Industry Article - Aug 04 Issue
Enterprise Risk Management in Today’s Information-Centric Environment (continued, page 2)
Can you get full content, “proof positive” evidence from your information systems for you to see precisely what types of activity are taking place?
Another approach to finding a strong solution to minimize your enterprise risk is to ask your peers how they are handling their information security. The business press, trade associations and technology analysts are good sources of information, case studies, and white papers.
There are also software solutions available that enable companies to manage and monitor these various forms of risk. Several offer exposure assessments that monitor your network and show which of your information assets are at risk.
Here is an example of a large technology company that used an enterprise risk management system to monitor all forms of Internet communications, and in particular to monitor and help meet the requirements of the Sarbanes-Oxley regulations. Some of the key benefits the company recognized immediately were antifraud programs and controls, specifically regarding:
Code of conduct and ethics (Section 406)
Whistleblower program (Sections 301 and 806)
Fraud risk assessment (Section 103)
The enterprise risk management system also alerted the company to:
1. Potential Insider Tipping
Just prior to the Company’s earnings announcement (but luckily after the close of trading), a Sales Employee contacted a third party by email, indicated that the Company would have a great quarter, and suggested that the third party buy stock. This violated the Company’s policy, and federal law prohibits such activity. The email was retrieved along with other emails, and the employee was dismissed.
2. Posting of Confidential Company Information on the Internet
Highly confidential product roadmap information was posted on a message board on the Internet. Given the nature of the information, the Company believed that someone in an Engineering lab might be posting it or providing it to a third party. The Company conducted an investigation and immediately communicated to all employees a new email policy stating that email communications are not private. Management also informed employees that an enterprise risk management system was in use. No similar Internet postings have occurred since the policy was communicated and the software tool was announced.
The enterprise software industry can be greatly impacted by information theft. Financial cost is one example, but many other areas can be affected. For example, in the fiercely competitive computer storage industry, a Director of Security suspected that individuals were leaking sensitive information to competitors, perhaps at the instigation of those competitors from within the company. He also believed that a competitor with whom the company was embroiled in contentious, multi-million dollar litigation had planted moles inside his company to steal highly sensitive, proprietary trade secrets.
Working with an enterprise risk management system, he began to monitor employee network activity to find the internal source of the leaks. Over the course of two months, he gathered enough hard evidence of the espionage to identify and break up the entire ring of six employees involved.
Additional evidence captured included:
An employee emailing the entire customer list to the competition
A top executive with access to extremely sensitive company information negotiating for a new job with the competition
An employee looking for hacker exploits on the network applications and systems used by the client
As you can see, with more information being stored and shared electronically, and with communication tools such as instant messaging, peer-to-peer and web-based email being adopted, safeguarding your sensitive information has become a challenge. Not to mention that these information breaches negatively impact stock price, create compliance exposure and erode customer trust. What you don’t know about your information liabilities can, will, or possibly already has hurt your business.
Tery Larrew brings over 20 years’ technical and entrepreneurial experience to his role as CEO for Vericept Corporation, the leading provider of information privacy and compliance solutions with over 600 clients. As CEO, he works closely with corporate clients to ensure the security and appropriate use of enterprise network systems. Prior to Vericept, Tery was Chairman and CEO of UPDATE Systems, where he led the company to significant growth and facilitated its successful sale to Webb Interactive Services, Inc., a provider of Internet commerce infrastructure services. Tery can be reached for article feedback at: tlarrew@vericept.com.