NIST issues security, privacy guidance for public cloud – FierceGovernmentIT (Molly Bernhart Walker)

Many of the features that make public cloud-computing services attractive run up against government’s traditional security models and controls, according to the National Institute of Standards and Technology’s recently released Special Publication 800-144, which tallies the threats, risks and access concerns agencies should consider before entering into such contracts.

The publication stops short of recommending service arrangements, service agreements, service providers or deployment models, however. Departments and agencies should use NIST’s guide to analyze their specific requirements against public cloud services, the report’s authors write.


The publication emphasizes that in the end, the organization is responsible for security and privacy in the cloud, not the service provider. As such, SP 800-144 stresses a risk-based approach in analyzing how and what functions to move to the public cloud: organizations should extend to the cloud the same governance practices employed when deciding to outsource any other IT service.

via NIST issues security, privacy guidance for public cloud – FierceGovernmentIT.

Cybersecurity Disclosures: The SEC Wants Them and Wants Them Now

(Business Law Currents) Cyber risk poses enormous questions and the U.S. Securities and Exchange Commission wants answers. On October 13, 2011, the SEC’s Corporation Finance Division (the Division) provided guidance to public companies for disclosures on cybersecurity. While the guidelines are non-binding and the Commission itself has neither approved nor disapproved them, the guidance does paint a fuller picture of what kind of risks companies should (and need not) be disclosing.

The guidance allows that cyber risk is uncharted territory. “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents,” explains the Division, “a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”

Gauging what degree of risk rises to the level of materiality, unsurprisingly, remains a judgment call. The Division suggests prior cyber incidents, their severity, their “quantitative and qualitative magnitude,” and the possible costs and consequences as factors underlying proper evaluation. Still, the risks should be identifiable and not descend into yet another element of boilerplate disclosure.

The Division has proposed non-exhaustive examples of the kinds of cyber risks and incidents appropriate for disclosure. These topics include:

Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;

To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;

Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;

Risks related to cyber incidents that may remain undetected for an extended period; and

Description of relevant insurance coverage.

via Cybersecurity Disclosures: The SEC Wants Them and Wants Them Now.

U.S. Guidelines Aim to Bolster Software Security – NYTimes.com

The Homeland Security Department unveiled a new system of guidance on Monday intended to help make the software behind Web sites, power grids and other services less susceptible to hacking.

The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. It adds new tools to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products.

The effort to improve software security has been three years in the making, according to Robert A. Martin, principal engineer at Mitre, a technology nonprofit organization that conducts federal research in systems engineering.

The costs of flaws or omissions that make software susceptible to attack were highlighted by a number of recent attacks that resulted in the theft of credit card information, user names and passwords from government and banking sites.

During an online news conference, government officials pointed out that a wide range of stakeholders had an interest in seeing the top 25 errors addressed, and they stressed the need for better training and education for people writing software.

via U.S. Guidelines Aim to Bolster Software Security – NYTimes.com.

Survey: Fear of Corruption Leads Companies to Pass Up Business

On the heels of the U.K.’s guidance on its new Bribery Act comes a survey that suggests businesses are deeply concerned about global corruption. Downright gloomy, in fact. One of the few upbeat responses concerns the new British law, about which compliance professionals are described as “most optimistic.”

Beyond that, there wasn’t much to cheer about in the biannual Dow Jones State of Anti-Corruption Survey, released on Thursday.

“At face value these findings support the view that anti-bribery and corruption regulation damages business and is ineffective in stopping corporate bribery,” said Rupert de Ruig, managing director of Risk & Compliance at Dow Jones & Company, in a press release that accompanied the results.

But he did see a possible silver lining. “There may be a stronger argument that the findings are an indication of higher standards and controls in companies,” he suggested, “and an increasing awareness of bribery and unethical business practices in the marketplace.”

Again, on the bright side: Almost three-quarters of the companies have anti-corruption programs in place, and they’re implemented consistently across all regions and industries. Most programs have been established for at least three years.

Yet half the companies have delayed or called off new business opportunities because corruption risks could not be assessed. And more than half have avoided deals for fear of violating regulations.

via Survey: Fear of Corruption Leads Companies to Pass Up Business.

UK Bribery Act Guidance: Freeing Foreign Companies

(Westlaw Business) The UK Bribery Act guidance is out and it looks like foreign companies and Wimbledon fans may breathe a sigh of relief as the guidance suggests that sporting events and non-UK companies may not be caught by the new regime.

Released this week, the guidance seeks to provide practical advice to companies ahead of the Bribery Act (“the Act”) coming into force on July 1, 2011, although questions remain over the legal standing of the guidance. The 45-page guide builds upon and departs from earlier draft guidance in that it provides substantially more concrete examples and describes the policies that sit behind many of the new provisions of the Act. Some commentators have, however, complained that the guidance does not have the force of law and that it will be up to the government and the courts, not the guidance, to settle how the new provisions are applied.

via UK Bribery Act Guidance: Freeing Foreign Companies.

Britain Backpedals on Bribery Act – Law Blog – WSJ

Lawyers, company executives, and politicians have been waiting feverishly for guidance on how to apply the U.K.’s new Bribery Act, the supercharged corruption law dubbed the FCPA on steroids.

Well, the wait is over. The British government today offered guidelines that some believe indicate the U.K. has caved in to pressure to soften its bribery law, which is due to take effect July 1, the WSJ reports.

For example, the guidance says that gifts and hospitality, which were thought to be verboten under the Bribery Act, will not be prosecuted so long as they are “reasonable and proportionate,” WSJ reports.

Also, the guidelines appear to reduce the geographical scope of the law by saying that companies with subsidiaries or listings in the U.K. may not be impacted.

via Britain Backpedals on Bribery Act – Law Blog – WSJ.

2nd Advanced Forum on FCPA Compliance in Emerging Markets

If your company is operating in high-risk markets, you will not want to miss the 2011 Advanced Forum on FCPA Compliance in Emerging Markets. The brand new agenda will feature an even greater number of speakers from China, Russia, Brazil, India, Mexico and other key markets. The forum is designed to provide you with country-specific FCPA guidance: you will gain comprehensive knowledge of the anti-bribery landscape in BRIC countries, firsthand insights into how to address bribery risks in these markets, and practical guidance on tailoring your anti-corruption compliance policies to the idiosyncrasies of each market. Senior corporate ethics and compliance executives, FCPA and anti-corruption attorneys and consultants from the US, UK, Brazil, Russia, India, China, Mexico, and the Middle East will share key insights on:

China

* Identify who is a “government official”

* Prevent gifts and hospitality pitfalls

* Weave local law requirements into your global anti-corruption compliance program

Russia

* Set up internal accounting controls to prevent unauthorized payments

* Detect patterns of bribery and non-compliant behavior

* Conduct internal investigations into questionable payments

India

* Vet and control customs brokers, agents and intermediaries

* Deal with requests for bribes when obtaining regulatory approvals

* Promote anti-bribery awareness and train in-country employees and third-parties

Brazil and Mexico

* Minimize bribery risks in customs operations

* Develop appropriate oversight procedures for subsidiaries, branches and offices

via 2nd Advanced Forum on FCPA Compliance in Emerging Markets.

Westlaw News & Insight Securities Litigation Blog

A recent report by the Organization for Economic Co-Operation and Development (OECD Report) notes, “complications often arise when the law in the U.S. is different from that of the foreign state.”

The OECD is an intergovernmental economic organization tasked with monitoring the implementation and enforcement of the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, a convention adopted by 38 countries, including the United States, which established legal standards to criminalize bribery of foreign officials.

The OECD Report, which addressed the United States’ enforcement of these standards, provides several examples in which disclosure to U.S. authorities led to unintended but nonetheless difficult consequences, such as public disclosure of confidential information in foreign proceedings.

While the United States has touted the “credit” it offers for self-disclosure and cooperation, that credit may be of limited value if the company faces harsh penalties in a foreign country based on variations in the weight given to certain factors across jurisdictions. As the record-setting penalties in the cases against Siemens illustrate, the penalties from foreign governments may be just as significant as the sanctions imposed by U.S. authorities under the FCPA; out of a combined total of $1.6 billion in penalties, more than $800 million went to non-U.S. authorities.

Commentators and the defense bar have long argued, in the face of uncertainty, for more specific guidance regarding the use of settlement agreements and for an amnesty program similar to that permitted in antitrust conspiracy cases. The government’s willingness to provide more guidance or benefits, however, appears to be increasingly limited. The OECD Report confirmed that the private sector and government continue to disagree about the amount and type of guidance that should be provided.

via Westlaw News & Insight Securities Litigation Blog.

Top 10 FCPA Enforcement Actions in 2010-Part I | Thomas Fox – JDSupra

The FCPA year in 2010 has been quite interesting. As the year is ending I wanted to put forth some of the more significant enforcement actions for the FCPA practitioner to provide lessons learned and perhaps some educational opportunities for all our clients. One of the more frequent criticisms of the Department of Justice regarding the FCPA is that there is very little case law guidance or interpretation. The FCPA Blog has opined that this has led to its Big Lesson, which is:

“I know there’s practically no FCPA-related case law, no precedent to follow, no stare decisis to light the way. So the FCPA is pretty much what the enforcement agencies say it is. And that’s what’s so very different and difficult about it.”

However, in reviewing the past year, there is a fair amount of information which can be gleaned from FCPA enforcement actions. Additionally, it appears that the DOJ is tacitly responding to this criticism in some of the recent detailed compliance programs set forth in the Deferred Prosecution Agreements and Non-Prosecution Agreements that have been released in the second half of the year. With all of this in mind we submit for your consideration our Top Ten FCPA Enforcement Actions for 2010, Part I.

via Top 10 FCPA Enforcement Actions in 2010-Part I | Thomas Fox – JDSupra.

UK Introduces Practice Direction 31B Addressing the Disclosure of Electronic Documents : Electronic Discovery Law

Effective October 1, 2010, the UK has introduced Practice Direction 31B addressing in detail the disclosure of electronic documents. According to the Ministry of Justice, this new Practice Direction “aims to focus the parties on the sources of electronic material and give guidance to those with less experience of dealing with such issues.” A comprehensive discussion, the Practice Direction addresses a myriad of topics, including preservation, topics for discussion between the parties, reasonable searching, keyword and automated searching, the disclosure of metadata, and the format of production.

via UK Introduces Practice Direction 31B Addressing the Disclosure of Electronic Documents : Electronic Discovery Law.