March 2011
risk mitigation and effective responses in case of a breach or a disaster; and (iv) accountability for non-compliance with audit policies and procedures.
More than 40 states have laws that require the custodian of lost data to notify the individuals whose data was lost; in several instances the reach of these laws extends well beyond the state's borders, and heavy fines are imposed. Companies must also be concerned about compliance with a number of federal laws, such as the Sarbanes-Oxley Act, HIPAA and the Gramm-Leach-Bliley Act, as well as the PCI Data Security Standard (an industry standard which has been incorporated at the state level in some 18 states). Examples of regulatory requirements include the Massachusetts law (201 CMR 17.00), which applies to any company that holds personal information of a Massachusetts resident (with no restriction as to where the holder of the information is located) and carries a fine of $5,000 per violation per record lost; and HIPAA/HITECH, where fines apply to persons who willfully neglect to comply and range from $10,000.00 to $50,000.00 per violation. A fine of up to $1.5 million per calendar year for one identical violation can be assessed if corrective action is not taken in the case of willful neglect.
Failure to provide appropriate IT governance for the rapidly increasing rate of change in technologies, the increased consumerization of IT by the individual, and the corporate deployment of IT assets are part of the reasons why the "lights on, doors open" approach does not work anymore. More succinctly, the common practice of continually pushing out the time horizon for retiring IT assets makes keeping up with the pace of transacting business a greater risk while at the same time elevating run-rate expense and exposures; this makes a strong case for a risk-based approach that promotes a more harmonious alignment between business processes, threats and opportunities, and the IT investment cycle.
To jump-start the process, corporate directors should inquire on:

What processes and metrics do we have in place to ensure there is a defined linkage between investments, organizational results, usage of our intellectual assets and Information Technology capacity levels?

What processes, metrics and mappings do we have in place to ensure clear asset classification, safeguards, supported business processes and the pertinent technology life cycle?

How do we go about ensuring a clear understanding, by operational region, of the relevant compliance requirements, their impact on the business and their underlying supporting technology?

Which initiatives do we have in place to determine what new and coming technologies might be relevant to our business while increasing the consumerization of Information Technology and our market position?

If social media sites are part of our electronic footprint, are usage monitoring and proper-use education part of an overall awareness and security program?

How do we ensure proper metrics and reaction times in the event of an unexpected business interruption or disaster?

Arcelay and Associates LLC is a proven industry leader in providing strategically aligned solutions for IT Risk Management, IT Due Diligence reviews and Interim CIO Services. Their published experts and industry-recognized thought leaders work with their clients on developing customized, aligned solutions that suit long-term organizational goals, regulatory requirements, and cultural and regional needs.