Avoid Capital One’s $80 Million Dollar Mistake

Read about the OCC’s recent actions taken against Capital One and learn how to avoid a mistake like this. A combination of technical, operational and personnel weaknesses enabled a data breach in July 2019 allowing a hacker to access the private information of more than 100 million customers.

The US Government’s recent actions taken against Capital One for their July 2019 data breach, in which a hacker accessed private data of more than 100 million US Capital One customers, should not come as a surprise even though Capital One is viewed as one of the most technologically advanced banks in the United States.

The question is, if one of the most technologically advanced banks failed to establish an effective risk assessment program, how effectively are other banks managing their enterprise risk?

As a result of the data breach, the OCC (Office of the Comptroller of the Currency) has imposed an $80 million civil penalty and a cease and desist order that lays out the steps that Capital One must take to improve its risk management program, as well as internal controls related to cyber security and information security. This plan must include an internal governance framework that, amongst other measures, has clearly defined operational risk roles and responsibilities. While a combination of technical, operational and personnel weaknesses likely contributed to the vulnerability that enabled the data breach to occur, an effective controls framework may have prevented the attack.

At Alyne, we have been vocal about the importance of effective control frameworks in managing enterprise risk. Technology can certainly serve as a key component of a successful controls framework. However, technology must be able to deliver the needed information to the right people at the right time in order to drive appropriate behaviour. The combination of the right technology coupled with the right content is key to a successful control framework. At its core, an effective controls framework acts as the single source of truth for information that allows everyone in an organisation to clearly understand their responsibilities and the specific steps that must be taken and continuously monitored in order to sustain a successful risk management profile.

Alyne believes that controls need to be more than a check-the-box exercise. History has shown that those firms who implement control frameworks to guide and support their organisations' objectives are positioned for long-term success. Today’s heightened regulatory environment, coupled with the reality that information is now distributed instantly across the digital landscape, makes it imperative that organisations have control frameworks in place that are specially tailored to their organisational structure – saving both time and money by creating operational efficiencies, all the while providing true transparency into your risk profile.

An effective control framework is made up of individual controls. If the individual controls in a controls framework are ineffective, then the framework itself is going to be ineffective. It’s that simple. To ensure control success, Alyne has designed every one of the 1100+ Controls in our Content Library according to the SAMC3 principle – a term coined by Alyne. Following this process for control creation will help you create an effective control framework and reduce risk.

SAMC3 Principle

  • Specific - each Control describes a specific action or practice that prevents harm to the organisation and its assets.

  • Atomic - each Control only defines one specific aspect. Some poor examples of Controls try to cover multiple aspects and end up covering half a page of text. If one answer cannot describe the current maturity or effectiveness, the Control is not atomic. This also means that every Control shall be meaningful by itself without the context of other Controls.

  • Measurable - the effectiveness and design of each Control shall be measurable. In Alyne, the criteria and data points relevant to measuring the design and effectiveness of each Control are always defined with the Control to ensure this attribute.

  • Consistent in Structure - while this is not always perfect, we strive to keep the sentence structure of each Control consistent. Convoluted syntax such as double negatives or starting with subordinate clauses makes it much more difficult for the reader, assessor, recipient or other stakeholder to consume. This should be avoided at all costs.

  • Comprehensible - simply copying the text from a standard or law is not helpful. Wording in Controls should be as simple and meaningful as possible to the audience within the organisation. Laws and standards need to be deliberately broad so as to be generally applicable. Controls, on the other hand, shall only be focussed on your own internal organisation - and therefore use wording that is familiar and meaningful in that context.

  • Contextual - a Control should provide a link to a standard, law or regulation and to risks it may mitigate. This context provides meaning to Control deficiencies and enables more automated analytics.


Whether you are in operational risk, information security, compliance or audit, our recommendation is that you review your enterprise controls to measure their alignment with the above principles. Doing so may save your organisation.

We invite you to pair this article with our ‘Enterprise Controls: The Need, Evolution & Future’ webinar or our ‘Controls as a Service’ white paper; both of which take a deeper dive into how we structure our Controls at Alyne.

Tyler Gowen
