Regulatory Reality:

March 6, 2013  5:19 PM

Security Standards: What’s in a name?

Posted by: David Schneier
assess, assessment, assessments, Audit, auditor, audits, CISO, community bank, control, controls, credit union, credit unions, data security, framework, information security, information security office, infrastructure, ISO, risk assess, risk assessment, risk assessments, risk management, risk-based

I had an interesting phone call recently with someone in a CISO-type position.  They were looking for a consultant to help them keep a seat warm working with information security risk assessments and were hoping to find a resource with practical experience using the NIST 800-53 standard.  It was...

August 8, 2012  6:21 PM

Metrics Reporting: Are pretty colors always pretty accurate?

Posted by: David Schneier
Audit, auditor, audits, bank, banking, banks, Board, Board of Directors, BoD, business, community bank, compliance, control, controls, exam, examination, examinations, examiner, examiners, exams, financial institutions, fraud, governance, regulation, regulations, regulations audit, regulatory, regulatory guidance, SOX

I have an odd relationship with management reporting.  I know it's a necessity and quite often see clear value in what's packaged for senior management and board review.  But a significant piece of the reporting content comes in the form of metrics and, well, whenever I hear the term it conjures...

April 29, 2012  7:43 PM

Internal Audit: Whose side are they on anyway?

Posted by: David Schneier
assessment, assessments, Audit, compliance, control, control owners, controls, findings, GLBA, internal audit, NCUA, regulations, regulatory, Regulatory Compliance, risk, risk assessments, risks

My first encounter with an auditor was back in the mid-90's while working as an application project manager for a Fortune 100 company.  The group responsible for change management was going through an audit of their process and one of the changes that was selected for review happened to belong to...

February 3, 2012  5:58 PM

Governance, risk and compliance – related but not the same.

Posted by: David Schneier
Audit, auditor, compliance, controls, exam, examiner, FFIEC, GLBA, governance, GRC, internal controls, NCUA, regulations, regulatory, Regulatory Compliance, risk

I was sitting in a meeting this week listening to a group of very bright people talking about an initiative centered on installing a software solution and I realized something rather disturbing; somewhere along the way in our industry governance, risk and compliance has started melting together and...

November 2, 2010  2:33 PM

Risk management process demands vigilance

Posted by: David Schneier
assessment, Audit, controls, GLBA, NCUA, regulatory, Regulatory Compliance, risk assessment

I was in the midst of writing my weekly blog post focusing on threadbare thin compliance efforts when I was distracted by news of a potential terrorist incident.  As you likely know by now, it appears that Al-Qaeda was either attempting to send explosive devices onto airplanes or was conducting a...

June 25, 2010  4:08 PM

Security pros need to practice vigilance not avoidance

Posted by: David Schneier
controls, firewall, firewalls, hackers, hacking, information security, regulatory, Regulatory Compliance, Security, social network, web filters

A week or so ago, I received an invitation from a professional friend of mine to connect via Facebook.  He's someone whose brain I've picked time and again as he's one of the brightest information security people I've worked with but more importantly, he's also someone who I enjoy talking to, and...

April 23, 2010  10:14 PM

Compliance professionals need thick skins

Posted by: David Schneier
assessment, assessments, Audit, bcp, business continuity planning, controls, framework, general controls, GLBA, IT General Controls, NCUA, Regulatory Compliance, Security, security awareness, Vendor Management

I've often surprised people when it comes to conducting audit/assessment work or developing compliance programs.  Generally speaking I'm a reasonable person who typically exhibits an abundance of flexibility in my day-to-day life.  However when it comes to my career, I tend to be much more of a...

January 15, 2010  6:05 AM

The best part of audit (yes, I mean audit)

Posted by: David Schneier
Audit, controls, evidence, GLBA, Regulatory Compliance, risk

A recent jobs survey released last week indicated that less than 50% of the work force is satisfied with their job. Me, I’m a lucky guy as I genuinely like what I do for a living. It’s funny in a way because over the first decade or so of my...


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: