Tag Archives: risk management

FISMA capstone document released by NIST — Government Computer News

The National Institute of Standards and Technology has released a draft of its guidelines for implementing enterprisewide information risk management. The document defines the underlying principles for implementing the Federal Information Security Management Act.

via FISMA capstone document released by NIST — Government Computer News.

In 2011 The GRC Market Will Grow 20%, Driven More By Breadth Than Maturity | Forrester Blogs

On the heels of Forrester’s GRC Market Overview last month, this week we published my Governance, Risk, And Compliance Predictions: 2011 And Beyond report. Based on our research with GRC vendors, buyers, and users, this paper highlights the aggressive regulatory environment and greater attention to risk management as drivers for change.

via In 2011 The GRC Market Will Grow 20%, Driven More By Breadth Than Maturity | Forrester Blogs.

E-crime Now More Common Than Real Crime

If there was any doubt about the popularity of electronic dupery, it should be put to rest with a report on global fraud released this week by the risk management consulting firm Kroll. For the first time since 2007, when the company began putting together its annual survey on crime, electronic fraud surpassed physical scams as the most common form of fraud in the world.

via E-crime Now More Common Than Real Crime.

Enterprise risk management: Get started in six steps

I propose that ERM is worth doing and doesn’t have to be so complex if you simply “begin with the end in mind,” as Stephen Covey says in The 7 Habits of Highly Successful Security Leaders. Or would have said if he’d written such a book.

The basis of my thoughts is COSO’s ERM framework (link goes to a PDF of the Executive Summary). Here is the end to keep in mind as you begin your ERM efforts, taken from COSO’s work:

via Enterprise risk management: Get started in six steps.

SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance

In particular, the new rules require disclosures in proxy and information statements about:

* The relationship of a company’s compensation policies and practices to risk management.

via Press Release: SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance; 2009-268; Dec. 16, 2009.

ISO 31000 Risk management

By now, many of you have read the newly released ISO 31000 Risk management — Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

via The Forrester Blog For Security & Risk Professionals.

ISACA to host IT security conference in Las Vegas

The role of the IT security professional has expanded from securing an enterprise’s information to also managing the associated risk. ISACA has responded by offering the new Information Security and Risk Management Conference, which combines the most timely material from two of ISACA’s well-regarded security-related conferences.

ISACA, a nonprofit association serving 86,000 IT governance professionals, will host the Information Security and Risk Management Conference in Las Vegas, Nevada, USA, on 28-30 September 2009. The all-encompassing event is designed for all levels of IT security professionals.

via ISACA to host IT security conference in Las Vegas.

Is IT Risk Management Compatible With ERM?

But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.

via The Forrester Blog For Security & Risk Professionals.

PCI DSS Incident Response: The Legal Perspective #PCI

The SANS Institute InfoSec Reading Room recently published an article by Christian J. Moldes entitled PCI DSS and Incident Handling: What is required before, during and after an incident. Moldes’ whitepaper is a good starting point for developing an incident response plan to address payment card security breaches. The paper hits upon the key aspects of payment card security breach handling from an information security professional’s point of view. The paper, however, speaks little of the legal implications of a payment card security breach, and the incident response considerations that arise out of those implications.

via InfoSecCompliance.com – Technology, Privacy and Security Law & Risk Management » Blog Archive » PCI DSS Incident Response: The Legal Perspective.