<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" xmlns:gr="http://www.google.com/schemas/reader/atom/" xmlns:idx="urn:atom-extension:indexing" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" idx:index="no" gr:dir="ltr"><!--
Content-type: Preventing XSRF in IE.

--><generator uri="http://www.google.com/reader">Google Reader</generator><id>tag:google.com,2005:reader/user/05041919899886319834/state/com.google/broadcast</id><title type="text">T2P Global News Feeds</title><gr:continuation>CJvG38To76cC</gr:continuation><author><name>Truth to Power Association</name></author><updated>2011-06-20T23:00:45Z</updated><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/t2pallnews" /><feedburner:info uri="t2pallnews" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><subtitle type="html">All news in all coverage categories</subtitle><feedburner:emailServiceId>t2pallnews</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry gr:crawl-timestamp-msec="1308610845253"><id gr:original-id="http://www.hipaa.com/?p=2397">tag:google.com,2005:reader/item/db81f4d870c68dde</id><category term="American Recovery and Reinvestment Act" /><category term="HIPAA Law: Administrative Simplification" /><category term="Health IT and HITECH" /><category term="Privacy" /><category term="access report" /><category term="accounting of disclosures" /><category term="business associates" /><category term="covered entities" /><category term="DEPARTMENT OF HEALTH AND HUMAN SERVICES" /><category term="designated record set" /><category term="electronic designated record set" /><category term="electronic health record" /><category term="electronic protected health information" /><category term="Federal Register" /><category term="Health Care Operations" /><category term="Health Information Technology for Economic and Clinical Health Act" /><category term="HHS" /><category term="HIPAA" /><category term="HITECH Act" /><category term="notice of privacy practices" /><category term="Notice of Proposed Rulemaking" /><category term="NPRM" /><category term="OCR" 
/><category term="Office for Civil Rights" /><category term="Payment" /><category term="Privacy Rule" /><category term="protected health information" /><category term="small health plans" /><category term="statutory requirements" /><category term="Treatment" /><title type="html">HHS Publishes HITECH Act Accounting of Disclosures NPRM</title><published>2011-05-31T12:38:36Z</published><updated>2011-05-31T12:38:36Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/398cHvNTT0A/" type="text/html" /><content xml:base="http://www.hipaa.com/" type="html">&lt;p&gt;The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, &lt;em&gt;Federal Register&lt;/em&gt; the Notice of Proposed Rule Making (NPRM) entitled &lt;em&gt;HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act&lt;/em&gt; (76(104), pp. 31426-31449). This NPRM is available online in &lt;a href="http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf"&gt;pdf&lt;/a&gt;.  Comments on the NPRM are requested to be submitted on or before August 1, 2011.  The Summary of the NPRM with abbreviations, as noted, on p. 31426, is:&lt;/p&gt;
&lt;p&gt;“HHS is issuing this NPRM to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information.  The purpose of these modifications is, in part, to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.  Pursuant to both the HITECH Act and its more general authority under HIPAA, the Department [HHS] proposes to expand the accounting provision to provide individuals with the right to receive an access report indicating who has accessed electronic protected health information in a designated record set.  Under its more general authority under HIPAA, the Department also proposes changes to the existing accounting requirements to improve their workability and effectiveness.”&lt;/p&gt;
&lt;p&gt;There are several points worth noting in the NPRM.  First, HHS  includes “a direct reference to business associates in the standard to make clear that the covered entity must include accounting information for all disclosures by the covered entity’s business associates that create, receive, maintain, or transmit &lt;strong&gt;designated record set&lt;/strong&gt; information.”  [p. 31430, emphasis added]  Second, “[c]overed entities must provide individuals with notices of privacy practices that detail how the covered entity may use and disclose protected health information and individuals’ rights with respect to their own health information. Beginning on January 1, 2013, individuals would have the right to receive a report of who accessed their electronic protected health information that covers a three-year period from the date of the request.  Covered entities would have to revise their privacy notices to reflect this change.” [p. 31445]  HHS estimates that 669,000 health care providers would have to revise and reissue their notices of privacy practices.  Next, HHS is “proposing that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication [in the &lt;em&gt;Federal Register&lt;/em&gt;]).  We are proposing that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009. ” [p. 31429].  Finally, HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012. 
[20110531]&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=398cHvNTT0A:Z5tGiZeEAfU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/398cHvNTT0A" height="1" width="1"/&gt;</content><author><name>Ed Jones</name></author><source gr:stream-id="feed/http://www.hipaa.com/feed/"><id>tag:google.com,2005:reader/feed/http://www.hipaa.com/feed/</id><title type="html">HIPAA.com</title><link rel="alternate" href="http://www.hipaa.com" type="text/html" /></source><feedburner:origLink>http://www.hipaa.com/2011/05/hhs-publishes-hitech-act-accounting-of-disclosures-nprm/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1308610764164"><id gr:original-id="http://www.pogowasright.org/?p=23111">tag:google.com,2005:reader/item/e45d11a01c5fc232</id><category term="Court" scheme="http://www.pogowasright.org" /><category term="Internet" scheme="http://www.pogowasright.org" /><title type="html">Identity of Anonymous Wikipedia Editors Not Protected by First Amendment</title><published>2011-05-27T18:39:48Z</published><updated>2011-05-27T18:39:48Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/pLDBE0p3dSM/" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?p=23111#comments" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?feed=atom&amp;p=23111" type="application/atom+xml" /><content xml:base="http://www.pogowasright.org/?p=23111" xml:lang="en" type="html">&lt;p&gt;Jonathan D. Frieden writes:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;In &lt;em&gt;Faconnable USA Corporation v. John Does 1-10&lt;/em&gt;, 2011 WL 2015515 (D. Colo. May 24, 2011), the United States District Court for the District of Colorado rejected an ISP’s motion to quash a subpoena issued to discover the identity of anonymous editors of &lt;a href="http://en.wikipedia.org/wiki/Wikipedia"&gt;Wikipedia&lt;/a&gt;.  Plaintiff alleges that the anonymous editors violated &lt;a href="http://en.wikipedia.org/wiki/Lanham_act"&gt;the Lanham Act&lt;/a&gt; and committed trade libel and commercial disparagement by falsely posting that plaintiff is a supporter of &lt;a href="http://en.wikipedia.org/wiki/Hezbollah"&gt;Hezbollah&lt;/a&gt;, a Shiite Islamist militia and political party which has been designated as a terrorist organization.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Read more on &lt;a href="http://ecommercelaw.typepad.com/ecommerce_law/2011/05/identity-of-anonymous-wikipedia-editors-not-protected-by-first-amendment.html"&gt;eCommerce Law&lt;/a&gt;.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=pLDBE0p3dSM:cPDzQ2yWLjY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/pLDBE0p3dSM" height="1" width="1"/&gt;</content><author><name>Dissent</name></author><source gr:stream-id="feed/http://www.pogowasright.org/?cat=10&amp;feed=atom"><id>tag:google.com,2005:reader/feed/http://www.pogowasright.org/?cat=10&amp;feed=atom</id><title type="html">Privacy News - PogoWasRight.org » Court</title><link rel="alternate" href="http://www.pogowasright.org/" type="text/html" /></source><feedburner:origLink>http://www.pogowasright.org/?p=23111</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1308610659678"><id gr:original-id="http://www.pogowasright.org/?p=23416">tag:google.com,2005:reader/item/c16f24b3ac90680e</id><category term="Legislation" scheme="http://www.pogowasright.org" /><category term="Non-U.S." scheme="http://www.pogowasright.org" /><title type="html">Pointer: Exposure Drafts of Australian Privacy Amendment Legislation</title><published>2011-06-15T11:35:06Z</published><updated>2011-06-15T11:35:06Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/_VG8z4XM4Tk/" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?p=23416#comments" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?feed=atom&amp;p=23416" type="application/atom+xml" /><content xml:base="http://www.pogowasright.org/?p=23416" xml:lang="en" type="html">&lt;p&gt;&lt;a href="http://www.aph.gov.au/senate/committee/fapa_ctte/priv_exp_drafts/report_part1/report.pdf"&gt;Report Part 1 – Australian Privacy Principles&lt;/a&gt;&lt;br&gt;
15 June 2011&lt;/p&gt;
&lt;p&gt;&lt;em&gt;h/t, Daragh O’Brien&lt;/em&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=_VG8z4XM4Tk:m6Skp1pfnHM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/_VG8z4XM4Tk" height="1" width="1"/&gt;</content><author><name>Dissent</name></author><source gr:stream-id="feed/http://www.pogowasright.org/?cat=14&amp;feed=atom"><id>tag:google.com,2005:reader/feed/http://www.pogowasright.org/?cat=14&amp;feed=atom</id><title type="html">Privacy News - PogoWasRight.org » Legislation</title><link rel="alternate" href="http://www.pogowasright.org/" type="text/html" /></source><feedburner:origLink>http://www.pogowasright.org/?p=23416</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1308610181502"><id gr:original-id="http://www.cio.com/article/684390/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments?source=rss_compliance">tag:google.com,2005:reader/item/373f24d3d53a95a9</id><title type="html">Enterprises Get New Guidance on PCI Compliance in Virtual Environments</title><published>2011-06-15T04:00:00Z</published><updated>2011-06-15T04:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/TKK58Vt8Elg/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments" type="text/html" /><link rel="canonical" href="http://www.cio.com/article/684390/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments?source=rss_compliance" /><author><name>Jaikumar Vijayan &lt;info@cio.com&gt;</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/cio/feed/topic/1473"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/cio/feed/topic/1473</id><title type="html">CIO.com - Compliance</title><link rel="alternate" href="http://www.cio.com/" type="text/html" /></source><content type="html" xml:base="http://www.cio.com/">Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.&lt;img src="http://feeds.feedburner.com/~r/cio/feed/topic/1473/~4/geQ5hs_FxQg" height="1" width="1"&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=TKK58Vt8Elg:3nGDSG1ikIo:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/TKK58Vt8Elg" height="1" width="1"/&gt;</content><feedburner:origLink>http://feedproxy.google.com/~r/cio/feed/topic/1473/~3/geQ5hs_FxQg/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267984988"><id gr:original-id="tag:www.secureconsulting.net,2011://12.2341">tag:google.com,2005:reader/item/8816ea1cfe81197c</id><category term="infosec" scheme="http://www.sixapart.com/ns/types#category" /><category term="infosec" scheme="http://www.sixapart.com/ns/types#category" /><category term="metrics" scheme="http://www.sixapart.com/ns/types#tag" label="metrics" /><category term="survivability" scheme="http://www.sixapart.com/ns/types#tag" label="survivability" /><title type="html">Survivability Rather Than Security Metrics</title><published>2011-03-02T19:29:32Z</published><updated>2011-03-09T22:12:58Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/8UyOp9R8CwU/survivability-rather-than-secu.html" type="text/html" /><content xml:base="http://www.secureconsulting.net/" xml:lang="en" type="html">&lt;p&gt;(Note: this is a somewhat incomplete thought.)&lt;br&gt;
There's been a lot of talk of late about security metrics, but I'm increasingly inclined to think that we're shooting at the wrong elusive target. Why do we keep chasing after measuring relatively immeasurable things? Instead, I think we should be starting with the things that we can measure. After all, security is a feeling, not a tangible outcome, right?&lt;br&gt;
&lt;/p&gt;
        &lt;p&gt;Instead of measuring something so squishy, let's instead look at the operational metrics that we can absolutely measure. For example:&lt;br&gt;
 - Uptime&lt;br&gt;
 - Availability&lt;br&gt;
 - Performance (e.g., TPS, MIPS)&lt;br&gt;
 - Time-to-Fix&lt;br&gt;
 - &lt;a href="http://en.wikipedia.org/wiki/Mean_time_between_failures"&gt;MTBF&lt;/a&gt; (for a broad definition of "failure") &lt;br&gt;
 - SNR (representative here - i.e., how much "background noise" do we get from scans vs. detected legit attacks)&lt;br&gt;
 - Visibility (into code, into environment, etc.)&lt;/p&gt;

&lt;p&gt;These strike me as useful metrics to track, at least operationally, with an ability to then roll them up into tactical, and even strategic, reports. Thinking about this all in terms of survivability, then, we want to be able to answer these questions:&lt;br&gt;
 - Have operations been negatively impacted?&lt;br&gt;
 - Were we able to continue operations despite degraded conditions?&lt;br&gt;
 - What measurable impact occurred during the impact period?&lt;br&gt;
 - How quickly can we resolve issues once detected?&lt;/p&gt;

&lt;p&gt;These, I think, are very useful metrics to monitor. One could rightly argue that they're primarily IT operations metrics, but they go directly toward key infosec objectives, too. In terms of survivability, they help us gain a better picture of resiliency, such as by benchmarking recoverability and, to a degree, defensibility.&lt;/p&gt;

&lt;p&gt;Defensibility, of course, is where we start potentially getting back into squishiness. We have a similar problem with performing a FAIR risk analysis, too, when we look at the "Vulnerability" factor, since there's no simple, reliable, consistent way to measure it (i.e., this is one of the more subjective values in the overall scheme of things).&lt;/p&gt;

&lt;p&gt;Putting this thought into a properly framed risk management context, based around survivability as the main driver, I think that metrics developed along these lines are more useful today, while also being reasonably accurate and precise. It's time to put aside fuzzy "security" metrics in favor of something that tells the business just how reliable its systems and applications are.&lt;br&gt;
&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=8UyOp9R8CwU:0vtMfhCeYa4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/8UyOp9R8CwU" height="1" width="1"/&gt;</content><author><name>Ben Tomhave</name></author><source gr:stream-id="feed/http://www.secureconsulting.net/atom.xml"><id>tag:google.com,2005:reader/feed/http://www.secureconsulting.net/atom.xml</id><title type="html">The Falcon&amp;#39;s View</title><link rel="alternate" href="http://www.secureconsulting.net/" type="text/html" /></source><feedburner:origLink>http://www.secureconsulting.net/2011/03/survivability-rather-than-secu.html</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267821950"><id gr:original-id="tag:www.secureconsulting.net,2011://12.2349">tag:google.com,2005:reader/item/75287d46697fe18c</id><category term="infosec" scheme="http://www.sixapart.com/ns/types#category" /><title type="html">Defining GRC (the discipline)</title><published>2011-03-17T17:49:54Z</published><updated>2011-03-17T17:53:13Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/H54Haq42sIU/defining-grc-the-discipline.html" type="text/html" /><content xml:base="http://www.secureconsulting.net/" xml:lang="en" type="html">&lt;p&gt;What we&amp;#39;re talking about here is &amp;quot;Governance, Risk, &amp;amp; Compliance&amp;quot; (GRC) as a discipline, not the product niche that seems to be the favorite catch-all for startups these days. Simply buying a license for IT UCF and throwing a UI on it does not a GRC product make, and it certainly does not address the overall discipline of GRC, which is fundamental to the successful management of organization and the risk contained therein. All organizations have a governance structure, but they&amp;#39;re not universally integrating security and risk management practices into those structures. 
Moreover, compliance (aka &amp;quot;checkbox security&amp;quot;) has taken far too prevalent a role in organizations today, rather than being a component of the overall governance and risk management strategies. &lt;br&gt;
&lt;/p&gt;
        &lt;p&gt;Approaching GRC as a discipline, it appears that there are five (5) main areas where organizations should invest time, energy, and resources:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1) Survivability Strategy &amp;amp; Legal Defensibility&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;First and foremost, existing governance needs to be bolstered by a change in direction and strategy. Instead of the traditional approach of building levees, it's instead imperative that executives shift to a survivability strategy that focuses on how to break in manageable ways while continuing operations and minimizing losses and disruption. At the same time, this strategy should leverage legal defensibility as part of the risk management approach to ensure that decisions are a) sound, b) documented, and c) represent meaningful and measurable change for the organization.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2) Formalized Methods&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In addition to leading a change in overall strategy, it is also vital to recognize the role and importance of leveraging formalized methods in providing a solid, improvable, repeatable basis for decisions. Adopting formal risk assessment, analysis, and management methods as part of an overall decision analysis and management approach will improve decision quality while also meeting legal defensibility requirements.&lt;/p&gt;

&lt;p&gt;Application security initiatives should be captured as integrated methods within an overall formalized software development methodology (even if an agile/rapid-style process is in use). Building security in is far better than bolting it on after the fact, and it will reduce long-term maintenance costs as well. Moreover, putting appsec tools (with appropriate training) into the hands of developers and QA testers will reduce the overall time investment necessary to ruggedize development processes and outputs.&lt;/p&gt;

&lt;p&gt;Traditional audit and testing should be eschewed in favor of integrated and white-box methods that allow for thorough, informed assessments. While it's useful to have external "black box" style tests performed, they bring with them limited visibility that results in only partial coverage of code, whereas giving testers full access to the codebase in addition to integrating appsec tools into the dev process can provide much more thorough and complete coverage.&lt;/p&gt;

&lt;p&gt;Finally, a premium should be placed on visibility and metrics. If you can't see into a codebase or system, then you're increasing your exposure through simple lack of informed awareness. Instead, transparency (from an internal perspective) is important, and will then allow for the development of useful measurements that can be tracked through a realistic metrics program. Developing quality metrics will help the GRC program track organizational performance and maturity, which can in turn be used to guide security investments, as well as to justify the effectiveness and benefit of investments.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3) Policies 2.0&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We've all seen them: 100-page "policy" documents, for which users are responsible to know and understand some or all. How much the average person needs to know is probably unknown, and yet we treat them as hallowed tomes of wisdom. Unfortunately, nothing could be further from the truth. The simple fact is that most policies are of at least secondary importance to the business, and most people don't even need to know about them. Why, then, do we inflict these control regimes on entire organizations?&lt;/p&gt;

&lt;p&gt;Instead of focusing on policies, it's far more useful and effective to look at practices and processes. What are people doing on a daily basis? Are they following repeatable processes? If you can't define and describe what it is that every employee does on a daily basis, then I submit that you have a bit of a problem.&lt;/p&gt;

&lt;p&gt;The next generation of policies should leverage a few attributes:&lt;br&gt;
 * &lt;em&gt;Lightweight&lt;/em&gt;: The security policies themselves should be as minimal as possible. They should define the overall policy and control framework structure(s), setting forth the raw requirements to which the business is subject or subjecting itself (e.g. regulatory requirements [like PCI DSS], certification regimes [like ISO 27000], roles and responsibilities). At most, we're talking 10-20 formatted pages. Note that you don't articulate the detailed requirements at this level, but provide the overall governance structure that will point into specific in-practice implementations (e.g., standards, guidelines, processes).&lt;/p&gt;

&lt;p&gt; * &lt;em&gt;Prioritized by Risk&lt;/em&gt;: The top-level policies should set forth a risk-based prioritization scheme. Not all requirements are created equal. It should thus be self-evident how such a determination can be made. The average user should know either how to correctly self-assess requirement priority, or at least be able to make an informed request that is answered in a timely fashion. Responsibility for making good decisions must be put squarely on the shoulders of those making the decisions, and sanctioning regimes should be linked in at this level to let people know that not following the rules, or simply making bad decisions in violation of the rules, will have consequences with negative impacts. At the same time, users should be empowered to make legally defensible decisions that say "The cost of conforming with Requirement X is not acceptable, but we need to move forward with taking this action anyway." For example, spending $1m to meet a policy requirement in a $0.5m project does not make sense, especially if that requirement does not represent an appreciable level of risk for the organization.&lt;/p&gt;

&lt;p&gt; * &lt;em&gt;Process-Oriented&lt;/em&gt;: Or, simply put: practical and pragmatic. If you can't put every single requirement into practice, then it shouldn't be a requirement, plain and simple. More importantly, while it may increase the burden on your compliance-management people, it is far more worthwhile to embed requirements into existing (or new) processes, rather than to maintain them in a tome on a shelf that will never be followed. Consider the PCI DSS requirement for addressing the OWASP Top 10 in applicable applications. If you integrate testing for those weaknesses into the development process using a "build security in" approach, then you'll know that those issues are being proactively addressed. This approach is far preferable to trying to catch these weaknesses down the pipeline using pre-release security testing (which is not to say you shouldn't have pre-launch testing, but that it shouldn't be focused on the minimal requirements so much as on value-add testing).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4) HPG-based ET&amp;amp;A&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Education, training, and awareness activities have historically been rather ineffective. Sure, you can show some short-term results where ET&amp;amp;A causes a down-tick in bad things happening, but overall we still have the same problems today as we did 15 years ago. Ultimately, these problems track back to one key finding: the human paradox gap was not narrowed.&lt;/p&gt;

&lt;p&gt;The human paradox gap (HPG) is a phrase leveraged by &lt;a href="http://www.securitycatalyst.com/"&gt;Michael Santarcangelo&lt;/a&gt; in his book, &lt;em&gt;Into the Breach&lt;/em&gt;, in which he talks about the fundamental disconnect between users' decisions+actions and the resulting consequences+impacts. That is, people generally do not feel the pain of their bad decisions, nor do they generally receive positive feedback for their good decisions (all within an infosec/IT context). To make matters worse, infosec traditionally has taken a very stick-heavy approach to this problem, flogging users for being "stupid" (e.g. ID-10-T and EBCAK errors), when at the same time all that infosec has done is enabled bad behavior and poor decisions by taking overall responsibility out of users' hands while leaving the actual decision authority in their hands.&lt;/p&gt;

&lt;p&gt;Going forward, GRC programs should focus on how to narrow the HPG. Instead of focusing on annual CBT-based training that has become mind-numbing, repetitive, and easy to tune out, GRC programs should instead work with people on an ongoing basis, throughout the year, identifying both positive and negative impacts and directly linking people to those impacts. Additionally, users need to have security responsibilities added to their job descriptions, and have their performance measured against a handful of useful security measures. Furthermore, once users have been brought up-to-speed on these programs and completed an adjustment period, they then must be held accountable for poor security performance, just as they would be for poor performance around their normal job functions.&lt;/p&gt;

&lt;p&gt;Cultural change will only come through changing people. Security teams cannot be held responsible for the decisions of non-security people. Why do we continue to enable these bad decisions and take the fall on their behalf? It's time to say "no" to these practices and put the responsibility back where it belongs: onto the users making bad decisions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5) Audit &amp;amp; Quality: Beyond Checkboxes&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Too much of the focus in GRC to date has been on checkbox security and compliance. The way most vendors talk, you'd think GRC was really CAISMGRT ("Compliance, Audit, and, I Suppose, Maybe Governance and Risk, Too"). Compliance is not security, it's not governance, and it's not even really audit. Governance is your overall umbrella structure for managing an organization, which has decision analysis and management as a key component. "Risk" in this context means risk assessment, analysis, and management. It deals with a specific component of decision analysis, and should be driven by a desired survivability objective, and underpinned by a sound legal defensibility approach. Compliance, really, is just an ancillary piece that supports the G and R. It's just one piece of Governance and Risk, buttressed through various audit activities.&lt;/p&gt;

&lt;p&gt;Unfortunately, these audit activities have become worse and less effective over time. One need only look at the number of breaches of PCI DSS "compliant" organizations to realize that "compliance" has its limits. Part of the problem is in focusing almost exclusively on compliance, rather than GRC as an overall, comprehensive program. Another part of the problem is in how audits are performed, and how quality may or may not be measured.&lt;/p&gt;

&lt;p&gt;For an excellent, amusing, and short (20-minute) webinar on audit, check out &lt;a href="http://www.unifiedcompliance.com/webinars/Creating_Audit_Questions/player.html"&gt;IT UCF's webinar "Creating Audit Questions."&lt;/a&gt; This webinar highlights very clearly what is needed in performing audits. It's not adequate to simply focus on yes/no questions in performing an audit. Instead, it's rather important to take a holistic approach, getting beyond whether or not a widget is in the right configuration, and looking at the widget's overall place in the world, and how its placement may or may not be in keeping with the spirit (purpose) of its respective regulatory provenance.&lt;/p&gt;

&lt;p&gt;In addition to revamping the audit complex, it's also necessary to look at adding or improving an overall quality and performance management apparatus, of which audit is merely one part. This apparatus should have responsibilities for routine assessments (beyond basic audits), as well as for defining, maintaining, tracking, and trend-analyzing key metrics. Metrics is, of course, a hot topic today in infosec, though one without much good open source material or obvious answers. Nonetheless, despite the lack of open source solutions, that does not mean that organizations cannot define (or have not defined) their own reasonable metrics to track program effectiveness. From the perspectives of fiscal responsibility and legal defensibility, I submit that high quality metrics are very important to the success and survival of your GRC program, and something that should be taken very seriously. Moreover, these schemas should be supported by people with a sound mathematical background that includes an understanding of sampling, statistics, and modeling (ymmv depending on org size - however, I think there's an opportunity here for vendors and niche consultancies).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;GRC or GROC?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Lastly, I'm reminded of the TEAM Model that I developed for my master's thesis back in 2006 (depicted below in its v2 state). If you look at the model, one of the things missing from GRC is operations. In fact, I have to wonder if part of the reason we don't grok GRC is because it should be GROC, or maybe just GRO. Throughout the descriptions above, you'll note that everything is consistent with the TEAM Model, with very little variation.&lt;/p&gt;

&lt;center&gt;&lt;img border="0" vspace="5" hspace="5" src="http://www.secureconsulting.net/2009/07/16/TEAMv2.png"&gt;&lt;/center&gt;

&lt;p&gt;Mapping this diagram to GRC, I would argue that Governance encapsulates the entire model, whereas Risk obviously maps to the Information Risk Management competency, and Compliance maps as a sub-component of Quality &amp;amp; Performance Management. I would submit that the next generation of GRC should, in fact, map fully to the TEAM Model (but then, of course, I&amp;#39;m a bit biased). Nonetheless, I find the model to be instructive and useful as a reference point for topics like GRC as a discipline, and hope that you&amp;#39;ll agree, too.&lt;br&gt;
&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=H54Haq42sIU:98cmS0njytY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/H54Haq42sIU" height="1" width="1"/&gt;</content><author><name>Ben Tomhave</name></author><source gr:stream-id="feed/http://www.secureconsulting.net/atom.xml"><id>tag:google.com,2005:reader/feed/http://www.secureconsulting.net/atom.xml</id><title type="html">The Falcon&amp;#39;s View</title><link rel="alternate" href="http://www.secureconsulting.net/" type="text/html" /></source><feedburner:origLink>http://www.secureconsulting.net/2011/03/defining-grc-the-discipline.html</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267404208"><id gr:original-id="tag:news.google.com,2005:cluster=http://www.prnewswire.com/news-releases/pwc-survey-shows-opportunity-for-internal-auditors-to-align-with-ceo-focus-on-strategic-growth-information-technology-and-regulation-118074234.html">tag:google.com,2005:reader/item/127a772a5695e349</id><title type="html">PwC Survey Shows Opportunity for Internal Auditors to Align With CEO Focus on ... 
- PR Newswire (press release)</title><published>2011-03-16T13:02:55Z</published><updated>2011-03-16T13:02:55Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/EGcSJUw47sM/url" type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://news.google.com/news?hl=en&amp;oe=UTF-8&amp;um=1&amp;tab=wn&amp;resnum=0&amp;cd=1&amp;q=technology+AND+auditing&amp;ie=UTF-8&amp;nolr=1&amp;output=rss"><id>tag:google.com,2005:reader/feed/http://news.google.com/news?hl=en&amp;oe=UTF-8&amp;um=1&amp;tab=wn&amp;resnum=0&amp;cd=1&amp;q=technology+AND+auditing&amp;ie=UTF-8&amp;nolr=1&amp;output=rss</id><title type="html">technology AND auditing - Google News</title><link rel="alternate" href="http://news.google.com/news?pz=1&amp;ned=us&amp;hl=en&amp;q=technology+AND+auditing" type="text/html" /></source><content type="html" xml:base="http://news.google.com/news?pz=1&amp;ned=us&amp;hl=en&amp;q=technology+AND+auditing">&lt;table border="0" cellpadding="2" cellspacing="7" style="vertical-align:top"&gt;&lt;tr&gt;&lt;td width="80" align="center" valign="top"&gt;&lt;font style="font-size:85%;font-family:arial,sans-serif"&gt;&lt;/font&gt;&lt;/td&gt;&lt;td valign="top"&gt;&lt;font style="font-size:85%;font-family:arial,sans-serif"&gt;&lt;br&gt;&lt;div style="padding-top:0.8em"&gt;&lt;img alt="" height="1" width="1"&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://news.google.com/news/url?sa=t&amp;amp;fd=R&amp;amp;usg=AFQjCNEWg9XGI0diChXBzbjhNDMNBGtZYw&amp;amp;url=http://www.prnewswire.com/news-releases/pwc-survey-shows-opportunity-for-internal-auditors-to-align-with-ceo-focus-on-strategic-growth-information-technology-and-regulation-118074234.html"&gt;&lt;b&gt;PwC Survey Shows Opportunity for Internal Auditors to Align With CEO Focus on &lt;b&gt;...&lt;/b&gt;&lt;/b&gt;&lt;/a&gt;&lt;br&gt;&lt;font size="-1"&gt;&lt;b&gt;&lt;font color="#6f6f6f"&gt;PR Newswire (press 
release)&lt;/font&gt;&lt;/b&gt;&lt;/font&gt;&lt;br&gt;&lt;font size="-1"&gt;&amp;quot;It is important that internal &lt;b&gt;audit&lt;/b&gt; leaders stay on top of CEO business strategies,&amp;quot; Brown said. &amp;quot;Emerging markets, &lt;b&gt;technology&lt;/b&gt; and regulation are quickly evolving, and the risks associated are quickly changing as a result. If internal audits can keep &lt;b&gt;...&lt;/b&gt;&lt;/font&gt;&lt;br&gt;&lt;font size="-1"&gt;&lt;/font&gt;&lt;br&gt;&lt;font size="-1"&gt;&lt;a href="http://news.google.com/news/more?pz=1&amp;amp;ned=us&amp;amp;ncl=ddksCPr39O-Py6M"&gt;&lt;b&gt;and more »&lt;/b&gt;&lt;/a&gt;&lt;/font&gt;&lt;/div&gt;&lt;/font&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=EGcSJUw47sM:9N4KvsTiCdU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/EGcSJUw47sM" height="1" width="1"/&gt;</content><feedburner:origLink>http://news.google.com/news/url?sa=t&amp;fd=R&amp;usg=AFQjCNEWg9XGI0diChXBzbjhNDMNBGtZYw&amp;url=http://www.prnewswire.com/news-releases/pwc-survey-shows-opportunity-for-internal-auditors-to-align-with-ceo-focus-on-strategic-growth-information-technology-and-regulation-118074234.html</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267120165"><id gr:original-id="">tag:google.com,2005:reader/item/ca19df295f3ff3dd</id><title type="html">Data management guidelines: Four records retention issues to address</title><published>2011-03-03T15:06:19Z</published><updated>2011-03-03T15:06:19Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/aRBp6ohGOHU/click.phdo" type="text/html" /><author><name>Randy Kahn, Contributor</name></author><source gr:stream-id="feed/http://rss.techtarget.com/82.xml"><id>tag:google.com,2005:reader/feed/http://rss.techtarget.com/82.xml</id><title type="html">SearchStorage: Storage technology learning materials</title><link rel="alternate" href="http://rss.techtarget.com/82.xml" type="text/html" /></source><content type="html" xml:base="http://rss.techtarget.com/82.xml">These data management guidelines will help you to determine what you should keep when implementing records retention for e-discovery and litigation purposes.&lt;br style="clear:both"&gt;
&lt;br style="clear:both"&gt;
  &lt;a style="font-size:10px;color:maroon" href="http://www.pheedcontent.com/hostedMorselClick.php?hfmm=v3:4317cfb0f53bacd868699571902dfb9f:jEmqrW6oxWdNkzyauKEQNcYQsvArlP25WdtuD15HKg72Jxq6B3ujB3bQ4KV0Dg8HquFesJsbphqJAB8%3D"&gt;&lt;img border="0" title="Add to digg" alt="Add to digg" src="http://images.pheedo.com/images/mm/digg_64x16.png"&gt;&lt;/a&gt;
  &lt;a style="font-size:10px;color:maroon" href="http://www.pheedcontent.com/hostedMorselClick.php?hfmm=v3:c2c72cd1db8efd2abdeb6ae1e3b0b751:Dy8lRMrAOo0Y2A7XXJL18bPQ8DQqrtir8JsuuarfnrveJwH5kYAx7qASqJibWYcQVup7FHDIBwG7cyE%3D"&gt;&lt;img border="0" title="Add to StumbleUpon" alt="Add to StumbleUpon" src="http://images.pheedo.com/images/mm/stumbleit.gif"&gt;&lt;/a&gt;
  &lt;a style="font-size:10px;color:maroon" href="http://www.pheedcontent.com/hostedMorselClick.php?hfmm=v3:153100f8fb968b97ba4d0d10bccae092:dxh9vcmP7FIpcbrvvyewmPl4nSeQWoDegba35Cz%2BQ0vhLOFTkN5H%2BAscEeYiCqw3mt2R7hg9wfcYEg%3D%3D"&gt;&lt;img border="0" title="Add to del.icio.us" alt="Add to del.icio.us" src="http://images.pheedo.com/images/mm/delicious.gif"&gt;&lt;/a&gt;
  &lt;a style="font-size:10px;color:maroon" href="http://www.pheedcontent.com/hostedMorselClick.php?hfmm=v3:2d86dc8c7cb63e80beea302b27d5d7b1:h7jdZ73KAaDPej8Pc5Q2RyUHhMD05aB%2FaP9CurNTl9Ilsr8RSrJHjGmYxRYcThRzCy88S1BDA1QsTQ%3D%3D"&gt;&lt;img border="0" title="Add to Google" alt="Add to Google" src="http://images.pheedo.com/images/mm/google.png"&gt;&lt;/a&gt;
&lt;br style="clear:both"&gt;
&lt;a href="http://ads.pheedo.com/click.phdo?s=9bdb99e88b65014f55601d248eb3e52a&amp;amp;p=1"&gt;&lt;img alt="" style="border:0" border="0" src="http://ads.pheedo.com/img.phdo?s=9bdb99e88b65014f55601d248eb3e52a&amp;amp;p=1"&gt;&lt;/a&gt;
&lt;img alt="" height="0" width="0" border="0" src="http://segment-pixel.invitemedia.com/pixel?code=TechBiz&amp;amp;partnerID=167&amp;amp;key=segment"&gt;&lt;img alt="" height="0" width="0" border="0" src="http://pixel.quantserve.com/pixel/p-8bUhLiluj0fAw.gif?labels=pub.30034.rss.TechBiz.38054,cat.TechBiz.rss"&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=aRBp6ohGOHU:QHJw-DtRV-E:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/aRBp6ohGOHU" height="1" width="1"/&gt;</content><feedburner:origLink>http://www.pheedcontent.com/click.phdo?i=9bdb99e88b65014f55601d248eb3e52a</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267082805"><id gr:original-id="">tag:google.com,2005:reader/item/990848fddf0c2620</id><title type="html">Five Australian IT leaders share their experiences</title><published>2011-03-18T03:00:00Z</published><updated>2011-03-18T03:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/2aF7o4I6IvE/Five-Australian-IT-leaders-share-their-experiences" type="text/html" /><link rel="canonical" href="http://searchcio.techtarget.com.au/feature/Five-Australian-IT-leaders-share-their-experiences" /><author><name>Staff writers(editor@searchcio.com.au</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/SearchcioAU-CompleteFeed"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/SearchcioAU-CompleteFeed</id><title type="html">SearchCIO.com.AU: Complete RSS Feed</title><link rel="alternate" href="http://searchcio.techtarget.com.au" type="text/html" /></source><content type="html" xml:base="http://searchcio.techtarget.com.au/">Learn how five Australian IT leaders, from industry, government and education, tackled projects for their organisations.&lt;div&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?a=AHpqlGrWsT4:-0r6QCxLZRg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?d=yIl2AUoC8zA" border="0"&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?a=AHpqlGrWsT4:-0r6QCxLZRg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?i=AHpqlGrWsT4:-0r6QCxLZRg:V_sGLiPBpWU" border="0"&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?a=AHpqlGrWsT4:-0r6QCxLZRg:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?d=7Q72WNTAKBA" border="0"&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SearchcioAU-CompleteFeed/~4/AHpqlGrWsT4" height="1" width="1"&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=2aF7o4I6IvE:P1-xqWigSIc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/2aF7o4I6IvE" height="1" width="1"/&gt;</content><feedburner:origLink>http://feedproxy.google.com/~r/SearchcioAU-CompleteFeed/~3/AHpqlGrWsT4/Five-Australian-IT-leaders-share-their-experiences</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267074856"><id gr:original-id="">tag:google.com,2005:reader/item/86bd499cb2e166d3</id><title type="html">Five virtualisation management issues CIOS must manage</title><published>2011-03-27T03:00:00Z</published><updated>2011-03-27T03:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/18JN0PGbOE4/Five-virtualisation-management-issues-CIOS-must-manage" type="text/html" /><link rel="canonical" href="http://searchcio.techtarget.com.au/tip/Five-virtualisation-management-issues-CIOS-must-manage" /><author><name>Simon Sharwood(editor@searchcio.com.au</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/SearchcioAU-CompleteFeed"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/SearchcioAU-CompleteFeed</id><title type="html">SearchCIO.com.AU: Complete RSS Feed</title><link rel="alternate" href="http://searchcio.techtarget.com.au" type="text/html" /></source><content type="html" xml:base="http://searchcio.techtarget.com.au/">Virtualisation is powerful and creates welcome efficiencies and savings, but can also introduce some new IT management challenges. We explain five of them â€“ and how to meet the challenge and create smarter virtual infrastructure â€“ in this tip.&lt;div&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?a=dO7_zYiaTLk:aY0g64YzG8o:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?d=yIl2AUoC8zA" border="0"&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?a=dO7_zYiaTLk:aY0g64YzG8o:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?i=dO7_zYiaTLk:aY0g64YzG8o:V_sGLiPBpWU" border="0"&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?a=dO7_zYiaTLk:aY0g64YzG8o:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SearchcioAU-CompleteFeed?d=7Q72WNTAKBA" border="0"&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SearchcioAU-CompleteFeed/~4/dO7_zYiaTLk" height="1" width="1"&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=18JN0PGbOE4:BwCdClof_z4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/18JN0PGbOE4" height="1" width="1"/&gt;</content><feedburner:origLink>http://feedproxy.google.com/~r/SearchcioAU-CompleteFeed/~3/dO7_zYiaTLk/Five-virtualisation-management-issues-CIOS-must-manage</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266858043"><id gr:original-id="http://www.schneier.com/blog/archives/2011/03/threats_vs_vuln.html">tag:google.com,2005:reader/item/0242f2369bf43339</id><title type="html">Threats vs. Vulnerabilities</title><published>2011-03-23T11:34:58Z</published><updated>2011-03-23T11:34:58Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/bDq8XFc5ymU/threats_vs_vuln.html" type="text/html" /><author><name>schneier</name></author><source gr:stream-id="feed/http://www.schneier.com/blog/index.rdf"><id>tag:google.com,2005:reader/feed/http://www.schneier.com/blog/index.rdf</id><title type="html">Schneier on Security</title><link rel="alternate" href="http://www.schneier.com/blog/" type="text/html" /></source><content type="html" xml:base="http://www.schneier.com/blog/">&lt;p&gt;I found &lt;a href="http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf"&gt;this article&lt;/a&gt; on the difference between threats and vulnerabilities to be very interesting.  I like his taxonomy.&lt;/p&gt;&lt;div&gt;
&lt;a href="http://feeds.feedburner.com/~ff/schneier/fulltext?a=bDq8XFc5ymU:tVzdlqTggoc:2mJPEYqXBVI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI" border="0"&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/schneier/fulltext?a=bDq8XFc5ymU:tVzdlqTggoc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA" border="0"&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/schneier/fulltext?a=bDq8XFc5ymU:tVzdlqTggoc:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0" border="0"&gt;&lt;/a&gt;
&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=bDq8XFc5ymU:VO6pPYq55tE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/bDq8XFc5ymU" height="1" width="1"/&gt;</content><feedburner:origLink>http://www.schneier.com/blog/archives/2011/03/threats_vs_vuln.html</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266763799"><id gr:original-id="http://privacylaw.proskauer.com/2011/03/articles/foia/justice-roberts-this-isnt-personal-and-neither-are-your-corporate-records/">tag:google.com,2005:reader/item/a6d48e6ab94c95e2</id><category term="FOIA" scheme="http://privacylaw.proskauer.com/articles" /><category term="Freedom of Information Act" scheme="http://privacylaw.proskauer.com/tags" /><category term="corporate privacy" scheme="http://privacylaw.proskauer.com/tags" /><title type="html">Justice Roberts: "This Isn't Personal, and Neither Are Your Corporate Records"</title><published>2011-03-02T03:37:12Z</published><updated>2011-03-02T03:37:12Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/dztJH68bvXs/" type="text/html" /><link rel="canonical" href="http://privacylaw.proskauer.com/2011/03/articles/foia/justice-roberts-this-isnt-personal-and-neither-are-your-corporate-records/" /><author><name>Kevin Khurana</name></author><source gr:stream-id="feed/http://privacylaw.proskauer.com/index.xml"><id>tag:google.com,2005:reader/feed/http://privacylaw.proskauer.com/index.xml</id><title type="html">Privacy Law Blog</title><link rel="alternate" href="http://privacylaw.proskauer.com/" type="text/html" /></source><content type="html" xml:base="http://privacylaw.proskauer.com/">&lt;p&gt;In a unanimous decision on March 1, 2011, the Supreme Court held in &lt;a href="http://www.supremecourt.gov/opinions/10pdf/09-1279.pdf"&gt;Federal Communications Commission v. AT&amp;amp;T Inc&lt;/a&gt;. 
that corporations do not have personal privacy rights under the Freedom of Information Act (FOIA), reversing a 2009 Third Circuit decision (which we blogged about &lt;a href="http://privacylaw.proskauer.com/2009/09/articles/foia/since-when-does-a-legal-entity-have-privacy-rights/"&gt;here&lt;/a&gt;).&lt;/p&gt;&lt;p&gt;The case arose because AT&amp;amp;T sought to block the disclosure of documents under the FOIA that it disclosed to the Federal Communications Commission (FCC) during a 2004 investigation relating to AT&amp;amp;T’s alleged overbilling of public schools under a program created to enhance telecommunications and information services access for public schools and libraries. Comptel, a trade association that represented some of AT&amp;amp;T’s competitors, submitted an FOIA request to access these documents. The FCC complied with the request, but removed information that was considered “trade secrets and commercial or financial information” (5 U.S.C. § 552(b)(4)) and information that “could be expected to constitute an unwarranted invasion of personal privacy.” (5 U.S.C. § 552(b)(7)(C), “Exemption 7(C)”). However, the FCC did not remove information that was sensitive to AT&amp;amp;T.&lt;/p&gt;
&lt;p&gt;AT&amp;amp;T argued that no information should be disclosed under FOIA because the word &lt;i&gt;personal&lt;/i&gt; as used under Exemption 7(C) applies to corporations. AT&amp;amp;T argued that the definition of the word &lt;i&gt;person&lt;/i&gt; includes legal entities, and therefore the definition of &lt;i&gt;personal privacy&lt;/i&gt; should as well. The Court rejected this proposition, deferring to the ordinary meaning of the word &lt;i&gt;personal&lt;/i&gt; and holding that the word referred only to individuals. The Court also indicated that when used together, the words &lt;i&gt;personal privacy&lt;/i&gt; “suggests a type of privacy evocative of human concerns - not the sort associated with an entity like, say, AT&amp;amp;T.” To lend further support to its decision, the Court also studied the rest of the statute and concluded that the existence of other exemptions available to entities under FOIA limited the scope of Exemption 7(C).&lt;/p&gt;
&lt;p&gt;Fittingly, Justice Roberts, who penned the opinion, closed with his hope that AT&amp;amp;T would not take the decision personally.&lt;/p&gt;</content><feedburner:origLink>http://feeds.lexblog.com/~r/PrivacyLawBlog/~3/T1oJqnnmmIY/</feedburner:origLink></entry>
<entry gr:crawl-timestamp-msec="1301266746924"><id gr:original-id="http://www.huntonprivacyblog.com/2011/03/articles/enforcement-1/ftc-accepts-final-settlement-with-twitter/">tag:google.com,2005:reader/item/b94304294b8c6419</id><category term="Consumer Protection" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Enforcement" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Federal Trade Commission" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Online Privacy" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Personal information" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Privacy policy" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Twitter" scheme="http://www.huntonprivacyblog.com/tags" /><title type="html">FTC Accepts Final Settlement with Twitter</title><published>2011-03-14T19:25:47Z</published><updated>2011-03-14T19:25:47Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/zK7K03fbSp0/" type="text/html" /><link rel="canonical" href="http://www.huntonprivacyblog.com/2011/03/articles/enforcement-1/ftc-accepts-final-settlement-with-twitter/" /><author><name>Hunton &amp;amp; Williams LLP</name></author><source gr:stream-id="feed/http://www.huntonprivacyblog.com/index.xml"><id>tag:google.com,2005:reader/feed/http://www.huntonprivacyblog.com/index.xml</id><title type="html">Privacy and Information Security Law Blog</title><link rel="alternate" href="http://www.huntonprivacyblog.com" type="text/html" /></source><content type="html" xml:base="http://www.huntonprivacyblog.com/">&lt;p&gt;On March 11, 2011, the Federal Trade Commission &lt;a 
href="http://www.ftc.gov/opa/2011/03/twitter.shtm"&gt;finalized&lt;/a&gt; a proposed settlement with Twitter, which resolved allegations that Twitter deceived consumers and failed to safeguard their personal information. The FTC first announced the &lt;a href="http://www.ftc.gov/os/caselist/0923093/110311twitterdo.pdf"&gt;proposed settlement&lt;/a&gt; in June 2010. Specifically, the FTC &lt;a href="http://www.ftc.gov/os/caselist/0923093/110311twittercmpt.pdf"&gt;claimed&lt;/a&gt; that Twitter, contrary to its privacy policy statements, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Intruders exploited these failures and obtained administrative control of the Twitter system. These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.&lt;/p&gt;&lt;p&gt;Under the terms of the settlement, Twitter must implement a comprehensive information security program that is reasonably designed to protect the privacy and security of nonpublic consumer information, and it is prohibited from misrepresenting the extent to which it protects such information. An independent auditor must conduct biennial assessments for 10 years to determine whether Twitter’s information security program adequately protects consumer information as required by the settlement. Twitter is further required to make available to the FTC any privacy policy statements, consumer complaints, subpoenas and other documents that relate to Twitter’s activities in the FTC complaint or Twitter’s compliance in the settlement. Finally, Twitter must file a report describing its compliance with the settlement and alert the FTC to any change in the corporation that may affect its compliance obligations. 
Any violation of the FTC order, which is in effect for 20 years, may result in a civil penalty of up to $16,000.&lt;/p&gt;</content><feedburner:origLink>http://feeds.lexblog.com/~r/PrivacyInformationSecurityLawBlog/~3/FBWhQw4Z29U/</feedburner:origLink></entry>
<entry gr:crawl-timestamp-msec="1301266676255"><id gr:original-id="http://www.pogowasright.org/?p=21935">tag:google.com,2005:reader/item/9ce9322cacc33dc9</id><category term="Businesses" scheme="http://www.pogowasright.org" /><category term="Internet" scheme="http://www.pogowasright.org" /><category term="Legislation" scheme="http://www.pogowasright.org" /><title type="html">What’s Next for the FTC’s Proposed Privacy Framework?</title><published>2011-03-24T13:38:52Z</published><updated>2011-03-24T13:38:52Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/zArrY9lS-tE/" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?p=21935#comments" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?feed=atom&amp;p=21935" type="application/atom+xml" /><content xml:base="http://www.pogowasright.org/?p=21935" xml:lang="en" type="html">&lt;p&gt;Richard L. Santalesa writes:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The December 2010 release of the FTC’s much anticipated &lt;em&gt;Privacy Framework&lt;/em&gt; (see our coverage &lt;a href="http://www.infolawgroup.com/2010/11/articles/enforcement/ftc-settles-charges-that-company-failed-to-tell-users-parents-that-childrens-information-would-be-disclosed-to-marketers/"&gt;here&lt;/a&gt;, &lt;a href="http://www.infolawgroup.com/2010/12/articles/events/david-vladeck-previews-ftcs-report-on-online-privacy/"&gt;here&lt;/a&gt;, &lt;a href="http://www.infolawgroup.com/2010/12/articles/privacy-law/review-of-ftcs-proposed-privacy-framework-part-1/"&gt;here &lt;/a&gt;and the report itself &lt;a href="http://www.ftc.gov/os/2010/12/101201privacyreport.pdf"&gt;here&lt;/a&gt;), included the typical public comment period, which ended in February.  We’ve looked at the 442 separate submitted comments received by the FTC, available &lt;a href="http://www.ftc.gov/os/comments/privacyreportframework/index.shtm"&gt;here&lt;/a&gt;, from individuals and associations, corporations and organizations to uncover what themes, trends and thoughts have been raised by the FTC’s framework, and in turn, what feedback the FTC will be weighing in future changes of the report and ultimately any resulting recommendations for additional legislation and regulation.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Read more on &lt;a href="http://www.infolawgroup.com/2011/03/articles/data-privacy-law-or-regulation/whats-next-for-the-ftcs-proposed-privacy-framework/"&gt;InformationLawGroup&lt;/a&gt;.&lt;/p&gt;</content><author><name>Dissent</name><source gr:stream-id="feed/http://www.pogowasright.org/?cat=14&amp;feed=atom"><id>tag:google.com,2005:reader/feed/http://www.pogowasright.org/?cat=14&amp;feed=atom</id><title type="html">Privacy News - PogoWasRight.org » Legislation</title><link rel="alternate" href="http://www.pogowasright.org/" type="text/html" /></source><feedburner:origLink>http://www.pogowasright.org/?p=21935</feedburner:origLink></entry>
<entry gr:crawl-timestamp-msec="1301266475935"><id gr:original-id="">tag:google.com,2005:reader/item/90c06b289f1a8338</id><title type="html">Experts: Data Security Paramount When Retiring Tech Assets</title><published>2011-03-27T22:54:35Z</published><updated>2011-03-27T22:54:35Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/-2U5gj-_TLo/Experts-Data-Security-Paramount-When-Retiring-Tech-Assets.html" type="text/html" /><link rel="canonical" href="http://www.govtech.com/security/Experts-Data-Security-Paramount-When-Retiring-Tech-Assets.html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/govtech/topics/cyber_security"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/govtech/topics/cyber_security</id><title type="html">Government Technology Security News</title><link rel="alternate" href="http://feeds.feedburner.com/govtech/topics/cyber_security" type="text/html" /></source><content type="html" xml:base="http://feeds.feedburner.com/govtech/topics/cyber_security"></content><feedburner:origLink>http://feedproxy.google.com/~r/govtech/topics/cyber_security/~3/kUMUZlc-N9E/Experts-Data-Security-Paramount-When-Retiring-Tech-Assets.html</feedburner:origLink></entry>
<entry gr:crawl-timestamp-msec="1301266198876"><id gr:original-id="http://www.lawyersandsettlements.com/case/google-faces-class-action-over-gmail-scanning-google.html?ref=rss">tag:google.com,2005:reader/item/3941a307c2c0afb0</id><title type="html">Law Suit Filed: Google Faces Class Action over Gmail Scanning</title><published>2011-03-16T21:00:21Z</published><updated>2011-03-16T21:00:21Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/H-iTuONQPBE/google-faces-class-action-over-gmail-scanning-google.html" type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.lawyersandsettlements.com/rss/Business.xml"><id>tag:google.com,2005:reader/feed/http://www.lawyersandsettlements.com/rss/Business.xml</id><title type="html">Lawyers and Settlements :: Business</title><link rel="alternate" href="http://www.lawyersandsettlements.com/" type="text/html" /></source><content type="html" xml:base="http://www.lawyersandsettlements.com/">Google Faces Class Action over Gmail Scanning</content><feedburner:origLink>http://www.lawyersandsettlements.com/case/google-faces-class-action-over-gmail-scanning-google.html?ref=rss</feedburner:origLink></entry>
<entry gr:crawl-timestamp-msec="1301265819116"><id gr:original-id="http://www.internetnews.com/security/article.php/3928416">tag:google.com,2005:reader/item/f7c005023b26e2ac</id><title type="html">BlackBerry Users Advised to Disable JavaScript</title><published>2011-03-27T22:43:39Z</published><updated>2011-03-27T22:43:39Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/ZKP961qUMos/3928416" type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.internetnews.com/icom_includes/feeds/inews/wr-security-20.xml"><id>tag:google.com,2005:reader/feed/http://www.internetnews.com/icom_includes/feeds/inews/wr-security-20.xml</id><title type="html">InternetNews.com Security News</title><link rel="alternate" href="http://www.internetnews.com" type="text/html" /></source><content type="html" xml:base="http://www.internetnews.com/">RIM's BlackBerry OS was exploited at Pwn2own, leaving users potentially at risk.</content><feedburner:origLink>http://www.internetnews.com/security/article.php/3928416</feedburner:origLink></entry>
<entry gr:crawl-timestamp-msec="1301265771193"><id gr:original-id="">tag:google.com,2005:reader/item/512e09037696c8e9</id><title type="html">New Tone at the Top: Evaluating Corporate Culture</title><published>2011-03-14T10:00:00Z</published><updated>2011-03-14T10:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/SR-I99azSjM/" type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.theiia.org/rss/IIANewsfeed.xml"><id>tag:google.com,2005:reader/feed/http://www.theiia.org/rss/IIANewsfeed.xml</id><title type="html">IIA News Feed</title><link rel="alternate" href="http://www.theiia.org/recent-iia-news/" type="text/html" /></source><content type="html" xml:base="http://www.theiia.org/recent-iia-news/">This edition of Tone at the Top explains the importance and “how-to” of evaluating an organization’s soft controls around corporate culture. It’s essential to providing management and the board assurance that the organization will not join the ranks of those that have been brought to their knees by lagging ethics and a weak corporate culture. Read the new issue at http://www.theiia.org/periodicals/newsletters/tone-at-the-top.

Also, please take our Readers Survey to tell us what you think of Tone at the Top: http://www.theiia.org/tonetopsurvey. 
Tone at the Top provides executive management, boards of directors, and audit committees with concise, leading-edge information on such issues as ethics, internal control, governance, and the changing role of internal auditing; and guidance relative to their roles in, and responsibilities for, the internal audit function. 

Your colleagues and audit committee and board members are invited to receive complimentary subscriptions to Tone at the Top. Register online at http://www.theiia.org/periodicals/newsletters/tone-at-the-top/tone-at-the-top-subscription-main-page/.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=SR-I99azSjM:EMk2M1lJZBY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/SR-I99azSjM" height="1" width="1"/&gt;</content><feedburner:origLink>http://www.theiia.org/recent-iia-news/?i=15453</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265733911"><id gr:original-id="">tag:google.com,2005:reader/item/40cf271fb584de58</id><title type="html">COSO Releases Two Additional Thought Papers on ERM</title><published>2011-01-11T20:29:00Z</published><updated>2011-01-11T20:29:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/eCnxqlzxI9I/" type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.theiia.org/rss/IIANewsfeed.xml"><id>tag:google.com,2005:reader/feed/http://www.theiia.org/rss/IIANewsfeed.xml</id><title type="html">IIA News Feed</title><link rel="alternate" href="http://www.theiia.org/recent-iia-news/" type="text/html" /></source><content type="html" xml:base="http://www.theiia.org/recent-iia-news/">ALTAMONTE SPRINGS, Fla. - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal controls, enterprise risk management (ERM), and fraud deterrence – is releasing two additional new thought papers relating to ERM aimed at providing guidance to help organizations advance along the ERM maturity curve.
The first thought paper, Embracing Enterprise Risk Management: Practical Approaches for Getting Started, developed by Mark Frigo and Richard Anderson of the Center for Strategy, Execution, and Valuation at DePaul University, describes how an organization can begin implementing an ERM process. It also examines perceived barriers to effective ERM and how to work through those barriers. “Starting an ERM process is a daunting task for many organizations,” said Anderson. “The paper provides an action plan that can be used as a tangible tool in ERM implementation.”
COSO’s second thought paper, Developing Key Risk Indicators to Strengthen Enterprise Risk Management, developed by the ERM Initiative at North Carolina State University, discusses the importance of developing key risk indicators to be used to monitor emerging risks that might affect the strategic success of the enterprise. “Key risk indicators can serve as leading indicators of emerging risks that senior management and the board of directors can monitor to ensure that they don’t negatively affect the achievement of strategic objectives,” according to Mark Beasley, Deloitte Professor of Enterprise Risk Management and Director of North Carolina State’s ERM Initiative and co-author of this thought paper. 
“There is a lot of current activity involving implementation and enhancement of ERM in organizations of all sizes,” said David Landsittel, chair of COSO. “Given COSO’s dedication to providing ERM thought leadership, we are issuing these two thought papers with an objective of assisting organizations in becoming more robust in their risk management activities.” 
Copies of these thought papers can be downloaded free of charge from COSO’s web site, (www.coso.org). COSO also encourages organizations seeking to strengthen their ERM processes to consider its 2004 Enterprise Risk Management – Integrated Framework, and its previously issued survey reports and thought papers on ERM, all accessible through its web site. 
 ###
 
About COSO
Originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence. COSO’s supporting organizations are The Institute of Internal Auditors (IIA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA). www.coso.org
 
About DePaul University’s Center for Strategy, Execution, and Valuation
The Strategic Risk Management Lab in the Center for Strategy, Execution, and Valuation at DePaul University is an engagement platform for thought leaders and the business community to co-create and share leading practices in Strategic Risk Management and ERM. The Strategic Risk Management Lab provides executive education, collaborative research and advising on leading practices in ERM focused on linking strategy, risk management and governance, as well as university courses which integrate ERM and Strategic Risk Management into the curriculum. http://commerce.depaul.edu/sev/
 
About North Carolina State’s ERM Initiative 
The ERM Initiative in the College of Management at North Carolina State University is pioneering thought-leadership about the emergent discipline of enterprise risk management, with a particular focus on the integration of ERM in strategy planning and governance. The ERM Initiative conducts outreach to business professionals through executive education and hands-on advising; its internet portal (www.erm.ncsu.edu); research advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives. www.erm.ncsu.edu
Media Contact
Scott C. McCallum
Manager of Corporate Communications &amp;amp; PR
Tel +1-407-937-1247
Email Scott.McCallum@theiia.org&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=eCnxqlzxI9I:oXfBKTzVUQU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/eCnxqlzxI9I" height="1" width="1"/&gt;</content><feedburner:origLink>http://www.theiia.org/theiia/newsroom/news-releases/?i=15096</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265726916"><id gr:original-id="">tag:google.com,2005:reader/item/90afda96c49f0918</id><title type="html">New Guidance Outlines Assessing the Adequacy of Risk Managementand and Internal Audit Effectiveness and Efficiency</title><published>2011-01-12T20:35:00Z</published><updated>2011-01-12T20:35:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pallnews/~3/tXdwMayXaQM/" type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.theiia.org/rss/IIANewsfeed.xml"><id>tag:google.com,2005:reader/feed/http://www.theiia.org/rss/IIANewsfeed.xml</id><title type="html">IIA News Feed</title><link rel="alternate" href="http://www.theiia.org/recent-iia-news/" type="text/html" /></source><content type="html" xml:base="http://www.theiia.org/recent-iia-news/">ALTAMONTE SPRINGS, Fla. – Boards of directors and senior management of organizations worldwide are increasingly implementing enterprise-wide risk management practices in the aftermath of the financial crisis of 2007 and the economic recession of the ensuing two years. Newly published guidance from The Institute of Internal Auditors (IIA) can help organizations assess the adequacy of those practices as measured against the Geneva-based International Organization for Standardization’s (ISO’s) widely respected ISO 31000 framework.
“Our research with chief audit executives (CAEs) around the globe is telling us that internal auditors are being looked to more and more to offer independent, objective opinions about whether an organization’s risk management activities are effective,” says IIA Vice President of Standards and Guidance Beryl Davis, CIA. “The IIA guide Assessing the Adequacy of Risk Management Using ISO 31000 offers internal auditors three self-contained approaches to forming such a conclusion, each of which CAEs could tailor to meet the specific needs of their organization,” she says.
Taking a process elements approach can help internal auditors determine whether each of the seven foundational elements of the risk management process identified in ISO 31000 is in place, the guide says. These elements are: communication; setting the context; risk identification; risk analysis; risk evaluation; risk treatment; and monitoring and review.
The key principles approach is rooted in the concept that to be fully effective, the risk management process must satisfy a minimum set of principles or characteristics, the guide notes. Under ISO 31000, an effective risk management activity:

    Creates and protects organization value.
    Is an integral part of organizational processes.
    Is a key element of decision-making.
    Explicitly addresses uncertainty.
    Is systematic, structured, and timely.
    Is based on the best available information.
    Is tailored to the organization, its size, culture, objectives, and risk profile.

ISO 31000’s maturity model approach stems from a foundational assumption that the quality of an organization’s risk management activity will improve over time. Adopting ISO 31000’s maturity model approach, the guide says, can help CAEs assess where their organization’s risk management process lies on this continuum and, by extension, enable the board to determine whether it meets the current needs of the organization and is maturing as expected.
 
“The IIA recognizes there are numerous reliable frameworks internal auditors can use to assess their ERM effectiveness,” Davis says. “Some of these frameworks – notably Enterprise Risk Management-Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – are used primarily in the United States, while others such as the ISO’s are used around the world,” she says. “The IIA’s new practice guidance based on ISO 31000 further expands The Institute’s offerings on how to leverage the advantages of the various frameworks available to organizations,” she adds.
 
A second practice guide newly published by The IIA, Measuring Internal Audit Effectiveness and Efficiency, is grounded in the professional requirement that the effectiveness, efficiency, and level of customer service of the internal audit activity must be assessed and monitored vigorously. “Internal auditing can add immense value and support continuous improvement by identifying business risks and inefficiencies,” Davis says. “However, the internal audit department’s effectiveness and efficiency, itself, must be monitored in order to build and maintain the internal auditor’s credibility. This can be accomplished by establishing a performance measurement process, identifying key performance measures, and monitoring and reporting on the level of customer service provided to internal audit stakeholders,” she says.
 
This 19-page guide describes how to establish performance measurement and monitoring processes and report the results effectively. The document’s extensive appendices, containing material such as sample internal audit performance metrics, dashboard reports, and stakeholder feedback surveys, should be of substantial value to CAEs. All IIA practice guides are strongly recommended elements of The IIA’s International Professional Practices Framework.
 
Assessing the Adequacy of Risk Management Using ISO 31000 and Measuring Internal Audit Effectiveness and Efficiency are available to IIA members for free PDF download at: http://www.theiia.org/guidance/standards-and-guidance/. The International Organization for Standardization’s ISO 31000 framework is available at www.iso.org. COSO’s Enterprise Risk Management — Integrated Framework is available at www.coso.org.
 
###

About The IIA
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession&amp;#39;s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.
 
Media Contact
Scott C. McCallum
Manager of Corporate Communications &amp;amp; PR
Tel +1-407-937-1247
Email Scott.McCallum@theiia.org&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/t2pallnews?a=tXdwMayXaQM:d0BP7txICkI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/t2pallnews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pallnews/~4/tXdwMayXaQM" height="1" width="1"/&gt;</content><feedburner:origLink>http://www.theiia.org/theiia/newsroom/news-releases/?i=15098</feedburner:origLink></entry></feed>

