Compliance

  • IT and Compliance: 5 Big Predictions for 2008
    Service-oriented IT processes and technologies will help managers bring the enterprise into line in 2008—perhaps not a moment too soon. We can't shake the feeling that something big and very bad is lurking 'round the corner. Grab a security blanket and carefully read on for the hopes and horrors of 2008.  
  • Case Study: A Healthy Sense of Security
    While reacting to changes in the market, a health care services company has proactively tightened down security beyond HIPAA and aims for certification on the relatively tough ISO 27001 standard.  
  • Own Your Identity: 10 Best Practices for Role-Based Access
    Learn the 10 best practices for access management collaboration.  
  • Fixing the PCI Encryption Problem
    Fines and fees are looming after the September 30 PCI compliance deadline. Still, less than half of merchants report full compliance with PCI security requirements, and encryption failures contribute to four out of five failed PCI audits. Why can't companies get encryption right? Here are five key steps for overcoming encryption hurdles.  
  • Top 10 Employee Security Gaps to Plug Right Now
    If it seems that companies aren't learning anything from the front-page security mistakes of competitors, take heart: Consultants and security experts are. Based on their experience and observations, here are 10 security gaps the experts have observed over and over, along with advice for addressing them.  
  • Reconciling with Records Management: Top 10 Requirements
    Records management, in the words of the related ISO 15489 standard, is the "creation, receipt, maintenance, use and disposition of records." An increasing number of regulations have driven companies to put their records management programs in order. Learn the top 10 best practices for ensuring the integrity of your records.  
  • Shoring Up Your Framework
    No single enterprise risk management framework is comprehensive enough to guide your company in meeting all of its compliance, governance, and risk management needs. Instead, you'll want to selectively combine standards by building around a central framework, such as COSO or AS/NZS 4360, and reinforcing it with one or more of these risk assessment standards.  
  • Data Breach Kit: Five Steps to Help You Survive the Inevitable
    Fact: Information systems are porous. Most companies will, despite their best efforts, allow some level of data exposure during the next year. Are you ready? Learn the tools and processes you need in place now to control data-breach damage, perform digital forensics, and gather the evidence required to recover and reduce risk.  
  • Private Lessons: Public Sector Notes on Security
    Although the spotlight tends to shine on the poor grades federal agencies receive for their information security efforts, notable security successes in government are often overlooked.  
  • Complaisant or Compliant: Training Employees to Care
    Particularly in IT compliance, a focus on technical security tends to eclipse human factors, with serious compliance implications. Good training programs need to be measured and controlled, and need to incorporate feedback loops so that the people responsible for the rulemaking get input from the enforcers and (more importantly) from the employees who are subject to them.  
  • Moving Targets: The Risk of Mobile Devices
    Mobile data management presents a classic risk vs. reward scenario for business. While mobile devices are all but essential for many aspects of business, the risk of lost or stolen data is significant. Learn how companies are controlling the risk around these proliferating devices by assessing critical areas of mobile data management.  
  • Access Control: 10 Best Practices
    Properly implemented, access controls give employees access only to the applications and databases they need to do their jobs. At many regulated organizations, such controls are too often manual, outdated, and largely ineffective. Here's how to overhaul your access control program.  
  • Beyond the Crudware Complex: Planning Smarter IT Investments
    Technology acquisition is a complex, often speculative task. Whether the means is build or buy, long-term value goes unmeasured and unrealized. The result is vaporware—or worse. What's the solution to spending savvy? A little-known framework for IT investment management could provide the answer.  
  • Seven Strategies for Compliance Change Management
    Driven especially by SOX, companies are turning to change management to provide needed discipline for changes to IT infrastructure and systems. To ensure the integrity of systems storing regulated data, as well as the attendant IT policies and procedures, companies are increasingly adopting change management practices.  
  • ESI Come, ESI Go: Next Steps for E-Discovery
    Since December, the US civil code has included electronically stored information (ESI) in its requirements for legal discovery. But surveys show most companies are unprepared to comply. What's the holdup, and how can companies move toward sustainable e-discovery management?  
  • Disaster Recovery Planning: Lessons From the Recent Past
    In terms of disasters, it's been an eventful few years with hurricanes, floods, earthquakes, and winter storms. However, the silver lining of every dark cloud is a lesson that can help you prepare for the next incident. Experts share valuable advice to bolster your business continuity plans and face the inevitable force majeure that could cripple your company.  
  • The Best Compliance Resource You Don't Know About
    The Government Accountability Office (GAO) produces a wealth of guidance and reports for the entire federal IT system, but this knowledge is just as applicable to their private sector counterparts. Here's a treasure map to navigate the GAO site, find reports of interest, and access critical compliance information.  
  • Corporate Life or Death: Data Breach Triage
    When disaster strikes and victims flood into an emergency room, doctors conduct triage to determine the severity of injuries and who gets treatment first. Companies can similarly prepare for the inevitable data breach by building a cross-disciplined incident team trained to assess the damage, stop the bleeding, and respond appropriately to regulatory bodies and customers.  
  • Proving Grounds: Securing Test Data in Regulatory Environments
    In many companies, developers use live data in unsound test environments but remain unmindful of the fallout if that data leaks out. Why should your compliance guard be relaxed when developers use test data to design the systems that store and dole out access to such sensitive information? Here are five ways to manage test data in regulated environments.  
  • Q&A: How Security Budgets Determine Compliance Success
    New study highlights commonalities between companies with the fewest IT compliance deficiencies.  
  • Q&A: Automating Security Controls for Compliance
    Can companies use built-in ERP capabilities to better automate their IT controls?  
  • Q&A: Balancing E-Mail Security and Compliance
    How quickly can you search and retrieve e-mail and instant messages relevant to a regulatory inquiry or court-ordered discovery process?  
  • Spinning Can-Spam
    The FTC says federal anti-spam legislation is effective. Experts disagree.  