An Auditor's Perspective on Frameworks for Information Systems Security in Higher Education
Erwin “Chris” Carrow, University System of Georgia
Brian Markham, University of Maryland, College Park

Copyright Erwin L. Carrow & Brian Markham 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
Educause+V4
Nov 02, 2014
ecarrow

Transcript
Page 1: Educause+V4

An Auditor's Perspective on Frameworks for Information Systems Security in Higher Education
Erwin “Chris” Carrow, University System of Georgia
Brian Markham, University of Maryland, College Park

Page 2

Session Agenda
- Key Takeaways and Introductions
- What Makes Higher Education Different
- Business Risk and Functional Practices
- Internal Controls: Quick Overview
- Frameworks for Security
- Specific Guidance and Standards
- Additional Audit Considerations
- Q&A

Page 3

Key Takeaways
At the end of this session you should be able to:
- Identify business goals, functions, and associated roles and risk;
- Understand the critical success factors during an audit;
- Evaluate the internal control structure of your environment;
- Know the standards and frameworks available for use in your environment.

Page 4

Your Session Guides
- Erwin “Chris” Carrow - IT Auditor, University System of Georgia Board of Regents (high level, general focus)
- Brian Markham - IT Compliance Specialist, University of Maryland at College Park (low level, specific focus)

Page 5

Auditing Higher Education: Challenges and Business Requirements
Where are you at? Can seem like … HERDING CATS!
EDS “Cat Herding” (1:07 minutes)

Page 6

What Makes Higher Education Similar and Yet Different?
Universities are not Corporations, but …
- Herding cats may be a common or predominant phenomenon
- Business functions and processes are similar
- Objectives, rules, and requirements are similar
- Resources, e.g., people, information, infrastructure, applications, etc.
Different set of risks, challenges, and regulatory mandates:
- “Open System” attitude (moving target)!
- “Academic Freedom” is a privilege, not a right!
- Diversity of administrative operational requirements
- Diversity of instructional and faculty requirements
- Operational and functional sides of the house are not always in agreement; leadership changes and challenges do exist!
- Freedom of information
- Difficulties in blocking or outlawing certain risky behaviors
- Mandated safeguarding of information and information systems
Bottom line: the environment must foster Learning and Research!

Page 7

Auditors Ask the Question … What High Criticality Risks Exist?
Categories of risk that may or may not apply:
- Strategic: affects the entity's ability to achieve goals and objectives
- Compliance: affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
- Reputational: affects reputation, public perception, political issues, etc.
- Financial: affects loss of assets, technology, etc.
- Operational: affects ongoing management processes and procedures

Page 8

Enterprise Risk Management - Risk Probability and Impact

Page 9

Threats and the Facts
Privacy Rights Clearinghouse, Chronology of Data Breaches: 2,500,000 reported since January 2005 [www.privacyrights.org/ar/ChronDataBreaches.htm]

Ponemon - HRH 2008 Privacy Breach Index Survey (Sept 2008) [www.HRH.com/privacy]
Self-evaluation of overall performance of organization:
- 9% gave an “A”
- 31% gave a “B”
- 26% gave a “C”
- 29% gave a “D”
- 5% gave an “F”
Findings:
- 80% believed their organizations experienced information system data breaches and loss of customer and personal information
- 50% negligence, 29% third party, 3% hacker, 1% other criminal activity
- 36% had 1 to 4 breaches involving 100 or more records; 32% had 5 to 8; 31% had 9 or more

Page 10

Recognized Method for … Risk Prevention Assurance
Risk Prevention: “IT Trunk Monkey” (1:01 minutes)

Page 11

Regulatory Standards
- FERPA, FISMA, HIPAA, PCI DSS, SOX, NCAA, A-21, A-133, PATRIOT, GLBA, ADA, CAA, CWA, OSHA, FLSA, FMLA, EEO, and possibly many others!
- State, Local, University System, and Institution guidelines
- “Due negligence” violations have cost institutions financially, but few if any individuals have gone to jail for lack of compliance
- Reputational losses are the critical issue!
- Avoid FUD - Fear, Uncertainty, and Doubt

Page 12

Information Security and Compliance Responsibilities
- Know and comply with Federal, State, Local, University System, and Institution regulations
- Talk to auditors, colleagues, peers, and administrators about information and information system regulatory compliance and security
- Make the “alphabet soup” and security a top priority when evaluating new systems and initiatives
- Understand how the regulations trickle down through policies, standards, procedures, and the people involved (in a practical way)

Page 13

What should a Risk Assessment identify about our environment?
- What are the risks?
- What are the impacts?
- What is the likelihood it will happen?
- Who is involved?
- Are we willing to accept the risk?
- What are we currently doing to mitigate this risk? Is it working like we think it should?

Page 14

Making the Lose/Lose Situation … a Win/Win
- A PERFECT information technology operational environment or risk prevention assurance system does not exist (e.g., IT Trunk Monkey)!
- Priority directed to likely threats for known vulnerabilities by:
  - Affirming good controls and practices
  - Uncovering unknown vulnerabilities or inappropriate practices
- Focus upon what is essential for the success of your institution's “Business Functions,” which comprise:
  - Business Rules or Requirements: a statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business.
  - Business Standards or Practices: a related group of business processes that support some aspects of the mission of an enterprise.

Page 15

Doing Business and Dealing with the Nuts
The Old Way …! Assessing Risk?
20th Century FOX “Ice Age” (1:55)

Page 16

Nuts Can Be Challenging
Business Process - Gathering and Storing NUTS and the Big Squeeze
Tasks of dealing with the NUTS:
1. Gather Nuts
2. Store Nuts
3. The Big Squeeze? Operational versus Functional needs!
What are the Associated Risks?
20th Century FOX “Ice Age”

Page 17

In Time, Nut Requirements Change
The New Way …! Risk Assessment?
20th Century FOX “Ice Age 2: The Meltdown” (55 sec)

Page 18

Different Nuts, Different Methods
- History has a way of repeating itself!
- Old ways can influence new ways of …
- Different business requirements - use of different methods (variety of NUTS)
- Sometimes the NUTS get bigger and harder to CRACK
- Risk may change or increase!
20th Century FOX “Ice Age 2: The Meltdown”

Page 19

Making Peanut Butter Out of Nuts
Moral: life is always going to be a little squirrelly
- Business function goals and objectives can make the IT requirements a little NUTTY
- Risk implications associated with IT implementations are NOT always CONSIDERED
- Clearly define the task: try making PEANUT BUTTER out of a difficult situation; it is easier to store
WHERE DO YOU START?
20th Century FOX “Ice Age 2: The Meltdown”

Page 20

Know Yourself - Know Your Enemy!
The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.
Two possible, not recommended, responses to the challenge:
- Freak Out: embrace hopelessness, hide, ignore, deny, and play computer games until the inevitable occurs
- Idealistic and Unrealistic: do the “Don Quixote” (to dream the impossible dream and fight the impossible fight); wear yourself out fighting windmills by shooting at whatever pops its head out!
Third approach: “How do you eat the elephant standing in the corner, instead of avoiding it?” Take ONE BITE at a time by …
- Strategizing a response
- Creating a deliberate long-term plan
- Identifying short-term objectives and milestones
- Gaining key shareholder ownership of the challenges
- Testing and monitoring the process with identifiable outcomes
Start with Business Functions - gathering and storing of NUTS

Page 21

Business Functions (other Nuts)
It still comes down to … business needs and outcomes: goals or objectives, rules and requirements.
- Identifying critical business functions: Finance and Accounting, Financial Aid, Human Resources, Registration, Student Services, other administrative functions
- Identify the departments and the key personnel, e.g., business owners, trustees, and stewards
- Identify the systems that support these functions
- How are the people and systems integrated into the business process?
- What internal controls exist to mitigate risk?

Page 22

Business Function's Objective, Requirements, Resources, and Practices
YOU MUST KNOW …
- What business principles are in operation?
- Reasons - why you do things a certain way
Control Objectives for Information and related Technology (COBIT®)

Page 23

Business Functions and their Characteristics
Control Objectives for Information and related Technology (COBIT®)

Page 24

Business Function Information from Origin to Destination
- Identify how the information travels and is managed throughout the business function life cycle!
- How packets of data are managed, provisioned, formatted, and transferred throughout business functions
- How information is handled per its classification and intended use
- Assess information and information system security from various perspectives
- Who are the business owners, trustees, and stewards?

Page 25

“Life Cycle” of Security & Process Provisioning

Page 26

Risk Assessment Flow
The methodology for auditing the information and information systems for compliance and security is a top-down process:
- Business Goals to Standards and Practices
- Business Function to Information System
- Leadership (administrator) to Technician or Staff member (end user)
- Assess Requirements, Resources, and Processes
The approach will focus on key business functions and their associated business goals and objectives as they relate to the audited entity, e.g., Identity and Access Control Management (IAM), Perimeter and Network Security (NETSEC), etc.
Once identified and agreed upon for each business function, the key associated requirements, resources, and processes will be identified and assessed to determine whether high or critical risk is being managed.
Focus on control practices and responsibility/accountability associated with key activities, with CMMI level 3 as the expected criterion for high-risk, critical processes.

Page 27

Principles for Consideration
1st: Top-down, risk-based identification of threats and vulnerabilities for key business processes and related IT support processes, e.g., change management, access security, operations, etc. (General Risk Assessment)
2nd: Control of IT risks that affect critical IT functionality in financially significant applications and related data (Particularized Risk Assessment)
3rd: Layered controls to mitigate risk for application program code, databases, operating systems, and the network (operational processes that align with the precedence of risk)
4th: Risk mitigation based upon business and control objectives (not the limitations of individual controls); have a framework, structure, and methodology to support your risk strategy

Page 28

When Assessing for Risk …
- Risk assessment evaluates components of information, information system security, and compliance as they relate to the business function
- Assess, Mitigate/Monitor, Re-Assess
- An ongoing risk management program must be in place
- The business owner or key shareholder must own the process
- Establish a standard for considering and negotiating risk
- Annual (periodic) risk assessment deliverable with recommendations for corrective action
- Clearly define and document accepted risk; someone needs to sign off on the responsibility

Page 29

Risk Mitigation
Once risks are identified, they must be mitigated via internal controls.
Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance.
- Preventive: controls to stop the problem from occurring
- Detective: controls to find the problem
- Corrective: controls to repair the problem after detection
- Administrative: policies, standards, guidelines, and procedures
- Technical: controls using hardware or software for processing and analysis
- Physical: controls to implement barriers or deterrents
Document and retain artifacts: Design, Document, Implement. Test the controls prior to implementation to validate expectations, monitor results, and re-test controls periodically.

Page 30

High Level IT Control Model
[Figure. Elements shown: Executive Management; Agency Level IT Considerations; IT General Controls; Application Controls; End User Computing; IT Services (OS/Data/Telecom/Continuity/Networks); Business Processes: Procurement, Accounts Payable, Accounts Receivable/Claiming, Programs and Operations.]

Page 31

Re-Assess Risks
- Risk assessments are an ongoing exercise; track mitigation strategies: did they work?
- What “Framework(s)” are being applied?
- Is there an identifiable “Structure” in place, e.g., a risk management program?
- Is the “Methodology” recognizable, e.g., documented and not arbitrary?
- Are you using tools to monitor, manage, and validate the associated processes?
- Test and re-test controls (design and effectiveness)
- Document test results, corrective actions, and changes in business needs/requirements.

Page 32

Better Controls = Improved Security
- IT security comes down to the presence and effectiveness of internal controls; weak controls = weak security
- Audits are an evaluation of controls; audits are FREE consulting services!
- All of the security practices that we utilize are really just controls, from firewalls to IPS to virus scanning.
- How these controls come together ultimately determines our overall control environment (and our control gaps).
Framework?

Page 33

Frameworks for IT Security
- COBIT - high level business objectives and outcomes
- ISO & NIST - standards and checklists for consideration
- Criteria - CMMI
- CIS - tools
- ITIL - process models
Any framework is better than NO framework! Frameworks map to structure, which should produce a consistent methodology for addressing risk.
Be able to explain …!
- How it was derived
- Why your strategy makes sense
- How it manages risk

Page 34

COBIT
- Developed by the ITGI (current v4.1)
- Value of IT, Risk, and Control
- Links IT service delivery to business requirements (already defined, right?)
- A lifecycle; constantly adapting, improving, re-adapting
- Four Responsibility Domains:
  - Plan and Organize (PO)
  - Acquire and Implement (AI)
  - Deliver and Support (DS)
  - Monitor and Evaluate (ME)
Make a grocery list of needs and then go shopping.

Page 35

COBIT
Control Objectives for Information and related Technology (COBIT®)

Page 36

COBIT
Control Objectives for Information and related Technology (COBIT®)

Page 37

ISO 27002
- Code of Practice for Information Security Management
- Divides IT security into 11 categories (clauses)
- Defines key controls over specific sub-categories
- Defines implementation guidance for each key control
- 39 control objectives with 139 controls
- Control objectives are generic functional requirement specifications for an organization's information and information system security management control architecture

Page 38

ISO 27002
[Figure: the ISO 27002 clauses: Security Policy; Organizing IT Security; Asset Mgmt; HR Security; Physical Security; Comm and Ops Mgmt; Access Control; IS Acquisition Mgmt; Incident Mgmt; BCM; Compliance.]

Page 39

ISO 27002
Benefits:
- ISO 27002 is a very hands-on control guideline
- DIY framework, no consultants required
- Proactive, not reactive
- Certification
- Less stressful audits!
How do we get to ISO 27002?
- Evaluate/implement key controls;
- This will require policies/processes/procedures;
- Executive level buy-in;
- Team effort: IT security is EVERYONE'S responsibility.

Page 40

NIST
- NIST offers security guidance in many areas: Special Publications
- Useful high level governance standards and practices
- Practically every IT security subject is covered here
- Written for the Feds but very useful for any organization
- Current government agency 2007 self-assessment average grade is “C-”, e.g., academic probation
http://csrc.nist.gov/publications/PubsSPs.html

Page 41

NIST Special Publications
Life Cycle of Risk Consideration

Page 42

Center for Internet Security (CIS)
- CIS Benchmarks provide guidelines for operating systems and databases;
- User originated, widely accepted, and reflect the consensus of expert users worldwide;
- Compliance with these benchmarks will reduce findings and lead to more secure computing platforms
Some benchmarks include: Windows Server, Solaris, Oracle, Exchange

Page 43

Center for Internet Security (CIS)
- Use benchmarks from CIS for standard builds of servers, databases, and applications;
- A self-appraisal/audit of current systems and builds;
- Hardening guide to ward off attacks;
- CIS certifies automated tools. Some providers include: Belarc, CA, ConfigureSoft, Symantec, Tenable, Tripwire

Page 44

CMMI
- An identifiable criterion by which you should be evaluated!
- Capability Maturity Model Integration, created by the Software Engineering Institute (SEI)
- Levels 0 - 5 (Non-Existent to Optimized)

Page 45

CMMI
- Variants of the CMMI: CMM & ISO 15504
- Identifies WHERE you are in the application of IT risk mitigation controls and HOW to get to the next level
Levels of Application:
- Level 0: No recognizable process, though one is needed
- Level 1: Process is ad hoc and performed by key individuals
- Level 2: Process is repeatable, but not controlled
- Level 3: Process is defined and documented and periodically evaluated
- Level 4: Managed and measurable; effective internal controls with risk management
- Level 5: Optimized enterprise-wide risk and control program

Page 46

CMMI
- Capability Maturity Model Integration, created by the Software Engineering Institute (SEI)
- Levels 0 - 5 (Non-Existent to Optimized)
- Auditors need to be able to do more than “take someone's word for it”
- Therefore … Level 3 is a minimum requirement:
  - Defined processes
  - Documented processes to identify risk and associate roles and responsibility to mitigate risk
  - Processes in place to periodically review and evaluate controls

Page 47

What Does Evidence Look Like?
Definition: evidence must be Sufficient, Reliable, and Relevant.
The various types of audit evidence that the IS auditor should consider using include:
- Observed processes and existence of physical items, e.g., a computer room security system in operation
- Documentary audit evidence, e.g., activity and control logs, system development documentation
- Representations, e.g., written policies and procedures, system flowcharts, written or oral statements
- Analysis, e.g., benchmarking IS performance against other organizations or past periods; comparison of error rates between applications, transactions, and users
Evidence gathering procedures considered are: Inquiry, Observation, Inspection, Confirmation, Re-performance, and Monitoring.
Audit evidence should be useful to form an opinion or support the findings and conclusions.
Evidence gathered should be appropriately documented and organized to support the findings and conclusions.

Page 48

ITIL - Process Modeling
- When you don't have a good understanding of “what right looks like”
- Models most “Industry Standard” information and information system technology processes
- When in doubt, “check it out and test it out”
- Maps to COBIT
- Complementary to NIST and ISO
- Helps to provide a starting place
- Caution: can be overly complicated

Page 49

Example of IAM - Audited Entity to be Assessed for Risk
IAM: Identity and Access Control Management
- Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
- Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares

Page 50

Users Involved in Business Functions and Types of System Information? (Provisioning of High Risk or Critical Information)
Business functional responsibility for assigning “Rights & Permissions” to various roles within the organization:
- Business Owner: responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Registrar, FinAid, HR, ConEd, etc.
- Trustees: responsible to maintain the trust granted by the business owner, e.g., “worker bees” in the associated departments that conduct day-to-day operations
- Stewards: responsible to service and support the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
Types of Information (data classification) per institution or university system standards:
- Unrestricted / Public: no consequence; typically general information
- Sensitive: typically references legal or externally imposed constraints that require this restriction
- Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA

Page 51

Example Associated Key Process - Ecommerce, e.g., One Card System
COBIT high level framework for controls relating to the Ecommerce systems:
- Plan and Organize (PO) - provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
- Acquire and Implement (AI) - provides the solutions and passes them to be turned into services: AI5 and AI4
- Deliver and Support (DS) - receives the solutions and makes them usable for end users: DS1, DS5, and DS11
Map the requirements to your preferred checklist, e.g., NIST or ISO.
Requirements for Ecommerce complement other processes:
- Less work required for other system implementations
- No duplication of effort if requirements are properly addressed
- Identity Management applies to many other process requirements, e.g., applications, operating systems, and databases

Page 52

Example: Identity and Access Control Management (IAM) COBIT Slide 1
COBIT 4.1 DS5.3 Identity Management
- Ensure that all users (internal, external, and temporary) and their activity on IT systems (business application, IT environment, system operations, development, and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
- Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
- Ensure that user access rights are requested by user management, approved by system owners, and implemented by the security-responsible person.
- Maintain user identities and access rights in a central repository.
- Deploy cost-effective technical and procedural measures, and keep them current, to establish user identification, implement authentication, and enforce access rights.

Page 53

Example: Identity and Access Control Management (IAM) COBIT Slide 2
Logical Didactic Approach - DS5.3 Identity Management (how it is evaluated)
Control over the IT process of “Ensure systems security” that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
- by focusing on defining IT security policies, plans, and procedures, and monitoring, detecting, reporting, and resolving security vulnerabilities and incidents
- is achieved by:
  - understanding security requirements, vulnerabilities, and threats
  - managing user identities and authorizations in a standardized manner
  - testing security regularly
- and is measured by:
  - number of incidents damaging the organization's reputation with the public
  - number of systems where security requirements are not met
  - number of violations in segregation of duties
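The following is an added example and is not part of the deck, nor COBIT's or ITGI's own material. It turns the DS5.3 statements on the two IAM slides into something an auditor can re-perform: each access request must be requested by user management, approved by a system owner, and implemented by the security-responsible person (three distinct people), the requested rights must match the documented business need for the job role, approved grants land in a central repository, and the "violations in segregation of duties" count from the metrics list is produced as output. Every role name, entitlement string, person and request below is a constructed assumption, not data from any real institution.

```python
"""Added example (not from the deck): re-performing the COBIT DS5.3
identity-management controls over a batch of access requests.

All role names, entitlements, people and requests here are constructed
for illustration only.
"""
from dataclasses import dataclass

# Documented business need: which entitlements each job role may hold.
# Constructed sample; in practice this comes from the business owner.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"hr.payroll.read", "hr.payroll.submit"},
    "registrar_staff": {"sis.records.read", "sis.records.update"},
    "sysadmin": {"infra.server.admin"},
}

# Who may act in each step of the DS5.3 workflow: requested by user
# management, approved by the system owner, implemented by the
# security-responsible person. Role labels are assumptions.
STEP_ROLES = {
    "requester": {"manager"},
    "approver": {"system_owner"},
    "implementer": {"security_admin"},
}


@dataclass
class AccessRequest:
    request_id: str
    user_id: str
    job_role: str
    entitlements: set
    requester: str
    approver: str
    implementer: str


@dataclass
class Finding:
    request_id: str
    control: str
    detail: str


def check_request(req, people):
    """Return the list of Findings for one request (empty list = passes).

    `people` maps a person id to the set of organisational roles they hold.
    """
    findings = []

    # Control 1: segregation of duties across the three workflow steps.
    actors = [req.requester, req.approver, req.implementer]
    if len(set(actors)) != 3:
        findings.append(Finding(req.request_id, "segregation_of_duties",
                                "same person in more than one workflow step"))

    # Control 2: each step is performed by someone holding the right role.
    for step, person in zip(("requester", "approver", "implementer"), actors):
        if not (people.get(person, set()) & STEP_ROLES[step]):
            findings.append(Finding(req.request_id, "step_role",
                                    f"{person} may not act as {step}"))

    # Control 3: requested rights are in line with documented business need.
    excess = req.entitlements - ROLE_ENTITLEMENTS.get(req.job_role, set())
    if excess:
        findings.append(Finding(req.request_id, "business_need",
                                f"not documented for {req.job_role}: {sorted(excess)}"))
    return findings


def audit(requests, people):
    """Check every request; only clean ones reach the central repository.

    Returns the repository, all findings, and the DS5 metric
    'number of violations in segregation of duties'.
    """
    repository = {}  # central repository: user id -> granted entitlements
    all_findings = []
    for req in requests:
        found = check_request(req, people)
        all_findings.extend(found)
        if not found:
            repository.setdefault(req.user_id, set()).update(req.entitlements)
    sod_violations = sum(1 for f in all_findings if f.control == "segregation_of_duties")
    return {"repository": repository, "findings": all_findings,
            "sod_violations": sod_violations}


# Constructed sample population and requests.
PEOPLE = {
    "alice": {"manager"},
    "bob": {"system_owner"},
    "carol": {"security_admin"},
    "dave": {"manager", "system_owner"},  # holds both roles: an SoD risk
}

SAMPLE_REQUESTS = [
    AccessRequest("REQ-1", "u1001", "payroll_clerk", {"hr.payroll.read"},
                  "alice", "bob", "carol"),
    # dave requests and approves his own request: SoD violation
    AccessRequest("REQ-2", "u1002", "registrar_staff", {"sis.records.read"},
                  "dave", "dave", "carol"),
    # registrar staff asking for server admin rights: no documented business need
    AccessRequest("REQ-3", "u1003", "registrar_staff",
                  {"sis.records.read", "infra.server.admin"}, "alice", "bob", "carol"),
]

if __name__ == "__main__":
    result = audit(SAMPLE_REQUESTS, PEOPLE)
    for f in result["findings"]:
        print(f"{f.request_id}: {f.control}: {f.detail}")
    print("SoD violations:", result["sod_violations"])
```

Run against the constructed requests, REQ-1 is granted, REQ-2 is held for a segregation-of-duties finding, and REQ-3 is held because one requested entitlement is not part of the documented need for the role; the same checks can be re-run by an auditor over an exported request log to produce the evidence the evidence slide later calls "re-performance".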

Page 54

How to Measure Success? Maturity Model - CMMI DS5 Snapshot (Criteria)
DS5 Ensure Systems Security - Management of the process of “Ensure systems security” that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
- 0 Non-existent when the organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process.
- 1 Initial/Ad Hoc when the organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable.
- 2 Repeatable but Intuitive when responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority … Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
- 3 Defined when security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
- 4 Managed and Measurable when responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. … User identification, authentication and authorization are standardized. Security certification is pursued for staff members … Security testing is completed using standard and formalized processes, leading to improvements of security levels. … IT security reporting is linked to business objectives. IT security training is conducted … IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
- 5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated …

Page 55

COBIT 4.01 Standards to NIST Mapping - Integration with other Standards (Alignment of IT Controls to Mitigate Risk)

Page 56

NIST 800-53, Revision 1 Standards - Terminology and Application

Page 57

Additional Considerations
- Develop a strong working relationship with your auditors
- Communicate with them even when not being audited (typically the loneliest folks on campus)!
- Challenge and question their defined and documented processes for auditing (IIA)
- Understand what auditors are looking for and why
- Ask them where they see the risk and why
- Run questions by them (VMware)
- Some auditors are fallible, but … NOT Brian or Chris (joke)!

Page 58

Call to Action & Challenge
“Birds of a Feather, Flock Together” or “Life is For the Birds” - Be Different?
PIXAR “For the Birds” (3:16 minutes)

Page 59

Thank you for your participation - any questions?
- Higher Education is different!
- Understanding business risk and functional practices is critical
- Internal controls must be defined, documented, and reviewed
- Choose and apply a security framework that provides identifiable structure and an effective methodology to address risk
- Lots of guidance: standards, tools, and modeled processes to emulate
- Internal Auditors can be a valuable resource!

Page 60

Helpful Resources
- CIS Benchmarks - http://www.cisecurity.org/benchmarks.html
- IIA - www.theiia.org
- ISACA - www.isaca.org
- ISC(2) - www.isc2.org
- ISO - www.iso.org
- ITGI - www.itgi.org
- NIST - csrc.nist.gov
- NSA - www.nsa.gov
- IASE - iase.disa.mil
- Web App Consortium - www.webappsec.org
- EDUCAUSE - educause.edu/security
- Univ. Austin Texas Sec. - security.utexas.edu
- Univ. Cornell Sec. - www.cit.cornell.edu/security
- Virginia Tech Sec. - security.vt.edu
- Ga. Tech Info Sec. Center - www.gtisc.gatech.edu

Page 61

Last Minute Additions …
Thanks to the feedback of some of our participants, we wanted to add the following:
- While CMMI is a maturity model, it is still primarily aimed towards software delivery. You may want to look into CMMI for Services (SVC) and Acquisition. Check them out here. The maturity model in COBIT is separate from CMM but is the same basic idea.
- The ISO 27000 series in its entirety is worth a look. Check them out here.
- COBIT & ITIL are less technical/IT security related; NIST and ISO, more so. Keep this in mind when selecting a framework.