IT Compliance Advisor


February 18, 2011  2:25 PM

Potential card fraud victims say it’s the response that matters

Ben Cole

SearchCompliance.com recently wrote about how victims of cybercrime are often consumers targeted via their personal-use technology, such as handheld devices. Now, another report is reinforcing that cybercrime is on the rise and highlighting the importance of customer service and response when online fraud occurs.

ACI Worldwide’s “2010 Global Card Fraud Survey,” which polled 4,200 consumers in 14 countries, shows that 29% of consumers across eight major economies have been victims of credit card fraud in the past five years. However, there’s good news in there for the breached establishments: 79% of these victims were satisfied with the response from their financial institutions.

To be sure, credit card fraud might push some customers to seek greener pastures. As a result of being a card fraud victim or knowing someone who was, 41% of survey respondents say they would change or consider changing their financial institution.

But 45% of respondents say their decision would depend on the quality of service they received in the wake of the incident. The main indicator for customer satisfaction is the speed at which money was refunded following fraud (34%), followed by the ability of financial institutions to identify the fraud before account holders become aware of it (27%). For American consumers, their bank's ability to identify the fraud before they do (40%) matters more than its success in getting the money back quickly (32%).

Even with the most innovative, cutting-edge cybercrime-prevention strategies in place, cunning criminals often find a workaround. Luckily for the financial institutions, it appears that consumers trust their banks to protect their assets and truly appreciate their banks’ swift responses when unfortunate circumstances strike: Of those surveyed, 81% have confidence in their financial institution to protect them from online card fraud, and only 19% of consumers feel that their banks could do more to protect them.

When fraud hits, timely notification on the part of the bank is probably the best way to placate customers: More than half of the survey’s respondents say they want their bank to contact them if they notice suspicious activity on their card.

Jasbir Anand, lead solutions consultant at ACI Worldwide, said in a statement that it is clear that financial institutions and processors are working to combat card fraud and protect potential fraud victims — and this is paying dividends in terms of customer satisfaction.

“However, fraud is constantly changing and, looking forward, the industry will need to increase focus on identifying identity theft and assisting victims to maintain this improvement in customer experience,” Anand said.

It seems that a quick, honest response when your system has been breached is the most appropriate way to keep your customers happy (or as happy as they can be when confronted with cybercrime). If customer communication isn’t your financial institution’s strong point, you could lose more than money: Your customers’ hard-earned trust could walk out the door with it.

February 14, 2011  8:48 PM

Security solutions can take the worry out of cloud compliance

Frank Ohlhorst

Many compliance officers look at the cloud with suspicion, concerned with just how much data they can move there and still maintain cloud compliance. The central issue here is exposing critical data to interception, as well as preventing the loss of data.

This poses a difficult challenge: data in motion, either on a local area network (LAN) or the Internet, needs the same rock-solid protection regardless of the transport mechanism being used. This, in itself, is difficult because the security solutions used with LANs are more robust and controllable than those available over the Internet. The security imbalance prevents compliance-bound data from traveling over the Internet and so prevents the use of low-cost cloud services.

The answer to this imbalance lies in applying effective security solutions to each element involved in the storage and transmission of data. This is relatively simple for compliance officers to accomplish on the local level, but much more difficult to accomplish in the cloud.

Simply put, if the level of protection for data is consistently enforced throughout its journey, then cloud compliance shouldn't be a problem. The key element becomes the creation, application and enforcement of that one consistent protection policy, wherever the data happens to be.

When looking to secure the cloud for compliance purposes, it is important for compliance officers to make sure a security solution offers scalability, automation and auditing, and has adequate speed to meet traffic needs. It is the cloud, ironically, that creates the security problems, but it takes a cloud service to solve them.

All is not lost. Security technology, working hand-in-hand with policy-driven enforcement, is starting to transform into cloud-based services. For example, CloudPassage, a cloud services company, has ambitions to transform how security is accomplished across a broad, multi-connected enterprise using commonly accepted concepts.

CloudPassage's approach to the problem is an interesting one compared with those of its competitors. It delivers security as a service (SaaS) for public and private clouds: the product acts as a virtualized firewall, but it also pushes security policies down to the servers anchoring both private and public clouds. This hybrid approach should enable delivery of security solutions that meet cloud compliance needs while still allowing businesses access to clouds.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.


February 7, 2011  7:23 PM

SOX compliance possible for smaller companies with proper preparation

Ben Cole

A few months ago, SearchCompliance.com wrote about the difficulties smaller firms sometimes have with SOX compliance. But Abiomed, a Massachusetts medical device manufacturer with approximately 350 employees, says there are reasonably priced GRC systems on the market to help a small company meet requirements — you just have to do your homework.

During a webcast last week, Abiomed CIO Sharon Kaiser suggested using a GRC tool to manage compliance-related changes through the request, development, testing and approval stages and on into production. Tools that capture audit reporting information and support your business processes with automated workflows can help too.

Kaiser suggested seven key points to remember when seeking SOX compliance:

  • Don’t tolerate energy-sapping manual processes.
  • Understand management’s need for GRC data.
  • Look for a solution that meets your needs and is manageable for your company.
  • Seek to “embed compliance” — automate capture of audit data at the time of execution.
  • Enable ad hoc, on-demand audit reporting.
  • Look for tools that will streamline routine IT operations.
  • Embrace GRC — view it as a tool for innovation.

Kaiser went so far as to say that SOX audits do not have to be quite so time consuming, and deployment for Abiomed was “quick and painless.” However, she added that it is necessary to be prepared and plan the transition, to understand what you are getting, and to determine what functionality you will use and how.

This is all good advice. In a previous article, contributor Adrian Bowles wrote that “it is still too difficult for small shops to deal with separation/segregation of duties, which require that different people have access to applications and data throughout the lifecycle to provide adequate controls against fraud.” Bowles added that in smaller companies, one person may have multiple roles at different times, making compliance “a thorny issue.”

But Abiomed shows that it is possible for a smaller company to achieve compliance by using proper planning and distribution of duties. After the company decided to re-evaluate how it wanted to define and manage SOX compliance, it hired an outside auditing company for an initial SOX assessment. The company then put together a project plan to conduct a business and financial risk assessment, identify key controls for each major risk area, and create a control matrix for only the key controls and develop the associated test plan.

Abiomed decided that business and IT needed to organize around defined policies, that new processes were needed to handle events such as personnel role changes and their impact on authorizations, and that training was important so people understood their role in SOX compliance. The company also identified challenges, such as a limited IT staff that nonetheless has to be knowledgeable about IT SOX controls, and it reduced the time, expense and distraction associated with manual audits.
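The segregation-of-duties problem Bowles raises, and the role-change handling Abiomed built processes for, come down to one mechanical check: does any one person hold two roles that a key control says must be held by different people? The following is an added example, not Abiomed's or any GRC vendor's code; the role names, the conflict pairs, the control labels (CM-01 and so on) and the user-to-role assignments are all constructed for illustration and would normally come from the identity system and the control matrix.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not Abiomed's or any GRC vendor's code. The role names,
the conflict pairs, the control labels and the user-to-role assignments
are constructed for illustration; in practice they would come from the
identity system and the control matrix.
"""
from itertools import combinations

# Constructed conflict matrix: pairs of roles that one person must not hold
# at the same time, each mapped to the key control it protects.
SOD_CONFLICTS = {
    frozenset({"change_developer", "change_approver"}): "CM-01 change approval",
    frozenset({"change_developer", "production_deployer"}): "CM-02 release to production",
    frozenset({"ap_invoice_entry", "ap_payment_release"}): "AP-03 payment authorization",
    frozenset({"user_provisioning", "access_reviewer"}): "AC-05 access review",
}

# Constructed assignments for a small shop where one person wears several hats.
ASSIGNMENTS = {
    "alice": {"change_developer", "change_approver"},
    "bob": {"production_deployer"},
    "carol": {"ap_invoice_entry", "ap_payment_release", "access_reviewer"},
    "dave": {"user_provisioning"},
}


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b, control) tuples for every
    conflicting pair of roles held by the same person."""
    violations = []
    for user, roles in assignments.items():
        for role_a, role_b in combinations(sorted(roles), 2):
            pair = frozenset({role_a, role_b})
            if pair in conflicts:
                violations.append((user, role_a, role_b, conflicts[pair]))
    return sorted(violations)


def reassignment_candidates(user, role, assignments, conflicts=SOD_CONFLICTS):
    """Other users who could take over `role` from `user` without creating a
    new conflict with the roles they already hold."""
    candidates = []
    for other, roles in assignments.items():
        if other == user:
            continue
        if all(frozenset({role, held}) not in conflicts for held in roles):
            candidates.append(other)
    return sorted(candidates)


def sod_report(assignments, conflicts=SOD_CONFLICTS):
    """One line per violation plus who could absorb each role. An empty
    candidate list means no reassignment is possible and a compensating
    control (independent review of the audit trail) is needed instead."""
    lines = []
    for user, role_a, role_b, control in find_sod_violations(assignments, conflicts):
        lines.append(f"{user}: {role_a} + {role_b} violates {control}")
        for role in (role_a, role_b):
            who = reassignment_candidates(user, role, assignments, conflicts)
            lines.append(f"  move {role} to: {', '.join(who) or 'nobody (compensating control required)'}")
    return lines


if __name__ == "__main__":
    print("\n".join(sod_report(ASSIGNMENTS)))
```

Run on every role change, not just at audit time; the point of embedding compliance is that a reassignment which would create a conflict is caught when it is requested, and the report (or the compensating control it demands) is the audit evidence.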

Abiomed’s experience shows that SOX compliance for smaller companies does not have to be time-consuming or expensive — if companies do their homework and adequately prepare.


February 2, 2011  6:10 PM

Compliance solutions must be tied to IT management solutions

Frank Ohlhorst

If you look closely at the software specifically designed for compliance officers, it all shares the same set of functions: helps define policies, carries out auditing and reporting functions, and remediates. This clean, three-step process looks like a sensible way to deal with regulatory compliance.

But in the real world, things are never this straightforward. In fact, I’m beginning to think that IT-enforced compliance has to be approached in a whole new way. Instead of compliance solutions being bolted on top of IT management solutions, compliance software needs to become part of IT management’s DNA.

This approach would signal a paradigm shift in how compliance becomes interwoven with desktop management, security and IT policy enforcement. The problem is that so few solutions offer a foundation that integrates compliance with traditional day-to-day IT operations.

Even with this foundation available, it raises questions for harried compliance officers: Can IT management solutions deliver relief? Can policy generation tools enforce remediation? Do audits have to deliver only bad news?

Answers to these questions (and many others) could come from thinking about compliance as part of the infrastructure and resource management at the platform level. In other words, a unified approach that weaves the DNA of compliance with that of IT asset management, patch management, provisioning and auditing.

I can’t think of a solution today that offers all of this, as well as the ability to grow and keep pace with ever-changing enterprise-class infrastructures. But there may be hope. Recently I came across a startup, Puppet Labs, which is transforming itself from a services provider to a software company.

The company's new product, called Puppet Enterprise, is a data center automation and configuration management platform built on the open source Puppet framework. While not a compliance solution per se, it can serve as a policy-driven IT management platform which IT shops can use to incorporate compliance auditing and remediation at the provisioning level: the desired state of each system is declared once, and that same declaration is used both to report drift and to correct it.
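What "auditing and remediation at the provisioning level" means in practice is that one declared desired state is evaluated twice: first in a no-op mode that only reports drift (the evidence an auditor wants) and then in an enforcing mode that corrects it. The following is an added example, not Puppet's code, that shows the pattern on a single file resource; the policy format, the sample sshd_config file and its drifted contents are constructed for the demonstration.

```python
"""Audit-then-remediate a declared file policy, with an audit trail.

Added example, not Puppet's code: a minimal stand-in for the pattern the
post describes, in which one declared desired state is first checked in
audit (no-op) mode and then enforced, and every decision is logged for
the auditor. The policy format and the sample file are constructed.
"""
import os
import stat
import tempfile


def check_file(path, want):
    """Compare one file against its desired state. Returns the list of
    drift findings ('missing', 'mode', 'content'); empty means compliant."""
    if not os.path.exists(path):
        return ["missing"]
    findings = []
    actual_mode = stat.S_IMODE(os.stat(path).st_mode)
    if actual_mode != want["mode"]:
        findings.append("mode")
    with open(path) as fh:
        if fh.read() != want["content"]:
            findings.append("content")
    return findings


def apply_policy(policy, enforce=False):
    """Evaluate `policy` (constructed format: path -> {'content', 'mode'}).

    In audit mode (enforce=False) drift is reported but nothing changes,
    which is what you hand to an auditor. In enforce mode the same policy
    is used to correct the drift. Returns (path, status, detail) tuples.
    """
    trail = []
    for path, want in policy.items():
        findings = check_file(path, want)
        if not findings:
            trail.append((path, "compliant", ""))
        elif not enforce:
            trail.append((path, "drift", ",".join(findings)))
        else:
            with open(path, "w") as fh:
                fh.write(want["content"])
            os.chmod(path, want["mode"])
            trail.append((path, "remediated", ",".join(findings)))
    return trail


def run_demo(base_dir=None):
    """Create a deliberately drifted config file, then audit, enforce and
    re-audit it. Returns the three audit trails."""
    base_dir = base_dir or tempfile.mkdtemp()
    path = os.path.join(base_dir, "sshd_config")   # constructed sample file
    policy = {path: {"content": "PermitRootLogin no\n", "mode": 0o600}}
    with open(path, "w") as fh:
        fh.write("PermitRootLogin yes\n")           # drifted content
    os.chmod(path, 0o644)                             # drifted mode (world-readable)
    before = apply_policy(policy, enforce=False)
    fixed = apply_policy(policy, enforce=True)
    after = apply_policy(policy, enforce=False)
    return before, fixed, after


if __name__ == "__main__":
    for trail in run_demo():
        for entry in trail:
            print(*entry)
```

The audit trail is the compliance artifact: a "drift" entry with no matching "remediated" entry is an open finding, and the mode and content checks are the same code path in both runs, so the auditor is looking at exactly what the enforcement did.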



January 25, 2011  6:51 PM

Cloud computing services can turn compliance pain into compliance gain

Frank Ohlhorst

Bound by what they feel are overly strict compliance regulations, many companies are shying away from cloud computing services. On the surface, their reasons for this may appear to be sound. But when you drill down a little deeper, they may not prove so sound.

Organizations saying no to cloud computing services do so based on either misinformation or unverified assumptions. Put bluntly, these companies use compliance as an excuse to rationalize their fear of change. These irrational fears will likely come back to bite them, however, because surviving in today's dog-eat-dog environment depends on embracing, not running from, new technologies.

The bigger issue here involves the word cloud. Once uttered, most compliance officers automatically associate it with publicly available services routed across the Internet. But nothing in the definition of cloud requires that it be publicly accessible, and this is where many organizations make their mistake. The fact is, cloud computing services can turn compliance pain into gain, although there are a few caveats.

First, going to the cloud doesn't mean putting your databases into the ether. Cloud is just a catchall term for services delivered other than through the traditional client/server model. For example, a business can run a private cloud with no connectivity to the Internet, use it to build Web-based applications that replace legacy apps, and in doing so add layers of auditable security.

Private cloud-based applications can be designed to keep all data off PCs' local hard drives. Taking this one step further, organizations can virtualize desktop systems and deliver them to users over the internal network, still maintaining control over the data flowing from the internal Web server to the user.

This trend bodes well for compliance officers because the user's ability to toy with the data is severely limited. Companies such as Oracle, IBM and Microsoft are all beginning to tout the security advantages of private clouds for consolidating databases, preventing breaches and improving management of data.

The moral of this story is to not close the door on the cloud. Not until you have carried out due diligence by evaluating your current levels of security and thought through how a private cloud can actually give you better control of your data.



January 14, 2011  5:42 PM

PCI DSS 2.0 changes ‘virtually’ improve IT compliance ROI and TCO

Frank Ohlhorst

Most compliance officers know the change in calendar years brings with it operational changes driven by new legislation. And with the broad assortment of new rules and regulations kicking in this month, 2011 will be no different than any other year.

But it is not the expected regulatory changes by themselves that will have the biggest impact on how compliance strategies evolve this year. Rather, it will be the impact of their hidden changes that hit the hardest.

For example, take the Payment Card Industry Data Security Standard (PCI DSS) 2.0 standard, which brings with it several changes to how credit card transactions should be processed. Arguably, the most significant of these changes is the acknowledgement of virtualization.

Under PCI DSS 1.2.1, requirement 2.2.1 (implement only one primary function per server) was widely read as meaning each function needed its own dedicated processor, storage and memory, creating a tangible, physical separation of functions. PCI DSS 2.0 changes that by explicitly recognizing virtualization: the requirement now states that where virtualization technologies are in use, one primary function per virtual system component is sufficient, so the functional segregation can take place between virtual machines.

This may not seem like a big deal for many compliance officers. They may feel it is merely an acknowledgement of technology that has become entrenched in the data center. In practice, however, PCI 2.0 proves to be one of the biggest advances for those bound by version 1.2.1’s archaic rules.

With PCI 2.0, the money-saving capabilities of virtualization can now be realized. Implementers can reduce server footprints, require fewer physical machines, and lower electrical and management costs. The caveat is that the hypervisor and the other virtual components (virtual switches, virtual appliances) become in-scope system components in their own right, to be hardened, segmented and audited like any other; putting an in-scope VM on the same host as out-of-scope workloads is an invitation to a scope argument with your assessor.

The lesson this story teaches is you need to look closely at the true impact of compliance rule changes. These new technologies and accompanying rule changes can significantly improve ROI and lower the total cost of ownership (TCO) compared to many compliance regulations of the past.

And, as such, an expensive burden can actually become the pathway to savings.



December 21, 2010  3:06 PM

Complex technologies complicate compliance officers’ role in 2011

Frank Ohlhorst

The task chief compliance officers face in routinely crafting multifaceted solutions involving complex technologies doesn’t figure to get simpler any time soon.

Complexity is usually the enemy of any working process. The more complex a technology or environment, the more likely the process will fail. Nowhere is this more evident than in the compliance arena, where the rules and regulations change as frequently as the technology it must work hand in glove with.

So the question compliance officers need to ask is: How do I deal with the complexities of IT change? As a number of complex technologies take deeper root over the course of 2011, it will be an important question to answer.

For instance, many companies are piloting virtual desktop infrastructure (VDI) projects, setting the stage for a future in which PC operations take place back in the data center and desktop PCs are reduced to little more than dumb terminals. Because the promise of VDI is multifaceted, including the hope that it will solve many security and support problems, many are predicting that VDI will become prevalent in 2011.

But if you ask most VDI projects leaders how VDI affects compliance, you will get a blank stare. While there is plenty of finger pointing to go around in cases like this, it all comes down to simple communication. However, nothing is simple with compliance, even communications. The very nature of compliance leads to secrecy, and that secrecy is both the enemy and ally of IT projects.

Similar issues are bound to arise as virtualized applications, Software as a Service solutions and even cloud computing initiatives take hold in the enterprise, all of which will continue to be hot technologies well into 2011 and beyond.

Meeting the challenge of new IT implementations will take more than a little finesse on the part of the harried compliance officer, as he or she becomes enveloped in network security, technology planning, human resources and executive management.

Happily, many vendors have recognized the dilemma facing compliance officers and are launching services to help with compliance. EMC, for instance, has announced expanded consulting services to help organizations meet the Payment Card Industry Data Security Standard 2.0, which becomes effective Jan. 1. Other vendors are sure to follow with services and solutions aimed to accelerate compliance. It would be nice if these vendors decide not to wait until just a month before a new standard hits the streets to announce plans to help.



December 13, 2010  4:05 PM

WikiLeaks shows how better compliance technology can protect data

Frank Ohlhorst

The latest WikiLeaks debacle hopefully pounds home the point to corporate IT shops why implementing sound compliance technology can better protect data, and what the consequences can be if they do not.

Whether or not people take heed, compliance issues are certainly coming to the forefront in most analyses of the latest WikiLeaks flap. But in most of these analyses, it is unmistakable how ineffective technology was at enforcing compliance.

Consider this: There is an abundance of compliance requirements, including regulation for consumer credit reporting (FCRA), for merchants handling card data (PCI DSS), for public companies (Sarbanes-Oxley), for health information privacy (HIPAA, enforced by HHS) and for children's online privacy (COPPA), as well as regulations for insurance, securities trading, telecom and many more.

Most, if not all, of these requirements rely on technology to enforce compliance. WikiLeaks teaches us that it is the human factor and not technology that leads to the most damaging of breaches. All it takes is one disgruntled employee to destroy the security around intellectual property, private data or corporate secrets. But how can one build technology to prevent that?

There is no simple answer. Perhaps the only way to handle these situations is with the threat of severe penalties, and therein lies the secret to compliance technology. Enforcing severe penalties requires incontrovertible evidence, and in this particular case technology that monitors activity and audits usage becomes the key to plugging leaks. That evidence is only incontrovertible, however, if the audit trail is kept out of reach of the very users it records.

If users are properly educated on the implications and penalties involved in disseminating unauthorized information, and are informed that access is tracked in numerous ways, perhaps technology can prevent the issues now plaguing the U.S. Defense and State Departments.



December 10, 2010  1:56 PM

Microsoft unveils online privacy features for Internet Explorer 9

Ben Cole

On the heels of the Federal Trade Commission report encouraging the creation of an online “Do Not Track” mechanism, Microsoft has announced that its upcoming release of Internet Explorer will include Tracking Protection, a feature designed to give users more online privacy protection.

Tracking Protection, which will debut in Internet Explorer 9 (IE9), will identify and block multiple forms of undesired tracking, according to a Microsoft blog post announcing the feature. In addition, "tracking protection lists" will let consumers control which third-party site content can track them while they are online.

“We believe that the combination of consumer opt-in, an open platform for publishing Tracking Protection Lists, and the underlying technology mechanism for Tracking Protection, offer new options and a good balance between empowering consumers and online industry needs,” said Microsoft corporate vice president Dean Hachamovitch.

Anyone can author and publish the tracking protection lists, and consumers can install more than one. By default, there are no lists included in IE9, which Microsoft says is consistent with previous IE releases with respect to privacy.

The lists include Web addresses for IE to treat as "Do Not Call" unless the consumer visits the address directly; that is, the browser will not fetch content from those addresses when it is embedded in some other site's page. The lists can also include "OK to Call" addresses to make sure that the user can still get to those addresses even if another installed list has them as "Do Not Call." Once the consumer has turned on tracking protection, it remains on until the person turns it off.
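The precedence rules above (direct visits are never blocked, first-party content is unaffected, an "OK to Call" entry in any installed list beats a "Do Not Call" entry in any list) are easy to get wrong when several lists from different publishers are installed. The following is an added example, not Microsoft's code; it uses a simplified, constructed list syntax and constructed sample lists, and its first-party test (last two host labels) is a stand-in for a proper public-suffix check.

```python
"""Decide whether IE9-style Tracking Protection should block a request.

Added example, not Microsoft's code. It implements the precedence the
post describes (an "OK to Call" entry in any installed list overrides a
"Do Not Call" entry in any list, and a site visited directly is never
blocked) using a simplified, constructed list syntax and constructed
sample lists.
"""
from urllib.parse import urlsplit


def parse_list(text):
    """Constructed syntax: '-d host' is Do Not Call, '+d host' is OK to Call,
    '#' starts a comment. Entries match the host and all its subdomains."""
    do_not_call, ok_to_call = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, host = line.partition(" ")
        host = host.strip().lower()
        if kind == "-d" and host:
            do_not_call.add(host)
        elif kind == "+d" and host:
            ok_to_call.add(host)
        else:
            raise ValueError(f"bad entry: {raw!r}")
    return do_not_call, ok_to_call


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def matches(host, patterns):
    return any(host == p or host.endswith("." + p) for p in patterns)


def same_site(a, b):
    """Simplification: the last two labels stand in for the registrable
    domain (a real implementation would consult the public suffix list)."""
    return a.split(".")[-2:] == b.split(".")[-2:]


class TrackingProtection:
    def __init__(self):
        self.enabled = False   # off by default, and no lists installed
        self.lists = []        # (do_not_call, ok_to_call) per installed list

    def install(self, text):
        self.lists.append(parse_list(text))

    def decide(self, page_url, resource_url):
        """Return (verdict, reason). page_url is None for direct navigation."""
        host = host_of(resource_url)
        if not self.enabled:
            return ("allow", "protection off")
        if page_url is None:
            return ("allow", "visited directly")
        if same_site(host_of(page_url), host):
            return ("allow", "first party")
        if any(matches(host, ok) for _, ok in self.lists):
            return ("allow", "OK to Call entry wins")
        if any(matches(host, dnc) for dnc, _ in self.lists):
            return ("block", "Do Not Call entry")
        return ("allow", "not listed")


# Constructed sample lists, as two different publishers might ship them.
LIST_A = """
# constructed
-d tracker.example
-d ads.example
"""
LIST_B = """
-d cdn.example
+d ads.example   # this publisher vouches for ads.example
"""

if __name__ == "__main__":
    tp = TrackingProtection()
    tp.install(LIST_A)
    tp.install(LIST_B)
    tp.enabled = True
    page = "https://news.example/story"
    for res in ("https://tracker.example/pixel.gif", "https://ads.example/ad.js",
                "https://static.news.example/site.css", "https://other.example/"):
        print(res, tp.decide(page, res))
```

The design consequence worth noticing is that any installed list can punch a hole in every other list's blocks, so the trust a user places in a list publisher is as much about its "OK to Call" entries as its "Do Not Call" ones.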

Microsoft representatives said they designed the feature so users can have a clear opt-in mechanism that enables more control over sharing their browsing information. There has been speculation that the FTC’s proposed “Do Not Track” mechanism could harm companies that rely on advertisements geared towards users based on Internet activity.

In response, Microsoft said the enhanced privacy settings in IE9 simply represent an evolution in privacy and security tools that are available to users in Internet Explorer 8.

“IE9’s privacy settings, like those contained in IE8, will not be on by default, but they will allow users to create lists of sites they wish to share information with, as well as sites they do not wish to share information with,” wrote Rik van der Kooi, corporate vice president of Microsoft’s advertiser and publisher solutions group, on the Microsoft Advertising Blog. “The settings do not take a position on managing information; instead, they provide an improved platform for consumers to exercise choice.”

Currently available in beta, IE9 is scheduled for final release in 2011.


December 7, 2010  4:38 PM

Can you help us predict the IT compliance future?

Ben Cole

What will be the issues, trends and developments that will have the biggest impact on the IT compliance world in 2011? We here at SearchCompliance.com have our own thoughts about that, but we would like to know what you think.

Will the proposed national cybersecurity bill give the government too much control over the Internet? Will this be the year that most companies get serious about formulating comprehensive e-discovery programs that properly harness the power of social media tools? Will proposed online consumer protection efforts, such as the recent “Do Not Track” option outlined by the FTC, result in new standards for the industry? Which new technologies do you think have the potential to change IT compliance as we know it?

So after you have spent some quality time with your crystal ball, let us know what you think by emailing Executive Editor Ed Scannell at escannell@techtarget.com or me, Associate Editor Ben Cole, at bjcole@techtarget.com. We’ll incorporate these ideas, along with our own humble opinions, in an upcoming article next month. We will also use some of your ideas to develop stories that will be included in our 2011 SearchCompliance.com editorial calendar.

