Tag Archives: governance

Implementing PCI-DSS: The top five issues to consider – Print Article – SC Magazine US

Implementing PCI-DSS: The top five issues to consider

John Linkous, IT governance, risk and compliance evangelist, eIQnetworks. December 22, 2008

Talk to anyone who works for an organization that accepts, processes or even looks at a credit card, and the three letters “PCI” strike a chord of fear that is rarely seen in the IT world. While it’s true that the PCI standards – and specifically the Data Security Standard (DSS) – are rigorous mandates that require experienced security professionals to implement and maintain, achieving PCI compliance is not really rocket science. The following is a list of specific issues to consider related to PCI-DSS. This should help ensure that organizations can not only meet the letter of PCI, but actually make their systems more secure:


Implement a security program. Achieving and maintaining compliance with PCI-DSS are two different things. While most of the controls defined in the PCI-DSS standard are technical configurations for hosts and infrastructure devices, organizations are required to maintain these configurations once they are in place. To make that happen, organizations need at least rudimentary security processes in place to ensure that access controls are maintained, anti-malware and other countermeasures are kept up-to-date, and vulnerability assessments are conducted on a regular basis. Without a series of information security processes in place to manage security controls, it’s very easy to fall out of compliance.

Know your assets. The chain of custody around credit card data is one of the most common examples of the lowest common denominator approach to security – the weakest link dictates the likely vector of a malicious attacker. Because a typical credit card payment process can involve many different systems, it is critical to know the information systems that are part of that process, their role, and to what degree (if any) they are exposed to any part of credit card data. If an organization doesn’t have adequate security controls in place on all of these systems, they are at a higher risk of compromise.

Build and maintain a documentation library. Hand-in-hand with knowing what you have is knowing how you manage it. Documentation of all kinds – product and vendor-provided documentation, device configuration worksheets, security processes and procedures, and lists of personnel who have access to PCI data – will all be required as part of the audit process. Having up-to-date information available both for your security program personnel and your external auditors is critical to ensuring that you both maintain security and maintain compliance (which are two separate disciplines).

Awareness and training are crucial. Unfortunately, all of the technical controls in the world cannot stop an employee from inappropriately disclosing or handling cardholder data. While it’s important for organizations to implement technical controls per the PCI-DSS standard, it’s also vital that everyone who has access to cardholder data understand their roles and responsibilities related to the security of data. This includes everyone from point-of-sale personnel who physically touch the card, to DBAs and application developers who manage PCI processing systems, to third-party vendors who have access to limited cardholder information. This requires periodic training, and holding employees, contractors and vendors responsible for their exposure to the chain of custody of PCI data.

Your auditor is your friend. PCI-DSS auditors – both qualified security assessors (QSAs) and approved scanning vendors (ASVs) – exist primarily to ensure that your systems are reasonably secure. While the idea of an external auditor coming on-site to your organization to probe your IT assets and question your personnel may seem like a stress-inducing event, the fact is that even if findings are discovered in your environment, addressing these findings will make you more secure. It is important to challenge your QSA or ASV if they discover findings that you believe are incorrect, but similarly, it is equally important to listen to your auditor and address legitimate security gaps.

via Implementing PCI-DSS: The top five issues to consider – Print Article – SC Magazine US.

The Forrester Blog For Security & Risk Professionals


Thomson Reuters Gets A Jump On Holiday Shopping, Acquires Paisley


Keep an eye out in the next week for Forrester’s GRC Trends 2009 report, which will take a look at how a decidedly rocky end of 2008 will impact those responsible for various aspects of corporate governance, risk management, compliance, audit, and finance… as well as the product and service firms that serve them.

One trend that we call out in the report is the impending consolidation of the GRC technology landscape, which is a top-of-mind issue for many leading vendors in the space.

Wednesday, Thomson Reuters got an early start on this trend with a definitive agreement to purchase Paisley. A leader in the GRC platform and audit management markets, Paisley will be a strong addition to the company’s Tax and Accounting group.

Concern among businesses about their risk management practices and impending regulatory actions will be a major driver for growth in the GRC market, and considering this significant potential, we expect other attractive acquisition targets in the space to be scooped up over the next 12 months.

The Forrester Blog For Security & Risk Professionals

NextGov.com – Melding Security

With computers now controlling critical assets, it’s more important than ever for cyber and physical security managers to work together.

Linda Wilbanks can’t fire a gun, but as chief information officer at the Energy Department’s National Nuclear Security Administration, she’s working with executives to ensure nuclear materials don’t fall into the wrong hands. Why is the CIO involved in keeping nuclear materials secure? “Somewhere along the line, there’s going to be IT controls” involved, Wilbanks says.

The distinctions are disappearing between securing physical assets like radioactive material and securing information stored on laptops and in networks. Computers have become the de facto mechanism for controlling critical infrastructure. Networks manage not only sensitive data but also the operations of everything from generators to water pumps to nuclear reactors. Many of these systems are accessible through the Internet, which means agencies run the risk of a hacker shutting down operations or a catastrophic failure.

“There are many overlapping components in IT security, cybersecurity and physical security,” says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. “More recent is the desire of our opponents to exploit those [overlapping components] and use them against us by bringing down our critical infrastructure remotely.”

In March 2007, researchers at the Idaho National Laboratory demonstrated to the Homeland Security Department how they could go online to hack into the programs that control the operations of a generator and manipulate settings so it would self-destruct. The scene of a generator shaking, spewing steam and then breaking down sent shock waves through governments and corporations.

DHS later developed the National Infrastructure Protection Plan and strategies for each economic segment to provide a coordinated approach to protect networks that operate critical infrastructures in the areas of finance, transportation and utilities.

The U.S. Computer Emergency Readiness Team’s Control Systems Security Program coordinates infrastructure network protection, offering resources such as a control system cybersecurity self-assessment tool, a curriculum for security training and recommended practices. But agency needs vary, influenced largely by the type and sensitivity of assets. Best practices focus on comprehensive risk assessment, collaboration between those responsible for the security of physical assets and IT, and a governance structure that ensures the managers in charge aren’t the weak link.

“[Physical] access restrictions to a particular asset are not good enough if you’re also giving all employees access to its networked control system,” says Robert Jamison, undersecretary for DHS’ National Protection and Programs Directorate. “Agencies have to understand that if they have control systems or physical assets that are connected to a network that is connected to the Internet, there is inherent risk.”

In theory, if CIOs conduct risk assessments, as required under the 2002 Federal Information Security Management Act, then protecting physical assets shouldn’t add much work, if any. FISMA requires agencies to determine the risk if a hacker gained access to their information systems. Each system is assigned a level of risk – low, medium or high – and then the agency determines which security controls to apply.

If an agency deems an asset high risk, it should do as much as possible to shield the system from access. At the National Nuclear Security Administration, IT systems that link to sensitive control systems are housed on the agency’s highly classified red network, which is not connected to the Internet. NNSA has classified one of its two other networks as yellow, because it connects semiclassified IT systems and includes extensive access controls. The agency has classified the third system as green, because it connects nonclassified systems and manages information delivered to the public Web site.

To provide guidance on how to assign risk to systems, the National Institute of Standards and Technology released Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories.”

“The NIST process is absolutely superb,” says Marian Cody, senior information security officer at the Environmental Protection Agency. “What I don’t see, however, is the same bible for those who handle physical security. . . . You have to know what you have, and then you have to know the associated risk so you can figure out how to protect it.”

NNSA launched its network infrastructure classification this spring, almost a year after an employee at Los Alamos National Laboratory entered a protected vault and saved on a flash drive information on underground nuclear weapons tests that was stored on a classified computer server. The employee printed more than 200 pages of documents to work on them at home.

“In that case, it was shortcomings in physical and cybersecurity,” Wilbanks says. Access to the server was not protected properly, allowing the thumb drive to be attached and data to be downloaded, and gates that block access to computer servers were not locked. Now cybersecurity managers work with managers in charge of physical security to conduct inspections of the labs and infrastructure. The team spends four hours a week walking through facilities to check security.

Physical security has long been isolated from IT at federal agencies, and changing that can be hard. But some agencies like NNSA have changed their reporting structure to ease collaboration between the physical and cyber worlds. Wilbanks reports to the deputy administrator of NNSA, whose office collects data on new assets that facilities commission. At NRC, the CIO also carries the title of deputy executive director for corporate management, which oversees physical assets.

“There’s alignment that allows closer coordination and cross fertilization,” Howard says. “It’s new, but it’s clear that it will be advantageous to have that level of integration that provides both sides a seat at the same table. We can learn to speak a common language.”

NextGov.com –.

ITWeb :PCI standards must be adopted

PCI standards must be adopted

BY AUDRA MAHLONG , JOURNALIST

[ Johannesburg, 26 November 2008 ] – Symantec has called on South African businesses to widely adopt the Payment Card Industry (PCI) Data Security Standard as a way of improving card security.

Compliance is an essential part of risk management, says Errol Rhoden, IT governance, risk and compliance solutions manager for Symantec emerging region.

“The reality is that companies lose out if they don’t prioritise governance and compliance. The financial implications are huge, with companies which don’t comply with standards receiving tremendous fines. There are also general financial losses which should be considered.”

Currently, organisations which deal with credit card payments have to show compliance with the standard, while finding solutions to challenges such as data breaches and the growing impact of cyber crime.

“The underground criminal activity is growing and becoming more effective. There are also activities, such as corporate warfare, where there are attempts to damage companies’ reputations by other companies or individuals,” explains Rhoden.

He believes the data security standard needs to be willingly adopted by companies to ensure it works effectively, saying: “The standards which guide companies on governance policies need to be accepted by industry. It is a business standard and not a government standard. So it cannot be forced on anyone. Companies need to see the benefits of adopting this.”

Firms that adopt the standard and fail to comply will face fines, to be determined and enforced by banks or similar bodies.

“The South African situation is different as regulations are different, and this has impacted on the slow adoption of the standard. Something like the fact that banks are not required to send notifications to customers if there is a security breach in their account, will definitely be impacted by the standards.”

The standard will be adopted in SA in February 2009, with plans to ensure all industries involved in card payments are fully compliant in September 2010.

ITWeb :PCI standards must be adopted.

Building an IT Governance Foundation – Baseline

While organizations have similar goals such as controlling costs and achieving data consistency, IT departments across government, corporations and nonprofits operate differently. IT management needs an overarching governance model like CobiT, ITIL, CMM and Six Sigma to ensure that investments in technology generate business value and mitigate risks.

Information technology governance defines the overall structure, policies, processes and relationships necessary to provide the desired level of standardization and consistency across an IT organization. It encompasses systems, performance measures and risk management procedures, helping organizations make informed decisions about their operations and investments. While organizations have similar goals—such as controlling costs and achieving data consistency—IT departments across government, corporations and nonprofits operate differently.

Even after a rigorous focus on compliance initiatives—and the widespread acknowledgment that large-scale, complex, strategic IT projects commonly progress beyond scope and budget without due attention—standardization around IT governance models is still being sought.

When organizations are examined and their use of best-practice disciplines is polled, a number of frameworks and standards for varying aspects of IT operations are found. These frameworks typically include:

* IT Infrastructure Library (ITIL), developed by the United Kingdom’s Office of Government Commerce, focuses on service support and service delivery.

* ISO/IEC 27001 (ISO 27001) consists of a set of best practices to implement and maintain an information security program.

* AS8015-2005 is the Australian Standard for Corporate Governance of Information and Communication Technology.

* Capability Maturity Model Integration focuses on software engineering, people and implementation.

* Balanced Scorecard is a strategic planning and management system used to align business activities to the organization’s vision and strategy.

* Six Sigma is a manufacturing-based system focusing on quality assurance.

IT management needs an overarching governance model to ensure that investments in technology generate business value and mitigate associated risks. The model should also provide a common language for IT and users, enable more focused planning, and create a level of standardization, consistency and predictability.

First published in 1996, Control Objectives for Information and Related Technology (CobiT) provides a set of generally accepted best-practice objectives to help maximize the benefits derived through IT use. It further aids in developing appropriate IT governance and control in an organization. Managed by the Information Systems Audit and Control Association and its research body, the IT Governance Institute (ITGI), CobiT became the IT governance standard against which auditors measured process and control maturity in support of compliance with the Sarbanes-Oxley Act of 2002.

CobiT provides a control- and objective-based foundation upon which decisions and investments can be based. These include defining a strategic plan; defining the information architecture; acquiring the necessary hardware and software to execute a strategy; managing projects; ensuring continuous service; and monitoring the performance of the IT system.

This is achieved by providing tools to assess and measure the performance of 34 high-level processes that cover 214 control objectives, which are categorized in four domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. By implementing processes and procedures supporting the CobiT objectives and identifying and monitoring associated controls, users and auditors will recognize greater reliability and performance throughout the enterprise.

Building IT Governance: Overcoming Challenges

Throughout IT organizations, common themes are described as areas of opportunity: improve project planning and investment; increase collaboration and information sharing; facilitate effective communication and transition across the lifecycle; control cost while providing efficient operations and support; enhance service delivery; and improve security. These themes are usually approached as individual programs or are carefully orchestrated as an overarching organizational transformation related to technology operations.

Certain areas, such as security and managing data across an enterprise, require heavy investment and monitoring. These are also areas that auditors commonly spend time scrutinizing and directing change for heightened control.

When remediation is essential, reactive solutions are typically implemented. Though necessary, these solutions can be costly and inefficient. Once a baseline is set, however, and the auditors leave, it is far more efficient for IT management to proactively design and support an improvement plan with cross-functional reach. The CobiT model can help with this.

By understanding the four domains and the underlying process areas, IT management and staff can begin communicating from a common frame of reference. Leveraging the CobiT toolkits, IT management can promote a standard set of metrics, process structures, improvement plans and self-assessment mechanisms. This allows each area to initiate, report and monitor in a similar fashion.

In almost every change-management or operational-improvement approach, stakeholder involvement is critical, yet this is often where things fall apart. Think how many project managers ask for executive stakeholder meetings to communicate issues and detailed plans. Now ask how many IT managers have enough time to devote to such detail. The answer would be “very few.”

With an understanding of CobiT and having a common approach to managing and measuring processes, IT management will have an informed understanding of the objectives to be achieved. This understanding allows IT management to focus on the actions that require their attention, enabling the program to stay on track based on meaningful risk and opportunity reviews.

The ITGI CobiT 4.1 framework document describes the four domains and their relationships and lists the related process areas. The relationships can help IT management focus on areas of opportunity or risk.

Plan and Organize (PO) provides direction to solution delivery (AI) and service delivery (DS); Acquire and Implement (AI) provides the solutions and passes them to be turned into services; Deliver and Support (DS) receives the solutions and makes them usable for end users; and Monitor and Evaluate (ME) monitors all processes to ensure that the direction is followed.

A governance framework is worthwhile only if it is actually used; otherwise, it becomes a waste of money and a burden to the staff. To be effective, its language must permeate regular conversations among the leadership team and find its way into dashboards and documents.

By using CobiT tools, IT management can quickly assess strengths, weaknesses and opportunities. It can then reduce costs, improve the top-line, enhance customer service, or meet compliance and regulatory reporting by balancing risk mitigation and process improvement in a proactive fashion.

Building IT Governance: Collaboration and Support

As an example, one state government’s IT strategic planning group wanted higher levels of collaboration and a stronger sense of support. The sense of buy-in across multiple agencies would strengthen appropriation requests for strategic initiatives, allowing for economies of scale, including:

  • Solutions that address and automate inter- and intra-agency business processes
  • Smaller, more focused teams to drive progress more quickly
  • More statewide, standardized technology platforms and tool sets
  • Enhanced information sharing and increased reusability
  • Lower total cost of ownership for solutions.

To achieve its goals, the state government embarked on a more collaborative planning effort, beginning with an agency director approach. This top-down model was meant to align agencies having similar business-oriented goals and challenges. Facilitated discussion and collaborative decision making identified and defined capabilities that would help alleviate challenges in support of goals that could be met through technology. This transition—from business-driven need to technology-based capability—also allowed the agency directors to communicate more effectively with the IT directors.

The transition to technology occurred when enabling capabilities, such as business intelligence, were identified. More than 50 agencies were represented and more than 100 directors, chiefs of staff, and IT leads collaborated in the process to iterate balanced objectives and identify existing and new initiatives.

The state’s intent for the strategic planning process was a set of IT-oriented priorities that support state and agency business goals and can be translated into a set of recommended projects and budgets. With the iterative, collaborative process utilized, it was essential to be sensitive to time and competing priorities. In support of the process, the state established a legislative technology committee and formalized the agency director advisory committee.

The state’s approach—developing output for the framework—was designed to facilitate discussion and move quickly toward decisions in a collaborative fashion that built support and consensus.

Looking at CobiT’s Planning and Organizing domain, the very first process area is Define a Strategic IT Plan. This satisfies the business requirement for IT to sustain or extend the strategy and governance requirements, while still being transparent about benefits, costs and risks.

Another CobiT process area, Define the IT Processes, Organization and Relationships, has several applicable objectives. These include Defining an IT Process Framework, Establishing an IT Strategy Committee and Establishing an IT Steering Committee.

The state government achieved several CobiT objectives through its planning process, which had the goal of developing a long-term strategic plan—not overtly aligning with the CobiT framework. This is a model of success that other standard and framework maturity programs can learn from.

Building IT Governance: IT Governance Transformation

Enabling IT Governance Transformation

The steps enabling transformation—in the context of an IT governance, compliance or enterprise risk management initiative—describe a business process. Similar to any other business process, it must be documented, followed with discipline and improved with every iteration.

For a successful CobiT experience, always begin from a perspective of knowledge and leverage experienced support. Implementing an enterprise risk management, compliance or IT governance program is like any other transformation: It must have the support of a dedicated team to be successful.

Lessons taken from enabling organizational transformation hold true for an IT governance program to reduce cost and effort, while enhancing chances of success and building support across an organization. There are only so many tasks that one person or a group working part-time can push forward simultaneously.

For an IT governance effort to succeed, therefore, dedicated resources must be allocated, IT management must have a common understanding to allow for more focused decision making, and progress must not be predetermined by an arbitrary schedule, such as a quarterly earnings call.

PLAN AND ORGANIZE

  • Define a strategic IT plan.
  • Define the information architecture.
  • Determine the technological direction.
  • Define the IT processes, organization and relationships.
  • Manage the IT investment.
  • Communicate management aims and direction.
  • Manage IT human resources.
  • Manage quality.
  • Assess and manage IT risks.
  • Manage projects.

ACQUIRE AND IMPLEMENT

  • Identify automated solutions.
  • Acquire and maintain application software.
  • Acquire and maintain technology infrastructure.
  • Enable operation and use.
  • Procure IT resources.
  • Manage changes.
  • Install and accredit solutions and changes.

DELIVER AND SUPPORT

  • Define and manage service levels.
  • Manage third-party services.
  • Manage performance and capacity.
  • Ensure continuous service.
  • Ensure systems security.
  • Identify and allocate costs.
  • Educate and train users.
  • Manage service desk and incidents.
  • Manage the configuration.
  • Manage problems.
  • Manage data.
  • Manage the physical environment.
  • Manage operations.

MONITOR AND EVALUATE

  • Monitor and evaluate IT performance.
  • Monitor and evaluate internal control.
  • Ensure compliance with external requirements.
  • Provide IT governance.

Adam Nelson is director of management and IT consulting at Keane, a global IT consulting firm headquartered in San Ramon, Calif.

Baseline.

Inquiry Spotlight: Governance, Risk, And Compliance, Q4 2008 by Chris McClean – Forrester Research

Governance, risk, and compliance (GRC) continues to be a hot topic of interest for security and risk professionals. Between July 2007 and July 2008, Forrester’s security and risk management team received 1,798 inquiries on a variety of topics — 198 of which were from clients interested in GRC. Of the GRC-related inquiries recorded, 46% covered compliance best practices, 32% concerned GRC vendor selection, and 24% addressed risk management. Forrester doesn’t expect the focus on compliance to diminish drastically, but maturing companies are focusing more on how to manage a federated compliance program that encompasses all standards and regulations rather than managing separate initiatives for each. Inquiries about enterprise risk management and selecting comprehensive GRC management software platforms also echo the same trend toward maturity. Forrester recommends that professionals looking to adopt GRC programs begin by identifying where converging governance, risk, and compliance can provide greater efficiency and insight, and only then consider technologies that can support these benefits.

Inquiry Spotlight: Governance, Risk, And Compliance, Q4 2008 by Chris McClean – Forrester Research.

Hedge Your Bets: The Importance of IT Risk Management in M&A

Information technology (IT) is a critical component in achieving an M&A strategy; without effective IT risk management, the value of the deal could be threatened or even eroded. IT risk management is a multi-disciplinary undertaking that covers a variety of functional domains, ranging from data protection to change management (see “Common IT Risk Management Areas” below). It is also a multi-faceted and complex undertaking that entails consideration of a wide array of compliance requirements. As such, in a business environment with increasing emphasis on regulatory compliance, the role of IT risk management becomes more important as an enabler of the M&A strategy.

Many organizations need to demonstrate compliance with several overlapping requirements. A large financial company may need to meet Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI), the Health Insurance Portability and Accountability Act (HIPAA), and other mandates such as those from the Federal Financial Institutions Examination Council, the Office of the Comptroller of the Currency, and the Federal Trade Commission; a global transportation company may need to meet SOX, HIPAA, PCI, FTC, and European Union and Asia-Pacific Economic Cooperation data protection requirements. The effort to meet these regulations often further complicates the work of identifying an approach and developing a strategy to mitigate risks when consolidating or separating companies.

Although many of these regulations address similar requirements, such as data protection, access controls, transaction auditing, data availability and system monitoring, compliance with one set of regulations does not necessarily translate into compliance with another. The specifics of each set of regulations must be carefully evaluated.

Furthermore, international M&A transactions are likely to be much more complex than domestic transactions. In international transactions, companies must not only consider the regulatory compliance concerns noted above; they must also take into account the potential risks to corporate risk governance, employee data rights, customer data expectations, cross-border data flow, as well as the risk and compliance culture of the home countries of all entities involved in the M&A transaction. Failure to adequately address these factors could scuttle the transaction.

In this complex risk environment, IT risk management must be implemented effectively to address the myriad legal, regulatory, contract, and compliance requirements; otherwise, IT risk issues left unaddressed could fundamentally affect the overall M&A strategy and desired value creation.

Is the Loss of Business Value Real?
Based on Deloitte’s experience with M&A transactions, when IT risks, especially those risks that are compliance-driven, are not fully addressed, they can completely undermine the expected value creation of an M&A transaction. Generally, IT risk tends to impact M&A deal value in four primary areas: IT cost, EBITDA, technology, and regulatory and governance.

Examples of common IT risk issues that can have a serious negative impact on M&A transactions include:

  • Inevitable technology changes occur when disparate systems are combined, and these often delay system consolidation and increase the security and compliance risks of the existing systems
  • The combined entity creates a new state, federal, and/or global jurisdictional operating footprint that often faces potential regulatory and financial risk from the possible compromise of personally identifiable information (PII)
  • The list of IT assets assumed to be acquired during the financial due diligence process does not reconcile with the detailed IT asset inventory, which results in lost value transfer
  • Unclear legal rights over existing key applications and information often inhibit integration and/or separation of IT systems
  • Sensitive information cannot be identified and located, which impedes, and can completely halt, application and system integration and/or isolation
  • The merged entities have disparate access management systems but need immediate access to information, which often results in poorly consolidated systems that lead to segregation-of-duty conflicts and improper data access
  • Hidden liabilities in licenses and third-party contracts result in lost value and increased legal costs
  • Dated technology prevents customization and leads to lost business agility, opportunity and value

So, what is needed to minimize these types of risks from compromising an M&A transaction?

The IT Risk Management Framework
To mitigate the risks described above, M&A due diligence teams should incorporate a comprehensive IT risk management framework and readiness diagnostic into their planning and implementation efforts.

A sound IT risk management framework and readiness diagnostic has several key qualities. First, it is structured, risk-focused, and customizable to cover small and large organizations. Next, it helps translate information protection and technology issues into business risk impacts that will affect the overall M&A transaction. Finally, it helps address industry standards and regulatory requirements for each of the IT risk areas highlighted earlier in this paper.

The IT risk management framework and readiness diagnostic can be organized around five core components — integrated requirements, technology assessment, information assessment, business assessment, and risk quantification.

Integrated requirements establish the required IT risk management practices to be assessed during the M&A transaction. Assessment practices and criteria are established by identifying and aligning the applicable IT risk-related business requirements for each of the common IT risk management areas (see above). These should include:

  • Industry common practices (e.g. International Organization for Standardization (ISO) 27002, COBIT 4.1, Information Technology Infrastructure Library (ITIL), the American Institute of Certified Public Accountants' (AICPA) Generally Accepted Privacy Principles, etc.)
  • Laws and regulations (e.g. GLBA, HIPAA, EU Privacy Directive, CA SB1386, FTC Standards for Safeguarding Customer Information, etc.)
  • Industry standards (e.g. PCI Data Security Standard, BITS, etc.)
  • Acquiring and acquired organizations’ internal IT risk-related policies and standards for each of the common IT risk management areas previously mentioned

This particular IT risk management component is especially beneficial to organizations that worry about compliance questions such as "How does the new operating structure comply with SOX quickly?" By establishing and evaluating integrated requirements early in the IT due diligence process, the acquiring organization should already have identified the SOX-related requirements and their impact on the other organization's operations. Once the M&A transaction has been executed, the acquiring organization should be able to quickly apply its SOX control framework to the acquired organization and assimilate the various reporting entities into the new organization's compliance testing and reporting process.

A Framework for Value Protection

The technology assessment considers core technology development, licensing and integration issues. Generally, this assessment will consider:

  • Technology software and infrastructure vulnerabilities that may affect service levels
  • Capacity and scalability of key systems to satisfy business requirements
  • System backup and power issues that may cause business disruptions
  • Unsupported systems and code
  • Vendor-owned source code that is not available for changes
  • Vendor service-level adequacy
  • Non-favorable clauses in vendor agreements that would be affected by change in ownership
  • Termination of key employees
  • Loss of quality resources required for integration efforts
  • Legal rights to existing key applications
  • Source code that is not in escrow
  • Hidden liabilities in licenses and support contracts

The information assessment considers sensitive data-handling requirements and how well data is protected. Generally, this assessment will consider:

  • Systems and data accessible by unauthorized users and how unauthorized access to such data can affect the company’s brand and reputation
  • Authorization, development, and approval processes for the records program
  • Privacy, intellectual property, and other sensitive information collection, usage, storage and complaints-handling processes
  • Third party contractual arrangement adequacy for addressing sensitive information handling

The business assessment considers technology strategy alignment with the business, business process control integrity & automation, and governance & compliance matters. Generally, this assessment will consider:

  • IT strategy that is not aligned with the current and future business requirements
  • Current systems that are not suitable for business requirements
  • Inefficient manual work-around procedures that are required to operate the business
  • Level of system automation that does not match the level disclosed by management
  • Recently-integrated business systems that have internal control integrity issues
  • Internal controls and SOX 404 issues that will impact regulatory compliance
  • Insufficient governance of IT system projects that could result in hidden future IT costs or write down of IT assets due to inappropriate system development

The risk quantification translates identified IT risks into financial impact statements and helps prioritize them for consideration in the final M&A transaction decision.

Today's risk and compliance environment compels organizations that are developing M&A strategies to integrate IT risk management into their M&A planning and implementation processes. Left unaddressed, IT risk issues can fundamentally affect the overall M&A strategy and desired value creation. A properly structured IT risk management framework and readiness diagnostic can provide practical insights into the information and technology risk issues. Including IT risk management from the outset can make the M&A picture complete, rather than an unfinished puzzle.

Bill Kobel (bkobel@deloitte.com) is a Principal and John Gimpert (jgimpert@deloitte.com) is a Partner with Deloitte & Touche LLP.



Accounting Firm SingerLewak Expects a Rise in Governance, Risk and Compliance Vulnerabilities in U.S. Corporations Following the Government’s $700 Billion Bailout Plan

Leading California Accounting and Consulting Firm Seeks to Advise America’s Executives To Tighten Internal Controls Now

By: PR Newswire

Oct. 13, 2008 05:00 AM

LOS ANGELES, Oct. 13 /PRNewswire/ — SingerLewak, a full service accounting and management consulting firm headquartered in Los Angeles, today issued a Governance, Risk and Compliance advisory following the federal government’s authorization of the $700 billion bailout plan of the U.S. financial system. Analysts with the firm’s Enterprise Risk Management Services practice forecast that the hotly debated economic rescue of U.S. financial institutions could trigger an increase in vulnerabilities to the internal controls of public and private companies.

According to Troy Snyder, Lead Partner of SingerLewak’s Enterprise Risk Management Services practice, the current uncertainty in the markets and the global economy could directly result in a significant percentage increase of U.S. corporations facing security compromises and financial liabilities.

“With the $700 billion government bailout plan, the potential fallout could affect a company’s risk profile due to less people and smaller budgets to detect fraud. As such, inappropriate employee behavior can seriously compromise the integrity of the corporate structure,” cautioned Mr. Snyder.

Mr. Snyder further specified that among the highest concerns are the risks posed by unsettled and edgy employees whose behavior can lead to actions such as fraud or theft of sensitive proprietary data or critical digital intellectual property, through the inappropriate use of information systems resources.

“In past times of general financial instability, it has not been uncommon to see a weakening in the internal controls of businesses struggling to survive in unfavorable market conditions,” Mr. Snyder commented. “Although initially helpful to quell investor unease, the $700 billion bailout plan has the very real potential to adversely affect the risk profile of a broad spectrum of corporations, due to workforce reductions, budgetary cutbacks and other factors known to compromise the integrity of the corporate infrastructure.”

To provide historical perspective, Mr. Snyder recalled the lack of enthusiasm that greeted Sarbanes-Oxley controls immediately following legislation mandating them in 2002.

“Internal control measurements over financial reporting systems were the focus of the Sarbanes-Oxley Act of 2002,” Mr. Snyder stated. “SOX was created to strengthen regulations for corporate governance, internal control assessment and enhanced financial disclosure, following the Enron, Tyco and WorldCom fiascos. Reluctance by many companies to implement Sarbanes-Oxley’s internal controls fully may now become evident in the form of weakened corporate systems platforms, possibly exposing the cracks in otherwise reliable financial reporting systems, information and security foundations.”

Employee Behavior Management: What Controls Need to Be Tightened:

Due to the historic reluctance of U.S. businesses to implement Sarbanes-Oxley, weaknesses can occur in the internal controls of any organization, necessitating some or all of the following actions:

— Fraud prevention and detection

— Strategies and safeguards to prevent employee misappropriation of intellectual property

— Documentation and systems implementation to deter misstatements

— IT security for prevention of unauthorized access via internal means or social engineering

— Loss prevention strategies to thwart financial malfeasance and asset theft

As a proactive response to thwart the possibility of greater risk within organizations, Bob Green, CPA.CITP, SingerLewak Enterprise Risk Management Services partner and Information Management expert, suggested corporate officers and executives begin by having an internal controls assessment and diagnostic performed.

“The first step is to evaluate the controls in place in order to reduce inappropriate employee behavior relating to the use of a company’s systems and resources,” said Mr. Green. “Limiting the possibility of theft and misuse of corporate intellectual property and other sensitive digital information by employees is essential. Our specialized Employee Behavior Management initiatives help both public and private companies mitigate risks posed by employees who may foster an ‘anything goes’ mentality during challenging economic times.”

As a professional courtesy to the business community, SingerLewak’s Enterprise Risk Management Services practice partners offer telephone briefings and seminars for executives interested in finding out more about mitigating Governance, Risk and Compliance Vulnerabilities for their organizations.

Getting the Right Tools Implemented:

Information about EBM services and how to tighten your Internal Controls and protect your business can be obtained by contacting Troy Snyder or Bob Green at 310-477-3924 or sending an e-mail to MarketingLA@SingerLewak.com. Members of the media are invited to contact Ronit Koren at (310) 948-6237 or rkoren@SingerLewak.com.


Credit-card security standard issued after much debate


End-to-end encryption and virtualization security on horizon for credit/debit card handlers

By Ellen Messmer, Network World, 10/01/2008


The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, last week issued revised security rules. The council also indicated that next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization.

Adherence to PCI rules could play a key role in preventing big data thefts, like the 2005 TJX breach, security experts say. 


The PCI 1.2 data security standard (DSS) seeks to clarify several pieces of the earlier 12-part PCI 1.1 standard that had many confused. Among other things, Version 1.2 clarifies that all operating systems associated with card processing have to run antivirus software, while many had thought this was only about Microsoft Windows.

"That sounds like a sensible piece of advice," says Sushila Nair, product manager at BT, who says organizations often deploy antivirus on Windows but erroneously believe Unix, Macs and other operating systems are somehow invulnerable. However, she notes that accommodating the clarified PCI rule on antivirus will be "expensive" in many places.


One of the biggest topics of debate at last month's PCI Council meeting was what "network segmentation" actually means. The standard's intent is that merchants use technical controls to cordon off the parts of the network that store or handle cardholder data, so that the PCI compliance assessment can be focused on those segments rather than on the merchant's entire network.

"There was a lot of talk about network segmentation," says Sumedh Thakar, PCI solutions manager at vulnerability management and policy compliance product company Qualys. "A lot of merchants were trying to get answers. The guidelines now are to restrict access using firewalls."

The PCI 1.2 standard advises the use of "internal firewalls, routers with strong access control" and other network-restricting technologies to assure internal network segmentation for card-processing purposes.
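The practical question behind the segmentation debate is whether the firewall rules actually leave only the intended paths into the cardholder data environment (CDE); if an assessor can find any other allowed path, the rest of the network is back in scope. The following is an added example, not code from the article or from the PCI Security Standards Council: it models a first-match, default-deny firewall policy over a hypothetical address plan (the 10.10/10.20/10.30 networks, the payment application host and the jump host are all assumptions) and enumerates which source/target/port combinations the policy permits, so that a "flat" policy can be compared against a segmented one and any path outside the intended list reported as a scoping violation.

```python
"""Verify CDE network segmentation against a firewall policy (example code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address
Path = Tuple[str, str, int]  # (source label, target label, destination port)


def net(cidr: str) -> IPNet:
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: IPNet
    dst: IPNet
    dport: Optional[int]  # None matches any destination port

    def matches(self, src_ip: IPAddr, dst_ip: IPAddr, dport: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


# Hypothetical address plan, constructed for this example.
ANY = net("0.0.0.0/0")
CDE = net("10.10.0.0/24")        # cardholder data environment
PAY_APP = net("10.10.0.5/32")    # payment application server inside the CDE
DMZ = net("10.20.0.0/24")        # web tier that hands card data to the payment app
JUMP = net("10.30.1.10/32")      # admin jump host on the corporate LAN (10.30.0.0/16)

# Weak policy: one flat network, everything can talk to everything.
FLAT_POLICY: List[Rule] = [Rule("allow", ANY, ANY, None)]

# Segmented policy: only two paths into the CDE, explicit deny for the rest,
# other (non-CDE) traffic left unchanged.
SEGMENTED_POLICY: List[Rule] = [
    Rule("allow", DMZ, PAY_APP, 443),  # web tier -> payment app, HTTPS only
    Rule("allow", JUMP, CDE, 22),      # admin SSH from the jump host only
    Rule("deny", ANY, CDE, None),      # every other packet into the CDE is dropped
    Rule("allow", ANY, ANY, None),     # traffic that never touches the CDE
]

# Sample endpoints to probe (constructed).
SOURCES: Dict[str, IPAddr] = {
    "dmz-web": ipaddress.ip_address("10.20.0.10"),
    "corp-desktop": ipaddress.ip_address("10.30.5.77"),
    "jump": ipaddress.ip_address("10.30.1.10"),
}
TARGETS: Dict[str, IPAddr] = {
    "pay-app": ipaddress.ip_address("10.10.0.5"),
    "cde-db": ipaddress.ip_address("10.10.0.20"),
}
PORTS = [22, 443, 1433]

# The paths the design says are allowed into the CDE; anything else is a finding.
INTENDED: Set[Path] = {("dmz-web", "pay-app", 443),
                       ("jump", "pay-app", 22),
                       ("jump", "cde-db", 22)}


def evaluate(rules: List[Rule], src_ip: IPAddr, dst_ip: IPAddr, dport: int) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def allowed_paths(rules: List[Rule], sources: Dict[str, IPAddr],
                  targets: Dict[str, IPAddr], ports: List[int]) -> List[Path]:
    """Enumerate every (source, target, port) triple the policy permits."""
    paths = set()
    for s_label, s_ip in sources.items():
        for t_label, t_ip in targets.items():
            for port in ports:
                if evaluate(rules, s_ip, t_ip, port) == "allow":
                    paths.add((s_label, t_label, port))
    return sorted(paths)


def segmentation_violations(rules: List[Rule], sources: Dict[str, IPAddr],
                            targets: Dict[str, IPAddr], ports: List[int],
                            intended: Set[Path]) -> List[Path]:
    """Paths into the CDE that are allowed but not in the intended list."""
    return [p for p in allowed_paths(rules, sources, targets, ports) if p not in intended]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        bad = segmentation_violations(policy, SOURCES, TARGETS, PORTS, INTENDED)
        print(f"{name}: {len(bad)} unintended path(s) into the CDE")
        for path in bad:
            print("  ", path)
```

The check is deliberately written against the rule set rather than against live hosts: run it on every rule change, and treat any non-empty violation list as a scoping finding before the assessor does. Note that the explicit `deny` for the CDE sits before the catch-all `allow`; swapping those two rules silently reopens the flat network, which is exactly the ordering mistake the enumeration is there to catch.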

Some IT managers say the PCI-based reviews that their organizations are now undergoing are already based on PCI 1.2 as the baseline. Such reviews are typically carried out by PCI Council-certified assessors if self-assessment procedures aren't applicable.

"It was in draft form so we decided to use that since there seemed to be no point in using 1.1 anymore," says one IT manager, who preferred not to be named. But he says his organization is finding it very difficult to isolate the network to protect specific servers and applications associated with cardholder data, plus monitor and log according to the PCI 1.2 guidelines.
