In light of the onslaught of major security breaches at the world's largest organizations over the last few years, businesses of all sizes and scope are being forced to look at the internal controls of their business partners in a new way. It is no longer a matter of "if" an organization may be compromised; the more realistic view is that when it is compromised, what does that mean to the business and its partners? While managing and containing risk is an obvious objective of internal controls, the real business driver is the continued ability to operate and deliver products or business services. Those products and services are the lifeblood of the organization, and its ability to thrive, grow and sustain operations is on the line.
The use of service providers and third-party vendors is the norm for most organizations today, as the business landscape is more interconnected than at any other time in history. Small businesses in middle America now leverage providers in Europe and Asia on a daily basis. Breaches of systems and private data are only part of the problem: fraud has also risen to new highs, not to mention the risk of unauthorized disclosure of intellectual property.
There are a number of business-related benefits to outsourcing or using third-party vendors; however, the risks for user entity organizations are greater today than ever before. I've personally witnessed a significant rise in user entity organizations requiring more comprehensive disclosure and validation of their service providers' internal controls. In fact, I have cited visibility of third-party risks in my trends article, as I personally see this as one of the greatest risks to organizations today. Service organizations are being tasked with a growing wave of requests for reverse audits and reviews of their internal controls and associated processes. This is one reason why more organizations are adopting universal frameworks such as ISO 27001 for their information security programs and SSAE No. 16 for their internal controls as they relate to business partners. ISO 27001 and SSAE 16 can be leveraged as a single authoritative framework if designed by knowledgeable subject matter experts.
Today's service organizations must:
- provide evidence that relevant risks are addressed in the presence of prevailing threats and vulnerabilities.
- have a formal risk assessment process for identifying and reducing risks in their environment or the scope of the system.
- employ a full-lifecycle approach, from risk identification through treatment of risks.
- employ a process for monitoring controls and relevant risks.
- have deployed a program that includes continuous improvement.
- identify and select appropriate controls for the relevant risks.
- have a documented and fully disclosed method of identifying and reducing risks for any sub-service organizations they use in their business processes.
- fully account for all applicable legal and regulatory requirements in addition to business requirements.
- develop and document detailed assertions that address the effectiveness of controls and their objectives.
Tim Layton
Follow Tim on Twitter at http://twitter.com/timlaytongrc
Read New Articles at http://www.timlayton.com
Connect with Tim on LinkedIn at http://www.linkedin.com/in/timlayton