RSCA Process
- The RSCA process
  - The Risk Assessment approach is used to evaluate the current state of security and compliance activities for SOX remediations. The RSCA approach is a three-step methodology that has been implemented at many large corporations, such as Freddie Mac, Fannie Mae, Nextel and Verizon.

- Accountability
  - Internal and external assessment agencies: Internal Audit, SOX Oversight, IT Organizations and Process Owners.

- Process Overview
  - Deficiency Identification: Control deficiencies are identified by IT internal and external assessment agencies. They may also be self-identified by IT organizations through process gap analysis. Once a deficiency has been identified, it may be assigned two reference numbers. The first is assigned by the Assessment Agency and labeled as the Key Control Reference. The second is assigned by the IT Compliance oversight group (ITC) and is labeled as the ITC Deficiency Number. All deficiencies will be assigned an ITC number; however, self-identified items may not have a Key Control Reference number.
  - Deficiencies are tracked and managed by ITC through the Risk, Security and Control Assessment (RSCA) process.
  - Deficiency Ownership: Deficiencies should be identified with a Process Contact and an IT Contact. At the deficiency level, these should be managers. These are the identified owners of the deficiency. An IT Manager may be both the Process and IT contact for a deficiency.
  - Deficiency Action Plans: All deficiencies are broken down into action plans. Every deficiency must have at least one action plan to remediate the identified issue. Action plans can be assigned to team members who have been assigned to work on or resolve the issue identified by that action item. These individuals are not the owners of the deficiency, but can be identified as subject matter experts for the assigned action plan.
  - The identified Deficiency Owners have ultimate accountability for planning, implementing solutions by the specified remediation date, and reporting on the action through RSCA reporting.
  - An individual deficiency item may contain multiple action plans that are assigned to various groups for remediation. In these cases, accountability for the remediation of the deficiency is shared between the senior directors of each group.
  - Deficiency Closure and Testing: Deficiencies must be owner-tested to verify that the remediation plan has closed the identified gap effectively and accurately. When the owner is satisfied with testing, a Deficiency Closure package is prepared.
  - Approval signatures are acquired from the IT Manager and their Director. If the owner is a director, or if a senior manager is not available, a VP signature is required.
  - Closure packages may be created for a single action plan, a fully complete deficiency, or multiple deficiencies assigned to the same process or IT owner that are common or address an overall aspect of the IT environment. Example: two deficiencies may be created for a single application, one for the periodic review of user access and another for password reset. Both deficiencies can be addressed and reported in a single closure package.
  - Closure packages are then delivered to ITC for initial review and testing. Once the remediation closure has been ITC-verified, ITC will deliver a copy of the closure package to the assessing body for final review and testing. ONLY the assessing body can close a deficiency. Once the assessing body has tested, verified and approved the remediation, it notifies ITC that the deficiency can be closed and removed from RSCA.
  - Deficiencies are closed after they have been verified, approved and reported in the next RSCA reporting cycle.

- Procedures:
  - Deficiency Identification: The IT General Deficiency number is a unique identifier that acts as the parent for this task and is retired when the task is complete. These numbers are not reused once the deficiency has been remediated. This number has four formats:
    - ITGC-999 : Identifies the item as an IT General Control deficiency. These items affect a broad range of IT services or applications; they are not unit- or application-specific.
    - SIC-999 : Identifies the item as a Self-Identified deficiency, which can affect IT Services as a whole but is more likely unit- or application-specific.
    - IA-999 : Identifies the item as an Internal Audit identified deficiency.
    - AA-999 : Identifies the item as an external assessment agency deficiency.
  - Deficiency Closures: Once a deficiency has been remediated, it must be reported to ITC through a Remediation Closure Package. Closure packages identify the deficiency being remediated, the actual completion date, a detailed description of the remediation solution, and the attached evidence for that solution.
  - Evidence must be complete and comprehensive. Evidence supports (or proves) that the process is effective and working. Each evidentiary specimen should come with a description of the item, how it is utilized, and where it is stored or maintained for historical review. Evidence can be security requests, emails, forms, or reports. (A closure package without evidentiary documentation will not be accepted by ITC.)
  - Reporting: RSCA meetings are held monthly with owners and IT Senior management to review the current status of assigned deficiencies. Managers are accountable for providing a written status to ITC prior to the RSCA meeting. IT Senior managers are required to attend RSCA meetings to review the risks and issues of remediation efforts. Without this participation, the RSCA process is not effective.
  - Risk Acceptance: In the event that an item cannot be remediated, the assigned IT manager can request a Risk Acceptance.
  - Deficiency Escalation: Failure to report status to ITC through the RSCA process, failure to meet an assigned target date, or failure to remediate a deficiency will result in an escalation to senior management.
  - ITC will attempt to contact owners for status or assessment of the failure. Items will be escalated to the Director of IT Risk. Additional escalation can be made to the CIO and CFO, and/or the Board Audit Committee, as deemed appropriate.