We peruse the Internet headlines so you don’t have to. Here are the recent SOX and GRC headlines (and links) we felt are newsworthy:

SEC Outlines Compensation Disclosure Challenges Resulting from Bailout - John White, who directs the Corporate Finance Division of the Securities and Exchange Commission, warned that companies participating in the $700 billion rescue package might face disclosure challenges when it comes to executive compensation. The bailout’s restrictions on so-called "golden parachutes" - now limited to $500,000 per senior executive - may even impact non-participating companies, in that their disclosures may need to include salary restructuring that resulted from the economic crisis. White also noted that the SEC would examine the annual reports of the nine largest U.S. banks as part of its SOX-mandated selective review program.

PCAOB Proposes New Risk Rules - In an effort to highlight the integral nature of fraud and risk assessment to the auditing process, the PCAOB has proposed seven new auditing standards. The standards incorporate improved risk assessment methodologies and integrate risk assessment standards, while coming into greater alignment with those developed by the International Assurance Standards Board and the U.S. Auditing Standards Board. The proposed standards are open for public comment until February 18, 2009.

U.S. Firms Pressured to Reduce Power of CEOs - Among corporate governance activists, there’s an increasing demand for a "separation of powers" in the CEO and chairman roles. While European companies typically have a different person filling each role, in slightly over half of U.S. and Canadian companies, the same person is both CEO and chairman. The activists, who are looking to mutual funds to take the lead in urging the split, argue that many of the companies that have gone under or faced problems during the stock meltdown had dual-role leaders at the helm.

Employee Ghosts Haunt Your System - Just as the Powell Doctrine calls for a threat to national security, use of overwhelming force, and a clear exit strategy before going into battle, those engaged in IT risk management need to develop and implement a plan to mitigate the risk left behind by former employees. Deleting accounts and files poses a minefield of legal compliance issues; removing access and tracking data access provides no meaningful information; and the unknown detritus of employees gone bad could derail you. The solution? A centralized ID management strategy that defines roles and privileges ahead of time. This gives you the force and exit strategy you need to mitigate threats to your company’s security.

Seven years after Sept. 11, and in the wake of many major natural disasters such as forest fires, hurricanes and flooding, nearly half of U.S. states either have no state-level emergency plan or do not provide it readily to the public, reveals a new study by George Mason University Communication Professor Carl Botan.

Despite federal laws that require a state emergency operations plan (EOP) as a prerequisite to some federal funding, 22 states were unable to provide Botan with an EOP, withheld the plan on security grounds or made it difficult for even trained researchers to gain access.

Residents of these states, Botan says, may question their state’s preparedness because they are unable to find out how the highest authorities in their state coordinate responses to major disasters or how to have a say in those plans.

"While most Americans will have access to some important state-level information during emergencies, many may not. When minutes may make the difference between life and death in an emergency situation, the population should not have to waste precious time looking for answers or who to turn to," Botan said.

The study, "Using Sense-Making and Co-orientation to Rank Strategic Public Communication in State Emergency Operations Plans," graded and ranked the state emergency operations plans of the 50 U.S. states and the District of Columbia on their communication components.

Botan analyzed the accessible state EOPs for three criteria: if the plans had a two-way communication component, if they addressed the communication needs of vulnerable populations and if they treated public communication as important enough to specifically address it in the plan.

He found that the 29 jurisdictions that do have plans available make provisions for public communication — including news releases and public broadcasts, but only 16 of them make explicit or implicit provisions for two-way public communication such as community forums and focus groups. Botan feels that two-way public communication is essential in the plans, for that will allow the state to understand what its residents feel they need in emergency situations.

Of the 29 plans obtained, only two — Washington, D.C. [which is treated as a state-level entity for this purpose] and New Mexico — received a perfect score of eight for communication.

In addition, while 16 states mentioned vulnerable publics, only 13 of these discussed specific communication strategies for these vulnerable publics in their plans. For example, California mentions specific strategies such as dispatching special teams targeting vulnerable populations like the aged and the disabled, while Arizona simply mentions that emergency managers must pay attention to "special needs" people like residents of nursing homes and the hearing impaired, but does not outline specific strategies to communicate with them.

As of 1988, all states are required under the Stafford Disaster Relief and Emergency Assistance Act to have a written EOP in order to qualify for some federal funding. "Billions of tax dollars have been spent on homeland security in the last half-decade," Botan says. "It’s very important that these plans are available to the public. Otherwise residents can’t be confident their needs have been thought of, and aren’t sure who they can count on."

The study, co-authored by George Mason University alumni Paul Penchalapadu, is to be presented at the National Communication Association annual conference in San Diego on Saturday, Nov. 22.

    Table 1
                       RQ 1: Two way          RQ 2: Vulnerable
                       communication             Populations
                     Two way     Phone      Specific       If no
                    strategies   lines     strategies    strategy,
                     employed     only      employed      mention?

    DC                  4                       2
    New Mexico          4                       2
    Ohio                4                                    1
    New Hampshire                   2           2
    Vermont                         2           2
    Georgia                         2           2
    South Carolina                  2           2
    Mississippi                     2           2
    Nebraska                        2           2
    Alaska                          2                        1
    Arizona                         2                        1
    Virginia                        2                        0
    Maine                           0           2
    Oregon                          2                        0
    Pennsylvania                    0           2
    Oklahoma                        0           2
    North Carolina                  2                        0
    Texas                           2                        0
    Alabama                         2                        0
    Rhode Island                    0           2
    California                      0           2
    Wisconsin                       0                        0
    North Dakota                    0                        0
    Kentucky                        0                        0
    West Virginia                   0                        0
    Washington                      0                        0
    Colorado                        0                        0
    Louisiana                       0                        0
    Utah                            0                        0

                  RQ 3: Separate Component    Total
                    Separate    If no         Score
                   component   component,
                    present     mention?

    DC                  2                       8
    New Mexico          2                       8
    Ohio                2                       7
    New Hampshire       2                       6
    Vermont             2                       6
    Georgia             2                       6
    South Carolina      2                       6
    Mississippi         2                       6
    Nebraska                        1           5
    Alaska              2                       5
    Arizona             2                       5
    Virginia            2                       4
    Maine               2                       4
    Oregon              2                       4
    Pennsylvania        2                       4
    Oklahoma            2                       4
    North Carolina      2                       4
    Texas               2                       4
    Alabama             2                       4
    Rhode Island                    1           3
    California                      1           3
    Wisconsin           2                       2
    North Dakota        2                       2
    Kentucky            2                       2
    West Virginia       2                       2
    Washington          2                       2
    Colorado            2                       2
    Louisiana           2                       2
    Utah                2                       2

RSA recently announced the findings of its latest insider threat survey, conducted among attendees at industry events in North America and Latin America in the spring and summer of 2008.

The survey polled 417 individuals — including delegates at the RSA Conference — who confessed to their work-related security behaviors and attitudes. The survey respondents work across a range of industries, with a heavy concentration within the financial and technology sectors. Almost half of the respondents’ job functions were in information technology. During this era of well-publicized data breaches, the results indicate that even those who should know better are not exempt from the everyday behaviors that can trigger significant risk to sensitive business information.

Of the respondents polled:

• 46 percent work in the financial services sector.
• 20 percent work in the technology sector.
• 46 percent are IT professionals.
• 11 percent are executives.
• 54 percent work in companies with more than 5,000 employees.

The results of the survey show that employees are well aware of the restrictions placed upon them by their corporate IT departments, yet many often work around these controls in order to get their jobs done in a convenient and timely manner.

Of all respondents polled:

• 94 percent are familiar with their organizations’ IT security policies, yet 53 percent have felt the need to work around IT security policies in order to get their work done.
• In response to a separate question, 64 percent frequently or sometimes send work documents to their personal e-mail address in order to access and work on them from home.
• At the U.S. event, this statistic decreased to 50 percent, but increased to 62 percent at the Mexico event and 71 percent at the Brazil event
• 15 percent have held a door open for someone at work that they did not recognize
• The Brazil event reported the best figures at 7 percent, followed by 16 percent at the Mexico event. By contrast, the results from the U.S. event revealed almost one in three insiders (31 percent) have let a stranger into their workplace.

When trusted insiders work around security policies, sensitive data can be exposed that places businesses and their customers — often consumers — at unnecessary risk. Organizations can greatly mitigate this risk by developing information-centric security policies that acknowledge and align with the needs and realities of the business. This can help guard the integrity and confidentiality of information throughout its lifecycle — no matter where it moves, who accesses it or how it is used. In tandem, organizations should build-in more convenient, invisible, and layered security technologies that can reduce the factors that cause employees to break the rules and defeat their own company’s security policies.

In a mobile world, the survey affirms that employees depend on remote access to corporate information when outside the office, whether at home or in public places.

Of all respondents polled:

• 89 percent frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail.
• 58 percent frequently or sometimes access their work e-mail via a public computer, and 65 percent frequently or sometimes access their work email via a public wireless hotspot.

Remote access to sensitive data requires stronger forms of authentication than a simple, static and vulnerable combination of a username and password. To help solve this problem, organizations can maintain the flexibility and convenience of remote access to VPNs and webmail by providing one-time passwords via a hardware token, or a software token that is easily accessible on mobile devices such as BlackBerry smartphones.

The survey findings show that, in order for employees to be most productive, information has to be free to move. However, employee mobility increases the collective responsibility of protecting the information that is carried outside of the organization.

Of the respondents polled:

• One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it.
• The Mexico event reported the highest incidence of exposed corporate data, with a staggering 29 percent of all respondents confirming that they had lost a laptop, smartphone and/or USB flash drive; the U.S. event had the lowest figures, at 5 percent.
• 79 percent frequently or sometimes leave their workplace carrying a mobile device containing sensitive information related to their jobs, such as a laptop, smartphone and/or USB flash drive.

While mobility is essential to business agility, unprotected information — wherever it is kept or stored — increases risk. A policy-based approach to securing data helps to enable organizations to classify their sensitive data, discover that data across the enterprise, enforce controls, and report and audit to ensure compliance with policy.

"Data loss prevention is a key concern for those in charge of today’s corporate networks and information assets. However, with the sheer portability of information that we have today, it is essential that that data is governed not by the whims and day-to-day actions of your employees, but rather by pre-determined policy and subsequent controls," said Tom Corn, vice president of data security at RSA. "In this way, organizations can prevent sensitive information from being written to a USB flash drive in the first place — or at least mandate that it is encrypted."

Organizations are dynamic and individuals’ roles often change within the organization - be it an employee’s internal move to a different job function or an outside consultant who moves on after the completion of an engagement. However, the governance of the corporate network does not always stay in lockstep with these moves.

Of all respondents polled:

• 43 percent had switched jobs internally and still had access to accounts/resources which they no longer needed.
• The Mexico event reported the best results with 30 percent, followed by the Brazil event at 42 percent. However, at the U.S. event, one out of every two respondents (50 percent) still had access to unnecessary areas of their corporate systems.
• 79 percent reported that their company employs temporary workers and/or contractors who require access to critical organizational information and systems.
• 37 percent have stumbled into an area of their corporate network to which they believe they should not have had access.

Access to highly sensitive data should be granted only to those who need it, and in some job functions access to only very specific areas within the information infrastructure are necessary. Organizations can manage large numbers of users while enforcing a centralized role-based security policy that ensures compliance, protects enterprise resources from unauthorized access and makes it easier for legitimate users to do their jobs.

"The survey reveals that it is as important for businesses to diligently enforce information security controls and policies focused on protecting the everyday actions of well-meaning, innocent insiders as it is to enforce those designed to defend against those with malicious intent," said Christopher Young, senior vice president at RSA. "It remains clear that businesses need to take a layered approach to security to help mitigate the insider threat and keep data safe. As such, it is important for any organization to know who has access to your information; control access through policy; monitor for suspicious activity to verify user identities; create and enforce data security policies and controls; and transform real-time event data into actionable compliance and security intelligence."