The start of the new year brings new strategies and new challenges. Many employees will lobby to participate in new opportunities. The organization's best and brightest frequently receive these highly sought-after assignments, which bring additional training and higher pay. Budgets, executive management attention, and career opportunities also gravitate toward the new and exciting; yet the survival of the organization usually relies on its ability to continue existing business development, operations, and outstanding customer service delivery.

Although not glamorous, successful maintenance and upkeep require investment—whether time, financial resources, or executive management attention. Unfortunately, because maintaining the needed infrastructure and service delivery strategies may appear mundane, they are sometimes not prioritized and, in extreme cases, forgotten. Because these processes have already existed and served the organization, executives often assume they are running “well-oiled machines” and minimize their attention to the mundane. The following are standard maintenance and update issues that continue to challenge many organizations and their ability to manage risks effectively and achieve strategic goals. The start of the year is a great time to determine the status of these issues and manage them effectively to achieve organizational objectives.

Open Audit Report Comments

Most organizations do a reasonably good job of tracking recommendations resulting from audits. Typically, each recommendation is assigned a target date by which it is expected to be implemented. If the recommendation is no longer valid, it is removed; if more time is needed, an extension is requested and discussed. The challenge is that the risk the recommended control addresses may have increased since the audit, which would justify an earlier implementation date and additional resources. Unfortunately, many organizations do not reassess whether earlier implementation is warranted and so miss the opportunity to mitigate an evolving threat. This is of particular concern with rapidly evolving technologies, whose risk exposure only becomes fully understood over time.

Obsolete Policies and Procedures

Organizations use policies and procedures to help enforce governance expectations. Boards use policies to communicate the behaviors the organization must exhibit to achieve its objectives. Where regulatory matters are concerned, the organization is highly motivated to keep policies current to avoid penalties and fines. But changes in strategy and service delivery, including the introduction of new technologies or updates to existing ones, frequently do not trigger a policy review. Similarly, procedures provide instructions that help ensure the consistent production of goods or delivery of services. As parts of a procedure become stale or obsolete, staff begin to justify ignoring it, which degrades product or service quality and eventually reduces revenue. Assigning ownership and accountability for review, including a designated "review month" (typically at a less busy time of year), is a practical way to reduce these risks.

Outdated Insurance Coverage

Insurance serves a critical function in allowing organizations to shoulder risk. When obtaining insurance, an organization typically prepares and submits an application to underwriters, who use the information in it to decide whether to issue a policy and what premium to charge. Effectively, the organization pays the agreed-upon premium to transfer its risk to the insurance carrier. In some cases, this information is so critical to the underwriting and pricing decisions that the insurer will "test and review" it to confirm that all representations made by the organization are correct. To ensure continued coverage and approval of claims, an organization must inform its carrier of changes affecting underwriting factors, especially at renewal. Unfortunately, some organizations maintain poor controls over the currency of this information, which should reflect the introduction of new technologies, services, products, suppliers, and even customers. The result can be unfulfilled obligations under the policy and denied coverage and claims.

Irrelevant Risk Assessment

In many ways, performing a risk assessment is a gift, allowing management to better understand the organization's threats and its current ability to manage them. As threats evolve throughout the year and situations change, the perspectives gained from a risk assessment will also change. Sometimes difficult choices must be made, including seeking additional funds or other concessions from various stakeholders. Unfortunately, some continue to view the assessment as a burden, applying a checklist mentality that neither addresses the risks requiring management attention nor communicates the risks that will go unaddressed because of budget constraints. Continuously monitoring the environment and holding frank discussions among management and the board are critical to enabling an organization to pursue new opportunities within its risk appetite and tolerances.

Inventory, Patches, and Vulnerability Remediation

This column frequently discusses the need for organizations to understand which assets they are responsible for, what is reachable through their networks, and whether those assets are patched and their vulnerabilities remediated. Any periodic maintenance monitoring program should include these critical items. Too often, organizations believe they are performing these essential functions but do not achieve the intended risk mitigation because their picture of the current environment is outdated. What actually runs on systems and networks should be reconciled against the approved inventory as often as is practically feasible; the reconciliation confirms that only approved devices, software, and other technology resources are present and in use. Patches and vulnerability remediations should be completed within the time frames set by the organization's policies (or by industry practice, if no such policies exist). Several factors contribute to lapses, but the more significant concern is management's justification for not complying with the established policy, since every accepted exception is a risk the organization has chosen to carry.
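The reconciliation and patch-timeliness checks described above can be automated. The following is an added example, not code from the column: it joins a constructed approved-asset list to a constructed scan result, flags hosts and software that were never approved, and measures each open finding against an assumed per-severity remediation SLA. The asset names, software names, finding identifiers and SLA values are all placeholders chosen for illustration.

```python
"""Reconcile an approved asset inventory with a network scan and check
patch timeliness against policy.

Added example, not code from the column. All inputs are constructed inline
in a simplified shape; in practice the approved list would come from the
CMDB or asset register and the observed hosts and findings from discovery
and vulnerability scanners.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: maximum days to remediate a finding, by severity.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
REVIEW_DATE = date(2024, 1, 15)   # constructed "today" for the review


@dataclass(frozen=True)
class ApprovedAsset:
    hostname: str
    mac: str
    owner: str


@dataclass(frozen=True)
class ObservedHost:
    hostname: str
    mac: str
    software: tuple          # (name, version) pairs reported by the scan


@dataclass(frozen=True)
class Finding:
    hostname: str
    finding_id: str          # placeholder id, not a real vulnerability reference
    severity: str
    published: date          # when the finding was first reported


def reconcile_hosts(approved, observed):
    """Return (observed hosts not approved, approved hosts not observed).

    MAC addresses are the join key and are compared case-insensitively,
    since scanners and asset registers rarely agree on formatting.
    """
    approved_macs = {a.mac.lower() for a in approved}
    seen_macs = {o.mac.lower() for o in observed}
    unapproved = sorted(o.hostname for o in observed if o.mac.lower() not in approved_macs)
    not_seen = sorted(a.hostname for a in approved if a.mac.lower() not in seen_macs)
    return unapproved, not_seen


def unapproved_software(observed, approved_software):
    """Map hostname -> sorted installed software names missing from the approved list."""
    result = {}
    for host in observed:
        extra = sorted({name for name, _ in host.software} - approved_software)
        if extra:
            result[host.hostname] = extra
    return result


def overdue_findings(findings, today):
    """Findings older than their severity's SLA as (host, id, days_past_sla), worst first.
    An unknown severity is a data-quality error and is raised, not silently skipped."""
    overdue = []
    for f in findings:
        sla = PATCH_SLA_DAYS.get(f.severity.lower())
        if sla is None:
            raise ValueError(f"unknown severity {f.severity!r} for {f.finding_id}")
        age = (today - f.published).days
        if age > sla:
            overdue.append((f.hostname, f.finding_id, age - sla))
    return sorted(overdue, key=lambda t: t[2], reverse=True)


# Constructed sample data.
APPROVED = [
    ApprovedAsset("fileserver01", "AA:BB:CC:00:00:01", "finance"),
    ApprovedAsset("web01", "AA:BB:CC:00:00:02", "it"),
    ApprovedAsset("laptop-jdoe", "AA:BB:CC:00:00:03", "sales"),
]
OBSERVED = [
    ObservedHost("fileserver01", "aa:bb:cc:00:00:01", (("backup-agent", "3.1"),)),
    ObservedHost("web01", "AA:BB:CC:00:00:02", (("nginx", "1.24"), ("remote-support-tool", "0.9"))),
    ObservedHost("printer-lobby", "AA:BB:CC:00:00:99", ()),
]
APPROVED_SOFTWARE = {"backup-agent", "nginx"}
FINDINGS = [
    Finding("fileserver01", "F-1", "critical", date(2023, 12, 20)),
    Finding("web01", "F-2", "medium", date(2023, 11, 1)),
    Finding("web01", "F-3", "high", date(2023, 12, 1)),
]


def run_review(today=REVIEW_DATE):
    """Produce the exceptions a maintenance review would put in front of management."""
    unapproved, not_seen = reconcile_hosts(APPROVED, OBSERVED)
    return {
        "unapproved_hosts": unapproved,
        "approved_but_not_seen": not_seen,
        "unapproved_software": unapproved_software(OBSERVED, APPROVED_SOFTWARE),
        "overdue_findings": overdue_findings(FINDINGS, today),
    }


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

Each item the script returns is an exception against policy rather than a raw list: the unknown printer on the network, the approved laptop that was not seen (lost, retired, or simply off the network), the unapproved tool on the web server, and the two findings that have blown their SLA, ordered by how far past it they are. Those are the items management must either fix or explicitly accept.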

Improper Access Privileges

Despite being a matter of concern, and the subject of numerous audit report comments since the advent of computers, many organizations still struggle to manage access privileges. Excess or stale privileges allow users to circumvent organizational controls and expose confidential information. Some organizations, primarily publicly held ones that must comply with Sarbanes-Oxley (SOX) requirements, have implemented sophisticated technology to monitor access and identify possible issues. For organizations that find access management challenging, accountability checks consisting of periodic certifications and reconciliations of access privileges by the managers who originally approved the access are critical to maintaining a healthy posture. Another common practice is to review activity reports and suspend unused accounts.
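The reconciliation and suspension practices described above amount to a simple comparison that can be run every cycle. The following is an added example, not code from the column: it compares constructed manager-approved entitlements with a constructed directory snapshot, reports privilege drift (groups held without approval), approvals that no longer map to any account, and accounts unused beyond an assumed 90-day threshold. The user names, group names and threshold are placeholders.

```python
"""Periodic access-privilege review: privilege drift and stale accounts.

Added example, not code from the column. The approved entitlements and the
directory snapshot are constructed inline; in practice the former comes from
the access-request or certification system and the latter from a directory
export (group memberships and last-logon dates).
"""
from datetime import date, timedelta

STALE_AFTER_DAYS = 90             # assumed policy threshold for "unused" accounts
REVIEW_DATE = date(2024, 1, 15)   # constructed "today" for the review

# Constructed: entitlements each manager originally approved (user -> groups).
APPROVED = {
    "alice": {"finance-ro", "vpn"},
    "bob": {"payroll-admin", "vpn"},
    "carol": {"vpn"},
    "dave": {"vpn"},                                     # approved, but no account exists
}

# Constructed: what the directory actually shows (user -> (groups, last logon)).
ACTUAL = {
    "alice": ({"finance-ro", "vpn"}, date(2024, 1, 10)),
    "bob": ({"payroll-admin", "vpn", "domain-admins"}, date(2023, 9, 1)),
    "carol": ({"vpn"}, None),                            # created, never logged on
    "svc-legacy": ({"finance-ro"}, date(2023, 6, 15)),   # no approval on record
}


def privilege_drift(approved, actual):
    """Groups held without approval, per account. An account absent from the
    approved list has no approved groups, so everything it holds is drift."""
    drift = {}
    for user, (groups, _) in actual.items():
        extra = groups - approved.get(user, set())
        if extra:
            drift[user] = sorted(extra)
    return drift


def orphaned_approvals(approved, actual):
    """Approved users with no directory account, e.g. leavers whose approvals were never closed."""
    return sorted(set(approved) - set(actual))


def stale_accounts(actual, today, threshold_days=STALE_AFTER_DAYS):
    """Accounts with no logon inside the window; never-logged-on counts as stale."""
    cutoff = today - timedelta(days=threshold_days)
    return sorted(u for u, (_, last) in actual.items() if last is None or last < cutoff)


def certification_packet(approved, actual, today):
    """What the approving manager acts on: revoke unapproved groups, suspend
    unused accounts, and close approvals that no longer map to an account."""
    return {
        "revoke": privilege_drift(approved, actual),
        "suspend": stale_accounts(actual, today),
        "close_approvals": orphaned_approvals(approved, actual),
    }


if __name__ == "__main__":
    for action, items in certification_packet(APPROVED, ACTUAL, REVIEW_DATE).items():
        print(f"{action}: {items}")
```

Note the two directions of the comparison: drift is found by starting from what the directory holds, while orphaned approvals are found by starting from what was approved. Running only one direction misses either unapproved accounts (such as the unrecorded service account) or approvals that outlived their owner.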

Incorrect Application and System Parameters

The vast majority of software, especially as used by small to midsize enterprises, is off the shelf rather than custom built. In the off-the-shelf model, the organization purchases or leases (on premises or in the cloud) a software package (e.g., Quickbooks, Dynamics). Rather than modify the code, the vendor typically lets the organization adapt the software to its own requirements by defining parameters that the software references when processing data and transactions (e.g., prices, interest rates, fee schedules). For many organizations, these parameters also enforce corporate policies (e.g., write-off limits, accounting rule compliance) through the edit and validation checks driven by the parameter tables. Unfortunately, the tables are often set when the application is first implemented and are rarely revisited. Each application owner should review the parameters and "system rules" assigned to them at least annually to help ensure that the system still enforces organizational policies and expectations.

Insufficient Data Management

Data governance has recently emerged as a topic of great concern. Executives increasingly recognize the value of the organization's data and the need to protect it. Many enterprises have attempted to map data flows throughout the organization, assign ownership and the corresponding responsibilities for data use and protection, and develop strategies to address regulatory concerns. Two significant challenges remain. The first is the organization's ability to classify the data it holds, prioritize it for governance, and ensure it is appropriately used and managed. The second is identifying all of the organization's data in the first place, including data entrusted to it by customers and suppliers. If the organization does not manage its data itself, regulators (or the plaintiff's bar) will eventually step in.

New Threats

Despite the best of intentions, organizations continue to face increasingly complex and innovative attacks (e.g., attacks that make use of artificial intelligence). Many organizations still struggle to devote resources to something that might happen rather than to a current need. Others believe that partial testing, or reliance on prior tests, will suffice; still others do not incorporate new attack techniques and recent developments when testing whether their plans remain current. Whether performing penetration testing, exercising contingency plans, or planning for incidents, using current and realistic scenarios is critical if an organization is to benefit from its testing investment and minimize potential damage.

Pay Now … or Pay More Later

Perhaps maintenance is not as exciting as new initiatives; nevertheless, organizations should perform annual maintenance on their critical risks at the start of the new year. In most situations, the investment in yearly maintenance will be far less than the cost of recovering from exploits that take advantage of unmaintained environments.

Joel Lanz, CPA, CISA, CISM, CISSP, CFE, is a lecturer at SUNY–Old Westbury and an adjunct professor at NYU-Stern School of Business. He provides infosec advisory services through Joel Lanz, CPA, P.C., Jericho, N.Y. He is a member of The CPA Journal Editorial Advisory Board.