IT Compliance Advisor

March 22, 2013  5:42 PM

Alleged Microsoft FCPA violations prove anti-corruption controls vital

Ben Cole

Microsoft this week became the latest big-name U.S. company to be investigated for bribing foreign officials and violating the Foreign Corrupt Practices Act. The U.S. Department of Justice and the SEC are investigating a whistleblower’s allegations that Microsoft illegally offered kickbacks to Chinese officials to secure software contracts, according to a report first disclosed by the Wall Street Journal.

The importance of global anti-corruption programs was the topic of a presentation at the sixth annual Marcus Evans Enterprise Risk Management Conference held in Chicago earlier this week. Presenters noted that bribery and corruption investigations have increased dramatically in recent years, with companies such as Wal-Mart and Tyson Foods being charged with FCPA violations.

With more companies expanding global operations, sweeping controls are necessary to prevent bribery and maintain ethical business practices — and avoid FCPA violations in the process, ERM conference presenters said. This can be difficult, however, especially for large corporations with numerous foreign partners.

Microsoft Vice President and Deputy General Counsel John Frank referred to this difficulty in a blogged response to Microsoft’s alleged FCPA violations. Although Frank did not comment specifically on the allegations, he said that as Microsoft continues its business expansion throughout the globe, “legal and ethical standards” are a huge priority for the company.

“Compliance is the job of every employee at the company, but we also have a group of professionals focused directly on ensuring compliance,” Frank wrote in the blog post. “We have more than 50 people whose primary role is investigating potential breaches of company policy, and an additional 120 people whose primary role is compliance.”

As Frank notes in the blog, it’s impossible to say that there will never be any wrongdoing in a company as large as Microsoft. The company’s proactive approach, however, provides a great example for other companies. Presenters at the ERM conference in Chicago said companies can at least demonstrate good faith by having an ethics and compliance program in place that allows the business to pounce on such allegations quickly with their own internal investigations. This proactive approach, as well as a cooperative and transparent relationship with regulators, proves to investigators that high-ranking members of the organization know what is going on and are taking steps to fix the problem.

In addition to potentially garnering at least some sympathy from investigators when it comes to doling out punishment, the proactive, “we will not stand for this” approach could offset reputation damage stemming from these and similar allegations. This is increasingly important as more companies expand global operations — especially when these operations are in regions with lax corruption and anti-bribery controls.

Unsavory employees, rogue third party agents and corrupt officials will always have the potential to create legal concerns for companies all over the world. As the Microsoft case shows, it’s better to be prepared rather than hoping it doesn’t happen. Your bottom line — and business reputation — could depend on it.

February 22, 2013  6:05 PM

China hacking allegations put lack of U.S. cybersecurity in spotlight

Ben Cole

U.S. cybersecurity — or the lack of it — was big news this week, as President Barack Obama’s recent issuance of cybersecurity-related executive orders coincided with reports that China has systematically made cyberattacks against American interests.

Since 2006, a Chinese military unit within the People’s Liberation Army has been using cyber-espionage to steal “confidential data from at least 141 organizations across multiple industries,” according to a report from Alexandria, Va.-based security firm Mandiant Corp. Mandiant’s findings, first reported in the New York Times, allege the Chinese hackers targeted wide-ranging sectors — many with operations in the United States — including information technology, military contractors, aerospace, chemical plants, telecommunications and scientific research. The Chinese government denies the reports.

The China hacking allegations came shortly after President Obama issued an executive order titled “Improving Critical Infrastructure Cybersecurity.” The cybersecurity executive order stated that “repeated cyber intrusions” require operators of critical U.S. infrastructure to improve cybersecurity information sharing and the implementation of risk-based standards. Following the Chinese hacking allegations, the Obama administration also announced new efforts to protect against U.S. intellectual property theft.

But is the executive order enough to protect U.S. interests? Part of the reason the order was necessary is due to several failed attempts in recent years to pass a sweeping piece of cybersecurity legislation. Past U.S. cybersecurity bills have been thwarted by privacy groups and those representing businesses — including the very vocal U.S. Chamber of Commerce that argued the bills would put undue costs and regulations on industry.

Both the privacy and bottom-line-related arguments could be perilous in the face of the Chinese hacking allegations, as well as other recent high-profile hacks of Apple, Facebook and the New York Times itself. It’s just common sense that hackers are usually seeking trade secrets, business information and personally identifiable information. This is all information that would ultimately degrade online privacy and business interests for those organizations and individuals that are being hacked.

If businesses and privacy groups don’t realize the need for U.S. cybersecurity after recent attacks against the country’s interests, the entire nation will continue to face these threats. As hackers and their targets get more sophisticated, a comprehensive, cooperative approach to the nation’s cybersecurity will be necessary. Of course, privacy and costs will have to be considered when developing the rules. But until at least some cybersecurity rules are outlined, online security for all Americans remains vulnerable.

January 18, 2013  4:25 PM

Considering a career in compliance? Heed these warnings first

Kevin Beaver

So you want to pursue a career in compliance? I can’t really blame you. With a median salary of more than $60,000, it can certainly pay off — and the sky’s the limit moving forward. Of course, money’s not everything. Sure, it ranks up there with oxygen — but there’s certainly more to a career in compliance than the financial aspects alone, right?

In my past 11 years working as a consultant, I’ve had the opportunity to work with a number of compliance officers and managers. These roles have evolved from policy pushers to gain a much more respectable seat at the table when critical IT and business decisions are being made. Many businesses even have their own lawyers that serve in a compliance oversight role. There’s no doubt that compliance, and the need for intelligent people to manage it, has certainly gained traction in the last decade.

There are, however, still some potential issues you need to be aware of before running down the compliance career path at full tilt. Here are some aspects about the role compliance plays in organizations I’ve seen time and again:

  1. It can be overwhelming. With government and industry rules expanding all over the world, IT compliance regulations seem to change every week. Add to that the complexity and verbosity of the lawyer-speak you’ll be subjected to, and you have to keep up with a lot of information.
  2. Compliance is not sexy. It’s important, no doubt, and one of the most important roles in business today. But working with policies, procedures and audit processes may not be the most elegant and appealing work. And don’t forget the endless number of meetings.
  3. If they need a scapegoat, expect peers and management to throw you under the bus during and after a data breach. After all, you’re the person who wrote the policies and oversaw the security assessments and controls leading up to the event, right?
  4. IT staff will think you’re out to get them. There can be continual paranoia — even if they need to be called out for their oversights. It’s not normally all that terrible — just know that it can be. Admit it: Those of us working in IT can be hard-headed.
  5. Staying on top of what’s happening in and around IT can require more technical skills than many people assume. You don’t necessarily need a technical degree or certifications to get by — just some sharp insight and well-placed questions (periodically and consistently, of course) to ensure no one is pulling the wool over your eyes.

In the end, you have to ask yourself if you have the right personality, level of patience and raw ability to put up with a lot of nonsense necessary for a career in compliance. If your organization’s culture and leadership embrace compliance and your role in it, however, you can definitely go places in the business — all while making vital decisions that determine its success.

December 14, 2012  5:10 PM

Facebook privacy policy receives a major overhaul

Ben Cole

Facebook rolled out a completely revamped privacy policy this week that promises users simplified tools to protect their personal information. In a Dec. 12 blog post announcing the changes, Facebook’s director of product management Samuel W. Lessin said the updates are designed to help users control what they share on the site and provide tools to help them act on content they don’t want shared.

Some of the changes include:

Privacy shortcuts and apps permissions. Under the Facebook privacy policy revamp, key settings such as privacy and timeline controls are available on the site’s main toolbar, rather than forcing users to navigate separate pages. The changes also alter application permission settings, providing users more control over what they share on their Facebook page.

Updated user education and activity logs. Under the new privacy policy, Facebook will provide in-context notices to users throughout the site. “We’ve created a series of messages to help you understand, in context, that the content you hide from your timeline may still appear in news feed, search and other places,” Lessin wrote. Facebook’s “activity log” will feature new navigation interfaces as well, designed to ease users’ ability to review their Facebook activity and to help them decide what they want made public on the site.

New tools to manage content. In Facebook’s updated activity log, there will be a new “request and removal tool” that allows users to take action on photos they are tagged in. “If you spot things you don’t want on Facebook, now it’s even easier to ask the people who posted them to remove them,” Lessin wrote.

The Facebook policy updates are scheduled to roll out before the end of the year, and come as online privacy remains a hot topic in the IT world. Earlier this month, Delta Air Lines Inc. became the first organization to be sued for potential violations of California’s Internet privacy law. The suit claims the mobile phone application “Fly Delta” violates the law because it does not adequately disclose what personal information is being collected from users and how that information will be distributed.

The U.S. government is paying attention to online and mobile privacy as well: This week, the Senate Judiciary Committee voted in favor of the Location Privacy Protection Act, which would require companies to get customers’ consent before collecting or sharing mobile location data. The move came just weeks after the same committee approved a bill to update privacy safeguards for email and other electronic communications.

As the quest for consumer privacy online continues, the federal government will likely keep seeking regulatory requirements to protect personal information. After being criticized for their privacy rules in the past, perhaps the new privacy policy is a sign that Facebook is trying to take the initiative and revamp consumer protection policies before regulatory compliance rules become the norm.

November 15, 2012  5:11 PM

Will 2012 election results help push Dodd-Frank regulations forward?

Ben Cole

The Internet — and Wall Street — was abuzz this past week after the reelection of President Barack Obama and the election of newcomer Elizabeth Warren as the U.S. Senator in Massachusetts. Wall Street, in all likelihood, was hoping that Mitt Romney would unseat Obama — as well as dismantle the Dodd-Frank Act regulations and cut back financial reform. Warren has also been outspoken in her disdain for Wall Street’s treatment of consumers, and can now cast financial regulation votes from her Senate seat.

Several bloggers and major newspapers speculated that Obama would target financial reform in his second term. The Washington Post stated that with the election behind him, Obama no longer needs to cater to special interests and can be more tenacious in attacking changes in the financial system. Bloomberg Businessweek reported that Warren’s Senate seat gives her “powerful tools” in the debate over whether and how to regulate the finance industry.

Some, however, remain skeptical that the new regime will have much of an influence on financial reform, especially when it comes to Dodd-Frank regulations. After all, the U.S. is still way behind in implementing most parts of the law. Only a third of the rules have been finalized, noted ProPublica reporter Jesse Eisinger in an article published in the New York Times online, and Eisinger is not sure Obama’s reelection will speed the process.

“The core problems with the financial system and its regulators are deeper than personnel and sadly impervious to which party occupies the White House,” Eisinger wrote. “They are bipartisan and structural.”

The question is: How much of the anti-Wall Street campaign talk was just that — campaign talk? After spouting “sticking up for the little guy” rhetoric on the campaign trails, both Warren and Obama may scale back to more moderate viewpoints after the election. It’s also going to take more than two people to overhaul the financial system — it requires a sea change in the political stance toward Wall Street, and the attitudes of Wall Streeters themselves.

What do you think? Will the 2012 election, particularly the victories by Obama and Warren, have an impact on Dodd-Frank regulations and financial reform? Or will it be business as usual on Wall Street?

October 5, 2012  5:01 PM

As user numbers increase, cloud security issues at the forefront

Ben Cole

Many companies are now seeing the benefits of cloud computing: cost savings, increased network accessibility and improved scalability, to name just a few. But cloud security issues, compliance and privacy are increasing concerns.

The Cloud Market Maturity study, a joint survey released by the Cloud Security Alliance and ISACA last month, revealed that government regulations, legal issues and international data privacy are among the top 10 areas ranked by respondents as “low confidence” when it comes to the cloud.

These concerns were echoed during the recent “Cloud 2.0” panel discussion held in Waltham, Mass., last week. Among the panelists was Judy Klickstein, CIO at Cambridge Health Alliance, who said that, ideally, the cloud provides the means to offer services to her company’s users in a very cost-competitive, secure environment. It’s that “secure environment” part that creates concern for organizations currently moving to the cloud — especially those in the health care field, Klickstein said.

“We have an obligation, and a duty, a judiciary responsibility at our organization to make sure that somebody’s personal information does not get hacked, stolen, shared or sent to the wrong place,” Klickstein said. “As part of that, there’s an enormous array of federal and state regulations guiding everything about what happens to you if you really screw it up.”

When these regulations are violated, it triggers a loss of patient trust, as well as severe financial penalties, Klickstein said. As a result, Cambridge Health Alliance is very conscious of these cloud security issues when working with providers, and looks closely to see how reliable and secure the platform is.

And, of course, alleviating these data security, privacy and compliance concerns more than likely will not come cheap. Even with the numerous benefits of the cloud, choosing which platform is best is still, ultimately, a business decision — and is treated as such.

“If the cloud was providing me with all the things that I feel we have to have for controlling my data center and my environment and they can do it more cheaply, that would be a terrific thing,” Klickstein said. “If there is a risk of doing that and it’s going to cost me three times as much, then do the math.”

Speaking of cloud-related business, a recent blog post from examined the possible investing possibilities when it comes to the cloud. While the bloggers state that there are many investment opportunities, there are still many questions around cloud security issues. Successful investing in cloud computing will require a thorough understanding of the technology and any potential regulatory issues that may surface, they added.

The phrase “potential regulatory issues” is interesting. One has to wonder, with increased cloud use, if we’re one major cloud security breach away from government-induced, cloud-specific regulations. After all, these regulations are usually not on the horizon until something goes wrong. It’s good that at least some companies are paying attention, and being proactive about the potential cloud security issues before they arise.

August 30, 2012  5:00 PM

White House releases directives for Obama record management initiative

Ben Cole

We’ve been talking a lot about records management here at this summer … perhaps President Barack Obama is a fan? Probably not, but last week the White House announced key dates and directives regarding his “Presidential Memorandum — Managing Government Records,” first unveiled in December 2011.

The directives were released in an Aug. 24 memo from Jeffrey D. Zients, acting director of the Office of Management and Budget, and David S. Ferriero, archivist at the United States National Archives and Records Administration.

“This Directive requires that to the fullest extent possible, agencies eliminate paper and use electronic recordkeeping,” Ferriero and Zients wrote in the memo. “It is applicable to all executive agencies and to all records, without regard to security classification or any other restriction.”

The goal of President Obama’s record management initiative is to “develop a 21st-century framework for the management of Government records.” Under the initiative, by the end of 2019, all federal agencies’ permanent records will be managed electronically to the “fullest extent possible.” The president has said the framework will ultimately reduce government costs and help agencies operate more efficiently, as well as improve federal transparency by better documenting actions and decisions.

Some other key dates that federal officials should mark on their calendars:

  • By Nov. 15 of this year, each agency should name its “senior agency official” who will oversee its records management program.
  • Although federal agencies have until 2019 to move records to an electronic format, they must have plans for how they will do so completed by Dec. 31, 2013.
  • Agencies must have records management training in place for appropriate staff by Dec. 31, 2014.

In a blog post following the memo’s release, Ferriero called President Obama’s record management strategy a “historic moment” that will “allow current and future generations to hold their government accountable and to learn from the past.”

Ferriero is correct — President Obama’s records management initiative is a step in the right direction for modernizing the federal government’s data management processes (although one does wonder why it took this long). As we have explored here recently at, sound records management can have many positive implications for entities: When done correctly, it can help boost the bottom line and aid adherence to compliance standards.

There no doubt will be, however, many data governance challenges to overcome as the initiative moves forward. The sheer complexity of federal records, coupled with their sensitive nature that necessitates proper security protocol, will no doubt cause hiccups for at least some agencies along the way. While 2019 sounds far off, it’s probably a good thing the fed has until the end of the decade to complete this initiative.

August 10, 2012  6:36 PM

As IT reliance expands, data management and security lapses loom

Ben Cole

Data management and security could create huge problems in our increasingly connected world, as two recent events have made evident: Earlier this month, a Knight Capital computer program unleashed a series of erroneous stock orders that resulted in a $440 million loss for the trading firm. Last week, journalist Mat Honan described at length how hackers, taking advantage of security flaws at Apple, Amazon and Gmail, completely wiped several of his Apple devices and commandeered two of his Twitter accounts.

The two events show that data management and security are taking a backseat as businesses and consumers strive to stay connected. The New York Times reported that Knight Capital rushed to develop the faulty software to take advantage of computer-driven markets and failed to work out problems with the system. In his frank, detailed description of the events that led to his “epic hacking,” Honan admits he is very much to blame for his inattention to security. But he also notes the apparent IT security disconnect that people — and corporations — often forget when technology is used across developers and platforms.

“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information,” Honan wrote. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.”

At least some are paying attention to the potential risks: Apple announced it had stopped allowing over-the-phone password resets, and Amazon announced fixes to its security policies after Honan’s hacking went public. In response to the Knight Capital debacle, SEC officials are pushing for new regulations around trading technology.

But more consumers and businesses need to realize these data management and security concerns are not going anywhere — and will likely get worse unless they take the necessary steps to protect themselves. In the struggle to stay ahead of the next guy when it comes to the latest IT gadgets and tools, security should stay a primary concern or, as Honan and Knight Capital can attest, more will suffer the personal and financial consequences.

June 22, 2012  4:24 PM

Prepare for the inevitable: Developing a data breach response plan

Kevin Beaver

Are you prepared for the inevitable? Odds are it’s merely a matter of time before your business experiences a computer security-related breach and you need a solid data breach response plan. How are you going to handle the situation? Especially if you’re a smaller business, your IT resources probably are minimal. But even your outside resources might not have the expertise to help when you’re in a data security bind. In today’s connected world, there’s a lot that can go wrong when it comes to technology.

Before the bits hit the fan, you need to understand what a breach really means to your business. What it means depends on the industry you’re in and the contracts and compliance regulations you’re held accountable for. Regardless of the type of sensitive information that’s exposed (credit cards, Social Security numbers or intellectual property, for example), you need to define what a “breach” means for your company so you’ll know when to enact your incident response plan. It might be a malware infection, a defaced website or a lost laptop. You also need to remain aware: Data breach statistics show that someone else probably will notify you before you even know about the breach.

Once you do discover a breach, your data breach response plan should allow you to respond quickly and wisely. You can’t just restore a system from backup, or sweep a loss or theft under the rug. You’re going to have to dig in deeper to see what actually happened (by hiring a forensics expert, for example, or calling law enforcement or hiring a technical resource to help), and determine any additional steps you might need to take. These include the way you will pursue the culprit and notify the affected parties based on what the data breach notification laws require.

Going forward, be smart about how you address the breach. That’s what regulators, business partners and customers (and their lawyers) are going to be looking at. Don’t expect perfection — but you do need to keep good notes on what has been done already, what you plan to do to remediate the problem and how you’ll prevent it from reoccurring.

Perhaps most importantly, get your lawyer involved. Even if he’s not tech-savvy, he needs to know about the data breach laws, the compliance regulations you face and how the breach affects your existing contracts.

In other words, don’t just react — respond. Being prepared is the best way to not drop the ball on incident response. When it comes to computers, business applications and sensitive information, something is bound to happen — eventually. This is true regardless of the size of your business. Even if you think you’re not a target or at risk, you are.

An employee is going to lose an unsecured smartphone — even though policy mandates that all smartphones are to be password-protected and that no business information should be stored on them. A contractor is going to lose an unencrypted backup tape — even though your contract says that all media shall be encrypted and transported securely via a third-party service. A cloud provider is going to overlook a SQL injection hole in their system — even though they passed their SAS 70 or SSAE 16 audit with flying colors.

When you prepare for the inevitable with a data breach response plan, you can respond to these problems and more in a professional way, and minimize the impact on your information systems. This should be your ultimate goal.

May 29, 2012  3:47 PM

Planning, foresight needed to address long-term compliance strategy

Kevin Beaver

Remember the law of inertia from physics class? It says that a body at rest tends to remain at rest unless acted upon by an outside force. Well, compliance is that outside force when it comes to information security strategy. Over the past decade, I’ve seen many businesses remain complacent when it comes to information security until they’re forced to pay more attention in the name of compliance. They end up spending a few months documenting policies, tightening passwords, creating antivirus processes and, voila, the business is compliant. And secure, right? Well, not really.

A question in the recent Ponemon Institute State of Global IT Security survey asked nearly 1,900 participants in 12 countries, “Are you taking appropriate steps to improve your organization’s information security posture…If no, why?” The No. 1 answer was “insufficient resources” (39%), followed by “not a priority issue” and “lack of clear leadership.” This begs the question: If information security strategy is being undervalued and overlooked, then how can these businesses possibly be compliant? There’s hardly any business I’ve seen that’s not required to comply with an information security-related regulation either directly or indirectly. I’m confident you could ask most executives how their IT governance program is working and they’ll proudly say “we’re compliant.” But compliant with what?

To me, there’s the good, the bad and the ugly side of compliance strategy:

  • The good: Solid control, visibility and automation are present. These traits facilitate not only compliance but also help manage information risk.
  • The bad: Duplicated technical controls, multiple sets of policies/procedures and overlapping security evaluations that only make it appear that work is getting done.
  • The ugly: When management and other key players assume that compliance strategy has created a strong, impenetrable infrastructure.

With compliance, you don’t need to spend a ton of money completely revamping the way you do business, but you do need to be mindful of what’s at stake so you don’t end up at the back of the herd. Speaking of which, there’s the spirit of the law and the letter of the law, and savvy executives and their legal counsel will likely focus on the former. Odds are the businesses that strive for perfection will end up wasting time, money and resources on compliance strategy. Still, there are many businesses in operation today that have yet to even acknowledge they have a problem, much less have developed a plan for how they’re going to move towards any semblance of reasonable IT governance.

Most importantly, make sure you’re addressing compliance for the long-term benefit of the business rather than to simply complete a one-time checkbox and move on. Sadly, too many people are doing the latter, and the long-term consequences will eventually be evident. Don’t fall into this trap.
