Group items tagged

"The Need for Risk-Based FCPA Compliance Assessments How To Deal With Increasing FCPA Risks In a Time of Shrinking Budgets In a time of dwindling funds, growing risks, and increased government targeting of companies that cut compliance budgets, a proper anti-corruption assessment is a vital first step in creating a cost-effective compliance program When a warning comes straight from the mouth of the U.S. Government's lead prosecutor in a field directly affecting their bottom line, it is wise for businesses to pay heed. In an interview earlier this year with PBS's investigative journal, "Frontline," Mark Mendelsohn, the Deputy Chief of the U.S. Department of Justice's Fraud Section, which is charged with enforcing the Foreign Corrupt Practices Act ("FCPA"), offered advice to all American businesses dealing with the current global recession. "I think that companies need to be especially vigilant in this economic climate to not cut back [on FCPA compliance]," Mendelsohn said. "Our law enforcement efforts are not going to be scaled back, and so it would be, I think, a grave mistake for a company to take that path.""

Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says Now what? How do we manage and report on this data?

The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents. If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should: The requirement for a mandatory incident-specific risk assessment for every incident The fact that HITECH notification provisions do not pre-empt state notification laws Encryption of data does not necessarily alleviate the risk of data breach If your business associate exposes your protected health information (PHI), you are responsible

Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment

A survey of high-risk organisations has found that more than three quarters fail to perform quarterly security and compliance training. According to a survey by enterprise key and certificate management solutions provider Venafi and IT security research provider Echelon One, 77 per cent of respondents failed to perform quarterly security and compliance training while 64 per cent failed to encrypt all of its data in the cloud. However 90 per cent did use encryption throughout the organisation. The survey of 420 enterprises and government agencies also found that almost 100 per cent of respondents had some degree of unquantified or unmanaged risk. When asked if their organisations encrypted data stored in public clouds such as Google Apps, Salesforce.com and Dropbox, 40 per cent said they did not know.

I found that the agencies generally saw between 25 and 50 percent savings in moving to the cloud. For the federal government as a whole, this translates into billions in cost savings, depending on the scope of the transition. Many factors go into such assessments, such as the nature of the migration, a reliance on public versus private clouds, the need for privacy and security, the number of file servers before and after migration, the extent of labor savings, and file server storage utilization rates. Based on this analysis, I recommend five steps be undertaken in order to improve efficiency and operations in the public sector: the government needs to redirect greater resources to cloud computing in order to reap efficiencies represented by that approach, the General Services Administration should compile data on cloud computing applications, information storage, and cost savings in order to determine possible economies of scale generated by cloud computing, officials should clarify procurement rules to facilitate purchasing through measured or subscription cloud services and cloud solutions appropriate for low, medium, and high-risk applications, countries need to harmonize their laws on cloud computing to avoid a "Tower of Babel" and reduce current inconsistencies in regard to privacy, data storage, security processes, and personnel training, and lawmakers need to examine rules relating to privacy and security to make sure agencies have safeguards appropriate to their mission.

More enforcement coming SOX 404(b) will matter FCPA compliance Focus on risk management

Existing cloud users are satisfied. Security is not considered to be an issue

The White House proposal, which is a comprehensive cybersecurity plan, includes a provision directing the Department of Homeland Security (DHS) "to exercise primary responsibility within the executive branch for information security. This includes implementation of information security policies and directives and compliance" with FISMA, except for national security systems.