
Information Security Management System (ISMS)

Proposal for Workiva

Introduction
An ISMS (Information Security Management System) is a planned set of
rules, policies, and processes through which an organization
systematically manages its information security risks. It covers
technology, people and their adherence to policy, and the measures
needed to ensure the confidentiality, integrity, and availability of
sensitive information.
Why it matters: an efficient ISMS is essential for Workiva in its line
of business, especially given the company's enterprise customer base.
Underlying this, in an environment that handles some of the most
sensitive financial data, is the trust that clients must place in
Workiva and that Workiva must build with them. Workiva operates within
a complex regulatory environment and, with its international bases,
has to align with a number of standards such as the General Data
Protection Regulation (GDPR). A well-thought-through ISMS aligns
Workiva's security practices with ISO 27001 and gives clients assurance
that each user's data is managed with strict measures.

Organizational
Workiva is a cloud software service that has a connected and secure
platform providing solutions to the collection, compliance,
management, and reporting of complex business information. This
technology is used by over 3,100 organizations worldwide to enable
quality work with data and content to be presented to users. Workiva is
a key class of software that helps corporate and large government
organizations more easily manage and control their sensitive and
confidential financial data, mostly boiling down to Personally
Identifiable Information (PII).
Since Workiva works in a global market, the company is legally
responsible for fulfilling the various data security laws. Some of them
include:

• GDPR: Protecting the personal data of EU residents.
• Industry-Specific Regulations: HIPAA

Key Assets
• Data: Client financial information, company intellectual property.
• SaaS Platform: Workiva's core technology and infrastructure.
• Reputation: Known for accuracy, security, and meeting regulatory
requirements.
• Employees: Skilled developers, compliance experts, support staff.

Roles Relevant to Information Security

• Development Teams: Integrate security features from the design
stage.
• CloudOps / Security Teams: Maintain cloud security and monitor
for threats.
• Client Success & Support: Handle security incidents and client
inquiries.
• Leadership: Set ISMS strategy and allocate resources.

Why an ISMS is Important for Workiva

• Protects Client Data: Mitigates breaches and data loss.
• Maintains Regulatory Compliance: Helps avoid fines and
reputational damage.
• Competitive Advantage: Reinforces Workiva as a trusted partner.
• Systematic Approach: Prevents ad-hoc security and ensures
continuous improvement.

Risk Assessment

• Methodology: Likelihood x Impact Matrix (5x5)

Scale | 1 | 2 | 3 | 4 | 5
Likelihood | Very Low | Low | Medium | High | Very High
Impact | Insignificant | Minor | Moderate | Major | Catastrophic

• Identified Risks:
o Ransomware
o Supply Chain Risk
o Data Exfiltration
o Cloud Infrastructure Outage

Ransomware
• Description: encrypts all critical data and systems required by
Workiva, thereby core assets will be encrypted, affecting operations;
data related to clients will be destroyed, impacting operations on

• Impact:
Disruption to the SaaS platform offered to Workiva's customers falls
directly on the client. Such disruption can stop customers from
completing their ESG reporting, attract penalties for the customers,
and result in loss of revenue.

Loss of Trust from Customers: Even once Workiva is back in operation,
clients will not trust that Workiva can keep sensitive ESG data safe
from exposure. This is a significant risk to Workiva's reputation.
Regulatory Fallout: If a ransomware incident compromises customer data
that is regulated under the CSRD or industry-specific standards,
Workiva would likely face fines and reporting delays.
• Likelihood: Medium to High: Ransomware is rampant, but Workiva's
mitigations (backups, security awareness) lower it slightly. Workiva's
GRC tools may give better visibility into patch status and vendor risk,
further lowering the likelihood.

Supply Chain Risk

Weaknesses in software components developed by external parties other
than Workiva may expose customers to a risk of breach, potentially
affecting the integrity of ESG-related information.

• Impact:
If a corrupted component were used in one of the core ESG reporting
calculations, the corruption could propagate through client data and
snowball into cascading impacts on compliance efforts.
Client Data Exposure: Any breach shakes the confidence of all
stakeholders, from investors to the global community, in entrusting
sensitive ESG data to Workiva. Conversely, demonstrable control over
the supply chain lets Workiva quash such doubts and compete
effectively in the ESG space.
Loss of Control: An attack that originates in third-party software is
difficult for Workiva to control directly, and the audit requirements
of the new CSRD will further increase scrutiny of Workiva's supply
chain practices.
Data Exfiltration - Enhanced
• Description: Sensitive client data, including ESG metrics, is stolen
by an external attacker or a malicious insider.

• Impact:
Major: Reputation Damage: Especially high-impact given Workiva's focus
on the integrity of environmental, social, and governance data. Not
only does faith in Workiva's security come under scrutiny, but the ESG
reporting itself may be compromised.
Regulatory Fines: Since the exfiltrated data falls under the purview of
the CSRD or industry-specific regulation, Workiva and its clients would
be liable for heavy fines and would be obliged to report such
incidents.
This means not just reputational harm but also regulatory action,
which would push Workiva down the lineup of key businesses operating,
or wanting to operate, in the ESG reporting market.

Likelihood: Medium
In the case of an external breach or, worse, a malicious insider, the
concern is that Workiva's internal controls may be bypassed. Role-based
access, reinforced by Workiva's GRC tools, together with monitoring may
reduce this risk.

Cloud Infrastructure Outage - Enhanced

Example: A high-frequency, high-severity event that disrupts Workiva
services: the cloud provider, such as AWS or Azure, is down, so that
from a customer perspective neither Workiva nor the customer can access
ESG data, process it, or report on it.

• Impact:
Moderate to Severe: Disrupts customer access. Direct data loss is less
likely, but an outage that causes critical ESG reporting deadlines to
be missed means great delay, and indirectly exposes clients to
reputational damage or even regulatory consequences.
Business Continuity Risk: Persistent outages could create operational
headwinds for the issuer and raise questions over its dependability in
ESG performance, where time-sensitive reporting is a crucial feature.

Key Points
ESG Impact: As noted above, each of these risks has the potential to
cascade into issues with client ESG reporting and to damage Workiva's
reputation, both in terms of heightened ESG disclosure and of general
security vulnerabilities.
Nuance: From the analysis, it stands out that not all outages are
created equal. A transient disruption is surely less grave than one
affecting reporting deadlines. Workiva's strength is its investment in
risk control through GRC tools, which is a mitigating factor for many of
these risks.

Risk: Data Exfiltration

ISO 27001 Controls | Specific Actions | Responsible Party
A.12.4, A.13.1, A.13.2 | Network DLP for egress monitoring | Networking/Security Teams
 | Endpoint DLP controls on workstations | IT/Endpoint Security
 | Data classification policy, role-based restrictions | Compliance/Security Teams
A.14.2.5, A.9.2 | Access controls (Least Privilege) on sensitive data | IT/Security
A.8.1, A.8.2 | Encryption at rest and in transit | Development/Security
A.7.2.2, A.17.2 | Security awareness training (phishing, data handling) | HR/Security

Risk: Cloud Infrastructure Outage

ISO 27001 Controls | Specific Actions | Responsible Party
A.17.1, A.17.2 | Multi-region or multi-cloud architecture | CloudOps/Security
 | Regular backups (offsite or different cloud providers) | CloudOps/Backup Team
A.16.1.7, A.17.1 | Disaster Recovery Plan including cloud failover procedures | IT/Security/CloudOps
A.17.1 | Business Continuity Plan for communication and workarounds | Management/Security

Risk Identification
We'll focus on enhancing the analysis of these risks:
• Ransomware (R6)
• Supply Chain Risk (R5)
• Insider Threat
• Business Email Compromise (BEC)

Enhanced Risk Analysis

Ransomware (R6)
• Impact:
Severe: Disruption of Workiva's SaaS platform impacts multiple clients,
not just Workiva's own operations.
Loss of Trust: Client trust is broken; even once operations resume,
clients will see Workiva as having been slow to protect their
information, and this ultimately churns the business.
Regulatory Fallout: Penalties or notices would presumably be issued to
the controller after the breach, depending on the regulations Workiva
must abide by.

Likelihood:
Medium to High: Ransomware is rampant, but Workiva's mitigations
(backups, security awareness) lower it slightly.
Industry trends: Cite from reports to note the trend in attacks within
the financial services vertical or associated with SaaS providers.
Supply Chain Risk

• Impact:
Scope: Is the vulnerable component used only in an isolated module, or
does it sit across the core of Workiva's financial computations? This
will primarily determine in what
Client Data Exposure: If the component handles PII or other sensitive
data, the risk severity increases.
Loss of Control: This risk originates externally, limiting Workiva's
direct mitigation ability.

• Likelihood:
Medium: Vulnerabilities are common, but not always critical or easily
exploited.

Insider Threat
• Impact:
Severe: Potential for large-scale data theft, as an insider likely has
greater access than an outsider.
Detection Difficulty: Malicious insiders can cover their tracks,
delaying discovery and increasing the impact.
• Likelihood:
Employees at large are to be trusted, but a few disgruntled ones may
act if approached by rivals.

Business Email Compromise (BEC)

• Impact:
Severe Financial Loss: Can involve tricking executives into authorizing
fraudulent wire transfers.
Difficult to Recover Funds: Once the wire is sent, retrieving it can be
nearly impossible.

Risk Evaluation
Risk Scoring Methodology
Workiva utilizes a Likelihood x Impact matrix to determine risk scores.
Numerical values are assigned to Likelihood and Impact levels as
follows:
• Likelihood
o Very Low: 1
o Low: 2
o Medium: 3
o High: 4
o Very High: 5
• Impact
o Insignificant: 1
o Minor: 2
o Moderate: 3
o Major: 4
o Catastrophic: 5

Risk scores are calculated by multiplying Likelihood x Impact.

Risk Tolerance Levels:
• High Risk: Score > 15 (Immediate action required)
• Medium Risk: 6-15 (Mitigation plans and resource allocation
needed)
• Low Risk: < 6 (Monitor and review regularly)
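The scoring method and tolerance bands above, written out as a small risk-register script. This is an added example, not code from the proposal or from Workiva. The Insider Threat (1 x 5) and BEC (3 x 5) scores come from the proposal's own treatment tables; the Ransomware and Cloud Infrastructure Outage entries are constructed picks within the ranges the proposal describes. Putting the bands into code makes the boundary explicit: under the stated thresholds a score of 15 is the top of the Medium band and 16 is the lowest High score.

```python
"""Likelihood x Impact risk scoring as set out in the Risk Evaluation section.

Added example, not code from the proposal or from Workiva. The register below
takes the Insider Threat (1 x 5) and BEC (3 x 5) scores from the proposal's
own tables; the Ransomware and Cloud Infrastructure Outage entries are
constructed picks within the ranges the proposal describes.
"""
from dataclasses import dataclass

# Numerical values assigned to the Likelihood and Impact levels
LIKELIHOOD = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str


def score(likelihood: str, impact: str) -> int:
    """Risk score = Likelihood x Impact (1..25). Raises KeyError on an unknown level."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def tolerance(score_value: int) -> str:
    """Map a score onto the tolerance bands exactly as stated: >15 High, 6-15 Medium, <6 Low.

    15 (Medium x Catastrophic) is therefore the top of the Medium band and
    16 is the lowest High score; the boundary cannot drift between reviewers.
    """
    if score_value > 15:
        return "High"
    if score_value >= 6:
        return "Medium"
    return "Low"


def evaluate(risks):
    """Score every risk and return (name, likelihood, impact, score, tolerance),
    highest score first, which is the order in which treatment plans are worked."""
    rows = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        rows.append((r.name, r.likelihood, r.impact, s, tolerance(s)))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


def matrix():
    """The full 5x5 matrix as {(likelihood, impact): tolerance}, for a heat-map view."""
    return {(lk, im): tolerance(LIKELIHOOD[lk] * IMPACT[im])
            for lk in LIKELIHOOD for im in IMPACT}


# Constructed risk register (see module docstring for which values come from the proposal)
REGISTER = [
    Risk("Insider Threat", "Very Low", "Catastrophic"),           # 1 x 5 = 5, from the proposal
    Risk("Business Email Compromise", "Medium", "Catastrophic"),  # 3 x 5 = 15, from the proposal
    Risk("Ransomware", "High", "Catastrophic"),                   # constructed: "Medium to High"
    Risk("Cloud Infrastructure Outage", "Medium", "Major"),       # constructed: "Moderate to Severe"
]

if __name__ == "__main__":
    for name, lk, im, s, band in evaluate(REGISTER):
        print(f"{name:<28} {lk:<9} {im:<13} {s:>2}  {band}")
```

Running the script lists the register highest score first; `matrix()` gives the 25 cells for a heat-map, of which only four (4x4, 4x5, 5x4, 5x5) fall in the High band under the stated thresholds.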

Risk Treatment Plans

This section details specific actions and controls to mitigate identified
risks.
• Components:
o Risk: The specific risk being addressed (e.g., Data Exfiltration).
o ISO 27001 Controls: Relevant controls from the standard that can
be implemented (e.g., A.8.2 - Encryption at rest).
o Specific Actions: Detailed steps to implement the controls (e.g.,
Encrypt data at rest using industry-standard AES-256 encryption).
o Responsible Party: The team or individual accountable for
implementing the actions (e.g., Development Team).

Risk: Insider Threat

Risk | Description | Likelihood | Impact | Score | Risk Tolerance Level
Insider Threat | Malicious activity or sabotage by an employee or contractor | 1 | 5 | 5 | Medium (Trending Up)

ISO 27001 Controls | Specific Actions | Responsible Party
A.5.1.1 | Principle of Least Privilege: Implement strict access controls based on roles and job function. | IT/Security
A.5.1.2 | Background Checks: Conduct checks for employees with access to sensitive data (frequency based on regulations). | HR/Security
A.7.2.2 | Security Awareness Training: Emphasize data handling, social engineering, and reporting suspicious activity. | HR/Security
A.8.1, A.8.2 | Data Encryption: Encrypt sensitive data both at rest and in transit. | Development/Security
A.9.2.1, A.9.2.2 | Termination Procedures: Include immediate revocation of access and preservation of data upon termination. | IT/Security/HR
A.10.12.1 | Monitoring Systems: Implement tools to monitor user behavior, flag anomalies (e.g., unusual activity outside working hours, downloads from sensitive locations). | Security Operations Center

Risk: Business Email Compromise (BEC)

Risk | Description | Likelihood | Impact | Score | Risk Tolerance Level
Business Email Compromise (BEC) | Targeted attacks tricking employees into authorizing fraudulent transactions, impersonating executives or trusted vendors. | 3 | 5 | 15 | High

ISO 27001 Controls | Specific Actions | Responsible Party
A.7.2.2 | Mandatory Security Awareness Training: Train ALL employees on BEC tactics (phishing, spoofing, urgency, unusual requests). Conduct frequent simulations with realistic scenarios. | HR/Security
A.13.1 | Email Security Gateway: Implement a robust solution for spam filtering, BEC detection (domain spoofing, language analysis, known bad actor lists). Flag suspicious emails for review. | IT/Security
A.13.2 | Multi-Factor Authentication (MFA): Enforce MFA for all email accounts and ANY system handling financial transactions. Prevent account compromise by attackers. | IT
A.9.2.4 | Dual Authorization: Mandatory for ALL wire transfers, regardless of amount. Include phone verification with known parties for high-risk transactions. | Finance/Management
A.6.1.5 | Vendor Onboarding: Thorough vetting of vendor security posture, including documented BEC prevention processes, before establishing financial relationships. | Procurement/Security
A.15.2.2 | Incident Response Plan: Dedicated section for BEC incidents. Prioritize actions to contain financial damage (freezing accounts, contacting banks). | Security/IT/Finance

Monitoring & Communication: AWS & MetricStream Focus

• Log Sources
AWS CloudTrail: Records API activity, login attempts, and any
modification to the environment, which aids auditing and information
security investigations.

AWS VPC Flow Logs: Capture information about IP traffic to and from
network interfaces. This information can help signal anomalous data
transfers, such as unauthorized access attempts or communications to.

• AWS GuardDuty: A managed and automated security service that looks
for risky activities in your AWS account, including unusual API calls,
potential reconnaissance by attackers, and suspicious occurrences of
account-level malware.

• SIEM Integration (Splunk):
All relevant logs are centralized into Splunk for real-time analysis
and correlation of security events. The current Workiva risk scenarios
will have preconfigured alerts for: anomalies in traffic volume, data
transfer to an external location, access attempts from unusual
locations, and privilege escalations.
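Three of the alert categories listed above (privilege escalation, access from an unusual location, bulk transfer to an external location) expressed as rules over CloudTrail events and VPC Flow Log records, with a simple correlation step of the kind the SIEM would perform. This is an added example, not the proposal's or Workiva's code, and not a Splunk search. The events and flow records are constructed; the "geo" country on a login event is not a native CloudTrail field and stands in for SIEM-side enrichment (what Splunk's iplocation command adds); the egress threshold, the internal address ranges, and the set of usual countries are assumptions a SOC would tune.

```python
"""Alert logic for the Splunk scenarios listed above: privilege escalation,
access from unusual locations, and data transfer to an external location.

Added example, not the proposal's or Workiva's code. The CloudTrail events and
VPC Flow Log records are constructed. The "geo" country on a login event is
not a native CloudTrail field; it stands in for SIEM-side enrichment. The
egress threshold, the internal ranges and the usual countries are assumptions.
"""
import ipaddress
import json

EGRESS_BYTES_THRESHOLD = 50 * 1024 * 1024      # assumption: 50 MiB in one flow record
USUAL_COUNTRIES = {"US", "GB"}                  # assumption: where staff normally sign in from
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_POLICY_SUFFIX = "policy/AdministratorAccess"

# Constructed CloudTrail-style events (only the fields the rules read)
CLOUDTRAIL_EVENTS = [
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
                "sourceIPAddress": "203.0.113.10", "geo": {"country": "US"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
                "sourceIPAddress": "198.51.100.7", "geo": {"country": "RU"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "AttachUserPolicy", "userIdentity": {"userName": "bob"},
                "requestParameters": {"userName": "bob",
                                      "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}),
    json.dumps({"eventName": "AttachUserPolicy", "userIdentity": {"userName": "alice"},
                "requestParameters": {"userName": "svc-reporting",
                                      "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}),
]

# Constructed VPC Flow Log v2 records: version account eni src dst srcport
# dstport protocol packets bytes start end action log-status
VPC_FLOW_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 443 51234 6 120 65000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.77 51000 443 6 90000 104857600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.5 51001 443 6 40 8000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.25 33000 22 6 3 180 1700000000 1700000060 REJECT OK",
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_cloudtrail(raw_events):
    """Return (alert_type, subject, detail) tuples from the login and IAM rules."""
    alerts = []
    for raw in raw_events:
        ev = json.loads(raw)
        name = ev.get("eventName")
        actor = ev.get("userIdentity", {}).get("userName", "unknown")
        if name == "ConsoleLogin":
            country = ev.get("geo", {}).get("country", "??")
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            # Access attempt from an untypical location, or without MFA
            if country not in USUAL_COUNTRIES or not mfa:
                alerts.append(("unusual_login", actor, f"country={country} mfa={mfa}"))
        elif name in ("AttachUserPolicy", "AttachRolePolicy"):
            params = ev.get("requestParameters", {})
            arn = params.get("policyArn", "")
            # Privilege escalation: the managed AdministratorAccess policy being attached
            if arn.endswith(ADMIN_POLICY_SUFFIX):
                target = params.get("userName") or params.get("roleName")
                alerts.append(("privilege_escalation", actor, f"target={target} policy={arn}"))
    return alerts


def analyze_flow_logs(lines):
    """Flag accepted internal-to-external flows whose byte count exceeds the threshold."""
    alerts = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[0] != "2":      # skip malformed records or other versions
            continue
        src, dst, byte_count, action = f[3], f[4], int(f[9]), f[12]
        if (action == "ACCEPT" and is_internal(src) and not is_internal(dst)
                and byte_count >= EGRESS_BYTES_THRESHOLD):
            alerts.append(("bulk_egress", src, f"dst={dst} bytes={byte_count}"))
    return alerts


def correlate(alerts):
    """Group alerts by subject; a subject hit by more than one rule is escalated."""
    kinds = {}
    for kind, subject, _detail in alerts:
        kinds.setdefault(subject, set()).add(kind)
    return {s: ("investigate" if len(k) > 1 else "review") for s, k in kinds.items()}


if __name__ == "__main__":
    found = analyze_cloudtrail(CLOUDTRAIL_EVENTS) + analyze_flow_logs(VPC_FLOW_LINES)
    for alert in found:
        print(alert)
    print(correlate(found))
```

On the constructed input, "bob" trips both the unusual-login and the privilege-escalation rules and is escalated, while "alice" (usual country, MFA, read-only policy) produces nothing; the single large accepted flow to an external address is flagged for review. The internal ranges are tested explicitly rather than with `ip_address(...).is_private`, because the documentation addresses used in the sample (198.51.100.0/24 and so on) are also classed as non-global by that property.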

MetricStream Integration:
Raw log data and Splunk alerts flow automatically into the
MetricStream GRC platform.

• Centralized Risk View: Security risks are seen alongside other risk
categories within Workiva's GRC framework.
• Incident Management: Tracking ensures that all incidents are
attended to, resolved, and reported on in time.

Vulnerability Integration:
Once a vulnerability scan report is in, its findings are attached to
the appropriate asset within MetricStream so that prioritization can
be done there.

• ESG Reporting:
They include the following:

- Security metrics from MetricStream (incident statistics, training
completions) help quantify the effect of security.
- It will also help improve their ESG disclosures in a way
- Vendor assessments within MetricStream can include ESG criteria,
enriching ESG reporting on supply chain impact.

GDPR-Compliant Incident Response Plan

Definition of a Data Breach: As defined under the GDPR, a reportable
data breach refers to a breach involving accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to
personal data transmitted, stored, or otherwise processed.

Incident Response Team:
Security Operations Lead: Coordinates containment, investigation, and
technical remediation.
Compliance Officer: Assesses severity, determines reporting
obligations, and oversees communication with authorities.
Senior Management: Provides executive support and makes strategic
decisions on external communication.

Containment and Investigation:


Containment: Isolate affected systems (network segmentation,
quarantine, etc.) to prevent the spread of the breach.
Investigation - Affected system forensics for breach type, data
exfiltrated, root cause, and overall scope of incident.

Assessment and Notification:
Risk assessment: Compliance is one of the considerations. The security
team assesses whether the breach meets GDPR's 72-hour notification
threshold. Among the factors: the kind of data, its sensitivity, and
whether there is any indication of harm to individuals (such as
identity theft or discrimination).

Notification to the supervisory authority: Notify the relevant
supervisory authority (for instance, the ICO in the UK) within 72
hours of the nature of the breach, the data involved, and the actions
being taken to limit it. In some cases, where the risk is high,
affected individuals are also notified directly.
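The assessment-and-notification step above, as an added worked example that is not the proposal's own procedure or Workiva's code. It records when Workiva became aware of the breach, computes the 72-hour authority deadline, and turns the plan's assessment factors (kind of data, sensitivity, indication of harm) into a decision on whether the supervisory authority and the affected individuals must be notified. The breach records are constructed, and the mapping from data categories and harm indicators to a risk level is an assumption; in the plan that judgement rests with the Compliance Officer, and this code only makes the inputs to it explicit.

```python
"""Breach assessment and 72-hour notification tracking for the GDPR-compliant
incident response plan above.

Added example, not the proposal's procedure or Workiva's code. The breach
records are constructed; the category-to-risk mapping is an assumption that a
Compliance Officer would refine.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# GDPR Art. 33: notify the supervisory authority within 72 hours of becoming aware
AUTHORITY_WINDOW = timedelta(hours=72)

# Assumed mappings from the plan's assessment factors to a risk level
SENSITIVE_CATEGORIES = {"financial", "health", "identity_document", "credentials"}
HARM_INDICATORS = {"identity_theft", "discrimination", "financial_loss", "fraud"}


@dataclass
class BreachRecord:
    incident_id: str
    became_aware_at: datetime          # timezone-aware; the 72 hours run from here
    data_categories: set
    personal_data_involved: bool
    harm_indicators: set = field(default_factory=set)
    data_unintelligible: bool = False  # e.g. encrypted and the key not compromised (Art. 34(3)(a))


def authority_deadline(became_aware_at: datetime) -> datetime:
    return became_aware_at + AUTHORITY_WINDOW


def risk_level(record: BreachRecord) -> str:
    """Assumed rule: harm indicators, or readable sensitive data, mean high risk."""
    sensitive = bool(record.data_categories & SENSITIVE_CATEGORIES)
    harm = bool(record.harm_indicators & HARM_INDICATORS)
    if harm or (sensitive and not record.data_unintelligible):
        return "high"
    if record.data_unintelligible:
        return "low"
    return "medium"


def assess(record: BreachRecord, now: datetime) -> dict:
    """Decide the notification obligations and how long remains on the 72-hour clock."""
    if not record.personal_data_involved:
        # Not a personal data breach under the GDPR definition; no Art. 33 obligation
        return {"incident_id": record.incident_id, "reportable": False, "risk": "none",
                "notify_authority": False, "notify_individuals": False,
                "document_internally": True}
    level = risk_level(record)
    deadline = authority_deadline(record.became_aware_at)
    hours_left = (deadline - now).total_seconds() / 3600
    return {
        "incident_id": record.incident_id,
        "reportable": True,
        "risk": level,
        # Art. 33: notify unless the breach is unlikely to result in a risk to individuals
        "notify_authority": level != "low",
        # Art. 34: inform individuals when the risk is high, unless the data is unintelligible
        "notify_individuals": level == "high" and not record.data_unintelligible,
        # Art. 33(5): every breach is documented, whether reported or not
        "document_internally": True,
        "authority_deadline": deadline,
        "hours_remaining": hours_left,
        "overdue": hours_left < 0,
    }


if __name__ == "__main__":
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    rec = BreachRecord("INC-0001", aware, {"financial", "contact"}, True, {"identity_theft"})
    print(assess(rec, now=aware + timedelta(hours=30)))
```

The record keeps `became_aware_at` separately from the time of the assessment because the 72 hours run from awareness, not from when the Compliance Officer gets to the ticket; `hours_remaining` going negative is the signal that the late-notification justification GDPR requires will have to be written.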

Critical Reflection: SaaS Agility vs. Security with a Focus on Workiva

The Core Tension: SaaS companies live and die by unceasing innovation
to match customers' ever-changing needs. At the same time, the business
model rests on the trust that clients place in them to keep sensitive
data safe. This is reinforced by tightening regulations, as in the case
of Windows 2020, that emphasize data privacy and security restrictions.

Workiva-Specific Examples: Agile velocity must be balanced with
thoroughness. SaaS development is generally associated with a
considerably shorter release cycle. Rapid innovation leads developers
to adopt as many new tools as possible, from automation through to
services that ensure the fastest possible functionality release.
Contrast this with a GDPR-focused ISMS, which will in part call for a
complete PIA or security audit that, at the most generous estimate,
adds time to the deployment timeline. What this means for the highly
sensitive financial data of customers is that any new functionality
demanded by customers must take security into account from the design
stage, to avoid costly retrofits in the future or, even worse, breaches
of GDPR.

Conclusion
Workiva's existing certifications like SOC 2 and ISO 27001 provide a
strong foundation. However, its ISMS must specifically address the
unique challenges of balancing SaaS speed with the data protection
mandated by GDPR. Here's where my own critical reflection comes in:
• Change as an opportunity: While it may feel like GDPR adds
constraints, it can be leveraged as an opportunity to improve
processes, build stronger customer relationships, and foster
proactive risk management. By being transparent about their data
handling practices, Workiva can actually differentiate itself in the
market as a security-conscious provider.
• The Human Element: Technology and process are vital, but
equally important is fostering a culture of security awareness
across the organization. Regular training and communication will
ensure that GDPR compliance isn't just a task for security teams,
but embedded in the mindset of all employees.

References:
Risk Assessment
• Overall Methodology:
o National Institute of Standards and Technology (NIST)
guidelines: NIST Special Publication 800-30 Revision 1, Guide
for Conducting Risk Assessments
(https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf).
• Ransomware Risk:
o Industry Reports: Look for ransomware trend reports from
security companies like CrowdStrike, Cisco, or Verizon. These
reports often provide sector-specific insights relevant to
finance.
o Ransomware-as-a-Service (RaaS): Research the economics of
RaaS to understand what makes SaaS companies particularly
vulnerable.
• Supply Chain Risk:
o Cloud Security Alliance (CSA) Reports: The CSA has excellent
resources on cloud supply chain risks
(https://cloudsecurityalliance.org/).
o Shared Assessments Program: Useful for third-party vendor
assessments (https://sharedassessments.org/).
• Insider Threat:
o Verizon Data Breach Investigations Report (DBIR): Regularly
analyze sections on insider threats for common tactics
(https://www.verizon.com/business/resources/reports/dbir/).
o Studies on employee motivation: Search for academic
papers on the psychology of insider threats to understand
the human side of the risk.
• BEC:
o FBI's Internet Crime Complaint Center (IC3): Issues annual
reports with statistics and tactics used in BEC scams
(https://www.ic3.gov/).
Risk Treatment Plans
• ISO 27001:
o ISO 27001 Standard: Purchase the official text as the primary
reference for control descriptions
(https://www.iso.org/standard/75101.html).
o ISO 27002 Guidance: Offers implementation advice on the
controls in Annex A
(https://www.iso.org/standard/73906.html).
• Specific Technologies/Practices:
o Endpoint DLP, Encryption, Security gateways, etc.: Vendor
websites or independent security product reviews for
implementation specifics.
Monitoring and Communication
• AWS Security Best Practices:
o AWS Well-Architected Framework: Focus on the Security
Pillar (https://aws.amazon.com/well-architected/).
o AWS Whitepapers on Security: ([invalid URL removed])
• SIEM (Splunk)
o Splunk Documentation: Best practices for alerts, security
dashboards, etc. (https://docs.splunk.com/)
• GRC Platforms (MetricStream)
o MetricStream Resources: Whitepapers, case studies for how
their platform supports compliance and risk management
(https://www.metricstream.com/)
GDPR-Compliant Incident Response
• Primary Source: Official GDPR text on data breaches: Articles 33
and 34 (https://gdpr-info.eu/)
• Guidance from Data Protection Authorities: Check the website of
the relevant authority (e.g., UK's ICO) for breach notification
forms, templates, etc.
• Example: The ICO has guidance specifically for small
businesses: https://ico.org.uk/for-organisations/report-a-breach/.
Critical Reflection
• DevSecOps:
o OWASP DevSecOps Maturity Model (https://owasp.org/)
o SANS Institute: Security training and resources on
DevSecOps (https://www.sans.org/)

• International Organization for Standardization (ISO) 2022.
ISO/IEC 27001:2022 Information security, cybersecurity and privacy
protection — Information security management systems. Geneva: ISO.
• Schultz, E. 2005. The human factor in security. Computers &
Security, 24(6), pp. 425-426.
• Whitman, M. E. & Mattord, H. J. 2018. Principles of Information
Security. 6th ed. Boston: Cengage Learning.
• Governance, Risk, and Compliance (Solution) (no date).
https://www.workiva.com/en-in/solutions/governance-risk-and-compliance
• Workiva Inc. - Financials - Annual reports (no date).
https://investor.workiva.com/financials/annual-reports/default.aspx
• https://www.annualreports.com/HostedData/AnnualReportArchive/w/NYSE_WK_2021.pdf
(n.d.), https://www.annualreports.com
