WPPS C-Suite News: Group items tagged ethics

sandy ingram

Integrating Ethics and Compliance Into the Entire Organization - 0 views

  • There’s no point investing in and implementing an ethics and compliance program unless the time is spent integrating the program into every aspect of an organization. The need for companies to develop effective ethics and compliance programs has been acknowledged by several government agencies - examples are the SEC in the US and the government in the United Kingdom. Both groups have recently passed legislation or made amendments to existing guidelines, focusing heavily on the importance of ethics and compliance at all levels of an organization - especially at the top.
  • Employees at each level contribute to the success of a company’s ethics and compliance program. Integrating ethics and compliance at each level helps ensure the message from the top makes it all the way down to the lower levels of the organization. Training, messages and other ethics and compliance initiatives must be developed to evolve with employees as they move through the company. That being said, employees at various levels need to be prepared to address different ethical issues they may encounter based on the role they play in the organization.
  • Integrating Ethics in the Middle: In many companies, employees report that the middle level is where ethics and compliance commitments break down. Since many of the lower level employees report directly to those in the middle, a commitment to ethics and compliance from middle managers is equally as important as it is at the top.
  • Top level managers can use a number of techniques to assist mid-level managers in understanding the role they play in creating an ethical workplace.
  • Integrating Ethics at Lower Levels: Lower level employees are usually the ones on the frontlines acting as ambassadors for a company/brand. Ensuring the commitment to ethics and compliance is as strong at the bottom as it is at the top is critical to the success of a fully integrated ethics and compliance program.
  • One of the easiest ways to begin implementing ethics and compliance within lower levels is to provide new hires with extensive training on company expectations and ethics and compliance. During the interview process, ask questions related to ethical situations and decision making. This can be used as a way to ensure new hires are a proper fit with the existing corporate culture.
  • It’s important to remember that ethics training and implementation doesn’t stop here - this is just the beginning.
    "One of the easiest ways to begin implementing ethics and compliance within lower levels is to provide new hires with extensive training on company expectations and ethics and compliance"
sandy ingram

Spreadsheets are inadequate for risk and compliance assessment questionnaires | OCEG - 0 views

  • It gets worse . . . auditors and legal can step in and cry 'foul.' It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one cannot go back and truly state that "this person answered this compliance (a legal process) on this date and time, and we know this is the original answer and it has not been modified." Spreadsheets do not have this level of authentication, access control and audit trail. GRC processes require a robust audit trail so that you know who answered a question and if that answer was modified - spreadsheets do not provide the functionality to cover this.
  • To replace spreadsheets I would look towards governance, risk, and compliance (GRC) management platforms. Vendors in this space include Archer Technologies, Axentis, BWise, MEGA, MetricStream, OpenPages, Paisley, and QUMAS. These vendors, and many more, have integrated content and workflow technologies to manage GRC assessment processes. They are a much better choice over the use of spreadsheets for GRC processes.
    Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says "Now what? How do we manage and report on this data?"
sandy ingram

McAfee Security Insights Blog » Blog Archive » Advanced Persistent Threat (APT) - 0 views

  • APT is the new way attackers are breaking into systems.
  • APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will. 
  • APT focuses on any organization, both government and non-government organizations.
  • While the threat is advanced once it gets into a network, the entry point with many attacks is focused on convincing a user to click on a link.
  • Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection.
  • Today attacks are nonstop. The attackers are persistent and if an organization lets its guard down for any period of time, the chance of a compromise is very high.
  • Attackers want to take advantage of economy of scale and break into as many places as possible, as quickly as possible. 
  • Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break in very quickly.
  • Old school attacks were about giving the victim some visible indication of a compromise. Today it is all about not getting caught.
  • the problem with the APT is that it enters a network and looks just like legitimate traffic and users.
  • Based on the new threat vectors of the APT, the following are key things organizations can do to prevent against the threat:
  • APT is only going to increase in intensity over the next year, not go away.  Ignoring this problem just means there will be harm caused to your organization.
  • The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable an organization is and, most importantly, how quickly you detected it.
    One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of three years ago, you will lose. APT allows organizations to focus on the real threats that exist today. While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities.  What is APT?
sandy ingram

Staff fraud 'on the rise'. Majority still undetected and unreported - 0 views

  • "The vast majority of staff in any organisation are trustworthy and honest. However, businesses are now beginning to realise and understand the scale of the threat posed by the small proportion of staff that act dishonestly and defraud their employer."
  • According to the ACFE 2010 report on occupational fraud the median length of the schemes was 18 months from the time the fraud began until the time it was detected. The median loss caused by the occupational frauds in the report was $160,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more.
  • Historically, the most serious threat from staff fraud has been centred on relatively senior employees in management positions. However, the major threat has now shifted down the organisational hierarchy to more junior members of staff, who have access to, and responsibility for, more confidential customer and payroll data than ever before,"
  • "With as much as 30 per cent of all business failures attributable to employee theft, employers are interested in any device or technique that could detect or prevent employee theft.
  • "Given the present wave of corporate scandals and failures, it is not surprising that organisations are being expected to create strong ethical cultures and select employees who will fit into those cultures. This explains, to some extent, the growing emphasis on integrity testing in the business world.
  • Spitzer has simple advice for businesses who are concerned they may be at risk:
    "Employee theft and fraud is on the increase - and an Australian start-up company believes it has pioneered a means of early detection. According to a recent survey conducted by KPMG, the total funds lifted from organisations came to $345 million - a significant increase from the $301 million of 2008, totalling 174,914 cases. "Employee fraud is a growing concern for organisations in all business sectors both in monetary and reputational terms," says Alon Spitzer, who has founded Integrity Elements, a company specialising in the new field of 'integrity testing and valuation'."
sandy ingram

Study Finds Companies Struggle to Measure Effectiveness of the Compliance Function - 0 views

  • Senior compliance officers at more than 100 leading U.S. companies responded to 28 questions in four key areas critical for the compliance function: leadership, reporting relationships and structure; compliance function scope, focus and risk; metrics to gauge program effectiveness; and budget, staffing and resources. A major finding of the study: One of the biggest obstacles facing Chief Compliance Officers (CCOs) is measuring the effectiveness of their compliance functions - almost 40 percent of the companies surveyed said they make no attempt to measure the effectiveness of their compliance program.
  • “An effective compliance program is the cornerstone of cooperation credit allowed under the U.S. Sentencing Guidelines and stakeholders are demanding much higher transparency in how compliance risk is effectively managed,” said Miles Everson, PwC principal and global and U.S. risk and compliance leader.
  • “Without a clear measure of the compliance department’s effectiveness, much else is in jeopardy. Lacking this,
  • how does the board know that compliance risks are effectively addressed?  Let alone that the compliance function itself is effective? 
  • According to the study, a critical element to the compliance department’s success is the perceived stature of the CCO and his or her influence among other top leadership.
  • “It’s essential that the compliance function have visibility and direct access both to senior executives in the organization and to the board or one of its committees,” added Everson. “This access helps keep risk and compliance issues on the company’s agenda and lets key ethics and compliance issues surface in a timely fashion.”
  • The State of Compliance survey also provided another interesting glimpse into corporate compliance when it asked about reporting structures. Regulators have long preferred that a company’s top compliance officer report directly to the board, and just last year the U.S. Sentencing Guidelines were revised to state more clearly that CCOs should not be, nor report to, the general counsel.
  • PwC and Compliance Week also found that, over the next 18 months, CCOs anticipate significant challenges when it comes to risk - and that when issues arise, they expect the consequences to be severe.
  • When asked about several high-level categories of risk, such as compliance risk, security risk, reputational risk and others, 48 percent believed the likelihood of a compliance failure was high or very high. 
  • What's more, 65 percent of respondents felt the impact of a compliance risk event, should it occur, would be high or very high. 
  • Effective compliance programs need input and guidance from many different voices in the company (IT, internal audit, finance, security). It is in the company’s benefit for the compliance department to borrow resources from those teams to achieve its goals, rather than build its own expertise in each department.
    "The results of The State of Compliance: 2011, an inaugural study conducted by PwC US and Compliance Week, will be released today at the Compliance Week 2011 6th Annual Conference for corporate financial, legal, risk, audit and compliance officers in Washington, D.C. The report - the first of its kind - identifies a wide range of compliance issues confronting organizations today and will stay current as new companies participate, accurately reflecting the changing compliance landscape."