Group items matching

in title, tags, annotations or url

Has your management team asked the following four questions about your organization's internal controls? 1) Have we identified the meaningful risks to our objectives? 2) Which controls are "key controls" that will best support a conclusion regarding the effectiveness of internal control in a particular process? 3) What information will be persuasive in assessing whether the controls are continuing to operate effectively? 4) Are we presently performing effective monitoring that is not unnecessary and costly testing? These questions appear in a white paper, "Effective Internal Control Systems for Rapidly Changing Markets: A New Opportunity," packed with answers for GRC professionals wondering if there is a better way to operate. The paper, authored by the GRC experts at advisory firm SMART Group, clearly lays out how controls monitoring processes can and should align with the "Guidance on Monitoring" COSO published earlier this year to help organizations strengthen the effectiveness and efficiency of their internal controls frameworks. Among other useful how-to information, the 12-page paper includes a five-step "Implementation Guide" for creating a better controls-monitoring program.

Health IT industry leaders and privacy advocates are watching carefully to see how the federal government will enforce expanded health data breach notification rules set to take effect this week, Federal Computer Week reports. HHS' breach-notification rule, which applies to HIPAA-covered entities and business associates, is scheduled to take effect tomorrow. The Federal Trade Commission's companion rule, which applies to personal health record vendors and other non-HIPAA-covered entities, is scheduled to take effect Thursday. The federal economic stimulus package mandated the creation of both rules.

Supercharging the HVA Engineering and Maintenance Risk Assessment in the Healthcare Setting Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess Health Systems Engineering and Maintenance team on how they partnered with Virtual Corporation to execute an effective risk assessment methodology and toolkit across the DHS enterprise. Participants will see examples of innovative risk mapping and reporting methods that yield high information density in simple, understandable format. Presenters: Mark Merrill, Facility Engineer, Deaconess Health System Tom Barnett, Manager, Engineering and Maintenance, Deaconess Health System Scott Ream, President, Virtual Corporation Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess H

Two companies that collect, analyze and sell prescription information are mounting a Supreme Court challenge to New Hampshire's first-in-the-nation law making doctors' prescription writing habits confidential. In an appeal filed March 27, IMS Health Inc. of Norwalk, Conn., and Verispan LLC of Yardley, Pa., tell the high court that the law violates their First Amendment right to free speech in pursuit of their business. The law, aimed at thwarting hard-sell tactics by drug companies to doctors, makes it a crime for pharmacies and others to transfer information disclosing a doctor's prescribing history if the information could be used for marketing of prescription drugs in New Hampshire. Patients' names are not included in the data. The companies say that the ruling by the 1st U.S. Circuit Court of Appeals in Boston that upheld the law's constitutionality could be broadly applied to newspaper publication of stock market information and many other services that gather large amounts of information. The money made by selling the information to drug makers, the companies say, allows them to provide the same material to researchers and humanitarian organizations at little or no cost. The law first took effect in 2006. The following year, U.S. District Judge Paul Barbadoro in Concord ruled in the companies' favor and said the law violated the First Amendment. Another federal judge subsequently ruled against a similar law in Maine, relying heavily on the New Hampshire decision. But the 1st Circuit overruled Barbadoro, calling the law a valid step to promote the delivery of cost-effective health care. "Even if the Prescription Information Law amounts to a regulation of protected speech - a proposition with which we disagree - it passes constitutional muster," the court said. "In combating this novel threat to cost-effective delivery of health care, New Hampshire has acted with as much forethought and precision as the circumstances permit and the

Beyond PCI: Other Regulations to Look For in 2009 Just a few days ago, the Federal Reserve, the Office of Thrift Supervision and the National Credit Union Administration announced the enactment of comprehensive new rules regarding card practices. These rules, which will not take effect until July 1, 2010, impose restrictions on a number of controversial issuer practices, including interest rate increases, late fees and double-cycle billing. Many industry observers predict that the rules will result in less credit being made available, and on stricter terms, than has been the case over the last several years. These rules may not be the end of the matter. Rep. Carolyn Maloney (D-NY), who in 2008 introduced the Credit Cardholders' Bill of Rights Act of 2008 (which sought to regulate many of the same practices as the then-proposed Fed rules), stated that she was disappointed in the delayed effectiveness of the Fed rules and promised to revive the Credit Cardholders' Bill of Rights in 2009 to, as she put it, "bridge the gap" between now and the effective date of the Fed rules.

April 13, 2009 (Computerworld) The PCI standard, long touted as one of the private sector's strongest attempts to regulate itself on IT security, is increasingly being slammed by critics who claim that the rules aren't doing enough to protect credit and debit card data. And amid all the complaints, Visa Inc. - the standard's biggest proponent - is working one-on-one with banks and retailers to test new security measures that go beyond the controls currently mandated by PCI. What it all adds up to is a new sense of uncertainty about the future of the specification, which is formally known as the Payment Card Industry Data Security Standard, or PCI DSS. Created by Visa and other credit card companies, the PCI rules will have been in effect for four years as of June 30. But with breaches of card data continuing and questions about the standard's effectiveness on the rise, PCI DSS is showing signs of coming apart at the seams.

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

The reality of any new technology, security or otherwise, rarely lives up to its promise. Once you move past the bright sheen of the product brochures and top-level user interfaces, only the practicalities of implementing the product in the real world remain. This is especially true of newer technologies we have little prior experience with, where our product expectations are defined by marketing, the press, and the rare peer reference. It's only after these tools are tested in the real world, under full production conditions, that we really start learning how to either best implement them, or kick them back to the vendor for a little more polish (and a compelling business use). Data loss prevention (DLP) is one of the most promising, and least understood, security technologies to emerge during the last few years. It dangles promises of ubiquitous content protection before our eyes, with shadows of complexity and costs glooming over its shoulder. As with everything, the reality is somewhere in-between. We've interviewed dozens of DLP users (including our own contacts, random volunteers and vendor references) to find out how DLP works in the trenches of the real world. The result is a collection of lessons learned and use cases to help you avoid common pitfalls while deriving maximum value. Lesson 1: Users are confused by a confusing market Lesson 2: Full DLP solutions take more effort to deploy, but are more effective and easier to manage Lesson 3: Set the right expectations and workflow early Lesson 4: Poor identity management hinders good DLP Lesson 5: False positives are a manageable concern Lesson 6: Progressive deployments are most effective Lesson 7: Endpoint DLP is still more limited than network or discovery Lesson 8: Content discovery is hot

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

Those who are superstitious may believe that bad things happen on Friday the 13th, but we will leave it to each individual and entity to formulate conclusions regarding the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which Congress passed late on Friday, February 13, 2009, and President Obama officially signed into effect on February 17, 2009. The HITECH Act addresses various aspects relating to the use of health information technology (H.I.T.), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation. This Alert focuses, however, on Subtitle D of the HITECH Act, which includes important, new and far-reaching provisions concerning the privacy and security of health information that will materially and directly affect more entities, businesses and individuals in more diverse ways than ever before. These changes are further elaborated upon below, but this Alert can only highlight certain prominent issues under the HITECH Act and is by no means a comprehensive review of this lengthy and complex Act. For questions and additional guidance on the HITECH Act, contact your Fox Rothschild attorney or the authors of this Alert. New Privacy and Security Requirements * Security Breach Notification Requirements: Security breach notification requirements under the HITECH Act go into effect 30 days after the date that interim final regulations are promulgated, which will be no later than 180 days after the date of enactment of the HITECH Act (August 16, 2009). Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outl

The Federal Trade Commission (FTC) is planning to regulate online viral marketing that uses blogs and social networking sites. Marketers are spending billions worldwide to get the endorsements of key bloggers and groups on social networking sites. One tactic, used by Microsoft and others, is to send products to bloggers on 'long-term loans' on the understanding that they will comment about them on their sites. AdvertisementUnder the new regulations being proposed, such bloggers would be legally liable if they make untrue statements about the products or services. The companies too would face sanctions. "This impacts every industry and almost every single brand in our economy, and that trickles down into social media," Anthony DiResta, an attorney representing several advertising associations, told The Financial Times. This is the first revision of the rules on this kind of advertising by the FTC since 1980 and is needed, according to the organisation, because new forms of communication have opened up new fields to marketing. "The guides needed to be updated to address not only the changes in technology, but the consequences of new marketing practices," said Richard Cleland, assistant director for the FTC's division of advertising practices. " Word-of-mouth marketing is not exempt from the laws of truthful advertising." Advertisers are resisting the changes, however, which threaten a highly effective form of marketing new products and services. "Regulating these developing media too soon may have a chilling effect on blogs and other forms of viral marketing, as bloggers and other viral marketers will be discouraged from publishing content for fear of being held liable for any potentially misleading claim," Richard O'Brien, vice president of the American Association of Advertising Agencies, said in an advisory to the FTC.

In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps risk professionals can use to communicate value effectively. The biggest challenge security teams face in their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a New York-based consultancy focused on changing the way people protect information. Santarcangelo, who was recently a keynote speaker at the CSO Perspectives conference, said professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn't see risks the same way, making communication difficult (See also: Security and Business: Communication 101). "They lack relevant context," said Santarcangelo. "So security people get wrapped up in thinking: 'The CFO wants an ROI. We better work on ROI.' But what the CFO is really saying is:' I don't understand what you do. So you have to justify it to me.' Santarcangelo outlined his strategies for making the case for security investments at the three-day event held in Clearwater, Florida. He gave an audience of security professionals the details of his five step process for getting executives and boards to understand, and even approve, spending decisions in tough economic times. Create Santarcangelo believes one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch (See also: A CEO and CSO Who Actually Communicate). "The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person," said Santarcangelo. "But when many people start to create, they forget that. They tend to fall into the trap of thinking: 'I'm really smart and I know a lot of stuff. So I'm just going to say it and hope they will understand the value of it.'" Instead, Santarcangelo recommends creating

DESPITE SIGNIFICANT IMPROVEMENTS since the U.S. Sarbanes-Oxley Act of 2002 became effective, the continuing cost of compliance with the act's Section 404 requirements remains a concern for board members and management. A periodic operational audit of the Section 404 program can provide valuable information to executive management and the audit committee, and potentially identify areas where significant costsavings can be realized. Whether the Section 404 program is managed by the finance department, internal auditing, or another organization, it's an excellent candidate for this type of review, particularly if the focus remains on program efficiency. Several questions, based on The IIA's publication Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners, can be used as the basis for the audit. The questions cover issues ranging from ensuring that operating management takes ownership of its processes, to achieving fewer and more effective key controls, to determining whether the external auditor's reliance on management testing has been optimized.

I. INTRODUCTION The globalization revolution is undeniably well underway. Some of the primary leaders of the revolution are the off-shoring outsourcers of the world in search of readily available talent at prices below what is available in the traditional geographical outsourcing centers. Certainly, U.S. companies seeking information technology resources--as well as those looking for human resources to support the ever-growing customer care requirements of their business--are at the forefront of the movement. Some of those companies are seeking their own solutions, but many have turned to business process outsourcing companies for assistance. Business process outsourcing is, generally speaking, the contracting of a specific business task to a third party service provider. Processes that are best suited to be outsourced are those that a company requires but does not depend upon to maintain its position in the marketplace. There are two primary categories of business process outsourcing. One category is commonly referred to as "back office outsourcing" which includes internal business functions such as billing or purchasing. The other category is commonly referred to as "front office outsourcing" which includes customer-related services such as marketing, customer contact management, and technical support. The globalization of business in general has resulted in the need for companies to be able to provide support to their customers in many different languages. At the same time, developments in technology have provided the ability for business process outsourcers to provide a cost effective global delivery platform. The convergence of the need for a portfolio of services to be sourced globally with the ability of business process outsourcers to do so on a cost effective basis has driven the outsourcers to geographic locations previously ignored by most business sectors. By many estimates, there are currently off-shore outsourcing vendors in more than 175 different

Even as the Canadian government is fighting against "Buy American" policies that discriminate against Canadian firms, the federal government appears to be quietly continuing with policies that effectively block U.S. firms from winning some kinds of federal contracts. Case in point: a contract worth $150 million to help relocate nearly more than 18,000 public servants every year was awarded to the only Canadian bidder in mid-August. American firms were interested in the contract but say they were essentially blocked from the bidding because of a provision that personal information about Canadians cannot be stored on computerized databases outside of Canada. Canada Post, a Crown corporation, is about to award its own multimillion-dollar relocation services contract and it, too, has effectively blocked U.S. companies from bidding with a requirement that personal information be stored only on computers in Canada.

Securing our Nation against cyber attacks has become one of the Nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network. A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that 'offense must inform defense'. In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008.

A new report from the Progress & Freedom Foundation says that officials in some states want to pass legislation that would extend the Children Online Privacy Protection Act (COPPA) from covering children under 13 to covering teens until they're 18. COPPA, which became law in 1998, requires verifiable parental consent before a child under 13 can provide personally identifiable information to a Web site that caters to children. Expanding the law to cover teens till they're 18, according to the report, would "require Web sites to obtain more information about both minors and their parents, which runs counter to the original goal of the Act: protecting the privacy of minors." Ultimately, say the authors, "this would actually make minors less 'safe online.'" In this podcast, the report's co-author, PFF Senior Fellow Adam Thierer, explains the original COPPA law and why, in his opinion, the expanded law could have a chilling effect on the free speech rights of minors. The podcast runs 11:30

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

A rule requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals of a breach of their unsecured protected health information will become effective September 23, 2009. The "breach notification" regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA). The new "breach notification" regulations apply to HIPAA-covered entities and their business associates. HIPAA covered-entities include health plans, healthcare clearinghouses, and healthcare providers. A business associate is a person or entity (such as a healthcare benefits broker) who, on behalf of the covered entity, performs a function involving the use or disclosure of individually identifiable health information.

"In a case that could prove to be one of the most important privacy rights battles of the modern era, the 3rd U.S. Circuit Court of Appeals will hear argument this week on the proper legal standard to apply when prosecutors demand cell phone location data. The data, which are recorded about once every seven seconds whenever a cell phone is turned on, effectively track the whereabouts and the comings and goings of every cell phone user. Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard. "This court believes that citizens continue to hold a reasonable expectation of privacy in the information the government seeks regarding their physical movements/locations -- even now that such information is routinely produced by their cell phones -- and that, therefore, the government's investigatory search of such information continues to be protected by the Fourth Amendment's warrant requirement," U.S. Magistrate Judge Lisa Pupo Lenihan wrote."

Turn the cell phone off and put on your tin foil hat so the government and aliens can't track you!

"Consumers are often oblivious to the fact that some businesses share a great deal of their personal information with other businesses who deliver targeted behavioral advertising, says Anzen analysts Megan Brister and Jordan Prokopy. In an e-mail interview with IT Business Edge editor Lora Bentley, Brister and Prokopy say most consumers are just not aware of the business practices of companies that use personal information for profit. The Federal Trade Commission recently held meetings with consumer and privacy advocates, business and government leaders to discuss privacy, regulatory, and business issues of online behavioral advertising. It plans plan to ramp up efforts to protect consumers and possibly push for tougher legislation to protect consumers. One issue, Brister and Prokopy say, is the lack of transparency by companies that engage in behavioral advertising. These companies have been slow to adopt clear data-management policies and even when they do have policies, they are often written in language that is difficult to understand. Fortunately for consumers, some type of regulation appears to be on the way. The FTC appears eager to penalize businesses who lack transparency regardless of whether the consumer actually experienced any real negative effects as a result, Brister and Prokopy say."