Presentation is loading. Please wait.

Presentation is loading. Please wait.

ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc. Presentation to NC State University College of Management:

Similar presentations

Presentation on theme: "ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc. Presentation to NC State University College of Management:"— Presentation transcript:

1 ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc. Presentation to NC State University College of Management: Enterprise Risk Management Round table November 18, 2005

2 © Copyright Entrust, Inc. 2005CONFIDENTIAL2 Enterprise Risk Management “An Information Security CFO’s point of view” Introduction Small Company response to SOX 404 Information Security Risks

3 © Copyright Entrust, Inc. 2005CONFIDENTIAL3 David Wagner, CFO Entrust, Inc. BS Accounting, Pennsylvania State University MBA, Finance, Pennsylvania State University Raytheon Corporation - 1986-1991 Nortel Networks - 1991-1995 Entrust Inc., Controller - 1995-2003 Entrust Inc., CFO - 2003- present

4 © Copyright Entrust, Inc. 2005CONFIDENTIAL4 We are Security Specialists… Headquartered in Dallas (offices in Ottawa, Washington DC, London, Germany, China & Japan) #12 of 600+ security software companies, with approx. $100M in annual revenues Industry pioneer and leader, with approximately 500 employees, market leading products and over 100 patents Best in class service and support, and integration for leading technology vendors Strong financial position - $83M of cash- no debt.

5 © Copyright Entrust, Inc. 2005CONFIDENTIAL5 Known by the Customers We Keep More than 1450 enterprises and global governments worldwide in over 50 countries have licensed Entrust’s products Entrust has prominence with industry leaders around the globe: – 8 of the top 10 Global Telecom companies – 7 of the top 10 Global Pharmaceutical companies – 8 of the top 10 Global Aerospace and Defense Companies – 7 of the top 10 Global Commercial Savings Banks – 4 of the top 5 Global Petroleum Companies

6 © Copyright Entrust, Inc. 2005CONFIDENTIAL6 Enterprise Risk Management “An Information Security CFO’s point of view” Introduction Small Company response to SOX 404 Information Security Risks

7 © Copyright Entrust, Inc. 2005CONFIDENTIAL7 Sox 404 at Entrust 1) Approach – A case study 2) Lessons learned about Sox 404 3) Lesson learned about Enterprise Risk

8 © Copyright Entrust, Inc. 2005CONFIDENTIAL8 Approach – Accounts & Processes Per PCAOB and COSO guidance; Risk assessment – Team identified – Significant accounts identified –Materiality –Inherent Risk – Significant processes identified –Control risk – Intersection point of all above: ‘The Matrix’ – Set priority to attack processes

9 © Copyright Entrust, Inc. 2005CONFIDENTIAL9 The 404 Team LuckyGood - Project Manager on staff - Strong Accounting staff (5 CA of 9 staff in 1997) - Strong CIO with Governance Bias - Good process culture, executive support - Audit Committee support ----------------- Testing of all key controls Attestation Documentation/Peer Reviews/Testing of low risk accounts & processes.

10 © Copyright Entrust, Inc. 2005CONFIDENTIAL10 Management Assertion What could go wrong? What are the key controls?

11 © Copyright Entrust, Inc. 2005CONFIDENTIAL11 Approach – Initial Findings Controls Operating and Effective but not documented – Example: Finance Balance Sheet Review meetings. Second Level reviews and sign-offs – Example: Payroll Canada; one person enters, submits, processes and reconciles. Added second level review of key reports and authorization of any ‘one-off’ payments.

12 © Copyright Entrust, Inc. 2005CONFIDENTIAL12 Approach – Risk & Controls Repository Use of existing portal - Entrust get Access - Lotus Domino Database

13 © Copyright Entrust, Inc. 2005CONFIDENTIAL13 April July September Project Management - Status

14 © Copyright Entrust, Inc. 2005CONFIDENTIAL14 Timeline - September

15 © Copyright Entrust, Inc. 2005CONFIDENTIAL15 Internal Testing Results: Individual Controls (December) Total 116 individual controls identified to test – Green : Testing completed & passed – Yellow : Testing in progress, item to be reviewed at year end, or in Remediation. – Red : Testing resulting in significant issue, or further testing not yet resolved THEN : NOW

16 © Copyright Entrust, Inc. 2005CONFIDENTIAL16 Approach – IT General Controls Information Security Governance Process – Risk assessment by business unit based on ISO17799 – Very little guidance existed for SOX IT issues before July 2004 – Compliance requirements for SOX and other legislation (SB1386, PIPEDA) incorporated in framework and process – Unacceptable risks result in action item (SOX compliance example would include missing documentation of key control is considered risk) – Focus on Finance data and application: Confidentiality Integrity Availability – Mapping of ‘COBIT for SOX’ items back to framework to ensure coverage

17 © Copyright Entrust, Inc. 2005CONFIDENTIAL17 Entrust 404 Project Summary 42 Accounts and 66 processes identified 41 Key processes documented 116 key controls identified & tested in Finance 92 IT general controls supporting 2 Key applications Entrust 404 Project Cost ~ 20% of 2004 Finance & Accounting staff hours, plus one full-time project manager ~ 30% of 2004 IS/IT resources + 55% additional fees for external testing (not auditor) + 101% additional audit fees to external auditor Entrust 404 Project Scope

18 © Copyright Entrust, Inc. 2005CONFIDENTIAL18 2 Questions on 404 1) Was it worth what paid for? No!$2.5 million - 2.5% of Revenue 2) Did you get anything worthwhile from 404? Yes! - Risk Based Review of the organizations; - Internal controls and processes documented - Internal control processes permeated throug the organization - Operations - HR - Legal - IT - Strengthened Ownership of Internal Controls

19 © Copyright Entrust, Inc. 2005CONFIDENTIAL19 Lessons Learned Risk based - focus on significant accounts and processes, and then - key controls within those accounts and processes. Complete documentation internally Do not get caught up in a software implementation, but tools are important. Establishing a common framework is fundamental - Information Security Governance - Risk Based Assessment and mitigating controls Intellectual Property Processes Information Systems and Controls are fundamental

20 © Copyright Entrust, Inc. 2005CONFIDENTIAL20 Going Forward – 2005 and Beyond  Maintain documentation as you go.  Build control documentation into everyday processes.  Continuous monitoring and project management.  Objective to reduce costs 50% - Moved 60% of 3 rd party testing in-house - Continue to work with external auditor to alternatives to traditional working paper documentation  On-going risk based focus.

21 © Copyright Entrust, Inc. 2005CONFIDENTIAL21 Enterprise Risk Management “An Information Security CFO’s point of view” Introduction Small Company response to SOX 404 Information Security Risks

22 © Copyright Entrust, Inc. 2005CONFIDENTIAL22 Business compliance realities: Access to Services & Information Customers Streamlined Business Processes Suppliers Employees Improved Productivity & Self-Service Corporate Compliance Regulatory Compliance Enterprises & Governments are Extending Outside Increased Legislation Compliance Anxiety

23 © Copyright Entrust, Inc. 2005CONFIDENTIAL23 Governance & RegulationExtended Enterprise & Govt. HIPAA GLBA SEC Regulations BASEL II Sarbanes-Oxley EU Data Protection Act California SB 1386 FISMA PIPEDA Employees SuppliersCustomers Enterprise-wide policies required: Policy & Access Management Shift from Compliance to Risk

24 © Copyright Entrust, Inc. 2005CONFIDENTIAL24 Not cyber terrorism, but cyber crime Intent is to steal personal information for monetary gain Diverse targets across different regions and sectors –Retailers (DSW, BJ Wholesaler’s) –Data brokers (Choice Point, LexisNexis) –Universities (USC, Duke, Purdue, Tufts) –Banks (BOA, Citibank, Wachovia) –Corporations (Motorola, Time Warner, SAIC) –Healthcare (Kaiser, San Jose Medical Group) Identity Theft

25 © Copyright Entrust, Inc. 2005CONFIDENTIAL25 Customer Implications Cost of incident –A Gartner study found the average identity breach costs a consumer $1,500. End User Loyalty and Preferences –A Nationwide Mutual Ins. study found that it takes approximately 81 hours for a consumer to repair the damage caused by identity theft Business Relationships –Visa severed business relationship with CardSystems Solutions, Inc. Drop in Stock Price –Firms that have a security breach involving credit card information suffered a stock market loss of 9.3 % the first day, increasing to 14.9% over three days. Stagnant Market Growth –Online banking stagnant at 39% of Americans over past 12 months Brand Impact

26 © Copyright Entrust, Inc. 2005CONFIDENTIAL26 Online Identity Fraud Driving Industry Mandates Financial Institutions will be expected to achieve compliance… no later than year-end 2006 The guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers… 18% of all respondents stopped or decreased online banking in last 12 months!

27 © Copyright Entrust, Inc. 2005CONFIDENTIAL27 Information Security Governance Info Security has become a fundamental business issue at the CEO and Board level Balance IT investments with business risk decisions and put into a framework for implementation Outlines accountability at various management levels, plus core elements of an information security program Recognized the need to treat info security as a continuous improvement process Corporate Governance Task Force – Apr. 2004

28 © Copyright Entrust, Inc. 2005CONFIDENTIAL28 Why Enterprise Risk Management? Information security –Headlines confirm failures produce real business impact Regulatory compliance –Inconsistent “best” practices being self-imposed Enterprise risk management –Help position audit findings and legal liabilities Search for the Holy Grail –A single framework to provide focus and efficiency

29 © Copyright Entrust, Inc. 2005CONFIDENTIAL29 ISG – Keys to Successful Deployment Identify key systems (NIST SP800-18) Simple subjective risk assessment (OMB A-130 App. III) Risk expressed in words (threat, vulnerability, impact) Red - Yellow - Green ranking (FIPS-PUB 199) Iterative process, progressive detail (GAO/AIMD 00-33) Transparent process with summary reporting (GAO/AIMD 98-68)

30 © Copyright Entrust, Inc. 2005CONFIDENTIAL30 One Way Forward One-hour sessions quarterly with managers to review: –Ask them what they think the risks are –Assessment of controls/residual risk per ISO17799 element –Use the session to raise awareness of threats and risks –Follow-up with groups they defer to (IT, Legal, HR) Consolidate view across the organization –Feedback to managers where they stand relative to others –Share results up the management chain, request feedback Let the managers do the assessment –If you can't convince them it's a risk, they won't deal with it –They can put it into business terms better than you can Executive Sponsorship is NOT required –They are accountable, work with it

31 © Copyright Entrust, Inc. 2005CONFIDENTIAL31 How did ISG help our compliance efforts? almost immediate reduction in D&O insurance framework for internal control assessment –processes and responsibilities were already defined –it was not a separate compliance effort – SOX control assessment fit into it provided laser focus on the compliance issues –covered all audit topics at heart of major regulations –still little guidance, poor audit standards, multiple regulations to check –ISG provided us with the list of concerned areas with very little excess contained our audit fees –we experienced over 100% increase, and they called us “best in class” –knowing our business risks made it easy to focus on our risks & our systems, not simply “best practices”

32 © Copyright Entrust, Inc. 2005CONFIDENTIAL32 Conclusions SoX 404 Impacts –changed Corporate Governance permanently –need to improve cost benefit through risk-based assessment Enterprise Risk is increasingly important –Provides a common framework for evaluating non-ROI projects –Executive Officers are accountable Information Security issues moving to Risk Management –Enterprises are increasingly based on information –Higher value assets are intangible; related business risk increasing –Inherent conflict between ROI focused CIOs and Information risk mitigation Continuous Improvement – Quality Model

Download ppt "ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc. Presentation to NC State University College of Management:"

Similar presentations

Ads by Google