Conference archives - IT Compliance Advisor


Aug 5 2009   2:13PM GMT

Compliance officers discuss business, IT alignment at ISACA conference



Posted by: Alexander Howard
risk management, Information technology governance, Information technology audit, Information Systems Audit and Control Association, Information security, ISACA, conference

This guest post is from Joe Hewitt, an IT compliance specialist for American Honda Finance Corporation.  His views do not represent those of Honda, any of its divisions, or employees.

The 2009 ISACA International Conference held in Los Angeles had a much different feel than those of the past.  While IT controls were consistently a primary talking point, the emphasis was on how to better align business and IT goals.  Even though theoretical concepts like risk and value in information technology were discussed at length, many of the presenters addressed real-world issues with respect to advancing along the compliance spectrum.

Oracle representatives Mark Sunday, CIO and SVP, and Gail Coury, VP of risk management, kicked off the festivities with a detailed and insightful keynote address that outlined the challenges of compliance amid heavy acquisition periods.  Attendees then proceeded to presentations along one of four tracks:

  1. IT governance
  2. IT compliance audit practices
  3. Information security management
  4. IT risk management and compliance

While useful information was abundant and widespread, here are some of the more interesting discussion points:

  • Risk is often counter-intuitive
  • Privacy regulations are here to stay…and will only become more strict
  • Reputation risk is increasing for all businesses
  • Financial return and value of governance is realized across silos, not from within them
  • IT should be used to reduce business costs, not IT costs
  • Acceptance of authority in younger generations has gone down, increasing the need for control automation
  • The current economic environment emphasizes the need for controls over fraud at every level
  • Business = Demand; IT = Supply
  • ACCOUNTABILITY IS KEY!

If controls are the key, governance is the lock

Much discussion was held about progressing beyond creating a control environment and moving toward overall governance.  With compliance budgets decreasing at a record pace, governance is the only way that auditors will be able to show the value of audit activities.

Risk was the real elephant in the room.  Discussions concluded that, while risk cannot be fully eliminated in a cost-effective manner, implementing a monitoring or review process provides an eye-opening set of data for many businesses.

Even though attendance appeared to be down, the group was very diverse and included representatives from all over the globe.  ISACA members from international companies enlightened the group with unique and challenging regional issues.

Overall, the conference delivered as promised.  It had legacy theory, risk management theory, international diversity, and real-world solutions for almost any IT compliance issue.  ISACA continues to be on the cutting edge of IT governance.


Mar 13 2009   8:54PM GMT

Coming: State privacy laws run amok



Posted by: Scot Petersen
conference, compliance, governance, risk management, regulatory compliance, data protection, MA data protection law, encryption

As business owners are preparing for the new Massachusetts data protection law, also known as 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth, due next year, a potential quagmire is building.

Speaking at the TechTarget Compliance Decisions Summit March 12, Laurence Anker, engagement manager, technology risk management for Jefferson Wells International, said the coming influx of state privacy laws will create “a mess.”

Only about half of the states have laws governing personally identifiable information, but several more, including Massachusetts, are crafting tough laws that will put new burdens on businesses, especially SMBs, and businesses outside of the state that employ Massachusetts residents.

These laws will cover areas such as secure storage of data, encryption of data and access controls, as well as require businesses to create written, comprehensive security and privacy policies for personal data.

Such tasks are formidable but not impossible; multiply the Massachusetts law by 50, however, and it’s easy to see how difficult it will become for some businesses to make sure they are in compliance with every state’s privacy law.

Anker said that he does not foresee new state laws coming into direct conflict with one another as they come on the books. Rather, business entities will have to decide how to manage compliance with state privacy laws that impose differing degrees of requirements. Most likely, businesses with a widespread employee base will standardize on, and comply with, the state with the toughest privacy policy.

Or, Anker said, there could be a day when state privacy regulators will join an organization similar to the National Association of Insurance Commissioners, which will seek to normalize the state privacy laws and help the states enforce them.


Mar 13 2009   6:03PM GMT

Risk-based approach to information governance at Compliance Decisions



Posted by: Alexander Howard
conference, compliance, governance, risk management, regulatory compliance, data protection, MA data protection law, encryption, Twitter, Virtualization, Capability Maturity Model Integration, Information security, Risk assessment

As I wrote yesterday, the Compliance Decisions Summit got off to a great start when Eric Holmquist and Richard Mackey considered the future of compliance in their talks before a crowded hall of auditors, compliance officers, CIOs and information security professionals.

The second half of the day featured Holmquist again, this time exploring a risk-based approach to information security governance, and Laurence Anker, speaking about managing the cost and complexity of compliance through governance.

We posted the following tweets on our ITCompliance account over the course of the afternoon. The #CSD09 you see below is a hashtag we chose to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s digest of compliance headlines from Twitter.

All four seminars from Compliance Decisions will be available soon from SearchSecurity.com and SearchCompliance.com, along with an exclusive interview with Mackey exploring the ramifications of virtualization to compliance management.

A Risk-Based Approach to Information Security Governance

Lunch over, video recorded w/Mackey on #virtualization & #compliance. Next: Holmquist on a risk-based approach to infosec governance. #CSD09

“Information security must be approached as a business issue, not an IT issue. Then we can consider risk mgmt practices.” -Holmquist | #CSD09

“You can’t buy your way out of a data breach.” -Holmquist | #CSD09 | #riskmanagement

RT @scotpe Adding: “chief security officer does not belong in IT.” Where does s/he belong? [ <-- Good question. Any answers? ]

Holmquist recommends forming a #security council. Give it authority, include senior execs, make cross-disciplinary, safe & visible. #CSD09

Key insight for creating a culture of cooperation vs. risk: “Make it safe to fail” -Holmquist | Don’t underestimate “gut feelings” #CSD09

Back to #compliance basics: “Everything starts with a risk assessment, not controls. Manage to assessed risk, not perceived risk.” | #CSD09

“Insiders are exponentially more of a threat than outsiders. The ability to respond quickly & effectively is critical” -Holmquist | #CSD09

“You can approach assessing risk in 4 ways: IT systems, electronic data, physical files & third parties. Focus on accountability.” #CSD09

“Risk is quantified in 4 broad categories: What’s at risk? What would be the impact? What could be the source? What can we mitigate?” #CSD09

RT @scotpe Scare the CEO: Statistically speaking, “someone is planning to steal your data right now, thinking about it or doing it” #CSD09

Paused for another message from another sponsor of #CSD09 & a networking break. Door prize drawing up next for a Flip, iPod & a GPS unit.

Managing the Cost and Complexity of Compliance through Governance

Now up at #CSD09: Anker on managing the cost & complexity of #compliance through #governance. Session info: http://bit.ly/J9OP

Anker began his seminar at #CSD09 talking about the importance of IT governance. @rlebeaux just reported on that: | #TTGT

@rlebeaux reported on aligning IT governance & corporate governance in an economic #recession -> http://bit.ly/PDfkk

Insurance for IT risk? Anker notes standard policies may not address IT exposures like a data breach or reputational damage. #CSD09

“An organization’s info & other intangible assets account for 80%+ of its market value.” -IT Governance Institute (ITGI) | #CSD09

In discussing key requirements of the new MA data protection law, Anker notes WISP: written information security policy | #CSD09 | #acronym

Great Q&A on provisions of the MA data protection law w/Anker to end. @rwestervelt reported on its extension: http://bit.ly/yMBgP #CSD09

Conclusions from Compliance Decisions

You’ll be reading, hearing more and seeing more of Holmquist, Anker and Mackey on SearchCompliance.com. All three men will be contributing experts in upcoming articles, podcasts or video.

Writers from both SearchSecurity.com and SearchCompliance.com will continue reporting on the Massachusetts data protection law and its ramifications for IT professionals and businesses nationwide. Clearly, many questions remain about the regulatory impact of the law on IT operations.

As Robert Westervelt reported, the deadline for the Massachusetts data protection and encryption law was extended to Jan. 1.

“We understand the impact of the current business environment and feel this is an appropriate time frame for companies to implement the necessary protections,” Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a statement.

Westervelt noted a key change in the updated version of the regulation: “The extension includes a revision to the rules relaxing a requirement holding third parties accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.”

As noted to the audience during the question-and-answer session with Anker, SearchCompliance.com recorded a podcast last month with Gerry Young and David Murray of the Massachusetts Office of Consumer Affairs and Business Regulation. The CIO and general counsel, respectively, discuss the details of the new data protection rules:

Massachusetts data protection law mandates IT compliance [Download the MP3]

The third-party compliance provision and the “WISP” came up during the course of the interview, if not under those names. Regardless of the documentation requirements, small businesses and enterprises alike considering outsourcing data protection and encryption compliance will need to make sure that service providers, VARs and consultants certify, and appropriately explain, where and how their work brings an organization into compliance with the Massachusetts statute.

On a final note, we picked up dozens of followers on Twitter yesterday and earned two kind endorsements of our coverage from PrivacyProf and DanPhilpott. Thank you, Dan and Rebecca!


Mar 12 2009   5:09PM GMT

Considering the future of compliance at Compliance Decisions



Posted by: Alexander Howard
risk management, Virtual private network, business, Information Security Governance, Information security, Symantec, Security, Statement on Auditing Standards No. 70: Service Organizations, regulatory compliance, compliance decisions, conference, Twitter, compliance

The Compliance Decisions Summit taking place in Newton, Mass., got off to a great start this morning. Eric Holmquist and Richard Mackey both provided deep, engaging presentations on “future-proofing” an organization against compliance challenges and managing third-party risk.

Over the course of the morning, we posted to Twitter on our ITCompliance account more than 40 times, in lieu of a single blog post. As we noted to @cmneedles, #CSD09 is the hashtag we’ve chosen to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s weekly digest of compliance headlines from Twitter.

Introductions

Breakfast & registration in Newton, MA at Compliance Decisions. We’ll be live-tweeting the talks, starting at 9AM. http://twitpic.com/20yxx

Kelley Damore, Ed. Dir for the #TTGT Security Media Group, kicks off #CSD09 by noting recent data breaches at Hannaford, TJX & Heartland.

Damore notes the breadth of compliance challenges: health, financial & proprietary data must all be secured with auditable processes.

Future-Proof Your Compliance Session

Eric Holmquist is up, explaining how to future-proof a compliance program vs. new regulations, including mitigating risk & GRC best practices.

“Compliance management is one aspect of risk management. It’s about risk alignment. It’s never about checklists.” -Eric Holmquist | #CSD09

“Every version of regulatory guidance around risk management boils down to three things: awareness, accountability & actionability.” #CSD09

Risk management boiled down to a continuum: Inherent Risk -> Controls -> Residual Risks | Compliance doesn’t just rest in controls. | #CSD09

“The 4 most important words for improving a compliance program: What could go wrong?” -Eric Holmquist | #CSD09

RT @scotpe 99% of compliance failures are because “somebody did something stupid” | #CSD09 [Key to plan for people being people]

Key elements of an effective compliance program: subject matter expert, compliance committee (real or virtual), control library | #CSD09

More key elements of an effective compliance program: documentation, risk-aware culture, incident response team, wrap-around analysis #CSD09

Eric Holmquist is reflecting on the details of how Advanta implemented an effective compliance program. Gap analysis & visibility key #CSD09

“No regulation is only relevant to IT. There is a business component to every single one.” -Eric Holmquist | #CSD09

“We set the bar at a risk management & governance level. Regulatory guidance, frameworks & standards are a test.” -Eric Holmquist | #CSD09

#GRC best practices: leverage existing processes & map them, focus on risk, secure executive sponsorship, use control libraries | #CSD09

“The costs of #ediscovery are staggering. Get a data retention program for email done. Now.” -Holmquist | #CSD09

PrivacyProf: A related issue is retention of full email threads; possibility of changes in early thread msgs likely creates ediscovery issues (Reply from contributing expert Rebecca Herold)

What does Holmquist see in the future for compliance? More infosec & BCP challenges, updates to PCI & state data protection laws. | #CSD09

Good question from the audience on email retention: What’s too much, too little? Establishing which emails = official documents is key. #CSD09

Sponsored Session from Symantec

Ethan Kelleher up from #Symantec to speak to their approach & notes support for an online resource: http://ITpolicycompliance.com | #CSD09

We’re listening to a live “message from our sponsor” ( #Symantec) regarding version 9.0 of their Control Compliance Suite (CCS). | #CSD09

Managing Third-Party Risk

Richard Mackey now up at #CSD09 on managing third party risk. #Video on building a framework-based #compliance program: http://bit.ly/PqXcd

An IT guy here at #CSD09 is especially interested in the MA data protection law. Our podcast w/state: http://bit.ly/105L3E (free reg. req.)

Mackey talking about impact of regulatory project requirements on service providers. If they handle regulated info, compliance is key #CSD09

Mackey notes that “standards like ISO 27002 & #COBIT describe lifecycles that can be applied to service providers” | #CSD09

“The first step in understanding risk is understanding the information shared.” -Richard Mackey | Data mapping & tools help. | #CSD09

“FFIEC, PCI & GLB all require due diligence in assessing provider controls. Depth should correspond to risk.” -Richard Mackey | #CSD09

“When evaluating service providers for compliance, establish rules for evaluations. View them as a partnership.” -Richard Mackey | #CSD09

“Most regulations require YOU to be the regulator of service providers.” PCI, HIPAA & GLB all require co.’s to ensure compliance. #CSD09

“Standards-based assessments, like ISO 27002, are useful tools. Consumers of the reports, however, must understand what results mean” #CSD09

Key questions when a #CIO receives a compliance report (SAS 70, ISO, etc): Scope of assessment? Metrics used? Control objectives? | #CSD09

When conducting #compliance assessments, concentrate on risk, avoid generic assessments & focus on consistency/operational #security. #CSD09

Mackey continues to focus on associate, partner & service provider #compliance; frequently mandatory but potentially overlooked. #CSD09

IT is critical to service provider #compliance: firewalls, VPNs, intrusion detection, encryption, scanners & data loss prevention | #CSD09

Excellent seminar on third-party risk management for meeting compliance by Richard Mackey. Video will be available later this month. #CSD09

We’ll be posting more to Twitter this afternoon when Holmquist presents again, this time on a “Risk-Based Approach to Information Security Governance,” and Laurence Anker talks about “Managing the Cost and Complexity of Compliance through Governance.”



Mar 5 2009   4:44PM GMT

Weekly Digest: Compliance headlines from Twitter for March 5, 2009



Posted by: Alexander Howard
Twitter, Google Health, web, Social network, Online Communities, Boston Massachusetts, compliance, ITIL, Information Technology Infrastructure Library, HIPAA, conference, hashtags

As those of you who have followed the launch of SearchCompliance.com know, we’ve been using our @ITCompliance account on Twitter to share news, find our audience, get the freshest compliance news and pass on information about what’s happening on our site. Like Marshall Kirkpatrick and Richard MacManus at ReadWriteWeb, I see considerable applications for journalism there. (Here’s how they use Twitter for journalism.)

I was reminded recently, however, that many CIOs and compliance professionals are not on the microblogging platform yet.

It makes sense to share compliance-related news and resources that we’ve found on Twitter with you all in the form of a weekly digest. If you haven’t followed us on Twitter, here’s what you’ve missed:

RT @jhalamka Google Health quietly launched a disruptive technology: social networking for personal health records http://bit.ly/hjDQ [#PHI]

OGC endorsed a #compliance framework to audit vendor products, documentation & processes against #ITIL best practices: http://bit.ly/19eEfQ

PRT @MarieADomingo Congrats to Scot Petersen (@scotpe), former eWeek editor; new exec editor of http://SearchCompliance.com at #TechTarget

RT @sarahebourne Thoughts by Candi Harrison, former HUD web mgr, on top-level Federal web governance http://tinyurl.com/d9l4g3 via @levyj413

#SEC Investigation into #optionsfraud of former #RIM execs illustrates need for email management: http://tinyurl.com/djt26t (via @ONSITE3)

RT @CCI_Compliance Beware of CorporateCompliance Form Hoax Circulating in #Ohio –> http://tinyurl.com/aqs4ge

RT @CAInfoGov Pete Pepiton ponders the shift in how #eDiscovery is practiced today: http://bit.ly/gTmFK | #CA | (via @complexd)

Will the latest HIPAA rule changes force healthcare IT security pros to better understand data flow? http://bit.ly/10KfWY (via @rwestervelt)

New #screencast on leveraging IT infrastructure for #compliance with Brian Babineau & Mark Schlack: http://bit.ly/Tg0Z2

The #Compliance Decisions Summit is next Thursday (3.12.2009) in #Boston, MA: http://bit.ly/dJ1GW | We’ll be there. Will you? | #CDS09

NOTE: “RT” means “retweet” and “PRT” means that the retweeted content has been modified. If you need a quick primer on Twitter, try the post I wrote for WhatIs.com last year, “What is Twitter? Is this distributed microblogging platform ready for the enterprise?”

My colleague Kristen Caretta has also been exploring the platform. She’s written about finding the business benefits of Twitter and using Twitter as a business tool.

I will post digests more frequently if the volume of microblog posts (or “tweets”) merits it. You’ll certainly be able to follow our coverage of the Compliance Decisions Summit next week here and on Twitter. I’ll have a video camera and digital voice recorder, so expect to hear and see more from CIOs, security and compliance professionals.

We’re always looking for a way to feature our audience. If you’d like to write a case study of a difficult compliance-related business decision, technology implementation or user education opportunity, please write to editor@searchcompliance.com and let us know.

UPDATE: Rebecca Herold suggested via her Twitter account (@PrivacyProf) that I explain what the pound signs (#) above are and what their significance is to those unfamiliar with Twitter. (You may remember her as the compliance expert whose work on Windows compliance was the subject of a previous post.)

Here’s how hashtags.org puts it:

Hashtags are a community-driven convention for adding additional context and metadata to your tweets. They’re like tags on Flickr, only added inline to your post. You create a hashtag simply by prefixing a word with a hash symbol: #hashtag.

You can learn more about them at the Twitter Fan Wiki page for hashtag. Here’s the history:

Hashtags were developed as a means to create “groupings” on Twitter, without having to change the basic service. The hash symbol is a convention borrowed primarily from IRC channels, and later from Jaiku’s channels.

hashtags.org provides real-time tracking of Twitter hashtags. Opt-in by following @hashtags to have your hashtags tracked.  Similarly, Twemes offers real-time tracking without the necessity of following a specific Twitter account.  Also, with their purchase of Summize, Twitter itself now offers some support of hashtags at their search engine: http://search.twitter.com

How does that extend to compliance? Simple. Just go to http://search.twitter.com and enter compliance. You’ll see a real-time reflection of the news, commentary and resources being exchanged on Twitter. You can subscribe to the compliance hashtag using RSS. If you prefer email alerts, you can also use TweetBeep to get an hourly update of whenever someone uses compliance in a tweet.
