1 / 32

ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc.

ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc. Presentation to NC State University College of Management: Enterprise Risk Management Round table November 18, 2005. Enterprise Risk Management “An Information Security CFO’s point of view”.

anniegutierrez
Download Presentation

ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc. Presentation to NC State University College of Management: Enterprise Risk Management Round table November 18, 2005

  2. Enterprise Risk Management“An Information Security CFO’s point of view” • Introduction • Small Company response to SOX 404 • Information Security Risks CONFIDENTIAL

  3. David Wagner, CFO Entrust, Inc. • BS Accounting, Pennsylvania State University • MBA, Finance, Pennsylvania State University • Raytheon Corporation - 1986-1991 • Nortel Networks - 1991-1995 • Entrust Inc., Controller - 1995-2003 • Entrust Inc., CFO - 2003- present CONFIDENTIAL

  4. We are Security Specialists… • Headquartered in Dallas (offices in Ottawa, Washington DC, London, Germany, China & Japan) • #12 of 600+ security software companies, with approx. $100M in annual revenues • Industry pioneer and leader, with approximately 500 employees, market leading products and over 100 patents • Best in class service and support, and integration for leading technology vendors • Strong financial position - $83M of cash- no debt. CONFIDENTIAL

  5. Known by the Customers We Keep • More than 1450 enterprises and global governments worldwidein over 50 countries have licensed Entrust’s products • Entrust has prominence with industry leaders around the globe: • 8 of the top 10 Global Telecom companies • 7 of the top 10 Global Pharmaceutical companies • 8 of the top 10 Global Aerospace and Defense Companies • 7 of the top 10 Global Commercial Savings Banks • 4 of the top 5 Global Petroleum Companies CONFIDENTIAL

  6. Enterprise Risk Management“An Information Security CFO’s point of view” • Introduction • Small Company response to SOX 404 • Information Security Risks CONFIDENTIAL

  7. Sox 404 at Entrust 1) Approach – A case study 2) Lessons learned about Sox 404 3) Lesson learned about Enterprise Risk CONFIDENTIAL

  8. Approach – Accounts & Processes Per PCAOB and COSO guidance; Risk assessment • Team identified • Significant accounts identified • Materiality • Inherent Risk • Significant processes identified • Control risk • Intersection point of all above: ‘The Matrix’ • Set priority to attack processes CONFIDENTIAL

  9. The 404 Team Documentation/Peer Reviews/Testing of low risk accounts & processes. CONFIDENTIAL

  10. Management Assertion What could go wrong? What are the key controls? CONFIDENTIAL

  11. Approach – Initial Findings • Controls Operating and Effective but not documented • Example: Finance Balance Sheet Review meetings. • Second Level reviews and sign-offs • Example: Payroll Canada; one person enters, submits, processes and reconciles. Added second level review of key reports and authorization of any ‘one-off’ payments. CONFIDENTIAL

  12. Approach – Risk & Controls Repository Use of existing portal - Entrust get Access - Lotus Domino Database CONFIDENTIAL

  13. Project Management - Status April July September CONFIDENTIAL

  14. Timeline - September CONFIDENTIAL

  15. Internal Testing Results: Individual Controls (December) THEN: • Total 116 individual controls identified to test • Green: Testing completed & passed • Yellow: Testing in progress, item to be reviewed at year end, or in Remediation. • Red: Testing resulting in significant issue, or further testing not yet resolved NOW CONFIDENTIAL

  16. Approach – IT General Controls • Information Security Governance Process • Risk assessment by business unit based on ISO17799 • Very little guidance existed for SOX IT issues before July 2004 • Compliance requirements for SOX and other legislation (SB1386, PIPEDA) incorporated in framework and process • Unacceptable risks result in action item (SOX compliance example would include missing documentation of key control is considered risk) • Focus on Finance data and application: • Confidentiality • Integrity • Availability • Mapping of ‘COBIT for SOX’ items back to framework to ensure coverage CONFIDENTIAL

  17. Entrust 404 Project Summary Entrust404 Project Scope • 42 Accounts and 66 processes identified • 41 Key processes documented • 116 key controls identified & tested in Finance • 92 IT general controls supporting 2 Key applications Entrust404 Project Cost • ~ 20% of 2004 Finance & Accounting staff hours , plus one full-time project manager • ~ 30% of 2004 IS/IT resources • + 55% additional fees for external testing (not auditor) • + 101% additional audit fees to external auditor CONFIDENTIAL

  18. 2 Questions on 404 1) Was it worth what paid for? No! $2.5 million - 2.5% of Revenue 2) Did you get anything worthwhile from 404? Yes! - Risk Based Review of the organizations; - Internal controls and processes documented - Internal control processes permeated throug the organization - Operations - HR - Legal - IT - Strengthened Ownership of Internal Controls CONFIDENTIAL

  19. Lessons Learned • Risk based - focus on significant accounts and processes, and then - key controls within those accounts and processes. • Complete documentation internally • Do not get caught up in a software implementation, but tools are important. • Establishing a common framework is fundamental - Information Security Governance - Risk Based Assessment and mitigating controls • Intellectual Property Processes • Information Systems and Controls are fundamental CONFIDENTIAL

  20. Going Forward – 2005 and Beyond • Maintain documentation as you go. • Build control documentation into everyday processes. • Continuous monitoring and project management. • Objective to reduce costs 50% - Moved 60% of 3rd party testing in-house - Continue to work with external auditor to alternatives to traditional working paper documentation • On-going risk based focus. CONFIDENTIAL

  21. Enterprise Risk Management“An Information Security CFO’s point of view” • Introduction • Small Company response to SOX 404 • Information Security Risks CONFIDENTIAL

  22. Employees Improved Productivity & Self-Service Suppliers Customers Streamlined Business Processes Access to Services & Information Enterprises & Governments are Extending Outside Corporate Regulatory Compliance Business compliance realities: Increased Legislation Compliance Anxiety Compliance CONFIDENTIAL

  23. Enterprise-wide policies required: Shift from Compliance to Risk Extended Enterprise & Govt. Governance & Regulation Employees Customers Suppliers FISMA PIPEDA EU Data Protection Act California SB 1386 Sarbanes-Oxley BASEL II GLBA HIPAA SEC Regulations Policy & AccessManagement CONFIDENTIAL

  24. Identity Theft • Not cyber terrorism, but cyber crime • Intent is to steal personal information for monetary gain • Diverse targets across different regions and sectors • Retailers (DSW, BJ Wholesaler’s) • Data brokers (Choice Point, LexisNexis) • Universities (USC, Duke, Purdue, Tufts) • Banks (BOA, Citibank, Wachovia) • Corporations (Motorola, Time Warner, SAIC) • Healthcare (Kaiser, San Jose Medical Group) CONFIDENTIAL

  25. Brand Impact Customer Implications • Cost of incident • A Gartner study found the average identity breach costs a consumer $1,500. • End User Loyalty and Preferences • A Nationwide Mutual Ins. study found that it takes approximately 81 hours for a consumer to repair the damage caused by identity theft • Business Relationships • Visa severed business relationship with CardSystems Solutions, Inc. • Drop in Stock Price • Firms that have a security breach involving credit card information suffered a stock market loss of 9.3 % the first day, increasing to 14.9% over three days. • Stagnant Market Growth • Online banking stagnant at 39% of Americans over past 12 months CONFIDENTIAL

  26. Online Identity Fraud Driving Industry Mandates • 18% of all respondentsstopped or decreased online banking in last 12 months! The guidance describes enhanced authentication methodsthat regulators expect banks to usewhen authenticating the identity of customers… Financial Institutions will be expected to achieve compliance…no later than year-end 2006 CONFIDENTIAL

  27. www.cyberpartnership.org Corporate Governance Task Force – Apr. 2004 • Info Security has become a fundamental business issue at the CEO and Board level • Balance IT investments with business risk decisions and put into a framework for implementation • Outlines accountability at various management levels, plus core elements of an information security program • Recognized the need to treat info security as a continuous improvement process Information Security Governance CONFIDENTIAL

  28. Why Enterprise Risk Management? • Information security • Headlines confirm failures produce real business impact • Regulatory compliance • Inconsistent “best” practices being self-imposed • Enterprise risk management • Help position audit findings and legal liabilities • Search for the Holy Grail • A single framework to provide focus and efficiency CONFIDENTIAL

  29. ISG – Keys to Successful Deployment • Identify key systems (NIST SP800-18) • Simple subjective risk assessment (OMB A-130 App. III) • Risk expressed in words (threat, vulnerability, impact) • Red - Yellow - Green ranking (FIPS-PUB 199) • Iterative process, progressive detail (GAO/AIMD 00-33) • Transparent process with summary reporting (GAO/AIMD 98-68) CONFIDENTIAL

  30. One Way Forward • One-hour sessions quarterly with managers to review: • Ask them what they think the risks are • Assessment of controls/residual risk per ISO17799 element • Use the session to raise awareness of threats and risks • Follow-up with groups they defer to (IT, Legal, HR) • Consolidate view across the organization • Feedback to managers where they stand relative to others • Share results up the management chain, request feedback • Let the managers do the assessment • If you can't convince them it's a risk, they won't deal with it • They can put it into business terms better than you can • Executive Sponsorship is NOT required • They are accountable, work with it CONFIDENTIAL

  31. How did ISG help our compliance efforts? • almost immediate reduction in D&O insurance • framework for internal control assessment • processes and responsibilities were already defined • it was not a separate compliance effort – SOX control assessment fit into it • provided laser focus on the compliance issues • covered all audit topics at heart of major regulations • still little guidance, poor audit standards, multiple regulations to check • ISG provided us with the list of concerned areas with very little excess • contained our audit fees • we experienced over 100% increase, and they called us “best in class” • knowing our business risks made it easy to focus on our risks & our systems, not simply “best practices” CONFIDENTIAL

  32. Conclusions • SoX 404 Impacts • changed Corporate Governance permanently • need to improve cost benefit through risk-based assessment • Enterprise Risk is increasingly important • Provides a common framework for evaluating non-ROI projects • Executive Officers are accountable • Information Security issues moving to Risk Management • Enterprises are increasingly based on information • Higher value assets are intangible; related business risk increasing • Inherent conflict between ROI focused CIOs and Information risk mitigation • Continuous Improvement – Quality Model CONFIDENTIAL

More Related