Regulatory Reality:

Regulatory Compliance

May 21, 2012  1:47 PM

Remote Deposit Capture is probably a very, very bad innovation.

Posted by: David Schneier
ACH, bank, banking, checks, compliance, identity management, identity theft, regulations, regulatory, Regulatory Compliance, remote capture, remote deposit capture

Before I even get into the nitty-gritty of the post I have to point out that in the time it took me to choose the topic and start writing I've already thought of three perfect ways to steal your money via remote deposit capture.  Seriously, this is a hugely bad idea that will lead to hundreds of...

April 29, 2012  7:43 PM

Internal Audit: Whose side are they on anyway?

Posted by: David Schneier
assessment, assessments, Audit, compliance, control, control owners, controls, findings, GLBA, internal audit, NCUA, regulations, regulatory, Regulatory Compliance, risk, risk assessments, risks

My first encounter with an auditor was back in the mid-90's while working as an application project manager for a Fortune 100 company.  The group responsible for change management was going through an audit of their process and one of the changes that was selected for review happened to belong to...

April 14, 2012  2:23 PM

Anyone remember the Heartland breach?

Posted by: David Schneier
Add new tag, ATM, Audit, compliance, GLBA, PCI, regulation, regulations, regulatory, Regulatory Compliance, Security

Two weeks ago news broke about a huge, massive leak of credit card information from a processor called Global Payments and I braced for a firestorm of media coverage that was sure to follow.  Two weeks hence and it's pretty much a non-event.  A few days ago the State of Utah reported a breach of...

March 23, 2012  3:24 PM

GRC presents a broad spectrum; is it too broad?

Posted by: David Schneier
assessment, Audit, compliance, GRC, HIPAA, PCI, regulations, regulatory, Regulatory Compliance, risk, risk assessment, SOX

In early 2004 I co-authored my first Sarbanes-Oxley (SOX) controls framework for a client.  Just about the entire thing required manual testing that, if everything worked as planned would require a full-time resource to support.  About thirty seconds after submitting the framework draft to the...

March 6, 2012  6:00 PM

My bank card was compromised.

Posted by: David Schneier
breach, compliance, data breach, data security, GLBA, PCI, regulations, regulatory, Regulatory Compliance, Security

Two weeks ago, about two hours before departing on a long weekend trip to welcome back baseball in Florida I received an email from my bank indicating that there's been suspicious activity on my Visa check card and that it's been suspended.  Considering that under normal conditions I think my...

February 16, 2012  5:49 PM

BITS Shared Assessment – No Free Lunch.

Posted by: David Schneier
BITS, COBIT, compliance, GLBA, ISACA, ITGI, NCUA, regulatory, Regulatory Compliance, Shared Assessement, SIG, Vendor Management, vendor risk, vendor risk assessment

On Monday the BITS Shared Assessment was free, on Tuesday it cost $5,000 per year (at a minimum). My first thought was that it was just like what drug dealers do - they give you free product until you're hopelessly addicted and then start making you pay to feed that addiction.  My second...

February 3, 2012  5:58 PM

Governance, risk and compliance – related but not the same.

Posted by: David Schneier
Audit, auditor, compliance, controls, exam, examiner, FFICE, GLBA, governance, GRC, internal controls, NCUA, regulations, regulatory, Regulatory Compliance, risk

I was sitting in a meeting this week listening to a group of very bright people talking about an initiative centered on installing a software solution and I realized something rather disturbing; somewhere along the way in our industry governance, risk and compliance has started melting together and...

January 8, 2012  9:27 PM

Maintaining compliance is often the Missing Link.

Posted by: David Schneier
assess, assessment, Audit, compliance, exam, examination, examiner, FDIC, GLBA, NCUA, regulations, regulatory, Regulatory Compliance, risk, risk assess, risk assessment

I've been in the solutions selling business on and off for about a decade but exclusively so over these past four years.  Up until becoming a partner in my current practice I pretty much was always only involved in helping sell the solution and usually implementing it before moving on.  Seldom...

December 22, 2011  9:44 PM

Why I don’t trust hosted or SaaS solutions.

Posted by: David Schneier
assessment, Audit, compliance, GLBA, NPPI, PCI, PII, regulatory, Regulatory Compliance, risk, risk assessment

Let me begin by sharing a story from the way back files.   In the mid 80’s when I was first starting out in my career I was working as a junior programmer in Manhattan.  Courtesy of playing on the corporate softball team I became acquainted with a fairly diverse group of...

December 5, 2011  11:54 PM

The trouble with GRC.

Posted by: David Schneier
assessments, Audit, compliance, governance, GRC, regulations, regulatory, Regulatory Compliance, regulatory guidance, risk, risk assessments

I love GRC, at least the concept.  I've gotten way more than my fair share of print time expounding on its many virtues and how it continues to make inroads into so many organizations.  It's the next and necessary step in the evolution of audit and compliance, a fact (yes, fact) of which I'm...

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: