SOX, CoBIT, COSO Project
Subra Krishnan
______
Abstract:
The grand framework of SOX, COSO and CoBIT, their future trends and some managerial caveats are introduced. The Trustworthy Computing usage model from Microsoft is summarized to indicate the direction in which modern software development is heading; this would become a de facto standard for all software corporations. Within the COSO framework, ideas on Enterprise Risk Management (ERM) are touched upon. ERM is not an end in itself, but rather an important means: it helps an entity achieve its performance and profitability targets and prevent loss of resources, and it helps the entity get to where it wants to go while avoiding pitfalls and surprises along the way. Under CoBIT, CRM and the Key Performance Indicators presented with dashboard techniques, which help top management evaluate projects, are discussed; IT is a major component of this. Some managerial intuition on how corporations are turning this new compliance burden into a financial opportunity is also offered. In that regard, the concept of a single compliance platform will be the wave of the future.
Keywords:
Business Risk Management, Information Trust and Compliance Issues (SOX), Trustworthy Systems Development.
Cross Link keywords:
Dependable & Trustworthy Enterprises Systems, Enterprise Information Security Policy.
Executive Summary
All public companies must comply with Sarbanes-Oxley. Compliance is hard work and expensive as well, since effective internal controls must be established for good corporate governance. Good governance can be good for business. By complying, some Fortune 500 companies are turning the unavoidable costs of Sarbanes-Oxley into an opportunity to improve business processes and distinguish themselves in the financial community. Whatever governance you have in place today, be ready to adapt it to make the most of future business conditions. With that in mind, this project will touch upon the grand framework of SOX and its flow from COSO to CoBIT. The pillars of Trustworthy Computing are essential for robust internal controls and for good governance. A case study on Microsoft's software security, with emphasis on the Security Development Lifecycle, is discussed to underscore the importance of including security in the initial stages of software development.
Under the CoBIT umbrella, some of its best practices, in the form of an IT governance implementation roadmap, are discussed at length. In particular, the usage model for metrics measurement using the dashboard concept will help readers see the big picture, using ING as a case study.
Under the COSO framework, Enterprise Risk Management provides a framework for management to deal effectively with uncertainty, risk and opportunity, and thereby enhance its capacity to build value. Since no entity operates in a risk-free environment, enterprise risk management fills the need to enable management to operate more effectively in such environments.
No new materials are being presented here. This report is a collection of best practices and their implementation methods.
The contents are:
1. Overview
SOX , CoBIT, COSO
2. Trust Worthy Computing
3. Case Studies
Microsoft (Security)
ING (CoBIT)
4. Emerging Trends
SOX, CoBIT
1. Overview
Compliance is a form of standardization that different industry sectors have to adhere to when doing business, by following metrics or when implementing a process. Protocols also come under this wing: for instance, when countries host dignitaries, certain regulations are followed. As expected, there are different kinds of regulations in the business world:
- Regulations around financial controls such as Sarbanes-Oxley, Basel II.
- Regulations around privacy such as the EU Data Protection Act and
- Regulations around fraud such as anti-money-laundering legislation.
IT departments generally have two different roles in compliance:
1) Making sure of the availability of technology that can enable people to adhere to compliance and
2) Ease of use of this technology.
IT needs to deal with compliance because compliance affects all businesses, which is why IT departments are involved across the whole business. Figure 1, below, illustrates the broad framework of the regulations in place.
Figure 1: Control Frameworks of SOX
Source: CIO guide to SOX Reymann Group Inc., Jan 2005
Sarbanes Oxley (SOX) Overview:
Thousands of companies face the task of ensuring their accounting operations are in compliance with the Sarbanes Oxley Act. Auditing departments typically have a comprehensive external audit (by a SOX compliance specialist) performed to identify areas of risk. Next, specialized software is installed that provides the "electronic paper trails" necessary to ensure SOX compliance. The most important Sarbanes-Oxley sections for compliance are listed below. Certification and specific public actions are now required by companies to remain in SOX compliance.
SOX Section 302 - Corporate Responsibility for Financial Reports
a) CEO and CFO must review all financial reports.
b) Financial report does not contain any misrepresentations.
c) Information in the financial report is "fairly presented".
d) CEO and CFO are responsible for the internal accounting controls.
e) CEO and CFO must report any deficiencies in internal accounting controls, or any fraud involving the management of the audit committee.
f) CEO and CFO must indicate any material changes in internal accounting controls.
SOX Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is responsible for "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the management’s assertion that internal accounting controls are in place, operational and effective.
SOX Section 409 - Real Time Issuer Disclosures
Companies are required to disclose, on an almost real-time basis, information concerning material changes in their financial condition or operations.
SOX Section 902 - Attempts & Conspiracies to Commit Fraud Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding.
CoBIT: Control Objectives for Information and related Technologies
CoBIT was developed in 1996 by the Information Systems Audit and Control Association (ISACA) and is now issued and maintained by the IT Governance Institute (ITGI) as a framework for providing control mechanisms over the information technology domain.
Now in its third version, CoBIT has been extended to serve as an IT governance framework by providing maturity models, critical success factors, key goal indicators, and key performance indicators for the management of IT. At the heart of CoBIT are 34 high-level control objectives. These control objectives are grouped into four main domains:
- planning and organization,
- acquisition and implementation,
- delivery and support, and
- monitoring.
More recently, CoBIT added a set of action-oriented management guidelines to provide management direction for monitoring achievement of organizational goals, for monitoring performance within each IT process, and for benchmarking organizational achievement.
Overall, CoBIT represents a comprehensive framework for implementing IT governance with a very strong auditing and controls perspective, which has increasing resonance in the era of SOX and other compliance-related regulations and legislation.
[IT Governance Institute and CoBIT]
COSO: Committee of Sponsoring Organizations (of the Treadway Commission)
The underlying premise of Enterprise Risk Management (ERM) is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to deal effectively with uncertainty and the associated risk and opportunity, and thereby enhance its capacity to build value. As entities cannot operate in a risk-free environment, enterprise risk management enables management to operate more effectively in environments filled with risk.
Benefits of Enterprise Risk Management
Align risk appetite and strategy – Management considers the entity's risk appetite when evaluating strategic alternatives, setting objectives aligned with strategy, and developing mechanisms to manage the related risks.
Link growth, risk and return – ERM provides an enhanced ability to identify and assess risks, and establish levels of risk relative to growth and return objectives.
Enhance risk response decisions – ERM provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance. ERM provides methodologies and techniques for making these decisions.
Minimize operational surprises and losses – Entities have enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
Identify and manage cross-enterprise risks – Every entity faces many risks affecting different parts of the organization. Management needs to not only manage individual risks, but also understand interrelated impacts.
Provide integrated responses to multiple risks – Business processes carry many inherent risks, and ERM enables integrated solutions for managing the risks.
Seize opportunities – Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.
Rationalize capital – More robust information on an entity’s total risk allows management to more effectively assess overall capital needs and improve capital allocation.
[ERM Framework]
Enterprise risk management is not an end in itself, but rather an important means. It cannot and does not operate in isolation in an entity, but rather is an enabler of the management process. Enterprise risk management is interrelated with corporate governance by providing information to the board of directors on the most significant risks and how they are being managed. And, it interrelates with performance management by providing risk-adjusted measures, and with internal control, which is an integral part of enterprise risk management.
Enterprise risk management helps an entity achieve its performance and profitability targets, and prevent loss of resources. It helps ensure effective reporting. And, it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and other consequences. In short, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.
We shall now see how Trustworthy Computing fits into the IT governance model.
2. Trustworthy Computing (TWC)
The four pillars of TWC, namely Security, Privacy, Reliability and Business Integrity, as illustrated below (Table A), form the framework of TWC. These goals form the basis of trust in any business. All of them raise issues related to engineering, business practices and public perception, although not all to the same degree. These are goals from a user's point of view.
Table A: The four pillars of Trustworthy Computing
Goals / The basis for a customer's decision to trust a system
Security / The customer can expect that systems are resilient to attack, and that the confidentiality, integrity, and availability of the system and its data are protected.
Privacy / The customer is able to control data about themselves, and those using such data adhere to fair information principles
Reliability / The customer can depend on the product to fulfill its functions when required to do so.
Business Integrity / The vendor of a product behaves in a responsive and responsible manner.
Source:UIUC TWC class Lecture slide-01
The means to achieve the TWC goals of Security, Privacy, Reliability and Business Integrity are shown in Table B. A white paper on Microsoft's own TWC environment encompasses the following "Means" to meet the goals. These are perspectives from an IT point of view.
Table B: Means to achieve the Goals
Means / The business and engineering considerations that enable a system supplier to deliver on the Goals
Secure by Design, Secure by Default, Secure in Deployment / Steps have been taken to protect the confidentiality, integrity, and availability of data and systems at every phase of the software development process, from design, to delivery, to maintenance.
Fair Information Principles / End-user data is never collected and shared with people or organizations without the consent of the individual. Privacy is respected when information is collected, stored, and used consistent with Fair Information Practices.
Availability / The system is present and ready for use as required.
Manageability / The system is easy to install and manage, relative to its size and complexity. (Scalability, efficiency and cost-effectiveness are considered to be part of manageability.)
Accuracy / The system performs its functions correctly. Results of calculations are free from error, and data is protected from loss or corruption.
Usability / The software is easy to use and suitable to the user's needs.
Responsiveness / The company accepts responsibility for problems, and takes action to correct them. Help is provided to customers in planning for, installing and operating the product.
Transparency / The company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company.
Source: Trustworthy Computing White paper, Craig Mundie – Oct 2002
The execution of "Means" is based on Intent, Implementation and Evidence. This must be reflected in managerial practices as well, to give a holistic view of the concepts. This is the organizational point of view, as shown in Table C.
Table C: Execution of Means
Intents /
- Company policies, directives, benchmarks, and guidelines
- Contracts and undertakings with customers, including Service Level Agreements (SLAs)
- Corporate, industry and regulatory standards
- Government legislation, policies, and regulations
Implementation /
- Risk analysis
- Development practices, including architecture, coding, documentation, and testing
- Training and education
- Terms of business
- Marketing and sales practices
- Operations practices, including deployment, maintenance, sales & support, and risk management
- Enforcement of intents and dispute resolution
Evidence /
- Self-assessment
- Accreditation by third parties
- External audit
Source: Trustworthy Computing White paper, Craig Mundie – Oct 2002
We shall now look at some case studies from a learning perspective, and at how corporations have integrated these practices successfully into their business models. A successful integration makes for a socially responsible form of business.
3. Case Studies & White Papers
Microsoft case study for TWC:
This case discusses the Trustworthy Computing Security Development Lifecycle (SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include
- the development of threat models during software design,
- the use of static analysis code-scanning tools during implementation,
- the conduct of code reviews and security testing during a focused "security push" and,
- a final security review, before the software is released, by a team independent from its development group.
Figure 2 represents the traditional or base model, and Figure 3 represents the SDL model that is currently becoming the de facto standard in the software industry.
Figure 2: Standard process
Figure 3: Newer process with built-in SDL
Results: When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. The white paper describes the SDL and the experience with its implementation across Microsoft software [Trustworthy Computing Security Development white paper, Steve Lipner – Mar 2005].
Key concepts and managerial issues
- Security must be considered from the initiation phase of a software development project.
- Management should ALSO decide on the release of the software from a security viewpoint.
Key techniques, components and models
- Secure by Design and Secure by default provide the most security benefit.
- Threat modeling must be continued even after the release of the software
- Security is difficult to measure directly, so proxy metrics are used to measure software security, such as threat modeling, code review, and independent final release testing.
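The SDL activity that is easiest to show in code is the use of code-scanning tools during implementation, and the "proxy metric" idea above: the number of open scanner findings is one measurable stand-in for security that management can use as a release gate. The following is an added example, not Microsoft's own tooling or the white paper's code. It is a minimal static-analysis pass over Python source, built on the standard-library ast module, with a constructed rule set (the RISKY_CALLS table and the shell=True check are assumptions chosen for illustration) and a constructed sample program to scan; a release_gate helper then applies the "no open findings" policy to the scan result.

```python
"""Minimal static-analysis scanner (added example, not Microsoft's SDL tooling).

Walks a Python AST and reports calls that a security reviewer would want to
look at, then applies a simple release gate on the finding count."""
import ast

# Constructed rule set (assumption): call names flagged for review and why.
RISKY_CALLS = {
    "eval": "dynamic code evaluation",
    "exec": "dynamic code execution",
    "pickle.loads": "deserialisation of possibly untrusted data",
    "os.system": "shell command execution",
}


def _call_name(node):
    """Return 'name' or 'module.attr' for a call node, or None if unresolvable."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def scan_source(source):
    """Return a sorted list of (line, call, reason) findings for the given source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, name, RISKY_CALLS[name]))
        # Separate rule: any subprocess.* call that passes shell=True.
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, name, "subprocess with shell=True"))
    return sorted(findings)


def release_gate(findings, max_open=0):
    """Proxy-metric gate: ship only if open findings do not exceed max_open."""
    return len(findings) <= max_open


# Constructed sample program to scan (assumption, not real project code).
SAMPLE_SOURCE = """\
import os, subprocess

def run(cmd, user_expr):
    result = eval(user_expr)
    os.system("ls " + cmd)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", cmd])
    return result
"""

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for line, call, reason in found:
        print(f"line {line}: {call} ({reason})")
    print("release gate:", "PASS" if release_gate(found) else "BLOCK")
```

Running the block reports the eval, os.system and shell=True calls on lines 4 to 6 of the sample and leaves the list-form subprocess.run call alone, so the gate blocks the release until those three findings are fixed or formally accepted. A real SDL scanner covers far more patterns and data flow; the point here is that each finding is countable, which is what makes it usable as a proxy metric on a management dashboard.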
ING’s CoBIT case study (Case study on ING financial corporation):
Case Summary: ING Group is a global financial services institution of Dutch origin offering banking, insurance and asset management to 60 million private, corporate and institutional clients worldwide. ING is a multiproduct, multidistribution company, approaching the customer through their channel of choice. The company comprises a broad spectrum of prominent businesses that increasingly serve their clients under the ING brand.
The ING case study indicates co-variance between ING's business performance and the robustness of its IT governance structure, supported by innovative IT portfolio analysis (an investment management approach to enterprise IT). A strong execution capability is the hidden force behind these activities.
Apart from meeting the CoBIT requirements, the implementation of CoBIT regulations gave management a clearer view of their weaknesses and of what solutions could be adopted to mitigate their risks and weaknesses. The key questions that can be addressed by CoBIT are:
• Is there a framework to guide business and technology management leaders to change IT’s role within the organization and to close the gap between IT and the business? Is IT going to support and drive this initiative?