Group items tagged

"The results of The State of Compliance: 2011, an inaugural study conducted by PwC US and Compliance Week, will be released today at the Compliance Week 2011 6th Annual Conference for corporate financial, legal, risk, audit and compliance officers in Washington, D.C. The report - the first of its kind - identifies a wide range of compliance issues confronting organizations today and will stay current as new companies participate, accurately reflecting the changing compliance landscape."

Vendor Risk Management and Cloud Security Standards Another important consideration when mapping out your cloud GRC strategy is to ensure your vendor risk management program accounts for the new risks that come with moving to the cloud.

"The Need for Risk-Based FCPA Compliance Assessments How To Deal With Increasing FCPA Risks In a Time of Shrinking Budgets In a time of dwindling funds, growing risks, and increased government targeting of companies that cut compliance budgets, a proper anti-corruption assessment is a vital first step in creating a cost-effective compliance program When a warning comes straight from the mouth of the U.S. Government's lead prosecutor in a field directly affecting their bottom line, it is wise for businesses to pay heed. In an interview earlier this year with PBS's investigative journal, "Frontline," Mark Mendelsohn, the Deputy Chief of the U.S. Department of Justice's Fraud Section, which is charged with enforcing the Foreign Corrupt Practices Act ("FCPA"), offered advice to all American businesses dealing with the current global recession. "I think that companies need to be especially vigilant in this economic climate to not cut back [on FCPA compliance]," Mendelsohn said. "Our law enforcement efforts are not going to be scaled back, and so it would be, I think, a grave mistake for a company to take that path.""

Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says Now what? How do we manage and report on this data?

Global risk managers are challenged by new boardroom demands of insurer security, balance sheet transparency, and heightened accountability.

MOUNTAIN VIEW, Calif. - August 4, 2010 - Symantec Corp. (Nasdaq: SYMC) today released the findings of its 2010 Information Management Health Check Survey, which highlights that a majority of enterprises are not following their own advice when it comes to information management. Eighty-seven percent of respondents believe in the value of a formal information retention plan, but only 46 percent actually have one. Survey results also found that too many enterprises save information indefinitely instead of implementing policies that allow them to confidently delete unimportant data or records, and therefore suffer from rampant storage growth, unsustainable backup windows, increased litigation risk and expensive and inefficient discovery processes.

The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents. If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should: The requirement for a mandatory incident-specific risk assessment for every incident The fact that HITECH notification provisions do not pre-empt state notification laws Encryption of data does not necessarily alleviate the risk of data breach If your business associate exposes your protected health information (PHI), you are responsible

Hospitals Are Not Protecting Patient Data; Healthcare Industry Lagging Behind HITECH Standards TRAVERSE CITY, Mich. and PORTLAND, Ore., Nov. 9, 2010 /PRNewswire/ -- The latest benchmark study by Ponemon Institute, sponsored by ID Experts®, finds that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected.  The research indicates that protecting patient data is a low priority for hospitals and that organizations have little confidence in their ability to secure patient records, putting individuals at great risk for medical identity theft, financial theft and embarrassment of exposure of private information.

Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment

"As the volume of electronically stored information (ESI) rises rapidly, improving the understanding among the C-suite, legal and IT functions is key to controlling costs and better managing e-discovery risks."

In today's economic climate, many organizations outsource parts of their business to take advantage of cost savings and solution-expertise. However, as vendor relationships increase, it becomes more difficult to manage them. The risks assumed by outsourcing can be significant without a vendor management program. According to the Ponemon Institute Study - 2009 Security Mega Trends, an average of 50.5% of organizations who outsourced sensitive and confidential data to third parties experienced a security incident or data breach as a result of outsourcing. In this 1-hour live webcast, Michael Rasmussen, President at Corporate Integrity, will share his insights on the importance of vendor management, as well as his recommendations of best practices for defining and executing an effective strategy. Chris Noell, EVP of Product management of TruArx, will then provide a brief overview of how GRC tools such as TruComply can automate key vendor management activities and enable these best practices. In this session, you will learn about: *The importance of vendor management and how it applies to your business *Best practices for defining and executing an effective vendor management strategy *How you can quickly and cost-effectively establish a mature vendor management program

survey also said that cybersecurity issues need to be seen as an enterprise risk management problem rather than an IT issue.

Computerworld - Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute.

A survey of high-risk organisations has found that more than three quarters fail to perform quarterly security and compliance training. According to a survey by enterprise key and certificate management solutions provider Venafi and IT security research provider Echelon One, 77 per cent of respondents failed to perform quarterly security and compliance training while 64 per cent failed to encrypt all of its data in the cloud. However 90 per cent did use encryption throughout the organisation. The survey of 420 enterprises and government agencies also found that almost 100 per cent of respondents had some degree of unquantified or unmanaged risk. When asked if their organisations encrypted data stored in public clouds such as Google Apps, Salesforce.com and Dropbox, 40 per cent said they did not know.

One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of three years ago, you will lose. APT allows organizations to focus on the real threats that exist today. While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities.  What is APT?

"Research finds while most employees believe they understand their company's security policies, a large number have never received any formal policy education or training. How can an organization really ensure people understand risk?"

CERT'S PODCASTS: SECURITY FOR BUSINESS LEADERS: SHOW NOTES Tackling Tough Challenges: Insights from CERT's Director Rich Pethia Key Message: Rich Pethia reflects on CERT's 20-year history and discusses how he is positioning the program to tackle future IT and security challenges. Executive Summary CERT's vision is a securely connected world. CERT's mission is to enable informed trust and confidence in the use of information technology. To achieve this vision and mission, CERT has broadened its perspective to include the full system/software engineering and operations life cycle and is reaching out to thought leaders in the global IT and security community. In this podcast, Rich Pethia, director of the CERT Program at Carnegie Mellon University's Software Engineering Institute, discusses the past, current, and future state of Internet security and CERT's role in tackling future challenges as CERT celebrates its 20th anniversary. PART 1: LOOKING BACK, LOOKING FORWARD: THE GOOD, THE BAD, AND THE UGLY CERT's Vantage Point CERT's vision is a securely connected world, supported by CERT's mission of enabling informed trust and confidence in the use of information technology. As the director of CERT, Pethia has unique access to government, commercial, and industry leaders. The Good News Internet use continues to grow, not just in size (number of people, volume of traffic) but also in utility, for example: * the increasing amount of real government and business operations * the introduction of new applications * the growing use of new mobile appliances User awareness of the need to address security is increasing along with increasing attention from service providers (firewalls, virus protection, anti-spyware, data backup). Developers are paying more attention to building security into their products. Vendors have more mature processes for providing cost-effective, timely updates for software vulnerabilities. Users are more willing

notifying employees of clear rules on what is acceptable and what is not, balancing the need to monitor with the employees' reasonable expectations of privacy and weighing the overall benefits of allowing personal usage against the risks of doing so, are all issues with which managers will be familiar.

For employers, the temptation to utilise sites such as Facebook and MySpace may also lead them into trouble. Some employers view the scanning of such sites for information on prospective employees as legitimate; others view it as distasteful and intrusive (the equivalent of rummaging through a candidate's personal items). Whatever the view, employers adopting this approach would do well to heed the warning of the TUC's guidance on online social networking. This guidance reminds employers that only a minority of potential staff will have a public profile on a social network, so using information from this source can give either an unfair advantage or disadvantage to certain candidates, as well as leaving the employer open to the accusation of discrimination.

Employers have had to grapple with the issues raised by employee use of the Internet for some years and the rise of online social networking presents another challenge. There is no obvious conclusion here; employers will have to do what they consider to be correct in the light of their business concerns, their employee relations and their business culture. The dilemma posed by the heightened risks surrounding online social networking, whether to trust or restrict employees, does not lead to one "right" answer, but there is certainly a "wrong" answer. Given the ever-growing popularity of such sites and the potential consequences for employers of employee misuse, simply ignoring the issue can only lead to problems for the unwary employer.

Defense contractors are under consistent attack by foreign intelligence services attempting to gather intelligence related information, according to a report by the Defense Security Service. Instances of cyber espionage place the U.S.'s competitive advantage, technical lead and military advantage at risk, as well as potentially compromising national security interests.

According to The Wilson Organisation, insurers and underwriters are predicting a rise in white collar extortion as the recession continues to bite and unemployment figures increase. Worryingly many businesses do not have insurance cover for data or business loss. "According to a DTI Information Security Breaches Survey, a third of UK businesses think general business insurance provides full cover for damage to the business arising from data loss," comments Wilsons' Simon Hoare, "but the reality is quite different, with very few businesses likely to be insured against the result of cyber attacks on its most crucial management and business tool - corporate and customer information, most of which is today held on corporate IT systems. "For public company directors, this is in fact in breach of their duties under the Turnbull Report, which requires them to identify, manage and take an informed opinion on the transfer of risks for the business."