DM Review | Covering Business Intelligence, Integration & Analytics

Auditing and Risk Management:
When Ignorance Became Negligence

By Murray S. Mazer, online columnist
Column published in DMReview.com, December 29, 2005

There has been an important shift in the expected behavior of organizations that handle sensitive data, a shift brought on by public discussion about corporate mismanagement, data breaches, and the associated disclosure and control requirements. Not long ago an organization could have weak controls around its sensitive data (whether personal or corporate), and if a data breach occurred, the organization could make its own determination about the impact of that breach and act accordingly without involving outside parties. That is no longer acceptable. And the responsibility for ensuring proper procedures and safeguards now extends from the information technology organization all the way to the boardroom.

This means that people without IT expertise are now expected to become familiar with issues of IT controls, database access, privileged users, separation of duty and other key concepts that play a role in an effective corporate response to data access accountability. Likewise, IT professionals are being forced to learn about regulatory compliance and control concepts that are not part of the standard IT kit. Both groups were ignorant, probably blissfully so, of the need to understand these arcane and otherworldly topics.

The problems of data breaches and corporate mismanagement are so widely known today that there is no longer ignorance - there is only negligence among those who have not yet stepped up to the challenge.

Data Breaches Can Have Serious Consequences

At some point your organization may have been the victim of a data breach. Perhaps, as in the popular movie Ferris Bueller's Day Off, someone got into your database and changed some information. Research shows that 78 percent of data fraud involves inappropriate or unauthorized changes to data, typically by an employee or a partner's employee. Until recently, companies could shield the consequences from public view. Companies that experienced such an incursion would quietly fix the problem - or at least block the now-known path the perpetrator had used - keep a lid on the story and move on.

How things have changed! Now it's impossible to imagine a major organization sweeping a data incursion under the rug. The downside potential is just too great. In today's world of strengthened regulations, insider informants and rampant blogging, a company has very little chance of keeping a database breach quiet. And because of the strict disclosure requirements in the recent regulations, covering up is now illegal. Organizations have no choice but to disclose data break-ins and to take the consequences - up to and including going out of business.

What has led us to today's situation, in which IT organizations, CIOs, CEOs and even the board of directors are vulnerable to charges of negligence after the failure to protect data properly? It's been a rapid confluence of developments. Here are just a few:

Increased regulation. An array of recent regulations has placed heavy burdens on organizations to maintain the security of their data and to have an audit trail of any activity that touches their databases. The Sarbanes-Oxley Act, HIPAA, the Gramm-Leach-Bliley Act, Basel II, parts of the USA Patriot Act, along with new state laws in California and other states all require that companies ensure the integrity and privacy of their databases. Many of these regulations require companies to document and validate that their databases have been used only for authorized purposes.

More regulations are on the way. In November 2005, the Senate Judiciary Committee approved the bill proposed by Senators Arlen Specter and Patrick Leahy. Their "Personal Data Privacy and Security Act" would require companies that experience data breaches to notify their customers and would set up rules for the U.S. government's use of private databases. Also, the bill would mandate that a business which has the personal data of more than 10,000 U.S. residents in its electronic records must conduct risk assessments and implement a data privacy and security program.

The list of laws that organizations can break through inadequate data protection practices is daunting and ever-growing.

Serious financial costs. The financial downside to organizations that do not provide adequate data security comes in several bitter flavors. First, there are the actual financial penalties imposed by regulatory agencies for failing to comply with regulations. These penalties can reduce profits, generate significant and ugly publicity, damage brands and perhaps scare away customers. For example, under the proposed Personal Data Privacy and Security Act, businesses that fail to implement appropriate data protection practices could be fined up to $500,000 per violation. That's a regulation with teeth.

Second, an organization can experience other types of serious financial consequences. For example, Moody's has warned companies that their credit ratings may be downgraded (and thus the cost of money increased) because of pervasive controls problems, including deficient data access controls. In another example, a regional bank that was growing through mergers and acquisitions was prevented by regulators from pursuing its strategy for six months because of a failed audit on its IT controls. In the high-stakes world of bank mergers, a six-month delay costs tens of millions of dollars.

Third, there is the cost of recovering from a publicly disclosed breach. Companies such as ChoicePoint and CardSystems have suffered major loss of business because of data fraud. So far ChoicePoint's legal expenses for its widely publicized data breach have topped $6 million. BJ's Wholesale Club's failure to secure information has cost it $16 million (Source: Wall Street Journal, July 25, 2005).

Published policies. Many regulations and data security standards specify that organizations must have published policies regarding data security. The existence of published policies carries the obligation to validate: to test, measure and report on compliance. The results of a failed validation can hurt a company, and failing to report this can hurt as well.

Organizations can no longer self-insure. Until recently organizations could "self-insure" against the costs of data fraud. This enabled organizations to keep such costly and embarrassing disclosures out of the public eye. An end to self-insurance is a direct implication of the various pieces of legislation. A company can no longer choose to hide something from the public in the face of disclosure laws and governance requirements, eliminating the major benefit of self-insurance.

The Data Protection Challenge is Growing

These are complex and challenging times for those charged with maintaining data security and preventing data fraud. There was always strong internal pressure to protect vital company and customer data. Now, expanding regulations, fear of cyberterrorism, strengthened privacy laws and the remorseless verdict of the market make the job even tougher. Even with the vastly heightened awareness and understanding of the problem, it's unsettling to realize that in the financial industry, internal security and data controls caught about 20 percent of improper activity. More than 20 percent were caught simply by accident or through tips. Clearly, the current approaches IT staffs are using to prevent or detect data breaches are falling well short of success. Yet, at the same time, the penalties for failure have grown substantially.

Acknowledging these pressures, what is an organization to do? The organization must adopt and implement strong data protection practices that include ongoing assessment, auditing, validation, and reporting. Important principles to build into the data protection plan include: 1) secure at the source (ensure a strong set of controls around the database); 2) manage adherence to security policy (continuously assess compliance with your security policies and with best practices); 3) maintain a trusted audit trail of data-related activity (ensure you can investigate any unexpected activity and create appropriate reports for various stakeholders); and 4) automate the controls as much as possible (manual controls can introduce cost inefficiency, increased room for human error or maliciousness and increased audit scrutiny).

In today's world of data access accountability, there is no room for ignorance. Nor is negligence an acceptable posture. The appropriate response is to implement deliberate, strong information security management practices with support from the data center, the boardroom and the rest of the organization.



Dr. Murray S. Mazer is co-founder and vice president of Lumigent Technologies, a leading risk management solutions company. With 20 years of industry experience in startups and established companies, he has directed security, server, intellectual property and technology licensing strategies and development. Before becoming an entrepreneur, Mazer led R&D programs for the Defense Advanced Research Projects Agency (DARPA), OSF and Digital Equipment Corporation; he and his teams innovated in areas such as data replication, workflow, location-aware computing, mobile data access, security and proxy-based applications. You can reach him at murray.mazer@lumigent.com.

SourceMedia (c) 2006 DM Review and SourceMedia, Inc. All rights reserved.