Regulatory Reality:

December 19, 2012  1:51 PM

CFPB: Dodd-Frank at its best.



Posted by: David Schneier
bank, banking, banking crisis, banks, compliance, compliant, Dodd-Frank, economy, exam, examination, examinations, examiner, examiners, exams, Federal Reserve Bank, FFIEC, financial, financial institutions, FRB, mortgage, regulation, regulations, regulations audit, regulatory, regulatory guidance, requirements, risk, SOX, third party management, third party oversight, too big to fail, vendor, Vendor Management, vendor risk, vendor risk assessment, vendor risk rating

The campaign season that ended with last month’s presidential elections generated more debate and rhetoric than any other in my lifetime. As I'm an outspoken person who has never shied away from a good argument, I routinely found myself engaged in exchanges with a remarkably broad range of...

September 21, 2012  3:44 PM

Are self-assessments the right way to go?



Posted by: David Schneier
assess, assessment, assessments, Audit, bank, banking, CISO, CISSP, compliance, compliance officer, compliant, credit union, credit unions, CU, disaster, disaster recovery, DR, enterprise risk, enterprise risk management, ERM, exam, examination, examinations, examiner, examiners, exams, framework, governance, GRC, guidance, information security, information security office, infrastructure, ISO, oversight, policy, procedure, regulation, regulations, regulations audit, regulatory, regulatory guidance, risk assess, risk assessment, risk assessments, risk management, risk-based, risks, technology

About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels,...


August 8, 2012  6:21 PM

Metrics Reporting: Are pretty colors always pretty accurate?



Posted by: David Schneier
Audit, auditor, audits, bank, banking, banks, Board, Board of Directors, BoD, business, community bank, compliance, control, controls, exam, examination, examinations, examiner, examiners, exams, financial institutions, fraud, governance, regulation, regulations, regulations audit, regulatory, regulatory guidance, SOX

I have an odd relationship with management reporting.  I know it's a necessity and quite often see clear value in what's packaged for senior management and board review.  But a significant piece of the reporting content comes in the form of metrics and, well, whenever I hear the term it conjures...


July 21, 2012  8:25 PM

CFPB: Filling the regulatory void left by Sheila Bair



Posted by: David Schneier
Add new tag, assess, assessment, assessments, bank, banking, banking crisis, banks, community bank, compliance, compliance officer, compliant, control, credit, credit card, data security, Dodd-Frank, economy, enterprise risk, enterprise risk management, ERM, exam, examination, examinations, examiner, examiners, exams, Federal Reserve Bank, FFIEC, financial, financial institutions, framework, information security office, lending, LinkedIn, mortgage, NCUA, NCUA Sheila Bair, NPPI, observations, oversight, personally identifiable information, PII, policy, privacy, procedure, regulation, regulations, regulations audit, regulatory, regulatory guidance, risk assess, risk assessment, risk assessments, risk management, risk-based, risks, security PII, Sheila Bair, social security numbers, technology, third party management, third party oversight, vendor, Vendor Management, vendor risk, vendor risk assessment

I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he's just a whole lot less interesting to pay...


May 21, 2012  1:47 PM

Remote Deposit Capture is probably a very, very bad innovation.



Posted by: David Schneier
ACH, bank, banking, checks, compliance, identity management, identity theft, regulations, regulatory, Regulatory Compliance, remote capture, remote deposit capture

Before I even get into the nitty-gritty of the post I have to point out that in the time it took me to choose the topic and start writing I've already thought of three perfect ways to steal your money via remote deposit capture.  Seriously, this is a hugely bad idea that will lead to hundreds of...


April 29, 2012  7:43 PM

Internal Audit: Whose side are they on anyway?



Posted by: David Schneier
assessment, assessments, Audit, compliance, control, control owners, controls, findings, GLBA, internal audit, NCUA, regulations, regulatory, Regulatory Compliance, risk, risk assessments, risks

My first encounter with an auditor was back in the mid-90's while working as an application project manager for a Fortune 100 company.  The group responsible for change management was going through an audit of their process and one of the changes that was selected for review happened to belong to...


April 14, 2012  2:23 PM

Anyone remember the Heartland breach?



Posted by: David Schneier
Add new tag, ATM, Audit, compliance, GLBA, PCI, regulation, regulations, regulatory, Regulatory Compliance, Security

Two weeks ago news broke about a huge, massive leak of credit card information from a processor called Global Payments and I braced for a firestorm of media coverage that was sure to follow.  Two weeks hence and it's pretty much a non-event.  A few days ago the State of Utah reported a breach of...


March 23, 2012  3:24 PM

GRC presents a broad spectrum; is it too broad?



Posted by: David Schneier
assessment, Audit, compliance, GRC, HIPAA, PCI, regulations, regulatory, Regulatory Compliance, risk, risk assessment, SOX

In early 2004 I co-authored my first Sarbanes-Oxley (SOX) controls framework for a client. Just about the entire thing required manual testing that, if everything worked as planned, would require a full-time resource to support. About thirty seconds after submitting the framework draft to the...


March 6, 2012  6:00 PM

My bank card was compromised.



Posted by: David Schneier
breach, compliance, data breach, data security, GLBA, PCI, regulations, regulatory, Regulatory Compliance, Security

Two weeks ago, about two hours before departing on a long weekend trip to welcome back baseball in Florida I received an email from my bank indicating that there's been suspicious activity on my Visa check card and that it's been suspended.  Considering that under normal conditions I think my...


February 16, 2012  5:49 PM

BITS Shared Assessment – No Free Lunch.



Posted by: David Schneier
BITS, COBIT, compliance, GLBA, ISACA, ITGI, NCUA, regulatory, Regulatory Compliance, Shared Assessment, SIG, Vendor Management, vendor risk, vendor risk assessment

On Monday the BITS Shared Assessment was free, on Tuesday it cost $5,000 per year (at a minimum). My first thought was that it was just like what drug dealers do - they give you free product until you're hopelessly addicted and then start making you pay to feed that addiction.  My second...
