Do you have a second line of defense team? What frameworks do they cover - SOX only or more? Where does this team report in the organization (i.e. CFO, Accounting, Legal, Chief Compliance Officer, CEO, CAE, etc.)?

704 views2 Upvotes3 Comments

Sort by:

VP of Legal in Energy and Utilities2 years ago

We're in the process of scaling our Compliance team to perform second line of defense control testing; our current frameworks are OSHA, SOX, and some bespoke regulatory requirements specific to our business. Compliance reports to our Chief Growth Officer as we are in the process of building out an in-house Legal function.

Chief Financial Officer2 years ago

I have a very active and integrated second line of defense who do, ERM (including hosting a cross functional risk committee), SOX and IA. They report to CFO, accountable to Audit Committee.

They have very good connections across the whole company, they add a lot of value.

Vice President - Internal Audit and Enterprise Risk Management in Healthcare and Biotech2 years ago

Our Ethics & Compliance program reports up to our Chief Compliance Officer, who in turn reports to our Chief Legal and Risk Officer. We also have an IT-centric second line function (reporting to our CISO) that provides security and control guidance to the organization. They cover multiple frameworks, including NIST and HITRUST, as well as the controls frameworks utilized for our SOC1 and SOC2, plus any regulatory driven control requirements.

Content you might like

Has anyone created and presented a cybersecurity audit roadmap to the Audit Committee on how the Internal Audit function plans to provide value-added assurance on the effectiveness of cybersecurity controls across the spectrum of cyber security risks?

Why do you think there are so few mature AI-driven autonomous pentesting solutions on the market, and why does this topic seem to generate more hype than in-depth technical discussion?

How long does your organization retain original systems logs used to filter SOX-related actions into a system that requires review of the logs and retains the filtered logs for seven years? Does your organization consider those original system logs records subject to record retention requirements, or supporting information used to create the SOX records?

90 Days13%

365 Days41%

3 years28%

5 years9%

7 years9%

Other (share in the comments)

View Results

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

What’s your top barrier to adopting AI-driven pentesting?

Lack of mature vendor solutions45%

Trust in AI accuracy63%

Budget constraints17%

Skills to operate the tools26%

View Results

Do you have a second line of defense team? What frameworks do they cover - SOX only or more? Where does this team report in the organization (i.e. CFO, Accounting, Legal, Chief Compliance Officer, CEO, CAE, etc.)?

Sort by:

Content you might like

Has anyone created and presented a cybersecurity audit roadmap to the Audit Committee on how the Internal Audit function plans to provide value-added assurance on the effectiveness of cybersecurity controls across the spectrum of cyber security risks?

Why do you think there are so few mature AI-driven autonomous pentesting solutions on the market, and why does this topic seem to generate more hype than in-depth technical discussion?

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

What’s your top barrier to adopting AI-driven pentesting?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go