Canadian Companies Slow to Follow Compliance Laws

Only 10 per cent of top executives feel their peers are fully compliant with C-SOX legislation

Toronto, ON - March 13, 2007 - A Canadian study commissioned by Symantec Corp. (Nasdaq: SYMC) and conducted by Info-Tech Research Group has revealed that only 10 per cent of executives believe Canadian businesses are fully prepared to conform to Bill 198 compliance legislation. Moreover, only 67 per cent of C-level respondents reported having a clearly defined role in supporting compliance processes, while 45 per cent of executives polled regarded the legislation as unnecessary.

Ontario's Bill 198 and sister legislation in other provinces were passed to create a framework equivalent to the U.S. Sarbanes-Oxley Act. "C-SOX" requires publicly held companies to disclose their processes for testing and maintaining secure internal financial systems before implementing their plans over the course of 2007.

The Symantec survey was conducted during the month leading up to and immediately following a critical Dec. 31, 2006 deadline for companies to report on investor protection processes they plan to implement in 2007. Despite the deadline, stiff penalties, and the legislation's intentions, more than half (55 per cent) of respondents from across Canada indicated their companies were, at best, "mostly but not completely compliant." An additional 35 per cent indicated their companies were only partially compliant. At the same time, 63 per cent of respondents indicated their companies spent less than half of one per cent of revenue achieving C-SOX compliance, and one-fifth of those spent nothing at all.

Additionally, 54 per cent of C-level executives were unsure how their companies would meet C-SOX requirements and almost a third (31 per cent) indicated they are not automating compliance processes with software despite the business performance advantages of doing so.

Regionally, respondents from Quebec (52 per cent) felt the strongest that Canadian companies had not done enough to prepare for the Dec. 31 deadline while executives in Ontario were the most optimistic - with only 28 per cent having the view that companies would not meet the deadline.

"The results of this survey indicate that companies are not working fast enough to conform with Bill 198 despite the potential for major fines, damage to reputation, and even jail terms of up to five years," said Constantine Karbaliotis, Canadian senior compliance business specialist, Symantec Corp. "There also seems to exist some confusion with regards to who within an organization is responsible for compliance. It's undoubtedly a big job. That being said, the expertise and solutions companies like Symantec offer are designed to help businesses understand and capitalize on C-SOX-associated advantages, such as improved trust and confidence from both customers and shareholders."

With only nine months left until plans must be fully implemented, Karbaliotis advises executives responsible for compliance to make the effort an organizational priority. He also urges companies to carefully consider the benefits of software-based automation tools, which are intended to make financial disclosure less labour intensive and to make proving compliance to auditors and regulators less expensive.

Not All Doom and Gloom
In spite of results that point to a general malaise about Canadian corporate fiduciary responsibilities, the Symantec survey did find a percentage of companies are meeting their legislative requirements as outlined by Bill 198:

  • Twenty-eight per cent of respondents indicated that, while some differences exist, roles and responsibilities within the corporation were aligned to effectively support compliance processes.
  • Though seven per cent of executives admitted their company missed the Dec. 31 deadline for submitting an action plan, 43 per cent met deadlines with a bare minimum of effort, implying no investment in processes or tools.

"Meeting first-year Bill 198 deadlines was only half the battle, and, unfortunately, a high level of both inaction and resistance to Bill 198 has forced many Canadian companies into a risky game of procrastination," said Ed Daugavietis, senior analyst, Info-Tech Research Group. "Rather than wait any longer, Canadian companies would benefit from process automation before manual ones reach the breaking point. We expect to see growing numbers of companies playing 'catch-up' as they embrace software automation to bring themselves up to the regulatory benchmark and adjust their processes for greater clarity, transparency and control."

More on Security
On Friday, March 10, it can only be imagined that countless managers and CIOs of Canadian public companies breathed a sigh of relief. That day the Canadian Securities Administrators (CSA) announced its intention to propose an alternative approach to reporting on internal control over financial reporting. While the new direction will feature several elements (with more information to come from the CSA later this year), the one receiving the most attention is the intended elimination of the need for auditor attestation of an issuer's reporting on internal control. (There were no material changes to management's responsibilities.) Without auditor attestation, initial marketplace thinking was that management, including CIOs, could take a more relaxed approach to certification efforts. But as companies gain a better understanding of the impact of removing auditor attestation, the euphoria over this change will start to disappear.
Regulatory requirements and increasing consumer concerns about information security breaches are making data-level security controls a top priority for 2007, according to IT managers at the Computer Security Institute (CSI) trade show in Orlando held in November. After years of implementing technologies such as firewalls and intrusion detection systems to keep network perimeters safe, companies now must move similar controls down to the data level, they said.
It was two close calls that changed how Rob Israel thought about encrypting the data on his users' laptops. A few years ago, a laptop at the John C. Lincoln Health System, a Phoenix-area hospital group where Israel is CIO, was stolen from an employee's office. It could have contained financial data or patient information - which would have been worse. But, fortunately for Israel, "the laptop was brand-new and had no data on it yet." Still, this event and an earlier theft of a PC from a common work area (which resulted in a loss of non-critical data) led him to review his company's security strategy.

Featured Resource Paper
Symantec Internet Security Threat Report (July 1 - December 31, 2006)
Download this report now to discover the trends and methodologies underlying network attacks today. Understand how an increasing interoperability between diverse threats and methods can lead to networks being compromised and used in concert as global networks of malicious activity that support their own continued growth. Complimentary with registration.
IT Risk Management Report (Trends through December 2006)
IT Risk is a growing component of total Operational Risk. IT Risk Management, which includes security, availability, performance and compliance elements, each with its own drivers and capacity for harm, is emerging as a separate practice. This study examined IT Risk, along with the technology and process controls used to mitigate it, in a year-long study based on in-depth structured interviews with more than 500 IT professionals around the world.
E-Discovery and Electronic Document Retention in Canada
This paper is a guide to understanding the role of the IT department in the management of electronic documents and support of e-discovery, given new legislation described as "SOX for the CIO". Even without these changes, the issues related to how day-to-day document retention policies and practices affect the outcome of litigation have become patently obvious at the board level. This will undoubtedly bring new interest to existing guidelines on e-discovery in Ontario and in Canada, as many Canadian companies must now consider these amendments as they do business in Canada, or are subject by contractual terms to US laws.
Symantec Enterprise Security Manager™ for C-SOX: Bill 198 and the Canadian Securities Administrators' Multilateral Instruments
The time to develop a plan of action for the Canadian rules on the Sarbanes-Oxley Act ("CSOX") was December 31, 2006, and to put them into operation by end of December, 2007. Controls which have been developed and templated by Symantec for use with Symantec Enterprise Security Manager to manage SOX compliance in the US, are equally valid and useful in managing CSOX compliance in Canada. This paper seeks to show how the Canadian Securities Administrators' rules map to the equivalent US legislation.
"Dear Privacy Officer" - the Nightmare Letter
Given the public's knowledge on the occurrence of privacy breaches brought about by reports in the media, and that in fact these may be underreported, companies should be prepared for Canadians exercising their right to inquire not only what an organization knows about them, but whether their personal information is at risk or has been exposed. Organizations would do well to be prepared for the receipt of the 'nightmare access letter' from an irate consumer who knows a little too much about privacy and information technology. This white paper provides an overview of the principles relating to safeguarding and access. In addition, it includes an example of an access letter, offered as a tool for C-level executives on the forefront of dealing with privacy breach fallout.

Copyright 2006 IT World Canada, Inc. All Rights Reserved.