Just Released: Protiviti’s 2015 IT Security and Privacy Survey

By Cal Slemp, Global Leader of Protiviti’s IT Security and Privacy Practice

Cybersecurity is top of mind from the boardroom and C-suite to IT, Legal, Finance and more. But does that translate to effective policies and actions? That’s the focus of Protiviti’s 2015 IT Security and Privacy Survey Report, published today.

The answers are mixed.

Our 2014 report identified notable gaps between top-performing companies and other organizations in terms of best practices in IT security and privacy; it also pointed to where these organizations needed to progress to bridge these gaps.

A year later, much progress has been made – yet many gaps remain.

Bright spots in our 2015 survey: Many organizations have made confident changes and now qualify as what we classify as top performers. These organizations are characterized by high board-level engagement in information security, and by strong security frameworks with specific information security policies.

Other insights from the survey:

  • “Tone at the top” is a critical differentiator. From strong board engagement to management-driven “best practice” policies, effective security begins at the top. A strong tone at the top is as important as any policy, because even the best policies are merely words on paper. It takes people to put those words into action, and people take their cues from company leadership.

Have you communicated to the people in your organization what you expect regarding information security and privacy? Are you setting a good example?

  • A strong security foundation must include the right policies. Organizations that have in place all “core” information security policies – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.

What are your policies? Do you know them? Do your employees?

  • Many companies lack critical policies and an understanding of their “crown jewels.” One in three companies lacks policies for information security, data encryption and data classification. Most lack a strong understanding of their most sensitive data and information, as well as of their potential exposures. Such gaps open the organization to cyberattacks and significant security issues.

What are your informational “crown jewels”? How are you protecting them?

  • There isn’t a high level of confidence in the ability to prevent an internal or external cyberattack. While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they could prevent a targeted cyberattack, either from external hackers or insiders. This mindset is not necessarily a bad thing – in fact, it may be a healthy one if the perspective drives a focus on improvement. Many in the cybersecurity community would argue that cyber breaches are inevitable and that the best risk management strategy is to focus on rapid detection and on ensuring that valuable data is encrypted and unidentifiable, rendering it worthless to an unauthorized user.

Could your security protocols detect and contain a breach in progress, or are you still just patrolling the perimeter?

This is an interesting and timely survey report and one where the results are likely to change significantly from year to year as both the cyber threat and cybersecurity landscape evolve and become more aggressive and sophisticated. For a more detailed analysis, you can view and download the entire report here.

Create IT Internal Controls as Unique as Your Startup

By Steve Hobbs, Protiviti Public Company Transformation Solution Leader and Managing Director

With all the challenges startups face just to get off the ground, is it any wonder if thoughts of compliance requirements are not top-of-mind? Nevertheless, as the board and CFO know all too well, IT controls must become a top priority as the company matures and considers an IPO. Without proper IT controls, you run the risk of hurting both the top line and the filing deadlines.

Traditional internal controls, however, can run counter to the company’s culture and competitive mindset. To satisfy control and compliance requirements without disrupting the company’s culture of independence and innovation, we suggest that startups create their own IT general controls (ITGC). Our point-of-view paper, Agile Technology Controls for Startups – a Contradiction in Terms or a Real Opportunity?, discusses these matters at length.

While setting up your unique ITGC framework, here are key items to address:

  • Analyze the system environment. It’s important to focus on the necessities. Understand which systems and processes are in scope for the purpose of the compliance audit and determine if some systems can be excluded. Identify owners of each process, and eliminate unnecessary redundancies by aggregating processes under common owners when possible.
  • Identify and support key corporate data activities. Utilize existing development operations (DevOps) and agile process activities to eliminate unnecessary, unaligned and ineffective control activities. DevOps and agile process activities should be the basis for identifying and defining key ITGCs, such as test case coverage or automation of regression testing. Add additional control activities as necessary and consider alternative approaches to mitigating risk.
  • Define a future-state vision. Create a road map to envision easily how all the processes fit together. Rather than adding new manual activities, you may find that there are automated controls that can be leveraged for ITGCs to increase efficiency. Don’t forget to keep an eye on a “backlog” of improvement opportunities and initiatives that you should consider as you move toward the future.

Chip Shot: The Long-View on the EMV Short Game

By Scott Laliberte, Managing Director and Leader of Protiviti’s Vulnerability Assessment and Penetration Testing practice

Chip in or shell out. That was the message from major credit card companies to U.S. merchants. Three years ago, card companies gave retailers until October 1, 2015, to install point-of-sale terminals capable of reading next-generation credit cards embedded with security chips. At that point, retailers without chip readers will be liable for purchases made with a magnetic stripe card, as well as for purchases in which a chip card was processed as a magnetic stripe card.

The deadline is fast approaching and, according to published accounts, only about one in four retailers has complied.

Over the past several months, Visa, MasterCard, American Express and others have replaced magnetic stripe cards in the United States with “EMV” versions, named for the three original owners of the chip technology: Europay, MasterCard and Visa. Chip cards are already the standard in Europe and other parts of the world, where they have proven to be far more expensive and difficult to counterfeit than magnetic stripe cards.

Card companies say the change is needed because while just over a quarter of the world’s credit card transactions originate in the United States, the U.S. accounts for almost half of the world’s fraudulent transactions – a disparity many attribute to obsolete technology.

The change is being touted as the dawn of a new era in credit card fraud prevention. However, there are doubts it will make a significant difference.

For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15 percent of credit card fraud in the United States. The bigger problem, by far, is first-person fraud – cardholders refusing to pay what they rightfully owe, which accounts for roughly half of all fraudulent transactions.

It also fails to address another significant source of credit card fraud: lost or stolen cards. Other countries have addressed this by pairing the counterfeit protection of EMV with the user-verification protection of a PIN. U.S. card issuers, reasoning that Americans would balk at being asked to do two new things, split the difference, opting for chip-and-signature instead of the more secure chip-and-PIN.

Finally, it will have no effect on the third and fastest-growing type of card fraud – online and phone transactions, where the merchant never sees a physical card. By all accounts, card-not-present fraud has been rising exponentially as other fraud avenues become limited.

There is no mistaking that EMV is a positive step. It’s high time the United States joins the rest of the world. Yet some retailers may be reluctant to invest in what amounts to a stop-gap solution with limited protection.

Yes, under the new rules, retailers will be liable for fraudulent card purchases, but given the credit limits on most cards and the need for a fraudster to be physically present, the actual exposure is going to be relatively small – so small that it may not justify the investment in new point-of-sale technology.

Of note, we expect there may be an initial surge in fraudulent activity immediately after the deadline, which will likely tail off over time.

Credit card security is a moving target. Fraudsters are resourceful and persistent, which means there is no single magic bullet that will fix this problem. Merchants and card companies both need to be constantly vigilant and use a layered security approach that combines data encryption with user verification and behavioral analytics that screen every transaction against prior purchases to flag aberrant activity.

Like it or not, that’s the price of playing the game.


DOJ “Yates Memo” Reminds Us that People, Not Corporations, Commit Crimes

By Scott Moritz, Managing Director and Leader of Protiviti’s Fraud Risk Management Practice

On September 9, 2015, U.S. Department of Justice Deputy Attorney General Sally Quillian Yates distributed a memorandum across the Department of Justice, entitled “Individual Accountability for Corporate Wrongdoing,” that has far-reaching implications for government and private-sector investigations of corporate misconduct.

While the memorandum does not have the force of law, it nonetheless provides specific direction to every federal prosecutor to hold individuals accountable for corporate crimes, and to make the extent to which a company “gives up” the individuals responsible for those crimes a condition of that company’s cooperation credit.

Holding individuals accountable for corporate crimes is a very effective way to change behaviors. While the U.S. Sarbanes-Oxley Act (SOX) has significantly changed the business landscape for U.S. publicly traded companies, perhaps its biggest effect has been that, by holding the CEO and CFO accountable for the accuracy of the quarterly and annual reports they sign, it has produced a number of enduring changes in how these leaders behave.

First and foremost, before SOX, many internal investigations at public companies, large and small, never saw the light of day. “Big picture” issues often overrode what was right. With the CEO and CFO now held accountable, the default setting has shifted to performing internal investigations and then disclosing the results, to the extent that the findings suggest the need to do so. This is a direct result of the accountability component of SOX Section 302 and the upgrade that has occurred across audit committees in terms of financial aptitude since the inception of SOX.

The same sea change could result from the Yates memorandum, which sets out six steps that government attorneys should take to ensure individuals believed responsible for corporate crime are held accountable.

  1. Before being eligible for any cooperation credit, corporations must disclose all relevant facts about the individuals involved in corporate misconduct.

This step, perhaps more so than any other, could have the greatest long-term impact. Given this requirement, government investigations and internal investigations alike will have to be structured so as to identify individual conduct. It also creates a financial incentive for companies to disclose the responsible parties within their organizations in order to be eligible for cooperation credit. This will, in all probability, cause individuals to “break ranks” earlier in the process and seek their own outside counsel, rather than wait for the company to deliver them on a silver platter to the government in an effort to obtain cooperation credit. It could also result in many more individuals seeking whistleblower status rather than trusting that their employers or former employers will be unbiased in their investigations.

  2. Both criminal and civil corporate investigations by DOJ attorneys should focus on individuals from the inception of the investigation.

This is really more of a reminder than anything radically new. By their nature, investigators must focus on the actions of individuals. What is important here is that DOJ attorneys and investigators make it clear to companies, once the companies know of the existence of the investigation, that any internal investigation must provide meaningful information about the responsible individuals.

  3. Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.

Coordination between the SEC and DOJ has improved quite significantly since 2008. That being said, civil and criminal investigations are fundamentally different and, historically, holding individuals accountable has fallen to the criminal investigators. What the Yates memorandum points out, though, is that civil investigations sometimes provide substantive information about criminal wrongdoing, and that routine communication makes that information less likely to fall through the cracks.

  4. Absent extraordinary circumstances, no corporate resolution will provide protection for any individuals from criminal or civil liability.

This step could also have long-term implications for the scope of investigations and the extent to which individuals will be held accountable for corporate crimes. By making it clear to government attorneys that corporate resolutions should not routinely protect individuals from criminal or civil liability, the memorandum puts the burden on individual government attorneys to make the internal argument that their proposed settlement agreement meets the criteria of “extraordinary circumstances.” Since the majority of such agreements will not inhibit the government’s ability to hold individuals accountable, more individuals are likely to be held accountable.

  5. Corporate cases should not be resolved without a clear plan to resolve individual cases before the statute of limitations expires, and declinations as to individuals in such cases must be memorialized.

This step recognizes that individual cases often continue after the corporate cases have been settled. It will help ensure that appropriate forethought is given to individuals who could be held accountable if not for mismanagement of the statute of limitations.

  6. Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.

This step, again, is a reminder of the different lenses through which civil enforcement attorneys and criminal prosecutors view their cases, as well as the importance of considering the totality of the facts regarding each individual in determining the appropriate means by which he/she is held accountable.

While each of these steps detailed in the Yates memo sends a clear message to the DOJ attorneys responsible for criminal and civil enforcement, in-house and outside counsel, chief compliance officers and senior executives should also take notice. As it has on a number of occasions since the Federal Sentencing Guidelines went into effect, the government is again putting corporations on notice that people, not companies, commit crimes.

Corporations are expected to focus their internal investigations in such a way as to identify the people responsible, not just scapegoats, and to understand that their ability to receive cooperation credit depends on it. As Ms. Yates stated in her public remarks about the memo: “We’re not going to be accepting a company’s cooperation when they just offer up the Vice President in Charge of going to jail.”

Difficult though it may be for companies to be completely transparent in their identification of the people responsible, no matter how senior and important to the company’s future they may be, management will be forced to make decisions for the good of the company that will very likely result in some of their former colleagues going to prison.

Improving SharePoint Adoption With the Right Analytics

By Mike Steadman, Managing Director, SharePoint Consulting

To date, more than 100 million licenses of SharePoint have been sold. Companies recognize the potential of this powerful content management platform to save time, speed up processes and enhance collaboration on an enterprise level. Yet, according to a recent Protiviti white paper, fewer than a third deploy the platform across their entire company.

Why such poor adoption? The white paper cites data from a recent AIIM survey, according to which the biggest ongoing business challenge with SharePoint is lack of expertise in how to maximize SharePoint usefulness. Nearly half of those polled said so.

Yet lack of expertise is only half the story – lack of insight into how the platform is currently used by employees is the other. To look behind the curtain of suboptimal adoption, SharePoint managers must turn to analytics. Analytics provide tangible data that not only reveals where things fail but empowers organizations to set goals for their portal usage and track business objectives.

Analytics can answer questions such as:

  • How/when employees are failing to access the proper content
  • How/when employees are abandoning various tasks
  • How successful employees are in searching and finding the content they need
  • How engaged employees are in the portal experience
  • How well employees are collaborating inside the portal

To help its user base, SharePoint does provide some built-in analytics. In our experience, however, most users find the included reports limiting, inconvenient and bulky. The built-in analytics function also does not track usage, abandonment and content interactions, or provide comparative reporting.

To get these features and more, companies often turn to third-party analytics solutions. The most popular analytics products for SharePoint come from Google, HarePoint, Webtrends, and Intlock. All four work with SharePoint 2007, 2010, 2013, and SharePoint Online, and each has its own advantages, limitations and learning curves. To help you choose the product that’s right for you, we review the pros and cons below.

Google Analytics

PROs: Because it’s easy to use – and free – Google Analytics is the logical first choice for organizations seeking better SharePoint insights. It is continuously growing and adding functionality, and its active user base can provide answers to most questions. Some of its features include in-page analytics, engagement tracking, the ability to create and track goals, multiple-user access, comparison reports for a specific metric or characteristic, and multiple data display modes (charts, graphs, etc.).

CONs: Google Analytics is a general web analytics tool and not unique to SharePoint, so it cannot track data that is stored only in SharePoint. Many SharePoint users are unwilling to accept Google Analytics’ terms, under which their data is stored on Google servers. A limitation for some companies might be the need to manage all analytics accounts through a Google account, and the need for a JavaScript-enabled browser. Finally, in our experience, to get the most from this free resource, companies will need at least one dedicated in-house Google Analytics expert.

HarePoint

PROs: HarePoint is a reasonably priced option that works with SharePoint-only data and provides fully integrated reports that can be filtered by Microsoft attributes, such as Active Directory accounts, SharePoint documents, libraries, users, and more. It is easy to install, without adding code to portal pages. Customers can share reports and dashboards across the organization for increased productivity.

CONs: The interface, filtering and comparative data tools are cumbersome and visually unappealing and, unlike Google Analytics, HarePoint requires substantial technical skill to master. It lacks some basic useful features, such as the ability to set goals and track goal conversions, pivot data, and track social events (likes and shares). It also does not provide search reports for landing pages.

Intlock’s Cardiolog

PROs: Like HarePoint, Cardiolog is fully integrated into SharePoint. Unlike HarePoint, however, the user interface is easy to use and comes with over 100 preconfigured reports. What’s more, users can set up custom dashboards for any site, list or library, share reports via email or the web, and create ad hoc reports based on the data collected in the Analysis Center. Cardiolog can be local- or cloud-based, and comes with robust social media-tracking capabilities. It also tracks document downloads, video player interactions, form submissions, and more.

CONs: Cardiolog’s impressive features will cost you: It is the second most costly SharePoint analytics tool after Webtrends. It comes with a maintenance plan at 20 percent of the initial cost. The number of system users (those who can create reports and have administrative rights) is limited. The regular version allows 5 users, and the enterprise version allows up to 25.

Webtrends OnDemand

PROs: Webtrends is built for SharePoint, with code designed specifically to collect SharePoint data. It provides heat maps for pages, which work much better than Google’s In-Page Analytics. Webtrends also lets users create custom views of data on the fly for instant insights. It has useful navigation and path analysis reports that show how users move through the site up to 20 clicks deep, and these can be filtered by department and SharePoint groups.

CONs: Webtrends is priced on the high end for initial cost and maintenance, with a dynamic pricing model that considers both usage and features. It has a steeper learning curve than the rest of the solutions. Webtrends offers plenty of documentation, but new users will likely need additional training and exposure before mastering the program and its powerful reports.

Whichever analytics solution you decide to go with, the insights will help your organization uncover SharePoint problems users may be experiencing and then guide you towards usage and performance improvements, leading to wider adoption of SharePoint and maximizing its benefits across the enterprise.

For other ways to improve SharePoint adoption, download Protiviti’s white paper, “Communication, Training, Engagement – The Keys to Sustainable User Adoption of SharePoint.”

Five Years of Dodd-Frank: An Internal Audit Perspective

By Shaheen Dil, Managing Director, Model Risk and Capital Management

Earlier this summer, on July 21, the financial world marked the fifth anniversary of the passage into law of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA). After the global financial crisis hit in 2008, politicians and regulators around the world were united in ensuring future banking crises would not require taxpayers’ money to avoid economic contagion.

The DFA was not designed to prevent the next financial crisis, which is arguably inevitable; the goal was to soften the blow. Debate continues over whether it has achieved this aim, with many critics using this fifth anniversary to highlight its perceived shortcomings. The slow progress of regulators in implementing all of the regulations required by the Act has been a common complaint, but critics are also pointing out the many unintended consequences of certain provisions. For example, Republicans have commented that banks have passed the cost of compliance on to consumers in the form of higher fees, while others in the market have argued that the so-called Volcker Rule has increased volatility in the market by reducing liquidity and pushing more investors towards the shadow banking sector.

Some of the more contentious criticisms suggest that Systemically Important Financial Institutions (SIFIs) are now essentially under government control, and that the free market has been placed in the hands of political actors. Conversely, Senators Barney Frank and Chris Dodd said during the DFA anniversary week that the concept of “too big to fail” is dead and that the markets are safer now as the possibility of making mortgage loans that cannot be repaid has been decreased dramatically.

The Act will remain a political football for some years. If nothing else, the anniversary provided an opportunity for old divisions to rise to the surface, the contentions aided by two bills currently under debate by Congress that seek to repeal certain provisions in the Act. Although the White House has stated that it will veto any attempts to roll back any provisions of the DFA, the controversy nevertheless remains.

As the political debates rumble on, firms must continue to stay focused on meeting the increased compliance burden. Although many provisions of the DFA still need to be introduced, a number of regulations have already been implemented. The requirements for stress testing and capital planning, which have been in force for the past five years, are showing signs of maturing, and banks seem to be catching up. Only two foreign banks failed stress tests in 2015, compared to five in 2014.

I had the opportunity to address some of these issues, along with several of my colleagues, during a webinar hosted by the Institute of Internal Auditors (The IIA) on July 9, entitled “How the Dodd-Frank Act Has (Not) Mitigated Risks from the Financial Crisis.” For those who missed the discussion, here are the points I believe are important to keep in mind:

  • Fewer stress test failures do not mean that banks are getting safer; rather, they demonstrate that firms are becoming more accustomed to the tests and have a better idea of what the regulators want. In fact, internal auditors have indicated in the latest Protiviti Internal Audit Capabilities & Needs Survey that model risk, including stress testing and capital planning, is one area where they need to improve their technical knowledge.
  • The issues flagged most frequently during the most recent round of stress tests revolve around governance (effective challenge, documentation, and inadequate or ineffective internal controls). This has overtaken data constraints as the number one concern for regulators when assessing stress tests. Specific areas of concerns were: a lack of effective channels; a lack of effective documentation of the thought processes underlying the stress tests undertaken by the bank; and inadequate effective challenge of the process.
  • Finally, there is a misconception that internal auditors need only oversee the models themselves. The role of internal audit for both the Dodd-Frank Act Stress Testing (DFAST) and the Comprehensive Capital Analysis and Review (CCAR) is wide-ranging and goes beyond simply looking at the models. Internal auditors need to ensure that they review the governance that overlays the entire structure.

Carol Beaumier, Steven Altier, Meghan Jankelow and Steven Stachowicz also presented during the IIA webinar, covering other areas of the DFA, including consumer protection and mortgage reform, risk management and culture, and investor protection. To access a recording of the webinar, click here.