Brightfly, Inc.» PCI DSS Becoming the Standard of Due Care

PCI DSS Becoming the Standard of Due Care

bsdunlap — Tue, 07 Jul 2009 11:46:14 +0000

Nevada just passed new legislation that in effect, mandates the provisions of PCI DSS for businesses and other entities that handle non-public personal information. You can read it yourself here, or see additional details and commentary can be found at BankInfoSecurity.com.

Since my trip to London earlier this year, I have actively pondered what the future brings for the standard of due care. Specifically, what frameworks and practices will emerge as being the minimum standard to which we are judged in our efforts to protect data. In my post on US vs. UK perspectives for choosing a controls framework I mentioned how the people I talked to in the UK were focused on becoming ISO compliant with regards to their security programs and that they felt this was a competitive differentiator for their businesses. They also stressed the outside validation provided by BSI on a recurring basis as an independent audit and how it helped establish confidence in their ability to protect sensitive customer information.

With the absolutlely phenomenal reach of PCI DSS, and the move by Nevada to legislate its adoption, I think we are entering into an era where this standard becomes the minimum. After all, with it being so widely enforced it soon becomes what a reasonable person in similar circumstances must do.
The real trick for practitioners then becomes not the controls being applied, but the effectiveness and efficiency that the organization can expect on a per dollar basis. In summary, it isn’t what you are controlling, or even how, it is how well that matters.

Related articles:

2008: More ID Theft

IFRS: The New Cash Cow

madams — Mon, 17 Nov 2008 16:57:17 +0000

Last Friday the SEC released its new roadmap for migrating U.S. companies from U.S. GAAP (Generally Accepted Accounting Principles) to IFRS (International Financial Reporting Standards). According to the article:

“…all publicly traded U.S. companies would be required to use IFRS within six years. However, at least 110 companies could use the international rules as early as next year, depending on their size and their industry. The SEC predicts that those companies would each incur about $32 million in additional costs in the 10-Ks they file in 2010.”

For everyone else, the SEC estimates that U.S. companies will spend between 0.125 percent and 0.13 percent of their revenue on making the transition to international financial reporting standards from U.S. GAAP in the first year of filing. This is just more evidence that the new revenue stream the accounting firms have been waiting for is here. Some of my former Big 4 colleagues (including a partner) have come out and told me as much. The big difference though between SOX and IFRS is that once companies have made the transition, that’s it. In other words, unlike SOX, IFRS has an end date.

It should also be noted that this timeline could change once Barack Obama takes office in January. SEC chairman Christopher Cox is a Republican, and he has indicated he will resign early next year. Comments to the roadmap are due in mid-February, so we’ll have to wait and see what the final version will look like.

Related articles:

SEC Told to Mandate XBRL

admin — Thu, 01 Jan 1970 00:00:00 +0000

On January 18th I wrote an article discussing how the proposed adoption of XBRL (Extensible Business Reporting Language) will drive up compliance costs and provide auditing firms with another revenue stream. Well, according to this article at CFO.com, an SEC advisory committee is paving the way for the regulator to require companies to turn their traditional financial statements into more easily searchable, comparable, and interactive documents.

If the SEC takes the committee's advice, all U.S. publicly traded companies could be required to file audited XBRL financial statements in three years. Reading further, it looks like I'm not the only one who sees higher audit fees in the future.

"At Monday's meeting, Peter Wallison, a senior fellow at the American Enterprise Institute for Public Policy Research, tried to assuage committee members' fears that the use of XBRL could lead to high assurance costs for companies hiring auditors to check that they have tagged data correctly."

It's fairly obvious that this is a done deal, and anyone who voices concerns over higher assurance costs will simply be ignored. Vendors are already lining up to provide XBRL implementation services, and audit firms are right behind them. I know this sounds cliche, but I can hear CFOs everywhere mumbling that "the hits just keep on coming."

Related articles:

FFIEC compliance nearly universal among banks?

admin — Thu, 01 Jan 1970 00:00:00 +0000

According to this short news item , ninety-five percent of US banks are either in compliance or very close to compliance with the online security measures mandated by the Federal Financial Institutions Examination Council (FFIEC), according to recent research. I cannot express how much I question the results of this research.

Back in June of this year, Sestus Data released a white paper that detailed how non-compliant banks were with FFIEC multi-factor authentication guidelines. In this paper the researchers concluded that only 4% of sampled banks employed consistently multi-factor authentication methods, while 64% used single-factor only. So, are we to believe that most of these banks have gotten their act together in the last five months? I seriously doubt that. Unfortunately, there is no link to the original research mentioned in this news item, but I strongly suspect that the researchers adopted the banks' definition of "multi-factor authentication" as opposed to the FFIEC's. Anyone who is familiar with this issue understands that the banks have been waging a fierce battle with the FFIEC over what exactly constitutes multi-factor authentication, with the banks adopting a much more lax definition. I'll keep a lookout for this latest research paper to see if I'm right.

Related articles:

AICPA Comes out in Favor of IFRS

madams — Thu, 22 Nov 2007 04:10:54 +0000

Ok, I was going to leave IFRS alone for a week, but I couldn’t resist this bit of news. WebCPA covered the testimony on IFRS to the Senate Banking Committee. The AICPA came out in favor but the former SEC Chief Accountant, Lynn Turner came out against it.

At the hearing, the AICPA Vice Chairman for Professional Standards and Services, Chuck Landes told the sub-committee “One common accounting language will benefit all participants in the capital markets. A single worldwide set of accounting standards would help investors by facilitating the comparison of financial results.”

However, former SEC Chief Accountant Lynn Turner warned that adopting IFRS could put US investors at risk. “I believe strongly if the SEC reconciliation is eliminated, it will also eliminate the incentive for standard-setters to work together,” he said. “Indeed, each of the standard-setters is likely to go their own way, and I suspect within 10 years, if not sooner, FASB will cease to exist, leaving the U.S. without a viable private standard-setter responsive to the needs of U.S. investors.”

Related articles:

New FTC Requirement!

admin — Thu, 01 Jan 1970 00:00:00 +0000

Not too long ago I posted a story about how the Federal Trade Commission has been going after companies with lax security around private information. Well, apparently the FTC has gotten even more serious.

On October 31st the FTC issued the final rules on what organizations must do to prevent identity theft. The full 256-page document can be found here. Part of the document reads "The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts." In my opinion, companies that already have a robust security environment shouldn't have too far to go to comply with the FTC's requirements, expecially those that are PCI-compliant. However, for those that are resisting the PCI mandates, this should be a wake-up call.

Related articles:

SOX as a campaign issue

admin — Thu, 01 Jan 1970 00:00:00 +0000

SOX is quickly becoming an issue for the presidential candidates. According to the Financial Week , in a speech to the Club for Growth in Washington, he supported the idea of SOX but stated that "We sure as heck have to go back and moderate Sarbanes-Oxley".

He specifically criticized the certification requirements as being usesless. I agree with his comments on certifications. The folks at Enron would have signed the certifications because they thought what they were doing was correct. They fired or demoted anyone who didn't agree with them. Anderson agreed that what they were doing was right. Therefore, I am not sure that the cerfications would have made a difference.

Not to be left out, Mitt Romney has also suggested that we prune SOX. In remarks to the Detroit Economic Club, he stated that "it's driving away IPO's, depressing jobs, and requiring billions of unnecessary cost."

On the other side of the aisle, John Edwards is proposed last Friday that we expand corporate responsibility further than Sarbanes and require companies to publish more information on executive compensation and social impact.

As the election gets closer, I am sure that this issue will continue to be a hot topic.

Related articles:

Grant Thornton Survey says CFOs don’t like IFRS

admin — Thu, 01 Jan 1970 00:00:00 +0000

Apparently CFOs are not in favor of using IFRS as opposed to GAAP. Grant Thornton released a survey of CFOs last week showing that 55% of CFOs do not believe that US Companies should be allowed to issue their financials using IFRS. In addition, 90% of public companies and 75% of private companies surveyed believe that current regulations are too complex. Sixty-seven percent preferred "Principles-based standards that provide for use of professional judgment in the application of accounting standards" which sounds a whole lot like IFRS…I guess that statistic is not suprising considering 77% of CFO's have no experience preparing financial statements in accordance with IFRS. Guess its time for for some education for CFOs.

Related articles:

Restitution for Victms of ID Theft

admin — Thu, 01 Jan 1970 00:00:00 +0000

A bipartisan bill that would let victims of identity theft seek restitution for money and time they spent repairing their credit history was introduced on Oct. 16 in the Senate. Called the Identity Theft Enforcement and Restitution Act of 2007, the bill would also expand the jurisdiction of federal computer fraud statutes to cover small businesses and corporations, and it would eliminate the requirement that the loss resulting from damage to a victim’s computer must exceed $5,000. Under this bill, violations resulting in less than $5,000 damage would be criminalized as misdemeanors. For a more complete list of provisions read the article here . While I believe this is a good idea, my fear is that the cost of fines and penalties paid out to victims will simply be passed along to the consumer. As with other pieces of legislation, we’ll just have to wait and see what the final bill looks like, and then see how it’s used before drawing any conclusions.

Related articles:

Talking Up Sarbanes-Oxley?

admin — Thu, 01 Jan 1970 00:00:00 +0000

Have you ever seen a situation where a group of people want so badly for something to be true that they make every effort to make it true by talking about it as much as possible in hopes that it will become true? This tactic is commonly used by politicians and the news media to convince people that something is true (like a strong or weak economy), even though it may not actually be true — yet. Well, I've had suspicions for the past year or so that this was happening with Sarbanes-Oxley, specifically the impact that it has had on the incidence of fraud.

It seems that there are reports and studies being released all the time now purporting to show that SOX has had a positive effect on reducing fraud and improving investor confidence in capital markets. Yet the only "evidence" we see is either anecdotal, or it's based on opinions from respondents to a poll or survey. And of course we're going to see glowing reports from audit firms, the federal government, the SEC, and the PCAOB. Can you imagine one or more of the above groups stating that SOX has been a colossal waste of time and money and should never have been passed in the first place? Of course not! They have to talk it up no matter what the reality is. What's worse is that this official party line permeates industry to such a degree that it becomes almost politically incorrect to challenge it. I wonder what would happen if I openly criticized SOX as a total disaster in my next presentation at an ISACA or IIA meeting. Would I ever be invited back? Perhaps, but I'd rather not find out. Besides, I would receive a much warmer response at an event consisting mostly of IT people. They've hated SOX from day one, so there would be no love lost there. I'd simply be preaching to the choir. However, there are some rumblings out there that suggest that SOX may not be theanswer to global warming – cure for cancer – peace on earth solution that many think it is.

A story released yesterday says that according to the most recent biannual global survey of economic crime conducted by PricewaterhouseCoopers, 53 percent of US companies reported they had been hit by economic crime during the last two years, with losses totaling $223 million. Companies of all sizes were affected, and the level of fraud has not dropped (italics mine) in the eight years that the firm has been conducting the survey. However, seventy-one percent of the US respondents said they thought that Sarbanes-Oxley was at least some help in detecting economic crime inside the company, and 61 percent thought it was at least some help for detecting economic crime that originated outside the company. So, we see here that fraud has remained steady for the last eight years, but the majority of the respondents still have to credit SOX in some way for that. Why? I mean SOX has only been around for four years, so how do we know that there would have been a huge increase in fraud had SOX never been passed? We don't! It's simply a nonfalsifiable presupposition, and since we'll never really know for sure, it becomes extremely easy to credit SOX.

Another article states that for the first time in four years, a survey of in-house corporate lawyers shows that the rate of corporate litigation has fallen. Fifty-five percent of the respondents credited Sarbanes-Oxley with the decline in litigation, but experts also pointed to the recent relative stability of the economy and the rising stock market, which tends to produce fewer disputes involving corporations. Here again we see obligatory credit being given to SOX, but it's nice to see that at least some experts can still think for themselves by pointing to other factors.

I'm not saying that SOX has not had any kind of positive effects; I am saying that there are too many people creditng SOX without really thinking about why they're doing so. If you really believe SOX has helped then be prepared to provide harder evidence than a survey conducted by an audit firm or the SEC. Let's really debate the topic for once.

Related articles: