Introduction
An ISMS (Information Security Management System) is a planned set of
rules, policies, and processes through which an organization
systematically manages its information security risks. It encompasses
technology, people and their adherence to policy, as well as measures to
ensure the needed confidentiality, integrity, and availability of sensitive
information.
Why it matters: an efficient ISMS is top-of-mind for Workiva in its line of
business, specifically given the company's enterprise customer base.
Directly underneath this idea, especially in an environment responsible for
handling some of the most sensitive financial data, is the trust that has
to be assumed and then built with the clients. Workiva operates within
a complex regulatory environment and has to align with a number of
standards, such as the General Data Protection Regulation (GDPR), across its
different international bases. A well-thought-through ISMS aligns the
security practices vested within Workiva to the ISO 27001 standard, building
assurance that those practices follow ISO 27001 and that the data of each
user is managed with strict measures.
Organizational
Workiva is a cloud software service whose connected and secure
platform provides solutions for the collection, compliance,
management, and reporting of complex business information. Over 3,100
organizations worldwide use this technology to work with data and content
and present them to users with high quality. Workiva belongs to a key class
of software that helps corporate and large government organizations manage
and control their sensitive and confidential financial data more easily;
much of that data boils down to Personally Identifiable Information (PII).
Since Workiva operates in a global market, the company is legally
responsible for fulfilling the various data security laws. Some of them may
include:
Key Assets
• Data: Client financial information, company intellectual property.
• SaaS Platform: Workiva's core technology and infrastructure.
• Reputation: Known for accuracy, security, and meeting regulatory
requirements.
• Employees: Skilled developers, compliance experts, support staff.
Risk Assessment
• Identified Risks:
o Ransomware
o Supply Chain Risk
o Data Exfiltration
o Cloud Infrastructure Outage
Ransomware
• Description: Ransomware encrypts the critical data and systems that
Workiva requires, so core assets become encrypted and operations are
affected; client data may be destroyed, impacting operations on
• Impact:
Disruption to the SaaS platform offered to Workiva's customers is passed
straight on to the client. Such disruption can stop customers from
completing their ESG reporting, attract penalties for those customers, and
result in loss of revenue.
• Likelihood:
Medium to High: Ransomware is rampant, but Workiva's mitigations
(backups, security awareness) lower it slightly.
Industry trends: Cite from reports to note the trend in attacks within
the financial services vertical or against SaaS providers.
Supply Chain Risk
• Impact:
Scope: Is the vulnerable component an actual risk in itself, or is it only
used in an isolated module rather than running across the core of
Workiva's financial computations? This will primarily determine in what
Client Data Exposure: If the component handles PII or other sensitive
data, the risk severity increases.
Loss of Control: This risk originates externally, limiting
Workiva's direct mitigation ability.
Enhanced impact analysis:
If a corrupted component were used in one of the core ESG reporting
calculations, the corruption could propagate through client data and
snowball into cascading impacts on compliance efforts.
Client Data Exposure: Any breach shakes the confidence of ordinary
people and all other stakeholders, from investors to the global
community, in the sensitive ESG data entrusted to Workiva. A solid
security basis would help Workiva quash such cynicism and compete
effectively in the ESG space.
Loss of Control: This risk highlights Workiva's difficulty in directly
controlling an attack that originates in third-party software; the audit
requirements of the new CSRD will further ramp up scrutiny of Workiva's
supply chain practices.
• Likelihood:
Medium: Vulnerabilities are common, but not always critical or easily
exploited.
Data Exfiltration - Enhanced
• Description: Sensitive client data, including ESG metrics, is stolen by an
external attacker or a malicious insider.
• Impact:
Major: Reputation Damage: especially high-impact given Workiva's focus on
the integrity of environmental, social, and governance data. Not only does
faith in Workiva's security come under scrutiny, but ESG reporting itself
can be undermined by the compromise.
Regulatory Fines: Since exfiltrated data falls under the purview of CSRD or
industry-specific regulation, Workiva and its clients would be liable for
heavy fines and would be compelled to report such incidents.
This would mean not just reputational harm to the company but also
regulatory action, pushing Workiva further down the lineup of key
businesses operating, or wanting to operate, in the ESG reporting market.
• Likelihood: Medium
In the case of an external breach or, worse, a malicious insider, the
concern is that Workiva's internal controls may be bypassed. Role-based
access, reinforced by Workiva's GRC tools, and monitoring may reduce this
risk.
Cloud Infrastructure Outage
• Impact:
Moderate to Severe: Disrupts customer access. Direct data loss is a lesser
concern, but any outage that causes critical ESG reporting deadlines to be
missed means significant delay and, indirectly, exposes clients to
reputational damage or even regulatory matters.
Example: Business Continuity Risk: Persistent outages could create
operational headwinds for the issuer, casting questions over its
dependability for ESG performance reporting, where time-sensitive
reporting is a crucial feature.
Insider Threat
• Impact:
Severe: Potential for large-scale data theft, as an insider likely has
greater access than an outsider.
Detection Difficulty: Malicious insiders can cover their tracks, delaying
discovery and increasing the impact.
• Likelihood:
Employees at large are to be trusted, but a few disgruntled ones may act
if approached by rivals.
Key Points
ESG Impact: As noted above, any of these risks has the potential to
cascade into issues with client ESG reporting and to adversely affect
Workiva's reputation, both for heightened ESG disclosure and for general
security vulnerabilities.
Nuance: The analysis shows that not all outages are created equal. A
transient disruption is less grave than one affecting reporting deadlines.
Workiva's strengths: its investment in risk control with GRC tools is a
mitigating factor for many of these risks.
Risk Evaluation
Risk Scoring Methodology
Workiva utilizes a Likelihood x Impact matrix to determine risk scores.
Numerical values are assigned to Likelihood and Impact levels as
follows:
• Likelihood
o Very Low: 1
o Low: 2
o Medium: 3
o High: 4
o Very High: 5
• Impact
o Insignificant: 1
o Minor: 2
o Moderate: 3
o Major: 4
o Catastrophic: 5
Risk register (columns: Risk, Description, Likelihood, Impact, Score, Risk
Tolerance Level, Controls, Specific Actions, Responsible Party):
Risk: Insider Threat
Description: Malicious activity or sabotage by an employee or contractor
Likelihood: 1
Impact: 5
Score: 5
Risk Tolerance Level: Medium (Trending Up)
Controls, specific actions and responsible party:
• A.5.1.1 - Principle of Least Privilege: Implement strict access controls
based on roles and job function. (IT/Security)
• A.5.1.2 - Background Checks: Conduct checks for employees with access to
sensitive data (frequency based on regulations). (HR/Security)
• A.7.2.2 - Security Awareness Training: Emphasize data handling, social
engineering, and reporting suspicious activity. (HR/Security)
• A.8.1, A.8.2 - Data Encryption: Encrypt sensitive data both at rest and
in transit. (Development/Security)
• A.9.2.1, A.9.2.2 - Termination Procedures: Include immediate revocation
of access and preservation of data upon termination. (IT/Security/HR)
• A.10.12.1 - Monitoring Systems: Implement tools to monitor user behavior
and flag anomalies (e.g., unusual activity outside working hours,
downloads from sensitive locations). (Security Operations Center)
AWS VPC Flow Logs: VPC Flow Logs capture information about the IP traffic
to and from network interfaces. This information can help signal
anomalous data transfers, such as unauthorized access attempts or
communications to
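As an added illustration of how flow-log records can be screened for the anomalous transfers described above (example code written for this page, not part of the original document or of Workiva's tooling), the script below parses the default version-2 VPC Flow Log format and totals accepted bytes from each in-VPC source to each destination outside the VPC. The log lines, the VPC CIDR and the byte threshold are constructed assumptions.

```python
"""Flag unusually large outbound transfers in AWS VPC Flow Logs (default v2).
Added example, not part of the original document; the log lines, VPC CIDR
(10.0.0.0/16) and 50 MB threshold are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Default VPC Flow Log (version 2) space-separated fields, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: one internal flow, one large egress, one rejected
# inbound attempt, one small egress, one NODATA record with no traffic fields.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 49152 443 6 120 45000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49160 443 6 90000 61000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 50000 22 6 10 600 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 203.0.113.7 49170 443 6 300 180000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per well-formed record; skip NODATA/SKIPDATA records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic fields to evaluate
        rec["bytes"] = int(rec["bytes"])
        yield rec

def flag_large_egress(text, vpc_cidr="10.0.0.0/16", threshold_bytes=50_000_000):
    """Total ACCEPTed bytes from each in-VPC source to each out-of-VPC
    destination; return {(src, dst): bytes} for pairs at or above threshold."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for rec in parse_flow_log(text):
        if rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in vpc and dst not in vpc:
            totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return {pair: b for pair, b in totals.items() if b >= threshold_bytes}

if __name__ == "__main__":
    for (src, dst), nbytes in flag_large_egress(SAMPLE_LOGS).items():
        print(f"ALERT large egress {src} -> {dst}: {nbytes} bytes")
```

In a real deployment the same aggregation would run over the flow-log files delivered to S3 or CloudWatch Logs, with the threshold tuned to the normal egress baseline of each interface.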
MetricStream Integration:
Raw log data and Splunk alerts flow automatically into the MetricStream
GRC platform.
• Centralized Risk View: Security risks are seen alongside other risk
categories within Workiva's GRC framework.
• Incident Management: Tracking ensures that all incidents are
attended to, resolved, and reported on in time.
Vulnerability Integration:
Once a vulnerability scan report is in, it is linked to the appropriate
asset within MetricStream so that prioritization can be done.
• ESG Reporting:
They include the following:
The Core Tension: SaaS companies live and die by unceasing innovation that
matches customers' ever-changing needs. At the same time, this business
model depends on the trust that clients place in them to keep their
sensitive data safe. That trust is tested further by tightened regulations,
as in the case of Windows 2020, where the emphasis is on data privacy or
security restrictions.
Conclusion
Workiva's existing certifications like SOC 2 and ISO 27001 provide a
strong foundation. However, its ISMS must specifically address the
unique challenges of balancing SaaS speed with the data protection
mandated by GDPR. Here's where my own critical reflection comes in:
Change as an opportunity: While it may feel like GDPR adds
constraints, it can be leveraged as an opportunity to improve
processes, build stronger customer relationships, and foster
proactive risk management. By being transparent about their data
handling practices, Workiva can actually differentiate itself in the
market as a security-conscious provider.
The Human Element: Technology and process are vital, but
equally important is fostering a culture of security awareness
across the organization. Regular training and communication will
ensure that GDPR compliance isn't just a task for security teams,
but embedded in the mindset of all employees.
References:
Risk Assessment
Overall Methodology:
o National Institute of Standards and Technology (NIST) guidelines: NIST
Special Publication 800-30 Revision 1, Guide for Conducting Risk
Assessments
(https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf).
Ransomware Risk:
o Industry Reports: Look for ransomware trend reports from
security companies like CrowdStrike, Cisco, or Verizon. These
reports often provide sector-specific insights relevant to
finance.
o Ransomware-as-a-Service (RaaS): Research the economics of
RaaS to understand what makes SaaS companies particularly
vulnerable.
Supply Chain Risk:
o Cloud Security Alliance (CSA) Reports: The CSA has excellent
resources on cloud supply chain risks
(https://cloudsecurityalliance.org/).
o Shared Assessments Program: Useful for third-party vendor
assessments: (https://sharedassessments.org/)
Insider Threat:
o Verizon Data Breach Investigations Report (DBIR): Regularly
analyze sections on insider threats for common tactics
(https://www.verizon.com/business/resources/reports/dbir/).
o Studies on employee motivation: Search for academic
papers on the psychology of insider threats to understand
the human side of the risk.
BEC:
o FBI's Internet Crime Complaint Center (IC3): Issue annual
reports with statistics and tactics used in BEC scams
(https://www.ic3.gov/).
Risk Treatment Plans
ISO 27001:
o ISO 27001 Standard: Purchase the official text as the primary
reference for control descriptions
(https://www.iso.org/standard/75101.html).
o ISO 27002 Guidance: Offers implementation advice on the
controls in Annex A
(https://www.iso.org/standard/73906.html).
Specific Technologies/Practices:
o Endpoint DLP, Encryption, Security gateways, etc.: Vendor
websites or independent security product reviews for
implementation specifics.
Monitoring and Communication
AWS Security Best Practices:
o AWS Well-Architected Framework: Focus on the Security
Pillar (https://aws.amazon.com/well-architected/).
o AWS Whitepapers on Security: ([invalid URL removed])
SIEM (Splunk)
o Splunk Documentation: Best practices for alerts, security
dashboards, etc. (https://docs.splunk.com/)
GRC Platforms (MetricStream)
o MetricStream Resources: Whitepapers, case studies for how
their platform supports compliance and risk management
(https://www.metricstream.com/)
GDPR-Compliant Incident Response
Primary Source: Official GDPR text on data breaches: Articles 33
and 34 (https://gdpr-info.eu/)
Guidance from Data Protection Authorities: Check the website of
the relevant authority (e.g., UK's ICO) for breach notification
forms, templates, etc.
Example: The ICO has guidance specifically for small
businesses: https://ico.org.uk/for-organisations/report-a-breach/.
Critical Reflection
DevSecOps:
o OWASP DevSecOps Maturity Model (https://owasp.org/)
o SANS Institute: Security training and resources on
DevSecOps (https://www.sans.org/)
Annual report 2021 for NYSE: WK (Workiva), n.d., annualreports.com,
https://www.annualreports.com/HostedData/AnnualReportArchive/w/NYSE_WK_2021.pdf