Category: Compliance Programs

SEC Inspector General Testifies In Congress

SEC Inspector General H. David Kotz In the first Congressional hearing since the Madoff scandal broke in December, Mr. Kotz said his agency’s handling of the Madoff case may be a symptom of more widespread problems with how the agency handles its examinations and investigations.

Kotz testified on the subject of “Assessing the Madoff Ponzi Scheme.”

Frankly it sounds like the SEC will spend as much time and energy investigating themselves on the Madoff matter as they will actually investigating the Madoff matter itself.

See also:

You Need An Impartial Chief Compliance Officer

As Merritt Maxim of CA points out, Madoff Scheme Highlights Need for Impartial CCO, one of the biggest red flags in the Madoff scandal was that was the disclosure that Madoff’s brother Peter served as the firm’s Chief Compliance Officer.

“While having any sibling or family member serve as a CCO should not be an immediate cause for concern, the results of the Madoff scheme indicate that the only CCO who could have enabled the Madoff scam to persist was someone who was either:

A) Related to Bernard Madoff
B) Complicit in the fraud
C) Did not adequately fulfill their responsibilities as a CCO or
D) All of the Above.”

Corporate In-House Counsel in the Age of Internal Compliance

You can listen to a webinar from the Georgetown Journal of Legal Ethics Fall Symposium – Corporate Compliance: The Role of Company Counsel from October, 2007.

Panel III – Corporate In-House Counsel in the Age of Internal Compliance

Professor Rostain started off with a summary of her paper: General Counsel in the Age of Compliance – A Research Agenda (.pdf).

She cites two reasons for compliance regimes. One is the diffusion of compliance throughout the organization. The goal is to centralize the management of those functions. The second is the multi-disciplinary approach to compliance. You need different types of knowledge and expertise.   In-house counsel needs to relinquish some of the control to group managers.

Are in-house counsel managers first? or are they lawyers first? Which is the better model? Do they exert more influence when they take the role of manager or the role of lawyer? Professor Rostain cited some previous studies on these topics. If they focused on legal risk, they had less influence over corporate decision making. Lawyers limited to explaining the risk and deferring the risk decision to the managers had less influence in the the corporation.  One survey responder equated managers as playing offense and counsel playing defense.

Professor Rostain stated an example of counsel making clear what her personal opinion was and what her professional opinion is.

Killingsworth pointed out the dark side of the new powers of general counsel. After SOX, new reporting obligations were forced on general counsel.  One problem is that the general counsel may be investigating a potential violation and have a duty to report it at the same time, making it difficult to do both well. Counsel are also worried about the increased risk of criminal action against in-house counsel. You only talk to regulatory people about your compliance program when it has failed. You need to penetrate down to everyone that can get you in trouble and everyone that can keep you out of trouble. Is important to mpve from abstract compliance terms into the mechanics of the business processes.

Straw states that “knowledge of the business” is the most important part of creating an effective compliance program. The face of compliance needs to be visible and accessible. A code of conduct sitting on the bookshelf is not effective.

Barlow focused on risk.  She talked about ERM, the process and how it fits into compliance.

The Roles and Responsibilities of the General Counsel in the Organization’s Ethical Culture

The Markkula Center for Applied Ethics at Santa Clara University hosted a panel discussion on The Roles and Responsibilities of the General Counsel in the Organization’s Ethical Culture. The panel consisted of:

  • Tom McCoy, executive vice president, legal affairs, and chief administrative officer, Advanced Micro Devices, moderator
  • Craig Nordlund, senior vice president, general counsel and secretary, Agilent Technologies
  • Martin Collins, senior vice president and general counsel, Novellus
  • Fred Gonzalez, vice president, general counsel, and secretary, SonicWall

You can also listen to an audio recording of the panel discussion. (MP3)

Craig offers up the Winona Ryder paradigm as the reason Enron happened:

“Why did she do it? Well, first of all, she figured she wouldn’t get caught. And secondly, if she did get caught, she figured because she was famous, she would get off scot-free. And so he said in the environment in which Enron was operating, Ken Lay and his executive team had that same sort of sense, that they probably wouldn’t get caught, but if they did, nobody was punishing white collar crime of that magnitude, and so they’d get off and they could move on successfully to another job.”

Craig sees the role of the general counsel shifting from one acting as an advocate to one acting as a policeman. The Chief Compliance Officer, the General Counsel and the Audit Committee are holding the company accountable as a whole.

Martin likes to look at general counsel as a “consigliere,” someone that is turned to for their advice and their judgment. If you are just repeating the law as it’s written down by outside counsel, you are not doing your job. General counsel needs to focused on preventing problems from arising in the first place.

Fred believes that general counsel needs to “avoid underestimating the risk of suppressing facts solely to preserve internal solidarity.”

Is it unethical if you do not get caught? Of course it is still wrong.

Is ethics a function of the general counsel. One response is that it is not a function at all. It is a set of values and a vision.

What Is Your Scope of Compliance?

Unified Compliance Framework  put together this list of compliance requirement and regulatory schemes that may need to be part of your compliance program.

Below is a long list of regulatory schemes that may need to be part of your compliance framework:

Sarbanes Oxley Guidance

  • Sarbanes-Oxley Act (SOX)
  • PCAOB Auditing Standard No. 2
  • AICPA SAS 94
  • AICPA/CICA Privacy Framework
  • AICPA Suitable Trust Services Criteria
  • Retention of Audit and Review Records, SEC 17 CFR 210.2-06
  • Controls and Procedures, SEC 17 CFR 240.15d-15
  • Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
  • COSO Enterprise Risk Management (ERM) Framework
  • OMB Circular A-123 Management’s Responsibility for Internal Control
  • Securities Exchange Act of 1934
  • Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control
  • PCAOB Audit Standard No. 3
  • PCAOB Audit Standard No. 5
  • SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  • SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Banking and Finance Guidance

  • Basel II: International Convergence of Capital Measurement and Capital Standards – A Revised Framework
  • BIS Sound Practices for the Management and Supervision of Operational Risk
  • Gramm-Leach-Bliley Act (GLB)
  • Standards for Safeguarding Customer Information, FTC 16 CFR 314
  • Privacy of Consumer Financial Information, FTC 16 CFR 313
  • Safety and Soundness Standards, Appendix of OCC 12 CFR 30
  • FFIEC IT Examination Handbook – Information Security
  • FFIEC IT Examination Handbook  – Development and Acquisition
  • FFIEC IT Examination Handbook   – Business Continuity Planning
  • FFIEC IT Examination Handbook   – Audit
  • FFIEC IT Examination Handbook   – Management
  • FFIEC IT Examination Handbook   – Operations
  • ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58
  • Bank Secrecy Act (aka Currency and Foreign Transaction Reporting Act)
  • Check 21 (Check Clearing for the 21st Century) Act
  • FCRA (Fair Credit Reporting Act)
  • FDIC and FFIEC Guidance on Authentication in an Internet Banking Environment
  • FFIEC IT Examination Handbook – Outsourcing Technology Services
  • FFIEC IT Examination Handbook – Supervision of Technology Service Providers
  • FFIEC IT Examination Handbook – Wholesale Payment Systems
  • FFIEC IT Examination Handbook – Retail Payment Systems
  • FFIEC IT Examination Handbook – E-Banking

NASD NYSE Guidance

  • NASD Manual
  • Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1
  • Records to be made by certain exchange members SEC 17 CFR 240.17a-3
  • Records to be preserved by certain exchange members SEC 17 CFR 240.17a-4
  • Recordkeeping SEC 17 CFR 240.17Ad-6
  • Record retention SEC 17 CFR 240.17Ad-7
  • NYSE Listed Company Manual
  • Securities Act of 1933
  • Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management’s Report on Internal Control Over Financial Reporting; Final Rule

Healthcare and Life Science Guidance

  • HIPAA (Health Insurance Portability and Accountability Act)
  • HIPAA HCFA Internet Security Policy
  • Introductory Resource Guide for HIPAA NIST (800-66)
  • CMS Core Security Requirements (CSR)
  • CMS Information Security Acceptable Risk Safeguards (ARS)
  • SYSTEM SECURITY PLANS (SSP) METHODOLOGY
  • CMS Info Security Business Risk Assessment
  • CMS Business Partners Systems Security Manual
  • FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1

Energy Guidance

  • FERC Security Program for Hydropower Projects
  • North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards

Payment Card Guidance

  • PCI DSS (Payment Card Industry Data Security Standard) 1.1 [Redacted: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Security Audit Procedures 1.1 [Redacted: Q3 08]
  • Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 [Released: Q4 08]
  • PCI DSS Security Scanning Procedures [Released: Q3 07]
  • Payment Card Industry (PCI) Payment Application Data Security Standard 1.1 [Redacted: Q3 08]
  • MasterCard Wireless LANs – Security Risks and Guidelines [Released: Q3 07]
  • Payment Card Industry Self-Assessment Questionnaire A [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire B [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire C [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire D [Released: Q4 07]
  • VISA CISP: What to Do If Compromised [Released: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 [Released: Q4 08]
  • VISA Incident Response Procedure for Account Compromise [Released: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
  • Visa Payment Application Best Practices (PABP) [Redacted: Q4 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
  • VISA E-Commerce Merchants Guide to Risk Management [Released: Q3 08]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 [Released: Q4 08]
  • MasterCard Electronic Commerce Security Architecture Best Practices [Released: Q3 07]
  • American Express Data Security Standard (DSS) [Released: Q3 07]
  • BBB Online Code of Business Practices [Released: Q3 07]

US Federal Security Guidance

  • FTC Electronic Signatures in Global and National Commerce Act (ESIGN) [Released: Release 1]
  • Uniform Electronic Transactions Act (UETA) [Released: Release 1]
  • FISMA (Federal Information Security Management Act) [Released: Release 1]
  • FISCAM (Federal Information System Controls Audit Manual) [Released: Release 1]
  • FIPS 140-2, Security Requirements for Cryptographic Modules [Released: Release 1]
  • FIPS 191, Guideline for the Analysis of LAN Security [Released: Release 1]
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems [Released: Release 1]
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems [Released: Q3 07]
  • Clinger-Cohen Act (Information Technology Management Reform Act) [Released: Release 1]
  • DoD 5220.22-M, National Industrial Security Program Operating Manual [Released: Q3 07]
  • The National Strategy to Secure Cyberspace [Released: Release 1]
  • GAO Financial Audit Manual [Released: Release 1]
  • Standard for Electronic Records Management Software, DOD 5015.2 [Released: Release 1]
  • Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives [Released: Release 1]
  • CISWG Information Security Program Elements [Released: Q3 07]
  • Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources [Released: Release 1]
  • NCUA Guidelines for Safeguarding Member Information, 12 CFR 748 [Released: Release 1]
  • CT-PAT Best Practices Guide [Released: Q4 07]
  • US Export Administration Regulations [Released: Q4 07]
  • US The International Traffic in Arms Regulations [Released: Q4 07]

US Internal Revenue Guidance

  • IRS Revenue Procedure: Retention of books and records, 97-22 [Released: Release 1]
  • IRS Revenue Procedure: Record retention: automatic data processing, 98-25 [Released: Release 1]
  • IRS Internal Revenue Code Section 501(c)(3) [Released: Release 1]

Records Management Guidance

  • Federal Rules of Civil Procedure [Released: Release 1]
  • Uniform Rules of Evidence [Released: Release 1]
  • ISO 15489-1, Information and Documentation: Records management: General [Released: Release 1]
  • ISO 15489-2, Information and Documentation: Records management: Guidelines [Released: Release 1]
  • The DIRKS Manual: A Strategic Approach to Managing Business Information [Released: Release 1]
  • The Sedona Principles Addressing Electronic Document Production [Released: Release 1]
  • 16 CFR Part 682 Disposal of consumer report information and records [Released: Q3 08]

NIST Guidance

  • Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 [Released: Release 1]
  • Developing Security Plans for Federal Information Systems, NIST SP 800-18 [Released: Release 1]
  • Security Self-Assessment Guide, NIST SP 800-26 [Released: Release 1]
  • Risk Management Guide, NIST SP 800- 30 [Released: Release 1]
  • Underlying Technical Models for Information Technology Security [Released: Release 1]
  • Contingency Planning Guide for Information Technology Systems, NIST SP 800-34 [Released: Release 1]
  • Creating a Patch and Vulnerability Management Program, NIST SP 800-40 [Released: Release 1]
  • Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 [Released: Release 1]
  • Recommended Security Controls for Federal Information Systems, NIST SP 800-53 [Released: Release 1]
  • Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60 [Released: Release 1]
  • Computer Security Incident Handling Guide, NIST SP 800-61 [Released: Release 1]
  • Security Considerations in the Information System Development Life Cycle, NIST SP 800-64 [Released: Release 1]
  • Guide for Developing Performance Metrics for Information Security, NIST SP 800-80 [Released: Q4 07]
  • Security Metrics Guide for Information Technology Systems, NIST SP 800-55 [Released: Q4 07]
  • Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A [Released: Q3 08]
  • Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1 [Released: Q4 08]

ISO Guidance

  • ISO 73:2002, Risk Management – Vocabulary [Released: Release 1]
  • ISO 17799:2000, Code of Practice for Information Security Management [Released: Release 1]
  • ISO 17799:2005 Code of Practice for Information Security Management [Released: Q1 08]
  • ISO 27001:2005, Information Security Management Systems – Requirements [Released: Q1 08]
  • ISO/IEC 20000-12:2005 Information technology – Service Management Part 1 [Released: Release 1]
  • ISO/IEC 20000-2:2005 Information technology – Service Management Part 2 [Released: Release 1]
  • ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1 [Released: Q1 08]
  • ISO/IEC 15408-2:2005 Common Criteria for Information Technology Security Evaluation Part 2 [Released: Q1 08]
  • ISO/IEC 15408-3:2005 Common Criteria for Information Technology Security Evaluation Part 3 [Released: Q1 08]
  • ISO/IEC 27002-2005 Code of practice for information security management [Released: Q1 08]
  • ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3 [Released: Q3 08]
  • ISO 13335-1:2004, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management [Released: Q1 08]
  • ISO 13335-3:1998, Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security [Released: Q1 08]
  • ISO 13335-4:2000, Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards [Released: Q1 08]
  • ISO 13335-5:2001, Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security [Released: Q1 08]

ITIL Guidance

  • OGC ITIL: Planning to Implement Service Management [Released: Release 1]
  • OGC ITIL: ICT Infrastructure Management [Released: Release 1]
  • OGC ITIL: Service Delivery [Released: Release 1]
  • OGC ITIL: Service Support [Released: Release 1]
  • OGC ITIL: Application Management [Released: Release 1]
  • OGC ITIL: Security Management [Released: Release 1]
  • CobiT 3rd Edition [Redacted: Release 1]
  • CobiT 4.1 [Released: Release 1]
  • ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals [Released: Release 1]
  • Disaster / Emergency Management and Business Continuity, NFPA 1600 [Released: Release 1]
  • ISF Standard of Good Practice for Information Security [Redacted: Release 1]
  • ISF Security Audit of Networks [Released: Release 1]
  • A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM [Released: Release 1]
  • Business Continuity Institute (BCI) Good Practice Guidelines [Released: Release 1]
  • ISSA Generally Accepted Information Security Principles (GAISP) [Released: Release 1]
  • CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) [Released: Release 1]
  • The GAIT Methodology [Released: Release 1]
  • AICPA Incident Response Plan: Template for Breach of Personal Information [Released: Release 1]
  • IIA Global Technology Audit Guide (GTAG): Information Technology Controls [Released: Release 1]
  • The Standard of Good Practice for Information Security [Released: Q4 08]

US Federal Privacy Guidance

  • Cable Communications Privacy Act Title 47 § 551 [Released: Release 1]
  • Telemarketing Sales Rule (TSR), 16 CFR 310 [Released: Release 1]
  • CAN SPAM Act [Released: Release 1]
  • Children’s Online Privacy Protection Act (COPPA), 16 CFR 312 [Released: Release 1]
  • Driver’s Privacy Protection Act (DPPA), 18 USC 2721 [Released: Release 1]
  • Family Education Rights Privacy Act (FERPA), 20 USC 1232 [Released: Release 1]
  • Privacy Act of 1974, 5 USC 552a [Released: Release 1]
  • Video Privacy Protection Act (VPPA), 18 USC 2710 [Released: Release 1]
  • Specter-Leahy Personal Data Privacy and Security Act [Released: Release 1]
  • Amendments to the FTC Telemarketing Sales Rule [Released: Release 1]
  • Children’s Online Privacy Protection Act [Released: Release 1]
  • FACT Act (Fair and Accurate Credit Transactions Act of 2003) [Released: Q3 08]

US State Laws Guidance

  • Arkansas Personal Information Protection Act AR SB 1167 [Released: Release 1]
  • Arizona Amendment to Arizona Revised Statutes 13-2001, AZ HB 2116 [Released: Release 1]
  • California Information Practice Act, CA SB 1386 [Released: Release 1]
  • California General Security Standard for Businesses CA AB 1950 [Released: Release 1]
  • California Public Records Military Veteran Discharge Documents, CA AB 1798 [Released: Release 1]
  • California OPP Recommended Practices on Notification of Security Breach [Released: Release 1]
  • Colorado Prohibition against Using Identity Information for Unlawful Purpose, CO HB 1134 [Released: Release 1]
  • Colorado Consumer Credit Solicitation Protection, CO HB 1274 [Released: Release 1]
  • Colorado Prohibiting Inclusion of Social Security Number, CO HB 1311 [Released: Release 1]
  • Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650 [Released: Release 1]
  • Connecticut law Concerning Nondisclosure of Private Tenant Information, CT HB 5184 [Released: Release 1]
  • Delaware Computer Security Breaches DE HB 116 [Released: Release 1]
  • Florida Personal Identification Information/Unlawful Use, FL HB 481 [Released: Release 1]
  • Georgia Consumer Reporting Agencies, GA SB 230 [Released: Release 1]
  • Georgia Public employees; Fraud, Waste, and Abuse, GA HB 656 [Released: Release 1]
  • Hawaii Exempting disclosure of Social Security numbers HI HB 2674 [Released: Release 1]
  • Illinois Personal Information Protection Act IL HB 1633 [Released: Release 1]
  • Indiana Release of Social Security Number, Notice of Security Breach IN SB 503 [Released: Release 1]
  • Louisiana Database Security Breach Notification Law, LA SB 205 Act 499 [Released: Release 1]
  • Maine law To Protect Maine Citizens from Identity Theft, ME LD 1671 [Released: Release 1]
  • Minnesota Data Warehouses; Notice Required for Certain Disclosures, MN HF 2121 [Released: Release 1]
  • Missouri War on Terror Veteran Survivor Grants, MO HB 957 [Released: Release 1]
  • Montana bill to Implement Individual Privacy and to Prevent Identity Theft, MT HB 732 [Released: Release 1]
  • New Jersey Identity Theft Prevention Act, NJ A4001/S1914 [Released: Release 1]
  • New York Information Security Breach and Notification Act [Released: Release 1]
  • Nevada Security Breach Notification Law, NV SB 347 [Released: Release 1]
  • North Carolina Security Breach Notification Law (Identity Theft Protection Act) , NC SB 1048 [Released: Release 1]
  • North Dakota Personal Information Protection Act, ND SB 2251 [Released: Release 1]
  • Ohio Personal information – contact if unauthorized access, OH HB 104 [Released: Release 1]
  • Rhode Island Security Breach Notification Law, RI HB 6191 [Released: Release 1]
  • Tennessee Security Breach Notification, TN SB 2220 [Released: Release 1]
  • Texas Identity Theft Enforcement and Protection Act, TX SB 122 [Released: Release 1]
  • Vermont Relating to Identity Theft , VT HB 327 [Released: Release 1]
  • Virginia Identity theft; penalty; restitution; victim assistance, VA HB 872 [Released: Release 1]
  • Washington Notice of a breach of the security, WA SB 6043 [Released: Release 1]
  • § 1724 California Civil Code [Released: Q3 07]
  • Texas Business and Commerce Code, secs. 48.102, 48.103 [Released: Q3 07]
  • Minnesota Plastic Card Security Act (H.F. 1758 [Released: Q3 07]
  • California Personal Information: Disclosure to Direct Marketers Act (SB 27) [Released: Q3 08]

EU Guidance

  • EU Directive on Privacy and Electronic Communications, 2002/58/EC [Released: Release 1]
  • EU Directive on Data Protection, 95/46/EC [Released: Release 1]
  • US Department of Commerce EU Safe Harbor Privacy Principles [Released: Release 1]
  • Consumer Interests in the Telecommunications Market, Act No. 661 [Released: Release 1]
  • OECD / World Bank Technology Risk Checklist [Released: Release 1]
  • OECD Guidelines on Privacy and Transborder Flows of Personal Data [Released: Release 1]
  • UN Guidelines for the Regulation of Computerized Personal Data Files (1990) [Released: Release 1]
  • ISACA Cross-Border Privacy Impact Assessment [Released: Release 1]
  • Information Technology Security Evaluation Manual (ITSEM) [Released: Release 1]
  • Information Technology Security Evaluation Criteria (ITSEC) [Released: Release 1]
  • Directive 2003/4/EC Of The European Parliament [Released: Release 1]
  • EU 8th Directive (European SOX) [Released: Q4 08]
  • OECD Principles of Corporate Governance [Released: Q4 08]

UK and Canadian Guidance

  • Financial Reporting Council, Combined Code on Corporate Governance [Released: Q4 08]
  • Turnbull Guidance on Internal Control, UK FRC [Released: Release 1]
  • Smith Guidance on Audit Committees, UK FRC [Released: Release 1]
  • UK Data Protection Act of 1998 [Released: Release 1]
  • IT Service Management Standard , BS 15000-1 [Released: Release 1]
  • IT Service Management Standard – Code of Practice, BS 15000-2 [Released: Release 1]
  • British Standards Institute PAS 56, Guide to Business Continuity Management [Released: Release 1]
  • Canada Keeping the Promise for a Strong Economy Act, Bill 198 [Released: Release 1]
  • Canada Personal Information Protection Electronic Documents Act (PIPEDA) [Released: Release 1]
  • Canada Privacy Policy and Principles [Released: Release 1]
  • Canadian Marketing Association Code of Ethics and Standards of Practice [Released: Q4 08]

Other European and African Guidance

  • Austria Data Protection Act [Released: Release 1]
  • Austria Telecommunications Act [Released: Release 1]
  • Bosnia Law on Protection of Personal Data [Released: Release 1]
  • Czech Republic Personal Data Protection Act [Released: Release 1]
  • Denmark Act on Competitive Conditions and Consumer Interests [Released: Release 1]
  • Finland Personal Data Protection Act [Released: Release 1]
  • Finland act on the amendment of the Personal Data Act (986/2000) [Released: Release 1]
  • France Data Protection Act [Released: Release 1]
  • German Federal Data Protection Act [Released: Release 1]
  • IT Baseline Protection Manual Germany [Released: Release 1]
  • Greece Law on the Protection of Individuals with Regard to the Processing of Personal Data [Released: Release 1]
  • Hungary Protection of Personal Data and Disclosure of Data of Public Interest [Released: Release 1]
  • Iceland Protection of Privacy as regards the Processing of Personal Data [Released: Release 1]
  • Ireland Data Protection Act of 1988 [Released: Release 1]
  • Ireland Data Protection Amendment 2003 [Released: Release 1]
  • Italy Personal Data Protection Code [Released: Release 1]
  • Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data [Released: Release 1]
  • Lithuania Law on Legal Protection of Personal Data [Released: Release 1]
  • Luxembourg Data Protection Law [Released: Release 1]
  • Netherlands Personal Data Protection Act [Released: Release 1]
  • Poland Protection of Personal Data Act [Released: Release 1]
  • Slovak Republic Protection of Personal Data in Information Systems [Released: Release 1]
  • Personal Data Protection Act of the Republic of Slovenia of 2004 [Released: Release 1]
  • South Africa Promotion of Access to Information Act [Released: Release 1]
  • ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data [Released: Release 1]
  • Sweden Personal Data Act [Released: Release 1]
  • Switzerland Federal Act on Data Protection [Released: Release 1]
  • German Corporate Governance Code (“The Code”) [Released: Q4 08]
  • The Dutch corporate governance code, Principles of good corporate governance and best practice provisions [Released: Q4 08]
  • The King Committee on Corporate Governance, Executive Summary of the King Report 2002 [Released: Q4 08]
  • Swedish Code of Corporate Governance; A Proposal by the Code Group [Released: Q4 08]

Asia and Pacific Rim Guidance

  • Australia Better Practice Guide – Business Continuity Management [Released: Release 1]
  • Australia Spam Act [Released: Release 1]
  • Australia Spam Act 2003: A practical guide for business [Released: Release 1]
  • Australia Privacy Act [Released: Release 1]
  • Australia Telecommunications Act [Released: Release 1]
  • Hong Kong Personal Data (Privacy) Ordinance [Released: Release 1]
  • Japan ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0) [Released: Release 1]
  • Japan Handbook Concerning Protection Of Personal Data [Released: Release 1]
  • Japan Personal Information Protection Act (Law No. 57 of 2003) [Released: Release 1]
  • Korea Act on Promotion of Information & Communication Network Utilization and Information Protection, etc [Released: Release 1]
  • Korea Act on the Protection of Personal Information Maintained by Public Agencies 1994 [Released: Release 1]
  • Korea Act Relating to Use and Protection of Credit Information [Released: Release 1]
  • New Zealand Privacy Act 1993 [Released: Release 1]
  • Taiwan Computer-Processed Personal Data Protection Law 1995 [Released: Release 1]
  • India Information Technology Act (ITA-2000) [Released: Release 1]
  • Australian Government ICT Security Manual (ACSI 33) [Released: Q3 08]
  • Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 [Released: Q4 08]
  • Corporate Governance in listed Companies – Clause 49 of the Listing Agreement [Released: Q4 08]
  • CODE OF CORPORATE GOVERNANCE 2005 [Released: Q4 08]
  • Argentina Personal Data Protection Act [Released: Release 1]
  • Mexico Federal Personal Data Protection Law [Released: Release 1]

System Configuration Guidance

  • CI Security Persistent Identifiers [Released: Q3 07]
  • CI Security Solaris Benchmark v2.1 [Released: Q3 07]
  • CI Security Solaris Benchmark v1.3 [Released: Q3 07]
  • CI Security HP-UX Benchmark v1.3 [Released: Q3 07]
  • CI Security Red Hat Enterprise Linux Benchmark v1.0 [Released: Q3 07]
  • CI Security Red Hat Enterprise Linux Benchmark v1.0.5 [Released: Q3 07]
  • CI Security SuSE Linux Enterprise Server Benchmark v1.0 [Released: Q3 07]
  • CI Security Slackware Linux Benchmark v1.1 [Released: Q3 07]
  • CI Security AIX Benchmark v1.0 [Released: Q3 07]
  • CI Security FreeBSD Benchmark v1.0 [Released: Q3 07]
  • Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2 [Released: Q4 07]
  • Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 5 Release 1 [Released: Q4 07]
  • CI Security Windows XP Professional SP1/SP2 [Released: Q3 07]
  • Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 [Released: Q4 07]
  • NSA Guide to Security Microsoft Windows XP [Released: Q4 07]
  • CI Security Windows 2000 Professional [Released: Q4 07]
  • DISA Windows XP Security Checklist Version 6 [Released: Q1 08]
  • CI Security Windows 2000 Server [Released: Q3 07]
  • CI Security Windows Server 2003 [Released: Q4 07]
  • CI Security Windows 2000 [Released: Q4 07]
  • CI Security Windows NT [Released: Q4 07]
  • DISA Windows VISTA Security Checklist Version 6 [Released: Q1 08]
  • NSA Guide to Securing Microsoft Windows 2000 Group Policy [Released: Q4 07]
  • Center for Internet Security Mac OS X Tiger Level I Security Benchmark
  • Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings
  • Mac OS X Security Configuration for version 10.4 or later, second edition]
  • Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings
  • DISA Windows Server 2003 Security Checklist Version 6
    DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 1.2
  • DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2

Researching the Federal Securities Law

sec-sealThe SEC has put together a collection of Researching the Federal Securities Laws Through the SEC Website.

This guide provides an overview of how to research the securities law through the SEC website and is provided as a service to investors and members of the public. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule you should consult with an attorney who specializes in securities law. This guide does not address primary and secondary sources available in print or through other websites, other than those to which the SEC website links. The guide is organized by providing suggestions for the research of:

  • Statutes (the Securities Laws)
  • SEC Rules and Regulations
  • SEC Concept Releases
  • SEC Interpretive Releases
  • SEC Staff Interpretations

In general, you should conduct your research on the federal securities laws in the order prescribed above. This is because while the federal statutes and the SEC rules and regulations have the force of law, other SEC-issued documents vary in the degree to which they carry the force of law.

Managing Ethics and Compliance During a Recession

LRN hosted a webinar on Managing Ethics and Compliance During a Recession.

The panel consisted of:

  • Marjorie Doyle, Practice Leader, Solutions Management at LRN
  • David Greenberg, Executive Vice President of Knowledge at LRN
  • Debra Hennelly, President and Senior Adviser at Compliance & Ethics Solutions LLC
  • Adam Turteltaub, VP of Membership Development at The Society of Corporate Compliance and Ethics.

An ERC survey found that 60% of employees who feel pressured to do misconduct said “keeping their job” was a reason. As the economy sours, there seems more pressure to perform and to take shortcuts to achieve that performance. In times of economic stress, it is better to over-inform rather than under-inform.

How do you enlist support in your ethics and compliance program?

  • Make management aware that bad things happen more often when there is economic stress on the company.
  • First question a prosecutor will ask is: “What steps have you taken?” You do not want the answer to be: “We cut programs.”
  • Government is increasing pursuit of corporate wrong-doing. They just hired two new deputy chiefs.
  • People feel pressure to cut corners and make the numbers.

It is important to let people know the consequences of bad behavior. There are concrete remedies for badness. Also celebrate good behavior.

Highlight the non-retaliation policy. People are not going to make the call if they think they may lose their jobs. Silence is not good.

Obviously, compliance is not a profit center, so you need to be concerned when there are declining profits.

General Counsel as the Chief Ethics and Compliance Officer

Over at the Society of Corporate Compliance and Ethics bulletin boards there was a great deal of discussion about whether the CECO should hold a concurrent role as general counsel or whether the positions should be split. Here are a collection of reasons:

  • In some industries, including healthcare, the government has specifically stated that it does not believe that the compliance officer and general counsel roles should be filled by the same person or that the compliance officer should report to the general counsel.  This position occurs in “compliance program guidance” issued by the HHS Office of Inspector General. Daniel Roach
  • The role of compliance is to unearth issues and potential issues while they are still inchoate – not necessarily the same as the GC who is generally reactive and then not beyond the specific question presented. Emil Moschella
  • I think the joint role could affect the integrity of the attorney-client privilege.  If the roles are separate then I think the privilege is less assailable on the grounds that the hat being worn at the time the alleged protected information was received that the individual was wearing the hat of the compliance officer and not that of the GC. Emil Moschella
  • Many of the processes that the Compliance Officer (CO) may wish to review, may have been previously blessed by the office of the GC so that they may not get the fresh look of the compliance office would give it.  Independence of the compliance review is questioned. Emil Moschella
  • The compliance and ethics function is not the business of giving legal advice.  It is a management function that calls for good project management skills. It calls for a focus on ethics and compliance, when often lawyers focus on just the law.  Joseph Murphy

IT for GRC: Improving Information Quality

Carole Switzer, President of OCEG and Lee Dittmar, principal of Deloitte Consulting LLP presented this webinar.

There is an imperative to improve governance, risk management and compliance processes to better manage risk, address increasing regulatory requirements, increased executive accountability and the fragmentation of information. It is about getting the right information, to the right person, at the right time. (Isn’t that knowledge management too? )

What is the information problem?

  • Managers need to know, anticipate and respond quickly and correctly
  • Stakeholders expect reliable and transparent reporting
  • Time and resources are spent searching for data
  • Data overload
  • DINK – Data Is Not Knowledge

It is not about “check the box” compliance it is about improving your business.

Lee thinks governance, risk and compliance should be viewed comprehensively and leverage common systems. Integrated systems can help overcome silos. The key is a single source of the truth.

The goal is to get GRC embedded in the core processes. To be “in the flow” instead of “above the flow.”

Lee is seeing organizations adopting the business concepts of integrated GRC (even if they do not call it GRC).