Page 395 - Board Member Onboarding August 2019

Category: Asset Management
BP ID: BP 80
Business Process Name: Bank Account Management
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation
Secondary Risk(s): R9
Control Activity(ies):
  - C32-Segregation of duties. On-line access to bank accounts is limited to some personnel: CSCS – Controller and CFO; InfoSync – Accountants – for reconciliation purposes, payroll and accounts payable processes and recording bank activity; On-line Access Administrator is the CFO.
  - C23 & C33 (B)-Secured website by Commerce Bank – Commerce issues FOBs with numbers that change every minute that must be entered before any wire information can be processed using their on-line banking application, in addition to SSL encryption. FOBs are in physical possession of the CSCS users listed above. Segregation of duties for initiating transfers, approving them, booking journal entries and reconciling accounts.
Control Frequency: Periodic
Control Nature: Preventive, Detective
Control Characteristics: P2
Evidence of Control: Bank statements and reconciliation

Category: Asset Management
BP ID: BP 85
Business Process Name: Computers (Laptops, Desktops, & Mobile Devices)
CSCS Business Unit: Administration
Primary Risk(s): R21-Loss of Data; R22-Leak of confidential information
Secondary Risk(s): R9, R18-2
Control Activity(ies):
  - C33-All machines have a strong password policy in place, security access Group Policies enabled & managed by Dine Brands, CSCS-owned antivirus/malware software installed, and reside on Dine Brands' secured network, which maintains a high security baseline with 3rd party periodic auditors.
  - C38-All devices with a CSCS email account on an Exchange server are forced to have a device password, remote wiping enabled, and come with the Admin ability to remotely sign out of all devices.
  - C43-Equipment tags are put on all assets for tracking unique IDs. CSCS IT Management Policy signed by all associates upon new hire.
Control Frequency: Periodic
Control Nature: Preventive, Detective
Control Characteristics: P1
Evidence of Control: CSCS asset management spreadsheet; Equipment Tags; CSCS IT Management Policy

Category: System Management
BP ID: BP 90 (covers the four systems below)
Control Frequency: Continuous
Control Nature: Preventive, Detective
Control Characteristics: P1

  Business Process Name: Office 365 (Microsoft Exchange, SharePoint, Power BI, Office Suite)
  CSCS Business Unit: Administration, Brand Programs Management, Procurement, Logistics, Data Analytics
  Primary Risk(s): R21-Loss of data; R22-Leak of confidential information; R23-Relationship with Members; R24-Relationship Issues with Brands
  Secondary Risk(s): R3, R6, R9, R11, R12, R14-1, R14-2, R16, R18-1, R18-2, R19, R20
  Control Activity(ies):
    - C25 & C56 & C57 & C58-Continuous review of third party internal control systems, Data Contingency Program, periodic backup/purging of system data.
    - C33-Microsoft data centers are protected by strict physical and systems security measures, plus fire suppression and redundant power and geo-replication systems.
    - C59-Two Factor Authentication enabled for all Administrators. All passwords are automatically hashed.
    - C38 & C60-Our 3rd Party IT is an Official Microsoft Partner to help communicate Microsoft's industry security standards before they hit the general population. OneDrive for Business and SharePoint documents maintain a TLS 256bit encryption at rest and transit.
  Evidence of Control: SSAE16 SOC 1 and SOC2; Letter of Agreement

  Business Process Name: HAVI - Web-based Integrated Supply Chain Management System
  CSCS Business Unit: Administration, Brand Programs Management, Procurement, Logistics, Data Analytics
  Primary Risk(s): R19-Inaccurate information and data; R20-Untimely received data; R21-Loss of data; R22-Leak of confidential information
  Secondary Risk(s): R3, R6, R18-1, R18-2
  Control Activity(ies):
    - C25-Review their internal control processes.
    - C59-User Account Management program manages user names and passwords for internal and external users of HAVI.
    - C33C & C60-Ensure ingestion environment is secured end-to-end and HAVI meets security industry standards.
  Evidence of Control: Data Retention and Storage (HAVI and CSCS)

  Business Process Name: Website, Newsletter, CSCS Mobile App Management
  CSCS Business Unit: Administration, Brand Programs Management, Procurement, Logistics, Data Analytics
  Primary Risk(s): R21-Loss of Data; R22-Leak of confidential information
  Secondary Risk(s): R10, R14-2, R23, R24
  Control Activity(ies):
    - C25 & C33 & C60-Assess WPEngine, Core WordPress functions, and 3rd party plugin functionality by reviewing internal control processes.
    - C38-Company Bylaws state Member website access.
    - C43 & C27-Terms & Conditions and our Privacy Statement User Acknowledgement.
    - C59-WordPress encrypts passwords through hashing, while all Administrators must abide by a strong password policy.
  Evidence of Control: (none listed on this page)

  Business Process Name: Azure Data Processing
  CSCS Business Unit: Administration, Brand Programs Management, Procurement, Logistics, Data Analytics
  Primary Risk(s): R9-Damage to Brand and company reputation by unethical behavior or incompetence; R19-Inaccurate information and data; R21-Loss of data; R22-Leak of confidential information; R23-Relationship with Members; R24-Relationship with Brands
  Secondary Risk(s): R3, R6, R11, R15, R16, R20, R18-1, R18-2, R17, R15
  Control Activity(ies):
    - C33C & C60-Continuous review of Microsoft Azure security standards, and implement all necessary security protocols to prevent disaster from reaching the public or failing to provide accurate information to team members.
    - C56 & C57-A retention schedule set for SQL Database, Tables, documents at rest.
    - C25 & C61-Review DBA's data factory process weekly to ensure accurate data reports.
  Evidence of Control: (none listed on this page)

Category: Data Management
BP ID: BP 95
Business Process Name: Data Management
CSCS Business Unit: Administration, Brand Programs Management, Procurement, Logistics, Data Analytics
Primary Risk(s): R19-Inaccurate information and data; R20-Untimely received data; R21-Loss of data; R22-Leak of confidential information
Secondary Risk(s): R3, R6, R18-1, R18-2, R19
Control Activity(ies):
  - C60 & C33-(A) Physical protection of data, (B) security protection for electronic data, (C) manage system using inbound/outbound IP-based port access, TLS/SSL 128/256bit encrypted objects at rest & transit, and configured manual/automated backup & restore points.
  - C57-CSCS Record Retention and Disposition Schedule.
  - C58-Data Stewards from all departments.
Control Frequency: Continuous
Control Nature: Preventive, Detective
Control Characteristics: P1
Evidence of Control: Confidential data are protected physically and electronically; CSCS Record Retention and Disposition Schedule and Policy

Category: Analytics
BP ID: BP 15 (A)
Business Process Name: Data Integrity Audits
CSCS Business Unit: Administration
Primary Risk(s): R19-Inaccurate information and data
Secondary Risk(s): R3, R20, R21, R22, R23, R24
Control Activity(ies):
  - C45-System Control
  - C56-Data Audits
  - C32-Segregation of duties
Control Frequency: Continuous
Control Nature: Corrective, Preventive, Detective
Control Characteristics: P1
Evidence of Control: Correspondence between CSCS and suppliers, DCs, Brands, and System admin.

Category: Analytics
BP ID: BP 15 (B)
Business Process Name: Price Index (Commodity pricing tracking and forecasting)
CSCS Business Unit: Procurement/Administration/Logistics
Primary Risk(s): R19-Inaccurate information and data
Secondary Risk(s): R21, R22, R23, R24
Control Activity(ies):
  - C20-All CSCS Associates have access to the price index
  - C43-Protection of confidential information
  - C32-Segregation of duties
Control Frequency: Continuous
Control Nature: Preventive, Detective
Control Characteristics: P1
Evidence of Control: The index outputs are published to Members and Brands.

Category: Analytics
BP ID: BP 15 (C)
Business Process Name: Modified PPI or Performance Tracking of the Co-ops
CSCS Business Unit: Procurement/Administration
Primary Risk(s): R23-Relationship issues with Members
Secondary Risk(s): R19, R21, R22, R24
Control Activity(ies):
  - C20-All CSCS Associates have access to the price index
  - C43-Protection of confidential information
Control Frequency: Periodic
Control Nature: Preventive, Detective
Control Characteristics: P1
Evidence of Control: The report is shared with the Audit and Finance Committee for each brand.

Category: Analytics
BP ID: BP 15 (D)
Business Process Name: Commodity Quintile Tracking
CSCS Business Unit: Procurement/Administration
Primary Risk(s): R19-Inaccurate information and data
Secondary Risk(s): R21, R22, R23, R24
Control Activity(ies):
  - C32-Segregation of duties
  - C20-All CSCS Associates have access to the tracking sheet
Control Frequency: Continuous
Control Nature: Preventive, Detective
Control Characteristics: P1
Evidence of Control: The tracking output is published to the Oversight Committee.

Category: Analytics
BP ID: BP 15 (E)
Business Process Name: RPM Savings Tracking
CSCS Business Unit: Procurement/Administration
Primary Risk(s): R19-Inaccurate information and data
Secondary Risk(s): R21, R22, R23, R24
Control Activity(ies):
  - C32-Segregation of duties
  - C20-All CSCS Associates have access to the tracking sheet
Control Frequency: Continuous
Control Nature: Preventive, Detective
Control Characteristics: P1
Evidence of Control: The tracking sheet is on CSCS SharePoint, accessed by all associates.
ADMINISTRATION: COMMUNICATION & MEMBERSHIP

Columns: Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency (continuous, daily, monthly, periodic) | Control Nature | Control Characteristics: Primary 1-Critical Control (P1), Primary 2-Significant Control (P2), Secondary (S) | Evidence of Control

Category: Communication Management
BP ID: BP 1
Business Process Name: Member Communication Management
CSCS Business Unit: Administration
Primary Risk(s): R19-Inaccurate information and data
Secondary Risk(s): R22, R23
Control Activity(ies):
  - C42-Multi-tiered internal approval process. Approval by Directors and CFO required prior to distribution of information.
  - C43-Protection of confidential information. Information deemed confidential and proprietary is only published on secured websites.
Control Frequency: Periodic
Control Nature: Preventive
Control Characteristics: P2
Evidence of Control: Email approvals from CFO and Directors

Category: Communication Management
BP ID: BP 2
Business Process Name: Website Management
CSCS Business Unit: Administration
Primary Risk(s): R22-Leak of confidential information
Secondary Risk(s): R19, R23
Control Activity(ies):
  - C27-Terms & Conditions and our Privacy Statement User Acknowledgement.
  - C38-Company Bylaws state Member website access.
  - C43-Protection of confidential information. Information deemed confidential and proprietary is only published on secured websites.
Control Frequency: Periodic
Control Nature: Preventive
Control Characteristics: P1
Evidence of Control: User name and password are required to access the Associate and Member websites; passwords are auto-generated by the system

Category: Member Data Management
BP ID: BP 3
Business Process Name: Membership Management
CSCS Business Unit: Administration
Primary Risk(s): R22-Leak of confidential information
Secondary Risk(s): R9, R18-2, R19, R22, R23, R24
Control Activity(ies):
  - C41-Managing Members' data through Membership Subscription Agreement.
  - C32-Segregation of duties. Includes CFO signature on Membership Subscription Agreement, CEO and Concept Co-op Secretary signatures on Stock Certificate, and notification by Brand of store and franchisee ownership and status changes to Analyst and Controller, which dictate onboarding/offboarding activities, including stock share fee received and redeemed.
  - C45-System control. Franchise and store information provided via data feed from Applebee's system of record (SDMS) and IHOP system of record (FRED). Any updates related to stores or operators provided to CSCS via Dine Brands' emails.
  - C25 & C33 & C60-Assess WPEngine, Core WordPress functions, and 3rd party plugin functionality by reviewing internal control
Control Frequency: Continuous
Control Nature: Preventive
Control Characteristics: P1
Evidence of Control: Membership Subscription Agreement (physical copies & Havi); Member Stock Certificate (physical copies & Havi); Annual Financial Audit; Brand communication regarding store/franchisee changes; Weekly data quality control audits for store information by Havi
ADMINISTRATION: BOARD GOVERNANCE

Columns: Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency (continuous, daily, monthly, periodic) | Control Nature | Control Characteristics: Primary 1-Critical Control (P1), Primary 2-Significant Control (P2), Secondary (S) | Evidence of Control

BP ID: BP 4
Business Process Name: Annual Election Process
CSCS Business Unit: Administration
Primary Risk(s): R14-2-Non-compliance with Bylaws
Secondary Risk(s): R19, R23
Control Activity(ies):
  - C44-Legal review of completed proxies by third party legal counsel to ensure all votes are valid.
Control Frequency: Periodic
Control Nature: Preventive
Control Characteristics: P2
Evidence of Control: Documentation of review of completed proxies by third party legal counsel