credit card identification number
ComplianceHome: FFIEC White Papers
ComplianceHome is one of the Web's largest libraries of resources for compliance management of HIPAA, SOX, FISMA, GLBA, FDA, COOP & COG, FFIEC, Basel II, OSHA and ISO 27002/17799. Visit our directories, which are the best source for white papers, related news articles, resources on the web, training, webinars, conferences, rules & regulation overviews, ask the expert, jobs, and searches on vendors, solutions & products.
- Spam Filtering: Building a More Accurate Filter
Spam issues and volume have been escalating in severity for many years. It is one of the key productivity, security and user policy enforcement issues facing small and large businesses today. Large businesses can afford to set up hardware-specific or server-side software solutions that, while effective, are resource and cost intensive. Small businesses are either underprotected or rely upon client-side software solutions that don't meet all their needs. Managed Security Services, or on-demand solutions, have emerged as a clear leader in SMB solutions, offering high-end performance, management and maintenance, and minimal entry cost. On average, small business employees manually remove three to seven spam mails per day. If you have 100 employees, this 10 minutes per employee adds up to 16 man-hours per day of lost time. Unfortunately, some spam headings are too interesting for readers to ignore. How many of these emails lead your employees to waste further time responding to or check
- Identifying Broken Business Processes
A business process is a collection of interrelated tasks that solve a particular issue or produce a desired output. Because most business processes are human-driven (even automated processes are defined and developed by human input), often the most carefully constructed processes can break or cease to operate as designed. The end result may still be reached successfully, but the desired efficiency, optimization, and security may be adversely affected. When the broken business process involves information technology and sensitive data, it can lead to a data breach, which in turn can lead to such consequences as financial losses, fines, and the loss of customer confidence. Enterprises therefore need the ability to identify and correct broken business processes without suspending operations or waiting until the breach occurs.
- Web Applications Under Attack: Four Eye-Opening Findings
Today's business and government organizations depend on software applications to conduct their operations. The need to exchange information with customers, partners and suppliers further requires these applications to increasingly open up to the outside world, bypassing firewalls and other traditional network security designed to protect them and the valuable data they contain. These open, and largely web-enabled, applications are subject to greater and greater levels and types of attacks as hackers exploit vulnerabilities within the software. Although there are numerous reports covering viruses, network-based attacks, public vulnerability announcements, and spam/phishing schemes, there is little empirical data on the attacks that specifically target web applications. This report aims to shed light on how applications are being attacked. Over the past six months, Fortify Software gathered data via its Fortify Defender product from numerous, Internet-facing sources. Data for this
- Instant Messaging, VoIP, P2P, and Games in the Workplace: How to Take Back Control
IT departments have long understood the need to prevent viruses, spyware and other malicious applications or activity from compromising security and disrupting business continuity. Now the rapid emergence of Web 2.0 is beginning to redefine how individuals interact with the internet, and the related technologies pose a range of new threats. Web-savvy users who have local administration rights for their work computers are downloading applications such as Instant Messaging (IM), peer-to-peer (P2P) file-sharing applications and Voice over Internet Protocol (VoIP) services to help them communicate, share files and work collaboratively online for both official and unofficial business. In September 2006, a Sophos online poll asked IT administrators to evaluate what kind of software applications they would like to prevent their users from being able to access and use. The results reveal that administrators have a clear desire to be able to exert more control and to prevent users from instal
- Preventing Data Loss: Ten Imperatives
Consider that the majority of your data, between 80 and 90 percent, resides on file servers. Now think about how you are controlling access to those shares. Most organizations find themselves with overly permissive access controls. Employees join and leave the organization frequently, and roles, responsibilities and project teams change quickly as well. All this leads to more access permissions granted than revoked, since it is nearly impossible to manually keep up with the changes. The result is that most folders on file shares are oversubscribed in terms of access by well over 70%. By fixing broken access control to your file servers, you can significantly reduce the probability of data misuse in your environment. Any program to reduce the probability of data loss and misuse has to start with rightful and warranted access controls. Ensuring that only the right people can get to the right data at all times not only reduces the odds of misuse, it also makes any subsequent safeguards and
- Solving Online Credit Fraud Using Device Identification and Reputation
The Internet has become a strategic customer acquisition and services distribution channel for financial services companies. Consumers are able to apply and obtain credit online, transfer funds, trade commodities and pay bills by simply clicking a few buttons from anywhere at any time. Unfortunately, in the online environment, it is difficult to discern real customers from fraudsters. Device identification and reputation is a relatively new but proven fraud management approach that is helping financial services companies stay ahead of fraudsters. Customer device/PC identification can effectively expose hidden associations among credit applications/financial transactions and accounts that would otherwise appear completely unrelated. This paper includes: Criteria for selecting a fraud management solution that uses device identification technologies. How device identification works as a foundation for fraud management. How iovation's ReputationManager(TM) fraud management solution u
- Managing Identity Theft Risk in Software: The Need for Software Risk Analysis
Since January 2005, over 167 million credit card numbers have been exposed due to security breaches. Many of the most damaging breaches were the result of hackers exploiting flaws in software. With the PCI Security Standards Council's regulations recently expanding to include specific mandates to assess software for security vulnerabilities, financial services firms are getting serious about understanding and addressing flaws in software. This new white paper from Ounce Labs can guide the way. This expert paper uses key examples to discuss causes, costs, liability, and solutions to help organizations secure their software and document their compliance. The paper includes: the Top 4 causes of identity theft from insecure software; the 5 most effective steps to address identity theft in your organization; PCI's 7 application security mandates that will change the way you approach application security.
- How to Use the PCI-DSS to Provide High Security for All Your Sensitive Data
If your company transfers, transmits or processes credit card data, you fall under the Payment Card Industry Data Security Standard (PCI DSS). However, although the PCI DSS was developed to protect credit card data, it is fast becoming a security standard for all sensitive company data such as patient records, financial data, or social security numbers. Companies need to look at the security processes, policies, and procedures that not only protect data in transit and at rest but also maintain security and/or compliance. This whitepaper describes the 12 requirements and the 130+ sub-requirements that make up the standard. It also shows how GlobalSCAPE's High Security-PCI solution can help put in place high security best practices for data transfer, access, and storage for ANY sensitive data, credit card related or not, while providing continuing compliance to the PCI-DSS for those that need it. Key features: A monitoring system to capture what is in compliance, what has failed
- Embracing PCI: Making it work for you
With the recent rise in data breaches and identity thefts, implementing a sound information security program is no longer optional. Companies processing credit card information are encouraged to embrace and implement sound data protection strategies to protect the confidentiality and integrit