Thursday, August 25, 2005

Focus on Ethics

MANAGING COMPLIANCE STANDARDS


Aug. 25, 2005
Compliance no longer means following mechanical rules. It involves doing the right thing, and that makes the process more complicated, on several levels.
Also in this Issue
IT Has Become an Offensive Weapon for Business
Hacking Fears Spark Power-Plant Security Clampdown
New York Enacts Security Breaches Disclosure Law
 
Top Insights

Sarbanes-Oxley Compliance Journal: All corporate projects involve the elements of people, process and technology. But when it comes to Sarbanes-Oxley compliance, too many companies are emphasizing processes and technologies at the expense of people, according to this author. Adherence to the letter of the law may not actually achieve compliance, he says. The underlying demand of the statute is to create an atmosphere of ethical conduct within an organization, a task that requires strong leadership.
ZDNet Australia: Martin Laing, chief information officer for Societe Generale's Australian branch, says CIOs should use the tactics of Fear, Uncertainty and Doubt to convince senior management to invest in security. While senior management may be aware of the risks to their information infrastructures, they often do not fully understand the damage that a breach in security can cause a business. Fear, Uncertainty and Doubt can also motivate board members to take direct action to mitigate risks. Operational risk management is too important to the bottom line to be considered a purely IT issue.
 

Reuters: Universities may rival financial institutions as attractive targets for identity thieves, thanks to the huge databases they maintain. Half of the data breach incidents since the beginning of 2005 occurred at universities, according to the San Diego-based Identity Theft Resource Center. Besides the plethora of computer equipment filled with sensitive data, universities also provide a rich pool of financially naive students. Diverse technological systems and independent departments make controlling security breaches all the more challenging. The University of California at San Diego has begun educating users on the dangers of keeping unencrypted files on their computers and the need to maintain security patches.
 
I, Cringely: The corporate scandals of the last few years have prompted governments in the United States and abroad to enact legislation designed to counter the possibility of future abuses. Many of these regulations require that companies must store increasing volumes of digital information. Storage has become cheaper, but this author posits that many companies, especially small and mid-sized enterprises, are cheap, lazy and not in compliance with these various laws. The end result could be that larger organizations will be able to acquire these non-compliant entities for a song. After all, regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley have created the anomalous situation that victims of data theft become criminals themselves. Officers and directors of non-compliant organizations are more likely to hand over the keys to the executive suite if the alternative is doing hard time in prison.


GovExec.com: Privacy groups are asking the Federal Communications Commission to reject a proposal from the Justice and Homeland Security Departments that would allow the Justice Department to eavesdrop on cell phone calls and Internet surfing by airline passengers. The Justice Department wants to record electronic activity without a court order, identify users by seat number, and automatically interrupt or shut down communications. The Center for Democracy and Technology and the Electronic Frontier Foundation argue that the FCC lacks jurisdiction to address the constitutional, privacy and civil liberties issues involved and that compliance would overburden industry.

Government Technology: The nation's governors say they are committed to increasing the security of driver's licenses and state identification cards, but are concerned about the costs involved in complying with the federal Real ID Act. That law requires the states to beef up the security and integrity of the driver's licenses they issue, making them de facto national identification cards. They say the act includes unreasonable burdens and unfunded mandates that are unworkable and counterproductive. They also wonder whether the 227 million driver's licenses and ID cards already issued will need to be re-issued and what the costs for that operation will be. The National Governors Association is urging Congress to fund the changes required in the Real ID Act.

Congressional Research Service: Disrupting the financing of terrorism is one component of the U.S. counterterrorism strategy. The Bush administration has implemented a three-tiered approach to interrupting the flow of funds to terrorists, based on intelligence and domestic legal and regulatory efforts, technical assistance to U.S. allies, and efforts to create international norms and guidelines. Effective implementation of this strategy requires the participation of, and coordination among, several elements of the U.S. government. This report provides an agency-by-agency survey of these efforts.


3 QUESTIONS:
Risk Management Is Not Compliance

With Bill Sharon, CEO of Strategic Operational Risk Management Solutions. Sharon has developed operational risk management processes at JP Morgan and an Operational Risk Management practice at Price Waterhouse.

Question: You have written that risk management has become increasingly incorporated into compliance functions. What's wrong with that?
Sharon: The job of compliance is to focus on Sarbanes-Oxley, Basel II and other such regulations to make sure the company is not breaking the law. I'm astonished when I see ads for senior risk managers that say part of the job is to make sure the company is in compliance with the law. Unless you're in organized crime, how can there be a risk management function that doesn't involve obeying the law? American Express took risk management and put it in audit. My question is, who is auditing risk management? The compliance function is essential to any business. But risk management needs a separate management methodology that determines whether given strategies and activities support the business.

Question: What are the dangers of confusing compliance with risk management?
Sharon: The compliance function involves staying out of trouble. Risk managers are supposed to be looking at the company's business strategy, let's say, penetrating certain markets or developing alliances with certain companies, and determining what capacities the company needs to accomplish these goals, who will be responsible for making progress on these goals, and how the strategy is to be monitored. If risk management and compliance get tied together, you're going to lose your audience with senior managers. They understand the audit function and they understand about managing risk, but if you have auditors tell managers what risks to take, you're likely to take the upside out of taking risks. Focusing on the upside of risk should be at the core of what risk managers do, and it is essential for a company to remain competitive. If risk management becomes synonymous with staying out of trouble, you'll never do anything because anything you do can potentially get you into trouble.

Question: What are the downsides to compliance and risk management if the two are mixed together?
Sharon: The benefit to be derived from compliance involves maintaining proper standards. But there is a difference between that and having an organized way of evaluating risk to advise on business goals. There hasn't been enough effort in the second area because it has been lumped into the first area. That's not good for compliance because you have the fox watching the henhouse. It's not good for managing risk because compliance doesn't help you attract new clients and make more money. At the end of the day, Sarbanes-Oxley compliance is about financial transparency. Maintaining internal standards and controls should be the price of doing business in the first place. That's not going to make your business competitive or profitable. Compliance processes may enable a business to cut costs. But you can't cost-cut your way into profitability. Cost cutting is just one element of the efficiency that is required to make a company truly competitive.

 

By the Numbers

50 percent
Share of Americans who support introducing a national identity card, versus 32 percent who oppose the idea, according to a study by TNS and TRUSTe.
Source: FCW.com

82 percent
Proportion of business managers surveyed by nCipher who said they would be encrypting stored data within the next 18 months.
Source: Techworld

40,000
Number of identity theft cases reported in the United Kingdom in the first half of 2005.
Source: silicon.com

Breaking Headlines

silicon.com: The recently enacted federal energy bill mandates that the Federal Energy Regulatory Commission create an electric reliability organization that would issue cyber security standards for power systems operations. Suspicion that cyber attacks may have already compromised energy systems has increased awareness of the potential danger. In 2003, the Slammer worm may have contributed to a number of power plant failures. The increase in remote management of power systems has made them more vulnerable to attack as they are linked into private networks and the Internet. Some power grids already follow voluntary guidelines of the North American Electric Reliability Council.

FCW.com: The outgoing CIO of the Federal Aviation Administration says that government agencies must make cybersecurity the focus of IT planning. For example, the projected 15-year, multibillion-dollar FAA Telecommunication Infrastructure incorporated cybersecurity into the bidding process, says Dan Mehan. Mehan also called for a quantum leap in the structure of the network backbone, with such advancements as adaptive quarantine, situational awareness and automated recovery. The Department of Transportation, of which the FAA is a part, jumped from a D+ on its cybersecurity report card to an A-, despite concerns over the FAA's air traffic control computers.

International Herald Tribune: Some of the world's best hackers networked with federal agents at a recent Las Vegas conference and exchanged ideas about making the Internet more secure. This year's hot topics included a demonstration on attacking biometric safeguards used by some banks, supermarkets and airports. Robert Morris, former chief scientist at the National Security Agency, warned of vulnerabilities in bank teller machines. He said thieves have been able to seize people's bank cards and find out their passwords by changing the software in old ATMs bought through eBay for as little as $1,000 and placing the machines in public venues.

Emerging Trends

The Register: Following a trend seen in other jurisdictions around the country, New York State has enacted a law requiring the disclosure of information breaches. Under the Information Security Breach and Notification Act, companies and government agencies are required to notify customers if personal information has been stolen or their systems have been hacked. The legislation is designed to help protect consumers by providing them with information to forestall possible identity thefts. Organizations with customers in New York are obliged to notify these people of a breach as soon as practically possible. The New York law is similar to the data security breach law enacted in California more than two years ago.

FCW.com: Fifty percent of Americans favor the introduction of a national identity card, while 32 percent oppose it, according to a study by TNS and TRUSTe. Most Americans also favor adding biometrics to documents such as passports, Social Security cards and driver's licenses. Fingerprints were favored for biometric identifiers, followed by iris scans, hand geometry and DNA. Many respondents were concerned about the costs of biometrics, security, and the potential for government abuse. Respondents were less accepting of biometrics in private sector identity cards, but most favored adding the technology to credit and debit cards. A survey of Canadians yielded similar results.

TechWeb: Forty-two new viruses threatening corporate computers through employee use of public instant messaging networks were discovered in July, an increase of 24 percent over June, according to the security firm Akonix Systems. April 2005 yielded the highest number of new threats at 48. The Rants virus is of particular concern, having been found on two IM networks. Akonix started seeing multi-network viruses in April; since then several more have emerged. Akonix says virus writers are broadening their pool of potential targets.

IT Business Edge: Managing Compliance Standards
Issue 34, Vol. 2
DISCLAIMER: At the time of publication, all links in this e-mail functioned properly. However, since many links point to sites other than itbusinessedge.com, some links may become invalid as time passes.
This e-mail is sent by: NarrowCast Group, LLC, 124 N. First St., Louisville, KY 40202
Copyright ©2003-2005 NarrowCast Group, LLC. All Rights Reserved.

About the Editor

Peter Buxbaum has been writing about business, technology, and law for 12 years. He has published over 1,000 articles in publications such as Fortune, Forbes, Chief Executive, Computerworld, InformationWeek, and dozens of others. He earned a law degree from Temple University, studied economics at Columbia University, and taught seminars in international business at Penn State University.
He can be reached at editorial@itbusinessedge.com.
   
 
   
