Saturday, August 30, 2003

Don't fear HIPAA police if rules deadline is missed ... American Medical News

AMNews: Aug. 11, 2003. Don't fear HIPAA police if rules deadline is missed ... American Medical News: "Proof of good faith

If you are not compliant with HIPAA's electronic transactions standards by Oct. 16 and someone files a complaint against your office, you need to be able to show that you have been making a good-faith effort to comply. Here are some of the activities CMS officials are likely to take as a good-faith effort:

* You are steadily increasing testing between your office and trading partners, such as insurers or claims clearinghouses.
* You tried to start testing before the deadline, but your trading partner was not ready or refused requests to do so.
* You have a written action plan for achieving compliance.
* You have clearly documented your efforts as well as any obstacles you have faced."

Hedge fund managers told to focus on business continuity practices

The Managed Funds Association’s 2003 ‘Sound Practices For Hedge Fund Managers’ recommends that BC is treated as a high priority.

The Managed Funds Association (MFA), the global voice for the hedge fund industry, has submitted its 2003 ‘Sound Practices For Hedge Fund Managers’, to the US Securities and Exchange Commission (SEC).

Sound Practices for Hedge Fund Managers is the product of several months of preparation by MFA and its members. It builds upon a similar document that was published for the hedge fund industry in February 2000 and aims to establish a set of sound practices for hedge funds’ risk management and internal controls. The 2003 guidance expands and updates the 2000 document and, for the first time, includes business continuity and disaster recovery advice.

The recommendations contained in the 2003 Sound Practices are divided among the following six topics:
* Management and internal controls;
* Responsibilities to investors;
* Valuation policies and practices;
* Risk monitoring;
* Regulatory and documentation controls;
* Business continuity and disaster recovery.

The business continuity and disaster recovery advice is as follows (verbatim):

Hedge Fund Manager should establish a business continuity plan that includes practices to ensure, to the greatest extent practicable, that appropriate personnel will have the ability to monitor a Hedge Fund’s existing portfolio positions and execute transactions where necessary in the event of a market emergency or other severe market disruption.

Arrest Made in Attacks on Computers

Arrest Made in Attacks on Computers:

By SARAH KERSHAW and LAURIE J. FLYNN - New York Times

A Minnesota teenager who the authorities said created a virulent version of the Blaster computer worm was arrested yesterday morning by federal investigators who were tracking the origin of the worm that wreaked havoc on users of Microsoft Windows.

Federal law enforcement officials said that the teenager, Jeffrey Lee Parson, 18, of Hopkins, Minn., was acting alone when he copied the Blaster virus and wrote a variant known as Blaster.B. Mr. Parson, who used the Internet name 'teekid,' was able to develop the B version by modifying codes of the original virus.

Federal authorities in Seattle have taken the lead in the investigation because Microsoft's headquarters are in nearby Redmond. They said Mr. Parson had no connection to those responsible for unleashing the original Blaster worm. It and its variants have affected more than 500,000 computers worldwide and cost North American companies $1.3 billion, according to computer security experts."

CIO | If IT's a Crapshoot: How Much Are You Willing to Risk?

CIO | If IT's a Crapshoot: How Much Are You Willing to Risk?: "

Sue Bushell, CIO

There's a common thread that runs through the 1984 Bhopal chemical factory disaster, the rogue trading of Nick Leeson a year later, the collapses of Ansett in 2001 and HIH in 2002, and the mass recall that recently engulfed Pan Pharmaceuticals.

No, it is not just that they all made it to the top of national news agendas and stayed there for weeks or months as the reputations of the affected companies got serially hammered. They are also all stark examples of gross failures in operational risk management.

The notion of operations risk has had currency since the Committee of Sponsoring Organisations of the Treadway Commission (COSO) coined the term in 1991. Nick Leeson kicked it along in spectacular manner after his rogue trading activities caused the collapse of Barings Bank, and he has been a poster boy for advocates of operational risk management ever since. But now CIOs in a range of industries are being forced to take operations risk seriously, pushed along by the June 1999 reforms of the Basel Committee on Banking Supervision requiring banks to reserve capital to cover their operational risk exposure and fostered by the new sense of vulnerability exposed by the September 11, 2001 terrorist attacks on New York and Washington. "

Friday, August 29, 2003

New privacy rules could mean headaches for financial services IT - Computerworld

New privacy rules could mean headaches for financial services IT - Computerworld: "A ballot initiative and a judge's ruling may reach beyond California

Story by Jaikumar Vijayan

AUGUST 11, 2003 ( COMPUTERWORLD ) - A consumer-privacy-related ballot initiative by a political group in California could complicate matters for financial services companies that are already scrambling to comply with other regional and federal privacy mandates.

And just like the recently instituted California state privacy law SB 1386 (see story), the proposed ballot measure will have a nationwide reach, privacy experts said.

A group called Californians for Privacy Now on July 30 announced that it had collected more than 550,000 signatures supporting a ballot initiative that would require financial services companies to get explicit opt-in permissions from consumers before sharing their personal information with third parties. "

Be safe this Labor Day holiday

Be safe this Labor Day holiday: "Be safe this Labor Day holiday

by Gen. Hal M. Hornburg
Air Combat Command commander

8/29/2003 - LANGLEY AIR FORCE BASE, Va. (AFPN) -- I want to thank each of you for your hard work and dedication in providing support to the Global War on Terrorism during the past months. Long duty hours and deployments require the best from all of us, and you have proven you are up to the task.

As the end of summer nears, Labor Day weekend offers an opportunity to spend some well-deserved time with our families. We want everyone to enjoy the time off, but it's important to remind ourselves of the statistical risks associated with Labor Day.

Historically, Labor Day weekend has been one of the most dangerous holidays for Air Force people. It is a time when many families will take to the highways to get in one last summer activity. Have a good plan, ensure you have adequate rest, wear your seatbelt, and don't drink and drive! Our goal this holiday weekend is zero mishaps.

Our nation is counting on us to help win the Global War on Terrorism. We cannot afford to lose anyone. We must all remember, as airmen, our standards of conduct apply 24/7. Operational Risk Management and Personal Risk Management should be a part of all our activities.

Every Air Force member is important, and we need to do everything we can to ensure we return safely after the holiday, refreshed and ready to continue the fight! (Courtesy of Air Combat Command News Service)"

Directors need focus...

Operational Risk
Every minute a director spends in analysis of the latest theories on independent directors, executive salaries, audit committees and option-expense debates is a minute not spent coming to grips with the real business challenges.

Where are your employees right now?

EMC survey - European Executives say it would take 3 days to recover...

Operational Risk

European business and technology executives, surprisingly, generally agree on their data vulnerability. An EMC survey polled 254 senior business and IT execs in seven countries and found that 40 percent of business executives and 44 percent of IT executives feel very vulnerable. The executives were also in agreement on expected lengthy recovery times, with a quarter of all business and IT executives surveyed in Europe feeling that it would take three days or more to resume normal business operations following a disaster.

US vs. UK - the Higgs Report

“Whereas in the US most governance discussion has focused on corporate malpractice, in the UK sharp loss of shareholder value is more common than fraud or corporate collapse. The fall in stockmarkets in the period 2000-2002 has thrown up some stark examples. In recent cases of corporate underperformance in the UK, the role of the board, and of non-executive directors in particular, has understandably been called into question.” – from the Higgs Report.

Australian Subsidiaries of US companies beware

As the US corporate reporting season begins, there's a warning this morning for Australian subsidiaries of US companies. Tough new corporate governance laws are now in force in the US, following scandals like Enron and WorldCom, and Australian subsidiaries of US companies need to be careful not to breach them.

Sarbanes-Oxley Compliance—the Cloud or the Silver Lining?

In most large businesses, critical financial processes—including accounts payable and receivables, order administration, customer billing, inventory management, and payroll—run automatically on a vast, complex computing and networking infrastructure. It’s tempting to believe that this infrastructure is a monumental, unchanging entity and once policies are established and the systems are running, everything is fine. In fact, IT operations are fluid. New servers and network devices are put into production. New software is installed. Old software is patched. Hundreds of configurations change daily. Systems can change from a known good state—either intentionally or via a process known as “integrity drift.” Security breaches or unintentional errors create vulnerabilities that may go unnoticed. Even remedying security breaches or patching software can cause changes that are never fully documented.

IT operational integrity hinges on change and configuration management processes. Proven integrity assurance software can verify that these processes are actively managed and that monitored systems match a known good state. Therefore, when an organization puts internal controls in place for meeting compliance regulations, the only way to assure that internal controls are effective is to assure the integrity of the critical underlying IT change and configuration management processes.

The silver lining to all of this? When IT best practices and integrity assurance frameworks are implemented, organizations not only can evaluate systems and controls against a known good state and meet compliance regulations—they gain understandable, verifiable information that enables them to significantly improve systems availability, IT service quality, IT staff productivity, and cost savings.
--Courtesy of Tripwire Sarbanes-Oxley White Paper
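The "known good state" comparison the excerpt describes, as an added example that is not code from the Tripwire white paper or its product: a baseline of file digests, sizes and permission bits is recorded, and a later snapshot is diffed against it to surface integrity drift. The demo tree and file names are constructed.

```python
# Added example (not from the Tripwire white paper quoted above): record a
# known-good baseline of a directory tree and report integrity drift against it.
import hashlib
import stat
from pathlib import Path


def snapshot(root):
    """Digest, size and permission bits for every regular file under root."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks, devices and directories are out of scope here
        st = path.stat()
        state[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return state


def drift(baseline, current):
    """Paths added, removed or modified since the baseline was taken.
    A change in content, size or permissions each counts as a modification."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed demo tree
        root = Path(tmp)
        (root / "app.conf").write_text("debug=false\n")
        base = snapshot(root)  # the known good state
        (root / "app.conf").write_text("debug=true\n")  # simulate drift
        print(drift(base, snapshot(root)))
```

In practice the baseline dictionary would be serialised (e.g. as JSON) and kept off-host or on read-only storage, since a baseline an intruder can rewrite proves nothing.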

Euro Commission Data Protection held up by France

A new report on the effectiveness of the European Commission's Data Protection Directive says the directive has met many of its objectives, including removing most of the legal obstacles to the free movement of data that arose from differences in countries' data protection legislation. But long delays in getting the directive implemented--and the fact that eight years after it was created, France has yet to bring its data protection laws in line with it--"have prevented Europe's economy from getting the full benefit of the Directive," says the report.