Risk, Security & Compliance Assessments
The RSCA approach is used to evaluate the current state of Security and Compliance activities for SOx remediation within a business. RSCA is a three-step methodology designed to manage and provide oversight for business risk and compliance. But keep in mind that neither SOx nor RSCA are designed to eliminate all risk. They are designed to ensure risks are known and either corrected or accepted.
To that end, RSCA addresses your companies governance through:
- Planning and Data Collection
- Risk and Security Assessment
- Tracking and Reporting
These steps have been implemented at many large corporations facing large remediation initiatives. But it’s a method that can be easily scaled to any size business. These steps help to ensure both your business and IT processes are being adhered to, identifies gaps or risks that need to be resolved, tracks those resolution efforts and provides a method of reporting through each chain of command necessary for Governance, Risk Management and Compliance (GRC) Assessments.
See my IT Governance section for more information about IT Audit, and Governance, Risk Management & Compliance (GRC) and Risk, Security & Compliance Assessments (RSCA).
The Key To RSCA
Initial SOx assessments and management engagement at all levels sets off the process and keeps the emphasis on its importance for departments. Without the backing of upper management and their participation throughout the entire process, the lower level managers will not put the priority on these steps necessary to make RSCA and your company’s governance initiatives successful.
When I was at Freddie Mac, the importance of this process, attestations and remediation were described like this to the IT Division.
Manager and Officer Attestations are contracts between you and the Corporation. You will be held accountable for what they say and how risks are resolved. If an issue occurs as the result of an undocumented or unaccepted risk, your employment at the company is on the line. In many cases, remediation issues are not designated in the department’s budget. That doesn’t mean they don’t get resolved until the money is designated. If you have projects with deadlines and an issue of remediation, contract staff can be acquired to resolve those issues. However, in some cases, salaried department staff maybe required to work overtime, under the requirement of “other duties as assigned” until identified issues and risks are resolved.
RSCA is a methodology that engages all managers, from those at the lower level who maybe responsible for the remediation of issues, to the senior officers who are accountable for signing the companies attestations. That engagement means senior managers have to help lower managers with the resources to get things done. That could be anything from adding staff and funding, to delaying other project deadlines in order for remediation issues to be addressed. But it also means some of those salaried staff members will be putting in extra hours to address issues within RSCA that must be corrected in addition to regular every day work.
These efforts up front to correct issues will save both time and money in the long run. Don’t be afraid to bite the bullet today and get it done. You might need to spend a little up front, to save a lot over a long period of time. What’s more important, you might resolve issues that put your company and your business at risk for security breaches that can take down your entire business. Think of RSCA as an investment in your future.
Planning and Data Collection
RSCA begins with identifying processes and procedures that are captured through the creation of Process Narratives. An audit of these narratives is then performed by an internal audit person or group within your organization. This preliminary audit takes place before any external audit is performed at your company. This provides everyone within the company the opportunity to make adjustments to your processes, resolve issues and clean house as needed before the “real” audit begins. But again, remember this isn’t about removing all risk. It’s about tightening security, and being aware of any real world issues that may exist, but is an accepted risk of doing business for your company.
Issues that have been discovered can range from a high level gap analysis issues, to detailed findings that fail to meet best practice standards and security requirements. These are defined as Remediation Findings, Items, Issues or Assessments. I prefer to call them Findings as they’re not assessments to me until they’re reviewed in the Risk and Security Analysis.
Risk and Security Analysis
Findings are presented to the teams responsible for the process. Each finding is reviewed and analyzed to determine the level of risk to the business, and its IT systems. This process may determine that there’s a good underlying reason for the finding and instead of being an issue to be resolved, it’s an exception that needs to be documented so management can determine if they’re willing to take the risk of the anomaly.
Findings that need to be resolved and corrected are broken down into action plans that can be scheduled, tracked and reported on. Each action plan is identified as critical or non-critical, major or minor effort, short-range fix, or long-range resolution. The action plans are also identified as high, medium or low risk to the security of corporate financials. These action plans within an umbrella Finding, can include resolutions from a technical security or business security perspective.
Tracking and Reporting
Findings and their action plans are recorded so everyone knows what needs to be done, who is responsible for it, what the risk, priority, range, effort and final resolution date are for the effort. The information is consolidated into an executive summary report that is reviewed with management on a monthly basis. The review identifies status of the plan, issues that may have arisen and discussion of current risk; either unchanged, improved or critical.
RSCA Reporting is essential to tracking and managing efforts for remediation. But these efforts mean little if senior managers are not involved, backing or pushing remediation efforts. Let’s face it, project teams have not planned for audit findings. They’ve planned and schedule for working on projects that support the business. Adding efforts for compliance remediation add cost to the teams and departments, as well as, take away employee resources from other efforts they’ve been charged to work on. Management must understand how these efforts are impacting every day business activities. And they can’t get upset when an application plan is being effected by an effort to resolve a high risk RSCA Finding. All levels of management must be involved and engaged in the RSCA process for open communication and understanding of the tasks at hand and the projects impacted by any remediation efforts.
Each month RSCA Management Review meetings begin to gather updates from teams. These updates are summarized by the RSCA oversight group and rolled up into Divisional reports that are discussed between divisions. Update information from those meetings are then recorded and rolled up into RSCA Executive Summaries that are presented to the CEO, CFO and CTO as well as the corporations board of directors.
These reports can then be attached to Compliance Attestations to document efforts for Corporate GRC initiatives. Or they can merely be informational tools providing a comprehensive report to the senior officers and the Board of Directors about the current status of GRC at the company.
Resources
There are many tools on the market that assist with the identification, tracking and reporting of RSCA items. Corporations who have a large assessment package to manage should probably review these products and consider one for their organizations.
Small Businesses can probably find small desktop packages that help accomplish the same thing at a much lower cost. Look around and see what’s available. There’s something new coming out to manage compliance each year and you might find something to help make your efforts much easier.
But if you can’t afford extra expenses for IT tools, you can track information through a spreadsheet. It’s not as easy to create reports. But at least it’s better than nothing.
You should also review:
- RSCA Process – Procedure Document
- RSCA Tracking – Tracking The Details
© 1997-2019 Springwolf, D.D., Ph.D., Springwolf’s Creations. All Rights Reserved.