Measurement is indispensable to a successful governance, risk, and compliance program, said Scott Mitchell, chief executive officer of the nonprofit Open Compliance and Ethics Group, who spoke Wednesday at the Compliance Week 2007 conference in Washington D.C. “If you want people to pay attention to something, measure them on it,” Mitchell said. “It sends a […]
Todd Neff
Effective Access Control: Communication, Simplicity
The need for a fancy identity-management system to control access to IT systems depends on how big and complex you are and how much pain your company can take. Linda DiPaola, with less than 500 employees to track, does just fine without any system at all. DiPaola, director of internal audit at Empire Resorts, a […]
Battling The Wide World Of Data Breaches
There is no “typical” data breach and, unfortunately, no simple set of steps exists to secure an organization’s critical information, according to a study of 345 U.S. data breaches reported in the year ended April 1. But companies that pay attention to technology, process and people—“the proverbial whole matrix of security,” as Howard Schmidt, […]
Could IT Spot Backdating? Experts Say No
With hundreds of companies under investigation in the ongoing stock option backdating scandal and billions in shareholder wealth up in smoke as a result, one would think the seemingly straightforward, inexpensive solution of time servers—computers to track and confirm when an option is granted—would catch on. It isn’t, say auditors, attorneys, and even time-server makers […]
Retailers Feel Pressure For PCI Compliance
It’s amazing what the carrot of $20 million in incentives—or the stick of millions in potential fines—can do for an IT-security standard. On Dec. 12, 2005, Visa USA announced that it would either handsomely reward or seriously punish scores of major banks and card processors, depending on how well they prodded 1,200 U.S. retailers to […]
GAAP For IT? Conflicting Standards Abound
If compliance is from Mars, then IT security is from Venus. Take Sarbanes-Oxley compliance as an example. The law makes clear that a corporation’s financial information shall be secure, but it says nothing about exactly how a company is supposed to achieve security in the IT realm. At the other, far more verbose end of […]
Who Are You? ID Management Under SOX
Once upon a time, managing identities was a snap. Corporate IT infrastructure consisted of a single, hulking IBM mainframe with a relatively specialized group of back-office users who were either logged on or not. If line employees or managers had computers at all, they were used for word processing and spreadsheets, and people “networked” machines […]
Battling The Online Threats To SOX Compliance
Once upon a time, compliance executives didn’t need to worry about the big bad Internet all that much. In the old days, protecting corporate data meant not losing floppy disks or reels of tape. And as corporate networks cropped up in the 1990s, IT security went medieval, erecting the digital equivalent of ramparts and moats […]
Taking A Total View Of Records Retention
As with many things Sarbanes-Oxley, barrels of ink were used to describe the law’s effect on records management until about 2003. Then there was relative silence—as if Sarbanes-Oxley somehow went away, or was revised with a giant “never mind” with respect to record retention. The impression is misleading. SOX is far from the only compliance […]
