Regulatory Reality:

Audit


July 17, 2009  1:58 PM

Does compliance equate to secure?



Posted by: David Schneier
Audit, compliance, cyber security, FFIEC, GLBA, PCI, regulations, Regulatory Compliance, Security, SOX

Despite earning a living in the space, I often question the value of regulatory compliance.

How is it that a business can be PCI-compliant but still have glaring vulnerabilities?  How is it that despite layer upon layer of controls...

July 8, 2009  3:45 PM

How’s about a federally mandated Information Security Assessment?



Posted by: David Schneier
Audit, compliance, cyber security, FERC cyber security, GLBA, NERC, Regulatory Compliance, SOX

I had a eureka moment recently that I’d like to share.

In considering the implications of the recently announced changes by MasterCard that will now require PCI Level 2 merchants to be assessed by a Qualified Security Assessor (QSA) it occurred to me...


July 2, 2009  2:53 AM

2 for 1 sale: How governance leads to compliance.



Posted by: David Schneier
Audit, compliance, GLBA, governance, GRC, PCI, Regulatory Compliance, SOX

A while back I’d written about the Unified Compliance Framework from Network Frontiers, which takes quite literally every regulation and framework within the IT domain and maps them in such a way where you can identify how a single control addresses multiple requirements. In...


June 22, 2009  3:46 PM

Financial regulations and my crystal ball.



Posted by: David Schneier
Audit, compliance, GLBA, obama, OTS, PCI, Regulatory Compliance, SOX

I had a great piece lined up for this week about a governance project I’m working on but was waylaid by all the news that hit the radar around regulatory reform.

In what may be the understatement of the year, the plans revealed last week by President...


June 12, 2009  8:49 PM

Risk is at the heart of what matters most.



Posted by: David Schneier
assessment, Audit, compliance, GLBA, PCI, Regulatory Compliance, risk, risk assessment

I had two great conversations this week regarding risk assessments (jeez, does that ever sound geeky). The first conversation centered on what an associate was expecting  to accomplish via the risk assessment process and the second one was a general conversation about the proper approach to...


May 20, 2009  7:31 PM

IT Security: Something has to give.



Posted by: David Schneier
Audit, FDIC, FFIEC, fraud, GLBA, NCUA, phishing, Regulatory Compliance

My practice has been busy lately helping a number of clients catch up on required tasks before their scheduled exams (it's a case of the old "if it wasn't for the last minute nothing would ever happen" philosophy).  And in authoring some of our reports we're identifying issues and gaps that are in...


May 14, 2009  6:38 PM

Who put the G in GRC?



Posted by: David Schneier
Audit, compliance, governance, GRC, Regulatory Compliance, risk

I’m something of an advocate for Governance, Risk and Compliance (GRC) and have been for several years.  I’ve been known to rant a bit how it’s not properly organized as an acronym because everyone who knows knows that risk comes first and so it should’ve been...


May 7, 2009  9:58 PM

PCI compliance is not the end all



Posted by: David Schneier
Audit, PCI, Regulatory Compliance, SAS 70, Security

I was sitting in on a meeting this week during which a security review was being conducted for a proposed software solution for my client. The product was designed and hosted by a third-party vendor.

At first blush I was...


April 2, 2009  4:21 PM

Keep an eye on Shared Assessments.



Posted by: David Schneier
Audit, GLBA, Regulatory Compliance, SOX, Vendor Management

About thirty seconds after I posted my last blog an item on the


March 30, 2009  6:55 PM

Why do you need policies and procedures? I’ll tell you why.



Posted by: David Schneier
Audit, GLBA, HIPAA, PCI, Regulatory Compliance, SOX

I once heard a parent say that they wished they had a dollar for every time their teen-aged child rolled their eyes at them.  I'm a parent so I get it.  But what I really wish for is to have a dollar for every time a client rolls their eyes at me when I tell them they need to have all their...


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: