Tag Archives: Compliance

Immediate Vault Immediate Access . пин ап Казино предлагает огромный выбор азартных игр, включая слоты, рулетку и живое казино. Щедрые бонусы, регулярные акции и честная игра ждут тебя! Присоединяйся к Pin-Up Казино и почувствуй азарт настоящих ставок прямо у себя дома.

Cultivating a Reporting Culture

Posted on by

While many organizations view whistleblowers as disgruntled employees looking for revenge and monetary rewards from the SEC, this is generally not the case, according to a recent study.

According to “Embracing Whistleblowers: Understand the Real Risk and Cultivate a Culture of Reporting,” by The Network, whistleblowers most often turn to the U.S. Securities and Exchange Commission only after they have tried reporting internally, or if they are concerned about retaliation by their company. In fact, only 20% ever reported to someone outside their company.

Organizations can do much to protect themselves, while also looking after employees. Since the majority of employees go to the company first with their concerns, organizations have an opportunity to address issues before regulatory involvement.

According to the report:

The fact that whistleblowers may prefer to keep things in the company doesn’t mean they won’t turn to the government or media if they think it necessary. Sixty-five percent of surveyed employees would be willing to report externally, “if my company didn’t do anything with my internal report.” An even higher percentage would report externally, “if keeping quiet would cause possible harm to people” or “if it was a big enough crime.”

How can companies manage this risk? By encouraging a strong “reporting culture,” they can learn about, and take care of potential problems through quality hotline reporting programs, The Network said.

Hotline programs have been around for years, but are more important than ever in today’s regulatory and business environment. Compliance teams should stop thinking of hotlines as purely telephonic; they’ve grown to include mobile and Web-based reporting solutions that give employees and others a safe and reliable way to raise their concerns internally via whichever method is most comfortable for them. They also give the compliance team important insight into what is going on inside the company.

 

Staying Ahead of the Financial Industry’s Next Wakeup Call

Posted on by

The financial services sector is no stranger to stringent regulation. At the very least, financial institutions are audited every 18 months. But without a proper security posture, complying with the likes of the Payment Card Industry Data Security Standard (PCI DSS) and others doesn’t always have the dual benefit of protecting against breaches: the PwC 2015 Global State of Information Security report noted a 141% year over year increase in the number of financial services firms reporting losses of $10 million to $19.9 million.

This tells us a few things: first, compliance is all about a company’s interpretation of the rules, which can be bent and glossed over–compliance is, after all, a minimum standard to which firms should adhere. Additionally, regulation needs to have more teeth as security threats become more sophisticated and targeted. Most importantly, with the regulated ecosystem being so complex, institutions should identify the elements prescribed most frequently across compliance mandates and put solutions in place that meet them. While doing so won’t guarantee complete security, it will put firms in the best possible position to protect against attack while simultaneously satisfying auditors.

The Cost of Compliance

The 2014 SANS Financial Services Security Survey, which examines the drivers for security-related spending in the financial services industry, reports that 32% of organizations spend more than one quarter of their IT security budget on compliance mandates. Nearly 16% of respondents say they are spending more than 50% of their security budgets on compliance.

Unfortunately, this investment in compliance doesn’t translate to investment security dollars. In fact, the survey also demonstrates that certain drivers behind firms’ information security programs are competing for resources with compliance mandates; while 69% of respondents say that demonstrating regulatory compliance is a top driver, a majority also cited drivers that tie closely to that, including reducing risk (64%) and protecting brand reputation (51%).

To ensure investment in security and compliance are not mutually exclusive, it takes effort on both sides–firms should put more effective solutions in place, while regulators should have stronger directives to encourage firms to streamline those efforts.

Securing the Endpoint

Specifically, firms should put systems in place that address endpoint vulnerabilities, including insider threat and malware on the devices, rather than on network solutions. The same SANS report elucidates that endpoint vulnerabilities were the biggest causes of security incidents among financial institutions, with abuse or misuse by internal employees or contractors (43%) and spear phishing emails (43%) the most prevalent, followed by malware or botnet infections (42%).

It doesn’t take long to find explicit use cases that corroborate these findings. The JPMorgan Breach, which impacted nearly 76 million households, came down to a hacker that gained high-level administrator privileges. Put simply, the cause for breach wasn’t necessarily the sophisticated malware, but rather, the ritual IT administrator tasks that were compromised. Clearly, while perimeter technologies like firewalls can prevent certain types of external attacks, they cannot block malware that has already found its way onto endpoints within an organization. Layering proactive solutions will be critical to preventing serious threats from occurring.

Least Privilege: The One-Two Punch

Proactive solutions should incorporate layering elements like patching, application whitelisting and privilege management. Taking this defense-in-depth approach will enable financial organizations to more effectively protect against the spread of malware, defending their valuable assets and ultimately their reputation. The dual benefit? They will satisfy auditors.

The least privilege methodology in particular, which limits administrator privileges from individuals and grants them to certain applications instead, is broadly prescribed across multiple financial mandates in the United States–from PCI DSS, to Federation of Defense and Corporate Counsel (FDCC) to the Sarbanes-Oxley Compliance (SOX) mandate. For instance, the PCI DSS has a specific requirement to log activity of privileged users and states that employees with privileged user accounts must be limited to the least set of privileges necessary to perform their job responsibilities.

Internationally, the practice is even more strictly enforced. For instance, the Monetary Authority of Singapore (MAS) has technology risk management guidelines that detail a number of system requirements–such as limiting exposure to cyber and man-in-the-middle attacks – that would be very difficult to achieve without a least privilege environment. In fact, the document presents one section dedicated entirely to least privilege. Here, requirements encourage restricting the number of privileged accounts and only granting them on a ‘need-to-have’ basis. The guidelines also encourage the close monitoring of those who are given elevated rights, with regular assessments to ensure they are always appropriately assigned.

Ultimately, limiting privileged access limits hackers’ attack vector and also prevents staff from implementing sophisticated attacks like logic bombs, knowingly or unwittingly. At the same time, the practice will help achieve compliance, driving down unnecessary spending. While progress is being made collectively between firms and regulators, more can be done; regulators can bring endpoint security top of the priority list and firms can put in practice simpler elements for a strong architecture. A next high-profile security beach shouldn’t be the industry’s wakeup call.

How Does Google Face Global Challenges?

Posted on by

NEW YORK—Staying a step ahead of regulators around the world is challenging for any global business. For Google, it is a “significant challenge, to say the least,” said Andy Hinton, vice president of global ethics and compliance at Google, Inc. After organizing the world’s information and making it universally accessible, the company’s secondary mission is products that help users, he said.

“Google is boundary-less when it comes to what those products might be and what they might look like,” Hinton said during The Wall Street Journal’s Newsmaker’s Forum in April. “So trying to keep up with driverless cars, drones and providing internet service with floating balloons around the world (Project Loon) is a challenge.”

Google’s compliance program includes the company’s trade, bribery, internet security and privacy issues. While any number of issues may surface, he said, “one of them is to help the company respond to some of the criticism leveled against it, mostly in jurisdictions outside the United States, and to make sure responses are consistent with applicable laws.”

With Google Earth, for example, equipment must be moved around the world. Google Earth “enables people to get information access to the earth, where they otherwise might not be able to see those things,” Hinton said, noting that people can now view Mt. Everest and other places they may never get to see otherwise. This involves contact with customs officials and governments and also creates “lots of opportunities to do things wrong and get in trouble,” he said. “So we are always on top of that. Plus, the equipment we use is so unique that we show up in front of a customs official with a camera on top of a tripod on top of a car and they ask, ‘What is that? It’s not in the manual.’ You have to spend time explaining what it is and help them to be comfortable with it.

online pharmacy amoxicillin with best prices today in the USA

While some governments are more difficult to deal with than others, “there are definite challenges in all the continents and countries,” he said. “Obviously privacy is a challenge in Europe, because there is a different perspective around privacy and internet security than there is in the United States. With APAC [Asia Pacific] there is an integration of gift-giving and business that is relatively unique to the APAC region and can present challenges.”

An important part of its compliance strategy is the company’s diversity, which he added is also part of its mission. “Not just diversity in the traditional perspective, but in bringing on people who can understand the challenges in these regions,” he said.

online pharmacy prelone with best prices today in the USA

“So for gift-giving in the Middle East, sure I can sit in Mountain View trying to figure it out, but we hired an attorney who is in that culture and understands U.S. law and can, in that context, help us navigate the region—balancing expectations of the region with legal expectations in the United States.”

Company Strategy

In fact, Google’s overall hiring policies are part of its strategy to “do things differently, or do them better than other companies,” he said. “That requires us to be incredibly sharp in the way we do hiring.” Now that the company has about 60,000 employees, “it’s important to hire people who share your values and buy into your mission. Because if you are not going to have a lot of rules and you are not going to have an enormous compliance program and checkers following people around, there is a lot of trust and autonomy that you give to your Googlers.”

How does the company accomplish this? “When I interview people and they talk about winning and beating the competition, that’s a huge red flag to me,” he said. “When we started, Larry was very much about the users and we still are. If you build something good that users really like, you can figure out the rest. Revenue and everything else will come. People who have that backwards are tremendously dangerous to the company.”

Google also acquires staff through acquisitions, he said, adding that this talent is “much harder to manage. The larger the acquisition and the more the acquisition has its own culture, the greater the challenge.”

Enterprise Risk Management Needed in Battle Against Corruption

Posted on by

Even though the U.S. government has broadened its pursuit against corruption, only about 9% of organizations see Foreign Corrupt Practices Act monitoring as a top concern, according to “Bribery and Corruption: The Essential Guide to Managing the Risks” by ACL.

Many companies have policies against corruption, but it still exists. Although remaining competitive can be difficult in some parts of the world that see payments, gifts and consulting fees as part of doing business, companies need to identify these risks and manage them across the organization. There is much is at stake, as penalties are rising and more companies globally are being fined, the study found.

According to ACL, if a formalized ERM process exists within an organization, then the anti-bribery and anti-corruption (ABAC) risk assessment process should ideally be carried out within that ERM framework. In some organizations, however, the overall risk management process is fragmented, meaning that the risks of bribery and corruption are considered in relative isolation. Whichever approach is taken within an organization, the process of defining the risks should involve individuals with sufficient knowledge of the regulations and ways the business actually works.

“We encourage companies to maintain robust compliance programs, to voluntarily disclose and eradicate misconduct when it is detected, and to cooperate in the government’s investigation. But we will not wait for companies to act responsibly,” said Leslie Caldwell, assistant attorney general in the criminal division at the Department of Justice. “With cooperation or without it, the department will identify criminal activity at corporations and investigate the conduct ourselves, using all of our resources, employing every law enforcement tool, and considering all possible actions, including charges against both corporations and individuals.”

The study’s findings also include: