in an organization than to prevent them from being able to grow both professionally and personally – ESPECIALLY in an industry that changes as quickly as the IT industry does. Being ‘penny wise but pound foolish’ when it comes to skills development will result in employee irrelevance and substandard customer service.
3) APO07.04 Evaluate job performance. This is the essence of SMART management principles in my opinion. In addition, providing timely, sincere recognition whenever possible as well as honest and direct feedback during periods of ‘Teachable Moments’ helps employees know where they stand and exactly how they can leverage opportunities to grow within the company.
4) APO07.04 Maintain adequate staffing. It’s important to maintain an appropriate level of staffing if for no other reason than to prevent burnout of employees. Unfortunately, there are probably fewer instances where a manager would agree that their organization is appropriately staffed than not properly staffed, and *this* is where the other elements (APO07.02, 03 and 04) can make a huge difference in terms of the organization’s competence and culture.
Richard Flanagan says
Please be sure to sign in so I know who made the comment.
Vince Kelly says
sorry, I had posted then shut down before realizing I made the mistake
Heiang Cheung says
#5 How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
I currently work at a non-profit and it’s funded by the federal government, and everything is a little chaotic and more of an ad hoc approach to everything. The budgets are done every year according to the funding we get from the federal government. I don’t really think it’s monitored and reforecast like a for-profit company because the money has to be used up anyway. Most of the time, if something needs funding they’ll just move funds from another fund as needed.
Richard Flanagan says
What problems do you think this could cause for the organization?
Heiang Cheung says
It could cause a lot of problems because spending is not controlled better. Possible fraud could be happening where the company is spending money with a specific company and somebody is getting a kickback. But I feel like municipalities/government don’t really care about budgets because they could always borrow. Take for example the City of Philadelphia: the pension is only about 50% funded but they just renewed contracts with the FOP that gave raises. The US is the same thing; there’s basically no budget, it’s just spending and borrowing.
Richard Flanagan says
As a trained political scientist who wandered into computing 40 years ago I would love to follow up your observations but I’m not sure it fits our topic. The fact that spending is uncontrolled and fraud could easily be implemented are appropriate concerns and one would hope that someone is paying attention.
Jonathan Duani says
I also work for a non-profit, technically. We have a lot of issues with doing less with more and budgeting. Currently, we are in a deficit of a couple million due to overspending. When a department or user needs to order something they are supposed to submit a request and then it goes through multiple layers of approvals depending on what they want. However, if they know someone in the department they can circumvent the system and just get the item they need, usually without a charge back. The other option is they are able to purchase within their department and it does not come through us; however, we will still have to support it and configure it for them. When this happens we lose standardization, which then causes a lot of other issues. I’ve noticed a lot that when there are too many people that can order, things go haywire.
Richard Flanagan says
Jonathan – you have my sympathies. This is a classic description of an organization with poor IT administrative controls. Can other departments order software too? Doing that really puts IT in a bind. Recognize that this is an organizational governance problem, not necessarily an IT problem, although they pay the price.
Jonathan Duani says
Rich,
They are allowed to order whatever they please, it seems, some days, which causes a lot of confusion. A lot of the issues come down to lack of communication between different teams and departments. Of course we have corporate pricing and special ways of ordering special software packages that they must go through the IS department to obtain, but a lot of groups (especially on the research side of things) will purchase licenses for software that might not be properly vetted for the environment or compatible. A lot of departments who have specialty software for a specific study or task they are trying to accomplish will circumvent the IS department altogether and go right to the vendor directly, and then we will only find out when they bring the vendor in and they need admin rights on the spot because the vendor is here and waiting to install this software that we knew nothing about, so we need to start contacting the specific admins and escalate things so that the install can happen within the scope of the current policies.
Pascal Allison says
Every hiring control is necessary through the process. Each disallows or resolves a particular risk or problem specific to its purpose. In my opinion, every hiring control should be instituted based on the position.
Since the resume is not a legal document but a marketing document, it would be at the bottom of the list. Let it be known that resumes are needed to determine candidacy for the hiring process, and that process costs resources. Meaning, it has its importance; thus the process must have controls.
Interviewing: a team of interviewers helps with determining the weaknesses and strengths of a person (choosing the best), disallows partiality, nepotism, or favoritism to a larger extent, and gives interviewees the chance to defend the resume or expose themselves. Controls (more than one person conducting the interview) here are vital.
Background Check: Is the background check on social media, credits, academics, or religion? The extent of the background will depend on the position, but it is a must that needs care. The individual coming on board is coming with different characters that are not explained on the resume and might not be discoverable during the interview. The background check can help with things not explained or discovered during the interview.
Testing: Is it the human resources department drawing and grading the test or the supervisor for the position? Testing gives a vivid knowledge of the intuition of applicants which helps with the selection. Testing will be placed above resume on the list.
Some of the hiring controls not mentioned are training, monitoring, and evaluation which are equally important. The application and importance will depend on the position.
Richard Flanagan says
Pascal – usually when I hear “background check” I think of a search for a criminal record, although the ones you mention might also be used. Note that some are illegal in many countries, e.g. race, age, ethnicity, etc.
Jonathan Duani says
Rich, I actually agree with Pascal’s other mentions under background check. I think that in this day and age our digital footprint is huge, and more so on social media. I think more and more employers are looking not only at your background, both criminal and financial, but also at how you are as a person via social media. They can learn a lot about a person just by seeing how they conduct themselves online. I’ve personally read a lot of stories where people have lost jobs due to things they have said online and their employer seeing it.
Richard Flanagan says
Jonathan – you are both correct that social media plays an increased role in current hiring. Easily dodged though by putting up only what potential employers want to see or having two accounts (which my nephew does) one for employers and one for friends.
Getting fired for what you post is a different issue. It’s usually a question of social media policy and violations of it. Still, it’s a troubling question when viewed from a free speech POV.
Michelangelo C. Collura says
I agree with the comments made about social media checks. If a company values the brand and its perception, they are going to be very concerned with proper social controls, if you will. I imagine a company like Disney will want to know how often a person curses on Facebook, if they’ve gained a reputation for posting nude photos on Instagram, or if they are involved in racist subreddits. All this stuff would be tremendously important to the hiring team, whereas a company like Wal-Mart may not care too much about this. Even in their case however, I would be willing to bet such social media controls exist for higher level hires.
Jonathan Duani says
To follow up with what Michelangelo said, below is a link to an article I mentioned before. It is about a person who was already employed by Bank of America and, due to a post she made on social media, lost her job. To go a little further, I think hiring control is necessary because if you look at this user, she already had a good job at a good company and lost it all due to a poor decision on a public forum that had nothing to do with her current place of employment, which is why screening and making sure that people who are hired are properly vetted matters, because you really never know who you are going to get.
http://www.nydailynews.com/news/national/bank-america-employee-fired-racist-facebook-rant-article-1.2658891
Michael Gibbons says
Caution on the social media checks from a legal perspective. From the Society for Human Resource Management:
https://www.shrm.org/hr-today/news/hr-magazine/pages/0914-social-media-hiring.aspx
When surveyed in 2013 about why they decided not to use social networking sites for candidate screening, 74 percent of organizations said they were concerned with legal risks or discovering information about protected characteristics when perusing candidates’ social media profiles. This is a legitimate concern.
Richard Flanagan says
Michael – excellent article, looks like I will have several new readings for my next class.
Seriously everyone, I am very open to getting new, recent articles on all of our topics, whether they support what I’m saying or contradict it. One person can only read so much to stay current so please, offer anything you find that you think is good.
Michelangelo C. Collura says
This seems relevant. I quoted the most important bit and linked at the bottom. To all prospective job applicants:
Is it legal for an employer to ask for my Facebook password?
There are no specific laws to protect the social networking privacy of employees and job applicants, though lawmakers in some US states have introduced bills to prohibit employers from requesting Facebook passwords. In the UK, the Computer Misuse Act 1990 offers some protection to employees. According to the Act, it is an offence to use a computer to gain access to data you are not authorised to use.
Unfortunately, many employees are willing to fork over their passwords in order to keep their jobs, thus “authorising” the employer to access their personal information. However, this practice still constitutes a direct violation of Facebook’s Statement of Rights and Responsibilities. According to Section 4.8 of Facebook’s policy, “You will not share your password…let anyone else access your account, or do anything else that might jeopardize the security of your account.”
http://theundercoverrecruiter.com/what-if-employer-requests-my-facebook-password/
Pascal Allison says
Budgets are forecast and monitored for performance (quantitative, qualitative, and policy). If there is any change or unforeseen occurrence that affects the budget, a re-forecast is implemented for conformity (local, state, or federal law).
Jonathan Duani says
A compensating control is something that is put in place to complete a safety measure that is deemed too difficult or not feasible to complete at the current time. This would be used when there is a huge problem that is happening and the solution is too costly to implement, so a workaround is found that will make everyone happy. A good example of this is what we are actually talking about in this chapter, which is segregation of duties. Segregation of duties is important because it is a check and balance system where one person cannot complete any given task, and it helps with mitigating fraud and errors. However, in smaller companies it might not be possible due to lack of bandwidth with the amount of work vs. the amount of people employed. Since this is the case, they could use compensating controls such as going over and reviewing logs and audit reports.
Two IT roles that may be prone to segregation of duties are in purchasing. One person will place the orders while another one approves them. This way they are not overspending. Another would be with change controls. There is a tech that needs to make a change on the server. A manager would sign off on the change before it happens. That way they know there will be no impact and they are able to proceed.
Richard Flanagan says
Jonathan – see my earlier reply mentioning procurement. You have two procurement duties segregated but are there more?
Duy Nguyen says
1. What is a compensating control? When would you use one? Why? Can you give an example?
• A compensating control is a device/process that is put in place to satisfy a security measure that is considered too costly or impossible to implement, whether due to restrictions in resources or just impracticality. An alternative control used to mitigate this risk is segregation of duties. SoD is a method that divides up a critical task or function and assigns the parts to different groups or individuals. One example at my company is that we have one group processing invoices for payment and a different group approving and processing the vouchers for actual payment release. In addition to processing and payment release, we also segregate the group that puts in requests for materials/services.
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
• Considering that Administrative, Physical and Technical controls all work hand in hand and all have their own importance to a firm, I would have to say Administrative has a bit of an edge in importance. Having the correct IT strategies and knowing the budget would lay a solid framework or foundation for IT governance. With this in place, a company would be able to correctly implement personnel management. All controls are crucial, but having a good framework would make the whole IT process structurally solid.
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
• Segregation of duties (SoD) is the process of ensuring that one person acting alone cannot compromise the company’s security in any way. It’s the act of segregating critical tasks and assigning them to multiple individuals. It’s one way for a company to mitigate risks and not be highly dependent on one individual for any high-risk function. SoD additionally is used to prevent mistakes and minimizes conflict of interest. An example of IT roles that should be segregated is application administrator and application user. Users can use the application and carry out their job function but should not be able to alter their own or any other access or security profile. Another example would be application developer and application analyst. A developer should be testing their own code and approving code for production.
4. What do you consider to be the most important personnel hiring controls for an organization?
• I would have to say criminal checks would have to be one of the most important controls for hiring. It doesn’t matter how good the employee’s skill set is, if the employee has a history of criminal behaviors, the company would be taking a huge risk. In addition to what the employee might do or not do, this employee’s history could have negative impact on the work environment and reputation of the firm.
5. How are budgets handled (ie created monitored, re-forecast, etc.) in your organization?
• Not dealing much with departmental budgets, my understanding is that we have a top-down budgeting style. Departmentally we have a budget and that is broken down into different capital accounts and non-capital for expense. In addition, we also have special projects that can be funded by grants that are classified as non-capital funds. These special non-capital accounts are funded from other sources outside of the defined budget. Each department is responsible for monitoring and knows which funds to use for which expenditures and what is left. As far as forecasting or re-forecasting, we do neither.
Your Neighborhood Grocer Case
Consider the following questions about the YNG case and post your responses. Ignore the questions at the end of the case.
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
• Based on failed implementations, business management grew tired and demanded that the business make their own IT decisions without the involvement of YNG’s IT team. In addition to failed implementations, in-house development has incurred huge costs without any meaningful deliverables. This case seems a little bit like STARS, as the firm has no defined IT standards or procedures. There is no confidence in the YNG IT team and no centralized IT governance. YNG first and foremost needs to establish Administrative controls: define IT standards, IT budgeting and IT personnel management.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
• IT purchasing controls would need to be clearly defined. In my company, all IT related purchases need approval from a category approver such as computer/telecommunication, which would be the CIO or anyone he delegates. These purchases need to be analyzed by the right people and assured before purchase that it meets the requirements of the business whether technical or functional.
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
• Because the company has so many different types of technologies over so many different types of environments, there is no way to regulate access. There are no centralized access or security protocols. Because of this, there is no visibility or transparency within the company. YNG would need to implement a security control such as a password control or a centralized security directory.
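The segregation-of-duties examples in this thread (one person places orders and another approves them; a tech requests a change and a manager signs off; developers should not be the ones who approve code for production) boil down to two checks that can be implemented mechanically. The block below is an added illustration, not code from any poster’s employer or from the YNG case. The roles, permission names and user assignments are constructed for the example; the dynamic check refuses self-approval at the moment of approval, and the static check audits the role model for “toxic combinations” where a single person holds both halves of a request/approve pair regardless of whether they ever use them together.

```python
from dataclasses import dataclass
from typing import Optional


class SoDViolation(Exception):
    """Raised when an action would let one person complete a controlled task alone."""


# Constructed role model (hypothetical; not taken from any organization in the thread).
# Each "<kind>.request" / "<kind>.approve" pair is one segregated duty.
ROLE_PERMISSIONS = {
    "tech":       {"change.request"},
    "manager":    {"change.approve"},
    "buyer":      {"purchase.request"},
    "controller": {"purchase.approve"},
    "developer":  {"code.request"},    # writes and submits code
    "release":    {"code.approve"},    # promotes code to production
}

TOXIC_PAIRS = [
    ("change.request", "change.approve"),
    ("purchase.request", "purchase.approve"),
    ("code.request", "code.approve"),
]

# Constructed user/role assignments; "carol" deliberately holds a toxic combination.
USER_ROLES = {
    "alice": {"tech"},
    "bob":   {"manager"},
    "carol": {"tech", "manager"},
    "dave":  {"developer"},
    "erin":  {"release"},
}


def permissions(user: str) -> set:
    """Effective permissions = union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


@dataclass
class Request:
    kind: str                      # "change", "purchase" or "code"
    requested_by: str
    approved_by: Optional[str] = None


def submit(kind: str, user: str) -> Request:
    """A user may only raise a request of a kind their role permits."""
    if f"{kind}.request" not in permissions(user):
        raise PermissionError(f"{user} may not request a {kind}")
    return Request(kind, user)


def approve(req: Request, approver: str) -> Request:
    """Dynamic SoD check: the approver needs the approve permission for this kind
    of request AND must be a different person from the requester."""
    if f"{req.kind}.approve" not in permissions(approver):
        raise PermissionError(f"{approver} may not approve a {req.kind}")
    if approver == req.requested_by:
        raise SoDViolation(f"{approver} cannot approve their own {req.kind}")
    req.approved_by = approver
    return req


def toxic_combinations() -> list:
    """Static SoD audit: users whose combined roles let them both request and
    approve the same kind of task. These are findings even if nobody has
    abused them yet, because the control depends on the role design."""
    findings = []
    for user in sorted(USER_ROLES):
        perms = permissions(user)
        for request_perm, approve_perm in TOXIC_PAIRS:
            if request_perm in perms and approve_perm in perms:
                findings.append((user, request_perm, approve_perm))
    return findings


if __name__ == "__main__":
    print(approve(submit("change", "alice"), "bob"))      # allowed
    print(toxic_combinations())                            # flags carol
    try:
        approve(submit("change", "carol"), "carol")
    except SoDViolation as exc:
        print("blocked:", exc)
```

The two checks are complementary: the dynamic check is what the change-control or purchasing system enforces at run time, while the static audit is what an IT auditor would run against the role assignments (the “sorry state of access control” finding in the YNG case is the kind of report it produces). In a real system the role tables would come from the directory or the application’s authorization store rather than from literals.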
Richard Flanagan says
Everyone – Duy and others have mentioned capital and expense budgets. How are these different? What type of charges are applied to each of these different budgets? How does this affect IT?
Duy Nguyen says
Capital budget is budgeting for Projects and expense budget is budgeting for running of IT (ie salaries, software/hardware maintenance…)
Vince Kelly says
Agreed. As I understand it, Capital budgets are typically focused on significant capital expenditures (computers, printers, fleets of cars/trucks) – i.e. expenditures for assets that will last more than 1 year and are used to produce income.
I believe that Operating budgets are focused on short term (less than 1 year) assets needed for ‘keeping the lights on’/day-to-day operating activities.
In other words, (again as I understand it), Capital budgets focus on acquiring longer term assets while Operating budgets typically focus on,(among other things), maintaining those assets.
There’s an effect between the two – when capital budgets increase, operating budgets need to get larger over time in order to maintain those new assets. But increasing operating budgets doesn’t necessarily mean that capital budgets will get bigger – capital budgets are often actually reduced because one ‘crowds out’ expenditures for the other.
Richard Flanagan says
Generally true, but large software projects can, in part, be capitalized under the assumption that the software will have a multi-year life. We depreciated our SAP implementation, those parts that could be, over a seven year life span.
Vince’s point about operations budgets going up is very true, unless you are very draconian in killing legacy systems when you add new functionality.
Vince Kelly says
Agreed, but (as you know) SAP is a *much* different beast! It’s sold as an appliance, which means that you still must buy specifically defined hardware configurations just to run it (processors, cores, memory, storage, etc.) – even if it’s just for a ‘home grown’ TDI solution – so I can definitely see your point about the need to amortize it.
Pascal Allison says
Timing and acquisition are major differences between capital and expense budgets. Capital budget covers long time investment (infrastructure, equipment, and Assets) while expense budget covers the day-to-day expenses of an organization.
Company X buys a hardware (capital budget), the cost to maintain the hardware (expense budget).
An increase in capital budget automatically affects (increases) expense budget. An increase in expense budget has the propensity to decrease capital budget. If the day-to-day expense is high, there is less will or time to save or budget for large investment.
Vince Kelly says
good points Pascal. I think one of the most subtle but profound changes in the industry was when the decision was made by congress to allow software to be categorized as opex (instead of capex).
As I understand it, one of the ‘characteristics’ of capex *used* to be that if what you were buying was a long term asset ** that was intended to be used to generate income ** then you could classify it as capex (and take depreciation). Shifting software to opex – which is a classification that’s applied to something needed for day to day operations – i.e., a current expense – definitely made the finance guys happy because it could then be used to reduce company taxes immediately (the government’s intention there being to spur growth).
BUT while it basically turned into a windfall for the software industry, it really put hardware manufacturers in a bad position. The behavior (by government) definitely created innovation – but I would argue, (over a beer of course;) that hypervisors, container technology and even public/private and hybrid cloud would not have taken off like they did if there was no tax incentive behind them.
The reason for this is that (in my opinion) the government’s action created a ripple effect whereby the entire industry’s strategy shifted (almost overnight) from performance optimization to ‘stuffing more VM and container instances onto existing hardware.’
The analogy that gets used a lot to describe this effect is ‘pets versus cattle’ – i.e., when your pet (application) gets sick you take it to the vet. When your cow (thousands of container based apps) gets sick, you turn it into a hamburger;)
In effect, (in my opinion), a relatively minor change in the tax code ultimately led to the industrialization of applications development – not necessarily a bad thing but congress shouldn’t be allowed to influence entire industries like that,(they should just stick to doing what they do best – which is nothing at all;););).
Michael Gibbons says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is an internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions. (ISACA) You would use one when you are unable to implement a preventive control but still need some assurance around the activity or process. This could be necessary if the organization does not have the resources to implement proper segregation of duties or if the control is cost prohibitive. An example of a compensating control would be using a system that does not meet industry best practice or the organization’s password policy requirements. Industry best practice might say a minimum of 8 characters (complex password requirements to contain letters, upper and lower case, numbers and a special character, no repeating characters). The system may only support a 6 character password with no special characters. The compensating control would be implementing mandatory password resets every 30 days along with alerting on all password failures on the same account > 3 within a 5 minute interval and account lockouts after 5 invalid attempts.
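The detective half of the compensating control described above (alert on more than 3 failures for one account within 5 minutes, lock the account after 5 invalid attempts) is simple enough to implement as a log-monitoring rule, and seeing it run over sample data shows why both thresholds are needed. The block below is an added example, not code from the original post or from any product; the log format, the `LOGIN_OK`/`LOGIN_FAIL` outcome words and the sample records are all constructed for the illustration. It also includes the 30-day reset rule as a password-age check. The sample deliberately contains a burst of failures (caught by the 5-minute window) and a slow, spread-out guessing attempt that never trips the window but is caught by the consecutive-failure lockout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Hypothetical record format:
#   <ISO-8601 timestamp> <account> <LOGIN_OK|LOGIN_FAIL>
# alice: four failures in two minutes, then a successful login.
# bob:   one failure every ~20 minutes, i.e. never more than 2 inside any 5-minute window.
SAMPLE_LOG = """\
2018-03-01T09:00:00 alice LOGIN_FAIL
2018-03-01T09:00:40 alice LOGIN_FAIL
2018-03-01T09:01:10 alice LOGIN_FAIL
2018-03-01T09:01:30 bob LOGIN_FAIL
2018-03-01T09:02:00 alice LOGIN_FAIL
2018-03-01T09:02:30 alice LOGIN_OK
2018-03-01T09:20:00 bob LOGIN_FAIL
2018-03-01T09:40:00 bob LOGIN_FAIL
2018-03-01T10:00:00 bob LOGIN_FAIL
2018-03-01T10:20:00 bob LOGIN_FAIL
2018-03-01T10:21:00 bob LOGIN_FAIL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGIN_OK|LOGIN_FAIL)$")

ALERT_THRESHOLD = 3                   # more than 3 failures ...
ALERT_WINDOW = timedelta(minutes=5)   # ... within any 5-minute interval -> alert
LOCKOUT_THRESHOLD = 5                 # 5 consecutive failures -> lock the account
MAX_PASSWORD_AGE = timedelta(days=30) # mandatory reset interval


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, account, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, account, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), account, outcome == "LOGIN_OK"))
    return events


def evaluate(events: list) -> tuple:
    """Return (alerts, lockouts).

    alerts:   (account, timestamp) each time a failure makes the count of
              failures in the trailing 5-minute window exceed ALERT_THRESHOLD.
    lockouts: (account, timestamp) the first time an account reaches
              LOCKOUT_THRESHOLD consecutive failures (a success resets the count).
    """
    window = defaultdict(deque)   # per-account timestamps of recent failures
    consecutive = defaultdict(int)
    locked = set()
    alerts, lockouts = [], []

    for ts, account, ok in sorted(events):
        if ok:
            consecutive[account] = 0
            continue

        consecutive[account] += 1

        q = window[account]
        q.append(ts)
        while q and ts - q[0] > ALERT_WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) > ALERT_THRESHOLD:
            alerts.append((account, ts))

        if consecutive[account] >= LOCKOUT_THRESHOLD and account not in locked:
            locked.add(account)
            lockouts.append((account, ts))

    return alerts, lockouts


def password_expired(last_set: datetime, now: datetime) -> bool:
    """The 30-day mandatory reset rule from the post."""
    return now - last_set >= MAX_PASSWORD_AGE


if __name__ == "__main__":
    alerts, lockouts = evaluate(parse_log(SAMPLE_LOG))
    print("alerts:", alerts)       # alice at 09:02:00
    print("lockouts:", lockouts)   # bob at 10:20:00
```

Two details matter in practice. The window is pruned before counting, so it is a true sliding window rather than fixed 5-minute buckets that an attacker could straddle. And the lockout counter is only reset by a successful login, which is what catches bob’s low-and-slow attempt; with the 5-minute alert alone his behaviour would never be reported, which is why the post pairs the two controls.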
Richard Flanagan says
Michael – yes you can think of these as compensating controls or as security in depth.
Michael Gibbons says
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
From an IT Governance perspective, I would rank administrative controls first, followed by physical as second and technical as third. The administrative controls would determine who is going to have access to what and then provide training and awareness on how to handle that information. The physical controls prevent anyone not determined to have access from getting access to that data (badge access to a secure data center, security cameras to monitor doors, security guards to check organization-issued ID cards, etc.). Finally, the technical controls are going to identify the user through electronic means (authentication, identity validation/verification) and permit access to data across the network or to servers, files, and databases through Access Control Lists (ACLs). This order of controls relies on all three controls working together and functioning as intended.
Jonathan Duani says
Michael,
I like how you mentioned that the order of the controls relies on all three controls working together and functioning as intended. I do tend to agree with your initial order that administrative controls would be the most important. This would help users gain or block access. After that, however, I feel like your second and third options may also work the other way around. Since technical controls, like you said, are authentications and permits of access across a network, I think it would go first with technical controls and then with physical controls, because the physical controls can only work if a user is physically on site, whereas the other two controls can be enforced no matter the location of the user.
Michael Gibbons says
Thanks Jonathan, that order makes sense as Physical controls supplement both administrative and technical or logical controls.
Michael Gibbons says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is a preventive control designed to prevent a single actor from having complete access and responsibility over an entire system or process. It plays into basic administrative controls through the principle of least privilege (only granting enough access to a user so that they can complete their tasks). An example of two IT roles that should be segregated are Information Security and Network Administration. Information Security should develop the policy framework and Network Administration should write procedures that reflect or tie back to those policies (i.e. Firewall Policy, Logical Access, Password Policy, Remote Access, Vulnerability Management). To test that these items are working as intended, Information Security as a second line of defense could perform vulnerability scans, and the results of those scans would be provided to Network Administration for remediation. These scans can be rerun to provide assurance that the vulnerability remediation efforts are working as intended.
Richard Flanagan says
Everyone – notice Michael’s description of implementing security; it’s a perfect example of one of the main lessons we are trying to convey in this class.
Policy (Security) comes first; it’s the description of how management would like the organization to behave.
Guidelines and Procedures (Network) come second. These are meant to remove independent decision making from the employees in certain situations by telling them how the company expects them to behave.
Audit (Security again) comes last to verify that the policy has been appropriately implemented and is being followed. The latter point about audit is important. The auditor’s first question is whether or not the controls that have been put in place are sufficient to reasonably assure that the policy is being observed. If they aren’t, then adherence to those that exist is meaningless. If they are, then you need to see if they are being followed.
Michael Gibbons says
4. What do you consider to be the most important personnel hiring controls for an organization?
Background and credit checks. I feel it is very important that an organization perform the proper due diligence in the hiring process so that they have a comfort level with the people who are coming in. Some people look at the credit checks as worthless, but an organization doesn’t care as much about your FICO score as it does about the fraud risk a new person may bring. In some cases, the items listed on a bad credit check could be the rationale a person has to commit fraud or be persuaded by someone else to commit fraud.
Jonathan Duani says
Michael, really good point about the background and credit checks; however, I think everything should be taken into consideration before a final decision is made. Let’s say a person has a FICO score in the low 600s (if anyone doesn’t know, that is considerably poor). This could be due to a lot of different factors, many of which might not make them a bad employee. I think it comes down to looking at the situation as a whole and trying to figure out if the person is a correct fit for the organization given the current situation.
Michael Gibbons says
Thanks Jonathan, I agree with looking at the big picture and finding the correct person for the organization and position. I have heard managers say it is easier to go through a consulting firm for specific positions just so they can avoid going through the HR process of hiring someone because you are paying for someone who has already been vetted by a reputable firm (if not, they won’t get any recommendations or additional business).
Richard Flanagan says
Michael – Yikes, that could cost the company a fortune if a lot of people did it. Still, I suspect it is often the case. Here’s where different objectives, efficiency, effectiveness and compliance, butt heads.
Michael Gibbons says
5. How are budgets handled (i.e. created, monitored, re-forecast, etc.) in your organization?
The budget process in my organization follows both the bottom-up and top-down approach. Each year around this time, each department prepares their budget for the following year. Each department head has each unit manager reporting up the chain prepare a budget of items that are required (examples include software maintenance, replacement PCs and/or laptops, professional development, salaries/benefits). Any major projects that are part of the organization’s strategic plan would also be factored in if they require the purchase of new software/hardware and any additional resources that may be required to implement the new system. After all departments have finalized their budgets, my understanding is the C-suite meets with the CEO and they review the high level numbers. If things are OK, the budget will go to the Board for approval. If things are not OK, the CEO will request that each department go back and review their individual budget and cut x% from it. After a second round, back to the Board for approval. During the year, Finance will request quarterly updates from each department to explain any variances (items that were budgeted for a specific quarter where the purchase was not made need to be identified and explained). Any items budgeted over a certain dollar threshold will still go through the regular purchase process requiring CEO and possibly Board approval.
Richard Flanagan says
Michael – are you sure the board is this involved? I understand that the CEO will share the company’s outlook (revenue and expenses) in total with the board, but I’ve never seen the board specifically oversee budget.
Michael Gibbons says
Surprisingly yes. There have been many years where the process has gone back and forth multiple times and the Board had specific line item questions and/or concerns with a high dollar item in the budget. While a work in progress, the risk tolerance is very low.
Michael Gibbons says
6. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
Larry can help implement a formal IT Governance framework where the acquisition of any IT related system must go through IT prior to being purchased. He could use the Center for Internet Security Top 20 security controls – Hardware and Software Inventory controls – as examples of how to implement this structure across his organization.
Richard Flanagan says
Michael – but if you are buying a company you get whatever IT systems they have. Fully agree that at a minimum you must inventory both the HW and SW that is coming with the acquisition. How to then rationalize the duplications is the key question. Cisco was famous for years for acquiring companies and then eliminating all of their internal software in short order. Other companies only integrate at the external accounting layer using something like Hyperion.
Michael Gibbons says
One of my former employers had this down pretty well. I’m not sure of the specifics of how things were handled from the accounting side, but once a hospital or rehab facility was acquired, they were converted to the new owner’s core systems and the other systems were eliminated, keeping everyone on a standard platform. I still have some contacts there, so I might have to dive deeper into this one, as I can see the benefits of standardizing everyone on the same platform, but I would have to think there is a huge cost of adding an acquired company to the main system and the sunk cost of the acquired companies’ legacy systems.
Richard Flanagan says
Michael – think back to when US Air bought American Airlines. It took them over a year to integrate their systems, which had to be a huge expense even though they were probably (not sure) both using SABRE.
Michael Gibbons says
7. Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
A formalized project management/change management process would help Larry ensure that these procurements do not continue. If a formal process is in place where each project must be presented to a steering committee made up of senior management across the organization, the risk of this situation is significantly lowered as that group would control the approval and prioritization of resources for any project that would require a new application.
Michael Gibbons says
8. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Larry should be ready to recommend centralized identity management. The business units will no longer be administrators of their systems, access control reviews will be implemented. Each system will be reviewed to ensure it is meeting password requirements and that access is following the principle of least privilege (each user only has enough access to perform that specific job). With administration out of the business unit, the risk of improper segregation of duties is lowered as well.
Pascal Allison says
“As the companies were acquired, the IT function within each company was integrated into the YNG data center….” “As a result, they utilized various database management systems…”
How much does it cost to integrate, maintain, and use all the different management systems?
Why integrate the acquired company IT function before evaluation or testing?
The institution needs a definite action plan (policy) regarding the acquisition process. There was no control. What was integrated into the main system? Was it compatible? A system test should be done before integration, which could have saved time and money and helped with system structure.
Larry needs to formulate a control plan, set up a new system integration procedure, and set up an entirely new IT team for the acquisition process for system integration (evaluation, testing, tracking, and structuring). Restructuring IT controls and governance could save money and time, and mitigate or avoid some of the risk.
Richard Flanagan says
IT system integration is a major issue in acquisitions these days. Some acquisitions fail because the complexity and cost of integration was ignored. A proper due diligence investigation by an IT (person or team) should research the issues before a deal is struck.
I’ve been on three such deal teams and it is very complicated. It’s not just different systems. Consider something as simple as inventory of liquid chemicals. If one firm measures everything in pounds and the other in terms of volume, you have a complicated integration. Likewise, one company may sell by the pound and another by the container; again, a lot to fix. These problems will exist even if both firms are using the exact same level of HW and SW. If both use different systems, it gets much worse very quickly.
Pascal Allison says
Business and IT are working toward the same goal (corporate goals), yet their tactics and requirements toward reaching the business goal are not the same. IT is performance concentrated while business is cost focused. How can you select an individual who does not understand the functionality and importance of hardware or software to facilitate procurement? On the other hand, IT being left alone to handle the selection and purchase of business applications is a recipe or trap for a downhill effect on revenue. Larry needs to restructure the entire procurement process – a policy to control the selection and purchasing of business applications. A team of business personnel and IT professionals must discuss the need for the application and the cost (cost analysis), and implement a decision. The control here boils down again to IT control and governance. Since IT looks at performance and business looks at cost, a combination of the two ideas will yield a better result.
Pascal Allison says
Larry needs to recommend an outstanding access control policy, models, and mechanisms. Control should cover authentication, authorization, identification, approval, and accountability.
Access control could be physical and logical.
Michelangelo C. Collura says
What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is defined by ISACA as an internal control that reduces the risk of an existing or potential control weakness resulting in errors or omissions. What this means is that, during times when some control (e.g. an antivirus program) is not performing adequately, a further control is implemented to prevent that risk. There may be a technical limitation, or perhaps an antivirus program has not had its license extended for the new calendar year, and it is temporarily inactive. To prevent that vulnerability from becoming a major crisis, a compensating control can be implemented, such as isolating the unprotected system until the antivirus has been reinstated. This prevents the risk posed by the weakened control.
Michelangelo C. Collura says
If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
To rank them, I would consider which controls are most cost-effective and can be considered more reliable. This can be done by a cost-benefit analysis or a similar analysis, with the goal being to prevent or mitigate a given risk. I assume an organization would not wish to hire new people or remove existing staff, as this would cause losses to revenue. This would imply that a proper set of policies and procedures, combined with robust technical and physical controls, could be the best solution. However, a company may have difficulty implementing effective policies, so this could mean that technical and physical controls need to be implemented to sort of offset the risk from poor management. That being said, I do feel the most important is managerial, followed by technical and then physical. Without proper oversight or organizational buy-in, I don’t feel the absolute best technical and physical controls would suffice.
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
SoD is the delegating of roles and responsibilities to reduce the risk from a single individual compromising one or more critical processes. In the event of a single person having complete admin access to an organization’s systems and controls, that person can intentionally or unintentionally modify data at some point, leading to inaccurate bookkeeping, lost revenue, or many other problems. Two roles worth having SoD would be an overall system admin for payroll, and the IS team dedicated to crafting the processes for payroll IS. This enables one team to craft appropriate controls to prevent data manipulation, while the admin then makes authorizations within that framework as the organization requires. The admin can never craft and implement the controls, and the IS team can never make payroll authorizations.
What do you consider to be the most important personnel hiring controls for an organization?
I would say it depends on the organization. In a company working on government contracts with TS-SCI classification, a confidentiality/non-disclosure agreement is paramount. In a shipping company, perhaps a driving history check would be most important. As with other controls, hiring controls are going to depend on the organization, and should be modified and crafted based on needs, which can change over time.
Vince Kelly says
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
There seems to be almost a complete lack of IT governance; no standards, policies, processes or best practices in place. The philosophy seems to be; ‘let’s just slap everything together with band aids – we’re resourceful enough to fix something if it breaks.’ If this is their mindset then that typically leads to a very ad hoc, reactive type of environment. ITIL refers to these types of organizations as ‘Initial’, ad hoc driven Level 1 organizations and ‘Repeatable’ Level 2 maturity organizations.
I’ll bet their budgets are being sucked dry by leases for decrepit equipment, third party support and software maintenance expenses. I’ll also bet that, again assuming they are in this sort of purgatory, what processes and procedures they *DO* have are based on institutional knowledge rather than defined processes and procedures. This could be a disaster if someone “gets hit by a bus”. It would also mean that they won’t be able to innovate or add value very quickly (or at all) because any kind of resources and funding needed to do so are probably being ‘crowded out’ by their maintenance expenses. It would *also* probably mean that they may be having a hard time retaining their top talent (there are just not that many people in IT who get enthusiastically worked up about 70s-era databases or Solaris 🙂).
I think a metaphor probably best describes *how* they got into the state that they are in now – i.e., basically, they like to plant things in their garden but are too lazy to weed it. Over time they spent a lot of money buying plants and shrubbery, but everything in the garden is slowly strangled by the overgrowth. In other words, there was no formal system integration process in place as these systems were brought in house, and apparently no effort was made over time to slowly ‘weed out’ obsolescence and incompatibility – they just kept adding more “plants”.
The case points out that IT is subordinate to marketing so clearly there is also no strategic alignment with the business, i.e., if the IT organization is subordinate to marketing then guess what type of projects and initiatives they are going to be handed? It is *critical* that IT should have senior executive representation, if for no other reason than having insight into the company’s strategic road map.
As an example, the company acquired 10 stores – does this mean that the company’s long term strategy is inorganic growth? Because if it is, then M&A is *truly* where IT can absolutely add value to the company. If the company does plan to grow through acquisition, then the CIO needs to build/streamline systems integration processes, teams and automation tools that will enable the company to gain competitive advantage by accelerating acquisition synergies.
In order to do all of this, IT must have a seat at the table during the company’s strategic planning and budgeting process.
Five controls that the CIO should immediately think about implementing come straight from the COSO risk management objectives:
Objective Number 2: Objective-Setting
Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Objective Number 3: Event Identification
Internal and external events affecting the achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
Objective Number 6: Control Activities
Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Objective Number 7: Information and Communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
Objective Number 8: Monitoring
The entire ERM process is monitored, and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Anthony Quitugua says
“I’ll bet their budgets are being sucked dry by leases for decrepit equipment, third party support and software maintenance expenses.”
That is a fact. They gave an example of how they have to contract RETIRED technicians from a now defunct company in order to maintain one of their systems.
You brought up another good point, that in a majority of cases IT is rarely a consideration when it comes to M&A. If it was, a lot of these mergers would not occur because of the cost of either integrating or replacing IT systems.
The firm I work for has acquired numerous smaller institutions and for the most part merely patchwork a lot of their systems into our in house systems. This has caused a huge mess in parts of our IT structure that we have termed “Merger Hangover”. It has gotten so bad that there are some systems we have that no one is really sure what they do anymore, but we can’t get rid of them because they might have an impact on another system. The problem is nobody is really sure because the people around during the acquisitions have long since retired.
One of our solutions, at least for part of the problem, is to replace a majority of our legacy systems with a single new vendor managed system that executes the same processes.
Vince Kelly says
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
One reason is because IT has failed to establish any kind of consistent governance – they need to establish control objectives and good practice/best practice standards – like COBIT. They also need to standardize around an enterprise architecture framework.
Another reason is that there is no alignment to the strategic requirements of the business. The CIO must have control of, or at least significant input into, the creation of the capital and operating budgets. No IT related capex or opex expenditures without IT approval.
Anthony Quitugua says
IT definitely needs to establish some kind of Governance Model to rein in the mess that they are in.
In regards to your second point, the best way for IT to align to the strategic requirements of the business is to become an active participant. The CIO needs to have a “seat at the table” whenever business decisions are being made. He must be able to speak for the impacts of IT on the business and the impacts of the business on IT.
Vince Kelly says
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Given that SoD was a topic of discussion this week, I’ll hazard a guess that the auditors’ complaints about access control revolve around the lack of SoD within the organization 😉
If that’s the case (or even if it’s not the case), then the CIO needs to do a top to bottom assessment of the IT organization. He needs, at a minimum, to work with HR to understand job titles and descriptions, salary to pay grade alignment, and ensure that *everyone* within the organization understands their role and responsibilities.
Following that, the CIO needs to assess/identify the organization’s *capabilities* in terms of SoD (this is taken from the article on segregation of duties), i.e. is there the ability within the organization for the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors? He must also ascertain if those capabilities also extend to the detection of control failures that include security breaches, information theft and circumvention of security controls.
Brandan Mackowsky says
A compensating control is a control that serves an alternate option in order to counterbalance the effects of an internal control deficiency. They are generally used when an issue occurs within an organization that is too costly or not feasible to work through at the current pace so it becomes the alternative option. A time to use a compensating control would be if a systems engineer realizes that it is crucial to encrypt all data in the system. The organization, however, realizes that converting data into cipher text is extremely time consuming and expensive and needs to seek alternative options. The compensating control in this case would allow the systems engineer to replace the tedious encryption with items such as database security applications or network access control to prevent all unauthorized uses.
Richard Flanagan says
Brandan – recognize the governance issue in your example. Do you think “the organization’s” senior management recognizes their potential risk and how much jeopardy they may be putting the company in by not spending the extra money? It’s OK if they explicitly considered the risk/cost equation, but too many companies just want to cut IT’s costs without thinking.
Brandan Mackowsky says
I would say that the most important and least important basic IT controls vary for each specific organization. In this sense, I am going to look at a company as if it is beginning to establish itself. In this sense, I would say that administrative controls are the most important while technical controls are the least. Administrative controls are extremely important for an establishing company because they completely develop the framework for the direction that the company plans to take, such as defining safety policies or general rules. Technical controls would be the least important in this sense because, while they will work hand in hand with administrative controls, as a company is being established they do not take too much precedence, as it is more important to develop a business framework rather than focusing on each individual system.
Brandan Mackowsky says
The segregation of duties ensures that a single individual does not have complete control over a single system or process within an organization. This helps to mitigate risk for the business because it prevents one person from being able to manage a key process, discouraging sneaky or malicious behavior. It creates a checks and balances environment because it requires multiple people performing different tasks in order to complete a single process. An example would be a coding project that requires new code to be added to keep a system running. In order to have a segregation of duties, it would be crucial to have one technician who creates and writes the new code for the system while another technician simply validates the code. Another example would be a technician proposing a change to a firewall and, rather than being able to directly change it, a manager’s sign-off and approval are required.
Brandan Mackowsky says
I think the most important personnel hiring control is screening. Screening is a key process in hiring in order to establish that a particular person will be a stable employee who will look out for the best interest of the company. It is also crucial to screen because it allows hiring managers to filter out individuals who may not be qualified for the position. Through this process, only key individuals will be brought forward to ensure the success and growth of an organization and sets way for the other controls to be implemented towards the hiring process.
Heiang Cheung says
Just a thought for example Snowden had a pretty extensive security/background check to be able to work for the CIA but still leaked information. Do you think it’s because he was well qualified that the CIA overlooked some things? What procedures do you think could lower these threats?
Donald Hoxhaj says
Heiang – You are right. I am sure Snowden went through a very extensive security check before being placed in his position. I think a re-certification of sorts could have lowered the chances of Snowden leaking the information. If management regularly reviewed users and their access to top-secret documents, they may have realized Snowden had access to more information than was needed for his role. Additionally, I think random security checks of computer files would definitely have helped.
Brandan Mackowsky says
In the organization I work in, we typically see various types of budgets with various time frames. Working in audit, we see some budgets that were developed to span several years while others are typically budgeted only for a single project. Budgets are handled differently depending on the specific business unit that is handling it. If it is an IT budget, it’s typically monitored either weekly or monthly, depending on the duration of the project, and is re-forecasted quarterly. However, if it is a project budget related to redeveloping a business site, the budget may only be looked at quarterly and forecasted semiannually. All in all, it really depends on the particular business unit doing the job as to whether or not a budget is closely scrutinized or is set more relaxed.
Richard Flanagan says
Brandan – what does this say about the overall tone of the enterprise? Sounds like businesses are held to a lesser rigor than shared services. If so, what problems could you foresee?
Brandan Mackowsky says
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
While YNG grew heavily through acquisition, the businesses it acquired had their own way of doing their IT. While many were converted to YNG systems, some were allowed to keep their own systems and continued to follow their methods of running IT even after using YNG systems. A key issue with this is that it creates an informal, not centralized IT team that will not better the company and will cause them to run in different directions. In order to drive the team together and prevent this in the future, it is important that Larry establish some form of IT governance by establishing administrative controls that the IT organization can generally abide by and share a similarity to each individual acquired business. It is also crucial that Larry establish technical baselines in order to unite each business as well as define how each system will be utilized by the company.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
A major cause of business procurement being a huge issue for Larry’s organization is the IT environment not following a centralized and united structure. By not being united, each individual previous business will follow its own IT structure and begin and work on projects that they feel are necessary to enhance their end of the business. This results in multiple projects being open that are not widely accepted by the organization, and can result in certain groups refusing to follow the outcome of specific projects. It also leads to multiple similar projects being open at once, causing a waste of the organization’s budget because it is using extra money to accomplish similar tasks. In order to prevent this from continuing in the future, Larry should implement technical baselines for the company to abide by. Through this, the business will be united via a compilation of standards that define what the company wants to accomplish and how it plans to do so. Through this, Larry can also implement a checks and balances system that requires additional approvers to have a project authorized. This is made much easier when specific baselines are established to ensure those involved in checks and balances do not use free rein but rather reference the technical controls in place when making a decision.
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
By finding a sorry state of access controls within the organization, access can either be too easy to obtain or too complicated to utilize with different access roles in different divisions. Given the continued growth by acquisition, this essentially creates an environment with a bunch of users who will expect to have high-end access to systems and the organization but probably do not need it. When acquiring new companies, some roles will no longer be needed due to the duplication of roles or the reallocation of a person to a new position. A control that Larry can implement to prevent another poor audit result would be to review user access credentials on a periodic basis (maybe once every 3-6 months) to ensure that every user who is assigned specific access to a system or area is warranted to have that access. Through this, strong access controls are created and unnecessary or unauthorized users can be promptly removed from the access role.
Anthony Quitugua says
Screening is the most important personnel hiring control for an organization. Considering the sensitivity of some IT work, it is extremely important that a thorough background check be completed prior to bringing people into your organization. If you end up bringing in an “unstable” individual with a questionable background, the other controls you put in place will not be effective.
However, there are a few limitations to this. Like any control, there are a few cases that slip through the cracks. I agree with the example of Snowden and the NSA brought up in the lecture. He had a Top Secret clearance, which requires an extremely thorough Single Scope Background Investigation going back ten (10) years from the date of application. However, the major limitation of the process is that it is totally dependent on the honesty of the applicant when they fill out the SF-86 (Standard Form 86, used to apply for security clearances). The investigators can only adjudicate from what is written on the form, and if the applicant omits, or does not fully disclose, some information, it could impact the integrity of the investigation.
Mohammed Syed says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control, also called an alternative control, is an instrument that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time. In the payment card industry (PCI), compensating controls were introduced in PCI DSS 1.0 to give organizations an alternative to security requirements that could not be met due to legitimate technological or business constraints. According to the PCI council, a compensating control must: meet the intent and rigor of the originally stated requirement; provide a similar level of defense as the originally stated requirement; and be commensurate with the additional risk imposed by not adhering to the originally stated requirement. Examples of compensating controls for information technology security include segregation of duties and internal control, and encryption.
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
• Segregation of duties (SOD) controls can reduce the risk of internal fraud by up to 60% through early detection of internal process failures in key business systems. Existing controls may not be used effectively; for example, when one person prepares a mail log and another person processes the payments, a deposit ticket can be prepared, but the effectiveness of segregation of duties is minimized if the log total and deposit total are never compared. Examples of segregation: authorizing a transaction and posting it to the general ledger; receiving revenue funds (check or cash) and approving write-offs of receivables.
An integral part of broader identity analytics functions, SOD risk analysis and controls monitoring is difficult to achieve without specialized, commercially supported software. Incumbent spreadsheet-based and consultant-led practices for SOD risk management fail as the topology shifts to post-modern ERP with functions sourced from multiple ERP vendors. The high cost of traditional ERP platforms, combined with low perceptions of value and a lack of support alternatives, makes it difficult for security and risk management leaders to justify buy-in for an SOD controls monitoring product.
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
Strategic alignment, value delivery, risk management, resource management, performance management.
Mohammed Syed says
How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
The IT budgeting process is to develop a governance structure for IT. IT governance specifies the decisions, rights, and accountability framework to encourage desirable behavior in the use of IT. Also, incorporating the governing structure into the IT budgeting process can ensure that future IT investments are based on the performance of past projects, help manage risks, optimize resources, and foster the exploration of possible benefits of technology investments. The IT governance structure should include a governance committee to help steer the decision-making process. The IT governance committee should include stakeholders from various departments in the agency who have been given appropriate authority to hold the IT department accountable, and may include the IT Director/CIO, Finance Director, Human Resources Director, and any other stakeholders the government feels are appropriate.
Tamekia P. says
Readings
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a control chosen to mitigate a risk presented by a control that doesn’t exist or is not designed or operating effectively. You would use one when the cost of creating a preventive or detective control outweighs the benefits. Example: an organization does not have a proper control to address unauthorized access to a specific application. The compensating controls: 1. access is revoked upon termination or a period of inactivity; 2. the application can only be accessed on the organization’s network.
2.If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
I would order the controls using a cost-benefit analysis.
I would rank detective controls first. As long as my controls are designed to detect when an error has occurred, the organization can address the error, provided that the detective controls identify errors on a timely basis.
Corrective controls would be second. There needs to be a mechanism to address the errors identified by the detective controls. Given that preventive controls are generally the most costly, I would implement them where absolutely critical to the organization’s mission.
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties aims to prevent someone from completing a task from start to finish and circumventing established roles and procedures. I should not be able to grant someone access to the system while also having access to the same system. Example: the system administrator should not also be a user of the system. If I can modify the data within the system, then I cannot also have access to the data in production.
4. What do you consider to be the most important personnel hiring controls for an organization?
The most important hiring controls include background checks in the IT recruitment process. Hiring an employee who has committed fraud at another organization is a risk that the company should be aware of, depending on the role that the individual is being hired for.
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
Before an IT project is approved, there is a committee with the necessary individuals to determine if the project is necessary to the organization. This committee reviews the potential costs of the project and uses that as a consideration prior to funding. In addition, the status of IT projects is tracked to ensure that the project does not exceed the budget. Depending on project status, the committee may decide that it is no longer necessary to continue with the project, and any money spent to date is written off.
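The periodic access review described in the case answers above (recertifying every 3-6 months who holds what, and the compensating controls of revoking access on termination or after a period of inactivity) can be run as a script over an HR roster joined to an access export. The following is an added example written for this page, not code from any post above. The role-to-entitlement matrix, employee IDs, system names, dates and the 90-day inactivity threshold are all constructed for illustration.

```python
"""Periodic user-access review (recertification) over constructed sample data.

Joins an HR roster against an access export and flags every account that
should be revoked or re-approved: owner terminated, owner unknown to HR
(orphan), account idle past the inactivity threshold, or a privilege the
owner's role is not allowed to hold. Whatever survives is the list a
manager attests to at the end of the review cycle.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical role-to-entitlement matrix (an assumption for this example):
# which (system, privilege) pairs each job role may hold.
ALLOWED = {
    "cashier": {("pos", "sales_entry")},
    "store_manager": {("pos", "sales_entry"), ("pos", "void_approve"), ("gl", "read")},
    "accountant": {("gl", "read"), ("gl", "post")},
    "dba": {("gl", "db_admin")},
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    active: bool          # False once HR records a termination


@dataclass(frozen=True)
class Entitlement:
    emp_id: str           # account owner as recorded in the access export
    system: str
    privilege: str
    last_login: Optional[date]   # None: the account has never been used


@dataclass(frozen=True)
class Finding:
    emp_id: str
    system: str
    privilege: str
    reason: str


def review_access(roster, entitlements, as_of, inactivity_days=90):
    """Return (findings, certified).

    findings: entitlements that must be revoked or explicitly re-approved.
    certified: entitlements with no exception, left for manager attestation.
    Checks run in order: orphan -> terminated -> inactive -> role mismatch.
    """
    people = {e.emp_id: e for e in roster}
    cutoff = as_of - timedelta(days=inactivity_days)
    findings: List[Finding] = []
    certified: List[Entitlement] = []
    for ent in entitlements:
        emp = people.get(ent.emp_id)
        if emp is None:
            reason = "orphan: no HR record for owner"
        elif not emp.active:
            reason = "owner terminated"
        elif ent.last_login is None or ent.last_login < cutoff:
            reason = f"inactive > {inactivity_days} days"
        elif (ent.system, ent.privilege) not in ALLOWED.get(emp.role, set()):
            reason = f"not allowed for role {emp.role}"
        else:
            certified.append(ent)
            continue
        findings.append(Finding(ent.emp_id, ent.system, ent.privilege, reason))
    return findings, certified


# Constructed sample data: an HR roster and an access export after an acquisition.
AS_OF = date(2017, 9, 30)
ROSTER = [
    Employee("e100", "cashier", True),
    Employee("e200", "store_manager", True),
    Employee("e300", "accountant", False),    # left after the acquisition
    Employee("e400", "dba", True),
]
ENTITLEMENTS = [
    Entitlement("e100", "pos", "sales_entry", date(2017, 9, 28)),
    Entitlement("e100", "gl", "post", date(2017, 9, 1)),       # cashier posting to GL
    Entitlement("e200", "pos", "void_approve", date(2017, 9, 29)),
    Entitlement("e200", "gl", "read", date(2017, 3, 1)),       # idle since March
    Entitlement("e300", "gl", "post", date(2017, 9, 20)),      # owner terminated
    Entitlement("e999", "pos", "sales_entry", None),           # nobody in HR
    Entitlement("e400", "gl", "db_admin", date(2017, 9, 30)),
]


def run_review() -> Tuple[List[Finding], List[Entitlement]]:
    """Run the review over the constructed sample data."""
    return review_access(ROSTER, ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    findings, certified = run_review()
    for f in findings:
        print(f"REVOKE/REVIEW {f.emp_id} {f.system}:{f.privilege} -> {f.reason}")
    print(f"{len(certified)} entitlement(s) left to recertify")
```

On the sample data the script flags four entitlements (a cashier with GL posting rights, a manager's GL account idle since March, an account owned by a terminated accountant, and an orphan account with no HR record) and leaves three for attestation. In a real run the roster and export would come from the HR system and each application's own access report, and the findings feed the revocation tickets.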
Tamekia P. says
Your Neighborhood Grocer Case
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
Larry should consider implementing and monitoring hardware and software maintenance KPIs. The systems being used are so varied across the organization that it may be good to get a sense of how the systems are being maintained and the costs associated. The hardware/software requiring expensive or frequent maintenance should allow Larry to create a priority list of where to start making changes.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
The IT governance needs to be structured so that decisions don’t happen in these silos across the company. The business and IT both need to be involved.
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Larry should implement authentication controls to allow review of access to the system. The system administrators should be the only ones allowing access to the system.
Mohammed Syed says
What do you consider to be the most important personnel hiring controls for an organization?
Hiring controls put emphasis on employee performance and behavior, and on maintenance of the policies and procedures. One of the most important controls, I believe, is discipline policies. Discipline policies are basically in place to check on employee performance and behavior. They either boost the performance of an employee or use counteractive steps to readdress employee behavior. Besides the discipline policy controls, employee evaluations are vital in monitoring employees and seeing if their performance meets company standards. Overall, I don’t believe there is one specific hiring control; many controls are needed, and are in place to ensure that employees meet the organization’s standards.
Jonathan Duani says
YNG has acquired many different companies throughout its existence, and because of this there seems to be no standardization in place. Due to the lack of any direction, many things seem to be all over the place. I think Larry should incorporate asset and budget controls. This way, when a new store is acquired and brought online, they can make sure that they are all the same across the board. This will cut out unnecessary spending to make different systems work together. It will also cut down on support costs because you can do a lot of it in-house when everyone is using the same system. Once a lot of the systems are taken offline and only the critical systems that are needed are put in place, the company will save money in the long run due to decreased operating costs.
Heiang Cheung says
Question #2: If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least? For me, I would say administrative controls are the most important because they lay the foundation. Administrative controls are the policies, procedures, and guidelines intended to facilitate information security. You can’t build a house top-down, in my opinion. The least would be the physical controls, because I feel like you could, in a way, avoid doing as much physical control, like security guards or picture ID, in certain situations where the administrative and technical controls are in place.
Question#3 What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of Duties is the act of separating job functions so that no one function can be performed from beginning to end. It is a basic administrative control because it helps mitigate the risk of fraud by providing checks and balances. For example, from purchasing to payment there are multiple people involved in most companies, from the person who is requesting, to the buyer, to the warehouse receiver, and then to accounts payable. This lowers the risk of a person being able to make fake invoices and commit fraud.
Example: the application developer should not be the one testing the application. If that is the case, then there won’t be any checks and balances.
Question #4: What do you consider to be the most important personnel hiring controls for an organization?
I think screening of employees is the most important hiring control for an organization because I believe the employees make up the organization. If there are bad employees, it puts the organization in a bad light. Also, simple background and credit checks could help weed out potential risks. For example, a person with bad credit or in a bad financial situation is more inclined to commit fraud than a person who isn’t. Also, you could tell if a person is responsible, or at least financially responsible.
#1 YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
There was a mess of systems because there was no IT governance. The IT department should’ve had some say in the acquisitions, because they should’ve considered the cost of aligning the systems in the acquisition total. I feel like Larry needs every control, but administrative controls definitely need to be put in place: new procedures for how to handle new systems.
#2.Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
The reason why they have so many issues is because there’s no governance. The IT department didn’t align with the company goals. There definitely needs to be some type of procedures/planning put in place for purchasing. Better administrative controls would definitely help this company.
#3 The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Larry should be ready to recommend all the different controls. Administrative controls, because they would get everyone on the same page; the IT department needs to know what the business actually needs in order to meet business objectives. The hiring needs to be a little better because the systems developed in-house were poor. The budget controls need to be handled better because there were large budget overruns and multiple substantial write-offs. They need to evaluate their projects, probably on a quarterly basis, to avoid more budget overruns and substantial write-offs. They also need some technical controls since there are so many different applications to manage and secure. Their entire system needs to be overhauled to be more transparent and not all over the place; even their front-of-store application, which is obsolete, is run by a group of retired programmers, which can’t be sustainable because when they actually retire no one would know the application.
Lezlie Jiles says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is implemented to satisfy a security requirement that has been identified as problematic or that imposes limitations on an organization’s ability to achieve it. Therefore, if an organization determines that it is limited in its ability to implement the security requirement, it may use a compensating control, which offers a parallel level of safety to the original requirement.
I located an interesting article by David Bisson titled “Compensating Controls: An Impermanent Solution to an IT Compliance Gap.” The article provides four criteria that compensating controls must meet to fulfill a compliance control. It also identifies that the notion of a compensating control was introduced in PCI DSS 1, which is a standard that was introduced by the four major credit card companies (Visa, MC, Discover, and AMEX) to optimize the security of credit card processing and to shield cardholders from misuse. It was also identified that some organizations could not completely conform to the standards as they were, so the PCI Security Standards Council provided a means to uphold the requirements through documenting compensating controls. Mr. Bisson states that the four criteria that must be satisfied by the compensating controls are:
1. Meet the intent and rigor of the originally stated requirement;
2. Provide a similar level of defense as the originally stated requirement;
3. Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
4. Be commensurate with the additional risk imposed by not adhering to the originally stated requirement.
Although there are several situations where a compensating control can be implemented as opposed to the originating standard, the most popular example is the segregation of duties. Personally, I deal with our cash handling process, where the money is received, processed, deposited, replenished, and reconciled by five different employees. However, a smaller organization may find difficulties in meeting this process requirement, so to compensate “an organization might maintain and review logs and audit trails instead.” This checks-and-balances process should be completed on a quarterly basis (in my opinion) to identify misappropriation of funds in a timely manner.
https://www.tripwire.com/state-of-security/security-data-protection/compensating-controls/
Lezlie Jiles says
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
There are three categories of controls, which are administrative, technical, and physical. Embedded within these groups are additional controls as they relate to preventive, detective, and corrective. Under the administrative realm, there are controls concerning monitoring, personnel management, policy and procedures, budget, and asset control, etc. According to our CISA manual, “a control framework is defined as a set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or informational loss in an enterprise. Therefore, it can be seen as the implementation of controls intended to support and protect business operation and preserve asset value.”
All of the controls are equally important, but in an attempt to address the question I would have to say that the ranking of these controls depends on the type of risk that the organization has identified, through the examination of collected data, which they are trying to mitigate in order to gain/remain compliant. To improve “the odds with no guarantee” of eliminating/reducing risks, my ranking list of basic controls from most important to least would be administrative, technical, and physical.
Lezlie Jiles says
4. What do you consider to be the most important personnel hiring controls for an organization?
This is an interesting question because my first choice would be employment contracts and job descriptions. I believe it is important for an organization to ensure that the most qualified person is hired for the function needed, but an organization must first understand those required functions. However, during our lecture, Professor Flanagan strongly pointed out that the most important personnel hiring control was screening, and I agree.
Our CISA Review Manual addresses HR Management, which encompasses organizational policies and procedures for recruiting the most effective and efficient staff. Under an organization’s hiring practices, the first common control is background checks, which encompass drug testing, criminal, and credit checks. By applying the screening control, an IT organization can ensure that they’ve hired the right people for the job, and as Professor Flanagan pointed out, this is important “because of the nature of the work.”
I would also follow up by saying that once the most effective and efficient candidate is chosen, the next personnel hiring control is SoD.
Lezlie Jiles says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
IT utilizes SoD so that no one person has the ability to corrupt the system by implementing malicious code without being detected. SoD is achieved by separating the functional duties of any given project into different tasks and assigning those tasks to different employees to complete the project as a whole.
The ISACA article titled “What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities” points out a few duties that must be segregated, which include IT Duties vs. User Departments and Database Administrator vs. Rest of IT Function. Tommie Singleton points out that IT duties vs. user department is the most “basic” form of SoD. Under this SoD, the user department cannot/should not perform IT duties related to their department, such as “security, programming, and other critical IT duties”. Mr. Singleton also stresses that a Database Admin. is a “critical position that requires a high level of SoD”. The reason for this is that these positions have the “keys to the kingdom”. They know (or should know) every facet of the system, which is risky within the IT functions. Therefore, it is vital that SoD is implemented, thereby providing the DBA only the required functions to perform their duties and nothing more.
I also gave an example of SoD in my first response.
Bilaal Williams says
A compensating control is an alternative control that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement. In the payment card industry, compensating controls are used to give organizations an alternative to security requirements that could not be met due to legitimate technological or business constraints. According to the guideline, these controls must: meet the intent and rigor of the original stated requirement; provide a similar level of defense as the original requirement; be “above and beyond” other PCI DSS requirements, not simply in compliance; and be commensurate with the additional risk imposed by not adhering to the original requirement.
An example of a compensating control in IT is maintaining logs and audit trails in a company whose staff is limited and is unable to perform segregation of duties (SoD).
Paul Needle says
Bilaal, well stated; you obviously have a full understanding of compensating controls. I am curious about the PCI compliance example. If it is above and beyond the original intent, is it actually a compensating control? This could also just be my misunderstanding of PCI regulation. Just a thought.
Michelangelo C. Collura says
YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
It seems YNG wanted to stick with applications it considered best at given tasks, but it feels like that lofty goal has been overshadowed by the bureaucratic inertia of dealing with systems everyone has gotten used to. It is unlikely that some of these applications, such as the general ledger, don’t have more modern, more effective iterations, so this is almost certainly costing YNG lost revenue. I think some admin controls need to be implemented to enforce this idea of “only the best”, to force a transition to newer systems where applicable and settle on single apps to be streamlined for use across all locations. This would reduce errors and incompatibility issues, which would reduce the need for a likely very large pool of in-house developers who suck up a lot of overtime hours.
Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
The businesses are allowed to implement hardware/software solutions without IT involvement, so it’s essentially a free-for-all, into which the YNG IT folks come and must valiantly fight to streamline and/or implement. One very simple policy change at the managerial level would be to require the CIO to sign off on a new application or hardware implementation after an analysis has been conducted by his team. This creates a barrier between a poor business decision and final C-suite approval and implementation. Businesses could further be required to demonstrate compliance at quarterly intervals, so as to mitigate the risk of them trying to implement the poor infrastructure (according to the article, it seems the business management consider this very important, so they may try to cut corners).
The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
He could implement some logical controls to require admin approval for systems access, to be implemented as systems are streamlined and combined or replaced with newer versions. This could help to prevent the free-for-all at the individual business level by requiring approval from someone higher up in IS, perhaps even Larry’s approval, in order to utilize the systems. I imagine such approval requirements would be chaotic at first due to pushback and the chaotic nature of the current ecosystem, but I believe that as things are streamlined and updated and people accept the new normal, this will lessen.
Lezlie Jiles says
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
Honestly, I am not familiar with how our budgets are exactly handled, but if I had to guess I would say both top-down and bottom-up.
Prior to the implementation of our new system, we used to have an old legacy system that was the worst, to say the least. I believe the administration viewed our budgeting system as a bottom-up process at the time because there was always something that needed to be upgraded or added on within the old system. They were constantly identifying the cost to do something that needed to be completed and creating a budget. I can recall our old CFO saying something to the effect of whatever it took/cost to implement the process that would safeguard the organization and provide the most optimal results. On the other hand, with the new system in place, I believe we are now working on a top-down approach, and because of the nature of our organization and the differences in processes/needs, I would imagine that we also use actual spending with quarterly forecasting. I believe this is true with regard to our increase in real estate development, and the objective to identify any fraudulent activities.
Patrick DeStefano (tuc50677) says
What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a type of control used to compensate for a weakness or risk associated with a specific requirement not being adequately met. For example, say you are a manager in an IT organization and you have a contract-driven deadline to meet for an application you are building. You run into an issue uncovered during testing which, if fixed the right way, would require a large amount of code changes that would surely not allow you to meet your deadline; however, during additional analysis, you realize that a different application which your team had previously built would allow you to temporarily meet the requirements of the customer. If the customer agrees to the temporary fix, this would be your compensating control.
You will find that when it comes to the complex systems and applications used in many large organizations, it is not uncommon to have a project hit a roadblock or have an issue uncovered during testing which calls for some form of redesign. When budgets and timelines are set, compensating controls are often used to offer solutions to mitigate the risk of the application not meeting requirements until a more permanent solution is available.
Patrick DeStefano (tuc50677) says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is a method of reducing the risk of employee malicious intent. It is where an individual does not have access to all the duties related to a specific area. For example, segregation of duties would come into play for someone who is a database administrator. Since this job function has such a high level of access to manipulate databases and the data they contain, SoD would remove their access to all the other functions related to the systems they work on. They may have access to the databases; however, they should not have access to the applications accessing the data, nor to the security measures placed to protect the data.
Security personnel should also have segregated duties. They should not have access to the databases nor applications which their measures are being used on. Another example would be on an Agile application development team. Segregation of duties would require that the person who designs and documents the application is not the one who builds and codes the application. The person who builds and codes the application should not be the one who tests and ensures the quality of the application.
These types of segregation of duties are essential to mitigate the risk associated with someone rigging the system or doing special favors for someone, and also help to improve the quality of the software being developed.
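Mohammed Syed’s point above that SoD risk analysis and controls monitoring needs tooling rather than spreadsheets, and Patrick DeStefano’s DBA / security / developer / tester examples, both describe the same check: resolve each person’s effective privileges across systems and test them against a list of incompatible combinations. The following is an added example written for this page, not code from any post or from any ERP or identity product. The role names, system names, privilege codes, the “toxic pair” rules and the user assignments are constructed for illustration, and the accepted-exceptions list stands in for a documented compensating control (for instance the log-and-review arrangement several posts above mention for small teams).

```python
"""Segregation-of-duties (SoD) conflict analysis over constructed sample data.

Resolves each user's effective privileges through role membership across
several systems, then reports every incompatible pair that one person holds.
Conflicts that have a documented compensating control are reported separately
instead of being silently dropped, so the exception list itself stays auditable.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Priv = Tuple[str, str]             # (system, function)
Conflict = Tuple[str, str]         # (user, rule description)

# Hypothetical roles: each grants a set of (system, function) privileges.
ROLES: Dict[str, Set[Priv]] = {
    "ap_clerk":      {("ap", "enter_invoice")},
    "ap_approver":   {("ap", "approve_payment")},
    "gl_poster":     {("gl", "post_journal")},
    "gl_authorizer": {("gl", "authorize_journal")},
    "dba":           {("gl", "db_admin"), ("ap", "db_admin")},
    "app_developer": {("gl", "deploy_code")},
    "app_tester":    {("gl", "approve_release")},
    "sec_admin":     {("ap", "manage_roles"), ("gl", "manage_roles")},
}

# Incompatible combinations ("toxic pairs"). Order within a rule is irrelevant.
SOD_RULES: List[Tuple[Priv, Priv, str]] = [
    (("ap", "enter_invoice"),     ("ap", "approve_payment"), "create and approve a payment"),
    (("gl", "authorize_journal"), ("gl", "post_journal"),    "authorize and post to GL"),
    (("gl", "deploy_code"),       ("gl", "approve_release"), "build and approve own release"),
    (("gl", "db_admin"),          ("gl", "post_journal"),    "DBA also transacting in the app"),
    (("ap", "manage_roles"),      ("ap", "approve_payment"), "grant own access and approve"),
]


def effective_privileges(user_roles: Iterable[str], roles=ROLES) -> Set[Priv]:
    """Flatten a user's roles into the full set of privileges they can exercise.

    This is the step spreadsheet reviews usually miss: a conflict can arise from
    two harmless-looking roles granted on two different systems."""
    privs: Set[Priv] = set()
    for r in user_roles:
        privs |= roles.get(r, set())
    return privs


def find_sod_violations(
    assignments: Dict[str, List[str]],
    rules=SOD_RULES,
    roles=ROLES,
    exceptions: FrozenSet[Conflict] = frozenset(),
) -> Tuple[List[Conflict], List[Conflict]]:
    """Return (violations, compensated), both sorted.

    violations: (user, description) pairs with no approved exception.
    compensated: conflicts covered by a documented compensating control;
    they still need periodic review, so they are reported, not hidden."""
    violations: List[Conflict] = []
    compensated: List[Conflict] = []
    for user, user_roles in assignments.items():
        privs = effective_privileges(user_roles, roles)
        for a, b, description in rules:
            if a in privs and b in privs:
                hit = (user, description)
                (compensated if hit in exceptions else violations).append(hit)
    return sorted(violations), sorted(compensated)


# Constructed assignments mimicking an access export after several acquisitions.
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["ap_clerk", "ap_approver"],     # acquired store ran AP with one person
    "bob":   ["gl_poster", "gl_authorizer"],
    "carol": ["dba", "gl_poster"],            # DBA who also posts journals
    "dave":  ["app_developer", "app_tester"],
    "erin":  ["sec_admin", "ap_approver"],
    "frank": ["ap_clerk"],                    # no conflict
}

# Constructed exception: alice's conflict is accepted because her payments are
# logged and reviewed monthly by the controller (the compensating control).
ACCEPTED = frozenset({("alice", "create and approve a payment")})


if __name__ == "__main__":
    violations, compensated = find_sod_violations(ASSIGNMENTS, exceptions=ACCEPTED)
    for user, why in violations:
        print(f"SoD conflict: {user} can {why}")
    for user, why in compensated:
        print(f"Compensated (review exception): {user} can {why}")
```

Run against the sample export, the check reports four open conflicts (bob, carol, dave and erin) and one compensated conflict for alice. Adding a rule is one line, and because privileges are resolved per user rather than per role, a conflict created by combining a role from one acquired company’s ERP with a role from another is caught the same way as one inside a single system.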
Paul Needle says
4. What do you consider to be the most important personnel hiring controls for an organization?
The two most important personnel hiring controls, in my opinion, would be reputation and face-to-face interviews.
A reputation is an extremely difficult thing to build and then change over time. I would research as much as possible with past employers, co-workers, clients, etc. to try and get a solid understanding of the person’s reputation. We recently hired someone without a college education, which was difficult for me to understand considering the young talent available. The hire was based on a person’s 30-year reputation in the industry as an extremely hard-working and pleasant individual. She turned out to be a great hire and an extremely valuable contributor to our team.
The next would be face-to-face interviews. In my line of work, it is critical to be able to think on your feet and react to customers. If someone can’t get through an interview with basic people skills, then it should serve as an obvious red flag.
Patrick DeStefano (tuc50677) says
Paul, I 100% agree with you. I had previously posted about references from trusted individuals being important to the hiring process, but I think you spelled it out a bit better than I did in that you mentioned the foundation for why people would give you a reference. If you are able to build a reputation as a knowledgeable, hardworking, and trustworthy resource, then, a lot of the time, people will happily refer you to someone for a job or recommend you to an employer.
Paul Needle says
A compensating control is an alternative used when the desired control is either too expensive, difficult, or impractical. It’s in place to address the security concern even though it may not be the ideal control. One compensating control that I come across is counter-signatures on checks. Some smaller banks are not able to get a counter-signature on all checks that are deposited. A compensating control would be a technology platform that keeps a digital log as a backup to the designated person who is signing checks. The log is then reviewed on a regular basis to confirm there is no fraud taking place.
Paul Needle says
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
We typically utilize a combination of a bottom-up approach and a planned-vs-actual approach to calculating our budget. We are provided a growth goal number over our planned budget from the previous year. We then break up the total budget by each broker that we deal with to determine individual goals. The total should add up to the budget including the growth goal. This is analyzed against what we accomplished last year with each individual broker. If the numbers are significantly different from what was accomplished the previous year, then an explanation is to be provided. Our progress is measured on a monthly basis. After each quarter there may be an opportunity to re-forecast; however, that usually requires a high level of approval.
Jason M Mays says
Q1.
Compensating controls are controls that are implemented in place of a specified control. A compensating control should only be put in place when it is not technically or financially feasible to implement the specified control (Payment Card Industry (PCI)). Compensating controls should meet the standards to mitigate the risk that the original control was meant to mitigate, per policy standards.
Jason M Mays says
Payment Card Industry (PCI). “Payment Card Industry (PCI).” April 2016. http://www.pcisecuritystandards.org. https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-2.pdf?agreement=true&time=1505351738392
Jason M Mays says
Q2. I rank the basic IT controls from most to least important as administrative controls, logical, and physical. I think that if you are trying to implement a comprehensive level of security it must rely on strong and clear policies and procedures. To have effective policies and procedures it’s necessary to have stakeholders at all levels take responsibility for their share. Therefore, the effective application and use of administrative controls create a culture of IT safety where preventative measures can thrive. I think logical is in the middle due to the importance of logical controls in the detective and corrective/recovery phases of IT system security. It can also be overlooked more easily than physical controls. Physical controls are last since they can be more visible and implemented by other business departments such as security, human resources, finance, etc.
Jason M Mays says
Q3. Segregation of duties is an administrative control implemented in policy to create a checks-and-balances approach to job duties. Segregation of duties works best when you separate the roles that apply to a business system or separate the duties of job roles that have too much critical access. Example: a database administrator (DBA) and an application developer. Since the DBA has so much critical access, it would be unwise for the DBA to also have the authorization to manipulate it through an application. Segregation of duties adds to the culture of IT safety, or at least takes away some of the seclusion from watchful eyes that may tempt some to do bad when they think no one is looking.
Jason M Mays says
Q4. I would argue that no one hiring control can be placed above another since there is no pure one-size-fits-all test of a person’s character. I think it’s necessary to look for patterns in no less than two controls to detect if there is a pattern of vulnerability over time. For instance, if you perform a criminal background check and a credit check and see that there is no criminal activity, but a repeated cycle of credit delinquency with significant debt amounts, then the subject should raise a red flag due to the credit check. On the other hand, if they have acceptable credit, have a clean drug test, but show signs of a drug problem based on information collected from the subject’s family and friends, then it was the interview that was most effective. In both cases a pattern was the best analysis of the effectiveness of the subject, and therefore of the combination of controls used.
Jason M Mays says
Q5. In my last organization, my budget for the office was about 70,000. It was reviewed biannually. A forecast was made annually based on the previous year’s spending. About half was for team projects and was allocated at my determination. I implemented a more frequent interval of review for individual project managers and used reforecasting methods tied to team performance to make allocation decisions. I voiced concern with there not being more focus on my reviews. While I thought I did OK in the position, I saw vulnerabilities that a person with poor character could have taken advantage of.
Bilaal Williams says
2. Physical security concerns itself with threats, risk, and countermeasures to protect facilities, hardware, data, media and personnel. These controls involve controlling physical access to the facilities, contingency operations, and facility security planning. Since physical security controls the actual access to data, I feel it is the most important of the basic IT controls. If the facilities or information systems are not physically safe, no amount of technical security implementation will be effective.
3. Segregation of duties is the class of access controls that follow the common best practice for which sensitive combinations of permissions should not be held by the same individual, in order to avoid violation of business rules. The purpose of this constraint is to discourage fraud by spreading the responsibility and authority for an action or task, which increases the risk of these acts by requiring the involvement of more than one individual. An example of SoD is requiring different people to create and approve purchase orders, and requiring different people to create user accounts and define user permissions within the account.
4. The pre-employment screening phase includes information on how to establish what criteria and limitations should be used for employment checks and for handling sensitive data such as personal financial information. It also attempts to cover how best to identify who is eligible to carry out such checks. Employers must get this right or they are in danger of not hiring the right kind of person for the role they are looking to fill. Since this is the first interaction between employer and employee I feel it is most important.
5. Budgets in my department are handled by management using a financial forecast of fiscal conditions which are prepared using estimated information based on past, current, and projected conditions. These forecasts take into account information from different departments which is gathered by Financial Reporting.
Lezlie Jiles says
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
I think this happened because there seems to be no guidance in the IT department at all. According to the industry description, supermarket companies are focused on marketing and the IT infrastructure is set to a lower priority, but in this case not at all.
Prior to Larry implementing any controls, he must first conduct an analysis to identify the business’s specific risks. In any event, I believe he will have to put into place administrative and technical controls. I added administrative because while reading it was apparent that there were no procedures in place to utilize (or not) the acquired company’s systems. Also, there are definitely no technical controls.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
The purchases both by IT and the business are failures because these departments are not in line with each other, nor are they in line with the company’s objective. Larry would need to implement segregation of duties. Actually, I think the SOAPSPAM list of control processes would work in this environment. During our week 2 readings the acronym SOAPSPAM was identified as:
1. “Segregation of duties: the same person should not be solely involved in all aspects from start to finish.
2. Organizational controls: Policies are in place that are up to date, clear, and effective.
3. Authorization: Activities and actions are pre-authorized by the right people at the right time.
4. Physical controls: Threats to the physical security of people and assets are controlled.
5. Supervision: Appropriate supervision is in place to keep track of tasks.
6. Personnel: Staff is appropriately supported with training, and recruitment exercises ensure that the right people are employed.
7. Arithmetic/Accounting: Checks are made on accounting records and additions/calculations are correct.
8. Managerial: The organization has clear lines of reporting and authority, targets, budgets, and expectations.”
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
As I stated in an earlier post, and which I believe works well here too: according to our CISA manual, “a control framework is defined as a set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or informational loss in an enterprise. Therefore, it can be seen as the implementation of controls intended to support and protect business operation and preserve asset value.” With that being said, I believe Larry is going to have to work from the bottom up as it relates to corrective, detective, and preventive controls in order to address the audit finding. He should also be prepared to implement some compensating controls until he has the adequate information needed to fully implement the control methods and groups in their entirety.
Patrick DeStefano (tuc50677) says
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
There are two reasons for the current state of their systems. One reason is that they would sometimes allow the acquired company to retain its own systems and then try to integrate them into YNG systems. I see where they were going with this. They were attempting to see if any of the acquired companies had a better system than their own. It’s a good idea IF and only if your current system has high costs and is very outdated AND, once you find a better system in operation, you replace your legacy system with the improved one. Another reason for this mess of systems is that YNG applications were all developed independently over time. They have multiple different database management systems, and many of their applications are being maintained by retirees and are ready to be decommissioned. This legacy system has to be costing YNG a lot in overhead just to keep it running.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
There needs to be a stronger push for IT governance and a centralized approach to IT project slotting and analysis as well as the business strategy. After reading the case, it seems as if there was no standardization within the systems being built, nor when they acquired a company with better software. A few things should happen here. Larry needs to bring both the business users and the IT department together, sit them down, and come up with the business strategy of the organization as it relates to IT, as well as a plan to centralize and standardize their platforms so they are all using the same data management system and type of coding.
This will give IT a better understanding of the planned end state and direction in which to head while planning any future projects. It will also drastically reduce overhead resulting from multiple systems. Another control which could be put in place is to rotate the IT staff every so often to a different application. This would create a culture of continuous learning, ensure employees don’t get bored, and allow increased expertise across multiple systems.
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Larry and Del need to get together and put in place several Administrative and Logical controls. They need to start with setting up policies surrounding security and access. Employees should only have a level of access which they need to perform their job duties. They should also add separation of duties and job rotation policies. These will decrease risks as well as increase systems knowledge across the employee base. Larry should also add audit logs to track any changes being made to each of the systems for traceability.
YNG needs to overcome a lot of hurdles before it can begin running like a well-oiled machine in terms of IT; however, with a culture shift, process standardization, and a good set of controls being implemented, it can be done.
Jason M Mays says
Your Neighborhood Grocer Case
1. YNG seemed to have had either no, few, or poorly enforced administrative controls. In addition, there were likely no IT audits performed prior to the current CIO. The lack of looking at business system life cycles and no centralization of IT system procurement led to a hodgepodge of systems. Larry needs to find a framework that meets the needs and requirements of YNG and create strong IT policies and procedures.
2. Future IT system application development and procurement should be owned by the IT department. Responsibility and input from the C-suite and the corresponding business unit should be enforced through policy. All solutions should be financially evaluated to make sure they can achieve their purpose within reason of the budget and product life cycle.
3. Larry needs to segregate the duties of authenticating users and authorizing users. Authorization should be the responsibility of whoever oversees IT security. If no one oversees IT security specifically, then the role should simply be separated from the person responsible for authenticating users. He will need to work with the business units to clarify who needs access to which specific system, with the goal of reducing authorized access to any system as much as possible without negatively impacting business operations as determined by financial analysis.
Donald Hoxhaj says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is used to satisfy the requirements of other controls in organizations where resources are limited. Segregation of duties is a common compensating control, especially in smaller companies where there may only be a few IT personnel. In these instances, a compensating control would be the system log files, since they record all the events that are logged by the systems.
Donald Hoxhaj says
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
Ranking in order of most important to least: Preventive, detective, corrective. I say preventive controls are the most important because it is more proactive behavior for an organization. By implementing preventive controls, an organization is actively mitigating their risks and are more aware of their vulnerabilities. Alternatively, corrective controls are the least important because they are a reactive behavior, which is an action taken by the organization after an event occurred. I always think it is better to be proactive rather than reactive.
Donald Hoxhaj says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is a form of internal administrative control that separates certain responsibilities and functions in an organization that may cause a conflict of interest in its daily operations as a way to mitigate risks. Without a proper SoD in place, an organization is likely more vulnerable, whether it is malicious risk such as an employee committing fraud, or non-malicious risk such as coding error. Two IT functions that should be segregated are initial application development and application maintenance. Programmers who wrote the code for an application should not be the same individuals responsible for the operations of the application for various reasons. First, SoD ensures processes are documented properly as multiple IT functions are working on the same application. Second, the IT organization would understand the code should the key programmer leave the organization. Third, SoD will mitigate the risks of an employee intentionally writing malicious code into the application if another IT function is responsible for reviewing and maintaining that code. Whether these errors are malicious or non-malicious in nature, SoD is a step in a larger process to mitigating risks in an IT organization.
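As an added example that is not part of any post in this thread: a small Python checker for the toxic role pairs named in the SoD answers above (purchase-order create/approve, account create/permission assign, DBA/developer, developer/maintainer). It also shows how a documented compensating control (the logging and periodic review several posts mention) is recorded against a combination a small shop cannot avoid. All role names, users and assignments are constructed.

```python
"""Segregation-of-duties (SoD) conflict checker (constructed example)."""
from collections import defaultdict

# Toxic combinations: no single person should hold both roles of a pair.
# The pairs mirror the examples in the thread; the role names are assumed.
SOD_CONFLICTS = {
    frozenset({"po_create", "po_approve"}): "creates and approves purchase orders",
    frozenset({"account_create", "permission_assign"}): "creates accounts and assigns their permissions",
    frozenset({"dba", "app_developer"}): "administers the database and develops the application",
    frozenset({"app_developer", "app_maintainer"}): "writes and maintains the same application code",
}

# Constructed sample (user, role) assignments.
SAMPLE_ASSIGNMENTS = [
    ("alice", "po_create"), ("alice", "po_approve"),
    ("bob", "account_create"), ("carol", "permission_assign"),
    ("dave", "dba"), ("dave", "app_developer"),
    ("erin", "app_developer"),
]

# Accepted exceptions: a (user, pair) whose conflict is covered by a documented
# compensating control, e.g. full activity logging plus periodic independent review.
SAMPLE_COMPENSATED = {
    ("dave", frozenset({"dba", "app_developer"})): "all DB/app changes logged; log reviewed weekly by the CIO",
}

def roles_by_user(assignments):
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    return dict(roles)

def find_sod_violations(assignments, conflicts=SOD_CONFLICTS, compensated=None):
    """Detective check: return sorted (user, description, status) for every toxic
    pair a user fully holds. status is 'violation', or 'compensated' when the
    combination has a documented compensating control."""
    compensated = compensated or {}
    findings = []
    for user, roles in roles_by_user(assignments).items():
        for pair, description in conflicts.items():
            if pair <= roles:
                status = "compensated" if (user, pair) in compensated else "violation"
                findings.append((user, description, status))
    return sorted(findings)

def check_new_assignment(assignments, user, role, conflicts=SOD_CONFLICTS):
    """Preventive check at grant time: the conflict description the grant would
    create, or None if granting `role` to `user` is safe."""
    proposed = roles_by_user(assignments).get(user, set()) | {role}
    for pair, description in conflicts.items():
        if role in pair and pair <= proposed:
            return description
    return None

if __name__ == "__main__":
    for user, why, status in find_sod_violations(SAMPLE_ASSIGNMENTS, compensated=SAMPLE_COMPENSATED):
        print(f"{status.upper()}: {user} {why}")
    print(check_new_assignment(SAMPLE_ASSIGNMENTS, "bob", "permission_assign"))
```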
Donald Hoxhaj says
4. What do you consider to be the most important personnel hiring controls for an organization?
I think the most important personnel hiring controls for an organization are the background checks. This ensures the candidate’s work history and background matches what was on the resume and job application, showing that the candidate is truthful. A basic foundation to ensure a candidate is right for the job is that he/she is at least being truthful about their job history and background.
Donald Hoxhaj says
5. How are budgets handled (ie created monitored, re-forecast, etc.) in your organization?
In my organization, budgets are created from the top-down. The firm’s business strategy drives all the strategic decisions and allocation of resources. We have two types of budgets, a budget we develop for client engagements and a budget that is developed for internal use to improve the current products we sell to clients. We utilize multiple metrics to measure client budgets and it flows down from the top. Associates will be assigned the most hours, followed by seniors, managers, directors, and partners. On the other hand, the internal budget does not have much associate and senior associate involvement. Internal budgets are mostly created by management.