DOJ Emphasizes Adequate Funding in Updated Compliance Guidance | Health Care Compliance Association (HCCA)
Report on Medicare Compliance 29, no. 21 (June 8, 2020)
Whether an organization shows its commitment to compliance with dollars is a new focus of the second update to guidance on evaluating compliance programs from the Department of Justice (DOJ). In its updated Evaluation of Corporate Compliance Programs, released June 1, DOJ indicates that adequate funding of the program and its people helps distinguish between a paper and an active program.
The guidance is used by white-collar prosecutors who evaluate compliance programs when deciding whether to file fraud charges and what the charges should be. Compliance officers also use the guidance to benchmark their organization’s compliance program. DOJ published the first version in 2017 and revised it in April 2019. The Evaluation of Corporate Compliance Programs modifies the Principles of Federal Prosecution of Business Organizations in the Justice Manual.
There are detailed questions about compliance programs in the guidance, which is organized around three “fundamental questions” that prosecutors try to answer when evaluating effectiveness. The 2020 version modified the second question to refocus on resources:
“Is the corporation’s compliance program well designed?”
“Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively?
“Does the corporation’s compliance program work” in practice?
In elaborating on resources, DOJ explained that “prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’ [Justice Manual § 9-28.800]. In addition, prosecutors should determine ‘whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts.’ [Justice Manual § 9-28.800].”
The emphasis on funding doesn’t come as a shock. “You would have to have adequate resources before you get to adequate or better effectiveness,” said attorney Gabriel Imperato, with Nelson Mullins Broad and Cassel in Fort Lauderdale, Florida.
Prosecutors have always factored in the funding of compliance programs, although it’s significant to see this in writing, said Kirk Ogrosky, former deputy chief of DOJ’s fraud section. “You can have compliance officers who are making a fraction of what other senior executives are making,” he said.
The guidance also encourages organizations to advance compliance at all times, even during an investigation, said former federal prosecutor Robert Trusiak, an attorney in Buffalo, New York. As DOJ states, “In answering each of these three ‘fundamental questions,’ prosecutors may evaluate the company’s performance on various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the time of the charging decision and resolution.” DOJ reinforces this point when it talks about the risk assessment. “Prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
In other words, Trusiak said, “effective compliance is not set it and forget it. Compliance is an iterative process.”
DOJ Revises Other Questions
DOJ’s revisions ripple through the rest of the document, which is loaded with specific questions about commitment by senior and middle management, risk assessments, due diligence, communication with employees, oversight of third parties and other hot topics.
For example, the 2019 guidance asked whether the organization’s risk assessment was “current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
The 2020 guidance drills down. “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?”
There are also more questions about how organizations ensure that policies get in the hands of employees and vendors. For example, “have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?” The stakes also are raised on employee awareness of the hotline. “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”
Imperato noted that DOJ “dwells a fair amount on third-party due diligence” and whether it continues after the deal is done. For example, DOJ asks, “What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post acquisition audits, at newly acquired entities?”
Questions on learning from mistakes were also tweaked. “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?” There are other changes to questions, including, for example, about training and “monitoring investigations and resulting discipline.”
Imperato said he will attach the updated guidance to his board training, along with other documents. “This automatically becomes the benchmark…for setting up a compliance program and determining its effectiveness.”
Ogrosky noted, however, that even well-funded, effective compliance programs may fail to detect bad actors. “Fraud is a non-self-revealing offense,” he said. “The people who commit fraud at large corporations are doing it to avoid the compliance folks.” He’s referring to flat-out fraud, not a debate about whether an arrangement fits within a safe harbor, for example.
Whether fraudsters inside corporations are unmasked depends more on whether executives ask the right questions vs. looking the other way, Ogrosky said. For example, if a salesperson outperforms his or her peers 50 times over, managers should dig into it. “If a contractor is able to do what no one has been able to do, ask why, because the fraud is not self-revealing.” DOJ will expect the corporation to accept some responsibility for bad actors, even when they have good compliance programs, he said.
The California Attorney General released an update to its proposed California Consumer Privacy Act Regulations, and companies have until 5 pm PT on February 24 to submit comments on this updated draft. Key changes include: Definitions Clarifying that to qualify as personal information (“PI”), information must be maintained […]
From my Gartner Blog – Updated Paper on Penetration Testing and Red Teams
I finally managed to publish the update to my paper on pentesting, “Using Penetration Testing and Red Teams to Assess and Improve Security”. It has some small tweaks from the previous version, including some additional guidance around the role of Breach and Attack Simulation tools.
Questions about how to define the scope of penetration tests are very common in my conversations with clients. I always tell them it should be driven primarily by their objective for running the test. Surprisingly, many have problems articulating why they are doing it.
The discussion about comparing pentests with other forms of assessments is there too, although we also published a paper focused on the multiple test methods some time ago.
A few good pieces from the document:
“Research the characteristics and applicability of penetration tests and other types of security assessments before selecting the most appropriate one for the organization. Select a vulnerability assessment if the goal is to find easily identifiable vulnerabilities.”
“Definitions for security assessments vary according to the source, with a big influence from marketing strategies and the buzzword of the day. Some vendors will define their red team service in a way that may be identified as a pentest in this research, while vulnerability assessment providers will often advertise their services as a penetration test. Due to the lack of consensus, organizations hiring a service provider to perform one of the tests described below should ensure their definition matches the one used by the vendor.”
“Pentests are often requested by organizations to identify all vulnerabilities affecting a certain environment, with the intent to produce a list of “problems to be fixed.” This is a dangerous mistake because pentesters aren’t searching for a complete list of visible vulnerabilities.”
Next in the queue is the monitoring use cases paper. That’s my favorite paper, and I’m excited to refresh it again. You’ll see it here soon!
Google has announced plans to restrict political advertising on its platforms ahead of the UK General Election and next year’s US Presidential election, in a move which will further turn the heat up on Facebook.
Although the web giant claimed that it never allows controversial micro-targeting of election ads, it announced a further clarification of its policy on Wednesday to limit election ad targeting to “age, gender, and general location.”
It’s also explicitly banning deep fake content, misleading claims about the election process, and “ads or destinations making demonstrably false claims that could significantly undermine participation or trust in an electoral or democratic process.”
“Whether you’re running for office or selling office furniture, we apply the same ads policies to everyone; there are no carve-outs,” argued Google Ads VP of product management, Scott Spencer.
“It’s against our policies for any advertiser to make a false claim — whether it’s a claim about the price of a chair or a claim that you can vote by text message, that election day is postponed, or that a candidate has died.”
That appears to put more distance between Google and Facebook, whose stance is that tech firms should not be the arbiters of what politicians can and can’t say — despite it having strict rules on false advertising elsewhere on its platform.
This position has invited heavy criticism from various quarters as tantamount to allowing politicians to lie — especially after Facebook rejected a request from Presidential hopeful Joe Biden to remove a Trump campaign ad containing misinformation about the former vice president.
“Of course, we recognize that robust political dialogue is an important part of democracy, and no one can sensibly adjudicate every political claim, counterclaim, and insinuation,” Spencer continued.
“So we expect that the number of political ads on which we take action will be very limited — but we will continue to do so for clear violations.”
Twitter has already announced a ban on virtually all political advertising, which will begin today.
The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have called for urgent legislation to regulate the “wild west” of political advertising, fearing that outside forces could sway elections and that secret micro-targeting of voters undermines the legitimacy of results.
Google has previously blocked political ads two weeks before polling in the Irish referendum and during the entirety of the recent Israeli and Canadian election periods.
Have you updated your browser yet? Severe Chrome zero-day vulnerability getting actively exploited
Attention! Are you using Chrome as your web browser on Windows, Linux or Mac? It is high time you updated your browser!
That’s right. With Google recently releasing Chrome version 78.0.3904.87 for Windows, Mac, and Linux comes an urgent warning asking billions of users to update their software immediately. The warning follows news of hackers exploiting two high-severity zero-day vulnerabilities. The new Chrome version addresses these vulnerabilities.
What are these zero-day vulnerabilities?
According to Google, the following 2 zero-day vulnerabilities have been detected:
- CVE-2019-13720 – A use-after-free bug detected in the audio component of Chrome.
- CVE-2019-13721 – Another use-after-free vulnerability, this one affecting the PDFium library, which Chrome uses to view and generate PDF files in the browser, a feature commonly required by users.
How do these vulnerabilities work?
A use-after-free vulnerability is a memory-corruption flaw that allows memory data to be modified or corrupted, which can let an attacker take control of the affected software or system. All a remote attacker needs to do is convince you to click a link and visit a malicious website; the flaw can then be used to escalate privileges in your Chrome browser and run malicious code on your system while bypassing sandbox protections.
How can you protect yourself?
Use-after-free vulnerabilities have existed in the wild for quite some time and are among the most commonly discovered classes of vulnerability, so the chances of one reappearing at frequent intervals are high.
Thankfully, Google has already released an update in this new Chrome version to patch this actively exploited zero-day vulnerability, and the stable channel has been updated to 78.0.3904.87. So now, all you need to do is click the update arrow visible in the top-right corner of the Chrome browser. Once you have successfully updated to the latest version of Chrome across your desktop and mobile devices, you will be safe from these vulnerabilities.
Such security bugs and vulnerabilities are bound to appear and reappear from time to time. It is for this reason that Quick Heal strongly recommends that you keep your web browser and security products up to date and follow best security practices for optimum defense against the rising and evolving threats and zero-day vulnerabilities.
CNBC – Nov 5 – Tinder has changed its algorithm, to boost matches. The details will be revealed in the next few days. Tinder CEO, Sean Rad, said that the new algorithm will increase the number of matches by ~30%. Read More….
According to Tim Rains, director of Microsoft Trustworthy Computing, Microsoft’s threat modeling tool has been updated with new features designed to offer organizations more flexibility and help them implement a secure development lifecycle.
“More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,” blogged Tim Rains. “Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.”
The latest version of the tool includes the following new features:
• New Drawing Surface: This release has its own drawing surface, and Visio is no longer needed.
• STRIDE per Interaction: A big improvement in this release is a change in the approach to how threats are generated. Microsoft Threat Modeling Tool 2014 uses STRIDE per interaction for threat generation, where past versions of the tool used STRIDE per element.
• Migration for v3 Models: Updating your older threat models is easier than ever. You can migrate threat models built with Threat Modeling Tool v3.1.8 to the format used by Microsoft Threat Modeling Tool 2014.
• Updated Threat Definitions: The tool offers users further flexibility to customize it according to their specific domain. Users can now extend the included threat definitions with ones of their own.
Further, “Microsoft Threat Modeling Tool 2014 comes with a base set of threat definitions using STRIDE categories,” blogged Emil Karafezov, program manager on the Secure Development Tools and Policies team at Microsoft. “This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls.”
“We hope these new enhancements in Microsoft Threat Modeling Tool 2014 will provide greater flexibility and help enable you to effectively implement the SDL process in your organization,” he added.
Android Marshmallow arrives today. Of course, some phones may still take months or years to get an update. We’ve collected all the information we can on which devices will get updates and when. Below, you’ll find a non-comprehensive list of all the phones and tablets we can find that may be receiving an update to Android Marshmallow. Keep in mind that we don’t have any special insider information. We only know what the companies that make these devices announce. We’ll do our best to keep this list updated and check in when updates are due. However, some manufacturers may change their plans, or simply fail to acknowledge some phones entirely. Many phones also come with variants that may delay updates. We’ll make note of carrier or regional variants wherever possible, but unless otherwise noted, assume any reference to a device refers to the generic, carrier-free version. If you bought your phone from a carrier (particularly a CDMA carrier like Verizon or Sprint), your phone may have a different update schedule. If you see a phone that’s not on this list, that a manufacturer or carrier has confirmed an upgrade to Android Marshmallow for, let us know. We can’t keep up […]
The Richmond County Sheriff’s Office has released information on the investigation into child abuse allegations a deputy is facing.
Investigators say, Tuesday night at approximately 8:00 p.m., deputies responded to a residence on the 2800 block of Anne Street, in Augusta, where it was alleged an off-duty uniformed deputy from the Richmond County Sheriff’s Office was involved in the physical abuse of a 12-year-old child.
Based on the information and evidence obtained at the scene, and after consulting with the District Attorney’s office, the deputy, now identified as Alton A. Walker, was detained, and criminal charges were pending.
Wednesday morning, investigators applied for and obtained arrest warrants for Deputy Walker for the felony charges of False Imprisonment and Cruelty to Children in the 1st Degree.
Researchers have uncovered new, currently unpatched vulnerabilities in multiple versions of Internet Explorer that criminals are actively exploiting to surreptitiously execute unusually advanced malware on computers that visit booby-trapped websites. The vulnerabilities in various configurations of IE versions 7, 8, 9, and 10 running on Windows XP and Windows 7 are separate from the Microsoft Windows […]