Showing posts with label compliance.

Sunday, July 13, 2008

IT Policy Compliance Group Issues 2008 Report on Best Practices

(Courtesy of ITpolicycompliance.com)

The IT Policy Compliance Group just released their annual report on the state of affairs of what they refer to as IT governance, risk and compliance (IT GRC).

The goal of the group is to promote the development of research and information that helps IT and finance professionals meet their organization's policy and regulatory compliance goals. It does this by publishing reports, based on primary research, that organizations can use to improve their compliance results.

If you take the time to check out their site, they have other items of interest to anyone charged with the ever growing responsibility of protecting systems from those who have the intent to compromise them.

The recently released report suggests that measuring the value delivered by IT has traditionally been associated with applications that have an impact on customer service, sales, expenses and profit. Unfortunately, as more organizations have their data compromised, the result of not protecting information can be a loss of revenue, added expenses (such as legal costs), and a loss of consumer trust.

This is especially true if the compromise becomes a matter of public record.

Included in the report is an analysis of recent losses incurred by a large retailer ($530 million) and a large financial services firm ($100 million). The analysis takes into account the loss of revenue due to business disruption and the loss of consumer trust, in addition to harder costs such as legal expenses. Other analysis covers losses suffered by an automotive manufacturer and a rental and leasing company.

IT departments are constantly being challenged to be up and running 100 percent of the time to maximize efficiency. While doing this, they also need to protect their data and adhere to legal and regulatory requirements.

The challenge is to manage business opportunity and risk at the same time. The 2008 report shows that the firms with the most mature practices in compliance and risk management are doing better and spending less to achieve their goals. This translates into more revenue, profit and customer retention.

The report shows that continuous improvement in risk management and compliance with a focus on operational excellence is paying dividends. Organizations with a mature compliance process have evaluated their processes and made them part of the culture within an organization. While this encompasses the involvement of all facets of an organization, two key items are the support of senior management and training employees to embrace a culture of compliance.

The most mature firms have developed formalized training for their employees, supported by senior management, on subjects like ethics and codes of conduct, IT security and data protection policies, and legal compliance, as well as subjects like sexual harassment and discrimination. They have also developed processes and trained their employees in how to deal with emergency situations.

The human factor is always the key to success in any organization. It makes sense that successful organizations focus their efforts through their most valuable resources, which are human beings. Very few exploits are successful without a healthy dose of social engineering.

Also of interest in this informative report is an analysis of results by industry and size. One shoe doesn't necessarily fit all and taking the time to examine all the different types of organizations that use technology to accomplish their goals makes the report a valuable read.

The report, which is located on ITpolicycompliance.com, is only available to members of the site. That said, the site is soliciting new members and the sign-up process is simple.

Besides this report, the site has a lot of other valuable information as well. I would recommend the site and its resources to anyone interested in the mysterious world of compliance, because it takes the subject to the level of making sense and developing best practices that will benefit the overall objectives of any organization.

Tuesday, March 06, 2007

Ruby Tuesday serves a blow to credit card skimmers

Ruby Tuesday is doing something about credit card fraud. They announced yesterday that they will be introducing an encrypted credit card system to protect their customers from fraud.

The AP is reporting:

The system, which is expected to be in all the restaurant chain's 900 locations by April, leaves no credit card information at the restaurant and is instead sent to the bank in encrypted form. The system is said to help prevent identity theft.

Criminals (some say of the organized type) have recently been targeting a lot of unprotected information. Some of this information is bartered in underground chat rooms set up for this purpose.

Of note, Visa International commented that the new system is fully compliant with PCI data protection standards.

AP story, here.

If you would like to see the sheer volume of recent data breaches, Attrition.org has a chronology, here.

If you would like to see how easy it is for your payment card information to get skimmed at a restaurant, you can view an interesting video, here.

Saturday, April 15, 2006

Does Teamwork Make Sense in the Age of Compliance?

The Age of Compliance is rapidly coming into vogue. Inspired by the need to deal with terrorist organizations and an ever increasing rise in financial crime, governments and private organizations are tightening their procedures.

Traditionally, the business approach to controlling exposure has been segmented into different areas. In most organizations this would include the finance, legal, corporate security and IT departments.

But let's face it, compliance and security cost money, and the groups that ensure them don't bring money to the bottom line. They do prevent losses to the bottom line, but when they do their jobs, exposure is prevented and there is nothing tangible that can be measured.

DataMonitor (Norkom Technologies) recently did some interesting research, which might point to a way to be more effective and reduce the cost of compliance.

"Traditionally financial service providers have viewed...Financial crime and compliance as separate disciplines," explained Paul Kerley, CEO of Norkom Technologies, continuing:

"But within an increasingly tight-margined industry there is a strong desire to pursue a single investment stream to both reduce criminal losses and drive down the cost of compliance. This is now achievable since single technology platforms are now emerging that can detect crime, investigate it and compile the management information required to fulfill the regulator's requirements."

Teamwork is a powerful tool, and with the rapidly changing face of the business world this makes perfect sense. In fact, anyone involved in compliance knows that the exposure increases daily and that the bad guys (terrorists and criminals) use the ever changing face of technology to further their sordid goals.

Organized criminals and terrorists are also combining "job disciplines," and many experts suspect that they recruit experts from the financial, IT and legal sectors. In the case of the Eastern European groups, they also employ former security and intelligence experts.

Terrorists are doing the same thing.

Phil Williams, Professor of International Security Studies at the University of Pittsburgh, highlighted this in a paper a few years ago when he wrote:

"Many governments, businesses, and individuals around the world are just beginning to learn how to make best use of the latest information technologies. But organized criminal enterprises have already discovered these technologies as new opportunities for exploitation and illegal profits."

In his paper, Professor Williams also wrote:

"Criminal organizations and drug traffickers have increasingly hired financial specialists to conduct their money laundering transactions. This adds an extra layer of insulation while utilizing legal and financial experts knowledgeable about financial transactions and the availability of safe havens in offshore financial jurisdictions."

"Similarly, organized crime does not need to develop technical expertise about the Internet. It can hire those in the hacking community who do have the expertise, ensuring through a mixture of rewards and threats that they carry out their assigned tasks effectively and efficiently."

As for the terrorists, their use of technology and financial expertise is well documented.

Recently, the FBI and other law enforcement organizations have recognized the need for greater teamwork between experts from the law enforcement and business worlds.

Based on the signs of the times, consolidating these resources within companies will not only cut costs, but will probably also make their efforts more effective. In fact, it makes perfect sense, at least to me.

For an article about this by InvestorsOffshore.com, click on the title of this post.