ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc.

Presentation to NC State University College of Management: Enterprise Risk Management Round table November 18, 2005

Enterprise Risk Management “An Information Security CFO’s point of view”

• Introduction • Small Company response to SOX 404 • Information Security Risks © Copyright Entrust, Inc. 2005 CONFIDENTIAL 2

David Wagner, CFO Entrust, Inc.

• BS Accounting, Pennsylvania State University • MBA, Finance, Pennsylvania State University • Raytheon Corporation - 1986-1991 • Nortel Networks - 1991-1995 • Entrust Inc., Controller - 1995-2003 • Entrust Inc., CFO - 2003- present © Copyright Entrust, Inc. 2005 CONFIDENTIAL 3

We are Security Specialists…

• Headquartered in Dallas (offices in Ottawa, Washington DC, London, Germany, China & Japan) • #12 of 600+ security software companies, with approx. $100M in annual revenues • Industry pioneer and leader, with approximately 500 employees, market leading products and over 100 patents • Best in class service and support, and integration for leading technology vendors • Strong financial position - $83M of cash- no debt.

CONFIDENTIAL © Copyright Entrust, Inc. 2005 4

Known by the Customers We Keep

• More than 1450 enterprises and global governments worldwide in over 50 countries have licensed Entrust’s products • Entrust has prominence with industry leaders around the globe: – 8 of the top 10 Global Telecom companies – 7 of the top 10 Global Pharmaceutical companies – 8 of the top 10 Global Aerospace and Defense Companies – 7 of the top 10 Global Commercial Savings Banks – 4 of the top 5 Global Petroleum Companies © Copyright Entrust, Inc. 2005 CONFIDENTIAL 5

Enterprise Risk Management “An Information Security CFO’s point of view”

• Introduction

• Small Company response to SOX 404

• Information Security Risks © Copyright Entrust, Inc. 2005 CONFIDENTIAL 6

Sox 404 at Entrust

1) Approach – A case study 2) Lessons learned about Sox 404 3) Lesson learned about Enterprise Risk © Copyright Entrust, Inc. 2005 CONFIDENTIAL 7

Approach – Accounts & Processes

Per PCAOB and COSO guidance; Risk assessment – Team identified – Significant accounts identified –

Materiality

– – Significant processes identified –

Inherent Risk Control risk

– Intersection point of all above: ‘The Matrix’ – Set priority to attack processes © Copyright Entrust, Inc. 2005 CONFIDENTIAL 8

The 404 Team

Audit Committee CFO CIO Project Manager Corporate Controller Finance Accounting Staff IT Operations Legal Third Party Audit Firm Documentation/Peer Reviews/Testing of low risk accounts & processes.

Lucky

- Project Manager on staff

Good Testing of all key controls

- Strong Accounting staff (5 CA of 9 staff in 1997) - Strong CIO with Governance Bias - Good process culture, executive support - Audit Committee support

External Auditor Attestation

© Copyright Entrust, Inc. 2005 CONFIDENTIAL 9

© Copyright Entrust, Inc. 2005

Management Assertion What could go wrong?

What are the key controls?

CONFIDENTIAL 10

Approach – Initial Findings

• Controls Operating and Effective but not documented – Example: Finance Balance Sheet Review meetings .

• Second Level reviews and sign-offs – Example: Payroll Canada; one person enters, submits,

processes and reconciles. Added second level review of key reports and authorization of any ‘one-off’ payments.

© Copyright Entrust, Inc. 2005 CONFIDENTIAL 11

Approach – Risk & Controls Repository

CONFIDENTIAL

Use of existing portal Entrust get Access - Lotus Domino Database

12 © Copyright Entrust, Inc. 2005

April Entrust Sarbanes Oxley - Status of Financial Processes

3% 3% 12% 18% 10% 4 Second Team Review 5 E&Y First Review 6 Test Plan 7 Internal Testing

Entrust Sarbanes Oxley - Status of Financial Processes

8 E&Y Formal Review 72%

Entrust SOX Process Status September 2004

10 Ongoing Monitoring 18%

September

3. Owner Rework 32% 8. GT Formal Review 8% 18% 4. Second Team Review 6. Test Plan 1 Owner Documentation 3. Owner Rework 2 First Team Review 3 Owner Rework 24% 4. Second Team 4 Second Team Review Review 5 E&Y Review 6 Test Plan 6. Test Plan 7 Internal Testing 8 GT Formal Review 7. Internal Testing 9 Formal Remediation 7. Internal Testing 18% 10 Ongoing Monitoring 8. GT Formal Review 24% © Copyright Entrust, Inc. 2005 CONFIDENTIAL 13 1 Owner Documentation 2 First Team Review 3 Owner Rework 4 Second Team Review 5 E&Y Review 6 Test Plan 7 Internal Testing 8 GT Formal Review 9 Formal Remediation 10 Ongoing Monitoring

Timeline - September

Entrust Sarbanes-Oxley Compliance Project High Level Timeline Milestones 1 Set Objectives and Team 2 Process, Risks, & Controls Documentation 3 Initial owner & team assessments 4 Ongoing Remediation of Controls 5 Formal Internal Control Test Plan & Testing 6 Interim Internal Control Enhancements/Fixes 7 Intermin Review, Test & Feedback 8 Ongoing Control Monitoring 9 Final Signoff 2004 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Original Timeline - April 2004 Updated Timeline - July 2004 Updated Timeline - Sept 2004 14 © Copyright Entrust, Inc. 2005 CONFIDENTIAL

Internal Testing Results: Individual Controls

•

(December)

Total 116 individual controls identified to test – Green : Testing completed & passed – Yellow: Testing in progress, item to be reviewed at year end, or in Remediation.

– Red : Testing resulting in significant issue, or further testing not yet resolved

THEN : NOW Entrust Control Testing Status October Entrust Control Testing Status - December Yellow:

To Start In Progress Remediation Year End Only

Total

6 8 7 2 23 Green Yellow

Yellow In Remediation In Testing Year End Only Total 5 10 2 17

© Copyright Entrust, Inc. 2005 CONFIDENTIAL 15

Approach – IT General Controls

• Information Security Governance Process – Risk assessment by business unit based on ISO17799 – Very little guidance existed for SOX IT issues before July 2004 – Compliance requirements for SOX and other legislation (SB1386, PIPEDA)

incorporated in framework and process

– Unacceptable risks result in action item (SOX compliance example would

include missing documentation of key control is considered risk)

– Focus on Finance data and application: • Confidentiality • Integrity • Availability – Mapping of ‘COBIT for SOX’ items back to framework to ensure coverage © Copyright Entrust, Inc. 2005 CONFIDENTIAL 16

Entrust 404 Project Summary

Entrust 404 Project Scope

• 42 Accounts and 66 processes identified • 41 Key processes documented • • 116 key controls identified & tested in Finance 92 IT general controls supporting 2 Key applications • • •

Entrust 404 Project Cost

• ~ 20% of 2004 Finance & Accounting staff hours , plus one full-time project manager ~ 30% of 2004 IS/IT resources + 55% additional fees for external testing (not auditor) + 101% additional audit fees to external auditor © Copyright Entrust, Inc. 2005 CONFIDENTIAL 17

2 Questions on 404 1) Was it worth what paid for?

No!

$2.5 million - 2.5% of Revenue

2) Did you get anything worthwhile from 404?

Yes!

- Risk Based Review of the organizations; - Internal controls and processes documented - Internal control processes permeated throug the organization - Operations - HR - Legal - IT - Strengthened Ownership of Internal Controls

© Copyright Entrust, Inc. 2005 CONFIDENTIAL 18

Lessons Learned

• Risk based -

focus on significant accounts and processes, and then - key controls within those accounts and processes.

• Complete documentation internally • Do not get caught up in a software implementation, but tools are important.

• Establishing a common framework is fundamental

- Information Security Governance - Risk Based Assessment and mitigating controls

• Intellectual Property Processes • Information Systems and Controls are fundamental © Copyright Entrust, Inc. 2005 CONFIDENTIAL 19

Going Forward – 2005 and Beyond

 Maintain documentation as you go.

 Build control documentation into everyday processes.

 Continuous monitoring and project management.

 Objective to reduce costs 50% Moved 60% of 3 rd party testing in-house - Continue to work with external auditor to alternatives to traditional working paper documentation  On-going risk based focus.

© Copyright Entrust, Inc. 2005 CONFIDENTIAL 20

Enterprise Risk Management “An Information Security CFO’s point of view”

• Introduction • Small Company response to SOX 404

• Information Security Risks

© Copyright Entrust, Inc. 2005 CONFIDENTIAL 21

Business compliance realities:

Increased Legislation Compliance Anxiety

Customers

Access to Services & Information

Employees

Improved Productivity & Self-Service

Suppliers

Streamlined Business Processes

Corporate

Compliance © Copyright Entrust, Inc. 2005

Enterprises & Governments are Extending Outside

CONFIDENTIAL

Regulatory

Compliance 22

Enterprise-wide policies required:

Shift from Compliance to Risk Extended Enterprise & Govt.

Employees Customers Suppliers

Governance & Regulation HIPAA FISMA EU Data Protection Act Sarbanes-Oxley GLBA BASEL II SEC Regulations Policy & Access Management

CONFIDENTIAL © Copyright Entrust, Inc. 2005 23

Identity Theft

• Not cyber terrorism, but cyber crime • Intent is to steal personal information for monetary gain • Diverse targets across different regions and sectors

– Retailers (DSW, BJ Wholesaler’s) – Data brokers (Choice Point, LexisNexis) – Universities (USC, Duke, Purdue, Tufts) – Banks (BOA, Citibank, Wachovia) – Corporations (Motorola, Time Warner, SAIC) – Healthcare (Kaiser, San Jose Medical Group) © Copyright Entrust, Inc. 2005 CONFIDENTIAL 24

Customer Implications

• Cost of incident – A Gartner study found the average identity breach costs a consumer $1,500.

• End User Loyalty and Preferences – A Nationwide Mutual Ins. study found that it takes approximately 81 hours for a consumer to repair the damage caused by identity theft • Business Relationships – Visa severed business relationship with CardSystems Solutions, Inc. • Drop in Stock Price – Firms that have a security breach involving credit card information suffered a stock market loss of 9.3 % the first day, increasing to 14.9% over three days.

• Stagnant Market Growth – Online banking stagnant at 39% of Americans over past 12 months

Brand Impact

CONFIDENTIAL © Copyright Entrust, Inc. 2005 25

Online Identity Fraud Driving Industry Mandates

18% of all respondents stopped or decreased online banking in last 12 months!

The guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers… Financial Institutions will be expected to achieve compliance… no later than year-end 2006

© Copyright Entrust, Inc. 2005 CONFIDENTIAL 26

Information Security Governance

www.cyberpartnership.org



Corporate Governance Task Force – Apr. 2004

Info Security has become a fundamental business issue at the CEO and Board level  Balance IT investments with business risk decisions and put into a framework for implementation  Outlines accountability at various management levels, plus core elements of an information security program  Recognized the need to treat info security as a continuous improvement process © Copyright Entrust, Inc. 2005 CONFIDENTIAL 27

Why Enterprise Risk Management?

• Information security – Headlines confirm failures produce real business impact • Regulatory compliance – Inconsistent “best” practices being self-imposed • Enterprise risk management – Help position audit findings and legal liabilities • Search for the Holy Grail – A single framework to provide focus and efficiency © Copyright Entrust, Inc. 2005 CONFIDENTIAL 28

ISG – Keys to Successful Deployment

• Identify key systems (NIST SP800-18) • Simple subjective risk assessment (OMB A-130 App. III) • Risk expressed in words (threat, vulnerability, impact) • Red - Yellow - Green ranking (FIPS-PUB 199) • Iterative process, progressive detail (GAO/AIMD 00-33) • Transparent process with summary reporting (GAO/AIMD 98-68) © Copyright Entrust, Inc. 2005 CONFIDENTIAL 29

One Way Forward

• One-hour sessions quarterly with managers to review: – Ask them what they think the risks are – Assessment of controls/residual risk per ISO17799 element – Use the session to raise awareness of threats and risks – Follow-up with groups they defer to (IT, Legal, HR) • Consolidate view across the organization – Feedback to managers where they stand relative to others – Share results up the management chain, request feedback • Let the managers do the assessment – If you can't convince them it's a risk, they won't deal with it – They can put it into business terms better than you can • Executive Sponsorship is NOT required – They are accountable, work with it © Copyright Entrust, Inc. 2005 CONFIDENTIAL 30

How did ISG help our compliance efforts?

• almost immediate reduction in D&O insurance • framework for internal control assessment – processes and responsibilities were already defined – it was not a separate compliance effort – SOX control assessment fit into it • provided laser focus on the compliance issues – covered all audit topics at heart of major regulations – still little guidance, poor audit standards, multiple regulations to check – ISG provided us with the list of concerned areas with very little excess • contained our audit fees – we experienced over 100% increase, and they called us “best in class” – knowing our business risks made it easy to focus on our risks & our systems, not simply “best practices” © Copyright Entrust, Inc. 2005 CONFIDENTIAL 31

Conclusions

• SoX 404 Impacts – changed Corporate Governance permanently – need to improve cost benefit through risk-based assessment • Enterprise Risk is increasingly important – Provides a common framework for evaluating non-ROI projects – Executive Officers are accountable • Information Security issues moving to Risk Management – Enterprises are increasingly based on information – Higher value assets are intangible; related business risk increasing – Inherent conflict between ROI focused CIOs and Information risk mitigation • Continuous Improvement – Quality Model © Copyright Entrust, Inc. 2005 CONFIDENTIAL 32