Archive: IT Compliance Institute (ITCi)

Story Archive: ITCi and ComplianceNOW

IT Compliance Institute (ITCi), including its ComplianceNOW newsletter, ceased operations in January 2008.

With permission from 1105 Media, Inc., a complete set of my feature stories for IT Compliance Institute is reprinted here (with some exceptions from 2005, which I'm still seeking):

IT Compliance Institute: 2008

Reboot Your Records Retention Strategy
Under the Federal Rules of Civil Procedure (FRCP), organizations must demonstrate that their electronic information is complete, accessible, and reliable. As a result, companies must formalize their retention management strategy and rapidly put in place the organizational and technological changes required to retrieve any given record.
IT Compliance Institute (January 15, 2008)

IT Compliance Institute: 2007

Changing Risk: Enter the CRO
What you don't know can kill you -- or sink the company. As executives and boards of directors demand an integrated, enterprisewide view of risk, they're turning to chief risk officers (CROs) to provide it. Where should CROs fit inside an organization, and do they have the authority and oversight to really make a difference? Learn how to make a CRO succeed.
IT Compliance Institute (December 18, 2007)

Own Your Identity: 10 Best Practices for Role-Based Access
In many companies, IT maintains the access controls, security defines roles, business managers assign these roles, and auditors review what users actually do. As that suggests, an effective approach requires careful coordination. Learn the 10 best practices for identity and access management collaboration.
IT Compliance Institute (November 20, 2007)

GRC Solutions: Tips for Tipping False Idols
New platforms and tools promise to solve companies’ governance, risk, and compliance (GRC) challenges, but managers should beware the hype. Ad hoc frameworks, narrow solution scopes, and too-tactical functionality often characterize so-called enterprise solutions. Experts offer insights to help you navigate the GRC hype.
IT Compliance Institute (November 13, 2007)

Fixing the PCI Encryption Problem
Fines and fees are looming after the September 30 PCI compliance deadline. Still, less than half of merchants report full compliance with PCI security requirements, and encryption failures contribute to four out of five failed PCI audits. Why can’t companies get encryption right? Here are five key steps for overcoming encryption hurdles.
IT Compliance Institute (October 23, 2007)

Reconciling with Records Management: Top 10 Requirements
Records management, in the words of the related ISO 15489 standard, is the "creation, receipt, maintenance, use and disposition of records." An increasing number of regulations have driven companies to put their records management programs in order. Learn the top 10 best practices for ensuring the integrity of your records.
IT Compliance Institute (September 18, 2007)

Top 10 Spreadsheet Compliance Risks and How to Avoid Them
One of the biggest threats to compliance isn’t rogue insiders or hackers, but a trusted tool: the lowly spreadsheet. Its life is unstructured, untracked, and unsecured—control challenges that can run afoul of everything from SOX to federal accounting rules. Learn to recognize top spreadsheet risks and what you can do to reduce them.
IT Compliance Institute (July 24, 2007)

Changing SOX: Redefinition, Refinement, and Reform
Compliance experts say that vague guidance and lack of bright-line definitions led to an era of expensive, ultra-conservative audits. As a result, and under the advice of their auditors, many companies are now reining in their SOX efforts. What’s changing? Experts detail the latest SOX guidance, new accounting standards, and optional risk-assessment methodology.
IT Compliance Institute (June 26, 2007)

Data Breach Kit: Five Steps to Help You Survive the Inevitable
Fact: Information systems are porous. Most companies will, despite their best efforts, allow some level of data exposure during the next year. Are you ready? Learn the tools and processes you need in place now to control data-breach damage, perform digital forensics, and gather the evidence required to recover and reduce risk.
IT Compliance Institute (June 19, 2007)

Under the Hood: The New ITIL V3
Are you ready for version 3 of the IT Infrastructure Library (ITIL)? After 10 years, the leading best-practices framework for IT service management has been updated, with an official launch scheduled for May 30, 2007. Learn what's behind the changes, and what they mean for organizations looking to improve IT service management as well as their IT compliance effectiveness.
IT Compliance Institute (May 30, 2007)

Top 10 Compliance Forums on the Web
When it comes to laws and governance frameworks, conventional wisdom can prove much more useful than oblique “official” guidance. These 10 online forums offer immediate answers to IT compliance questions, practical implementation advice, and been-there-done-that insight into CobiT and ITIL.
IT Compliance Institute (April 17, 2007)

Threats, Compliance, and the Human Condition
Blame human psychology: when it comes to information security, we’re simply not built to intuitively rank actual risks. Learn how building threat models can help companies rationalize the biggest security and compliance risks they face.
IT Compliance Institute (April 10, 2007)

Beyond SOX and Endpoint Security: Six Emerging Trends in Compliance
Last year, Sarbanes-Oxley (SOX) dominated companies' compliance efforts, organizations increasingly adopted endpoint security, data breaches grew epidemic, and experts warned companies that Microsoft's Vista OS would be no silver bullet for compliance or security efforts.
IT Compliance Institute (March 20, 2007)

Seven Strategies for Compliance Change Management
Driven especially by SOX, companies are increasingly adopting change management practices to bring needed discipline to changes in IT infrastructure and systems, and to ensure the integrity of systems storing regulated data as well as the attendant IT policies and procedures.
IT Compliance Institute (February 6, 2007)

Rise of the Mutant Malware
The latest generation of malware is mercurial—able to adapt to defeat the latest detection and eradication measures. Who’s building the better mutant, and how is IT security taking this more “liquid” malware into account? Learn what’s being done to stop this evolved malware, and how companies are protecting themselves.
IT Compliance Institute (January 30, 2007)

IT Compliance Institute: 2006

Proving Grounds: Securing Test Data in Regulatory Environments
In many companies, developers use live data in unsound test environments but remain unmindful of the fallout if that data leaks out. Why should your compliance guard be relaxed when developers use test data to design the systems that store and dole out access to such sensitive information? Here are five ways to manage test data in regulated environments.
(October 17, 2006)

Foreign Correspondence: SOX Efficiencies and EU Issuers
As of July 2006, many foreign companies listed on US exchanges must comply with some Sarbanes-Oxley requirements. Can foreign companies learn from the US SOX experience to better meet their own reporting obligations? Can they leverage their native compliance experiences to turn SOX into a competitive advantage? And how will different applications of SOX to foreign issuers impact their ability to attain compliance effectiveness? Experts suggest that less effort might lead to more compliance for EU companies.
(October 10, 2006)

A Sense of Entitlement: Security, Privilege, and the Need to Know
Up to 60 percent of fraud is perpetrated by employees of the victim company, often because the wrong people have access to tempting data. Here are four tips for limiting access to sensitive data and thereby limiting the potential for misuse.
(August 15, 2006)

Conditioning Your Workforce for Security Compliance
Corporations are realizing that the human element is often overlooked in their quest for compliance. Organizations are helping employees make the right decisions by revamping that age-old risk management tool: the security policy.
(July 18, 2006)

Phantom of the Operation: Defining and Securing Privacy
Organizations often misidentify their top privacy breach threats and overestimate their level of compliance and integrity. Technical controls alone won't meet privacy requirements, and may even lull companies into a false sense of security. The problem is simple: how do you secure an abstract concept?
(July 5, 2006)

Baring the Standard: Ins and Outs of ISO 17799
For companies seeking to comply with a deluge of data management and privacy regulations, ISO 17799 offers both technical best practices and managerial guidance. But the information security standard isn't a silver bullet for compliance, or even a good fit for every company. What is the potential of ISO 17799, what are its limitations, and what do you need to know about certification?
(June 20, 2006)

Why Ubiquitous Backup-tape Encryption Lags
Despite high-profile data breaches, storage encryption practices won't change overnight.
(June 6, 2006)

Data Breach Damage Control
Your company just suffered a data breach. If you’re wondering what to do next, it’s already too late. An immediate, pre-planned response is vital to keeping your company’s reputation and revenue alive. Prepare yourself with these top tips.
(May 16, 2006)

Case Study: Hospitals Find a Cure for Storage Costs
With back-up storage costs stretching the budgets of hospitals attempting to comply with HIPAA, one network of 16 Nevada hospitals found a way to cut storage costs by 80 percent without cutting compliance corners.
(May 2, 2006)

Case Study: White Lab Coat Security
PDAs with comprehensive, current patient data can help a doctor save a life, but a lack of proper security controls also poses privacy risks. INTEGRIS Health has implemented mobile access restrictions that could also protect critical corporate data.
(April 18, 2006)

Excess Baggage: Unwanted Inventory Costs Millions
Are your warehouses stuffed with unordered stuff? Companies are suffering huge financial losses due to a lack of effective business controls that check incoming inventory against orders. New software frameworks that tackle this dilemma could save your business millions.
(April 4, 2006)

Loss, Litigation, and Hype: The E-mail Retention Enigma
What if a judge demanded all of your archived e-mails from June 21, 2003? Think carefully before you answer. Vendors say you must retain e-messages, but companies will lie to avoid handing over old mail; and judges might fine you whether you do or don't. What's a company to do?
(March 21, 2006)

BNSF Railway On-track with Long-haul Compliance
While BNSF Railway needed to improve its application management processes to meet SOX regulations, it parlayed the effort into an application lifecycle management overhaul.
(March 7, 2006)

Tangling with Test Data
Do your developers choose their own test data? Since 70 percent of data thefts are inside jobs, you can't assume that any visible information in your company is safe or even private. Companies need a strategy for obscuring—or just faking—sensitive data for use in testing environments.
(February 21, 2006)

Handling PCI Hurdles
The PCI standard took effect on June 30, 2005. Is it effective?
(January 17, 2006)

IT Compliance Institute: 2005

Consumers vs. Compliance: Where the Security Buck Stops
Regardless of the laws on the books, consumers hold companies responsible for data breaches, spyware, and phishing attacks.
(December 6, 2005)

When Data Walks: Safeguarding Portable Media
When cell phones have 40 GB hard drives and data breaches can cost millions of dollars, should organizations that handle sensitive information restrict the use of removable storage?
(November 15, 2005)

Case Study: Tracking Software Changes for Compliance
"We've considered getting badges and guns, but the company frowns on the guns," explains the director of configuration management for ADP, a financial services software company. Certainly, tracking software changes can be a problem. Getting rid of the paper trail was a big first step.

Learning from CardSystems: Compliance Doesn’t Equal Security
CardSystems blamed a shoddy audit for its 40-million-record data loss. But the auditor claimed the breached systems were beyond its scope. Who was right? Who was to blame? What can be learned from the argument?

Zipping, Encrypting, and Shipping under HIPAA
Could your backup tapes disappear during shipment? Aurora Health Care decided to avoid the risk by encrypting and zipping health data before sharing or shipping it.

Acute Care: HIPAA, a Hospital, and Database Security
If you want to secure databases containing protected health information, the first big challenge is to find them.

FDIC: Spyware Cure Requires More Than Technology
When the FDIC recommended financial organizations improve their response to spyware, it meant helping to protect customers, as well. And, as its recent Financial Institution Letter notes, technology alone won't solve the problem.

Case Study: Screen Actors Guild Healthcare Monitors IM
Ensuring the security of personally identifying information is a must for any healthcare organization. But the healthcare arm of the Screen Actors Guild was especially set on ensuring that information on well-known actors and celebrities didn't leak out through instant messaging.
IT Compliance Institute (August 2, 2005)

Financial IM and E-mail Storage Mandate
For financial services firms, archiving electronic communications isn't an option: it's a mandate. But not all organizations interpret the regulations correctly or have the technology approaches to meet auditor demands.
IT Compliance Institute (July 26, 2005)

Philadelphia Exchange Audits for Compliance
When it comes to regulations, organizations must implement effective processes and procedures or face the consequences. But not all organizations are sweating. The Philadelphia Stock Exchange shares its approach to meeting regulations—including managing auditors and staying competitive.
IT Compliance Institute (July 19, 2005)

Three Good Reasons to Look at Database Security Software
If you're relying on your database for access authentication, administration, and auditing, you may be on shaky ground. These core information security features aren't built into most database management systems. Third-party tools can fill the gaps, but what kinds of functionality should security managers look for?
IT Compliance Institute (May 31, 2005)

Data Defense: Six Practices for Safeguarding Information
Databases are under the gun, with a spate of recent database breaches and backup-tape losses leading the headlines. While database security isn’t a new topic for regulated companies, today’s environment makes it imperative to properly lock down databases automatically. Here are policies and procedures to help.
IT Compliance Institute (May 17, 2005)

Secure the Farm: Evaluating Secure Storage Appliances
Database encryption protects critical data, while reducing the administrative cost and risks attached to its storage, transportation, and management.
IT Compliance Institute (April 26, 2005)

Out of Breach: Eight Ways to Beat IT Policy Resistance
Nobody loves reading IT policies, but every employee must adhere to them. From designing readable policies to making reasonable exceptions, IT and compliance managers must apply both professional insight and personal intelligence to policy enforcement. Eight best practices can help IT managers beat employee resistance to new policies.
IT Compliance Institute (April 19, 2005)

Securing Web Services in a Regulatory Environment
To secure Web services and meet regulatory requirements, organizations must keep their business and IT agendas aligned.
IT Compliance Institute (April 12, 2005)

Mortgage Data Network Tackles GLB Compliance
Companies handling confidential customer data must do more than claim their information is secure: they must prove they’re above reproach.
IT Compliance Institute (April 5, 2005)

InfoSec Synergies: Aligning Standards Improves Security
Pre-packaged policies and new "crosswalks" between HIPAA requirements and major security standards help companies blaze a faster trail to proven, defensible information security practices.
IT Compliance Institute (March 29, 2005)

Corporate Security Awareness Grows but Funding Lags
Survey shows security managers still face budget battle. (Reprint)
IT Compliance Institute (March 15, 2005)

Finding Better Opportunities for Automation ROI
SOX Approach Shifts From Tactical to Strategic
IT Compliance Institute (March 1, 2005)

The Good-Intention Gap: Records Management Realities
A "credibility gap" between the good intentions of organizations and what employees actually do highlights critical flaws in information management.
IT Compliance Institute (February 1, 2005)

Compliance Drives Network Security Spending in 2005
In 2005, will the market view of compliance as a business and operational challenge overshadow compliance as an IT point-problem?
IT Compliance Institute (February 1, 2005)

Information Security Compliance: Outsourcing Grows
This year is likely to mark a sea-change in companies’ willingness to outsource information security practices. As compliance deadlines loom, many CIOs are opting out of building in-house security practices and turning to managed-security services vendors as a more viable and reliable compliance option.
IT Compliance Institute (January 18, 2005)

Opening the Black Box: IT Controls Aid Compliance
By helping companies to document cryptic IT processes, development frameworks promote compliance and improve productivity along the way.
IT Compliance Institute (January 4, 2005)
Mathew Schwartz
Mat@PenandCamera.com