risk assessment

Healthcare Organizations: Security a Major Concern

November 22nd, 2013

The 2014 IT audit survey results released by Protiviti, a consulting firm, give some perspective on where healthcare organizations currently stand in IT auditing, including security, in strengthening governance and controls, and in how well they are managing IT risk.

For the vendor’s third annual IT audit benchmarking study, titled From Cyber security to IT Governance – Preparing Your 2014 Audit Plan, more than 460 IT audit executives and professionals were surveyed, of whom 6 percent came from healthcare providers and 3 percent from payers. The top technology challenges identified include IT security, IT governance, vendor management, big data analytics and cloud computing, among others. IT security, covering data security, cyber security and mobile security, was the number one challenge for the second consecutive year.

Following are the key findings from the report:

  • Organizations should look to expand IT audits as one component of a broadening net of assurance that evaluates the design and operating effectiveness of management’s security risk assessment, its system of controls and its monitoring of the environment.
  • Organizations do not have adequate IT audit resources, and these resources are not always a formal part of the audit group.
  • Not enough companies are performing IT audit risk assessments on a regular basis, nor are they updating these assessments as frequently as they should. As a result, IT components aren’t being sufficiently reviewed.
  • Strong IT governance and controls are a priority across all industries.

Brian Christensen, Protiviti executive vice president of global internal audit, said in the press release: “In today’s organizations, virtually every function is technology-dependent, which means companies face a greater number of challenges to ensure an efficient, secure IT environment. Based on the study, it’s apparent that there is a tremendous gap between where most companies are and where they should be in terms of managing IT risk and strengthening governance and controls. As audit plans are developed, these technology challenges should also be top-of-mind for internal audit.”

Some of the numbers suggest that improvement is needed across industries. According to the report, 42 percent of organizations rely on outside resources to augment their IT audit departments because they lack the internal resources to fully assess potential risks. And one-third of companies with less than $100 million in revenue do not conduct any type of IT audit risk assessment.

David Brand, a Protiviti managing director and leader of the firm’s IT Audit practice, said: “Although there are areas that clearly need attention, it’s a good sign that more companies are working to implement IT governance policies and procedures. We have seen an uptick in the number of companies that are evaluating IT governance as part of their audit process.”

Alertsec strengthens security

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially large corporations, must have an information security policy in place that demonstrates they have taken the necessary steps and measures to safeguard the information they gather. If these policies are not adhered to, regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.


Decoding the Red Flags

April 12th, 2013

Investors can now heave a sigh of relief. The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have adopted a new set of rules and guidelines that require entities subject to their enforcement authority to establish programs that protect investors from identity theft.

The rules, adopted on April 10th, are not very different from the existing rules put in place under the Fair Credit Reporting Act by the FTC and the federal banking regulators.

The rules, named the ‘Red Flags Rules’, were adopted pursuant to the Dodd-Frank Act. For the uninitiated, the Dodd-Frank Act was an act to promote the financial stability of the U.S.A.; to save taxpayers’ money by improving accountability and transparency in the financial system; to protect the American taxpayer by ending bailouts; to protect consumers from abusive financial services practices; and for other purposes.

They require businesses to implement a written identity theft prevention program that watches for the warning signs of identity theft, termed the red flags.

The new rules apply to those “financial institutions” and “creditors” that maintain certain covered accounts. They require such financial institutions and creditors to establish and implement an identity theft detection program.

The program must identify, detect and respond to activity that could indicate identity theft.

Entities such as broker-dealers that offer custodial accounts for minors, investment companies permitting investor wire transfers and check writing, and investment advisers permitted to direct payments out of transaction accounts fall within the SEC’s ambit. The CFTC, on the other hand, covers futures commission merchants, retail foreign exchange dealers, commodity trading advisers, commodity pool operators, introducing brokers, swap dealers and major swap participants.

An entity maintaining one or more accounts must determine whether they are covered accounts under the rules’ risk assessment criteria. A covered account is either an account maintained primarily for personal, family or household purposes that permits multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk of identity theft to customers. Examples of the former type of consumer account include ‘‘a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.’’

How to Identify Red Flags

The identity theft prevention program of each business entity must carry out the following five functions.

  1. Identifying red flags: identify the relevant patterns, practices and specific forms of activity that signal possible identity theft, reviewing them both on a schedule and as circumstances change.
  2. Detecting them: detect those red flags in day-to-day operations so that the program’s policies can be applied.
  3. Responding appropriately: resolve detected red flags in a way that prevents and mitigates identity theft.
  4. Periodic review and updating: maintain a mechanism to evaluate and update the program against future threats.
  5. Administration of the program: the program must initially be approved by the board of directors or, if the entity does not have a board, by a senior-level manager, and it must specify an experienced person responsible for implementing and administering it.

The Red Flags Rules become effective 30 days after publication in the Federal Register, and the compliance date is six months after the effective date (around November 15).

The Red Flags Rules are seen as a breath of fresh air for investors. Although most of the entities are already subject to similar rules issued by the FTC, this rule is new to many private fund advisers.

The results of the risk assessment help to prioritize the risk areas (e.g., portable devices, offshore business associates, lack of encryption) to be targeted for the implementation of controls (e.g., policies, processes, training) that manage the identified risks.

Secure your Data with Alertsec

Following the essential guidelines is necessary for data security in any organization, and this news exemplifies the need for data protection applications. In an incident that highlights the need for data encryption software and recovery software, the threat could have been reduced to an insurance matter by a mere investment of $13/month. The information would have remained secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a straightforward, easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.
