Psoenen's Blog

Cloud computing : Governance and security?

psoenen — Fri, 01 Oct 2010 22:36:34 +0000

Do you consider moving into the cloud? Cloud customers need assurance that providers are following sound security practices. The importance of the governance and risk management issues related with the move of assets into the cloud computing should be clearly understood.

The promise of the Cloud

Cloud computing is a on-demand service model for IT provision, often based on virtualisation and distributed computing technologies.

The attractiveness of Cloud Computing

By moving IT services to the Cloud, enterprises can take advantage of using services in an on demand-model. The infrastructure costs are reduced and services are paid on an subscription or pay-per-use basis. The Cloud offers a way to extend IT’s existing capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.

The Cloud service delivery models

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

1. SaaS – Software as a Service

SaaS delivers provider’s applications through the browser to thousands of customers using a multitenant architecture, i.e. a single instance of the software runs on a server, serving multiple client organisations. The service providers maintain and govern the software, data, and underlying infrastructure. Examples include online word processing and spreadsheet tools, CRM services and web content delivery services.

Sample offerings are Salesforce CRM, Google Docs, etc.

2. PaaS – Platform as a Service

PaaS offers the capability to deploy on the cloud infrastructure customer-created or acquired applications using tools supported by the provider. The service providers maintain and govern the application environments, server instances, as well as the underlying infrastructure.

Examples are Microsoft Azure, Force and Google App engine.

3. IaaS – Infrastructure as a Service

IaaS offers the ability to deploy operating systems and applications on computing resources (processing, storage and networks) provided by a third party. The customers deploy and manage assets, including operating systems and applications, on leased or rented server instances, while the service providers own and govern the underlying infrastructure.

Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud.

Cloud Computing Deployment Models

There are three primary cloud deployment models and a hybrid model:

Deployment Model	Description of the Cloud Infrastructure
Private Cloud	An internal cloud emulates cloud computing on private networks: Operated solely for an organisation; May be managed by the organisation or a third party; May exist on-premise or off-premise; End-to-end control; Dedicated resources.
Community Cloud	A community cloud may be established where several organisations have similar requirements and seek to share infrastructure so as to realise benefits of cloud computing: Shared by several organisations; Supports a specific community that has shared mission or interest; May be managed by the organisations or a third party; May reside on-premise or off-premise.
Public Cloud	External or multi-tenant cloud describes the cloud computing in the traditional mainstream sense, whereby resources are dynamically provisioned over the Internet, via web services: Made available to the general public or a large industry group; Owned by an organisation selling cloud services; Common policies; Shared resources and multi-tenant .
Hybrid Cloud	A composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability.

Benefits

Although financial savings may be attractive, the real opportunities are to streamline the business processes and to increase the innovation. Instead of managing and scaling infrastructures, the organisations can focus on their core business.

Key benefits	Description
Cost	The cloud offers enterprises the option of scalability without the serious financial commitments required for infrastructure purchase and maintenance. The upfront capital expenditure with cloud services is low. Services and storage are available on demand and are priced as a pay-as-you-go service.
Immediacy	The provision and utilisation of services may be achieved in days compared to the weeks or months required for traditional IT projects.
Availability	Cloud providers have the infrastructure and bandwidth to accommodate business requirements for high speed access, storage and applications.
Scalability	Cloud services offer increased flexibility and scalability for evolving IT needs. Provisioning and implementation are done on demand, allowing for traffic spikes.
Business focus	The reallocation of information management operational activities to the cloud offers businesses a unique opportunity to focus efforts on innovation and research and development.
Resiliency	Cloud providers have mirrored solutions that can be utilised in a disaster scenario as well as for load-balancing traffic.
Mobility	Employees can access information wherever they are, rather than having to remain at their desks.

Governance and security

Security in the Cloud ?

When switching to the cloud, the creation of a security plan should be a first consideration. Security breaches can be the direct cause of service interruptions and can contribute to lower service levels. Also, data theft resulting from a security breach could result in a real or perceived breach of customers’ trust in your organisation.

The customers should make buying their choices on the basis of the reputation for confidentiality, integrity and resilience, and the security services offered by a provider. This will drive the cloud providers to improve their security practices and also compete on security.

The following table gives an overview of the major control objectives and highlight some potential risks and issues related to the use of cloud solutions.

Criteria	Objectives	Risks and issues
Governance	Governance functions are established to ensure effective and sustainable management processes that result in transparency of business decisions, clear lines of responsibility, information security in alignment with regulatory and customer organisation standards and accountability.	How to govern the cloud: which management and monitoring processes should be implemented, which roles and responsibilities, which KPI’s?
Risk management	Risk management procedures are implemented to evaluate inherent risks within the cloud computing model, identify appropriate control mechanisms, and ensure that residual risk is within acceptable levels. The information risk management is integrated into the organisations Enterprise Risk Management (ERM) framework.	How to govern and manage enterprise risk: how can the user assess risks of a cloud provider?
Compliance	Contractual obligations: Establish agreements and procedures to ensure contractual obligations are satisfied, and these obligations address the compliance requirements. The use of cloud computing should not violate customer compliance agreements.	What is the legal, financial and information security in the contractual agreements?
	Legal issues relating to financial, jurisdictional and contractual requirements are addressed to protect both parties.	Regulatory and legislative compliance: how will the cloud affect your ability to comply with regulatory requirements such as SOX, GLBA, HPPA, PCI?
	The storage of personal data in the cloud should be compliant with the data privacy regulations.	Disclosure laws: Physical location dictates jurisdiction and legal obligation. Country laws governing personally identifiable information (PII) vary greatly.
	The right to audit is clearly defined and satisfies the assurance requirements of the customer’s board of directors, audit charter, external auditors and any regulators jurisdiction over the customer	Auditability: who can investigate data?
		If a legal investigation is required, namely because of illegal activity, can the provider support the customer to do the investigation?
Application requirements	For SaaS implementations, the applications should contain the appropriate functionality and processing controls required by the business.	Do the applications satisfy the functional, financial and operational requirements?
Application requirements		Do the applications contain the processing controls required by the control policies?
Asset management	Applications are developed with an understanding of the interdependencies inherent in cloud applications, based on risk analysis and design of configuration management and provisioning process that will withstand changing application architectures.	Difficulty to integrate multiple applications, namely with in-house IT
Asset management	Planning for migration of data is required to reduce operational and financial risks at the end of contract.	Provider dependency: loss of control over systems and eventually data; how to ensure data portability and interoperability?
Service management	Ensure that services provided by third parties meet business requirements through effective third-party management processes.	Does the service provider align its operations with the customer service requirements?
Confidentiality	Data are securely transmitted and maintained to prevent unauthorised access and modification.	User access: how is data access ensured and controlled; who at the provider has access to data?
	Data are securely protected against unauthorised access, eventually through encryption, and separation of duties exists between key managers and the hosting organisation.	Data segregation: how to ensure that customers and competition don’t access data? How to ensure intrusion detection?
	The customers remains the only owner of his data.	Data ownership: who owns the data in the cloud?
Integrity	Identity processes assure only authorised users and processes has access to the data and the resources, user activities can be audited and the customer has control over access management.	Data corruption: who can modify the data?
Integrity	Cross-contamination with other customer environments has to be avoided.	How to prevent against malware and security vulnerabilities?
Availability	An effective continuous service process minimises the probability and impact of a major IT service interruption on key business functions and processes.	Service reliability: What about the availability issues of Internet connectivity or system outages?
		Long term viability: And what in case the provider fails?
		Recovery: Is data safeguarded?
Incident management	Incident notifications, responses, remediation are documented, address the risk, are escalated as necessary and are formally closed.	Are incident detection, response, notification and remediation adequately managed?

Governance

A port of the cost savings must be invested into increased scrutiny of the security capabilities of the provider, the application of security controls and ongoing detailed assessments and audits, to ensure requirements are continuously met.

Organisations should view cloud services and security as supply chain security issues. This means examining and assessing the provider’s supply chain (service provider relationships and dependencies), to the extent possible.

Information security governance should rely on cooperation between customers and providers to achieve agreed-upon goals which support the business mission and the information security requirements. The service model should adjust the defined roles and responsibilities in collaborative information security governance and risk management, while the deployment model should define the accountabilities and expectations.

User organisations should include review of specific information security governance structures and processes, as well as specific security controls, as part of their due diligence for prospective provider organisations. The provider’s security governance processes and capabilities should be assessed for sufficiency, maturity, and consistency with the user’s information security management processes. The assessment of the provider’s information security, risk management and compliance structures and processes should cover:

Request clear documentation on how the facility and services are assessed for risk and audited for control weaknesses, the frequency of assessments, and how control weaknesses are mitigated in a timely manner.
Require definition of what the provider considers critical service and information security success factors, key performance indicators, and how these are measured relative to IT Service and Information Security Management.
Review the provider’s legal, regulatory, industry, and contractual requirements capture, assessment, and communication processes for comprehensiveness.
Perform full contract or terms-of-use due diligence to determine roles, responsibilities, and accountability. Ensure legal review, including an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions.
Determine whether due diligence requirements encompass all material aspects of the cloud provider relationship, such as the provider’s financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities, and use of subcontractors.

The Service Level Agreement (SLA) is one of the most effective tools the organisation can use to ensure adequate protection of information entrusted to the cloud. The customers can specify which control frameworks will be utilised and describe the expectation of an external, third-party audit. Clear expectations regarding the handling, usage, storage and availability of information must be articulated in the SLA. Additionally, requirements for business continuity and disaster recovery should also be communicated in the agreement.

Metrics and standards for measuring performance and effectiveness of information security management should be established prior to moving into the cloud. Security metrics and standards, especially those relating to legal and compliance requirements, should be included in any Service Level Agreements and contracts.

The use of standards and frameworks will help businesses gain assurance around their cloud computing supplier’s internal controls and security. These standards and metrics should be documented, demonstrable and auditable.

Patrick Soenen | p.soenen[at]qap.eu ♦ Jean-Pierre Palante | jp.palante[at]qap.eu

Protecting the privacy of personal information

psoenen — Fri, 01 Oct 2010 22:34:26 +0000

One of the many challenging risk management issues faced by organisations today is protecting the privacy of customers’ and employees’ personal information. When privacy is well managed, organisations earn the trust of their customers, employees, and other stakeholders. When it’s poorly managed, trust and confidence can quickly erode. And today, boards and audit committees want assurance around the organisation’s processes that protect private information.

Many countries have adopted nationwide privacy legislation governing the use of personal information, as well as the export of this information across borders. For businesses to operate effectively in this environment, they need to understand and comply with these privacy laws. Recent incidents of identity theft, mismanagement of personal information, and violation of privacy principles have increased regulatory and consumer pressure on organisations to develop appropriate controls in relation to privacy, data management, and information security.

What is privacy

The American Institute of Certified Public Accountants (AICPA) defines privacy as “the rights and obligations of individuals and organisations with respect to the collection, use, disclosure, and retention of personal information”.

The European Data Directive 95/46/EC requests that “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” .

In today’s business context, privacy often refers to the privacy of personal information about an individual and the individual’s ability to:

Know how his or her personal information is handled;
Control the information collected;
Control what the information is used for;
Control who has access to the information;
Amend, change, and delete the information.

Personal information

Personal information is data that can be linked to or used to identify an individual either directly or indirectly. Examples of personal information are:

Person’s name;
Home address;
Pictures;
Telephone numbers (even a professional telephone number);
Identifiers such as Social Security, social insurance, passport, or account numbers;
Bank account numbers;
e-mail addresses;
Fingerprints;
Physical characteristics;
Credit records;
Consumer purchase history;
Employee files.

Sensitive information

Sensitive personal information requires an extra level of protection and a higher duty of care:

Medical records;
Financial information;
Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade union membership;
Information related to offenses or criminal.

Non-personal information

Anonymised information about people cannot be associated with specific individuals. This includes statistical or summarised personal information for which the identity of the individual is unknown or linkage to the individual has been removed.

The benefits of good privacy management

Good privacy governance involves identifying significant risks to the organisation, such as a potential misuse, leak, or loss of personal information. It also implies ensuring appropriate controls are in place to mitigate the privacy risks.

For businesses, the benefits of good privacy controls include:

Protecting the organisation’s public image and brand;
Protecting valuable data on the organisation’s customers and employees;
Complying with applicable privacy laws and regulations;
Enhancing credibility and promoting confidence.

For public-sector and non-profit organisations, the additional benefits of good privacy controls include:

Maintaining trust with citizens and noncitizens;
Sustaining relationships with donors of non-profit organisations by respecting the privacy of their activities.

The Privacy Challenge

Normally organisations recognise the need for implementing good privacy practices. However, the challenge is sustaining the privacy program. With the proliferation of data management technology, organisations have difficulty identifying where this data is stored, how it is protected, who has access to it, and how it is securely disposed. In addition, accountability and responsibility for maintaining the privacy practices is not always clearly assigned within the organisation.

Privacy regulations

Multiple regulations have been developed by various countries and organisations.

Year	Regulation
1980	The OECD Council’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data was created to establish a common ground for free transborder data flow among the 24 OECD members
1984/1998	The UK Data Protection Acts
1990	The UN General Assembly issued its human rights based Guidelines Concerning Computerised Personal Data Files, which member states should take into account when implementing national data protection legislation
1995	The European Data Protection Directive 95/46/CE, on the Protection of Individuals with Regard to the Processing of Personal Data, has been translated in Belgian law
1996	The Canadian Standards Association Model Code for the Protection of Personal Information, now incorporated into national law (PIPEDA)
1997	The European Distance selling Directive 97/7/CE
1997	The Framework Data Protection Directive 97/66/CE, protecting privacy in telecommunications
2000	Standards Australia has developed AS 2805.9-2000: Electronic Funds Transfer – Privacy of Communications, which specifies methods of protecting from disclosure the information contained in electronic messages
2002	The European ePrivacy Directive 2002/58/CE, establishing rules for online marketing
2004	The APEC Privacy Framework (consistent with the core values of the OECD guidelines) was developed and intended to provide guidance and direction to businesses in APEC economies on common privacy issues and the impact these issues have on the way businesses are conducted
2006	The European Data Retention Directive 2006/24/CE, extending data privacy to Internet and e-Mail

The Commission for the Protection of Privacy (CPP)

The Commission for the Protection of Privacy (CPP), known as Belgian Privacy Commission, is an independent authority ensuring the protection of privacy during the processing of personal data. The Commission recognises the information society’s need to collect and process personal data for societal and economic developments and compares societal and economic needs with this fundamental right in order to come to decisions and privacy safeguards reconciling both elements. The Commission realises that any personal data processing operation implies risks for privacy protection. It consequently stresses the importance of informing data subjects as well as processors about these risks, and of integrating safeguards, particularly relating to information security. Moreover, it focuses on the importance of the use of technologies in personal data processing for more well-being and welfare for citizens in our current society.

Processing of privacy data

Personal data

A data processing operation starts with the collection of data. Before the data is collected, however, the controller has to notify the processing to the Commission. The data has to be collected fairly and therefore transparently. The controller collecting personal data has to inform the person about the processing. The controller has to:

clarify why he wishes to obtain your personal data;
transmit his contact details to you;
let you know who your data will be disclosed to;
inform you about your right to access and rectify your data;
mention that you may object free of charge to the use of your data for direct marketing, e.g. commercial actions.

Sensitive data

Some data are so delicate that they may only be processed in specific cases. Sensitive data covers race, health, political opinions, philosophical beliefs (religious or atheist, etc.), sexual preferences or judicial past. The Privacy Law most strictly regulates registration and use of those data.

The controller may process sensitive data relating to you (except for judicial data) if:

he has the person’s consent in writing;
if it is needed to provide the person with a necessary treatment;
it is compulsory under employment law.

Controller’s data commitments

The controller has to ensure:

the good quality of the data, in other words the data has to be precise;
the confidentiality of the data. He must ensure that not just anybody can access and disclose the data;
the security of the data. He must ensure that the data is not lost or stolen. The more sensitive the data, the higher the level of security has to be;
that he does not keep the data any longer than necessary to achieve his purpose. At the end of the processing operation, he therefore has to delete the data.

Privacy control framework

Basic privacy control framework activities include setting objectives, establishing policies and procedures, and establishing monitoring and improvement mechanisms. Many organisations use control frameworks such as COSO (The Committee of Sponsoring Organisations of the Treadway Commission’s 1992 Internal Control — Integrated Framework) or its 2004 ERM (Enterprise Risk Management — Integrated Framework) enhancement.

Qualified Audit Partners’ governance risk management framework can be applied to privacy management and control:

Principle	Description
Context	The privacy culture and tone of an organisation, closely linked with its customer and social responsibility, is critical for the internal privacy risk and control environment.The internal environment includes the privacy code, implicit and explicit privacy policies, and organisational privacy culture, as established and communicated by senior management, all of which have to be aligned with applicable laws and regulations.
Strategy	Management needs to establish an organisational mission and vision from which privacy objectives and privacy policy can be derived, directly or indirectly.
Risk	Identifying potential internal and external privacy threats is mainly part of periodic and ongoing operational and information technology risk assessment. Appropriate business processes, collection limitation, data security, contingency management, and data management measures mitigate privacy related risks.
Resources	Adequate resources ensure that organisational policies, procedures, and structures, such as data security, access controls, integrity and contingency controls, privacy reviews, a privacy or security officer, are carried out.
Communication	Stakeholders are made aware of the privacy issues and actins. Relevant information needs to be expedited timely to allow effective control.
Monitoring	A data register is maintained, requests to access personal information records are evaluated, and privacy audits are conducted. Privacy metrics and reporting on issues and their mitigation are developed.

Data privacy implementation

The implementation of a data privacy approach in the organisation is based on several steps:

Data has to be inventoried and classified according its sensitivity;
The information security attributes should be applied;
Privacy practices have to be implemented within the organisation.

Data inventory and classification

The organisation’s private data is one of the most vital corporate assets A corporate classification program for privacy-protected data will assist in prioritising the data. Assigning a sensitivity level, such as secret, confidential, proprietary or public, to data assists in evaluating the appropriateness of the controls over the technology and business processes that handle it.

Information security

The CPP commission requires information security to be checked against seven security attributes:

Confidentiality: only persons having authorisation can access the information;
Integrity: the information cannot be altered intentionally or unintentionally;
Availability: the information is accessible and usable whenever an authorised person has requested it;
Accountability: there is always a trace of the author and of how the information was edited;
Non-repudiation: proof that an operation or event actually took place, meaning that it cannot be denied now or at a later time;
Authenticity: it is certain that a person really is who he claims to be;
Reliability: the characteristic of achieving the expected result.

Implementation of privacy practices

To implement and manage an effective privacy program, the organisation should clearly define its privacy policies, communicate those policies, and document the procedures and controls relating to the collection, use, retention, and disclosure of personal information to ensure compliance with laws, regulations, and the organisation’s policies. Specific criteria that are relevant, objective, complete, and measurable should be established for evaluating each of the effectiveness of these practices.

The Commission for the Protection of Privacy (CPP) proposed the introduction of 10 security measures:

Measure	Description of the security measure
Security Policy	Any organisation processing personal data should draw up a security policy giving a precise description of security strategies and protection features selected for data security, consisting of: the risk management approach of personal data; the priorities set and the mechanisms introduced, as a result of the risk assessment; a planning for the policy’s taking effect; a description of the various responsibilities and organisational rules; a description of how to manage security incidents; a description of the awareness-raising process within the organisation; the measures to keep the security system up-to-date.
Security officer	Within the organisation a security officer must be appointed, who is to be in charge of the implementation of the security policy.Reporting directly to the organisation’s management, he shall ensure that the various responsibilities with regard to security have been clearly defined and that the persons in charge of security can operate autonomously and independently.
Security organisation	The organisation must clearly define the responsibilities and the management processes regarding personal data security and properly integrate them in its general organisational structure and functioning.The organisation should ensure hat information classification procedures are elaborated, so that an inventory can be drawn up and all personal data being processed can be localised. The persons participating in the processing of personal information should to be sufficiently and constantly informed, as well as adequately trained, about their duties and responsibilities during processing operations.
Physical security	The organisation should take the necessary measures to guarantee physical security of personal data.The organisation must also provide the necessary safeguards in order to avoid the loss or accidental modification of personal data, and ensure continuity of the business activities.
Network security	The organisation must make sure that the confidentiality and integrity of personal data are guaranteed if the equipment is connected to networks while processing the data.
Access security	The organisation must ensure that personal data, according to their classification, are only accessible to persons and application programmes explicitly having the necessary authorisations.
Audit trail	The organisation should implement logging and audit trail mechanisms.
Monitoring and auditing	The organisation must assure that the technical or organisational measures have been validated and that they are regularly checked.
Incident respons	The organisation must have a security incident management plan.
Mobility	The organisation should have complete centralised documentation relating to security, which is updated on a regular basis.

Cross-Border Transfers of Personal Data

Personal data can move freely within the European Union, as long as the European Data Privacy Directive (95/46/EC) is observed. Indeed, all Member States apply the same level of protection when processing personal data.

Outside the European Union, only transfers to countries ensuring a level of protection equal to that which is offered on EU territory are authorised. The European Commission has recognised an adequate level of protection for the following countries: Switzerland, Canada, Argentina, the United States (if the recipient has accepted the “Safe Harbor Principles”), Guernesey and the Isle of Man.

If the country of final destination of the data is not included in the European Commission’s list, the controller may ensure adequate protection through a contract. This contract is binding for the individual transferring the data and for the one receiving it, and that contains sufficient safeguards with respect to data protection. In Belgium such a contract has to be authorised by Royal Decree, following the opinion of the Commission for the Protection of Privacy. To help the controller in this process, the European Commission has drawn up standard contractual clauses, which are automatically considered as sufficient safeguards for data protection.

A multinational may establish rules for the international transfer of data within its corporate group. All entities of the enterprise have to observe these rules. Binding Corporate Rules are considered as adequate safeguards for personal data protection after approval by the national data protection authorities.

Patrick Soenen | p.soenen[at]qap.eu ♦ Jean-Pierre Palante | jp.palante[at]qap.eu

IT Governance, an integral part of Corporate Governance

psoenen — Mon, 22 Mar 2010 00:31:33 +0000

Article published in the Guberna Newsletter of September 2009

Carte Blanche / Leden aan het woord

IT Governance, an integral part of Corporate Governance

Organisations rely heavily on Information Technology (IT) for the daily running of their operational business processes and for meeting their strategic objectives. IT should sustain their business development and improve their competitiveness. They are faced with the challenge of adapting to dynamic business demands while handling complex technology-related risks and controls. Moreover, significant amounts of money and resources are invested in information systems.

Why is IT governance so crucial?

Most organisations are currently facing 7 IT challenges:

Keeping IT running is the need to guarantee the continuity of IT services for business-critical services. The discontinuity of IT services may result in lost business, reduced profits, and serious damage to the organisation’s reputation.
Creating value by identifying the right IT projects and carrying them out within time and budget to deliver the expected value. In IT projects which exceed budgetary expectations or deadlines, business requirements are often poorly defined, project management is weak, and the effort required is underestimated.
Managing IT costs as carefully as the other significant business costs. Typically, costs associated with IT assets are not well understood, skilled resources are lacking and IT spending is not coordinated.
Mastering complexity by organising and managing the IT function, to ensure that applications are delivered and updated within the managed cost and deadlines. Typical issues are the management of technical infrastructures, the adaptation to changes and the management of external relationships.
Aligning with the business to ensure that IT works in partnership with the business to deliver value. The inability to set priorities and poor communication between business and IT creates a gap between what users expect and what IT provides.
Complying with the legal and contractual requirements of service providers and trading partners. Regulations that govern business operations impact IT systems. The IT function needs to be aware of legal and regulatory requirements that relate to financial reporting, privacy and security.
Ensuring information security in order to protect information adequately. Internet, external communications, the increasing misuse of information and the technical complexity all amplify the risk of information disclosure.

What is IT Governance?

IT Governance consists of the organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives. The goal is to ensure that organisation’s goals are achieved by generating added value, while balancing risk versus return over IT and its processes. IT Governance is the responsibility of the board and the management to implement the appropriate structures and processes for business involvement in IT decisions.

What IT Governance should deliver?

The 7 IT Governance principles to be considered:

The governance context implies leadership and commitment. The management puts into place clear and precise organisational structures by establishing IT’s roles and responsibilities. The management ensures that standards, policies and procedures are created, and a code of conduct is implemented.
The IT strategy defines the mission and the vision through which information systems contribute to the achievement of the enterprise strategy. Strategic alignment might imply reducing costs, supporting innovation, enhancing simplification, meeting service requirements, enabling expansion, improving business processes, etc.
The value creation is accomplished by controlling IT investments and projects. Among the numerous investment proposals, the judicious choice is based on the return on investment (ROI) and strategic contribution. The focus is placed on the projects with the highest added value. IT and the business are jointly responsible for the achievements.
Risk management protects against threats through the identification, the analysis and the treatment of the IT risks. Security entails management and user awareness, regarding their responsibilities and the possible risks. Information security, data confidentiality and asset protection are ensured, while the continuity of the business activities is guaranteed in the case of a disaster.
Resource optimisation implies efficient and effective processes and optimal resource allocation such as people, systems, infrastructure and information. The efficient and effective use of resources will be balanced against achievements.
Communication methods are put into place to provide the stakeholders with correct information at the right moment. Communication is implemented through adequate relational mechanisms, e.g., IT steering committees.
The monitoring evaluates the IT achievements through performance indicators and balanced scorecards. IT audits provide independent assessments of the IT governance implementation.

IT Governance: a major driver of business value

Governance requires a balance between the performance and conformance goals, directed and controlled by the board. Performance tends to enhance profitability, efficiency, effectiveness and to ensure business growth. Conformance involves the management of the adequate level of control for the IT risk taking approach. Implementing IT Governance is challenging, but the outcome is rewarding.

Monique Garsoux & Patrick Soenen, Qualified Audit Partners

A Global approach to Risk and Control (GRC)

psoenen — Mon, 22 Mar 2010 00:19:35 +0000

Article published in The Internal Auditor Compass of November 2009 (IIABEL)

A Global approach to Risk and Control (GRC)

• • • • • • • • • • • • • • • • • • • • •

This article proposes a Global Risk and Control (GRC) model, which moves away from a silo approach toward a holistic view of risk and control across the organisation. Organisations able to effectively align risk management, control and compliance initiatives with their strategic objectives can reduce their risks and make more valuable decisions regarding their strategy.

Corporate boards, CEOs, CFOs and other members of the senior leadership team are facing unprecedented levels of business complexity, changing geopolitical threats, new legislation and regulations, and increasing shareholder demands. Achieving maximum performance and ensuring full conformance in today’s complex environment require organisations more than ever to combine risk, control and compliance management in a unique view. The present crisis illustrates that organisations did insufficiently integrate risk management and internal control into their business management. While oversight requirements have significantly grown over the years, boards and audit committees receive repeatedly different reporting with dissimilar views on risks from their stakeholders: executive management, risk and control functions, and audit.

• • • • • • • • • • • • • • • • • • • • •

The established defence lines

A set of common control, risk and compliance activities are executed across business units and control functions, and are organised as defence lines.

The primary goal is to organise these functions within the organisation to strengthen its defence.

Within the inner circle, the staff applies the policies and the procedures issued by the management, to ensure the regularity, the security and the validity of the operations. The internal control mechanisms are an essential component of the successful direction and control of the organisation. The senior executive management should focus on creating organisational transparency by defining the mechanisms an organisation uses to ensure that its constituents follow established processes and policies.

The second line of defence is composed of those functions responsible for an area of control expertise.

Internal control is a process, performed to provide reasonable assurance regarding the achievement of objectives in the following areas:

Effectiveness of operations and efficient use of the resources;
Reliability of financial and operational reporting;
Compliance with applicable laws, regulations and internal policies.

Risk management brings a comprehensive, systematic approach for helping the organisation identify events and respond to the risks challenging its most critical objectives and related projects, initiatives, and day-to-day operating practices. Risk management deals with determining the organisation’s risk appetite, and then identifying and mitigating risks to appropriately balance the risk portfolio.Compliance is the set of practices that deals with adhering to mandated requirements such as laws, regulations, and voluntary requirements resulting from standards, policies, procedures and contractual arrangements. The legal and compliance departments play a major role to protect the organisation against the risk of non compliance.

“The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.”IIA Assurance Maps Practice Advisory 2050-2

Resilience ensures the ongoing business continuity, while security ensures the confidentiality, the integrity and the availability of the operations, the systems and the information.

Quality management has the responsibility to establish a Quality Management System (QMS) based on an operational framework, composed of processes and procedures, compliant with the ISO standards.

The third line of defence consists of audit and assurance functions, which are performed by internal audit, the external audit and the regulators. Internal audit provides reasonable assurance that the required controls to mitigate risks are effectively designed and operated. Internal audit should report to the highest level within the organisation to strengthen its objectivity and confirm its independence. A close and continuous link should be established with the Audit Committee.

• • • • • • • • • • • • • • • • • • • • •

Risk, Control and reporting fragmentation

The multiplication of the internal control actors increases complexity, creates a duplication of effort and may reduce the effectiveness of the internal control. At a given moment, the key players may be confident someone else takes care of a specific risk or control, without investing the required level of expertise to mitigate the risks. Consequently, the control, risk, and compliance activities should be coordinated.

Organisational fragmentation: As different policies, risks events, measurements are defined, the organisation ends up with different policies, duplication of effort, difficulty of predicting risk, and lack of transparency.

Information fragmentation: Local process implementation and optimisation of specific solutions further isolate information within systems, resulting in a lack of information integrity and a limited integrating view of enterprise risks.

Entity fragmentation: Policies and risks are generally defined and measured at the local level, without proper consideration of their impact on the global, multinational, national, or regional decision making levels. The interdependencies of the risks associated with the multitude of jurisdictions, countries, and markets are usually not considered.

Initiative fragmentation: The multiplication of the risk and control key players within the organisation increases the number of separate and non coordinated initiatives concerning financial reporting, security issues, information privacy, record retention, business regulations, environmental standards, occupational safety, etc.

Each player is developing analogous risk and control models customised to their specific needs and reporting axes. Organisations finally end up with several similar approaches which are delivering managing reports, providing diverse or even conflicting recommendations. Like in Babylon, management and board members get confused due to these different risk languages.

Integration does not mean unification. Integration means applying a common vocabulary, approach and infrastructure to the GRC processes. All the risk, control and assurance functions are updating a common information system, the GRC repository, while keeping their unique contribution. The GRC repository is key for a coordinated and holistic risk and control management and reporting.

• • • • • • • • • • • • • • • • • • • • •

The integrated GRC model as a solution

GRC is a system of people, processes and technology that enables an organisation to:

Understand and prioritise stakeholder expectations;
Set business objectives congruent with the risks;
Operate within internal, social, ethical, legal and contractual boundaries;
Provide relevant, reliable, transparent and timely information to the stakeholders;
Enable the measurement of the performance and the conformance of the organisation.

The GRC model consists of several interrelated components:

The model starts with the identification and the description of the business universe. The organisation’s main products and services, customer groups and distribution channels are defined. The major business processes representing the core value-chain processes and the support processes are represented. And finally the strategic objectives are established.
The foundation of the GRC model is based on risk and controls categories also called assurance map. It lists universally accepted risks and controls which serve as the base for the establishment of the organisation’s risks and controls. Risks categories are those universally accepted risks which are critical to the organisation’s business objectives. For these risks, impact and likelihood are estimated. The universally accepted controls used to mitigate the risk categories are defined as controls categories.

Risk management identifies, analyses, evaluates and mitigates risk by applying the risk categories to the business universe. Risk and control self-assessment may be performed at management level to identify the key risks. An event database keeps track of all risk events which have occurred within the organisation. The monitoring and the review of the risk management generate improvement action which is integrated into the action plan.
Internal control management applies the control categories to the specific business processes to manage the above identified process risks. Adequate control activities are designed and implemented. The assessment of the design and operational effectiveness of these implemented controls results in corrective and improvement action, which is also integrated into the global action plan.
The audit department uses the risk and control categories to build up the audit plan. The different audit assignments will independently assess the adequacy and the effectiveness of the implemented controls to mitigate the identified risks. An audit opinion will be rendered and recommendations are formulated. The accepted action is included in the global action plan.

Subsequently, the GRC action plan contains the whole action set which corrects and enhances the global risk and control management within the organisation. Appropriate action selection, prioritisation and follow-up are required to ensure that the action contributing most to the improvement of the control and risk environment is executed first.

• • • • • • • • • • • • • • • • • • • • •

Implementing the GRC model

A set of requirements condition the successful implementation of the GRC model:

Support of the top management, which is directly interested by the benefits of a global risk and control approach;

Cooperation between the different management, control, risk and audit functions within the organisation;

A definition of the business universe consisting of the strategic objectives, the business products/services definition, and the description of the enterprise business model in terms of core and support processes;

A stepwise implementation ensuring a phased roll out of the model;

Adequate project management to attain the defined goals.

“The board will use multiple sources to gain reliable assurance. Assurance from management is fundamental and should be complemented by the provision of objective assurance from internal audit and other third parties”IIA Assurance Maps Practice Advisory 2050-2

• • • • • • • • • • • • • • • • • • • • •

Key roles and accountabilities

The board has the oversight of the GRC system and should

Set business objectives and ensure they are congruent with values and risks;
Be knowledgeable about the design and the operation of the GRC model;
Obtain regular assurance the system is effective;

The management must undertake the implementation and the follow-up of the GRC system.

Design, implement and operate an efficient GRC system;
Communicate transparently with stakeholders about the GRC’s efficiency;
Evaluate and optimise the effectiveness and the efficiency of the GRC system.

Audit should provide assurance to the board and the management that

Risks are appropriately identified, evaluated, managed and monitored;
The GRC system is effectively designed to mitigate risks;
The GRC system is operating effectively.
The other risk and assurance providers are functioning effectively.

As a best practice, a GRC steering committee is set up to manage the GRC global structure and to coordinate the different key players.

• • • • • • • • • • • • • • • • • • • • •

Impact of the GRC model

The Global Risk and Control approach impacts the organisation and implies good coordination through:

The integration of the GRC disciplines which act as a backbone for the management of enterprise risks and controls;
The integration of the GRC activities ensuring common action to achieve the strategic objectives;
The GRC integration with the business, by aligning the risk and control activities on common business processes;
The distribution of adequate GRC information to all levels of the organisation;
The adjustment of the mechanism to the exposed risks, the costs of the controls and the size of the organisation.

“Organizations will benefit from a streamlined approach, which ensures the information is available to management about the risks they face and how the risks are being addressed. The mapping is done across the organization to understand where the overall risk and assurance roles and accountabilities reside. The aim is to ensure that there is a comprehensive risk and assurance process with no duplicated effort or potential gaps”.IIA Assurance Maps Practice Advisory 2050-2

• • • • • • • • • • • • • • • • • • • • •

Benefits of the GRC model

GRC brings multiple benefits to the organisation:

Reducing costs as redundant activities are streamlined;
Reducing the impact of risk events due to the global risk and control approach;
More effective improvement action through an integrated and coordinated risk and control action plan;

Optimising competencies and scarce resources;

Increased quality of risk based information for strategic planning;

Enhanced board and management trust resulting from an integrated oversight and reporting on risks and controls, increasing stakeholder’s confidence.

Monique Garsoux & Patrick Soenen, Qualified Audit Partners

The implementation of agile management in organisations

psoenen — Mon, 22 Mar 2010 00:14:37 +0000

The success of an agile organisation is its ability to develop methods and structures through which organisations can adapt quickly to changed environmental circumstances. Agile methods, developed at the point of departure in the IT sector, become widespread in the service sector, health and engineering.

The implementation of agile management in organisations

We live in a world in constant change. New technologies, new client expectations, environmental changes are constantly disrupting the requirements on products and services. In traditional project management, a project is identified, evaluated, divided into tasks and precisely planned. Then it is realised by executing the tasks sequentially. But when results are available, the requirements may have changed considerably. How to manage projects effectively in such an environment?

Over the past decade, agile methods have completely changed the technical software development. But the project management methods, which remained very traditional, aren’t any more adapted to these very agile development techniques. Agile management both at executive and at project level provides innovative and new solutions. The agile principles were already applied in the famous Deming PDCA circle where at each iteration, action is planned and executed, the results are checked and the approach is adjusted.

The benefits

The success of an agile organisation lies in its ability to develop methods and structures through which the organisation can adapt quickly to changed environmental circumstances. Agility is different from agitation, the hustle, and requires a very strict methodology, far away from the chaotic image that is sometimes linked to the concept of agility.

The agile management methods were originally developed in the computer industry in parallel with agile programming methods. Today they tend to spread in the field of services and affect even areas traditionally hostile to this type of approach, such as engineering. This sector is indeed under pressure from its customers, who want to adapt their projects underway, with the changing economic and financial context. This impacts even the industrial and energy infrastructure, enforcing a cultural revolution to the engineering teams to adjust projects with dynamic boundaries.

Even the health sector is interested in the agile approach, as both financial and socio-economic conditions change very quickly. The numerous mergers of hospital institutions, the crisis of public finances, the aging population, the computerisation of patient records and the e-health developments are all events that have compelled the non-profit sector to adapt to rapidly evolving situations, requiring new management approaches.

The principles of agile management

Agile management structures the interactions between the main operational components of an organisation: human resources, processes and technology systems. An agile organisation is functionally operational when its components interact to capture and integrate change.

The agile organisation is based on 3 vectors:

The rational motivation of human resources brings the collective intelligence that maximises the human potential. The proactive involvement of human resources promotes systematic improvement. Skills, attitude and mindset are the most important factors in agility.
The formalised control of continuous process improvement allows optimisation of resources used. Continuous process optimisation projects represent powerful means to obtain competitive advantages at the best price.
The optimal use of new technologies allows economical mass customisation of products and services and reduces time to market. An agile information system is characterised by its ability to provide optimum response to changes in the organisation.

The agile management therefore incorporates the concept of “lean management” which seeks to maximise efficiency through the elimination of waste by removing processes that add no value. Agile management implies process control and a search for continuous process improvement (through Business Process Management – BPM). It also requires optimal use of new information and communication technologies (ICTs). However, only the combination of these three dimensions enables agility.

Today, a successful company is “service oriented”. And its tools are performance and quality of its processes. To be agile, the company must simultaneously master the dynamic evolution of human resources, business processes and information system.

The characteristics of the agile management compared to traditional management

In the traditional approach, the ultimate goal is translated early in a scope, a planning and (financial, human and technical) resources. In the agile management, the emphasis is on achieving goals, broken down into sub goals of affordable size per iteration. Over the iterations, the scope becomes dynamic.

The traditional planning involves initially considerable preparation with subsequent minor updates throughout the project. Agile planning is divided into multiple levels ranging from a high-level planning (macro-planning) up to detailed planning, established at the beginning of each iteration. The initial planning should be flexible to allow changes in customer demand throughout the project.

While the traditional approach breaks down the project by cascading a series of sequential tasks, the achievement in agile is iterative and incremental, making sure to deliver a tangible result to the client at each iteration.

The management role is in coaching teams to remove barriers to advancement. Decision making is decentralised to the teams. The roles and responsibilities aren’t based any more on titles and functions, but organised according to the expertise of the people.

Work organisation is decentralised and focused on results and on a watch of the constantly changing market environment. Confidence in the team, composed of individuals mastering the processes, improves the efficiency and effectiveness of the work performed.

Traditional risk management is descriptive, identifying the starting point of the potential risks along with mitigation actions. In the agile approach, risk management is based on experimentation. Learning takes place over the iterations. And within the iterations, the impact of failures is limited.

The agile methodology in project management

The diagram below shows the methodology applied to agile project management.

The agile methodology is broken down into 5 steps

In the “Version Scope” phase, the requirements are identified. Even if the scope can evolve throughout the project, the scope is clearly defined at the start. The project terms of reference detail the project costs and benefits, taking into account the implications of identified risks. This first step is important for the specification of the requirements and for setting priorities.
Based on the initial plan and the achievements from the previous iterations, the cycle plan describes activities for the next iteration accurately and in detail. Each new iteration begins with a planning stage.
The Build cycle is realised in an iterative way, making sure that each iteration delivers a concrete and usable result for the user.
The Client checkpoint includes a quality review at the end of each iteration. The work done during the iteration is validated.
The Post-Version review generates feedback resulting into improvement plans. The effective realisation of initial expectations is evaluated.

The criteria

Agile management is based on 7 criteria:

sharing the goal by emphasising cooperation at all company levels;
a cooperative decision making process;
leadership, combined with a collaborative work team;
performance assessmen, ensuring control is replaced by result measurements and individual performance by group performance;
adaptive resources depending on the context and the environment;
value creation in order to innovate for greater customer satisfaction;
stimulation of horizontal and vertical cooperation between departments, individuals and disciplines.

The implementation at the management level

The agile approach covers the main operational components of the company, i.e. human resources, process and technology. To avoid to destabilise the organisation, agility must be implemented in steps and in a iterative manner.

The first step is to readjust the organisation by establishing the roles and responsibilities across the organisation. Afterwards, human resources skills are adjusted in relation to this new organisational structure. During the next step, the processes are formalised and improved. Finally, the introduction of new technologies allows the process optimisation. And the changes made require a new realignment of the organisation, thus launching a new iteration.

An agile approach to dashboards

The agile approach is perfectly suited to scorecard methodologies (Balanced Scorecards), which like agile management methods put the focus on performance. To achieve the financial and collective performance and satisfy customers or users, organisations must optimise their resources and their internal processes. The learning and growth perspective incorporates the concept of the learning organisation and the collective intelligence.

Jean-Pierre Palante | jp.palante[at]qap.eu ♦ Patrick Soenen | p.soenen[at]qap.eu