Tag Archives: regulatory

How to Maximize Your IT Security Budget

Sophisticated cyber criminals have followed businesses into the online world; they now can steal everything from intellectual property to credit cards en masse. And that’s just the start. Add social security numbers, addresses, and other personally identifying information to the list and you can essentially reconstruct and hijack entire identities. What’s worse is that cybercriminals benefit from anonymity: they can compromise entire databases of sensitive information and leave only a masked IP address behind as a trail—and that trail often ends in a foreign country where both jurisdiction and law enforcement are limited.

Regulators Focus On Large Enterprises

As cyber criminals successfully raided corporate databases and siphoned away credit card, tax, banking, healthcare and other consumer information, regulators took notice. In an effort to protect consumers, governments and industry consortiums imposed regulations and mandates like the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry (PCI) standard. The initial round of enforcement and deadlines, however, was mostly targeted at large enterprises. Thus it is not surprising that over the last few years, large enterprises have made significant investments in cyber security and have at least raised the barrier to such breaches.

When Cybercrime Moves Downstream

Undeterred, cybercriminals are finding it easier to move downstream and target small to medium businesses, which are increasingly online but do not have the necessary safeguards. The Privacy Rights Clearinghouse website lists a long chronology of breaches. Take a look and you’ll find that while familiar names like ChoicePoint, the U.S. Department of Veterans Affairs, TJX, and Circuit City have endured highly publicized breaches, the majority of breaches actually occur at small to medium merchants.

Regardless of whether you are a small retailer, a credit union with a single location, or a doctor’s office or clinic, you face the same problems as a global enterprise when a breach occurs: potential fines, bad press, class-action lawsuits and customer attrition. In fact, the costs of security breaches can be more devastating for a small enterprise that has fewer financial and other resources.

The squeeze doesn’t end there. Regulations increasingly apply to small and medium-sized businesses, not just larger ones. The PCI Data Security Standard (PCI DSS) must now be met by any business that stores, processes, or transmits credit card information—regardless of annual transaction volume. Similarly, publicly traded companies with a market capitalization under $75 million must now comply with SOX. HIPAA, of course, applies to the smallest doctor’s office and the largest hospitals and insurance firms.

Combating Cybercrime with the Hidden Trail

Just thinking about how to provide adequate security can seem overwhelming to a small business. But your business already has the information you need to detect breaches in a timely manner and to cost effectively address regulatory requirements. Every second of the day, your servers, laptops, applications, network infrastructure, and security devices leave a trail of activity behind in the form of logs. Everything from a login or logout to a badge swipe or file access is tracked in this hidden trail. Bring this information together and you have a powerful and cost-effective means to detect threats and protect your business.
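The paragraph above describes pulling login, badge-swipe and file-access records into one place so that they can be correlated. The following is an added example of that idea (not code from the article or from ArcSight); the three log formats, user names, paths and addresses are constructed sample data, and the two detection rules are simple illustrations of what cross-source correlation can surface.

```python
"""Correlate login, badge-swipe and file-access logs to surface suspicious activity.

All log lines below are constructed sample data; the 'TIMESTAMP source k=v ...'
line format is an assumption made for this example, not a real product format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three sources (not in time order on purpose).
BADGE_LOG = """\
2009-01-12T08:02:11 badge user=alice door=HQ-Lobby dir=in
2009-01-12T17:31:40 badge user=alice door=HQ-Lobby dir=out
2009-01-12T08:15:03 badge user=bob door=HQ-Lobby dir=in
"""
AUTH_LOG = """\
2009-01-12T09:10:05 auth user=bob result=success src=10.0.4.21
2009-01-12T22:01:10 auth user=alice result=failure src=203.0.113.9
2009-01-12T22:01:14 auth user=alice result=failure src=203.0.113.9
2009-01-12T22:01:19 auth user=alice result=failure src=203.0.113.9
2009-01-12T22:01:25 auth user=alice result=success src=203.0.113.9
"""
FILE_LOG = """\
2009-01-12T10:44:30 file user=bob path=/finance/ledger.xls op=read
2009-01-12T22:03:02 file user=alice path=/finance/cards.csv op=read
"""


def parse_log(text):
    """Parse 'TIMESTAMP source k=v k=v ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts), "source": source}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def merge_events(*logs):
    """Bring the separate trails together into one timeline."""
    return sorted((ev for log in logs for ev in log), key=lambda e: e["ts"])


def detect_failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures within `window`."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for ev in events:
        if ev["source"] != "auth":
            continue
        user = ev["user"]
        recent_failures[user] = [t for t in recent_failures[user] if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            recent_failures[user].append(ev["ts"])
        elif ev["result"] == "success":
            if len(recent_failures[user]) >= threshold:
                alerts.append({"rule": "failures_then_success", "user": user, "ts": ev["ts"],
                               "src": ev["src"], "failures": len(recent_failures[user])})
            recent_failures[user] = []
    return alerts


def detect_offsite_file_access(events):
    """Flag file access by a user whose latest badge event says they are out of the building.

    A user with no badge record at all is treated as off-site. The most recent
    successful login source is attached so an analyst can see where the session came from.
    """
    alerts = []
    badge_state = {}  # user -> "in" / "out"
    last_login = {}   # user -> source address of most recent successful login
    for ev in events:
        if ev["source"] == "badge":
            badge_state[ev["user"]] = ev["dir"]
        elif ev["source"] == "auth" and ev["result"] == "success":
            last_login[ev["user"]] = ev["src"]
        elif ev["source"] == "file":
            user = ev["user"]
            if badge_state.get(user, "out") != "in":
                alerts.append({"rule": "offsite_file_access", "user": user, "ts": ev["ts"],
                               "path": ev["path"], "login_src": last_login.get(user, "none")})
    return alerts


def run_detections():
    """Run both rules over the merged timeline and return all alerts."""
    events = merge_events(parse_log(BADGE_LOG), parse_log(AUTH_LOG), parse_log(FILE_LOG))
    return detect_failures_then_success(events) + detect_offsite_file_access(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data, alice's three failed logins followed by a success from an outside address, and her later read of a finance file while badged out, are the two events that reach an analyst; bob's on-site activity produces no alert.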

Tips On How to Maximize Your Security Budget:

  • Improve efficiency—consider approaches to security that require less hardware and effectively support consolidation and green initiatives.
  • Maintain clear visibility into the network—knowing where your internal and external threats and policy violations exist will eliminate or reduce the extraneous costs of a data breach, fraud, or cybercrime.
  • Avoid the “one size fits all” solutions—look for multiple performance options and scalability to adapt to evolving security and compliance regulations.
  • Understand the impact of automation—reserve limited and valuable IT resources for more strategic tasks.
  • Integrate security as part of the business—leverage security solutions in more strategic ways by offering a clear path to ROI and productivity gains.

For organizations of any size, there’s no doubt that battling cybercrime and meeting regulatory compliance will be a top business issue in 2009. However, given the state of security in today’s economy, it will be important to measure the cost-comparisons between technology and IT resources used versus the costs associated with a data breach or cybercrime attack.

Ansh Patnaik is the director of product marketing at ArcSight. He is an ISSA and ISACA member and maintains the CISSP certification. Ansh has worked in the security space for over 10 years with companies such as BindView/Symantec and Omniva Policy Systems.


The Forrester Blog For Security & Risk Professionals


Thomson Reuters Gets A Jump On Holiday Shopping, Acquires Paisley


Keep an eye out in the next week for Forrester’s GRC Trends 2009 report, which will take a look at how a decidedly rocky end of 2008 will impact those responsible for various aspects of corporate governance, risk management, compliance, audit, and finance… as well as the product and service firms that serve them.

One trend that we call out in the report is the impending consolidation of the GRC technology landscape, which is a top-of-mind issue for many leading vendors in the space.

Wednesday, Thomson Reuters got an early start on this trend with a definitive agreement to purchase Paisley. A leader in the GRC platform and audit management markets, Paisley will be a strong addition to the company’s Tax and Accounting group.

Concern among businesses about their risk management practices and impending regulatory actions will be a major driver for growth in the GRC market, and considering this significant potential, we expect other attractive acquisition targets in the space to be scooped up over the next 12 months.


CISOs ponder new FISMA requirements

A bill that would amend the Federal Information Security Management Act (FISMA) could pass during the next session of Congress, and chief information security officers are wondering what more FISMA requirements might mean for them.

Legislation to amend the current FISMA requirements cleared the Senate Homeland Security and Governmental Affairs Committee earlier this year.

The bill would change how agencies’ information security practices are evaluated and would redefine the role of the CISO.

CISOs participating in a panel discussion at a Government Technology Research Alliance conference today in Hershey, Pa., said changes under the bill include:

  • Requiring an annual independent audit rather than an annual evaluation.
  • Increasing CISOs’ responsibilities.
  • Requiring operational evaluations.
  • Establishing a CISO council.
  • Mandating standard governmentwide contract language.
  • Requiring the Homeland Security Department to present an annual report to Congress.

The CISOs said one provision with potential difficulties would require them to direct and manage information technology security programs and functions in all subordinate agency organizations, including components, bureaus and offices.

“At a large department, I don’t see how that would be effective or doable,” said Richard Prentiss, CISO at the Treasury Department’s Office of Thrift Supervision.

He said different components’ networks in his department have different security rules, and it would be difficult to tell all component agencies how to handle subordinate network security.

He added that component agencies “do it differently. The outcome is the same, but we do it based upon the efficiencies that we have within our organization.”

Marian Cody, CISO at the Environmental Protection Agency, said the legislative language that would define the CISO’s authority over component offices needs clarifying. Cody said a provision that would give the CISO authority to block an agency’s information system from accessing the network if the system has been compromised or doesn’t meet security policies — essentially disconnecting a system — would be difficult to implement.

“At least at EPA, this really goes against the culture of the agency. This is big time,” she said. “There’s going to be lots of discussion around this and what this means and how to scope this appropriately to meet the agency’s culture and willingness to cooperate.”

The panel also discussed the bill’s requirements for a series of additional evaluations, and requirements that annual evaluations of agencies’ information security be audits.

“The theme of this entire act is audit, audit, audit and then audit some more,” Cody said. The bill “actually turns the CISO…into an auditor, and at EPA, what we’ve tried to do is exactly not that.… So we really don’t want to become yet another auditor.”

Patrick Howard, CISO at the Nuclear Regulatory Commission, said compliance is measured differently by various agencies, and the bill aims to provide some consistency across the government.

“There is going to be a need for some implementing instructions from the Office of Management and Budget, the [U.S.] Computer Emergency Readiness Team, the National Institute of Standards and Technology, [and] others in order for us to really comply,” he said. “They need to really help us define what the requirements are.”


NextGov.com – Melding Security

With computers now controlling critical assets, it’s more important than ever for cyber and physical security managers to work together.

Linda Wilbanks can’t fire a gun, but as chief information officer at the Energy Department’s National Nuclear Security Administration, she’s working with executives to ensure nuclear materials don’t fall into the wrong hands. Why is the CIO involved in keeping nuclear materials secure? “Somewhere along the line, there’s going to be IT controls” involved, Wilbanks says.

The distinctions are disappearing between securing physical assets like radioactive material and securing information stored on laptops and in networks. Computers have become the de facto mechanism for controlling critical infrastructure. Networks manage not only sensitive data but also the operations of everything from generators to water pumps to nuclear reactors. Many of these systems are accessible through the Internet, which means agencies run the risk of a hacker shutting down operations or a catastrophic failure.

“There are many overlapping components in IT security, cybersecurity and physical security,” says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. “More recent is the desire of our opponents to exploit those [overlapping components] and use them against us by bringing down our critical infrastructure remotely.”

In March 2007, researchers at the Idaho National Laboratory demonstrated to the Homeland Security Department how they could go online to hack into the programs that control the operations of a generator and manipulate settings so it would self-destruct. The scene of a generator shaking, spewing steam and then breaking down sent shock waves through governments and corporations.

DHS later developed the National Infrastructure Protection Plan and strategies for each economic segment to provide a coordinated approach to protect networks that operate critical infrastructures in the areas of finance, transportation and utilities.

The U.S. Computer Emergency Readiness Team’s Control Systems Security Program coordinates infrastructure network protection, offering resources such as a control system cybersecurity self-assessment tool, a curriculum for security training and recommended practices. But agency needs vary, influenced largely by the type and sensitivity of assets. Best practices focus on comprehensive risk assessment, collaboration between those responsible for the security of physical assets and IT, and a governance structure that ensures the managers in charge aren’t the weak link.

“[Physical] access restrictions to a particular asset are not good enough if you’re also giving all employees access to its networked control system,” says Robert Jamison, undersecretary for DHS’ National Protection and Programs Directorate. “Agencies have to understand that if they have control systems or physical assets that are connected to a network that is connected to the Internet, there is inherent risk.”

In theory, if CIOs conduct risk assessments, as required under the 2002 Federal Information Security Management Act, then protecting physical assets shouldn’t add much work, if any. FISMA requires agencies to determine the risk if a hacker gained access to its information systems. Each is assigned a level of risk – low, medium or high – and then the agency determines which security controls to apply.

If an agency deems an asset high risk, it should do as much as possible to shield the system from access. At the National Nuclear Security Administration, IT systems that link to sensitive control systems are housed on the agency’s highly classified red network, which is not connected to the Internet. NNSA has classified one of its two other networks as yellow, because it connects semiclassified IT systems and includes extensive access controls. The agency has classified the third system as green, because it connects nonclassified systems and manages information delivered to the public Web site.

To provide guidance on how to assign risk to systems, the National Institute of Standards and Technology released Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories.”

“The NIST process is absolutely superb,” says Marian Cody, senior information security officer at the Environmental Protection Agency. “What I don’t see, however, is the same bible for those who handle physical security… You have to know what you have, and then you have to know the associated risk so you can figure out how to protect it.”

NNSA launched its network infrastructure classification this spring, almost a year after an employee at Los Alamos National Laboratory entered a protected vault and saved on a flash drive information on underground nuclear weapons tests that was stored on a classified computer server. The employee printed more than 200 pages of documents to work on them at home.

“In that case, it was shortcomings in physical and cybersecurity,” Wilbanks says. Access to the server was not protected properly, allowing the thumb drive to be attached and data to be downloaded, and gates that block access to computer servers were not locked. Now cybersecurity managers work with managers in charge of physical security to conduct inspections of the labs and infrastructure. The team spends four hours a week walking through facilities to check security.

Physical security has long been isolated from IT at federal agencies, and changing that can be hard. But some agencies like NNSA have changed their reporting structure to ease collaboration between the physical and cyber worlds. Wilbanks reports to the deputy administrator of NNSA, whose office collects data on new assets that facilities commission. At NRC, the CIO also carries the title of deputy executive director for corporate management, which oversees physical assets.

“There’s alignment that allows closer coordination and cross fertilization,” Howard says. “It’s new, but it’s clear that it will be advantageous to have that level of integration that provides both sides a seat at the same table. We can learn to speak a common language.”


Building an IT Governance Foundation – Baseline

While organizations have similar goals such as controlling costs and achieving data consistency, IT departments across government, corporations and nonprofits operate differently. IT management needs an overarching governance model like CobiT, ITIL, CMM and Six Sigma to ensure that investments in technology generate business value and mitigate risks.

Information technology governance defines the overall structure, policies, processes and relationships necessary to provide the desired level of standardization and consistency across an IT organization. It encompasses systems, performance measures and risk management procedures, helping organizations make informed decisions about their operations and investments. While organizations have similar goals—such as controlling costs and achieving data consistency—IT departments across government, corporations and nonprofits operate differently.

Even after a rigorous focus on compliance initiatives—and the widespread acknowledgment that large-scale, complex, strategic IT projects commonly progress beyond scope and budget without due attention—standardization around IT governance models is still being sought.

When organizations are examined and their use of best-practice disciplines is polled, a number of frameworks and standards for varying aspects of IT operations are found. These frameworks typically include:

* IT Infrastructure Library (ITIL), developed by the United Kingdom’s Office of Government Commerce, focuses on service support and service delivery.

* ISO/IEC 27001 (ISO 27001) consists of a set of best practices to implement and maintain an information security program.

* AS8015-2005 is the Australian Standard for Corporate Governance of Information and Communication Technology.

* Capability Maturity Model Integration focuses on software engineering, people and implementation.

* Balanced Scorecard is a strategic planning and management system used to align business activities to the organization’s vision and strategy.

* Six Sigma is a manufacturing-based system focusing on quality assurance.

IT management needs an overarching governance model to ensure that investments in technology generate business value and mitigate associated risks. The model should also provide a common language for IT and users, enable more focused planning, and create a level of standardization, consistency and predictability.

First published in 1996, Control Objectives for Information and Related Technology (CobiT) provides a set of generally accepted best-practice objectives to help maximize the benefits derived through IT use. It further aids in developing appropriate IT governance and control in an organization. Managed by the Information Systems Audit and Control Association and its research body, the IT Governance Institute (ITGI), CobiT became the IT governance standard against which auditors measured process and control maturity in support of compliance with the Sarbanes-Oxley Act of 2002.

CobiT provides a control- and objective-based foundation upon which decisions and investments can be based. These include defining a strategic plan; defining the information architecture; acquiring the necessary hardware and software to execute a strategy; managing projects; ensuring continuous service; and monitoring the performance of the IT system.

This is achieved by providing tools to assess and measure the performance of 34 high-level processes that cover 214 control objectives, which are categorized in four domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. By implementing processes and procedures supporting the CobiT objectives and identifying and monitoring associated controls, users and auditors will recognize greater reliability and performance throughout the enterprise.

Building IT Governance: Overcoming Challenges

Throughout IT organizations, common themes are described as areas of opportunity: improve project planning and investment; increase collaboration and information sharing; facilitate effective communication and transition across the lifecycle; control cost while providing efficient operations and support; enhance service delivery; and improve security. These themes are usually approached as individual programs or are carefully orchestrated as an overarching organizational transformation related to technology operations.

Certain areas, such as security and managing data across an enterprise, require heavy investment and monitoring. These are also areas that auditors commonly spend time scrutinizing and directing change for heightened control.

When remediation is essential, reactive solutions are typically implemented. Though necessary, these solutions can be costly and inefficient. Once a baseline is set, however, and the auditors leave, it is far more efficient for IT management to proactively design and support an improvement plan with cross-functional reach. The CobiT model can help with this.

By understanding the four domains and the underlying process areas, IT management and staff can begin communicating from a common frame of reference. Leveraging the CobiT toolkits, IT management can promote a standard set of metrics, process structures, improvement plans and self-assessment mechanisms. This allows each area to initiate, report and monitor in a similar fashion.

In almost every change-management or operational-improvement approach, stakeholder involvement is critical, yet this is often where things fall apart. Think how many project managers ask for executive stakeholder meetings to communicate issues and detailed plans. Now ask how many IT managers have enough time to devote to such detail. The answer would be “very few.”

With an understanding of CobiT and having a common approach to managing and measuring processes, IT management will have an informed understanding of the objectives to be achieved. This understanding allows IT management to focus on the actions that require their attention, enabling the program to stay on track based on meaningful risk and opportunity reviews.

The ITGI CobiT 4.1 framework document describes the four domains and their relationships and lists the related process areas. The relationships can help IT management focus on areas of opportunity or risk.

Plan and Organize (PO) provides direction to solution delivery (AI) and service delivery (DS); Acquire and Implement (AI) provides the solutions and passes them to be turned into services; Deliver and Support (DS) receives the solutions and makes them usable for end users; and Monitor and Evaluate (ME) monitors all processes to ensure that the direction is followed.

A governance framework is worthwhile only if it is actually used; otherwise, it becomes a waste of money and a burden to the staff. To be effective, its language must permeate regular conversations among the leadership team and find its way into dashboards and documents.

By using CobiT tools, IT management can quickly assess strengths, weaknesses and opportunities. It can then reduce costs, improve the top-line, enhance customer service, or meet compliance and regulatory reporting by balancing risk mitigation and process improvement in a proactive fashion.

Building IT Governance: Collaboration and Support

As an example, one state government’s IT strategic planning group wanted higher levels of collaboration and a stronger sense of support. The sense of buy-in across multiple agencies would strengthen appropriation requests for strategic initiatives, allowing for economies of scale, including:

  • Solutions that address and automate inter- and intra-agency business processes
  • Smaller, more focused teams to drive progress more quickly
  • More statewide, standardized technology platforms and tool sets
  • Enhanced information sharing and increased reusability
  • Lower total cost of ownership for solutions.

To achieve its goals, the state government embarked on a more collaborative planning effort, beginning with an agency director approach. This top-down model was meant to align agencies having similar business-oriented goals and challenges. Facilitated discussion and collaborative decision making identified and defined capabilities that would help alleviate challenges in support of goals that could be met through technology. This transition—from business-driven need to technology-based capability—also allowed the agency directors to communicate more effectively with the IT directors.

The transition to technology occurred when enabling capabilities, such as business intelligence, were identified. More than 50 agencies were represented and more than 100 directors, chiefs of staff, and IT leads collaborated in the process to iterate balanced objectives and identify existing and new initiatives.

The state’s intent for the strategic planning process was a set of IT-oriented priorities that support state and agency business goals and can be translated into a set of recommended projects and budgets. With the iterative, collaborative process utilized, it was essential to be sensitive to time and competing priorities. In support of the process, the state established a legislative technology committee and formalized the agency director advisory committee.

The state’s approach—developing output for the framework—was designed to facilitate discussion and move quickly toward decisions in a collaborative fashion that built support and consensus.

Looking at CobiT’s Planning and Organizing domain, the very first process area is Define a Strategic IT Plan. This satisfies the business requirement for IT to sustain or extend the strategy and governance requirements, while still being transparent about benefits, costs and risks.

Another CobiT process area, Define the IT Processes, Organization and Relationships, has several applicable objectives. These include Defining an IT Process Framework, Establishing an IT Strategy Committee and Establishing an IT Steering Committee.

The state government achieved several CobiT objectives through its planning process, which had the goal of developing a long-term strategic plan—not overtly aligning with the CobiT framework. This is a model of success that other standard and framework maturity programs can learn from.


Enabling IT Governance Transformation

The steps enabling transformation—in the context of an IT governance, compliance or enterprise risk management initiative—describe a business process. Similar to any other business process, it must be documented, followed with discipline and improved with every iteration.

For a successful CobiT experience, always begin from a perspective of knowledge and leverage experienced support. Implementing an enterprise risk management, compliance or IT governance program is like any other transformation: It must have the support of a dedicated team to be successful.

Lessons taken from enabling organizational transformation hold true for an IT governance program to reduce cost and effort, while enhancing chances of success and building support across an organization. There are only so many tasks that one person or a group working part-time can push forward simultaneously.

For an IT governance effort to succeed, therefore, dedicated resources must be allocated, IT management must have a common understanding to allow for more focused decision making, and progress must not be predetermined by an arbitrary schedule, such as a quarterly earnings call.

Plan and Organize (PO)

  • Define a strategic IT plan.
  • Define the information architecture.
  • Determine the technological direction.
  • Define the IT processes, organization and relationships.
  • Manage the IT investment.
  • Communicate management aims and direction.
  • Manage IT human resources.
  • Manage quality.
  • Assess and manage IT risks.
  • Manage projects.

Acquire and Implement (AI)

  • Identify automated solutions.
  • Acquire and maintain application software.
  • Acquire and maintain technology infrastructure.
  • Enable operation and use.
  • Procure IT resources.
  • Manage changes.
  • Install and accredit solutions and changes.

Deliver and Support (DS)

  • Define and manage service levels.
  • Manage third-party services.
  • Manage performance and capacity.
  • Ensure continuous service.
  • Ensure systems security.
  • Identify and allocate costs.
  • Educate and train users.
  • Manage service desk and incidents.
  • Manage the configuration.
  • Manage problems.
  • Manage data.
  • Manage the physical environment.
  • Manage operations.

Monitor and Evaluate (ME)

  • Monitor and evaluate IT performance.
  • Monitor and evaluate internal control.
  • Ensure compliance with external requirements.
  • Provide IT governance.

Adam Nelson is director of management and IT consulting at Keane, a global IT consulting firm headquartered in San Ramon, Calif.


International Challenges in PCI Security

In a country that’s seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective.

In the process, companies tend to forget that PCI compliance has been a recipe for international indigestion.

“Remember that credit cards are used abroad, and many American companies have personnel handling credit card transactions in offices all over the world,” says Bruce Larson, security director at American Water, a major water utility that employs more than 10,000 people. “If you have a multinational organization, your data is not just sitting in the U.S.”

There may be some irony in hearing that from someone whose concerns are mostly based on security threats inside the U.S. Larson has to worry about everything from cyberattacks targeting computerized water filtration systems to terrorists who might try to bomb pipelines or poison the water supply. He also loses sleep whenever there’s the chance of a natural disaster.

The inconvenience of online, global commerce

But more people are using credit cards to pay the water bill online, and he knows the credit card data is floating around in databases outside the U.S. Losing any of that data could be a body blow in terms of public confidence. Then there’s the fact that American Water does business with vendors across the globe.

“I have a very geographically distributed network — more than 1,500 locations where humans work, 150-200 of those are critical operations facilities,” Larson told attendees during a PCI security seminar CSOonline held in New York in September.

For Harshul Joshi, director of IT-risk and advisory services at CBIZ and Mayer Hoffman McCann P.C. (MHM), a professional business services company, doing business internationally can make for a lot of confusion regarding the PCI security ground rules.

“When we deal with non-U.S. companies, there is often confusion over what PCI security requires,” Joshi says. “We work with one of the largest magazine publishers with operations around the globe and if you dial an 800 number, chances are you’ll be talking to someone in a call center in Vietnam. You give your credit card number and it is recorded somewhere outside the U.S.”

On the outside looking in

If a company is based outside the U.S. — in Sweden or Ukraine, for example — the problem is usually a lack of communication and money regarding PCI security needs.

Dmitriy Tsygankov, director of the corporate customer care center at a bank based in Europe, says Visa USA tends to offer American companies more incentives and assistance for their compliance efforts. As an example, he mentions the US$20 million in financial incentives Visa USA offered nearly two years ago to encourage quicker adoption of the standard.

“Why does Visa USA offer merchants a $20 million bonus to become compliant and not other regions?” he asked. He suspects it’s because e-commerce is more popular and profitable in the U.S. In the bigger picture, he says, it can be harder for foreign companies to come up with the cash needed to achieve compliance.

No financial incentives were mentioned in a recent statement from Visa Inc. announcing new global PCI compliance deadlines. Under the deadlines, announced last week, global merchants and service providers must show by Sept. 30, 2009 that they are not storing full magnetic stripe data (track data), security codes or PIN data after a transaction is approved. Sept. 30, 2010, is the deadline for all service providers and Level 1 merchants to file compliance reports.
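One way a merchant or service provider can check its own stored records against that first deadline, as an added example (not code from the article, Visa or any vendor): a scanner that flags retained track 1/track 2 data and card security codes in transaction logs, with a Luhn check to filter random digit runs. The log format and field names are assumed; the PANs are the industry's standard test numbers.

```python
"""Scan stored transaction records for sensitive authentication data that PCI forbids
retaining after authorization: full track 1/track 2 data and card security codes.
Constructed example; the log format and field names are assumed."""
import re

# Track 2: start sentinel ';', PAN, '=', expiry YYMM, 3-digit service code, discretionary data, '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 (format B): '%B', PAN, '^', cardholder name, '^', YYMM, service code, discretionary, '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Security code stored as a labelled field, e.g. "cvv2=123"
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check (filters random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, the most PCI permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(lineno, line):
    """Return a list of (lineno, kind, detail) findings for one stored record."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append((lineno, "track2", mask_pan(m.group(1))))
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append((lineno, "track1", mask_pan(m.group(1))))
    for m in CVV_RE.finditer(line):
        findings.append((lineno, "security_code", m.group(1).lower()))
    return findings


def scan_lines(lines):
    """Scan an iterable of stored records; returns every finding in order."""
    out = []
    for n, line in enumerate(lines, start=1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample of a payment application's post-authorization log (no real card data).
SAMPLE_LOG = [
    "2008-09-30 12:01:07 AUTH approved pan=411111******1111 amount=42.10",  # truncated PAN: allowed
    "2008-09-30 12:01:09 DEBUG raw=;4111111111111111=09121011234567890?",   # full track 2 retained
    "2008-09-30 12:02:15 DEBUG raw=%B5500000000000004^DOE/JANE^1012101?",   # full track 1 retained
    "2008-09-30 12:03:22 INFO cvv2=123 order=77812",                         # security code retained
    "2008-09-30 12:04:00 INFO ref=;1234567890123=0912101?",                  # track-like, fails Luhn
]

if __name__ == "__main__":
    for lineno, kind, detail in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {kind} found ({detail})")
```

PIN blocks are encrypted binary values with no recognisable text pattern, so this kind of scanner cannot find them; that part of the requirement has to be verified in the application's data flow instead.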

David Taylor, founder of the PCI Knowledge Base, agrees companies outside the U.S. don’t enjoy the same degree of financial support. “There really are no global incentives, just a marketing pitch in the Visa Global PCI Deadlines announcement last week to service providers,” he says.

Visa spokesperson Rosetta Jones confirmed Monday that the company does not currently offer any financial incentives for merchants outside the U.S.

“While Visa USA did offer some monetary incentives for U.S. merchants for a short period of time, the major motivator for merchants to achieve compliance has been their desire to properly protect cardholder data and to prevent being the target of a data compromise,” she says.

Keep the global perspective

Regardless, security experts agree companies must look at PCI security as a global mandate and ensure that the same controls used in the U.S. are being used elsewhere. There’s a danger of that not happening when companies find themselves deep in the weeds trying to get their arms around the sheer scope of the standard, says Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles.

His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.

“File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency,” he says, noting that’s good for business as a whole — wherever in the world the company operates from.


How to ensure Call Center security

Information security has emerged as a significant concern for businesses that use call centers and Interactive Voice Response or voice portal systems for customer service, which include financial services institutions, insurance agencies and health care companies. Here, Knowledge Center contributor Ron Settele explains how companies can safeguard against a contact center security breach, while meeting new regulatory demands to prevent identity theft.

Identity theft remains a major problem in the United States, with Americans losing $45.3 billion last year. In 2007 alone, 8.4 million adult Americans, or one in 27, were the victims of identity fraud.

While this is a drop of 11 percent from the $51 billion lost in 2006, it’s still a significant issue for consumers. Contact centers and IVR (Interactive Voice Response)/voice portal systems are particularly vulnerable since existing methods of confirming callers’ identities are insecure.

The pressures

Understandably, consumers today are concerned about security. When it comes to access to voice self-service systems, they are not satisfied with PIN numbers and content knowledge alone for identity verification. Compared to current authentication methods, an increasing number of consumers feel that the use of their voiceprint would go a long way in making their transaction more secure and convenient. Most consumers would enroll their voiceprint with their financial institution, for example, if given the opportunity.

The politics

Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) is a “formal interagency body empowered to prescribe uniform principles, standards and report forms for…financial institutions.” In 2001, the FFIEC provided specific guidance on authentication in an Internet banking environment. In 2005, it updated that guidance to include high-risk services performed through telephone banking systems and call centers attached to financial institutions. As financial institutions enhance their Internet banking security, threats will migrate to other access channels–mainly the telephone.

The insurance and health care industries are being similarly impacted by the Privacy Rule under HIPAA (Health Insurance Portability and Accountability Act of 1996). HIPAA itself protects “individually identifiable health information” held or transmitted, in any form, whether electronic, paper or verbal. HIPAA’s Privacy Rule establishes regulations for the use and disclosure of Protected Health Information (PHI), which is any information about an individual’s health status, including biometric identifiers such as finger and voiceprints.

Both of these policies are forcing organizations to a heightened awareness of how to address critical security issues.

Until very recently, you could always count on being prompted for your account number and the last four digits of your social security number when accessing a self-service system. In many cases, the same would be true when speaking to a live agent. Times have certainly changed! There are now many methods available to enhance caller authentication. However, no single method is adequate. Utilizing multiple “factors” to authenticate the identity of a caller is advised.

What is a factor? The FFIEC places factors into three specific categories:

Category #1: Something the user has, such as an ID card, security token, software token, phone or cell phone

Category #2: Something the user knows, such as a password, passphrase or PIN number

Category #3: Something the user is (such as voiceprint, fingerprint or retinal pattern)

In some cases, providing access with single-factor, multi-item authentication would be considered adequate. In this case, the caller is challenged with several pieces of information that only they would be likely to know. These solutions are typically simple to implement and could be deemed adequate for callers accessing information that is not considered sensitive.

But that’s where the rub is! Opinions differ widely as to what types of information should be deemed sensitive. And, with the proliferation of information that can be accessed via the Internet, could single-factor, multi-item authentication ever be viewed as secure enough?

Multifactor and risk-based authentication solutions

These concerns by the consumer are pushing enterprises to consider multifactor and risk-based authentication solutions. Using something the user “knows” in combination with something they “are,” provides a much more secure environment in which callers can access account information and transact business. The ability to compare and verify a voice sample from the caller against the voiceprint found in the customer profile (for the account being accessed) significantly increases the likelihood that the right person is attempting to access the account.

Even more secure authentication methods are available if other parameters are taken into account. What if, on top of the multifactor authentication method described above, the system also took into account the number from which you were calling? Or how about whether or not the transaction you are performing is typical based on past behavior? How about taking into account the “Superman Effect?” What do I mean by that? It’s when someone tries to access your account from Los Angeles and then tries again just an hour later from New York City.

Risk-based authentication can take all of these parameters into account and more. How about taking into account access attempts from the Internet and the contact center? Solutions such as these are available today and can be tailored to meet your business needs. Market and regulatory pressure is building to require enterprises to deliver more secure access to customer account information. How secure is your customers’ information?
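The scheme described in the last three sections (something the caller knows, something the caller is, plus calling number, behaviour and the “Superman Effect” across web and contact-center channels), as an added example that is not code from the article or any product: a risk-scoring routine over constructed customer and call data. The thresholds, the point weights, the voice-match score (taken as the output of a hypothetical voice-biometric engine) and the availability of a caller location are assumptions.

```python
"""Risk-based caller authentication for a contact center: a knowledge factor, a voice (inherence)
factor and contextual signals, including the "Superman Effect" (impossible travel).
Constructed example; thresholds, weights, field names and the voice-score input are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import median

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than an airliner between two accesses: impossible travel
VOICE_MATCH_THRESHOLD = 0.80     # assumed cut-off on a hypothetical voice-biometric engine's score
STEP_UP_AT, DENY_AT = 1, 3       # risk points at which to demand another factor, or to refuse


@dataclass
class Access:
    """A prior access from any channel (web or phone), kept for travel plausibility checks."""
    when: datetime
    channel: str
    lat: float
    lon: float


@dataclass
class Profile:
    """What the institution holds for the account: PIN, known numbers, behaviour, history."""
    pin: str
    known_numbers: set
    typical_amounts: list
    history: list = field(default_factory=list)


@dataclass
class CallAttempt:
    """One incoming call: calling number, keyed PIN, voice-match score, requested transaction."""
    when: datetime
    caller_number: str
    pin_entered: str
    voice_score: float   # 0.0-1.0 similarity to the enrolled voiceprint (hypothetical engine output)
    amount: float
    lat: float           # caller location as resolved by the telephony platform (assumed available)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(profile, attempt):
    """The Superman Effect: the latest access on any channel is too far away for the time elapsed."""
    if not profile.history:
        return False
    last = max(profile.history, key=lambda a: a.when)
    hours = (attempt.when - last.when).total_seconds() / 3600.0
    km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
    if hours <= 0:
        return km > 0.0
    return km / hours > MAX_PLAUSIBLE_SPEED_KMH


def assess(profile, attempt):
    """Return (decision, reasons). A wrong PIN fails outright; other signals add risk points."""
    if attempt.pin_entered != profile.pin:
        return "DENY", ["knowledge factor failed"]
    signals = [
        (attempt.voice_score < VOICE_MATCH_THRESHOLD, 2, "voice does not match enrolled voiceprint"),
        (attempt.caller_number not in profile.known_numbers, 1, "calling number not seen before"),
        (bool(profile.typical_amounts) and attempt.amount > 3 * median(profile.typical_amounts), 1,
         "transaction far above this customer's typical amount"),
        (impossible_travel(profile, attempt), 2, "impossible travel since previous access"),
    ]
    points = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    if points >= DENY_AT:
        return "DENY", reasons
    if points >= STEP_UP_AT:
        return "STEP_UP", reasons
    return "ALLOW", reasons


def build_scenarios():
    """Constructed scenarios: a web login from Los Angeles, then three calls against the account."""
    t0 = datetime(2008, 10, 1, 9, 0)
    profile = Profile(pin="4821", known_numbers={"+1-310-555-0100"},
                      typical_amounts=[40.0, 55.0, 60.0, 75.0],
                      history=[Access(t0, "web", 34.05, -118.24)])  # Los Angeles
    la, nyc = (34.05, -118.24), (40.71, -74.01)
    calls = {
        # Known number, good voice match, usual amount, same city six hours later
        "genuine": CallAttempt(t0 + timedelta(hours=6), "+1-310-555-0100", "4821", 0.93, 58.0, *la),
        # Same caller, but the voice sample scores poorly: ask for another factor
        "weak_voice": CallAttempt(t0 + timedelta(hours=6), "+1-310-555-0100", "4821", 0.70, 50.0, *la),
        # Unknown number, large transfer, New York one hour after the Los Angeles web login
        "superman": CallAttempt(t0 + timedelta(hours=1), "+1-212-555-0199", "4821", 0.91, 950.0, *nyc),
    }
    return {name: assess(profile, call) for name, call in calls.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in build_scenarios().items():
        print(f"{name}: {decision} {reasons}")
```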


New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft

Identity thieves use people’s personally identifying information to open new accounts and misuse existing accounts, creating havoc for consumers and businesses. Financial institutions and creditors soon will be required to implement a program to detect, prevent, and mitigate instances of identity theft.

The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Who must comply with the Red Flags Rules?

The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.

Complying with the Red Flags Rules

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

How flexible are the Red Flags Rules?

The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations. Guidelines issued by the FTC, the federal banking agencies, and the NCUA (http://ftc.gov/opa/2007/10/redflag.shtm) should be helpful in assisting covered entities in designing their programs. A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:

1. alerts, notifications, or warnings from a consumer reporting agency;

2. suspicious documents;

3. suspicious personally identifying information, such as a suspicious address;

4. unusual use of – or suspicious activity relating to – a covered account; and

5. notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

More detailed compliance guidance on the Red Flags Rules will be forthcoming. For questions about compliance with the Rules, you may contact RedFlags@ftc.gov.

Read more about this regulation at http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm

And about the extension of the compliance deadline at http://www.ftc.gov/opa/2008/10/redflags.shtm


Hedge Your Bets: The Importance of IT Risk Management in M&A

Information and technology (IT) is a critical component in achieving an M&A strategy; without effective IT risk management, the value of the deal could be threatened or even eroded. IT risk management is a multi-disciplinary undertaking, and covers a variety of functional domains—ranging from data protection to change management. (See “Common IT Risk Management Areas” below.) It is also a multi-faceted and complex undertaking that entails consideration of a wide array of compliance requirements. As such, in a business environment with increasing emphasis on regulatory compliance, the role of IT risk management becomes more important as an enabler of the M&A strategy.

Often, many organizations need to demonstrate compliance with several overlapping requirements. A large financial company may need to meet Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry data security standard (PCI), Health Insurance Portability and Accountability Act (HIPAA), and other mandates such as those from the Federal Financial Institutions Examination Council, Office of the Comptroller of the Currency, and Federal Trade Commission; a global transportation company may need to meet SOX, HIPAA, PCI, FTC, and European Union and Asia-Pacific Economic Cooperation data protection requirements. The effort to meet these regulations often further complicates the efforts required to identify an approach and develop a strategy to mitigate risks when consolidating or separating companies.

Although many of these regulations address similar requirements such as data protection, access controls, transaction auditing, data availability and system monitoring, compliance with one set of regulations does not necessarily translate into compliance with another. The specifics of each set of regulations must be carefully evaluated.

Furthermore, international M&A transactions are likely to be much more complex than domestic transactions. In international transactions, companies must not only consider the regulatory compliance concerns noted above; they must also take into account the potential risks to corporate risk governance, employee data rights, customer data expectations, cross-border data flow, as well as the risk and compliance culture of the home countries of all entities involved in the M&A transaction. Failure to adequately address these factors could scuttle the transaction.

In this complex risk environment, it is clear that IT risk management must be effectively implemented to address the myriad legal, regulatory, contract, and compliance requirements; otherwise, IT risk issues left unaddressed could fundamentally affect the overall M&A strategy and desired value creation.

Is the Loss of Business Value Real?

Based on Deloitte’s experience with M&A transactions, when IT risks, especially those risks that are compliance-driven, are not fully addressed, they can completely undermine the expected value creation of an M&A transaction. Generally, IT risk tends to impact M&A deal value in four primary areas: IT cost, EBITDA, technology, and regulatory and governance.

Examples of common IT risk issues that can have a serious negative impact on M&A transactions include:

  • Inevitable technology changes occur with disparate systems in combined entities and often create system consolidation delays and increase the security and compliance risks with the existing systems
  • The combined entity creates a new state, federal, and/or global jurisdiction operating footprint that often faces potential regulatory and financial risk from the possible compromise of personally identifiable information (PII)
  • The listing of IT assets assumed to be acquired during the financial due diligence process does not reconcile with detailed IT-listed assets, which results in lost value transfer
  • Unclear legal rights over existing key applications and information often inhibit integration and/or separation of IT systems
  • Sensitive information cannot be identified and located, which impedes, and can completely halt, application and system integration and/or isolation
  • The merged entities have disparate access management systems, but they have a need for immediate access to information, which often results in poorly consolidated systems that lead to segregation of duty conflicts and improper data access
  • Hidden liabilities in licenses and third-party contracts result in lost value and increased legal costs
  • Dated technology prevents customization and leads to lost business agility, opportunity and value

So, what is needed to minimize these types of risks from compromising an M&A transaction?

The IT Risk Management Framework

To mitigate the risks described above, M&A due diligence teams should incorporate a comprehensive IT risk management framework and readiness diagnostic into their planning and implementation efforts.

A sound IT risk management framework and readiness diagnostic has several key qualities. First, it is structured, risk-focused, and customizable to cover small and large organizations. Next, it helps in the translation of information protection and technology issues into business risk impacts that will affect the overall M&A transaction. Finally, it helps address industry standards and regulatory requirements for each of the IT risk areas highlighted earlier in this paper.

The IT risk management framework and readiness diagnostic can be organized around five core components — integrated requirements, technology assessment, information assessment, business assessment, and risk quantification.

Integrated requirements establish the required IT risk management practices to be assessed during the M&A transaction. Assessment practices and criteria are established by identifying and aligning the applicable IT risk-related business requirements for each of the common IT risk management areas (see above). These should include:

  • Industry common practices (e.g. International Organization for Standardization (ISO) 27002, COBIT 4.1, Information Technology Infrastructure Library (ITIL), American Institute of Certified Public Accountants’ (AICPA) Generally Accepted Privacy Practices, etc.)
  • Laws and regulations (e.g. GLBA, HIPAA, EU Privacy Directive, CA SB1386, FTC Standards for Safeguarding Customer Information, etc.)
  • Industry standards (e.g. PCI Data Security Standard, BITS, etc.)
  • Acquiring and acquired organizations’ internal IT risk-related policies and standards for each of the common IT risk management areas previously mentioned

This particular IT risk management component is especially beneficial to those organizations that worry about compliance questions such as ‘How does the “new” operating structure comply with SOX quickly?’ By establishing and evaluating integrated requirements early in the IT due diligence process, the acquiring organization should have already identified the SOX-related requirements and their impact on the other organization’s operations. Once the M&A transaction has been executed, the acquiring organization should be able to quickly apply their SOX control framework to the acquired organization and assimilate the various reporting entities into the new organization’s compliance testing and reporting process.

A Framework for Value Protection

The technology assessment considers core technology development, licensing and integration issues. Generally, this assessment will consider:

  • Technology software and infrastructure vulnerabilities that may affect service levels
  • Capacity and scalability of key systems to satisfy business requirements
  • System backup and power issues that may cause business disruptions
  • Unsupported systems and code
  • Vendor-owned source code that is not available for changes
  • Vendor service-level adequacy
  • Non-favorable clauses in vendor agreements that would be affected by change in ownership
  • Termination of key employees
  • Loss of quality resources required for integration efforts
  • Legal rights to existing key applications
  • Source code that is not in escrow
  • Hidden liabilities in licenses and support contracts

The information assessment considers sensitive data-handling requirements and how well data is protected. Generally, this assessment will consider:

  • Systems and data accessible by unauthorized users and how unauthorized access to such data can affect the company’s brand and reputation
  • Authorization, development, and approval processes for the records program
  • Privacy, intellectual property, and other sensitive information collection, usage, storage and complaints-handling processes
  • Third party contractual arrangement adequacy for addressing sensitive information handling

The business assessment considers technology strategy alignment with the business, business process control integrity & automation, and governance & compliance matters. Generally, this assessment will consider:

  • IT strategy that is not aligned with the current and future business requirements
  • Current systems that are not suitable for business requirements
  • Inefficient manual work-around procedures that are required to operate the business
  • Level of system automation that does not match the level disclosed by management
  • Recently-integrated business systems that have internal control integrity issues
  • Internal controls and SOX 404 issues that will impact regulatory compliance
  • Insufficient governance of IT system projects that could result in hidden future IT costs or write down of IT assets due to inappropriate system development

The risk quantification translates identified IT risks into financial impact statements and helps prioritize them for consideration in the final M&A transaction decision.

Today’s risk and compliance environment compels organizations that are developing M&A strategies to integrate IT risk management into their M&A planning and implementation processes. Left unaddressed, IT risk issues can fundamentally affect the overall M&A strategy and desired value creation. A properly structured IT risk management framework and readiness diagnostic can provide practical insights into the information and technology risk issues. Including IT risk management from the outset can make the M&A picture complete, rather than an unfinished puzzle.

Bill Kobel (bkobel@deloitte.com) is a Principal and John Gimpert (jgimpert@deloitte.com) is a Partner with Deloitte & Touche LLP.

Note to McCain, Obama: Don’t forget information security

Posted by Jon Oltsik

Regardless of whether you favor Barack Obama or John McCain, you have to admit that the next president will inherit a monumental mess.

Each candidate has been scrambling to explain how he plans to right the financial ship, rein in growing health-care costs, improve education, and balance the budget. Yikes!

As if this wasn’t enough, the new president and Congress also have an obligation to figure out how to proceed with a strategic plan for IT and information security.

Now I understand that economic, social, and national security issues should have precedence, but the fact is that the federal government is sort of treading water on a number of highly visible strategic initiatives regarding information security. The issue here isn’t new legislation or initiatives, however. It is finishing work that has already been started.

Here are a few examples:

1. The Comprehensive National Cyber Security Initiative (CNCI). This effort grew out of presidential and Department of Homeland Security directives with the goal of standardizing security practices and appointing DHS as the overseer of critical information security infrastructure across all federal agencies. It is estimated that CNCI will ultimately cost around $18 billion to $30 billion. But for now, DHS is asking for $200 million in 2009. As of this writing, these funds have not been allocated to the project.

2. The next revision of the Federal Information Security Management Act (FISMA) of 2002. Back in 2002, FISMA was passed in order to provide a set of guidelines and requirements for federal agencies. Each agency was then graded on a FISMA report card with the results presented to Congress and the public. Several agencies (alarmingly, including DHS) received an “F”, while others saw FISMA as nothing more than a series of check boxes with no teeth. To improve the efficacy and benefits of FISMA, the Senate is currently working on the FISMA Act of 2008 (S.3474). As of now, this bill remains in committee.

3. A national information privacy act. The Personal Data and Privacy Act (S.495) has been languishing in the Senate for years. In lieu of national personal-privacy legislation, 42 states have enacted their own laws leading to a messy situation for any organization doing business across the country. Some states like Nevada and Massachusetts now mandate data encryption to protect data confidentiality, but individual laws remain vague and unique.

These examples pale in comparison to the federal train wreck around Homeland Security Presidential Directive 12 (HSPD-12), a well-intended but unfunded effort to standardize identity technologies for federal workers and contractors. In my opinion, the lack of federal funding has rendered HSPD-12 a bad joke inside the Beltway.

As a private citizen, I can’t help but lament the tremendous amount of wasted effort here, especially in the face of increasingly dangerous information security threats. Bills are discussed but not passed. Some legislation gets passed and is either ignored or treated as a mere check-box item. Other bills are passed and never funded.

Unfortunately, these examples are a microcosm of a broken, wasteful system. Regardless of who becomes our next president, I’ll judge progress in Washington by the government’s ability to pass and fund legislation, meet regulatory compliance mandates, improve information security, and strive for constant improvement. I, for one, will be watching carefully.

Note to McCain, Obama: Don’t forget information security | News – Security – CNET News