Regulatory Reality:

GRC


September 21, 2012  3:44 PM

Are self-assessments the right way to go?



Posted by: David Schneier
assess, assessment, assessments, Audit, bank, banking, CISO, CISSP, compliance, compliance officer, compliant, credit union, credit unions, CU, disaster, disaster recovery, DR, enterprise risk, enterprise risk management, ERM, exam, examination, examinations, examiner, examiners, exams, framework, governance, GRC, guidance, information security, information security office, infrastructure, ISO, oversight, policy, procedure, regulation, regulations, regulations audit, regulatory, regulatory guidance, risk assess, risk assessment, risk assessments, risk management, risk-based, risks, technology

About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels,...

July 6, 2012  3:18 AM

Risk: The core issue behind regulatory requirements



Posted by: David Schneier
assess, assessment, assessments, Audit, audits, bank, banking, banks, compliance, compliant, control, credit union, credit unions, CU, enterprise risk, enterprise risk management, ERM, exam, examination, examinations, examiner, exams, FDIC, Federal Reserve Bank, FFIEC, financial institutions, framework, FRB, general controls, GLBA, governance, GRC, guidance, information security, information security office, infrastructure, NCUA, PII, policy, procedure, regulation, regulations, regulations audit, risk assessment, risk assessments, Risk IT, risk management, risk rating, risk-based, risks, threats, vendor, Vendor Management, vendor risk, vendor risk assessment

There's a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I'll tell you that I'm a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information...


March 23, 2012  3:24 PM

GRC presents a broad spectrum; is it too broad?



Posted by: David Schneier
assessment, Audit, compliance, GRC, HIPAA, PCI, regulations, regulatory, Regulatory Compliance, risk, risk assessment, SOX

In early 2004 I co-authored my first Sarbanes-Oxley (SOX) controls framework for a client.  Just about the entire thing required manual testing that, if everything worked as planned would require a full-time resource to support.  About thirty seconds after submitting the framework draft to the...


February 3, 2012  5:58 PM

Governance, risk and compliance – related but not the same.



Posted by: David Schneier
Audit, auditor, compliance, controls, exam, examiner, FFICE, GLBA, governance, GRC, internal controls, NCUA, regulations, regulatory, Regulatory Compliance, risk

I was sitting in a meeting this week listening to a group of very bright people talking about an initiative centered on installing a software solution and I realized something rather disturbing; somewhere along the way in our industry governance, risk and compliance has started melting together and...


December 5, 2011  11:54 PM

The trouble with GRC.



Posted by: David Schneier
assessments, Audit, compliance, governance, GRC, regulations, regulatory, Regulatory Compliance, regulatory guidance, risk, risk assessments

I love GRC, at least the concept.  I've gotten way more than my fair share of print time expounding on its many virtues and how it continues to make inroads into so many organizations.  It's the next and necessary step in the evolution of audit and compliance, a fact (yes, fact) of which I'm...


April 26, 2011  6:00 AM

Is compliance moving too fast?



Posted by: David Schneier
assessment, Audit, compliance, exam, examiner, exams, GLBA, governance, GRC, NCUA, oversight, regulations, regulatory, Regulatory Compliance, risk

I joined a new group last week on LinkedIn focusing on compliance within the banking space and during my first visit answered a forum question that started with "How do you manage the flow of compliance information?"  It was a relevant question and I was happy enough to offer my two cents (never a...


April 8, 2011  10:45 AM

GRC is about to see its future.



Posted by: David Schneier
Audit, compliance, GLBA, governance, GRC, HIPAA, PCI, regulations, regulatory, Regulatory Compliance, risk, SOX, UCF

After nearly a quarter century of working in and around the corporate IT domain I have a grand total of four bold predictions I've made that stand out.  Three of them I nailed dead on, and the fourth never panned out, a fact that confounds me still to this day. The...


March 8, 2011  4:58 PM

Does GRC scale to size?



Posted by: David Schneier
assessment, Audit, bank, banking, compliance, credit union, CU, exam, examination, examiner, exams, governance, GRC, regulation, regulatory, Regulatory Compliance, risk, risk assessment

We were having an internal conversation this past week about governance, risk, and compliance (GRC) and I was asked about its role in the small and...



June 14, 2010  6:57 AM

An update on governance, risk and compliance



Posted by: David Schneier
Audit, compliance, governance, GRC, regulations, Regulatory Compliance, risk, risk assessment

I just had an article published in Information Security magazine on GRC titled "Demystifying governance, risk and compliance."  It's a piece...


May 10, 2010  4:59 AM

FDIC bank closure hits close to home



Posted by: David Schneier
compliance, FDIC, GLBA, governance, GRC, HIPAA, PCI, Regulatory Compliance, risk, risk assessment, SOX

In the past, I've made sometimes flip and irreverent comments about the weekly FDIC announcements that land in my inbox regarding bank closings.  Despite the mind-numbing number of institutions that have been closed over the past year or so and the somewhat extensive list of institutions I've...
