Today’s information security professionals need to study current and upcoming regulatory compliance requirements to get ahead of the curve. We also need to help protect the organization from fraud and waste and of course that next disaster. This week’s resources involve leading articles and papers regarding compliance, fraud, and business continuity.
It really never ends!
Have another great week.
Dan Swanson
1. Role of Information Technology in Sustained Regulatory Compliance (2006)
This paper focuses on the importance of automated control activities and the role of IT in enabling reliance on those control activities to help organizations achieve sustained compliance and on how to leverage for other business purposes the corporate knowledge collected and maintained for compliance purposes. http://www.cica.ca/index.cfm/ci_id/30229/la_id/1.htm
2. The Canadian Center for Emergency Preparedness (CCEP).
We live in uncertain times. In addition to the day to day pressures of operating, we are now faced with more extreme natural disasters and a new variety of human induced threats (terrorist acts, computer viruses, cyber crime, anti-globalization riots, etc.). For many years, emergency preparedness and contingency planning were thought of as a luxury. Corporations were reluctant to allocate the necessary time, staff or funds to prepare for the possibility of emergencies such as earthquakes, hurricanes, tornadoes, fires, or floods. Many chief executives mistakenly believed that the sheer size of a corporation would ensure survival. Among larger organizations this view has changed and senior management is now recognizing the true value of being prepared.
3. Governing for Enterprise Security
Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business. If an organization’s management does not establish and reinforce the business need for effective enterprise security, the organization’s desired state of security will not be articulated, achieved, or sustained. To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance. http://www.cert.org/governance
4. Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention
This paper focuses on: (1) the audit committee’s responsibilities under SOX; (2) internal controls and how they alone cannot prevent management fraud; (3) how to deter management override of an otherwise effective internal controls system; and (4) procedures to use once the Audit Committee detects management override. http://www.aicpa.org/audcommctr/download/achilles_heel.pdf
5. Auditor Answers: What Should Your Business Continuity Efforts Focus On?
Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics. http://www.itcinstitute.com/display.aspx?ID=2090
6. Boardroom Briefing: Business Continuity and Disaster Recovery
The modern world, despite a surfeit of obfuscation, complication, and downright deceit, is not impenetrable, is not unknowable, and—if the right questions are asked—is even more intriguing than we think. All it takes is a new way of looking. The board members’ job—is to ask the right questions and to be the “new look” eyes and ears for the management team. This Boardroom Briefingwill seed many of those questions. http://www.directorsandboards.com/BoardroomBriefing6.pdf