IT Regulatory Requirements

Lack of an effective IT Risk Management program increases the likelihood of security breaches
of your organization’s computer systems. As a result, your organization may suffer from:

Business disruption and unavailable services
Leak of corporate and trade secrets
Exposure of private customer data
Financial penalties due to regulatory non-compliance
Civil lawsuits
Loss of client confidence


Needless to say, a security breach can be very embarrassing and costly. Regulators, shareholders,
clients and business partners, as stakeholders, mandate that management exercise due diligence;
hence, information systems must have adequate internal controls and must effectively address
the increasing security challenges.


Dodd–Frank Wall Street Reform and Consumer Protection Act

If your organization is not working towards assessing the implications of the Dodd-Frank Act,
then its compliance program may already be falling behind.

The Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law by
President Barack Obama in July 2010 to close the legal loopholes that contributed to the financial
crisis of 2007-2010 and to provide more regulation and oversight of the financial industry, although
the law applies to all publicly held companies.

Like the Sarbanes-Oxley Act, Dodd-Frank comes with many compliance requirements,
several of which IT Risk managers should be aware of. For example, the whistleblower
incentive encourages employees to provide the Securities and Exchange Commission (SEC)
with information on fiduciary wrongdoing at their companies. Specifically, in cases where the
amount of a potential financial fraud tops $1 million, a whistleblower could collect a bounty
equal to as much as 30% of the amount of the fraud. Therefore, a whistleblower may not report
a potential fraud until it exceeds $1 million, so that the reward can reach 30%.
Although the law prevents enterprise compliance professionals from cashing in, others in IT are
eligible. As a result, enterprise IT Risk professionals may face new headaches and must ensure
that controls are in place to prevent wrongdoing performed using the company's electronic platforms.
The new law may be an incentive for employees to spy on each other, or to ignore malfeasance until it’s worth
their while to report it.


Sarbanes-Oxley (SOX)

In the wake of corporate scandals, investors, employees and the public at large demanded reform
in the regulatory environment of large corporations. In order to restore integrity and trust
in corporations, the Sarbanes-Oxley Act (SOX) of 2002 was created, including Section 404,
which deals specifically with internal control reporting.

SOX Section 404 requires an annual evaluation of, and report on, the effectiveness of an organization’s
internal controls over financial reporting. Auditors must attest to and report on the internal control
assessment of the management team. Since financial reporting relies heavily on Information Technology
and Systems, such operations are included in the internal controls framework. As a result, Information
Technology (IT) and Information Systems (IS) should be incorporated into the compliance
assessments. Unfortunately, most technology professionals are not familiar with the mandatory
requirements for Sarbanes-Oxley compliance. Meeting the compliance requirements effectively and
efficiently demands the right experience and understanding of the internal control framework to
scope the work that is truly needed, without including more than is required.

DataGuardZ has extensive experience working with public companies developing and maintaining their
regulatory compliance program.


Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) was enacted in November 1999. Under this Act,
a financial institution is defined as any business that engages in "financial activities".
Included in this Act is a set of rules commonly referred to as the "Safeguards Rule."
The Safeguards Rule is intended to protect the financial institution’s customers from identity
theft and other harm by requiring financial institutions to protect their customer information from
misappropriation, alteration, tampering, etc.

The specific GLBA Safeguards Rules include:

Information Security Program and Coordinator - Financial institutions need to have
someone in charge of assessments, implementations, and updates to the physical and
electronic security of the financial institution. This person (or persons) is in charge of managing
security policies, procedures, and FTC-required paperwork.
Risk Assessment - Financial institutions are required under the Safeguards Rule to
identify reasonably foreseeable internal and external risks to the security, confidentiality,
and integrity of customer information. This process should be carried out by the Security Program
Coordinator through a Risk Assessment that identifies foreseeable risks, including
attacks through the Internet, viruses, and compromises of the physical aspects of
security (e.g. no password protection or shared "common" passwords).
Security / Risk Control - Financial institutions must design and implement safeguards to
control the risks identified through the Risk Assessment. To protect against inside and
outside threats, financial institutions must take “reasonable measures” to implement a
system for intrusion detection and prevention.


DataGuardZ can assist our clients in building the technical, administrative and procedural
controls in order to comply with the GLBA Safeguards Rules.


Federal Financial Institutions Examination Council (FFIEC)

The Federal Financial Institutions Examination Council (FFIEC) is charged with creating uniform
principles, standards and report forms for financial institutions. Thanks to the FFIEC Information
Technology Examination Handbook series, compliance with these standards is clear and
regulatory expectations are no longer ambiguous. The series was jointly developed by several
parties including the Board of Governors of the Federal Reserve System (FRB), the Federal
Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the
Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).

The series consists of a suite of a dozen IT handbooks that address the expected controls for
topics such as audit, business continuity, operations and retail payment systems.

Conducting technology audits for your financial institution offers a cost-effective solution for
meeting FFIEC IT requirements. DataGuardZ's knowledge pool combines
regulatory experience and technical knowledge that is unmatched. Having worked with financial
institutions for over a decade, we understand the regulatory and technical challenges faced
by our clients.

Our audit services are designed to keep your institution in compliance and ensure that the
institution's technical environment is secure.


HIPAA/HITECH

The Health Insurance Portability and Accountability Act (HIPAA) introduced a variety of
organizational and procedural changes that address the confidentiality, availability, integrity
and overall security of Electronic Patient Health Information (ePHI) within the healthcare and
medical services industry.

If your organization is a Covered Entity (CE) as defined by the Department of Health and Human
Services, you are required to implement a variety of practices within your organization.
These are defined in the HIPAA Security Rule. One of these requirements is to conduct periodic
assessments and reviews of your company’s policies, procedures and overall information
systems security posture.

DataGuardZ has been leading the way in HIPAA security consulting, CFR 164.308 Risk Analysis,
and vulnerability assessments, and provides our clients with comparative information and baselines
against industry standard practices in addition to the HIPAA-mandated review items in the
Security and Privacy Rules.

DataGuardZ will provide your organization with a complete assessment as required under the
HIPAA specifications. This includes on-site interviews with personnel, review of established
policies and procedures, system assessments, and remediation suggestions. DataGuardZ
provides a detailed report in addition to an executive summary chart showing
your HIPAA security posture against each of the required implementation specifications.