Despite the slew of data privacy breaches I have written about here, the EU and UK as a whole have a longer horizon to reach critical mass with secure and compliant payment card environments. This is surprising given the seriousness and depth of the body of law in these regions around data protection and security. It is now being addressed more seriously by the PCI SSC with the appointment of Jeremy King as the Director for the EU.
A nice article from TechTarget is available here. The challenge of addressing member-state, EU, and UK mandates is nicely articulated by King in the following excerpt:
He concedes that Europe is more complex because every country has its own rules, regulations and requirements. “This creates challenges that are different in each country. I’ll be going round the different banking associations and acquirers so we can tackle some of the issues and resolve some of the problems that are preventing people from achieving PCI compliance,” King said.
The value of the PCI DSS structure, though, is that it is consistent across all borders and applies specifically to payment card environments wherever they operate. That consistency should drive greater adoption, not less, unless there are national laws that conflict with adopting industry best practices.
An interesting discussion, and a welcome, progressive step to see a stronger focus on providing resources, support, and time.
ComplianceWeek has two examples of implementing IT-GRC solutions in multi-billion dollar organizations. Interestingly, each deployed in its own fashion and took away different lessons from the experience. The article speaks directly about SAP technology, but the successful GRC implementation practices apply to any organization.
In fact, evolving an organization’s risk framework through the adoption of an IT-GRC solution benefits organizations of any size, and even individual lines of business within an organization. I discussed GRC and its business benefits here for additional insight, and, with registration, the OCEG documents are quite insightful.
A key point within the article is its focus beyond the risk, security, and compliance benefits generally listed for GRC. GRC offers numerous benefits that improve profitability, lower failure rates within operations, and enhance business communications, among others. The simple reality is that greater clarity and effective automated systems are a strategic advantage in every business.
The article highlights a few specific GRC implementation tips and can be found at this link. Below are my ‘next’ three tips to consider:
- Do your pre-planning: Just as a marathoner does not simply walk to the start line and figure it out along the way, organizations seeking to integrate an important technology such as GRC (one that will become ingrained in critical business operations) must consider how things should happen out of the gate. Business leaders and technologists need to identify the specific objectives, parties, and inputs/outputs required. Such specifics ensure targeted project management and prevent scope creep. The secondary benefit of adhering to a plan (and there can be many cycles in which the process is continuously enhanced) is the unambiguous recognition of having achieved the targeted goals and objectives, an effect that will certainly help maintain the momentum of the project.
- Training and Paperwork: In order to successfully integrate the technology into your organization, it is necessary to know how the work is accomplished today, or how it should be done given the culture and business objectives. It is therefore best to first work through the components of the GRC program on paper and in collaborative work sessions before sitting down in front of an administrative console. These work sessions should produce specific ‘paper’ on how permissions, authorization, core business metrics, and the like are to be enabled in the application; the technical specifics of how that will be done come afterward. In most cases this type of program design can occur before any vendor product is selected, and can therefore serve as purchasing criteria once defined.
- Seek Professional Help: The article highlights the benefits of leveraging third parties to augment business staff in successfully launching these programs. It is critical that such third parties be brought on board for this work. In lieu of specialty teams, a business could hire individuals with deep experience in the technology and specialty. In either case, focus on experience, targeted delivery, and proper teaming with business teams, technology teams, and other service providers.
The Two Reviews of GRC Software Implementations from ComplianceWeek can be found here.
Other best practices / thoughts?
James DeLuccia IV
The British government’s Defence Manual of Security (2001) was leaked to the internet on October 4, 2009. The press and WikiLeaks provide a good breakdown of the information within it, and it is fairly accessible to those interested. What strikes me as interesting is not that it is now in the public space, but the concern some organizations have about exposing their security protocols. The thinking is as follows:
How does this relate to your practices as an organization within information safeguards, PCI DSS, and GRC?
Security requires a good plan and a properly executed set of operations. The reality is that security is good because it is well designed and well run, not because it is unknown: security through obscurity is a flawed practice, proven so time and again. Compare the scrutiny open source withstands with the many broken “proprietary / secret” protocols and methodologies; a design that holds up only while its details are unknown fails the moment they leak, as this manual just did. The point is this: good security should sustain the glaring spotlight and demonstrate the difficulty of breaching it, rather than having weaknesses that are protected only by blind luck.
In short, organizations should not be afraid to share their security realities and compliance safeguards with their teams and partners. Obscurity is not the answer; security comes only through prudent review, regular enhancement, and agile response to shifts in the business and the risk landscape.
The combination of good self-assessments, transparent and open audits with partners and firms providing attestation services, and open dialogue between the business and the owners of information assets is key.
The leaked document is 2,389 pages, so you may want to get a venti coffee.
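To make the obscurity point concrete, here is an added example of mine; it is not code from the post, from the leaked manual, or from any product. It tags a message so a receiver can tell it is genuine in two ways: scheme A hides a constant in the code and relies on nobody knowing the transform, while scheme B uses the published HMAC-SHA256 construction with a secret, randomly generated key. The constant, the key, the function names and the messages are all constructed for this demonstration. An attacker who learns the algorithm, which is exactly what happens when a manual or source tree leaks, forges tags under scheme A from a single observed sample; the same knowledge leaves scheme B intact.

```python
import hmac
import hashlib
import secrets

# Scheme A: a transform whose only protection is that nobody knows it.
# The "key" is a constant baked into the code, so a leaked document or
# source tree leaks the key with it. (Constant constructed for this example.)
_OBSCURE_CONSTANT = b"internal-use-only"


def obscure_tag(message: bytes) -> bytes:
    """Repeating-key XOR of the message with the baked-in constant."""
    k = _OBSCURE_CONSTANT
    return bytes(m ^ k[i % len(k)] for i, m in enumerate(message))


def obscure_verify(message: bytes, tag: bytes) -> bool:
    return obscure_tag(message) == tag


def forge_obscure(known_message: bytes, known_tag: bytes, new_message: bytes) -> bytes:
    """Attacker's view once the algorithm is public: one genuine message/tag
    pair yields the keystream, which then tags any message up to that length."""
    stream = bytes(m ^ t for m, t in zip(known_message, known_tag))
    if len(new_message) > len(stream):
        raise ValueError("need a longer known sample to forge this message")
    return bytes(n ^ s for n, s in zip(new_message, stream))


# Scheme B: the algorithm (HMAC-SHA256) is fully published; only the key is
# secret, and the key is a per-deployment random value, not a code constant.
def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison; a plain == would leak timing information
    return hmac.compare_digest(hmac_tag(key, message), tag)


def spotlight_test() -> tuple:
    """Give the attacker identical knowledge under both schemes: the algorithm,
    one genuine message/tag pair, and a target message to forge.
    Returns (scheme A forged?, scheme B forged?); constructed messages."""
    genuine = b"approve transfer 100 to acct 42"
    target = b"approve transfer 999 to acct 1"

    # Scheme A: the published algorithm plus one sample is enough
    forged_a = forge_obscure(genuine, obscure_tag(genuine), target)
    a_forged = obscure_verify(target, forged_a)

    # Scheme B: knowing HMAC-SHA256 in full does not help without the key;
    # the attacker's best effort is a tag under a key they guessed
    key = secrets.token_bytes(32)
    _observed = hmac_tag(key, genuine)  # the sample the attacker sees
    forged_b = hmac_tag(b"guessed-key", target)
    b_forged = hmac_verify(key, target, forged_b)

    return a_forged, b_forged


if __name__ == "__main__":
    print("scheme A forged, scheme B forged:", spotlight_test())
```

This is Kerckhoffs's principle in practice: a system should remain secure when everything about it except the key is public. Reviews and audits can then concentrate on key handling and day-to-day operations, which is where real weaknesses live, rather than on keeping the design itself secret.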
Other thoughts? Any moving forward lessons found in the document?
So, there are tremendous implications for their business model, but to place the spotlight on one area, let’s focus on data security and regulations (my favorite). AMEX is one of the organizations that built the PCI DSS, the PCI SSC, and all of its recent publications. The intent of PCI was to have industry-enforced mandates that protect cardholder data. As private associations, Visa and MasterCard had a lot of leeway in how they handled operations and were able to contain the management of requirements. Given the IPOs of these two associations, and now AMEX becoming a bank, the future looks far different than it did 3 months ago and 12 months ago.
Banks operate under extensive regulation, and there is substantial guidance on safeguarding data through information technology controls. The FFIEC handbooks are world renowned for their coverage in this area. In addition to these known requirements, further third-party requirements will be introduced. Anyone who has worked with a financial institution required to abide by GLBA knows that the institution’s service providers must satisfy those requirements too.
My point in highlighting GLBA and regulatory leakage (when the requirements of one sector trickle down into other sectors of the economy; SOX, anyone?) is that while PCI DSS is here to stay, there will be greater forms of validation surrounding information technology and controls. Those who operate within the payment industry would be strongly advised to continue practicing PCI DSS, but also to maintain a more holistic view of contributing and supporting regulatory mandates to ensure smooth operations in the near future.
Other thoughts on how AMEX becoming a bank will impact business?
James DeLuccia IV
Event Update: BOOK Signing, Free Tastings, and such at Starbucks 1400 Dunwoody Rd, 2-4pm Nov. 23rd. (there will be prizes, so feel free to stop by even for just a moment!)
In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 report has represented the de facto standard for quantitative fraud calculations and risk mitigation efforts. While there is no substitute for reading the full report, I will highlight the following key areas: Audience, Nuggets, and Action Items.
The report is written for those who have fraud responsibilities within the organization and those who have assets worth exploiting. Therefore the audience I see (beyond the obvious fraud professionals) includes:
- Chiefs – CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
- Business Owners – VP, Directors
- Team Leaders – of small teams
Nuggets:
- 67 pages of facts sum up 959 cases of occupational fraud
- 7% of annual revenues are lost to fraud (up from 6% two years ago)
- In the U.S. that is approximately $994 billion in fraud losses
- 25% of the cases in the sample caused losses of $1 million or more
- Tips identified 46.2% of all frauds
- Small businesses suffer more frequently (39.1% of all frauds) and more severely (losses nearly double those of public companies)
- Independent audits of financial statements were the most common control and nearly the least effective at mitigating fraud (a large gap between perceived and actual accountability)
- Most effective controls: internal audit, surprise audits, management review of internal controls, and fraud hotlines
Action Items:
- Re-prioritize internal controls to address fraud
- Identify which roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
- Emphasize training employees in fraud recognition, and in the safeguards (whistleblower policies) and mechanisms (confidential hotlines) available to them
- Institute a mature process that follows up on all leads completely and objectively (the damages of a fraud grow over time, so quickly eliminating an identified fraud has strong rewards)
- Establish surprise audits and mandatory job rotation
Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment; segments of it may be adopted today and into the future. In addition, the ability to eliminate subjective values from risk calculations is tremendous.
James DeLuccia IV
Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston. My session on Best and Worst IT controls is on Monday!
“Medicine rarely tastes good. The introduction of Sarbanes Oxley was, for many, accompanied by significant distaste for the idea. In the longer term, it does appear that those institutions exposed to the rigours of more exacting compliance regimes have made more progress with developing integrated governance and controls frameworks.
Financial institutions in the western hemisphere are ahead of their eastern colleagues. Our analysis shows only a quarter of financial firms operating worldwide have a reasonably integrated compliance and controls framework – all of these firms are from the west. These results suggest there is much to do in the Asia Pacific region both in continuing to create regulatory regimes and continuing to raise the quality of internal governance and control systems.”
A published research study by Deloitte, quoted above, highlights the importance of integrating compliance, governance, security controls, and risk management into an enterprise control environment. The economies of scale translate to approximately a 2.5% difference in expenses incurred; against current expenses of $78 billion, that is a material impact on any company’s bottom line. In addition, “Banks, insurers and investment banks have all seen the costs for governance and control rise by around a third between 2003 and 2006.”
Check out the article here, and consider: how integrated is your control environment? Have you eliminated the silos that manifest over time? Are you leveraging the full value of your technology infrastructure, your licenses, your power consumption?