IT Governance, Risk and Compliance report 2008
11/06/05
Comsec Consulting, an information security consulting firm, presents valuable knowledge and real-life advice on the challenges businesses face in managing, and staying ahead of, IT governance, risk and compliance.

Addressing fifty senior IT security professionals from blue-chip companies, Roy Harari, Managing Director of Comsec UK, introduced the sessions by outlining the trends and drivers behind the shift from pure IT security to overall risk and compliance management.
Nissim Bar-El, Comsec's Chief Executive Officer and Chairman, highlighted the demands of GRC on any business, while explaining the complexity of this issue and the challenge of actually integrating GRC with Information Security. According to Mr. Bar-El, companies today are juggling the challenge of GRC with the numerous existing GRC solutions, as well as with ongoing Information Security risks and requirements.

Also speaking at the event was Lord Erroll, spokesman for the House of Lords Science and Technology Select Committee's report on personal internet security. Lord Erroll highlighted the anecdotal way in which governmental rules and regulations are being referred to and relied upon as definitive measures when it comes to securing information online.
He said, 'The issue of IT security is complex. There are rules and regulations to adhere to, but the IT professional is still unsure of their role or their requirements to ensure their company's compliance. Cybercrime and its implications on businesses are still not fully understood, or taken seriously at a governmental level, even in the wake of such serious data loss incidents as reported by the media. The government needs to take responsibility and put into place a serious provision of support and incentive guidelines, including technical information, for all UK businesses. The future lies in governance (not control) and incentives; in new and evolving encryption and authentication technology and in groups committed to cyberwarfare, such as the CPNI (Centre for the Protection of National Infrastructure).'
Henk Van der Heijden, senior manager at Comsec Consulting, provided the conference with an overview of compliance, framing it in terms of the risk of legal or regulatory sanctions, material financial loss or loss of reputation that a company may suffer as a result of its failure to be compliant. Simply put, compliance enables companies to assure the integrity and confidentiality of their data.

Mr. Van der Heijden said, 'The first step for UK companies is to identify the rules, regulations, laws and policies applicable to their company, then break down the IT requirements and control objectives, ensuring that there is no duplication of IT requirements to fix one problem. Map out the business processes, use existing frameworks and monitor, analyse and report on the compliances needed. Overall, be clear about what they are trying to achieve, set clear reporting and responding lines and define responsibilities.'
Mike Popham of InfoGov presented an integrated approach to GRC, citing as its drivers increased competitive pressures, ethical and financial standards, accountability demands, increasing regulation and demands from stakeholders. He also outlined the different approaches to gaining compliance: asset-based risk assessment, threat modelling, technical auditing, dependency modelling and gap analysis. He stressed the need for companies to be more proactive, to bring top-level management on board and to set objectives with achievable results.

Addressing the payment and financial services industry, Peter Warner, Comsec Adviser and former Vice-President of Fraud & Security at Europay/MasterCard, revealed the lengths to which hackers will go in order to retrieve credit card details and steal identities.
Mr. Warner said, 'Total UK issued credit card fraud has increased by over 25% in 2007, compared to 2006. Card Not Present Fraud accounted for over half of all fraud and this fraud type alone increased by more than 36% in 2007. Fraud abroad saw a 77% rise year on year. This is for a number of reasons. Some merchants may be to blame, as they are not all storing data in compliance with the Payment Card Industry Data Security Standard (PCI DSS), formulated by the five largest credit card companies (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) in order to enforce a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, and thus regularise the multiple information security issues standing before credit card merchants and vendors worldwide. Fraud losses per card compromised can be as much as £500 or more and in addition those responsible for the breach face penalties from the card associations and compensation fees payable to the card issuers.'

Mr. Warner continued, 'PCI provides an organisation with an ample opportunity to review the security strategy and controls which can deliver competitive advantage, maintain a positive corporate image and safeguard consumer confidence. Non-compliance can result in damaged reputation to the brand; potential loss of consumer goodwill; financial liability for fraud/chargebacks; fines, penalties and potential legal liability.'
GRC is a challenging trend in the Information Security market, combining various standards, schemes and complex controls. There is a lot of confusion about what exactly GRC is and which sub-components to consider when establishing a GRC programme. Professionals should be engaged in the establishment of such a programme, bringing experience in adapting it to the specific circumstances of each company. There are quite a few common issues that should be noted before undertaking a GRC programme. Comsec's event, "GRC Made Easy", focused on providing professional insights and practical guidance on some of the key issues companies face with GRC.
Nick Gibson, editor