Don’t Let Compliance Blind you to Security

Posted by David Hunt

The field of security is constantly growing, shifting and adapting to meet an ever-changing threat landscape. To provide a degree of order in this chaotic landscape, we look to compliance standards such as NIST 800-53, PCI, HIPAA, ISO’s …. These standards provide frameworks that allow us to measure or determine the maturity of an organization’s security program. However, these frameworks need to be tempered by the current security environment, or we risk sacrificing our security for compliance.

This idea was illustrated nicely at this year’s BSides Las Vegas security conference. Lorrie Cranor, the Chief Technologist for the Federal Trade Commission, gave the keynote speech on why we need to start training our clients and end users to reevaluate their thinking on mandatory password changes. In brief, Lorrie questioned the practice of frequent mandatory password changes, which is meant to prevent brute forcing (trying all possible combinations) or to lock out those who may have a shared or stolen password.

Here is what she found: based on two separate studies, frequent password change requirements can actually make us less secure. Lorrie’s message was to empower users to create good passwords and to agree on what “good” is, while addressing common misconceptions. Questionmark OnDemand’s new portal empowers customers to determine what good passwords are and to create customized roles based on their requirements. When configuring password requirements for your OnDemand users, consider Lorrie’s advice for passwords.

  • Avoid common words, names
  • Avoid patterns
  • Digits and symbols add strength
  • Understand different types of attacks
  • Make them Better (Not Perfect)
  • Change them only when Required
  • Start with your Core accounts
  • Use Tools where appropriate

In this case, Lorrie did not blindly follow the path of compliance, which leads to ever shorter password refresh intervals. She got it right by looking at the issue from a security perspective: what are the threats to the use of passwords, and are our mitigations of those threats actually reducing our risk? The answer, when it comes to mandatory password changes, is NO! In some cases we are actually increasing our risk. So when setting password policies in Questionmark OnDemand, it is good practice to review your settings regularly to ensure you are getting it right.

As with any good keynote speech, this one was a catalyst for many subsequent conversations, both at and after the conference, about the dangers of security programs that blindly check compliance requirements off a list, news-driven security programs, and the proverbial not being able to see the security forest for the trees.

The takeaway from these conversations was that we have an obligation to “disobey.” Not that we should break the rules, but rather that we should question them — lest we face a fate such as that which befell those in “The Charge of the Light Brigade,” a poem describing the tragedy that resulted from the miscommunication of orders at the Battle of Balaclava. In our case, we may not face a physical death by blindly following orders, but a virtual death is plausible.

Just as Lorrie asked “Why?” we should be asking it as well. As anyone who has spent time with a 3-year-old child knows, this one simple question is the key to building knowledge. We all should ask “Why?” and grow our technical and security knowledge to ensure we are not just compliant, but secure!


7 ways assessments can save you money and protect your reputation [Compliance webinar]

Posted by Julie Delazyn

Last week, illegal banking practices cost Wells Fargo, one of America’s largest banks, $185 million in fines. Regulators have called the scandal “outrageous” and stated that the widespread nature of the illegal behavior shows the bank lacked the necessary controls and oversight of its employees.

Educating employees and monitoring their understanding of proper practices is vital for regulatory compliance. How do you ensure your workers are compliant with the rules and regulations in your industry? How do you prove that employee training has been understood?

Register today for the FREE webinar: 7 Ways Assessments Fortify Compliance

The webinar will examine real-world examples of how assessments are used to strengthen compliance programs. It will also provide tips for developing valid, reliable assessments.

Infographic: Online or Test-Centre Proctoring?

Posted by Julie Delazyn

For many exams, candidates are required to travel to brick-and-mortar test centers where proctors (or invigilators) supervise the process. However, a new way of proctoring certification exams is rapidly gaining traction. Two of the world’s largest software companies, SAP and Microsoft, offer online proctoring for their certification programs, and many other companies are looking to follow suit.

Do you need to understand the key differences and benefits? Here’s an infographic that explains some of the pros and cons of the two approaches.

[Infographic: Online or Test-Centre Proctoring?]

For more on online proctoring, check out this informational page and video.

The Ultimate Guide To Using Assessments for Compliance [eBook]

Posted by Julie Delazyn

With increasing regulatory requirements, compliance is becoming more and more of a priority for many organizations.

Without regular testing, how do you know what your employees know? And in the case of an audit or an emergency, is it good enough to have had the participant sign off saying that they’ve attended training and understand the content? Most organizations today see online assessments as a critical part of their compliance programs.

Download your complimentary copy of the eBook: Using Assessments for Regulatory Compliance to learn about the most useful applications of assessments in a compliance program and best practice recommendations for using them.

Did your training work? Prove the value of your learning programs with results you can measure

Posted by Julie Delazyn

Quizzes, tests, and exams do much more than determine whether or not a learner passed a training course. These assessments, as well as surveys, play a crucial role in learning, performance improvement and regulatory compliance. Check out our most popular white paper, Assessments Through the Learning Process, which explores the varied and important roles assessments play before, during and after a learning experience.

It’s a great place to start exploring the possibility of using online assessments in education, training, certification or compliance. Learn more about the ways you can use assessments to improve learning and measurement. Download your complimentary copy today.

Assessments worth their weight in gold?

Posted by John Kleeman

Another day, another big fine for a financial institution.

Nothing in this article should be construed as specific criticism of any individual bank, but last week, the United States Federal Reserve Board fined a large investment bank $36m for unauthorized use and disclosure of confidential information. The Board required the bank to:

“submit … an acceptable written plan …for the training of all appropriate … personnel regarding the restrictions, controls and legal requirements governing the use of confidential supervisory information. At minimum, the plan shall include … a requirement that training be conducted and documented no less frequently than annually”

McKinsey & Company have calculated in a report that in the period 2009-2014, regulatory fines and settlements increased by nearly 4500 percent for the top 20 US and EU banks. It used to be that bad loans (credit impairment) were banks’ biggest challenge, but this is now a smaller problem. And whereas regulatory compliance used to be a small part of a bank’s job, it is now much more crucial to their operating performance. McKinsey suggest banks need to rethink their response to compliance and make it much more central to their mission.

There are many complex compliance challenges in financial organizations. It is not easy to strike the right balance between giving employees responsibility and incentive to make money, whilst preventing them from misusing that responsibility to take risks that injure the bank.

But ensuring that your employees know, understand and can apply the rules is very achievable. Many banks and other financial institutions use Questionmark technology to deliver regular, trustworthy assessments to their employees — you can see case study examples here. The assessments focus on the specific regulations and duties each employee has, and they also allow assessing understanding of products and job skills.

If you conduct regular online assessments of your employees in this way, you can:

1. Find out if your employees know and understand the rules that apply to them and identify those who don’t.

2. By using scenario questions, also find out if they can apply the rules in practical situations.

3. Gain evidence to demonstrate to regulators that your employees are trained and competent.

4. Provide an incentive to make employees learn the rules, because they know they have to pass the test.

5. You can also save time by allowing knowledgeable employees to “test out” of all-company training on topics they are already expert in.

6. If you require managers as well as employees to pass tests, it demonstrates internally your organization’s commitment to compliance.

7. If you combine regular assessments with other measures, you can help mitigate the risk of regulatory fines.

In their report, McKinsey suggest that firms consider shifting their organizational structure to give compliance a higher and more central profile. If you are running a central compliance function, the ability to assess all your employees and measure directly their understanding of regulations and their ability to meet regulatory needs is a genuinely golden capability.

Questionmark has written a white paper, “The Role of Assessments in Mitigating Risk for Financial Services Organizations,” which explains the benefits of assessments in mitigating risk and gives good practice in using them as well. You can download the white paper (free with registration) here.
