Laws And Regulations archives - IT Governance, Risk, and Compliance

Jun 22 2009   8:41PM GMT

Application Protection - Part IV



Posted by: Robert E. Davis
Accounting, Applications, Financial, Information Technology, Council of Europe, Laws and Regulations, Sarbanes Oxley Act, Foreign Corrupt Practices Act, Organization of American States, Organisation for Economic Co-operation and Development, IT, COE, OAS, SOX, FCPA, OECD

The FCPA impacts the IT control requirements of U.S. publicly held enterprises. Section 78m (b), in particular, documents the legislative rules and compliance requirements for internal control evaluation reporting with regard to management’s assessment of internal controls. Section 78m (b) (2) through (5) applies to Securities Exchange Act of 1934 filers. Therefore, the FCPA can affect an organization’s internal control environment by indirectly imposing on management the assurance of an adequate IT control environment with adequate information protection. Based on the Public Company Accounting Oversight Board’s interpretation, the SOX IT control parameter is, in effect, the same as that of the FCPA. Consequently, U.S. Securities Exchange Act of 1934 filers may not be aware of FCPA legal requirements — yet they should have been performing the necessary FCPA control self-assessments and remedial actions since 1977. Similarly, European Union, OAS, and OECD member countries should be engaging in control self-assessments and remediation of internal accounting controls as they relate to safeguarding information assets, to ensure compliance with legal mandates.

View Part I of the Application Protection series here.

Jun 19 2009   1:09PM GMT

Application Protection - Part III



Posted by: Robert E. Davis
Accounting, Applications, Financial, Information Technology, Laws and Regulations, Council of Europe, Sarbanes Oxley Act, Foreign Corrupt Practices Act, Organization of American States, Organisation for Economic Co-operation and Development, IT, COE, SOX, FCPA, OAS, OECD

FCPA control measures for an adequate system of internal accounting controls include maintaining appropriate segregation of duties, allowing only authorized transaction execution, controlling access to assets, and reconciling documented assets to actual assets regularly. Completeness, accuracy, authorization, and accessibility are considered key internal accounting information protection controls that fulfill FCPA legal requirements. These control measures most often interact with — or are deployed through — IT financial applications, thus justifying information security management’s involvement in assessing compliance with the FCPA.

To discharge FCPA information reliability requirements, an information security manager should identify, understand, test, and document internal accounting security controls for information assets. Essentially, an information security manager should assume responsibility for assessing financial applications for FCPA safeguarding compliance. Technically, application safeguarding controls should be present during input, processing, and output. IT procedures are expected to provide information protection throughout the life cycle of earmarked FCPA financial application systems. Key internal accounting controls can be mapped to information security confidentiality, integrity, and availability control measures. For instance, information security application accuracy controls include input edit and validation routines that ensure information integrity.
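As an added illustration (not code from the post or its author) of how the control measures named above map to an input edit and validation routine: the function below checks a journal entry for completeness, accuracy (debits balance credits), segregation of duties (preparer may not approve) and authorization (approver's role covers the amount). Field names, roles and approval limits are assumptions for illustration.

```python
# Added example: journal-entry validation covering completeness, accuracy,
# segregation of duties and authorization. Field names, role names and the
# approval limits below are assumptions, not taken from any real system.
from decimal import Decimal, InvalidOperation

REQUIRED = ("entry_id", "date", "lines", "prepared_by", "approved_by")
# Assumed authorization matrix: role -> maximum total the role may approve.
APPROVAL_LIMITS = {"controller": Decimal("100000"), "manager": Decimal("10000")}

def validate_entry(entry, roles):
    """Return a list of control violations; an empty list means the entry passes."""
    findings = []
    # Completeness: every required field present and at least one line.
    missing = [f for f in REQUIRED if f not in entry]
    if missing:
        return [f"completeness: missing {', '.join(missing)}"]
    if not entry["lines"]:
        findings.append("completeness: no lines")
    # Accuracy: amounts parse as money, are positive, and debits equal credits.
    debits = credits = Decimal("0")
    for line in entry["lines"]:
        try:
            amt = Decimal(str(line["amount"]))
        except (InvalidOperation, KeyError):
            findings.append(f"accuracy: bad amount in line {line}")
            continue
        if amt <= 0:
            findings.append(f"accuracy: non-positive amount {amt}")
        if line.get("side") == "debit":
            debits += amt
        elif line.get("side") == "credit":
            credits += amt
        else:
            findings.append(f"accuracy: unknown side in line {line}")
    if debits != credits:
        findings.append(f"accuracy: debits {debits} != credits {credits}")
    # Segregation of duties: the preparer may not approve their own entry.
    if entry["prepared_by"] == entry["approved_by"]:
        findings.append("segregation: preparer approved own entry")
    # Authorization: the approver's role must cover the entry total.
    limit = APPROVAL_LIMITS.get(roles.get(entry["approved_by"], ""), Decimal("0"))
    if debits > limit:
        findings.append(f"authorization: {entry['approved_by']} limit {limit} < {debits}")
    return findings
```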

View Part I of the Application Protection series here.


Jun 16 2009   7:06PM GMT

Application Protection - Part II



Posted by: Robert E. Davis
Accounting, Applications, Financial, Information Technology, Laws and Regulations, Council of Europe, Sarbanes Oxley Act, Foreign Corrupt Practices Act, Organization of American States, Organisation for Economic Co-operation and Development, IT, COE, SOX, FCPA, OAS, OECD

The FCPA codifies bribery of foreign officials as a criminal offense for U.S. publicly held companies, requires accurate financial-transactions accounting, and amends the Securities Exchange Act of 1934. With regard to accounting, FCPA Section 78m (b) (2) documents managerial responsibility for generating and retaining financial information while presenting transactions accurately and fairly, as well as deploying a “system of internal accounting controls.” Furthermore, FCPA Section 78m (b) (5) has been interpreted as requiring U.S. businesses to create and sustain adequate internal accounting controls regardless of an organization’s cost-benefit analysis ratio. This section of the FCPA therefore decrees preventive and detective controls to avoid financial statement fraud or misrepresentation.

View Part I of the Application Protection series here.


Jun 12 2009   6:36PM GMT

Application Protection - Part I



Posted by: Robert E. Davis
Accounting, Applications, Financial, Information Technology, Laws and Regulations, Council of Europe, Sarbanes Oxley Act, Foreign Corrupt Practices Act, Organization of American States, Organisation for Economic Co-operation and Development, IT, COE, SOX, FCPA, OAS, OECD

Replacing legacy laws or regulations is a common occurrence within most governments when circumstances appear to discredit enforcement of a legal mandate. However, the U.S. Sarbanes-Oxley Act (SOX) of 2002 does not supersede the U.S. Foreign Corrupt Practices Act (FCPA) of 1977. In fact, though tagged legacy enterprise governance legislation by some officials, the FCPA has thrived as the basis for enactment of various internationally recognized legal edicts addressing internal accounting controls that indirectly impact information security management requirements.

Contextually, the FCPA applies to U.S. publicly held companies and was adopted in the 1990s by the Organization of American States (OAS), the Organisation for Economic Co-operation and Development (OECD), and the Council of Europe (COE). Concerning international relevance, the FCPA is a frame of reference for most current IT financial application security best practices. Specifically, details demonstrating this law’s influence are well documented in IT financial application assurance and internal accounting control literature.


Mar 16 2009   7:01PM GMT

Physical Token Protection - Part IV



Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Quality, Token, Usability, CIA, ISM, SLA

Regarding provisioning physical authentication media, an entity’s deployed access control process should clearly define the way encoded identification is delivered to users — within the context of promoting adequate confidentiality, integrity and availability. Specifically, the process to dispense tokenized authentication attributes to users should employ a different delivery channel than the physical item. When physical items are tokenized prior to individual assignment or usage, security management should ensure the identification mechanism remains dormant and protected until the authentication verification enabler reaches the intended owner empowered with activation and usage rights.

As suggested in COBIT Security Baseline: An Information Security Survival Kit, depending on the country, state or industry, information asset usage is subject to various laws and regulations. These laws and regulations need to be known and obeyed to enable appropriate IT security. Domains covered by such rules include privacy, information retention, and minimal system protection requirements, as well as attestation requirements. Consequently, physical tokenized access items should receive the same protection consideration as other entity information assets.
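As an added example (not from the post or its author) of the provisioning rules described above: the class below keeps a physical token dormant at issuance, refuses to send the activation code over the same channel the token travels on, and allows only the intended owner holding the out-of-band code to activate it. The channel names, serial format and one-time activation code scheme are assumptions for illustration.

```python
# Added example: provisioning state machine for a physical token. Enforces
# (1) activation secret on a channel different from the token's, and
# (2) the token stays dormant until the intended owner activates it.
# Channel names and the activation-code scheme are assumptions.
import hashlib
import hmac
import secrets

class ProvisioningError(Exception):
    pass

class PhysicalToken:
    def __init__(self, serial, owner, token_channel):
        self.serial = serial
        self.owner = owner                  # intended owner fixed at issuance
        self.token_channel = token_channel  # e.g. "courier" for the physical item
        self.activation_hash = None         # only a hash of the code is retained
        self.activation_channel = None
        self.state = "dormant"

    def issue_activation_code(self, channel):
        """Generate a one-time activation code for delivery on a separate channel."""
        if channel == self.token_channel:
            raise ProvisioningError("activation code must not share the token's channel")
        code = secrets.token_hex(8)
        self.activation_hash = hashlib.sha256(code.encode()).hexdigest()
        self.activation_channel = channel
        return code  # handed to the delivery process, never stored in clear

    def activate(self, claimant, code):
        """Only the intended owner presenting the out-of-band code may activate."""
        if self.state != "dormant" or self.activation_hash is None:
            raise ProvisioningError("token not awaiting activation")
        if claimant != self.owner:
            raise ProvisioningError("claimant is not the intended owner")
        given = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(given, self.activation_hash):
            raise ProvisioningError("bad activation code")
        self.state = "active"
        self.activation_hash = None  # code is single-use

    def authenticate(self, claimant):
        """A dormant token never authenticates, even for its own owner."""
        return self.state == "active" and claimant == self.owner
```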

View Part I of the Physical Token Protection series here.


Mar 12 2009   6:41PM GMT

Physical Token Protection - Part III



Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Quality, Token, Usability, CIA, ISM, SLA

As a corollary requirement, when considering physical tokens, functionality is directly related to capabilities. Consequently, physical token appropriateness should be evaluated based on the set of attributes applicable to the existing set of activities and their specific properties. In other words, determining physical token functionality is a characteristic association ensuring that the quality of hardware and/or software products utilized for accessing objects meets intended purpose expectations throughout their life cycle. Adequate physical token functions are those that satisfy stated or implied criteria of users and management. These value drivers emanate from business and governance domain perceptions, where the former typically focuses on functionality and delivery velocity, while the latter tends to emphasize cost-efficiency, return on investment and compliance.

View Part I of the Physical Token Protection series here.


Mar 9 2009   6:56PM GMT

Physical Token Protection - Part II



Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Token, Usability, CIA, ISM, SLA

Information asset usability implies availability to perform requested services as well as transparency. Determining physical token usability necessitates assessing relevant and pertinent services for the access process as well as secure user delivery in a timely, correct, and consistent manner. Whether access control is outsourced to a third party or is maintained internally, the time frame for processing each user security administration operation should be defined and agreed to by the entity’s representatives through a service level agreement (SLA) that aligns with corresponding service objectives and goals. For example, if providing timely user provisioning is established as a goal, user resets for critical applications should be responded to within the SLA-specified time period. Where an SLA does not stipulate the response time, a best practice standard should be adopted and sustained by management to monitor performance achievement.

View Part I of the Physical Token Protection series here.


Mar 6 2009   7:50PM GMT

Physical Token Protection - Part I



Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Token, Usability, CIA, ISM

Organizationally, information security normally is considered a program enabling and optimizing IT security services for the entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management that complies with applicable laws and regulations. Cascading from the generally accepted risk management goal of adequately addressing threats, opportunities, and weaknesses, a primary security risk assessment objective is to provide recommendations that maximize confidentiality, integrity and availability protection reflective of the operating environment, while sustaining usability and functionality. Though IT security advice generally focuses on enhancing data and information protection, equal attention should be given to physical identification credentials utilized for accessing IT objects.