1. Business Risk Management
- Crisis Management and Emergency Response in Banking Industry, by Juan Carlos Acevedo (report)
Even the most secure systems are vulnerable to failure. As we advance as a society, new threats and attacks develop on a daily basis. Each time a new technology is developed, along with a way to protect many of its vulnerabilities, there is always a way that the system can be fooled, beaten, or forced to fail. Defining potential threats and attacks becomes a difficult task not only for businesses or organizations, but also for many normal PC and internet users. We have seen in the past few years that private information of clients has been lost due to many errors, even though the maturity level in information security was considered to be adequate or even proactive. Even if a system is considered to be a trustworthy computing system, it is vulnerable to failure by inside or outside attacks. What then should a company or organization do if the system fails?

This research paper attempts to find out about the Emergency Response and Crisis Management blueprints that top Banking Corporations have to protect both the information of their clients and their financial statements/plans. It also attempts to research the steps, software, plans, response, benefits and costs of putting an emergency response in place. Financial institutions are a major target for predators who each day become more intelligent and sophisticated in finding ways to steal, hack, or intrude into a system to cause harm or for personal gain. Financial institutions have been around for hundreds of years now. Their first business processes were to make money advances to trading companies who needed to buy inventory before they could gather any revenues. Today, financial institutions make business transactions with the general population by providing checking and savings services. With the money gathered, financial institutions are able to make loans to private businesses or individuals who have an investment in mind. That is why, by researching financial institutions, we can get a better understanding of Crisis Management. Money transactions between financial institutions and the general population and businesses happen on a daily basis. There is a proportion of the population who are interested in finding ways to steal, hack, or intrude into a system to cause harm or for personal gain. By researching financial institutions we can also understand more about the emergency response plans that corporations use at this point in time, and the new innovations and plans. Above all, we will be able to understand the approaches many financial institutions have towards crisis management and what plans they have in case of an emergency.
- IT security and risk management: ISO 17799, by Madina Nurguzhina (report)
In order to be compliant with current laws and regulations, and to be competitive and successful, a company in the big world must consider not only such things as profit, personnel, supply chain management, and so on, but also information technologies, which play a very important role in the aforementioned processes. Information is a very important element of every process within a company. If a company can successfully protect and manage information, it would contribute a lot to its business purposes as a whole.

In the global community there are many different types of standards and frameworks that help a company to manage and secure IT, such as COSO, COBIT, ISO, ITIL and many others. In order to have strong and sound IT governance, a company has to implement appropriate IT frameworks that would fit the company’s main processes.

COSO is a very broad group of standards that includes different financial and auditing institutions’ functions, while COBIT, ISO and ITIL are more specific and focus more on IT security and risk management. As a part of my individual project, I want to narrow my search to COBIT and ISO standards. ISO standards are used globally more often than COBIT due to the fact that ISO fits more smoothly into the different frameworks of most countries in terms of business processes, since COBIT addresses standards only, while ISO is concerned with both standards and processes (e.g. organizational security, personnel security, communications and operations management, business continuity management, and so on). I will show this in my report, supporting my ideas with relevant cases and examples from certain companies.

Let us talk a little bit about COSO (the Committee of Sponsoring Organizations of the Treadway Commission) and its role in IT Governance. As was mentioned earlier, COSO is a very broad set of standards (to be precise, a private sector organization) that focuses not only on IT Governance control and improvement, but also and mostly on financial reporting quality, internal control and corporate governance. This organization was formed in order to find out the factors that lead to fraud in financial reporting, as well as to give recommendations on how to prevent these factors to companies, auditors, educational institutions and so on. Among the sponsoring organizations within the Committee there are “five major professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants)” (1). In spite of the fact that there is a sponsorship deal, the Commission is independent from all of the sponsoring organizations, and has representatives from industry, public accounting, the New York Stock Exchange, and different investment firms.

COSO defines Internal Control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in such categories as effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. IT Governance is part of internal control within the COSO framework. Therefore, different frameworks for IT security and management (COBIT, ITIL, ISO, and so on) should comply with the COSO organization’s rules and requirements. While COSO is generally accepted as the internal control framework for enterprises, COBIT, ISO and other similar frameworks are the generally accepted internal control frameworks for IT.
2. Vulnerability Management and Assessment
- Effective Use Policies and Secure System Architectures for Email and Instant Messaging, by Megan Casey (report)
Businesses are becoming more and more connected through online communication systems. Two components of these systems are email and instant messaging. Both of these functions provide similar benefits of easier and more efficient communication, but they also come with inherent security risks that can threaten any organization. Threats such as viruses, malware, spam, identity theft, stolen confidential information, and privacy issues plague the benefits that come with these systems. There are multiple ways to protect against these though, and all businesses can take steps to protect against any vulnerability that threatens them through email and instant messaging systems.
- Emergency Response and Unified Command System, by Navatath(Oil) Bhataramongkol (report)
Although the performance calculation software package is quite new in the power generation business, it plays a major role in contemporary power generation control, electricity grid control and monitoring via SCADA systems. Every power plant construction contract nowadays requires bundling power performance calculation as a minimum requirement, because the major players in the electricity generating business realize that fossil fuel, the major power source nowadays, is going to become extinct in the world, and also that nuclear fuel is still a major public concern and dangerous to use. The way to operate a power plant efficiently at low fuel gas or fuel oil consumption will be an answer and a major role for the contemporary power generating player.

The power performance calculation does not only perform real-time monitoring, but it also provides sophisticated power plant simulation analysis such as what-if analysis with varying power plant loads in different ambient conditions. This module provides an advantage in worst case scenario and best case scenario simulation. It can simulate in on-line mode, connected to the power plant control system, or in off-line mode for the power plant analysis team.

The power plant simulation will give a clear picture of the power plant’s reaction characteristics in unwanted situations such as an electricity blackout. This information will give a clear picture of the emergency plan, preventive power plant maintenance, and how to prevent the electricity blackout.

Since the SCADA network, which is used as the medium for real-time performance monitoring, is vulnerable to hackers, I will discuss power plant performance software in terms of power plant performance calculation, power plant simulation and security issues. Also, I will address the future direction with suggestions.
- The Importance of Penetration Testing & Safeguarding IT Systems, by Natalya Sholomyansky (report)
Information technology is expanding throughout all processes, from e-mail to transaction systems to databases full of data. With crackers and rogue insiders on the prowl, organizations need to be vigilant in the protection of their systems. A breach of security is harmful for all parties involved – the organization and those who conduct business with it. This paper begins by discussing the current security environment and concerns. Then it elaborates on the specific issues businesses should be concerned with when thinking about safeguarding their information. An extreme example of a breached system and the resulting consequences is the provided case of TJX. This leads into the discussion of two approaches to safeguarding an organization against attacks, in particular penetration testing (also known as ethical hacking). An elaboration of the concerns and processes on both the client’s and the hacker’s ends, from beginning to end of a penetration test, is the bulk of the paper.

Key Words: Security, Penetration testing, Vulnerability management.
3. Information Trust and Compliance Issues (Sarbanes-Oxley Act)
- Sarbanes-Oxley Compliance: Section 404 - Past, Present, and Future, by Amy Smith (report)
As internal control monitoring and reporting becomes routine, companies will need to adopt a more comprehensive solution and develop long-term strategies to ensure Section 404 compliance. In my paper I will begin by giving an overview of the Sarbanes-Oxley Act, focusing on Sarbanes-Oxley compliance, specifically Section 404. I will discuss impediments to the process of developing a long-term strategy, as well as proposed solutions, mainly implementing business process management software. I will cover the shortcomings of current documentation warehouses as well as the advantages of employing business process management software. Ultimately, I hope to emphasize the need for companies to develop and implement a long-term strategy to ensure Section 404 compliance.
- IT Governance and Security - Information Trust and Compliance Issue (SOX), by Sarah Al-Houti (report)
The topic that I chose to research is the Sarbanes-Oxley Act. The reason I chose to research the subject was that many of the speakers in the course mentioned the effects SOX has on their business. I did not fully understand what the law is and what effect it has on businesses; for that reason I chose this topic to research. I also wanted to know what software is available to help comply with SOX.

The different areas that I will be discussing in the paper, to better understand what Sarbanes-Oxley is and its effect on businesses, are as follows. First, I discuss the history and the reason the law was created. The second aspect I will cover is a review of Sarbanes-Oxley compliance. I will also look at four sections of the law in more detail in order to have a better understanding of what the law requires companies to do. The third aspect of the paper that I will cover is how SOX has affected companies: what the issues, benefits and costs are that are related to the enforcement of SOX on corporations. Last, I will talk about software that has been created in order to help companies comply with SOX. The reason I chose to research Sarbanes-Oxley software is that I feel it will be helpful to know what software is a better fit for companies and what software I would recommend companies to have in order to comply with SOX.
- IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues, by Gajin Tsai (report)
Since the Sarbanes-Oxley Act of 2002, many public companies have faced challenges while trying to comply, due to the high cost and inexperience. After the bill passed, auditors did not have a set of guidelines to follow when first auditing the companies. As auditors gained more experience throughout these years, they have developed more of a routine, or best practice, for IT auditing. One headache for compliance with Sarbanes-Oxley Section 404 is that the section makes no specific mention of what controls need to be implemented to be in compliance with SOX. How can companies comply with it if they do not know what they need to do to comply? Although there are varying practices within different organizations, many choose to follow the guidelines of ITIL, ISO 17799, or COBIT. ITIL, ISO 17799, and COBIT are guidelines companies are able to follow to be compliant with SOX. However, many companies have been able to find significant benefits in not only complying with SOX, but in adopting one of these guidelines beyond SOX’s scope.
- Protection of sensitive information and improving IT control by implementing Six Sigma approach, by Kaskyrbekova Aigerim (report)
It’s hard to imagine what businesses would do without technology. With most commercial interactions (and transactions) riding on multiple internal and external electronic environments—and ever-mounting mandates for demonstrating accountability—organizations have more incentive than ever to keep core business data safe and secure. What are companies doing to protect their data, and are these efforts successful? My project provides a clearer understanding of the state of data protection across many different industries, and compares the characteristics and the strategic and tactical actions for improving results. Due to the under-reported nature of the issue—no organization wants to be featured on the front page of the business press for losing customer data—the findings and numbers are enlightening and compelling, and hopefully will act as a diagnostic framework for taking action that will help to reduce data loss, customer loss and revenue loss and hence improve results.

Nowadays, protection of information has become a more crucial issue than two or three decades ago. The mass circulation of information allows people to find all the necessary information through the internet. Therefore, protection of sensitive information such as personal, financial, customer and employee information is becoming more difficult, especially for big companies, where from customer lists to merger and acquisition information, emails and electronic documents, companies hold their most valuable and sensitive data. In a highly competitive world, companies are trying to be most innovative in order to be profitable and sustainable, which comes from being different by creating unique products. Nevertheless, to make it so, companies should protect their internal privacy, which can be attacked both externally, for example by hackers, and internally by employees and customers. In a world of information overflow, anyone can easily gather electronic documents containing the most valuable and sensitive information, and some are trying to benefit from selling stolen information. According to the Privacy Rights Clearinghouse (PRC), from February 15, 2005 to January 19, 2007, 453 separate incidents of data loss were recorded, in which almost 100 million pieces of sensitive, personally identifiable information were unprotected and stolen or lost. Based on the information about stolen or lost data which was made public, it becomes clear that different industries have faced and experienced sensitive data loss, where some companies are affected more than others due to the kind of industry and size of organization. In the list of organizations which were announced as having lost data were widely known companies where trust plays a big role. Thus, protecting sensitive electronic information is a huge challenge, which can be improved by leveraging the Six Sigma program by eliminating defects in order to meet customer and employee satisfaction. This report will help understand Six Sigma theory, the Six Sigma tools that are available, and the ways in which Six Sigma can be applied to IT.
- Information Technology Infrastructure Library (ITIL), by Tseng Po-Kun (Dennis) (report)
This report focuses on the ITIL framework, which is a set of guidelines for an IT department to control and measure the quality of its IT operation. The principles of ITIL mainly deal with processes for IT Service Delivery and Support in order to reach the objectives of the organization.

The content of this report includes three major parts. First of all, the advance of information security issues involved with the SOX Act and other best practices such as COSO, CobiT, and ISO 17799. Secondly, the ITIL overview and its main processes and coverage, which will be accompanied by two case studies derived from an educational organization and other areas. Finally, the report will discuss the connection of ITIL with other key practices to see how they complement and link with ITIL.
- IT Compliance with a Focus on Legislation and Supportive Frameworks, by Tammy Stern (report)
While IT governance covers many facets of running a business (risk management, security, and trustworthy computing), this paper will focus on Information Technology Compliance. Not surprisingly, there are many laws governing the operations of businesses. However, due to information technology’s increasingly pivotal role in all businesses, it too is becoming a greater concern of governance. Generally, governance with regard to IT is discussed in terms of internal controls. A guest lecturer from Pricewaterhouse Coopers may have best defined internal control.

“Internal control is broadly defined as a process…effected by an entity’s board of directors, management, and other personnel…designed to provide reasonable assurance…regarding the achievement of objectives in the following categories: 1.) effectiveness and efficiency of operations, 2.) reliability of financial reporting, 3.) compliance with applicable laws and regulations.” [Pricewaterhouse Coopers guest lecture]

We’ll first review some major pieces of legislation that impact many industries, not the least of which is the Sarbanes-Oxley Act of 2002. Included in this review are experiential statistics from companies which have already complied with SOX during the past several years. Trend information is included because this is an evolving legal act due to the heavy financial impact experienced by publicly traded companies.

Next, we’ll review some of the Enterprise and IT Process Frameworks that are available for a company to utilize as it evaluates its current processes, controls, and maturity level in being compliant with SOX. Sprinkled throughout will be references to real world statistics, professional opinions including guest lecturers, and secondary source data taken from websites.

Finally, we’ll summarize with some discussion and a conclusion.
- Business Benefits by Aligning IT best practices, by Yun-Syong Choi (report)
Since the Sarbanes-Oxley Act (Sarbanes-Oxley or SOX) was signed into law in 2002, many companies have adopted some IT practices to comply with the regulation. In this paper, I will discuss overall IT best practices and the business benefits of aligning them. After briefly introducing SOX and the internal control framework called COSO’s Internal Control, I will discuss three international IT best practices (CobiT, ITIL, and ISO 17799) and the best way to implement the best practices. In the end, I will write about the business benefits from understanding SOX and aligning the IT best practices. The following figure shows the relationship among SOX and its control frameworks mentioned in this paper.
4. Dependable & Trustworthy Enterprise Systems
- Understanding of Enterprise Architecture: Essences and Framework, by InBong(I.B) Jeon (report)
As the sizes and scopes of business entities are expanding, IT governance becomes much more complicated and important than before. Because controlling IT governance has become the most critical part of business activities, especially for companies whose organizations are decentralized or have many sub-divisions, Enterprise Architecture is emerging in many business entities. The more business functions there are, the more difficult IT governance becomes. Because each business unit has its own agenda of the unit’s business goals with its own IT infrastructure, each business unit might be out of line with the whole business strategy. Organizational sub-units’ efficiency might not result in the best efficiency of the aggregate whole business entity. It is necessary to raise the efficiency of each sub-unit and that of the whole business entity at the same time.

Enterprise Architecture is not a part of IT governance, but it is a critical system to help IT governance work efficiently in terms of Effectiveness, Transparency and Accountability. I would like to define Enterprise Architecture as the structure of management and control for IT governance as a whole. To understand the concept of Enterprise Architecture through this paper, I am going to describe essential features of EA (Enterprise Architecture) and its framework in general.
5. Enterprise Information Security Policy
- The CALEA Effect, by Andrew Maxedon (report)
As of May 14, 2007, legally recognized public telecommunications carriers in the United States will be required to keep records of all transactions across their networks. This act, entitled the Communications Assistance for Law Enforcement Act, or CALEA, has added to the costs telecommunications carriers incur but is necessary with the increasing amount of information transmitted over digital and analog services. CALEA provides the opportunity not only for law enforcement but also for businesses to monitor network traffic for their own purposes, assuming ownership of that data. In this paper, CALEA will be briefly described, along with the history of the act and some early monitoring technologies, some costs involved in the implementation, and technical options carriers have in order to meet requirements in a timely fashion.
6. Trustworthy Systems Development
- The Security-Inclusive Development Life Cycle, by Kimberly M. Hubbard (report)
With the vast number of computer crimes in existence, and computer vulnerabilities on the rise, a select few computer scientists on the leading edge are taking a new approach to information security. They believe incorporating security early on, into the systems development life cycle, may be the key to making safer products that can withstand malicious attacks. This paper gives vulnerability statistics, reviews a survey of patch management costs, and analyzes the findings of a computer crime survey to outline the threat level and cost effectiveness of current security solutions. The paper then focuses on Microsoft’s Trustworthy Computing Security Development Life Cycle (SDL), and it goes into non-technical detail about activities, design methods, and techniques SDL uses to minimize vulnerabilities in their products, while pointing out the similar findings of the Social Security Administration and the National Institute of Standards and Technology.
7. Privacy Issues
- PRIVACY ISSUES (RFID), by Jaison Pillows (report)
My term project will be connected to privacy concerns. The focus of my effort will be centered on Radio Frequency Identification Tags, otherwise known as RFID tags. I chose RFID tags because this technology has been around since the mid 1990’s, but lately the use of them has skyrocketed. It’s the common story: many people often use them but have no idea that they do. These tags offer endless possibilities for the future and already impact daily life quite a bit, but there is a great concern with privacy. Many of these RFID tags hold private, personal information and some even contain financial data on them. Many are calling Radio Frequency Identification Tags “the mark of the beast” due to the risk of identity theft and a host of other concerns.

I envision this project will offer some awareness on the privacy concerns and also some comfort in the protection against those issues. I am also very excited to look into how others are using RFID tags and speak on some future possibilities for them.
- Act on Protection of Private Information in Japan, by Takashi Kozuka (report)
For business entities, personal information is useful for their marketing and new product development. However, there are increasing risks associated with it in this digital age. If it is maliciously used, people suffer.

In this report, I focus on the Act on Protection of Personal Information, which has been enforced since April 2005 in Japan. My objective is to identify the background of the establishment of this act, what this act is, what problems business entities are facing, and what IT solutions there are to solve those problems.
9. Trustworthy Supply Chains in Multinationals
- RFID, by John N. Sims (report)
Radio Frequency Identification (RFID) systems are being implemented in various applications from supply chains to transportation. Companies want to maximize efficiencies in their processes and systems so that they can gain a competitive advantage over their competitors. This new technology is opening new doors for companies as it becomes more cost effective and widely used throughout industries.

Although there are benefits with this RFID technology, companies will face privacy concerns, whether real or perceived by their customers. Privacy management is a huge concern; therefore methods to implement these systems will have to be developed to ensure that the information is protected. These protections will have to be implemented with laws in mind, such as HIPAA. The problems expressed with this technology show how emerging new technologies can disrupt the balance of privacy, benefits, public safety, and security.

You will need to understand the RFID technology and its applications, competing technologies, regulations and privacy issues, and implementation methods so that you can determine if this new technology can provide benefits to your business. In this paper I will define this technology, compare it to competing or supporting technologies, and discuss various applications. Also, I will discuss proposed implementation best practices. Finally, RFID standards will be overviewed, along with some of the potential drawbacks of this technology.
- Reports on Information Sharing and Analyses Center, by Kexin Zhao
This term paper studies ISAC, an industry-based information sharing collaboration initiative in IT security management. After the introduction, the paper summarizes a case study of the financial service ISAC. Then, I analyze and discuss economic benefits and challenges associated with ISACs, which are followed by a review of related literature solving similar problems. Finally, the paper raises future research opportunities in sharing information to manage IT security.
10. Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA: The Application and Challenges of Implementing Healthcare Information Technology, by Eric Kolman (report)
The Healthcare Industry has been undergoing radical transformations and has been rapidly changing to adopt information technology solutions to meet the challenges of regulatory burdens, cost reduction, and patient care. A few examples of the solutions being implemented are computerized physician order entry initiatives (CPOE), electronic medical records (EMR), and electronic claims processing. A recent study has shown that healthcare providers in the United States will increase IT spending from $15.1 billion in 2002 to $17.3 billion in 2007 (Rotbert Law Group). The demand for healthcare technology has significantly increased and has created remarkable opportunities for health care solution providers. The expanding use of IT, though, has also created numerous challenges for organizations. As information in the healthcare industry moves to becoming completely electronic, privacy and security concerns are increasing. The foremost concerns hospitals and healthcare systems face are protecting the patients’ information, making sure it is secure, and preventing people who should not have access from accessing the information. Healthcare organizations look to IT to help them solve this problem, but fulfilling the promise of technology is an ongoing and daunting task due to limited budgets, the need for legacy system migration and new technology insertion. A regulatory framework has been put into place in order to respond to these rising concerns. Part of this regulatory framework is the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. Health plans and health care providers who transmit health information in electronic form must be in compliance with HIPAA or face the possibility of significant fines or even jail time.
- The Impact of HIPAA on Pharmacy and Emerging Compliant Pharmacy Information Technology, by Jonathan Feigenbaum (report)
With the healthcare industry in the US rapidly expanding and modernizing, a technological push has resulted in many healthcare providers implementing process-changing and cost-efficient technological innovations. However, a recent focus on security and privacy of health records and information, called for by the United States HIPAA legislation, has conjured a new focus within the industry.

Pharmacy, with increasing demand for prescriptions and patient care, is a key player in both the technological modernization of processes and the requirement for security and privacy compliance of protected healthcare information. Taking a broad look at newly emerging technologies, with a focus on pharmacy automated systems and paperless physician order entry, pharmacies are fighting both the costs of increased demand and labor, and the need for HIPAA compliant privacy and security safeguards, with an implementation of these new technologies.
- Healthcare Applications and HIPAA, by Michael McIntosh (report)
According to the United States Congress, which passed the Health Insurance Portability and Accountability Act of 1996, it has become increasingly important to protect the privacy of peoples’ health and medical records, also known as protected health information (PHI). However, since the passage of the Act in 1996 and the provisions that have passed since then, little to no progress has been made to secure the privacy of electronic health records. HIPAA violations can be found in news headlines with alarming regularity all across the country. The questions remain: why is HIPAA failing, and what can be done to improve it?