SarbanesOxleyFocus.com

June 25, 2008

Connecting Compliance, Security and Business Goals

Filed under: article, sarbanes oxley, security — admin @ 11:09 pm

Did you know that the difficulty of scaling existing compliance programs such as Sarbanes-Oxley, HIPAA and PCI DSS, along with security management programs, to meet new requirements is creating a resource crisis within many organizations? As a result, large enterprises are seeking ways to actively streamline their compliance activities, to operationalize their security management programs, and to gain value from automating and integrating both.

By building scalability into your compliance efforts, you can reduce manual processes and gain efficiencies for future compliance. By examining trends in compliance and security management along (more…)


Sarbanes Oxley Compliance for SAP R/3 Resources

Filed under: article, sarbanes oxley, security — admin @ 4:46 am

From a regulatory compliance perspective, IT teams have two responsibilities: support enterprise-wide compliance efforts, and ensure that IT itself is compliant with internal and external regulations such as Sarbanes-Oxley (SOX), HIPAA, PCI DSS, FDA rules, etc. In other words, the IT and SAP teams support the compliance efforts of every department in the company while also ensuring that their own governance, risk, controls and systems are compliant.

This means IT is second only to the finance department when you assess the day-to-day impact of SOX. Most of the internal compliance effort is focused on the change management controls driven by Section 404, which dictates management's responsibility to implement and document internal controls, implement good segregation of duties, assess their effectiveness, and report on their ultimate compliance with the documented process.

For SAP teams, this translates into several (more…)


June 24, 2008

Cost Avoidance versus Return on Investment, a SOX Security perspective

Filed under: article, sarbanes oxley, security — admin @ 8:51 pm

Security has been and will continue to be an overhead expense for all organizations, as are payroll and the other administrative tasks required to keep an organization running. The question that seems to pop up every few months in the security industry is: what is the value of all the security work that takes place within an organization? Organizations want to see what the Return on Investment (ROI) is for the security budget that is currently used or expected to be used in the future. Establishing an ROI is a very difficult task. After all, if the security team is doing its job, the organization will likely not see a measurable impact from security problems.

Although several projects are under way to determine what the ROI on security is, none of them has effectively or simply defined it. You can find more information on this subject by performing a simple Internet search on "Security ROI." The best approach is not to try to determine the ROI for security, but rather to determine the benefit of cost avoidance provided by the security work accomplished, and what ROI that can provide. (more…)


What is the difference between Regulations, Legislation, and Guidance?

Filed under: article, glossary, implementation — admin @ 5:58 am

Different types of documentation serve different purposes. As the following list explains, some documentation is internally driven and some is externally driven. To prepare for the interview process for an information security position, you need to understand what types of internal security documentation the organization may have and what external security-related regulations the organization must comply with. Your understanding should cover the differences between regulations, policy, procedures, legislation, and guidance, as follows:

Regulations: Regulations are requirements that can come in many forms. They may be industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which addresses health care organizations. Regulations may also be wider in scope, for example the Federal Information Security Management Act (FISMA). Regulations are essentially the formal requirements that an organization must follow. Regulations can be either internally or externally generated, monitored, and enforced (more…)


June 23, 2008

Do small public companies need a one-year extension for SOX compliance?

Filed under: article — admin @ 5:11 am

The SEC recently approved a one-year extension for SOX 404(b) compliance for smaller public companies. This should be good news, since many small public companies find it difficult to comply with this standard.

The SEC announced that it has approved a one-year extension of the compliance date for smaller public companies to meet the Section 404(b) auditor attestation requirement of the Sarbanes-Oxley Act. The SEC also announced that it received Office of Management and Budget (OMB) approval yesterday to proceed with data collection for a study of the costs and benefits of Section 404 implementation, focusing on the consequences for smaller companies and the effects of the Section 404 auditor attestation requirements. The results of the study are expected to become available during the extension period.

With the extension, smaller companies will now be required to provide the attestation reports in their annual reports for fiscal years ending on or after Dec. 15, 2009. SEC Chairman Christopher Cox first proposed this one-year delay for small businesses during December 2007 testimony before the House Small Business Committee, and the Commission formally proposed this extension on Feb. 1, 2008.

