IT Compliance Advisor

April 28, 2011  7:16 PM

Don’t become a victim of your corporate compliance program

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

For many executives, corporate compliance programs can be a double-edged sword. Take, for example, the recent resignation of Gary D. Henley, president and CEO of orthopedic device maker Wright Medical Group Inc.

Henley tendered his resignation as president and chief executive just prior to the board of directors reviewing an ongoing corporate compliance program at the company. Wright Medical said the board accepted Henley’s resignation but deemed it to be without “good reason,” and thus Henley isn’t entitled to severance pay. The board also fired another executive for issues related to the company’s corporate compliance program.

The Arlington, Tenn., company didn’t describe the specific compliance issues being reviewed. However, as part of a deferred prosecution agreement with the U.S. government over allegations that Wright Medical improperly paid doctors to use its devices, the company agreed to meet certain compliance obligations. This included subjecting its physician consulting arrangements to review by a federally appointed monitor.

In addition to the CEO resignation, the board fired Frank S. Bono, senior vice president and chief technology officer (CTO), for “failing to exhibit appropriate regard for the company’s ongoing compliance program.”

The Wright Medical story — and others like it — highlights how severe an impact compliance problems can have on an organization. That should prompt CTOs and other executives to consider the impact of compliance problems and if their jobs are indeed on the line.

The key here is not to minimize the importance of corporate compliance programs or think that others may take the fall if a compliance initiative fails. Use the example above to plan for the worst and to make sure the appropriate budget and resources are in place to prevent compliance problems from taking your job.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.

April 22, 2011  8:21 PM

Increased regulations keep regulatory compliance atop list of concerns

Ben Cole Ben Cole Profile: Ben Cole

It’s no secret that compliance regulations have expanded in scope and multiplied in the last few years. New survey results from the Information Systems Audit and Control Association (ISACA) show IT and the rest of the business may be paying attention.

Regulatory compliance was predicted to be the top business issue affecting enterprise information technology in the next 12 months, according to ISACA’s Top Business/Technology Issues Survey Results 2011 report.

“The increase in regulations, data breaches and new technologies such as cloud computing and the rise of personal technology in the workplace are accelerating complexity and risk,” according to an ISACA statement. The problem is exacerbated as enterprises try to manage growth while dealing with the growing number of compliance regulations and standards.

The key business issues affecting IT, according to the survey’s findings, are:

  • Regulatory compliance
  • Enterprise-based IT management and governance
  • Information security management
  • Disaster recovery/business continuity
  • Challenges of managing IT risks
  • Vulnerability management
  • Continuous process improvement and business agility

ISACA also noted that new or changed regulations expected to impact enterprise IT in the next 12 to 18 months include the Basel standard for internationally active banks; the Dodd-Frank Wall Street Reform and Consumer Protection Act; regulations related to personally identifiable information; Do Not Track mechanisms for consumers; Solvency II regulatory requirements for insurance firms; and meaningful use standards established by the Health Information Technology for Economic and Clinical Health Act. The report also pointed to “an overall tightening of tax and privacy regulations worldwide.”

The key technology areas that respondents felt would be most important to regulatory compliance include the implementation of technology to support segregation of duties, privileged access monitoring and management of the compliance process.

As enterprises face the need to comply with multiple regulations and standards, they implement automated solutions to track and report upon the varying compliance controls in an attempt to make the compliance process more efficient, according to ISACA. This can cause headaches: The costs associated with managing and implementing systems to protect companies from the loss of personally identifiable information were among the top concerns mentioned by survey respondents.

And the concerns don’t end there: Technology trends such as cloud computing, mobile devices and social media will also impact the issues discussed above. As ISACA noted, these technologies will increasingly become part of an enterprise’s architecture and surely impact areas such as business continuity, IT risk, regulatory compliance and information security.

The number of data breaches still in the news shows that, despite the increase in regulations, not enough is being done. The slew of new regulations is ultimately aimed at trying to help protect companies and their customers — and having a sound compliance management strategy in place would benefit both of these groups.

April 1, 2011  6:20 PM

BP, Google keep corporate privacy policies in the limelight

Ben Cole Ben Cole Profile: Ben Cole

It’s been an eventful week in IT compliance, as the privacy policies at two high-profile companies came under the microscope.

Google Inc. agreed to settle Federal Trade Commission charges that it used “deceptive tactics and violated its own privacy promises” to consumers when it launched social network Google Buzz in 2010. The proposed settlement would require Google to implement a comprehensive privacy program and calls for regular, independent privacy audits for the next 20 years.

Also this week, BP admitted that a laptop computer containing the private information of about 13,000 individuals who filed oil-related claims after the 2010 oil spill has been lost. The names, addresses, phone numbers, birthdates and Social Security numbers for those who filed claims were stored on the laptop, which a BP spokesman said was password-protected but not encrypted. BP notified the individuals and provided them with free credit monitoring services.

So does this mean enterprises aren’t getting the message? Did Google not consider the scrutiny Facebook and other social networks face for their corporate privacy policies? Are the endless amount of rules and regulations not enough? And, really, who are the people losing these laptops? I have a work-issued laptop myself, and I’m pretty careful with it. This despite the fact that mine doesn’t include legal files and personal information for claimants in a multibillion dollar case.

Maybe these recent news stories will help get the message across to other companies that handle customers’ personal information that corporate privacy policy concerns aren’t going away. Maybe they will see it can be costly, too: The Ponemon Institute‘s latest “U.S. Cost of a Data Breach” report, released in March, found that costs for data breaches reached $214 per compromised record and averaged $7.2 million per data breach event.

But probably not. BP and Google Inc. have household names, huge customer bases and countless resources (and money). If they aren’t taking privacy seriously, it doesn’t look good for the rest.

March 25, 2011  5:25 PM

How is compliance hurt if software development projects are ‘doomed’?

Ben Cole Ben Cole Profile: Ben Cole

You’ve seen it before, no doubt: Your organization develops a software project, with both business executives and IT careful when outlining its objectives, developing a plan and making sure it adheres to compliance regulations. Then, after countless hours of work, the project falls apart.

Trying to answer why this happens so often was the goal of a recent Geneca study, “Doomed from the Start? Why a Majority of business and IT Teams Anticipate Their Software Development Projects Will Fail.” The study examined why IT teams struggle to meet business expectations for their projects, and asked participants questions on topics such as requirements, accountability and measuring project success. A high number of respondents showed a lack of confidence in their projects’ success, with 75% of respondents saying that their projects are either always or usually “doomed right from the start.”

Geneca cited several problems causing the lack of confidence in the projects’ overall success. Key study findings include:

  • 80% of respondents said they spend at least half their time on rework.
  • 78% said the business is usually or always out of sync with project requirements and business stakeholders need to be more involved and engaged in the requirements process.
  • 55% said that the business objectives of their projects are clear to them.
  • 23% stated that they are always in agreement when a project is truly done.

Another interesting finding was that 76% of IT respondents and 72% of business respondents agree that IT is a “trusted partner and critical to the company’s success.” However, IT people assume that their business colleagues believe that “IT doesn’t build what the business asks for” (42%), “projects are always over budget and take too long” (33%), and that “IT needs to provide more warning when a project is going to be over budget or late” (28%).

A Geneca report accompanying the survey stated that the responses from IT professionals and their business counterparts were fairly similar. In addition, each side had many of the same issues and concerns with regard to their projects.

“The perception is that challenges start at the beginning of a project and reflect difficulty in defining project success,” according to the Geneca report. “This carries forward to IT and has impact throughout the rest of the project.”

Geneca representatives advised professionals to examine their processes and try to facilitate the following to alleviate obstacles outlined in the study:

  • Communication of clear business objectives.
  • Measurement of project results against business objectives.
  • Ownership of the project goals vs. design of the solution.
  • Collaboration between the business and IT to drive alignment.
  • A common vision across every part of the organization involved.

All sound advice. As the report notes, the project management problems outlined above are interconnected and compound each other when left unchecked. And what about when a project is designed to create a compliance solution or related to meeting compliance regulations? With the number of compliance regulations out there, and many more likely to come, a project’s success could make or break your company’s adherence to the rules. As a result, getting it right the first time is more important than ever.

March 18, 2011  4:04 PM

Survey: Burden of Sarbanes-Oxley compliance not enough for repeal

Ben Cole Ben Cole Profile: Ben Cole

It has been almost nine years since the Sarbanes-Oxley Act made its debut, forcing new or enhanced accounting standards for all public U.S. companies. SOX is designed to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, but it has been a source of controversy since its implementation.

Lawsuits have been filed questioning SOX’s constitutionality, with opponents (including Newt Gingrich, who has lobbied for SOX’s repeal) saying it created overly complex regulations for U.S. financial markets that reduced the United States’ competitive edge against foreign financial institutions.

But a national survey of chief audit executives by Grant Thornton LLP found that while almost half said a shifting regulatory landscape poses the greatest threat to their business, 88% do not believe SOX should be repealed for all companies.

“Whether this outlook reflects resistance to additional regulatory change in the form of repeal or, alternatively, recognition that SOX provides value to some organizations is unclear,” according to a Grant Thornton report accompanying the survey’s findings. “Based on discussions with various CAEs during the survey process, many believe that SOX brings a continued focus by management on financial and governance-related controls.”

For the chief audit executives who believe that SOX should be repealed, the cost of SOX compliance was their main reason, the survey found.

In addition, maintaining SOX compliance was just the tip of the iceberg when it comes to the number of regulations introduced in the past decade. The Grant Thornton report notes that since the passage of SOX, organizations have had to dedicate significant resources to comply with a host of new laws and regulations, including the Red Flags Rule as mandated by the Fair and Accurate Credit Transactions Act of 2003; Payment Card Industry security standards; the HIPAA Privacy Rule; and the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The chief audit executives surveyed said there are additional risks beyond potential noncompliance with these new laws, including risks involved with global expansion into new regions or culturally different locations (22%), new initiatives as the economic recovery takes hold (13%), and the launch of new products or services (12%).

It’s probably good (although moot) that the chief audit executives do not believe SOX should be repealed, mainly because it does not look like the act is going anywhere. The U.S. is still in the throes of a financial crisis, and it’s unlikely the country will repeal a law that creates checks and balances to protect consumers from another crisis.

Even if SOX is repealed at some point, regulations mandated by the other laws mentioned above will keep chief audit executives and compliance officers on their toes. If nothing else, these regulations provide the “continued focus by management on financial and governance-related controls” that the survey respondents cited as one of the benefits of SOX compliance.

March 11, 2011  8:33 PM

Survey: Cloud computing puts IT at the forefront of business strategy

Ben Cole Ben Cole Profile: Ben Cole

There is no doubt that cloud use is expanding, and its influence is starting to rear its head across several industries. For example, at a recent energy conference Microsoft CEO Steve Ballmer said a partnership with Baker Hughes using cloud computing has enabled the oil firm to reduce oil well flows from nine months to 30 days.

Now, a CA Inc.-sponsored survey of 200 IT managers in the U.S. and Europe indicates that cloud computing may also be elevating IT’s role in business strategy. More than half (54%) of the respondents said that while the current value of IT is largely defined by its role as owner and operator of the IT infrastructure, they believe that within two years the primary value of IT will come from managing the IT supply chain. Fifty percent of those surveyed said that an increase in cloud-based services, particularly those that were formerly managed in-house, has contributed to this evolution.

Survey results also showed that IT professionals believe cloud computing accelerates agility (63%), innovation (58%) and collaboration with the business (57%). Respondents also predicted cloud computing will boost IT productivity (55%) and decrease the level of staff time/resources dedicated to IT support (40%).

Additional findings from the study include:

  • 60% of respondents said demand for personnel with expertise in cloud computing has increased in the last five years, and 63% expect demand to grow over the next two years.
  • 72% said their IT organizations are focusing more time on managing outsourced IT or cloud services providers now versus five years ago, including more time spent on vendor management.
  • Nearly 70% of respondents agree that an increasing number of CIOs and senior IT staff will have a business (as opposed to a technology) background in the future.

Respondents also anticipated new IT titles dedicated to cloud computing and cloud vendor management will emerge due to these trends. Predictions of what these new titles might be included cloud architect, cloud service manager, cloud integration specialist/expert, cloud security manager/engineer, director of cloud infrastructure and executive vice president of cloud technologies.

If these predictions about the expanding influence of cloud computing come to fruition, these positions will be needed to ensure a sound cloud strategy. Staying compliant in the cloud is another concern. But as we’ve examined in recent weeks, by taking an active interest and doing your homework on vendors, applying effective security solutions and being aware of public cloud risks, it is possible to stay prepared for being more active in the cloud. The proactive approach will pay off in the end, especially if the cloud continues its expansion — and influence on IT operations.

February 25, 2011  3:36 PM

Are information security professionals prepared for security threats?

Ben Cole Ben Cole Profile: Ben Cole

It’s no secret that the threat of cyberattack is more potent than ever. Companies need to be on guard to maintain online security for their employees and customers — but are IT staffs prepared for the increased threat potential?

A new study says maybe not.

The study, from Frost & Sullivan, is based on a survey of more than 10,000 information security professionals. It found that new threats — created by the increased use of mobile devices, cloud computing, social networking and insecure applications, as well as by added responsibilities, such as addressing the security concerns of customers — have led to “information security professionals being stretched thin.”

The information security professionals surveyed said they need better training and that many technologies already are being deployed without security in mind. In addition, nearly two-thirds of the respondents did not expect to see any increase in their budget for information security personnel and cybersecurity training in 2011.

Other key findings from the study include:

  • As of 2010, there are an estimated 2.28 million information security professionals worldwide. Demand for professionals is expected to increase to nearly 4.2 million by 2015.
  • Application vulnerabilities are ranked by 72% of respondents as the No. 1 threat to organizations.
  • Nearly 70% of respondents reported having policies and technology in place to meet the security challenges of mobile devices, yet respondents still ranked mobile devices second on the list of highest concerns.
  • More than 50% of respondents reported having private clouds in place, while more than 70% reported a need for new skills to secure cloud-based technologies properly.
  • Respondents reported inconsistent policies and protections for end users visiting social media sites, and slightly less than 30% have no social media security policies whatsoever.

Companies can reduce risk by investing in attracting entrants to the field and making investments in professional development, said Robert Ayoub, global program director for network security at Frost & Sullivan. Although information security professionals are being relied on for the security of organizations’ most mission-critical data and systems, they are being asked to do too much, he added.

A paradigm shift in global cybersecurity training and strategy is needed to address the skills gaps revealed by the study, experts said. They suggest a combined effort of industry, government, academia and the profession to attract and educate information security personnel and equip current professionals to address the latest threats.

Even if this combined effort results in an influx of cybersecurity professionals, will there be enough of them, and will they be in time to prevent the growing threat of cybercrime? There is no doubt that proper steps must be taken by individual organizations, as well as by the IT industry as a whole, to ensure proper cybersecurity training for cybercrime prevention.

So governance, risk and compliance managers take heed: Staff on the front line of cybersecurity need to be confident that they have adequate tools. The protection of your company’s sensitive information could depend on it.

February 18, 2011  2:25 PM

Potential card fraud victims say it’s the response that matters

Ben Cole Ben Cole Profile: Ben Cole recently wrote about how victims of cybercrime are often consumers targeted via their personal-use technology, such as handheld devices. Now, another report is reinforcing that cybercrime is on the rise and highlighting the importance of customer service and response when online fraud occurs.

ACI Worldwide’s “2010 Global Card Fraud Survey,” which polled 4,200 consumers in 14 countries, shows that 29% of consumers across eight major economies have been victims of credit card fraud in the past five years. However, there’s good news in there for the breached establishments: 79% of these victims were satisfied with the response from their financial institutions.

To be sure, credit card fraud might push some customers to seek greener pastures. As a result of being a card fraud victim or knowing someone who was, 41% of survey respondents say they would change or consider changing their financial institution.

But 45% of respondents say their decision would depend on the quality of service they received in the wake of the incident. The main indicator for customer satisfaction is the speed at which money was refunded following fraud (34%), followed by the ability of financial institutions to identify the fraud before account holders (27%) become aware of it. For American consumers, their banks’ ability to identify the fraud before they do (40%) is more important than its success in actually getting the money back quickly (32%).

Even with the most innovative, cutting-edge cybercrime-prevention strategies in place, cunning criminals often find a workaround. Luckily for the financial institutions, it appears that consumers trust their banks to protect their assets and truly appreciate their banks’ swift responses when unfortunate circumstances strike: Of those surveyed, 81% have confidence in their financial institution to protect them from online card fraud, and only 19% of consumers feel that their banks could do more to protect them.

When fraud hits, timely notification on the part of the bank is probably the best way to placate customers: More than half of the survey’s respondents say they want their bank to contact them if they notice suspicious activity on their card.

Jasbir Anand, lead solutions consultant at ACI Worldwide, said in a statement that it is clear that financial institutions and processors are working to combat card fraud and protect potential fraud victims — and this is paying dividends in terms of customer satisfaction.

“However, fraud is constantly changing and, looking forward, the industry will need to increase focus on identifying identity theft and assisting victims to maintain this improvement in customer experience,” Anand said.

It seems that a quick, honest response when your system has been breached is the most appropriate way to keep your customers happy (or as happy as they can be when confronted with cybercrime). If customer communication isn’t your financial institution’s strong point, you could lose more than money: Your customers’ hard-earned trust could walk out the door with it.

February 14, 2011  8:48 PM

Security solutions can take the worry out of cloud compliance

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

Many compliance officers look at the cloud with suspicion, concerned with just how much data they can move there and still maintain cloud compliance. The central issue here is exposing critical data to interception, as well as preventing the loss of data.

This poses a difficult challenge: data in motion, either on a local area network (LAN) or the Internet, needs the same rock-solid protection regardless of the transport mechanism being used. This, in itself, is difficult because the security solutions used with LANs are more robust and controllable than those available over the Internet. The security imbalance prevents compliance-bound data from traveling over the Internet and so prevents the use of low-cost cloud services.

The answer to this imbalance lies in applying effective security solutions to each element involved in the storage and transmission of data. This is relatively simple for compliance officers to accomplish on the local level, but much more difficult to accomplish in the cloud.

Simply put, if the level of protection for data is consistently enforced throughout its journey, then cloud compliance shouldn’t be a problem. The key element becomes the creation, application, enforcement and secure the cloud for compliance purposes, it is important for compliance officers to make sure a security solution offers scalability, automation and auditing, and has adequate speed to meet traffic needs. It is the cloud, ironically, that creates the security problems, but it takes a cloud service to solve them.

When looking to secure the cloud for compliance purposes, it is important for compliance officers to make sure a security solution offers scalability, automation and auditing, and has adequate speed to meet traffic needs. It is the cloud, ironically, that creates the security problems, but it takes a cloud service to solve them.

All is not lost. Security technology, working hand-in-hand with policy-driven enforcement, is starting to transform into cloud-based services. For example, Cloud Passage, a cloud services company, has ambitions to transform how security is accomplished across a broad, multi-connected enterprise using commonly accepted concepts.

CloudPassage’s approach to the problem is an interesting one compared to those of its competitors. It uses SaaS to secure public and private clouds, which allows its product to serve as a virtualized firewall, but also to enforce security policies to servers anchoring both private and public clouds. This hybrid approach will enable delivery of security solutions that meet cloud compliance needs, while still allowing businesses access to clouds.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.

February 7, 2011  7:23 PM

SOX compliance possible for smaller companies with proper preparation

Ben Cole Ben Cole Profile: Ben Cole

A few months ago, wrote about the difficulties smaller firms sometimes have with SOX compliance. But Abiomed, a Massachusetts medical device manufacturer with approximately 350 employees, says there are reasonably priced GRC systems on the market to help a small company meet requirements — you just have to do your homework.

During a webcast last week, Abiomed CIO Sharon Kaiser suggested using a GRC tool for configuring compliance changes from request, development, testing and approval stages, and right through movement into production. Tools that capture audit reporting information and support your business processes with automated workflows can help too.

Kaiser suggested seven key points to remember when seeking SOX compliance:

  • Don’t tolerate energy-sapping manual processes.
  • Understand management’s need for GRC data.
  • Look for a solution that meets your needs and is manageable for your company.
  • Seek to “embed compliance” — automate capture of audit data at the time of execution.
  • Enable ad hoc, on-demand audit reporting.
  • Look for tools that will streamline routine IT operations.
  • Embrace GRC — view it as a tool for innovation.

Kaiser went so far as to say that SOX audits do not have to be quite so time consuming, and deployment for Abiomed was “quick and painless.” However, she added that it is necessary to be prepared and plan the transition, to understand what you are getting, and to determine what functionality you will use and how.

This is all good advice. In a previous article, contributor Adrian Bowles wrote that “it is still too difficult for small shops to deal with separation/segregation of duties, which require that different people have access to applications and data throughout the lifecycle to provide adequate controls against fraud.” Bowles added that in smaller companies, one person may have multiple roles at different times, making compliance “a thorny issue.”

But Abiomed shows that it is possible for a smaller company to achieve compliance by using proper planning and distribution of duties. After the company decided to re-evaluate how it wanted to define and manage SOX compliance, it hired an outside auditing company for an initial SOX assessment. The company then put together a project plan to conduct a business and financial risk assessment, identify key controls for each major risk area, and create a control matrix for only the key controls and develop the associated test plan.

Abiomed decided that business and IT needed to organize and manage to defined policies, new processes needed to be defined to handle things like personnel role changes and impact to authorizations, and training was important for people to understand their role in SOX compliance. Abiomed also identified challenges such as a limited IT staff that has to be knowledgeable of IT SOX controls, and the company reduced the time, expense, and distractions associated with manual audits.

Abiomed’s experience shows that SOX compliance for smaller companies does not have to be time-consuming or expensive — if companies do their homework and adequately prepare.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: