Posts

RoseRyan VP Pat Voll recently weighed in on a recent CFO.com debate that posed the question “Is your data more secure in a data center or in the cloud?” CFO published her bylined article alongside other data-security experts in one of its monthly Square-Off virtual panels. Pat’s take: Companies need to focus on the “who” rather than the “what” when looking at where they store their information. See below for an excerpt of Pat’s article:

Ultimately, you are responsible for the protection and security of your data, regardless of where it is stored. Where your data is safest depends on your company’s own internal processes, infrastructure, controls, training, and discipline, and those of your cloud provider.

Consider this fact: The most common reason companies suffer from a data breach is because of an employee error. In a recent survey by the Association of Corporate Counsel, 24% of in-house lawyers blamed employee error for a breach at their company. That’s higher than phishing attacks (12%), third-party access (12%) and lost devices (9%).

A mishap by an employee could happen no matter where the data resides—on-premises or in the cloud. To tamp down the risk, it is essential that companies take a hard look at their internal processes, including periodic training for all employees and robust on-going monitoring of controls, to ensure policies and procedures are being followed.

CFOs can’t pass off the responsibility for data security to the IT department and hope it’s getting done. Similarly, you can’t assume the vendor has adequate controls and procedures in place. It’s not only the right thing to do—it’s increasingly becoming an expectation.

To read the article in its entirety, go here.

It is easy to see why, after Sarbanes-Oxley became law in the early 2000s and internal-control testers and reviewers became sought-after professionals, that the demand for their talents sometimes went to their heads. From being the mostly ignored internal audit department to becoming the highly noticed glamour boys and girls of their own movie called Corporate America, their first instinct was, “The power is with us and let us start policing.” I admit that happened to me, but only for a minute.

Two things happened to make me quickly snap out of it. First was a reflective process where I decided that I did not want to make a career out of solely pointing out errors that other people made — that would be too much negativity day in and day out. Then, during a chance encounter after hours with a corporate controller, she blurted out, “You know the best thing about having you on our team is that I feel more secure when I go home every night, that things are working optimally and the world will not fall apart tomorrow morning.” Viola! The statement was made by her, but the big impact was on me. In her mind, I was collaborating with her and giving her peace of mind, but in my mind, I had seen myself as the cop. I preferred her outlook and embraced it.

From that moment on, finding SOX errors became secondary to my working as a thoughtful partner who uncovers positive opportunities in the organizations I work with. Consider these real-life examples from my experiences:

  • SOX became a revenue generator when testers helped a disc drive maker realize that it had been needlessly throwing away material that was actually quite valuable. The finding began with a control test that read, “Excess inventory is classified as scrap and authorized.” Looking for authorization controls, the SOX testers wondered why the excess material from the precious metal (the inventory) used to make the disc drives was not worth anything. It was just thrown away. A group of employees, who had previously been ignored on this issue, revealed that the metal could be recycled at a fraction of the cost of discarding it, to actually make new disc drives and add new revenue to the bottom line. An outside perspective, through a SOX exercise, brought this opportunity to the forefront.
  • A company that took a conservative approach to its SOX control for the cycle counts of inventory had a monthly reconciliation process. The cautious way of doing things had an upside when management looked at the results of the reconciliation and decided to streamline the entire inventory management and supply chain process, which saved millions in costs and contributed to the closing process getting cut down by a week.
  • A retail giant was planning to implement a new system in the supply chain area and wanted to consider SOX upfront to ensure that prior to going live, the new system would pass all the relevant IT general computer controls (including user and developer access, termination, passwords and change management). This was a first for the retailer, which didn’t usually take SOX into account in the early stages of a new system. The proactive effort saved it time and money. The SOX readiness testing led to the operations side working more closely with the IT side, granting early buy-in, creating better communication between the two groups, and leading to an overall more efficient supply chain process. The net impact was a savings of $3 million, and the project went live and operational three months ahead of schedule.
  • The reach of SOX sometimes spills over to IT security and PCI compliance (the data security standard used by the payment card industry). This was evident in a retailer that was planning to break away from its publicly listed parent and go public on its own. As the team I was working with was putting the SOX controls in the various areas, we realized that although it did not having a direct impact on the company’s SOX compliance, the IT security systems did not rein in customers’ credit card information as much as it should. While this security gap sounds like a huge hole in today’s privacy-conscious environment, this finding was made back in 2007. Even then the very prudent upper management team, including the CEO and CFO, saw the need to plug the gap; they had the foresight to put in place strong IT security measures and encryption technology and prevent their customers’ credit card information from getting plastered on Times Square. If only all the retailers had followed suit! This company was not just ahead of the game in IT security; it also met PCI compliance, thanks to the initial recommendations that turned up during the SOX work.

The above is only a short list of the process improvements I have seen firsthand during my time working heavily in SOX. The point is that, if the only cap I had worn while going about my SOX testing was that of a policeman, I would never have seen past the brim to play a part in those process improvements. These are examples of positive changes from SOX that revealed new revenue opportunities or saved money. And, on a personal level, they have reinforced my profile as a “trusted partner” even in the eyes of the people being subject to SOX controls. This, as any SOX tester will testify these days, is the ultimate goal. Any feeling of being a SOX cop is long gone. All it took was a slight change in mindset and approach.

Vivek Kumar is a member of the RoseRyan dream team. He has been working in SOX since the time it became law and from both sides, in-house and as an external consultant. When not doing SOX, Vivek keeps himself busy playing tennis and making feature films, the first of which hits theaters this summer.

Keeping track of a zillion passwords and user IDs is a fact of working life, made even more complicated by all the devices we use. Because I work with different clients it’s even harder, because that almost always requires using a lot of secure applications. When I started with my current client, I received a three-page Excel spreadsheet of applications I needed logins for. I tried to make the user IDs and passwords easy to remember, but there were just too many—and each application required different user ID and password conventions. It wasn’t efficient (or particularly safe) to enter login information on the spreadsheet and keep it current and portable—I work on the client’s computer as well as a laptop, and the last thing I need was another password to secure the spreadsheet.

Most of us have probably used sticky notes—in our wallet, taped to a computer or pasted into a notebook—or virtual stickies littering our desktop or smart phone. And we all know that isn’t secure. This problem has even been in the news; one recent story is NPR’s “Prevent Your Password From Becoming Easy Pickings (Or PyPfbEp).”

I solved my problem with two simple solutions.

The first is a password manager or password wallet. These cloud-based apps store login information for all sites or applications and are accessible with one master password. Log in to the wallet app and it does the rest, bringing up the application login screen and autofilling the fields. It increases security, saves time and is easy to use. It’s also portable—because the app is cloud-based, one license covers all your devices, including cell phones.

These apps have been around for several years. There are many to choose from—check out this comparison from TopTenReviews. I use RoboForms: it’s simple and inexpensive at $9.95, and it works on all my devices.

The second solution is choosing a strong master password for my wallet app that I can remember. (Amazingly, the most commonly used password is “123456.” Avoid it.) Experts also say to avoid using actual words and birth dates, among other things. They suggest using the first letters and numbers of a phrase that you will remember. For instance, for “My #2 son’s middle name is Alex” the password would be M#2smniA.

I’m not that technically savvy, and I installed my password wallet in less than 10 minutes. It saves me a lot of time and frustration, plus saving a lot of sticky notes!