Compliance News

• Federal agent indicted for using a government database to stalk his ex-girlfriend

  Jilted agent made unauthorized use of the database 163 times

• Loss of backup tape in Ohio leads to Connecticut state lawsuit against Accenture

  State of Connecticut sues for negligence and other causes

• Apple’s Jobs is subpoenaed in stock option-scandal

  SEC wants testimony in its suit against Apple’s former general counsel

• Simple measures can’t gauge outsourcing success, experts say

  Forrester Research takes a holistic approach, uses 150 different measures

• UK defense agency hands out BlackBerries to staff members

  Units can be erased remotely if stolen or lost

• Security system doesn’t protect online firm from coordinated hacker attacks

Working in tandem from multiple IP addresses, hackers systematically milk customer credit card data from Web site

• New PCI DSS guidelines are on the horizon for application developers

  New rules would add to, rather than replace, the current set

• Most financial institutions have suffered external security breaches, and users are typically to blame, UK survey shows

  But upper management has been slow to get involved

• Ex-CFO files for damages after dismissal for document destruction

  Whistleblower or weasel, ex-exec wrestles with Sunrise Senior Living over claims of wrongful termination

• Storm worm botnet flexes its muscle

  Huge botnet has been attempting to drive anti-spam organizations off-line for weeks with denial of service attacks

• Cybercrime now bigger than the illegal drug industry, expert says

  The criminals have the upper hand as cybercrime becomes a burgeoning business bringing in $105Bn and the authorities are slow to respond

• Daylight Savings Time poses potential problems for unpatched systems

  Unpatched systems must set their clocks and "fall back" on October 28th as opposed to November 4th

• IT Process Institute releases survey and benchmark of best practices that really work

  Change management and configuration management were found to be important

• Business managers overlook IT risk management to their detriment

  IT risk management can make the business far more agile and ensure smooth change management

• E-Health records too easy to hack, report complains

  Medical users spend too little attention, money on IT security

• European Commission claims the UK failed to properly implement one third of the Data Protection Directive

  Of the 34 aricles in the Data Protection Directive, the European Commission reports 11 were not satisfied by the UK Data Protection Act 1998

• GAO says SEC investigations are floundering

  Decentralization and inadequate management systems are touted

• DHS issues preparedness investment guidelines

  Regional collaboration and communications are near the top of the list

• TD Ameritrade data breach exposes entire customer database

  Intruders appear to have used the information for spam rather than identity fraud

• Online bazaar for stolen credit card details still flourishes

  $400 can get you someone else’s bank account details

• Google calls for minimum global privacy standards

  Search engine endorses principles already proposed by APEC

• COSO publishes preliminary version of internal control monitoring guidance

  Document is intended to help organizations who must comply with Sarbanes-Oxley section 404

• DoJ workers must now use government-issued computers for telecommuting

  The department bans the use of privately-owned PCs and digital assisants to ensure proper encryption and monitoring for all machines utilized for telecommuting

Posted in General | No Comments »

Continuity Corner #6

The Radian Group’s

Business Continuity

Approach

Over the next few months we will update the Continuity Corner weekly about “breaking news” in the world of Business Continuity Planning, or about details specific to developing a BC Plan. The approach we will use is diagrammed below.

© 2007 The Radian Group                                                      

Before we get started, are there any specific topics that you want to explore?

Lisa DuBrock is a Partner and IT Compliance Practice Manager for The Radian Group, LLC.  You can contact her via email.

Posted in Business Continuity Management, General | No Comments »

Selling IT’s Business Value to Management

Why IT must take a lowest-common-denominator approach to dealing with the suits.

By Stephen Swoyer (For IT Compliance Institute)

If business executives are from Mars, IT managers are … well, not from Mars, in any event. The rub, analysts have long maintained, is that business and IT leaders come from two very different worlds. As a result, they not only speak different languages but often have entirely different perspectives.

The upshot, Cutter Consortium researchers say, is that business and IT frequently talk through (or even past) one another. One way to change this, they argue, is for IT to take a lowest common denominator approach to dealing with the suits.

"The IT organization has been incapable of communicating IT’s business impact to business executives. That is, other than IT’s cost, the IT organization has not credibly communicated the impact and value of what they do to the business executives who pay the bills," write analysts Bob Benson, Tom Bugnitz, and Bill Walton in a Cutter Consortium research advisory.

Such advice might seem like a no-brainer, but the Cutter trio says it’s actually a distinct refinement of the prevailing conventional wisdom, which argues that IT should justify itself on the basis of its costs and benefits to the business. While this is as true as ever, the Cutter researchers stress, it’s also undeniably vague. What’s needed, they argue, is a prescription—call it a protocol—for how IT can most clearly communicate its impact to business executives.

Enter the lowest common denominator. "To establish IT’s business impact requires expressing what IT accomplishes in business terms, as viewed by business executives. This means describing what IT does with business basics such as return on investment, business process improvement, flexibility and responsiveness to business requirements, competitive differentiation, and so forth," they write. "This positions IT, in the minds of business executives, like a business service provider, not like a technology supplier."

As for brass tacks, Benson, Bugnitz, and Walton suggest a four-pronged approach: For starters, they argue, IT needs to express 100 percent of its costs in service-to-business terms—for example, in terms of application services (i.e., the business support IT provides); infrastructure services (the technical support—e.g., e-mail—IT provides), user services (the business-user support IT provides, such as help desks), management services (the internal organizational support IT provides, such as budgeting), and project services (IT’s ability to deliver new business capabilities). Similarly, the trio writes, IT must learn to assess the performance of each of its service portfolios in strictly business terms. Lest there be any confusion about just what this entails, Benson, Bugnitz, and Walton note, IT organizations must articulate their contributions in terms of business/strategic alignment, service-levels and quality, responsiveness and functionality, and technical and business risk.

The Cutter researchers stress that organizations must learn to budget IT in service-to-business terms. What this means, they explain, is that organizations must learn to recast their IT budgets in terms of what it costs them to provide each of their basic IT services, and not just in traditional terms, such as salaries, hardware or software, and so on.

Finally, organizations must charge out IT to line-of-business customers in service-to-business metrics. This, too, calls for a redefinition of the status quo: in this case, the Cutter researchers stress, IT must establish the charge-out—as perceived by business customers—not in terms of conventional metrics (e.g., resource-utilization), but in terms of the overall utilization of each of the services.

There’s a caveat here, however: IT organizations must learn to charge-back for services as they appear to line of business customers, not as they’re understood by IT itself. "CIOs [must] successfully address business executives’ demand for more impact and less cost—because the conversation is about what the business units actually receive, in terms of service, and exactly what those services cost. This is the foundation for determining how to proceed," they conclude.

Courtesy of Enterprise Strategies

Posted in Compliance Management | No Comments »