Regulatory Reality: risk assessment

June 14, 2010  6:57 AM
An update on governance, risk and compliance
Posted by: David Schneier
Tags: Audit, compliance, governance, GRC, regulations, Regulatory Compliance, risk, risk assessment

I just had an article published in Information Security magazine on GRC titled "Demystifying governance, risk and compliance." It's a piece...

May 21, 2010  1:55 PM
The new Senate finance bill: not what I hoped for
Posted by: David Schneier
Tags: Audit, compliance, FDIC, OCC, Regulatory Compliance, risk, risk assessment, risk assessments, SEC

I'm an optimist: ask anyone who knows me either personally or professionally and they'll agree. And I've been eagerly anticipating new legislation ever since the banks spiraled out of control and needed government intervention to save themselves. As my wife likes to tell people, when the...


May 10, 2010  4:59 AM
FDIC bank closure hits close to home
Posted by: David Schneier
Tags: compliance, FDIC, GLBA, governance, GRC, HIPAA, PCI, Regulatory Compliance, risk, risk assessment, SOX

In the past, I've made sometimes flip and irreverent comments about the weekly FDIC announcements that land in my inbox regarding bank closings. Despite the mind-numbing number of institutions that have been closed over the past year or so and the somewhat extensive list of institutions I've...


February 23, 2010  4:17 AM
Rethinking compliance software
Posted by: David Schneier
Tags: Audit, bcp, disaster recovery, GLBA, PCI, Regulatory Compliance, risk assessment, SOX, Vendor Management

Here's me about to eat crow. After nearly a decade of railing against software as a solution to address the challenges of regulatory/industry compliance, I'm being forced to reconsider my position. I've long advocated that an institution or organization could just as easily develop manual...


February 5, 2010  3:57 AM
How security aware is your organization?
Posted by: David Schneier
Tags: Audit, GLBA, information security, NCUA, phish, phishing, Regulatory Compliance, risk, risk assessment, Security, security testing, social engineering

Consider this post to be something of a (banking) community service announcement. It's February 2010; do you know when the last time was that your organization conducted a social engineering exercise? I come across instances almost all of the time where financial institutions have obvious...


October 20, 2009  3:05 PM
Should bank examiners rely on audit and assessment reports?
Posted by: David Schneier
Tags: assessment, Audit, bcp, business continuity planning, disaster recovery, DR, GLBA, information security, IT, NCUA, Regulatory Compliance, risk, risk assessment, technology

A favorite cliché of mine is “if it wasn’t for the last minute nothing would ever get done.” Personally it’s sort of the way I’m wired, and in my industry it’s an unwritten rule when it comes to many annual activities. There’s an...


October 8, 2009  8:33 PM
The COBIT framework isn’t an audit solution
Posted by: David Schneier
Tags: Audit, COBIT, GLBA, ISACA, ITGI, NCUA, Regulatory Compliance, risk, risk assessment, Risk IT, SOX, Val IT

I have an associate who has an addiction to certifications. He’s one of those “too smart for his own good” geniuses who often decides to change his career course and starts by obtaining whatever accreditation or cert is needed to do so....


September 1, 2009  3:29 PM
IT audits versus reviews
Posted by: David Schneier
Tags: Audit, compliance, general controls, GLBA, governance, GRC, IT, ITGC, NCUA, Regulatory Compliance, risk, risk assessment

I had mentioned in my last post a recent conversation with my partner regarding a proposed IT general controls (ITGC) audit. My primary role in our practice is to head up regulatory compliance services, which includes audits, assessments and program development; my...


August 8, 2009  3:31 AM
How to combat the insider threat
Posted by: David Schneier
Tags: assessment, Audit, breach, insider threat, Regulatory Compliance, risk assessment, Security

I was reading an article last week about how there’s been a recent increase in the number of reported security breaches caused by internal resources. The insider threat is not a new one, as corporate espionage is as old as civilization, but it certainly is getting more...


June 12, 2009  8:49 PM
Risk is at the heart of what matters most.
Posted by: David Schneier
Tags: assessment, Audit, compliance, GLBA, PCI, Regulatory Compliance, risk, risk assessment

I had two great conversations this week regarding risk assessments (jeez, does that ever sound geeky). The first conversation centered on what an associate was expecting to accomplish via the risk assessment process and the second one was a general conversation about the proper approach to...

