IT Governance, Risk, and Compliance


June 19, 2009  1:09 PM

Application Protection – Part III

Robert Davis Robert Davis Profile: Robert Davis

FCPA control measures for an adequate system of internal accounting controls include maintaining appropriate segregation of duties, allowing only authorized transaction execution, controlling access to assets, and reconciling documented assets to actual assets regularly. Completeness, accuracy, authorization, and accessibility are considered key internal accounting information protection controls that fulfill FCPA legal requirements. These control measures most often interact with — or are deployed through — IT financial applications, thus justifying information security management’s involvement in assessing compliance with the FCPA.

To dispatch FCPA information reliability requirements, an information security manager should identify, understand, test, and document internal accounting security controls for information assets. Essentially, an information security manager should assume responsibility for assessing financial applications for FCPA safeguarding compliance. Technically, application safeguarding controls should be present during input, processing, and output. IT procedures are expected to provide information protection throughout the life cycle of earmarked FCPA financial application systems. Key internal accounting controls can be mapped to information security confidentiality, integrity, and availability control measures. For instance, information security application accuracy controls include input edit and validation routines that ensure information integrity.

“View Part I of the Application Protection series here

June 16, 2009  7:06 PM

Application Protection – Part II

Robert Davis Robert Davis Profile: Robert Davis

The FCPA codifies bribery of foreign officials as a criminal offense for U.S. publicly held companies, requires accurate financial-transactions accounting, and amends the Securities Exchange Act of 1934. With regard to accounting, FCPA Section 78m (b) (2) documents managerial responsibility for generating and retaining financial information while presenting transactions accurately and fairly, as well as deploying a “system of internal accounting controls.” Furthermore, FCPA Section 78m (b) (5) has been interpreted as requiring U.S. businesses to create and sustain adequate internal accounting controls regardless of an organization’s cost-benefit analysis ratio. This section of the FCPA therefore decrees preventive and detective controls to avoid financial statement fraud or misrepresentation.

“View Part I of the Application Protection series here


June 12, 2009  6:36 PM

Application Protection – Part I

Robert Davis Robert Davis Profile: Robert Davis

Legacy law or regulation replacement is a common occurrence within most governments when circumstances appear to discredit legal mandate enforcement. However, the U.S. Sarbanes-Oxley Act (SOX) of 2002 does not supersede the U.S. Foreign Corrupt Practices Act (FCPA) of 1977. In fact, though tagged legacy enterprise governance legislation by some officials, the FCPA has thrived as the basis for enactment of various internationally recognized legal edicts addressing internal accounting controls that indirectly impact information security management requirements.

Contextually, the FCPA applies to U.S. publicly held companies and was adopted in the 1990s by the Organization of American States (OAS), the Organisation for Economic Co-operation and Development (OECD), and the Council of Europe (COE). Concerning international relevance, the FCPA is a frame of reference for most current IT financial application security best practices. Specifically, details demonstrating this law’s influence are well documented in IT financial application assurance and internal accounting control literature.


June 9, 2009  9:33 PM

Digital Rights Management – Part IV

Robert Davis Robert Davis Profile: Robert Davis

IPR protection requirements shape complex and challenging management issues. Audio and visual material protection is especially problematic due to the existence of the various known vulnerabilities, and there are even suggestions that effective DRM is logically impossible. Common techniques for audio and video file infringement include unlawful interception, decryption, reverse engineering, authentication manipulation, and analog format capture. Therefore, additional information asset protection mechanisms are required to ensure adequate safeguarding controls, such as instituting continuous security improvement plans for IPR information.

“View Part I of the Digital Rights Management series here


June 5, 2009  8:40 PM

Digital Rights Management – Part III

Robert Davis Robert Davis Profile: Robert Davis

DRM software is generally considered an access control technology deployed to limit unauthorized usage. However, arguably, a technology cannot in principle, know what legal restrictions and rights apply in a specific jurisdiction, allowable usage context, contractual conditions, or the individual author, owner, or publisher without human intervention. Therefore, as with other information assets protection related software, vulnerabilities may exist that can be exploited by unscrupulous or curious individuals.

Even if adequate IPR security protection is deployed, based on the laws of judgmental probability, widely-used DRM systems eventually yield to hackers and crackers intent on defeating or circumventing deployed access controls. Supporting this projected outcome is Internet advertised software allowing DRM circumvention. Nevertheless, those with an interest in preserving DRM systems have attempted to initiate proceeding restricting the distribution and development of information piracy enabled software.

“View Part I of the Digital Rights Management series here


June 2, 2009  3:44 PM

Digital Rights Management – Part II

Robert Davis Robert Davis Profile: Robert Davis

Intellectual property protection has ushered in an era of technological solutions that attempt to prevent asserted rights infringement. Digital Rights Management (DRM) can be considered a response to legal requirements which criminalize the production and dissemination of technology that allows individuals to circumvent technical copy-restriction methods. Specifically, as a preventive control, DRM software usually manages the downloading of sound files, movies, and other copyrighted materials through diverse security features. Globally, DRM systems have received international legal reinforcement through the World Intellectual Property Organization (WIPO) Copyright Treaty (WCT) and the World Trade Organization (WTO) Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) national implementations.

“View Part I of the Digital Rights Management series here


May 29, 2009  7:40 PM

Digital Rights Management – Part I

Robert Davis Robert Davis Profile: Robert Davis

Intellectual property right (IPR) issues affect Information Security Governance as well as Internet Governance deployments through a direct impact on ‘ Trust Management ‘. Since knowledge and ideas are an important part of cultural heritage, social interaction and business transactions, they retain a special value for many societies. Logically, if the associated electronically formatted information is valued, preventive and detective measures are necessary to ensure minimum organizational impact from an IPR security breach.


May 26, 2009  6:14 PM

Electronic Commerce – Part IV

Robert Davis Robert Davis Profile: Robert Davis

EDI is commonly defined as the transfer of data between different companies utilizing networks. For the vast majority of entities, enhanced transactional traceability, reliability, and accessibility are derived EDI benefits; but without appropriate controls, communication interdependency can elevate legal, security and operational risks. As an accepted remedial risk measure, public key infrastructure (PKI) is the primary technological resource permitting E-commerce portable trust. However, to achieve E-commerce security transparency requires an appropriate trading partner compatibility solution that addresses various entity-centric encryption and digital signature techniques.

“View Part I of the Electronic Commerce series here


May 22, 2009  7:00 PM

Electronic Commerce – Part III

Robert Davis Robert Davis Profile: Robert Davis

EDI between trading partners can be interpreted as legally binding contracts. For instance, when a transaction is initiated by one of the trading partners, such as a purchase order, it constitutes an “offer”. In turn, if a trading partner agrees to supply the merchandise requested, it normally is considered “acceptance” of the offer. Thus, interpretively, under the U.S. Uniform Commercial Code a contract between buyer and seller is established.

Regarding effective security, two topics have gained notoriety: managerial ease and portable trust. Managerial ease focuses on making the security infrastructure’s integration and utilization with various applications transparent to enable adoption by trading parties. Portable trust supports telecommunication links with external parties through faith in resource authorizations and reliable message delivery. Inadvertent data loss during transmission reduces the cost savings generally associated with EDI deployment. Furthermore, message integrity issues can jeopardize connectivity status.

“View Part I of the Electronic Commerce series here


May 19, 2009  7:52 PM

Electronic Commerce – Part II

Robert Davis Robert Davis Profile: Robert Davis

Delineated, B2B is E-commerce between discernibly distinct entities. B2B links enable the exchange of products, services, or information between entities. Cascading down, Electronic Data Interchange (EDI) methodologies are the precursors and pillars of Internet integrated B2B relationships. Depending on activity frequency and application, EDI control risk can become material. Where EDI is implemented, lack of direction, reliance on third parties, and system dependencies potentially expose an entity to additional legal, security, and operational risks.

“View Part I of the Electronic Commerce series here


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: