I am a strong believer in group “live” training experiences where I am in a room with individuals who have different perspectives, challenges, and questions. Unfortunately, the real world keeps spinning and constant training is not always possible, so the web (yes… that which gives and takes) has online training. For those unaware, there are several very good free online training seminars for PCI DSS. In fact, the one I am highlighting is “sponsored” by MasterCard.
After free registration (the simplest I have yet seen), you are provided with a list of sessions to listen to, or you can download the PDFs! There are currently nearly a dozen sessions here. They cover the following topics:
- Maximize Internal Preparation for PCI DSS New!, by Mathieu Gorge – CEO Vigitrust
- Network Segmentation New!, Mark Lippman – Senior Partner, Arsenal Security Group
- Data Encryption: Understanding Encryption and PCI DSS New!, by Gerard Onorato and Jeffrey Foresman
- An Introduction to the PCI Security Standards Council, by Bob Russo – General Manager, PCI Security Standards Council
- A Detailed Look at PCI DSS Requirements, by Andrew Henwood – Director of Operations, One-SEC/Trustwave
- A look into the new Self Assessment Questionnaire, by Jennifer Mack – Vice President, MasterCard Worldwide
- A Merchant’s Journey towards PCI Compliance, by Alexander Grant, General Manager British Airways
- Understanding Account Data Compromise, by A. Bryan Sartin – Vice President Investigative Response, Verizon Business
- Preparing for a Successful PCI Assessment, Lessons from the Field, by Michael Walter – Senior Partner, Arsenal Security Group
- Reducing Your Risk: A Look Into PCI Vulnerability Scanning, by John Bartholomew – Vice President, Security Metrics
- Security and the Payments Systems, by John Verdeschi – Vice President, MasterCard Worldwide and Jeremy King – Vice President, MasterCard Worldwide
- Compliance Validation & Beyond, by Sally Ramadan – MasterCard Worldwide
I have gone through several thus far, and my comments on a few are as follows:
- Maximize Internal Preparation – Helpful. Core message: set up a diverse team that includes senior management, and leverage your QSA’s experience
- Understanding Account Data Compromise – Educational. Great walk-through! Check out Michael Dahn’s excellent ongoing articles on the carder market
Check out the online webinars here. I am sure there are many others, so please add them below in the comments to help everyone!
Best,
James DeLuccia
Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Security
In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 report has represented the de facto standard for qualitative fraud calculations and risk mitigation efforts. While there is no substitute for reading the full report, I will highlight the following key areas – Audience, Nuggets, and Action items.
Audience:
The report is written both for those who have fraud responsibilities within the organization and for those who have assets worth exploiting. Therefore the audience I see (beyond the obvious fraud professionals) includes:
- Chiefs – CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
- Business Owners – VP, Directors
- Team Leaders – of small teams
Nuggets:
- 67 pages of facts sum up 959 cases of occupational fraud
- 7% of annual revenues are lost due to fraud (up from 6% two years ago)
- In the U.S. that is approximately $994 Billion in fraud losses
- 25% of the fraud sample involved a million dollars or more in damages
- Tips identified 46.2% of all frauds
- Small Business suffers more frequently (39.1% of all frauds) and greater (nearly double that of a public company)
- Independent audit of financial statements was the most common control and nearly the worst at mitigating fraud (a high-error area where the perception of accountability does not match reality)
- Most Effective Controls: Internal Audit, Surprise Audits, Management review of Internal Controls and Fraud Hotlines
Action items:
- Re-prioritize internal controls to address fraud
- Identify what roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
- Emphasize training employees on fraud (recognition), on the safeguards (whistleblower policies), and on the mechanisms (confidential hotlines)
- Institute a mature process that follows up on all leads completely and objectively (the damages of a fraud grow over time, so quick elimination of identified fraud has strong rewards)
- Establish Surprise Audits and mandatory job rotation
Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment. Segments may be adopted today and into the future. In addition, the ability to eliminate subjective values in risk calculations is tremendous.
Kind regards,
James DeLuccia IV
Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston. My session on Best and Worst IT controls is on Monday!
Categories: Compliance · IT Controls · ROI · Risk Management · audit · regulations