Regulatory Reality: Security
November 29, 2010  3:19 PM

You can't have partial regulatory compliance

Posted by: David Schneier
Tags: assessment, Audit, CISO, compliance, compliance officer, HIPAA, ISO, PII, regulatory, Regulatory Compliance

I recently decided to establish an automatic link between my personal checking account and a mutual fund account that was established for my son years ago when he was a baby.  The account was originally funded with a gift from a family member and while it's grown reasonably well percentage-wise,...

November 16, 2010  6:07 PM

What is the practical value of compliance policies?

Posted by: David Schneier
Tags: Audit, bcp, compliance, general controls, GLBA, NCUA, regulatory, Regulatory Compliance, risk, risk assessment, Security

My practice recently wrapped up an engagement in which we conducted a tabletop test of a client's business continuity plan.  As always with such exercises, it's interesting to find out how much distance exists between what's documented in an institution's policy/program and how business is...

November 2, 2010  2:33 PM

Risk management process demands vigilance

Posted by: David Schneier
Tags: assessment, Audit, controls, GLBA, NCUA, regulatory, Regulatory Compliance, risk assessment

I was in the midst of writing my weekly blog post focusing on threadbare thin compliance efforts when I was distracted by news of a potential terrorist incident.  As you likely know by now, it appears that Al-Qaeda was either attempting to send explosive devices onto airplanes or was conducting a...

October 22, 2010  3:20 AM

After a data security breach, who's to blame?

Posted by: David Schneier
Tags: anti-malware, anti-virus, assessment, Audit, hack, HIPAA, regulations, regulatory, Regulatory Compliance, scanning, vulnerability

I read a blog post last week from my friend Ed Moyle in which he discussed a story about how a professor at the University of North Carolina-Chapel Hill was demoted because a server used in her research project was hacked.  A committee had concluded that it was the professor's fault that the...

October 11, 2010  3:56 PM

Vendor management program efforts still fall (way) short

Posted by: David Schneier
Tags: assess, examination, examiner, GLBA, NCUA, periodic review, regulations, regulatory, Regulatory Compliance, risk, risk rating, third party management, third party oversight, vendor, Vendor Management, vendor risk rating

Early last week I downloaded some fresh content covering vendor management.  It turned out that the new information wasn't really new; it's guidance that's been circulating in one form or another for years and tracks closely with guidance ripped from the pages of the Santa Fe Group/BITS Shared...

October 1, 2010  7:41 PM

Hidden information security threats are still threats

Posted by: David Schneier
Tags: Audit, bank, banking, compliance, credit union, CU, FDIC, FFIEC, financial, financial institutions, personally identifiable information, regulations, regulatory, Regulatory Compliance, security, PII

Growing up I was a huge fan of the sitcom "The Odd Couple."  Some of my favorite catch phrases have in some part been influenced by lines of dialogue that I memorized.  One in particular serves as the best pure definition for a phenomenon I encounter frequently enough in my audit/compliance...

September 20, 2010  8:28 PM

Regulatory compliance management lacking common sense

Posted by: David Schneier
Tags: Audit, compliance, exam, examination, GLBA, HIPAA, NCUA, NERC, PCI, regulatory, Regulatory Compliance, risk, risk assessment, SOX

I stumbled upon an old nemesis of mine recently and the bad taste it left in my mouth continues to offend my senses. In an industry where there are standards that define how standards should be written and websites dedicated to dissecting each standard so that everyone can understand what the...

September 5, 2010  5:17 AM

Managing today's privacy threats and security risks

Posted by: David Schneier
Tags: CISO, compliance, Facebook, GLBA, information security, ISO, LinkedIn, NCUA, PII, regulatory, Regulatory Compliance, Security, social network

A few months back, the big blinking light in the middle of the information security radar was a story about how someone had harvested all sorts of personal...

August 25, 2010  4:07 PM

Are you GLBA compliant and ready for year-end?

Posted by: David Schneier
Tags: Audit, business continuity, business continuity planning, compliance, FDIC, GLBA, NCUA, penetration test, penetration testing, regulatory, Regulatory Compliance, risk, risk assessment, Security, security awareness, social engineering, Vendor Management, vulnerability test

Summer at home officially ended this morning as my children returned to school.  Beyond the fact that I consider it cruel and inhuman punishment to resume academic activities before Labor Day, it also serves as a wake-up call that we're well past mid-year on the traditional calendar and eyeing the...

August 16, 2010  2:43 PM

Data security risks in the new age of banking

Posted by: David Schneier
Tags: Audit, bank, banking, cloud, cloud computing, credit union, FDIC, GLBA, merger, NCUA, NPPI, PII, regulatory, Regulatory Compliance, risk, risk assessment

Earlier this month, I blogged about my concerns regarding a drop-off in information security oversight by banking regulators. In this age of safety and soundness first, everything else comes second, if at all.  It's more than a week later and I'm not feeling any better about things; as a matter of...