Supporting Links for “BEST and WORST IT Control Environments of 2007”
The following are the references made during my ACFE 19th annual Fraud Conference session. I will provide follow-up and greater detail on areas over the next few months, but please add any resources you find valuable below.
- Internet Crime Complaint Center (IC3) | Annual Reports
- Internet Crime Complaint Center
- Internet Fraud Loss For 2007 Tops $239 Million — InformationWeek
- The dollar loss reported from Internet crime reached an all-time high in 2007, while the number of reported crimes was lower than in each of the last three years, according to an IC3 report.
- Ineffective controls lead to corporate fraud
- SocGen sacks two Kerviel supervisors | Business | guardian.co.uk
- Two immediate supervisors of the Société Générale trader accused of the biggest fraud in financial history are being sacked by the French bank
- Bloomberg.com: Worldwide
- APWG
- Our mission is to provide a resource for information and solutions for eliminating the fraud, identity theft and electronic crime that result from phishing, pharming and email spoofing of all types.
- Federal Bureau of Investigation – Mortgage Fraud
- About the Federal Bureau of Investigation
- The CPS : The Fraud Act 2006
- Legal Guidance prepared by the Crown Prosecution Service to guide Crown Prosecutors and Designated Caseworkers in making decisions in cases
- U.K. FRAUD ACT 2007 BATTLES PHISHING
- Acts of U.K. online fraud are now at epidemic levels, rising by 40% in 2006. The U.K., in trying to get its arms around a massive problem that has cost its residents $2 billion in theft over the last 10 years, has enacted a new law, the Fraud Act, to help battle this plague. It was especially designed to counter “phishing,” or crimes of online financial and identity theft, done by means of tricking the victim into volunteering details on financial information. To better understand the new law this article answers the following questions: How Prevalent is Phishing? How Does the UK Fraud Act Classify Fraud? How Does the UK Fraud Act Address Phishing? What are the Penalties for Phishing in the U.K. Fraud Act? Does the New Law Have Any Apparent Shortcomings?
- The CPS : The UK Fraud Act 2006
- Legal Guidance prepared by the Crown Prosecution Service to guide Crown Prosecutors and Designated Caseworkers in making decisions in cases
- Global Fraud Report – economist
- Gartner Says Number of Identity Theft Victims Has Increased More Than 50 Percent Since 2003
- Approximately 15 million Americans were victimized by some sort of identity-theft related fraud in the 12 months ending in mid-2006, according to a survey by Gartner, Inc. These statistics represent more than a 50 percent increase since 2003 when the Federal Trade Commission (FTC) reported 9.9 million American adult identity theft victims.
- Cost of regulation for world’s top 100 financial institutions is €36 billion; Uneven Irish regulatory burden between large and smaller institutions
- Irish/Ireland Business News, International, Global, World, European Union, Financial Information – Irish Finance and Business Portal – providing Irish, European and global market information including mortgages, pensions, investment, property
- ENISA: Index
- The European Network and Information Security Agency, ENISA, is a new agency of the European Union. Formally, ENISA came into being on 14 March 2004, following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004. The Executive Director was nominated by the Management Board and later appointed by the European Parliament on 6 October 2004. Operations started on 1 September 2005, in Crete, after successful EU25-wide competitions and recruitment of skilled candidates from all over Europe. The Agency’s work is essential to achieve a high and effective level of network and information security within the Community. It will seek to develop a culture of network and information security for the benefit of citizens, consumers, business and public sector organisations in the European Union. This will also contribute to the smooth functioning of the Internal Market. As its in-house expertise grows, ENISA shall help the Commission, the Member States and, consequently, the business community to address, respond and especially to prevent network and information security problems. The Agency shall also assist the Commission in the technical preparatory work for updating and developing Community legislation in the field of network and information security.
- ISSEG Downloads
- ISSEG List of Recommendations in numerical order
- Great public government site that provides clear action plans for conducting a technology audit and establishing an IT control environment. While focused on Grid Security, the concepts and principles may easily be adapted for any organization.
- NEOHAPSIS – Peace of Mind Through Integrity and Insight
- Running message list and archive of data loss breaches with active discussions.
- Banks’ High-Tech Security Can’t Keep Up With Traders – WSJ.com
- Boeing has been stung by internal theft before
- Information security controls are meant to do a lot more than stop hackers and kill computer viruses — especially because corporate fraud comes from within. Internal fraud can happen to any size firm — even tech-savvy Boeing.
- FSA fines Nationwide £980,000 for information security lapses
- FSA publishes commentary on systems and controls, in light of the Société Générale ‘rogue trader’
- FSA fines Norwich Union Life £1.26m for exposing its customers to the risk of fraud
- FSA fines BNPP Private Bank £350,000 for weak anti-fraud controls
- FTC Says It’s Gonna Cost Ya – Forbes.com
- A host of companies find it’s expensive to mess with the Federal Trade Commission’s privacy police.
- FCC proposes $100,000 fines against Amp’d Mobile and other firms over phone records – International Herald Tribune
- Guidance Consent Agreement
- Frost Brown Todd – Publications – Data Security Breaches – Beware
- Since 2005, a number of relatively high-profile data security breaches have been the subject of ever-increasing media and legal attention. The breaches generally involved one of the following: (i) the creation of fraudulent accounts; (ii) stolen laptops …
- Financial institutions cyber fraud report
- Banks: Losses From Computer Intrusions Up in 2007 – Security Fix
- The latest news on computer, technology and network security issues. A blog by washingtonpost.com reporter Brian Krebs. Visit www.washingtonpost.com/technology.
- Welcome To FinCEN.gov
- FinCEN’s mission is to enhance U.S. national security, deter and detect criminal activity, and safeguard financial systems from abuse by promoting transparency in the U.S. and international financial systems
- GAO-07-751T, Information Security: Persistent Weaknesses Highlight Need for Further Improvement
- Computer security faults put Boeing at risk
- For the past three years, The Boeing Co. has failed, in both internal and external audits, to prove it can properly protect its computer systems against manipulation, theft and fraud.
- Techdirt: Latest VA Data Breach Worse Than Initially Reported
- MiPAL: Homeland Security
- MERLN (the Military Education Research Library Network) is a comprehensive website devoted to international military education outreach. It represents a consortium of military education research libraries that work together to provide access to a variety of unique electronic resources for the use of researchers and scholars.
- Dell To Restate Earnings, Reveals Accounting Troubles — Earnings — InformationWeek
- The restatements stemmed from a yearlong investigation by Dell’s audit committee, which found evidence of accounting adjustments that appeared to have been made to hit financial targets.
- The Columbus Dispatch : Cybercrooks pocket billions
- The Columbus Dispatch – Columbus, Ohio’s Daily Newspaper
- FT.com / In depth – Moody’s error gave top ratings to debt products
- Bug in computer models blamed
- Web Application Security Consortium – Web hacking Incidents Database (WHID) – Full List of Incidents
- Errata: (DLDOS: Data Loss Database – Open Source)
- errata: x company suffered serious data loss due to computer security incident, impacting privacy of customers and the public
- Press Releases – Information Commissioner’s Office (ICO)
- Enforcement – Data protection
- The ICO has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. Find out how the act is enforced.
- Fidelity Information Services: News Release
- Before the Subcommittee on Technology, Information Policy, Intergovernmental
- | Société Générale Bank | Press Releases
- Darling: Greater accountability key to data security – ZDNet.co.uk
- The government needs to simplify organisational structures in some departments and review data-protection laws, chancellor of the exchequer…
- IPOhome – IPO Industry Breakdown
- IPOhome, the leading source for information on IPOs, offers IPO news, IPO filings and pricings, calendars, market commentaries, IPO rankings, and a guide to IPO investing. IPOHome, powered by Renaissance Capital, is meant to be a learning tool for newcomers to the IPO market, as well as a continuous guide and source of information for those who are already Pros. IPOhome provides information about Renaissance Capital’s IPO Plus Aftermarket Fund, the first mutual fund to focus solely on the new issues market.
- Ukrainian Hacker Makes a Killing in Stock Market Fraud | Threat Level from Wired.com
- The NY Times has an interesting story today that’s indicative of an emerging hacking-for-profit trend that just might allow the perpetrator to keep his ill-gotten gains. In this case, the
- Wall Street Technology: Blog: Soc Gen: Kerviel Messages with Broker Revealed by Wall Street & Technology
- Wall Street Technology: Blog: Merrill, NYSE Execs Talk about IT Security by Wall Street & Technology
- Computer Theft Statistics Details
- View detailed laptop computer theft and recover statistics. Protect your mobile assets with Absolute’s suite of security tracking software.
Again, thank you to the ACFE and everyone at the conference for their help in making our session the best!
Kind Regards,
James DeLuccia