GREP-BLOG

Wednesday, 28 May 2014

The importance of COSO and COBIT and some thoughts on implementation

The US Securities and Exchange Commission in its final rule relating to "Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports" available at: http://www.sec.gov/rules/final/33-8238.htm#iib3a states:

"The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."

In May 2013 COSO updated the COSO Framework. The SEC recognised this and subsequently advised at http://www.thecaq.org/docs/reports-and-publications/2013septembe25jointmeetinghls.pdf?sfvrsn=0:

"The staff indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC's requirement to use a suitable, recognised framework"

This guidance essentially states that users of the 1992 version of the framework will have to justify why they are using it instead of the 2013 Framework. It also establishes COSO as the most recognised framework for internal control, which is why this framework has been adopted by most SEC filers.

The 2013 COSO Framework was developed in combination with ISACA as a member of the COSO Advisory Council. ISACA maintain and publish the COBIT Framework (Control Objectives for IT) and have also published guidance that links the new May 2013 COSO Framework covering enterprise control to the new COBIT5 Framework covering IT control.

So what does this mean? It means that for SEC filers, internal and external auditors will likely use COSO and COBIT guidance to assess the adequacy of the filer's control environment and the effectiveness of its controls. In my experience, and in the experience of a number of audit, risk and regulatory compliance professionals, this is the case in practice.

In practice I have not seen an organisation try to adopt the whole COSO or COBIT framework as it is. Rather, organisations have used these frameworks to undertake gap analyses of their current control environments and have looked to COSO and COBIT for guidance as to how to fill these gaps.

I have seen internal and external assurance professionals use COSO and COBIT as the basis for their assessments of the adequacy and effectiveness of organisations' internal controls.

Any control implementation or assurance activity based on these frameworks needs to be mindful that these frameworks are guidance and are purposely built to be generic. The key is understanding your organisation's value chain to your customer, regulatory environment and the risks to delivering this value or not complying with regulations and cultural norms and mores, then implementing a control framework that responds to these risks.

Friday, 23 May 2014

ICO Report: Protecting personal data in online services

A useful report from the ICO on data breaches drawn from their experience:

"The Information Commissioner’s Office (ICO) has published a new security report highlighting eight of the most common IT security vulnerabilities that have resulted in organisations failing to keep people’s information secure."

ICO Report

The ICO have highlighted the key eight areas that they have found result in data leakage:

  • Software updates 
  • SQL injection 
  • Unnecessary services 
  • Decommissioning of software or services 
  • Password storage 
  • Configuration of SSL and TLS 
  • Inappropriate locations for processing data 
  • Default credentials

Appendix B also contains some interesting information on how long it takes to crack passwords of varying length and complexity.

An extract is:



Wednesday, 23 April 2014

Risk Management: Finding agreement on risk and controls

One of the primary activities of a risk management professional is to have conversations with organisation stakeholders to understand risks and what needs to be done to manage these risks.

These conversations can involve trying to reach agreement on the existence of risks and then subsequent risk management activity required. Recognising a risk and working out what to do about it requires, at times, considerable effort that could otherwise go into delivery of mission critical projects and business as usual activity that stakeholders' performance is measured against. Why would a stakeholder spend time on activities they are not measured against?

As a risk management professional, you need to answer this "Why?" question in a compelling way. To answer it you need to understand the organisation's objectives. You then need to couch your risk analysis and your articulation of the risk and its impact in terms of how these will affect the organisation's objectives. When I talk about organisation objectives, these may be top-level or lower-level objectives of the organisation as a whole or of a single department within it. Selection of the appropriate objectives depends on your stakeholder: you need to identify an objective as close as possible to your stakeholder. This is easier if you have a mandatory policy framework that has been approved at the highest levels and that all staff must comply with, but it becomes challenging where this doesn't exist or is evolving. If you have a mandatory policy it will generally have an objective that everyone must support. If this doesn't exist or is evolving, you need to outline what the objective is and link it to the stakeholder's objective in a clear, compelling and self-evident way. This is where good risk articulation is important, and where understanding that risk is the effect of uncertainty on objectives comes into play.

Understanding this, the conversation needs to be preceded by you understanding the relevant objectives and articulating a baseline risk that makes it very clear what the effect on the objectives might be; and, as much as possible, quantifying this with relevant facts such as estimated loss or the frequency of similar risks materialising in the organisation or industry. This helps to paint the picture for the stakeholder.

One thing you need to remember is not to be wedded to your initial risk articulation. Your conversations with stakeholders will provide you with valuable insights that need to be incorporated into your risk analysis and associated risk articulation. Your stakeholders will also likely have pragmatic and valuable suggestions for controlling the risks they deal with day to day. You need to consider these seriously. One of the biggest causes of disagreement I have seen in my experience is risk professionals swooping in with theoretical notions of risk and controls without considering what already happens on the ground to address risks, or suggesting best-practice controls without considering pragmatism and sizing.

You need to work side by side with your stakeholders to understand their objectives and how these tie into the objective of the organisation to manage risks. You need to understand their business and how they may already be managing their risks and try to leverage this where feasible. And finally, keep the conversations going to identify any gaps as they arise and opportunities to make risk management more efficient and effective, alongside your stakeholders.

Failing all of the above, if you find yourself dealing with an intransigent stakeholder, sometimes the best way to advance is to escalate your case and follow the same approach with the next level up. If you have the support of a broader risk management function then use this also as good working relationships may already exist at your management's level.

Friday, 18 April 2014

Review of Wealth of Nations - Part 1

Title: Wealth of Nations (Wordsworth Classics of World Literature)
Author: Adam Smith
Pages: 1008 pages
Publisher: Wordsworth Editions Ltd.; Classic World Literature edition (5 July 2012)
Language: English
ISBN-10: 1840226889
ISBN-13: 978-1840226881

The Wealth of Nations is composed of five books, each with a number of chapters. I figured I'd share what I've learned from my reading of the book as I go. So here it is for the first seven chapters, which set the scene before some of the more detailed text.

Overall, Smith has a fairly easy turn of phrase and the language used in the book is not archaic even though it was published in the 1700s. It is easy enough to follow and dwells on the fundamentals to ensure that the reader has fully grasped these prior to moving on in the book. I thought I'd try to summarise what each chapter is trying to say in this review to give an idea of how Smith has developed this work.

Book 1 - Introduction and Chapter 1:

Smith establishes labour as the fundamental basis of national economic output (commodities). Smith advises that the national economic output will be regulated by a) the way in which labour is applied, and b) the level of employment. Smith highlights how specialisation and the division of labour have enabled the production of many of the commodities of life (such as glazed windows) which it would not have been possible for any one person to produce for themselves within their lifetime to the same standard.

Book 1 - Chapter 2:

Smith recognises people's "almost constant occasion for the help of his brethren". He recognises that people's ability to "truck, barter and exchange" goods and services to satisfy their needs and wants enables the division of labour described in the first chapter to be useful to those specialising in the production of one sort of good or service.

Book 1 - Chapter 3:

Smith draws the conclusion that the division of labour is limited by the extent of the market for goods and services. He highlights that denser population centres will give rise to greater specialisation and division of labour than less dense centres. For example, the market for nails for building work in a dense population centre is greater in that centre and would give rise to specialised nail-makers mass producing nails. In a remote rural region with very low population density and difficulty or prohibitive expense in importing mass produced nails, making nails may be done by a blacksmith who also makes all manner of other metal objects (less specialisation and division of labour).

Book 1 - Chapter 4: 

This chapter looks at money and how it evolved as a way to usefully and conveniently facilitate trade. It describes how trade was initially facilitated through the exchange of weights of precious metals such as gold and silver for goods and services. Smith goes on to describe how the uniform goodness of precious metals was attested by stamping a quality mark on them, with this giving rise to coinage. Smith also recognises that coinage was debased at the expense of national subjects by sovereign states and princes, who gradually reduced the amount of gold and silver in the coin over time in order to create more money from the skimmed precious metal. This chapter introduces the concept of "value in exchange" and outlines how the "real" value of exchanged commodities is composed.

Book 1 - Chapter 5:

Smith expands upon the concept of "real" value and compares it to "nominal" value. Real value is that which is given up to produce a commodity, and nominal value is the money price of that commodity. These values are not always the same, with a tendency for a commodity whose nominal value is under or over its real value to move towards the real value. This chapter revisits the topic of the value of money in terms of the quantity of gold and silver in coins. Interestingly, he suggests that government regulation making silver and gold the legal tender, except for small change, would stop the "discreditable" conduct of banks in counting out pennies to depositors calling for their deposits in a bank run. He adds that this regulation would require banks to hold more cash in reserve, which would be a considerable security to the bank's creditors (including depositors). This suggestion of government regulation and reserve requirements is a feature of the banking system today.

Book 1 - Chapter 6:

In this chapter Smith breaks down the price of any good or service into one or more of three parts:
    - The wages of labour
    - The profits of stock
    - The rent of land

A common thread with all of this, as outlined in the introduction to his book, is that stock cannot turn a profit and rent cannot be provided without labour. Another interesting point Smith makes in this chapter is his likening of the charging of rent by landlords who annexed the commons to "reaping where they never sowed".

Book 1 - Chapter 7:

This chapter essentially introduces the basic economic concepts of demand, supply and equilibrium price. It also discusses the spectrum from perfect competition to oligopolies and monopolies, and the effect of this on the price that is charged versus the "natural" price. An insightful quote from this chapter is:

"The exclusive privileges of corporations, statutes of apprenticeship, and all those laws which restrain, in particular employments, the competition to a smaller number than might otherwise go into them, have the same tendency, though in a less degree. They are a sort of enlarged monopolies, and may frequently, for ages together, and in whole classes of employments, keep up the market price of particular commodities above the natural price, and maintain both the wages of the labour and the profits of the stock employed about them somewhat above their natural rate.

Such enhancements of the market price may last as long as the regulations of policy which give occasion to them."

My conclusion ... so far

My main takeaways from this are that Smith has done a good job of linking economic prosperity to "useful" employment of labour. He also logically and systematically creates a basis for his economic principles from the empirical evidence available to him at the time and from his experiences. He makes it clear that the economic principles are subject to reality and that they may not always hold depending on other factors. Importantly, Smith recognises the importance of society and of everyone contributing what they are able to progress it. Through induction and a couple of statements Smith also recognises the role of regulation in the economy to ensure it operates in the best interests of society (e.g. reserve requirements and anti-trust / monopoly regulation). There are two ways to read the interesting quote Smith made in Chapter 7, as reproduced above. One is to infer that the exclusive privileges relate to preferential treatment of certain corporations by governments and sovereigns, such as the East India Company, while the other is more general and relates to the general privileges enjoyed by corporations, namely limited liability and a higher barrier to entry into this structure for those with fewer resources than those with greater resources.

Overall, my own reading of the text has changed the way in which I have thought of Adam Smith. I see in the words of the author and the ideas espoused, someone trying to create a model by which to better understand economics. The economics espoused in this text is that based on hard work (labour) being the prime mover in economic performance with the real value of things being that which is given up by those who perform the labour. He does include stock and land as secondary elements but these can only be utilised through labour. Sounds to me so far that true capitalism is based on "useful labour" rather than playing around with the money supply or having hoards of unused stock and land.

More to come in Part 2 (just need to finish reading more chapters).

Friday, 11 April 2014

Money : whence it came, where it went: A review

Title: Money : whence it came, where it went
Author: John Kenneth Galbraith
Pages: 335 pages
Publisher: Bantam (1976)
Language: English
ISBN-10: 0553026887
ISBN-13: 978-0553026887

Review

In terms of content, Galbraith has done a good job of providing a fairly representative round-up of the early days of money and the various ways in which it was managed or abused. He then continues into a more US-focused history of money and looks at the effectiveness of monetary policy in dealing with periods of recession. He provides a very candid account of his own role, and that of his contemporaries and near contemporaries, in economic policy making. He concludes with six points which essentially point out the failings of monetary policy as a sole lever in the economy and highlight the importance of combining monetary policy with fiscal policy to effect desired outcomes in the economy. Galbraith makes the point that monetary policy may make more money available through banks by reducing official interest rates and loosening reserve requirements, but fiscal policy is needed to encourage people to actually use this extra money.

In terms of style, Galbraith has used a conversational style with amusing anecdotes and opinions interspersed. Sometimes, though, you find yourself backtracking to get some of his points because of the sidelines and witty quips. Overall, not impenetrable.

I would recommend reading this book. Textbooks I studied while studying various economics subjects lack the same colour and courage in discussing the subject matter and for the most part take monetary policy as gospel. This book gives a more balanced view.

Wednesday, 26 March 2014

What is privileged access? - A definition of privileged access from review of US financial institution regulation and ISO 27002

Why is it important to understand what privileged access is? Highlighting some examples of what can happen when privileged access is not managed appropriately demonstrates it is something that needs to be understood:

  • March 2002 - It was reported that Roger Duronio brought down 2,000 business-critical servers, including trading servers, with a logic bomb in UBS, costing $3.1m in restoration costs and unknown business losses during the downtime [i].
  • January 2008 - It was reported that Jérôme Kerviel lost Société Générale €4.9bn in trades, purportedly utilising privileged access accumulated from his previous and last roles in the bank [ii].
  • January 2009 - It was reported that Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb that could have lost Fannie Mae "many millions of dollars", using his privileged access [iii].

From this, the impacts of not understanding and appropriately controlling privileged access are significant. The primary challenge with implementing privileged access policies and controls is the lack of a clear definition of what privileged access is.

Fortunately, US financial institutions regulation and the International Organization for Standardization provide a starting point.


US Financial Institutions Regulation

The Board of Governors of the Federal Reserve System (the Board) implements the Federal Reserve Act and other laws pertaining to banking and financial activities. The Board implements those laws, in part, through its regulations A through YY, which are codified in Title 12, Chapter II, of the Code of Federal Regulations within the US Code (USC) [iv].

Sections 6801 and 6805 in Title 15 of the USC apply the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions, including bank holding companies. Section 501(b) of the GLBA introduced the "Financial Institutions Safeguards" requirement, which requires financial institutions to implement administrative, technical, and physical safeguards to ensure the confidentiality, security and integrity of customer information [v].

Further guidance as to how to establish these safeguards is provided by CFR Regulation Y - Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC has published examination handbooks that apply to the examination of a financial institution's operations and all related data, and that serve as a supplement to the agencies' GLBA 501(b) expectations.

Page 19 of the Federal Financial Institutions Examination Council (FFIEC) Information Security Examination Handbook defines privileged access as [vi]:

"the ability to override system or application controls"

A key point to note in this definition is the distinction between systems and applications. This distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

International Standards Organisation

The FFIEC Information Security Examination Handbook definition is aligned to the international standard ISO 27002 Information technology - Security techniques - Code of practice for information security management (ISO 27002).

Specifically, page 61 of ISO 27002 defines privileged access rights as those [vii]:

"access rights which allow users to override system controls"

This definition differs from the FFIEC definition in that it refers to access rights, and these apply only to system controls rather than to both system and application controls. This ISO guidance suggests that the FFIEC definition's "ability" is the ability conferred on a "user" by virtue of their "access rights".

Additionally, page 62 of ISO 27002 defines system administration privileges as [viii]:

"any feature or facility of an information system that enables the user to override system or application controls"

The last part of this definition is identical to the FFIEC wording "override system or application controls". This additional ISO guidance suggests that the FFIEC definition's "ability" is the ability conferred on a "user" by virtue of "any feature or facility of an information system". As with the FFIEC definition, a key point to note is the distinction between systems and applications, which means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

Finally, further guidance is available at page 56 of ISO 27002, which defines privileged operations as [ix]:

"use of privileged accounts, e.g. supervisor, root, administrator; system start-up and stop; [and] I/O device attachment/detachment"

While not a definition of privileged access, this provides useful interpretation guidance on what is commonly considered to be the operations of those with privileged access and, from this, what constitutes privileged access. In this case it names operating system or database system administrator accounts such as "root", "administrator" and "supervisor"; by extension, access equivalent to the access level of these accounts would be considered privileged access. It also names system start-up and stop and I/O device attachment/detachment, which are system-level services generally accessible via service or system accounts.


Conclusion - A Working Definition of Privileged Access

From these sources we can develop a working definition of privileged access that is aligned to US regulatory requirements and international standards.

From the FFIEC definition, the working definition needs to cover both applications and systems. Expanding the FFIEC definition’s use of the term “ability” using ISO guidance, would result in the following definition:

"Privileged access is the ability to override system or application controls, conferred on a user by virtue of their access rights or any feature or facility of an information system. This includes the ability to use system administration and service accounts."

From this working definition, we can better understand what ability is considered privileged, and that a user with this ability would be considered to have privileged access. Policy making and controls based on this definition will ensure alignment with the US regulators and international standards, hopefully resulting in better risk and control assessments to implement the necessary administrative, technical, and physical safeguards to ensure the confidentiality, security and integrity of customer information.


Endnotes

[i] Gaudin, S., Ex-UBS Systems Admin Sentenced To 97 Months In Jail, United States of America, 2006. Available at: http://www.informationweek.com/ex-ubs-systems-admin-sentenced-to-97-months-in-jail/d/d-id/1049873? (Accessed 6 March 2014).

[ii] Tarzy, B., Revoke legacy privileged accounts - or pay the consequences, United Kingdom, 2012. Available at: http://www.computing.co.uk/ctg/the-big-picture-blog/2157940/revoke-legacy-privileged-accounts-pay-consequences# (Accessed 6 March 2014).

[iii] Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, 2009. Available at: http://www.computerworld.com/s/article/9127157/Ex_Fannie_Mae_engineer_pleads_innocent_to_server_bomb_charge (Accessed 6 March 2014).

[iv] Government Printing Office, Electronic Code of Federal Regulations, United States of America, 2012. Available at: http://www.ecfr.gov/cgi-bin/ECFR?page=browse (Accessed 6 March 2014).

[v] Government Printing Office, Gramm-Leach-Bliley Act, United States of America, 1999. Available at: http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf (Accessed 6 March 2014).

[vi] Federal Financial Institutions Examination Council, The FFIEC Information Security IT Examination Handbook, United States of America, 2006. Available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf (Accessed 6 March 2014).

[vii] International Organization for Standardization (ISO), ISO 27002:2005, Information technology - Security techniques - Code of practice for information security management, Switzerland, 2005.

[viii] Ibid.

[ix] Ibid.

PS: This is also published in the IT Risk Practitioner

Monday, 24 March 2014

Would Recommend Code::Blocks IDE for C++ Development

I normally use a Linux host for my development work (Eclipse and NetBeans) but have today decided to look at Windows again. I was looking around for a no-nonsense IDE with version control, syntax highlighting, and compiling and running of programs in one intuitive interface. I finally found a good IDE that fits the bill: Code::Blocks (see the home page at http://www.codeblocks.org). This IDE installs easily and without any issues from a single downloaded binary (albeit 100 MB in size; download the one at http://sourceforge.net/projects/codeblocks/files/Binaries/13.12/Windows/codeblocks-13.12mingw-setup-TDM-GCC-481.exe) and can build and run C++ application code straight out of the box. I was very impressed. I didn't have to set up Cygwin or MinGW; it set this up for me (i.e. MinGW and GCC were installed alongside the IDE).

It's looking good so far but we'll see how it goes when I start to exercise it a bit more.