IT GRC Forum

In my previous blog "Something Rotten in my Kingdom" I asked the question: Can we envisage a way to improve security through compliance? 

Ten years ago, self-regulation through the implementation of good security practices was thought to be the way organizations would protect their, and our, sensitive data but the number of reported security incidents demonstrates that self-regulation doesn't actually work. It's like hoping that a kid does his home work only because he fully understands all the benefit for himself. Actually, this kind of self-governing behaviour requires some level of maturity and a deep self-consciousness of the risks faced.

If you ever endeavour getting data about the compliance rate from PCIco or the Payment Brands you would know how challenging it is, probably more challenging than finding the Holy Grail. So in this context the release of the Verizon 2011 Payment Card Industry Compliance Report is quite enlightening for the security industry and merchant community. It gives us a good sense of reality of the field.

All merchants who accept credit cards are now subject to strict Payment Card Industry standards, rules, and regulations, which require a level of security that took about five years to finally implement.

Regulatory compliance will be the top business issue affecting enterprise information technology (IT) in the next 12 to 18 months, according to a major new ISACA member survey of more than 2,400 IT, security, and audit and assurance managers from 126 countries worldwide.

I am very excited to have been invited to participate in the community here at itgrcforum.com. My professional passion is finding the sweet spot where security and compliance work as enablers of the business rather than impediements. I look forward to sharing my thoughts on practical ways that security and compliance professionals become that kind of asset to their business. What follows is the revised version of a piece I wrote in 2010 for my own site, but I believe it will nicely introduce you to my take on security, compliance and business.

The congressionally appointed Financial Crisis Inquiry Commission released a 535-page report on Thursday blaming the meltdown in part on compliance breakdowns and deficiencies.

This evening I attended a round table session organized by the Dutch chapter of ISACA. Antal, the presenter, did his best to show how compliance can influence the outsourcing relationship. At the end of the presentation Job, the host, concluded that this was a complex subject and that more time could, and should, be spent explaining all possible consequences. Antal, Job: sorry but I disagree with that conclusion.

Don’t you love the use of abbreviations? Often before you learn what the abbreviation stands for you have to read to the end of the story completely dazed about what it is the writer is trying to say. So let’s not do that: GRC stands for Governance, Risk and Compliance. These three functions are important to all organizations. Wikipedia define GRC as ‘an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas.’

Interview With Lyle Smith, Director of Global SOX Compliance at Walmart Stores Inc.

Oct 29 2010 - Since the enacting of the Sarbanes-Oxley (SOX) Act 2002, publicly quoted businesses have experienced a tightening of financial reporting regulations. Lyle Smith, Director of Global SOX Compliance, Walmart Stores Inc. gives his insight as to how the SOX provisions are continuing to impact companies across America. Lyle is a speaker at our partner event the 20th Edition SOX Compliance & Evolution to GRC Conference from November 4-5, 2010 at the Doubletree Hotel in Philadelphia, PA.