The Court found that the method by which Public Company Accounting Oversight Board (PCAOB) members are appointed does not grant the Executive branch sufficient oversight because of the restrictions on when members can be removed from their position. According to Chief Justice Roberts' opinion, "The consequence is that the Board may continue as before, but its members may be removed at will by the (Securities and Exchange) Commission." And for those arguing that SOX doesn't have a severability clause that maintains the act's legality even when a portion of it is overruled, Roberts clarifies that "the unconstitutional tenure provisions are severable from the remainder of the statute."
Last Monday, Stephanie Balaouras and I recorded a podcast on a recent hot topic amongst Forrester clients — Enterprise Role Management (ERM). For the most part, people understand fundamental provisioning so I wanted to take this time to go through ERM in a little more detail.
Over the past few months, I have been asked many questions about taking ERM to the next level — about how to expand and automate identity management infrastructure. Before determining whether this is the right step for your company, however, it's important to understand the two most important benefits from doing so and also recognize the prerequisites.
Among others, two benefits of ERM are security and compliance. Achieving a more mature role management system will increase your organization’s security around information sharing, and it will enable understanding of the segregation of duties. Before achieving this level of security and compliance, it’s important to simplify your identity repository and create a clear-cut set of records. This allows for a recertification phase when managers can take the time to revoke or grant access to existing accounts. Once you have created a clean, up-to-date role management database, your organization is ready to look forward to taking ERM to the next level.
After speaking with many clients on this topic, I have garnered a solid list of best practices that everyone should be aware of before attempting to strengthen any ERM system. These practices include data points around user population and recertification timelines, whether or not a hierarchical approach should be adopted to organize roles, and the value of tools such as Web single sign-on and security incident and event monitoring as they relate to role management.
In my ongoing work with risk management professionals, I've been encouraged to see how quickly the role is growing in influence and responsibility in today's business environment (even though the drivers for that elevation are often disastrous). Along those lines, I read a great article this morning in StrategicRISK, discussing the window of opportunity for risk experts, aptly entitled Keep Your Eyes on the Prize.
The article quotes the Institute of Risk Management's deputy chairman, Alex Hindson, who says that top executives and boards of directors are looking for risk management guidance, and if risk experts in their organizations can't step up to fill that role in their "window of opportunity," it will be filled instead by auditors, finance professionals, or external consultants.
In my recent engagements with Forrester's clients in risk management, I've certainly seen a lot of interest and participation from other functions in the business - most notably audit and IT. And just last week, my colleague Craig Symons published a report explaining key issues in risk management for the CIO.
We recently embarked on a Forrester-wide research project to benchmark the use of social technologies across enterprise organizations. Why is this important? Well as you may know, we cover social technologies from a wide range of perspectives — from roles in marketing to IT to technology professionals. We find each of these roles differ in their general “social maturity” and that most companies are experiencing pockets of success, but few, if any, are successfully implementing it across the board. In fact, full maturity in this space could take years, but there are clear differences in how some “ahead of the curve” companies are using social technologies for business results.
There are serious security and risk concerns with social technology but there are also significant business and operational benefits. Security professionals have to determine how they can mitigate these risks to an acceptable level without significantly hampering the business. If you haven’t seen it, Chenxi Wang has written an excellent report on how effective management of social media can alleviate security risks. Check out To Facebook Or Not To Facebook.
There is also some discussion about how security professionals might use social technologies to their own benefit — particularly to leverage the knowledge of other security professionals to combat the growing sophistication of security attacks. If you haven’t seen it, check out John Kindervag’s report SOC 2.0: Virtualizing Security Operations.
A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.
The key to success is understanding the core elements of risk management and how to plug them into existing processes without creating simply another layer of overhead. A major theme of my recent research has been on existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk , provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.
In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.
I recently recorded a podcast with Stephanie Balaouras, discussing the potential for increased collaboration between crisis communication, business continuity, and risk management functions. The strategies that businesses implement to manage disasters can mean the difference between bankruptcy and resilience... and we unfortunately see reminders of this on an almost weekly basis.
As each disaster hits the news (BP’s oil spill in the Gulf Coast, the recent volcanic eruption over Iceland, the financial crisis, the H1N1 virus, the extreme weather that crippled Washington, DC this past winter, etc.), the overwhelmingly negative impacts that occur start to hit home. Fortunately, we are starting to see our clients turning more to their crisis communication, business continuity, and risk management teams to ensure that they are prepared for the worst.
There are many potential points of collaboration between these teams. . . from modeling critical business processes and assessing the business impact of incidents to executing effective remediation plans and conducting post-incident loss analysis. Recently, I’ve also seen companies that talk about starting from scratch with a risk management function, although they have already done a substantial amount of relevant work for their business continuity function.
Of course, while there are some good trends that point to increased cooperation, there are still many areas for further improvement for every company. In fact, our data shows it to be the rare case in which both internal and external crisis communication functions are handled well in the same plan, with one usually being much stronger and more of a focal point.
Last week I published two research reports on the hottest topic in PCI: Tokenization and Transaction Encryption. Part 1 was an introduction into the topic and Part 2 provided some action items for companies to consider during their evolution of these technologies. Respected security blogger, Martin McKeay, commented on Part 1. Serendipitously, Martin was also in Dallas (where I live) last week and we got an opportunity to chat in person about the report and other security topics.
Martin’s post highlighted several issues that deserve some response. He felt that I, “glossed over several important points people who are considering either technology need to be aware of.” Let me review those items:
Comment: “This is one form of tokenization, but it completely ignores another form of tokenization that’s been on the rise for several years; internal tokenization by the merchant with a (hopefully) highly secure database that acts as a central repository for the merchant’s cardholder data, while the remainder of the card flow stays the same as it is now.”
This is my first post as the new Research Director for the Security and Risk team here at Forrester. During my first quarter as RD, I spent a lot of time listening to our clients and working with the analysts and researchers on my team to create a research agenda for the rest of the year that will help our clients tackle their toughest challenges. It was a busy Q1 for the team. We hosted our Security Forum in London, fielded more than 443 end client inquiries, completed more than 18 research reports, and delivered numerous custom consulting engagements.
In the first quarter of 2010, clients were still struggling with the security ramifications of increased outsourcing, cloud computing, consumer devices and social networking. Trends have created a shift in data and device ownership that is usurping traditional IT control and eroding traditional security controls and protections.
We’re still dealing with this shift in 2010 — there’s no easy fix. This year there is a realization that the only way that the Security Organization can stay one step ahead of whatever business or technology shift happens next is to transform itself from a silo of technical expertise that is reactive and operationally focused to one that is focused on proactive information risk management. This requires a reexamination of the security program itself (strategy, policy, roles, skills, success metrics, etc.), its security processes, and its security architecture. In short, taking a step back and looking at the big picture before evaluating and deploying the next point protection product. Not surprisingly, our five most read docs since January 1, 2010 to today are having less to do with specific security technologies:
I was able to catch pieces of live testimony in front of the House Financial Services Committee yesterday on the Lehman Brothers collapse (covered via live blog by the Wall Street Journal). It was interesting to watch former Lehman head Richard Fuld reluctantly attempt to explain to an understandably skeptical audience, “We were risk averse,” in the period leading up to the company’s collapse.
Meanwhile, Goldman Sachs is back in the spotlight after the SEC leveled charges of fraud against the company last week related to alleged misstatements and omissions in the marketing of specific financial products. While this seems like a relatively small initial shot at the large financial firms, the SEC appears to be reasserting its authority after a series of embarrassing stories have come out about failures of oversight including Madoff, Stanford, and now Lehman.
So what does all this mean for governance, risk, and compliance professionals?
It’s hard to tell what might come of the fraud charges against Goldman Sachs, but if anything, this appears to build a case for more rigorous compliance policies and manual oversight. It’s hard to see how automated controls could have helped here, but the case could involve substantial e-discovery to determine how certain marketing decisions were made.
Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built-in? Has the Pin Entry Device been rigorously tested and meet all the PIN Transaction Security Guidelines? There are so many things consumers should know about the security of these new methods of payments *before* they allow their credit card to be captured by an iPad or iPhone. Is the card's Personal Account Number (PAN) encrypted at the moment it is swiped by the device? Does the device establish an encrypted tunnel to transport the transaction to the payment gateway? Doe the iPad store the PAN? Is that storage encrypted or unencrypted? Does the processor support a tokenization scheme to keep the iPad out of PCI scope? Is the payment app the only thing running on the iPad?