Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Portfolio Management Maturity Model at Chevron - Presentation & Discussion
November 13, 11:30 AM - 12:30 PM ET (GMT-4)
The fundamental goal of the model is to help IT become a business partner and earn a seat at the table. Core to the model is to establish a five year IT strategic road map that is owned by the business. Presenter Janinne Franke is manager of strategy, planning & optimization at Chevron's corporate department & services. She will share processes and lessons learned from developing and implementing the model.
Learn more about the CIO Executive Council »
Apply today for a FREE subscription to CIO Magazine!
Your Guide To Good-Enough Compliance
Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.
April 06, 2007 — CIO — In November 2005, Jason Spaltro, executive director of information security at Sony Pictures Entertainment, sat down in a conference room with an auditor who had just completed a review of his security practices.
The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement.
Furthermore, the auditor told Spaltro, the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols. Sony employees were using proper nouns. (Sox does not dictate how secure passwords need to be, but it does insist that public companies protect and monitor access to networks, which many auditors and consultants interpret as requiring complex password-naming conventions.)
Summing up, the auditor told Spaltro, “If you were a bank, you’d be out of business.”
Frustrated, Spaltro responded, “If a bank was a Hollywood studio, it would be out of business.”
Spaltro argued that if his people had to remember those nonintuitive passwords, they’d most likely write them down on sticky notes and post them on their monitors. And how secure would that be?
After some debate, the auditor agreed not to note “weak passwords” as a Sox failure.
Doing the Right Thing
Spaltro’s experience illuminates a transaction that’s rarely discussed outside corporate walls. Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation. How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer.
“There are decisions that have to be made,” Spaltro explains. “We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What’re the most important things that are absolutely required by law?” Spaltro does those, noting that “Sony is over-compliant in many areas,” and he says that Sony takes “the protection of personal information very seriously and invests heavily in controls to protect it.”
He adds that “Legislative requirements are mandatory, but going the extra step is a business decision” based on what makes business sense.
FORTUNE 100 insurance leaders rely on the Symantec Data Loss Prevention solution to protect sensitive customer data.
Do you know where your confidential data is, where it is going, and how to prevent it from leaving your organization.
Learn what the thought-leaders at PricewaterhouseCoopers have to say on the risks associated with data security.
Incorporate best practices from many companies using DLP solutions as you establish your organization's requirements and safeguard confidential data.
Learn how this proactive implementation of a DLP solution helps ensure E-LOAN's customer trust and loyalty.
Best Practices for Providing Secure and Cost-Effective Remote Access
They Can't Steal What You Don't Have: Smart Security Choices for Mobile Workers
The Three Pillars of Data Protection
The Case for A Specialized Security Platform
Security and Trust: The Backbone of Doing Business over the Internet
Best Practices in Choosing and Consuming Managed Security Services
Building Competitive Advantage with Next-Generation Wireless Infrastructure
IT Risk Management: Preparing for the Perfect Storm
Advanced DNS and Traffic Management Solutions: The Keys to Enhancing and Securing your Enterprise Network
The Power of Data Deduplication
Rethinking the Corporate Help Desk: Learn how to deliver anywhere, anytime incident response
Find out what Forrester says about mobile endpoint security and its management.
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Google in Curious Alliance with Click-Fraud Detection Firm
Kernel Developers, Wall Street to Come Together
Ellison Strikes Bullish Tone At Shareholder Meeting
Yahoo Investor Proposal Unlikely to Push Microsoft
Ugandans Comment on 10 Years of ICT Regulation
Vodafone to Acquire 15 Percent More of Vodacom Group
Zoho Launches E-Mail App with Offline, Mobile Access
Mobile Penetration to Hit 95 Percent By 2013
UK Supermarket Uses IT to Cut Checkout Waits
Mobile Industry Split Over UMA Versus Femtocells
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
