Comsec Consulting Outlines the Challenges and Provides the Guidance for Businesses to Stay Ahead of IT GRC

Comsec Consulting has presented valuable knowledge and real-life advice on the challenges faced by businesses to manage and stay ahead of IT governance, risk and compliance (GRC).

Addressing fifty senior IT security professionals from blue-chip companies, Roy Harari, Managing Director of Comsec UK, introduced the sessions by outlining the trends and drivers behind the shift from pure IT security to overall risk and compliance management.

Nissim Bar-El, Comsec's Chief Executive Officer and Chairman, highlighted the demands of GRC on any business, while explaining the complexity of this issue and the challenge of actually integrating GRC with Information Security. According to Mr. Bar-El, companies today are juggling the challenge of GRC with the numerous, existing GRC solutions, as well as with ongoing Information Security risks and requirements.

Also speaking at the event was Lord Erroll, spokesman for the House of Lords Science and Technology Select Committee's report on personal internet security. Lord Erroll highlighted the anecdotal way in which governmental rules and regulations are being referred to and relied upon as definite measures when it comes to securing information online.

He said, "The issue of IT security is complex. There are rules and regulations to adhere to, but the IT professional is still unsure of their role or their requirements to ensure their company's compliance. Cybercrime and its implications on businesses are still not fully understood, or taken seriously at a governmental level, even in the wake of such serious data loss incidents as reported by the media. The government needs to take responsibility and put into place a serious provision of support and incentive guidelines, including technical information, for all UK businesses. The future lies in governance (not control) and incentives; in new and evolving encryption and authentication technology and in groups committed to cyberwarfare, such as the CPNI (Centre for the Protection of National Infrastructure)."

Henk Van der Heijden, senior manager at Comsec Consulting, gave the conference an overview of compliance, defining compliance risk as the risk of legal or regulatory sanctions, material financial loss or loss of reputation that a company may suffer as a result of its failure to comply. Simply put, compliance enables companies to assure the integrity and confidentiality of their data.

Mr. Van der Heijden said, "The first step for UK companies is to identify the rules, regulations, laws and policies applicable to their company, then break down the IT requirements and control objectives, ensuring that there is no duplication of IT requirements to fix one problem. Map out the business processes, use existing frameworks and monitor, analyse and report on the compliance needed. Overall, be clear about what they are trying to achieve, set clear reporting and responding lines and define responsibilities."

Mike Popham of InfoGov presented the case for an integrated approach to GRC, citing as drivers increased competitive pressures, ethical and financial standards, accountability demands, increasing regulation and demands from stakeholders. He also outlined the different approaches to gaining compliance: asset-based risk assessment, threat modelling, technical auditing, dependency modelling and gap analysis. He stressed the need for companies to be more proactive, bring top-level management on board and set objectives with achievable results.

Addressing the payment and financial services industry, Peter Warner, Comsec Adviser and former Vice-President of Fraud & Security at Europay/MasterCard, revealed the extent to which hackers will go in order to retrieve credit card details and steal identities.

Mr. Warner said, "Total UK-issued credit card fraud increased by over 25% in 2007, compared to 2006. Card Not Present fraud accounted for over half of all fraud and this fraud type alone increased by more than 36% in 2007. Fraud abroad saw a 77% rise year on year. This is for a number of reasons. Some merchants may be to blame, as they are not all storing data in compliance with the Payment Card Industry Data Security Standard (PCI DSS), formulated by the five largest credit card companies (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) in order to enforce a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, and thus regularise the multiple information security issues standing before credit card merchants and vendors worldwide. Fraud losses per card compromised can be as much as 500 or more, and in addition those responsible for the breach face penalties from the card associations and compensation fees payable to the card issuers."

Mr. Warner continued, "PCI provides an organisation with an ample opportunity to review the security strategy and controls which can deliver competitive advantage, maintain a positive corporate image and safeguard consumer confidence. Non-compliance can result in damaged reputation to the brand; potential loss of consumer goodwill; financial liability for fraud/chargebacks; fines, penalties and potential legal liability."

GRC is a challenging trend in the information security market, combining various standards, schemes and complex controls. There is a lot of confusion about what exactly GRC is and which sub-components to consider when establishing a GRC programme. Professionals should be engaged in the establishment of such a programme, bringing experience in adapting it to the specific circumstances of each company. There are quite a few common issues that should be noted before undertaking a GRC programme. Comsec's event "GRC Made Easy" focused on providing professional insights and practical guidance on some of the key issues companies face with GRC.
