• Guide to balancing risk management and compliance

    It seems like there are new IT risk factors, and compliance regulations to go with them, popping up every day. But just because you’re protected from risk doesn’t mean you’re compliant -- and vice versa. It’s important for a company to strike the proper balance between alleviating the biggest risks and meeting compliance guidelines unique to its industry. With limited budgets and resources, this is no easy task.

    In this tutorial, we’ve gathered best practices for balancing your risk management and compliance strategies. You’ll learn how risk management and compliance can be tied together to get the maximum positive impact for your organization, and new ways to look at the delicate relationship between the two. Properly developing this relationship may even gain customer confidence and boost your bottom line.

    This guide is part of’s Compliance Briefings series, which is designed to give chief compliance officers strategic management and decision-making advice on timely topics.

  • FAQ: What is the Computer Fraud and Abuse Act?

    The Computer Fraud and Abuse Act (CFAA) was passed in 1986 to combat hacking of computer systems operated by the U.S. government and some financial institutions. The act made it a federal crime to access a protected computer without authorization or to exceed authorized access.

    The law has been amended repeatedly, with expanded scope and penalties. It has come to be used very broadly not just by the government to prosecute hackers, but also by private corporations to help safeguard trade secrets and other proprietary information.

    This FAQ is part of's IT Compliance FAQ series.

  • FAQ: How do corporate social media policies hold up against labor law?

    Facebook, Twitter and other social media sites are popular venues for complaining about a job, boss or co-workers, and companies sometimes fight back. The result is a new, evolving legal area with little case law to offer guidance. The National Labor Relations Board (NLRB) has seen a growing number of cases dealing with corporate social media policies and employees terminated for social media activities.

    For example, an ambulance service employee in Connecticut was fired after calling her boss a “scumbag” on Facebook, but she got her job back when the NLRB deemed her comment protected speech. However, a Wal-Mart employee who was disciplined after calling a supervisor a “super mega puta” on Facebook and a bartender who called customers “rednecks” on Facebook received no NLRB assistance.

    Whether these activities are protected by law appears to have less to do with the postings themselves than with the circumstances surrounding them.

  • FAQ: How would Volcker Rule regulations affect compliance programs?

    The Volcker Rule is a section of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act that aims to rein in banks' high-risk, speculative trading. Initiated by former Federal Reserve Chairman Paul Volcker in the wake of the 2007 financial crisis, the main goal of the Volcker Rule regulations was to avoid another taxpayer-funded bailout of Wall Street. Volcker was chairman of the White House Economic Recovery Advisory Board from February 2009 to January 2011.

    The Dodd-Frank Act created the Financial Stability Oversight Council to study and make recommendations about how regulators should implement the law. The Volcker Rule was originally conceived as a simple idea to prohibit banks from proprietary trading and investing in hedge funds or private equity funds. However, the rule morphed into a 298-page set of proposed regulations that included hundreds of questions for which regulators sought feedback.

    The public is invited to submit comments through Feb. 13, 2012, and the rule is scheduled to go into effect July 21.

  • Briefing: Governing risk management and compliance

    Every organization has different risks and compliance mandates. Often, risk management efforts tie directly to regulatory compliance mandates -- allowing you to “kill two birds with one stone.” But it’s not easy. Too often, risk management and compliance efforts aren’t in sync -- which leads to wasted time and money.

    Whether it’s social media risks, hackers, malware or any of the myriad threats to IT operations, you need to identify and handle potential issues before they result in compliance violations. In this tutorial, you’ll learn some of the latest risk factors that threaten every organization, and how you can tie your risk management efforts to your compliance functions and avoid wasting valuable resources.

    This guide is part of’s Compliance GRC Briefings series, which is designed to give chief compliance officers strategic management and decision-making advice on timely topics.

  • What is the European Commission's data protection framework proposal?

    On Jan. 25, the European Commission announced a proposal to reform the European Union's data protection framework. When making the announcement, the commission noted that the existing framework -- known as the 1995 EU Data Protection Directive -- is outdated because of globalization and rapid technological change.

    Those pushing for reform contend that the existing framework lacks coherent rules among the member states, making it harder and more expensive for businesses to comply. The power of regulators in different member states varies, so the rules are not applied consistently or effectively, they add. This makes it more difficult for individuals to exercise their data privacy rights in some countries than in others.

    The European Commission plans to reach an agreement with the European Parliament and the Council of the European Union on the new data protection framework by year's end. The rules will go into effect two years after they have been adopted by the member countries.

  • FAQ: The economic crisis and SEC compliance rules

    In the wake of the 2008 financial crisis, the U.S. Securities and Exchange Commission (SEC) has brought charges against nearly 100 business entities and individuals in the financial services industry for misconduct that led to or arose from the crisis. More than $1.2 billion in penalties have been levied through SEC enforcement action, and dozens of individuals have been barred from the industry or had their commissions suspended.

    Some of the charges directly involve compliance issues, and others do not. As SEC Enforcement Division Director Robert Khuzami said in November 2011, “not all compliance failures result in fraud, but many frauds take root in compliance deficiencies.” This “simple truth,” as Khuzami put it, redoubled SEC efforts to identify and charge individuals and firms that fail to maintain sufficient corporate compliance programs.

  • FAQ: How has Foreign Corrupt Practices Act enforcement evolved?

    Briefcases filled with cash. Bribes disguised as sales commissions. Consultants used as conduits for improper payments and old-fashioned kickbacks. In recent years, these types of violations were all cited by the Securities and Exchange Commission and the Department of Justice as the agencies ramped up Foreign Corrupt Practices Act (FCPA) enforcement.

    Enacted in 1977, the FCPA prohibits companies from bribing foreign officials to obtain contracts or other business. It covers publicly traded companies, their officers, directors, employees, stockholders and "agents" (which can include consultants, distributors and partners). Companies charged with FCPA violations usually agreed to pay hefty fines -- up to hundreds of millions of dollars -- to settle charges rather than go to trial.

  • FAQ: Wal-Mart de Mexico scandal and how it triggered FCPA violations

    The details surrounding the Wal-Mart de Mexico bribery scandal sound like a cliché: Envelopes stuffed with cash handed off to mayors, bureaucrats and other government officials who wield the power to stand in the way of business. Wal-Mart Stores Inc. is accused of not only participating in such bribery at its Mexican subsidiary, but also of sweeping it under the rug once it came to light.

    On April 21, The New York Times published a lengthy article alleging that Mexico-based Wal-Mart officials participated in an ongoing bribery scheme several years earlier to achieve market dominance in the country, and that top executives had covered it up. The allegations are corroborated by internal company documents, according to lawmakers investigating the conduct.

  • FAQ: How has the MF Global bankruptcy influenced financial regulation?

    Following a series of questionable business practices, MF Global Holdings Ltd., the parent company of MF Global Inc., filed for bankruptcy protection on Oct. 31, 2011. Soon after the MF Global bankruptcy, the company's chairman and CEO, Jon Corzine -- formerly a U.S. senator, governor of New Jersey, and chairman at Goldman Sachs Inc. -- resigned.

    It was quickly discovered that $1.6 billion in customer funds were missing, likely in violation of federal regulations surrounding segregating customer assets. This was the first time a commodities broker's customers suffered losses as a result of the improper handling of customer funds, according to lawmakers who oversee the financial industry.

    MF Global's collapse and the missing funds remain the subject of ongoing investigations by the Department of Justice, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), as well as trustees appointed by the bankruptcy court to oversee the firm's liquidation.

  • FAQ: How have Knight Capital Group's software errors swayed regulation?

    The speed and complexity of software designed for high-frequency stock trading propelled Knight Capital Group's success in recent years, but those same properties drove the firm to the brink of bankruptcy. When New York Stock Exchange trading opened the morning of Aug. 1, 2012, a technology breakdown in Knight Capital's newly installed trading software caused a deluge of erroneous stock orders that severely disrupted the market. The new software had been deployed the day before, the company said, and it took about half an hour to halt the erroneous orders once the problem was discovered.

    After Knight Capital Group lost $440 million in about 45 minutes of trading that day, regulators redoubled efforts to limit stock exchange damages inflicted by faulty technology. Specifically, they launched a review of the testing and control requirements needed to prevent highly complicated and interconnected IT systems from causing market upheaval when errors occur.

  • FAQ: What is the COBIT framework's approach to IT management?

    The Control Objectives for Information and related Technology, more commonly referred to as COBIT, is an information management and control strategy framework. It consists of principles, practices, tools and models to help enterprises improve information and technology management processes. The COBIT framework is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). The original version, published in 1996, focused largely on IT auditing. The latest version is COBIT 5, which was released in April 2012 and emphasizes the value information governance can provide to a company's bottom line.

    The COBIT framework weaves together models and approaches used by different IT specialties, such as standards from the Information Technology Infrastructure Library (ITIL) and the International Organization for Standardization (ISO). The aim is to provide an overarching framework that incorporates different subsets of information management and control while promoting greater consistency among these areas. Unlike prescriptive requirements for a specific regulation, COBIT can be used for a wide range of enterprise needs, including information security, regulatory compliance, risk management and financial processing.

  • FAQ: How does an SSAE 16 report provide compliance control guidance?

    When companies outsource IT and other business processes, they are looking for assurances that the service providers' corporate controls pass muster and that data is not exposed to undue risk. Companies can request audits of service providers' systems, but this can be an expensive and time-consuming endeavor.

    To help ease customer concerns, a service provider can hire a third-party auditor to conduct an examination based on a set of standards known as the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). Although not a compliance certification in the traditional sense, SSAE 16 reports have become a commonplace guide for service providers' internal compliance controls and the reporting standard for all service auditors' reports since going into effect in June 2011.

  • FAQ: What is the current status of U.S. cybersecurity legislation?

    Lawmakers on Capitol Hill have been debating cybersecurity bills for many years, but opposition from industry and civil rights groups has always stymied the initiatives. In 2012, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) despite vehement opposition from online privacy advocates and the White House. The Senate, however, voted down a version of cybersecurity legislation, titled the Cybersecurity Act of 2012, in large part because of industry opposition.

    There has been a wide variety of legislative proposals for safeguarding American computer systems and networks, but recent bills have focused on two goals. These include protecting critical infrastructure -- such as power plants, chemical facilities, communications networks, transportation networks and financial networks -- and promoting information-sharing between the government and industry. Information-sharing provisions examine ways to encourage private companies to inform government organizations such as the National Security Agency about cybersecurity threats and responses. For affected industries, such provisions must include liability protection should they share information protected by privacy laws.

  • FAQ: How do BYOD security concerns complicate regulatory compliance?

    The bring-your-own-device movement has enticed organizations to pursue BYOD in order to increase productivity, improve morale and possibly even reduce capital costs. When employees use their own devices without constraint, however, they are susceptible to insecure networks, application downloads and data. They are also more likely to visit dubious websites and sometimes forget the devices in places such as on a train or at a bar, creating more BYOD security concerns.

    Allowing employees to use personal devices for work increases the risk that company data is lost or vulnerabilities are exploited. When users choose their own equipment and operating systems, it becomes more challenging for IT to secure hardware and data, and it becomes harder to ensure compliance with data-related regulations. As a result, meeting compliance requirements for data security, e-discovery and industry standards without endangering user privacy becomes complicated in the BYOD environment.

  • FAQ: How does shadow IT complicate enterprise regulatory compliance?

    Shadow IT is any application or other IT resource obtained or built by business users without the knowledge or approval of the IT department, and it's becoming a pervasive problem. In 2012, 77% of businesses were home to shadow cloud deployments, and 40% of these deployments resulted in the exposure of confidential data, according to a 2013 study by security firm Symantec Corp.

    Business users say they resort to shadow IT to save time and money, but this practice of surreptitiously bypassing the IT professionals creates increased costs for companies. Because shadow applications -- also called rogue deployments, rogue IT or stealth IT -- are not managed by IT or integrated into an organization's other systems, they aren't subject to the same security controls or other compliance-related safeguards. If the IT team isn't aware of applications or services procured directly by business users, it may not know where data is stored or who can access it.

    Shadow IT did not start with cloud computing or Software as a Service, but the cloud has made bypassing the IT department easier and has exacerbated ensuing compliance difficulties. It's tough enough to retain control over data that is held within an organization's own jurisdiction, but the challenge is greatly magnified when data is transmitted, handled or stored by a public cloud provider. And, it's nearly impossible for IT to manage compliance in the cloud if it doesn't have a well-defined relationship with the service provider.
