CA Community

September 2009 - Posts

Brief Observations from GRC Summit 2009

Published: September 30 2009, 05:15 AM | no comments
by Sumner Blount


This week I attended the GRC Summit 2009 conference in Boston. As with all conferences of any kind, there were good sessions, less interesting sessions, and all things in-between. But, in general, I thought they did a good job of getting interesting topics and knowledgeable speakers.

The first keynote was given by Michael Rasmussen, a leading GRC analyst and Founder of Corporate Integrity, Inc. His presentation was an excellent overview of the issues relating to GRC, and was based on the frameworks and models put forth by the Open Compliance and Ethics Group (OCEG). OCEG is also a GRC thought-leader, and I would highly recommend their website as an excellent source of guidance for companies who want to improve their risk and compliance activities.

One of the areas that Michael covered nicely was a summary of the benefits of a unified approach to GRC. There's nothing earth-shaking here, but sometimes in the heat of the GRC battle, the very profound benefits can get lost in the daily challenge of deployment. Here's a quick summary of them:

  • Sustainability – helps an organization become and remain agile and flexible, can respond better to business changes, especially new or changing regulatory requirements.
  • Accountability – helps establish clear ownership of risks, policies, controls, etc.  And, as changes in one area (like a control test) occur, the impacts on other areas (like the related risk) are clear.
  • Consistency – when certain business processes (such as risk assessments) are done essentially the same across the organization, it increases efficiency and improves communication.  It also improves the quality of the information derived from each business process.
  • Transparency – helps ensure that each person gets the information that they need for their job, and in a format that maximizes good decision-making.  Improves visibility of risk, mapping of controls to regulatory requirements, policy adherence, etc.
  • Efficiency – This is typically the biggest short-term benefit for most companies.  Efficiencies are gained from streamlined and common processes, elimination of redundancy (duplicate control testing activities), reduction in the number of controls (through rationalization of controls across regulations), and automation of previously manual processes.  The efficiency gains can, over time, be very significant.
To learn more about GRC efficiency benefits, I recommend the joint paper that I wrote with OCEG, which can be found here. I would be interested in hearing other opinions about the primary benefits that could be obtained from unified GRC.

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Gramm-Leach-Bliley: Improved Consumer Protection, or a Recipe for Disaster?

Published: September 30 2009, 05:15 AM | 2 Comment(s)
by Sumner Blount


The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, was enacted in 1999. As someone who has worked in and around the area of compliance for several years, I have always viewed GLBA primarily as a regulation that attempted to increase the security and privacy of consumers' confidential financial information. GLBA set new requirements for how private information is maintained, and the obligation of financial institutions to inform consumers of their privacy policies. The basic intent of this law, at least in this area, was to ensure that financial institutions had strong security measures in place, that their risk management processes were effective, and that measures were established to protect consumers' private information. A laudable goal, to say the least.

As the financial meltdown became apparent over the past year, the role of GLBA has begun to be re-visited. This is because there are other elements of GLBA that had a much more profound impact on our economic picture than the privacy rules mentioned above. And, whereas the key requirements of GLBA might have sounded quite reasonable many years ago, they have to be viewed in light of the current crisis to help us determine how effective it has been overall.

One of the most important aspects of GLBA was that it repealed some elements of the Glass-Steagall Act of 1933. Glass-Steagall (passed in part as a reaction to some of the excesses that created the Great Depression) prohibited any single institution from conducting business as any combination of an investment bank, commercial bank, and an insurance company. GLBA removed this restriction, and opened up the possibility of huge financial institutions that function as any combination of these types of firms. In particular, it gave rise to CitiGroup (a combination of Citicorp and Travelers Insurance), as well as a number of other huge, consolidated financial institutions.

Although voting was not strictly along party lines, the GLBA was originally passed because of very strong support from Republicans (Wikipedia has a detailed breakdown of the actual voting). This appeared to be a case where Republicans thought that "the market knows best," and freeing up companies to do whatever is in their best interests, was also in the best interests of the country.

It's clear that whatever your political leanings, you have to acknowledge that the restrictions that GLBA removed had a significant impact on the current financial environment. Your leanings will probably dictate how you view these impacts, but it's impossible to deny how important these impacts have been.

At minimum, GLBA opened up the potential for the creation of institutions that were far "too big to fail". And, the past year has seen the impacts of these "too big to fail" companies, as one after another have been bailed out by you and me. Other experts view GLBA as one of the major causes of the financial crisis. In fact, noted economist Paul Krugman has called Senator Phil Gramm the "father of the financial crisis" because of his sponsorship of this Act. (Not surprisingly, Gramm totally discounts the relationship between GLBA and the crisis. But, his case for that argument is tenuous, to say the least.)

There is no one single cause of the financial crisis. But, GLBA removed some important restrictions that later allowed huge financial institutions to participate in activities that directly caused or exacerbated the crisis.

Sometimes, the lack of restrictions (or deregulation) that appears quite reasonable in one financial climate can have dramatic and disastrous impacts in a different financial climate. And, sometimes (as in the case of GLBA), these changes can actually cause a significant dislocation of the economy when the current conditions change. This is a good lesson for the future: short-term political expediency should not take precedence over the long-term needs of the economy and of consumers.

Video Blog: CA Information Governance Talks: Cloud Computing, Social Networks & How They Relate to eDiscovery

Published: September 30 2009, 05:15 AM | no comments
by Pete Pepiton

Industry experts Judge Ron Hedges and CA's eDiscovery Solutions Specialist Pete Pepiton discuss Cloud Computing and how it's related to eDiscovery.


By: Pete Pepiton
Pete Pepiton is the eDiscovery Solutions Director, inside the Information Governance group at CA. Pete has 15 years of experience in delivering professional services, both as a practicing attorney and the owner of several document management companies, helping large corporate clients address, process...

The Value of Integration and Standards: Lessons from the Consumer Electronics Space

Published: September 29 2009, 10:28 AM | no comments
by Merritt Maxim

The start of the academic school year in my house was accompanied by two technology events with parallels to security management.  First, a hard drive on our six-year-old home laptop died.  Thanks to online storage, no data was lost, but I did have to procure a new hard drive.

I expected ordering a new hard drive for such an old PC to be a lost cause, but this vendor immediately pulled up the serial number, found the proper part and shipped it out to me.  A very simple process repeated daily in thousands of industries.

What made this process stand out was what happened next.  The replacement part was delivered to my residence via one of the major overnight delivery services (with signature confirmation).  Within 20 minutes of delivery, I received a phone call from the laptop vendor offering assistance to install the new hard drive.  This call caught me by surprise, but proved that this vendor had taken the effort to integrate the 3rd party delivery status with their customer support application to ensure customer support would receive notification and be able to follow up with the customer.

Did this integration require a lot of effort?  Probably not, as all the delivery services can be easily integrated into other systems for this purpose.  What was significant was that this vendor had completed the integration and was using it not just to confirm delivery, but to take a proactive approach with customers.  Does integration like this drive more revenue or reduce costs?  Hard to tell on the former, but on the latter, the proactive approach helps reduce support calls.  What is definitely true is that this approach improves customer satisfaction and brand loyalty which, while hard to quantify, are very important metrics.

This incident confirmed for me the value of integration and shows why we invest so heavily in integrating CA security management products, whether it is Enterprise Log Manager with Access Control or Role & Compliance Manager with Identity Manager.  While it is sometimes hard to quantify the value of integration, there is no doubt that integration can deliver value to customers in multiple ways.

In my second consumer electronics incident, I received a new mobile device.  My enthusiasm for this device was tempered when I realized that it uses a miniUSB charger as well as a different size headphone jack for music and hands-free phone, meaning a new series of home and car chargers as well as headsets!

As someone who has had a cell phone since the days of the 3V bag phone from Bell Atlantic, my home desk is littered with chargers from every possible vendor and type (contact me if you are looking for an old charger; chances are I have it!).  As I looked at my chargers on my desk, I noticed how these chargers have evolved from proprietary, model-specific chargers into standards-based models like USB and now miniUSB.  And while I am not thrilled about another set of chargers, it proves that technology standards matter.  It makes it easier for me to use other third-party products (like car chargers and headsets) without having to repurchase an entire new set every time I get a new device.  It also reduces my need to lug around six different chargers and cables when I travel.

This is certainly true in security management where standards such as SAML, LDAP, XACML, SPML and efforts like Kantara Initiative have directly accelerated adoption and deployment of identity and access management solutions.  Standards provide assurance to customers that products will interoperate as well as provide flexibility.  And while the hazards of proprietary approaches are more visceral in the consumer world than in enterprise software, the same guiding principle holds:  Standards and integration are no longer "nice to have", but an absolute requirement for today's enterprise-wide security deployments.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Video Blog: Why Should You Attend ARMA 2009?

Published: September 25 2009, 08:07 AM | no comments
by CA IG Blog Admin

Melissa Ebert, ARMA Strategic Alliance Advisor, talks about ARMA 2009.

By: CA IG Blog Admin
The CA IG Blog Admin helps keep content fresh on the site when the bloggers are on the road and disconnected from their laptops. The Blog Admin also makes sure subscribers receive their email updates, information about comments and that blog features and widgets are working properly day and night.