 RSS: http://linkingintegrity.blogspot.com/atom.xml

 

linking INTEGRITY

Integrity - use of values or principles to guide action in the situation at hand.

Below are links and discussion related to the values of freedom, hope, trust, privacy, responsibility, safety, and well-being, within business and government situations arising in the areas of security, privacy, technology, corporate governance, sustainability, and CSR.

Culture Matters, 25.10.05

SmartPros.com

The Ethics Resource Center's recently released 2005 National Business Ethics Survey is welcome confirmation of the trends we have been seeing: if an organization wants to reduce the risk of unethical conduct, it must focus more effort on building the culture than on building a compliance infrastructure.

Based on interviews with over 3,000 employees and managers nationwide, the survey disclosed that despite the increase in the number of ethics and compliance program elements being implemented, desired outcomes, such as reduced levels of observed misconduct, have not changed since 1994. Even more striking is the revelation that while formal ethics and compliance programs have some impact, it is the organizational culture that has greater influence in determining program outcomes.

Only lagging companies still measure the success of their ethics and compliance programs only by tallying the percentage of employees that have certified reading the Code and attended ethics and compliance training. The true indicator of success is whether the company has made significant progress in achieving key program outcomes. The NBES listed several key outcomes that can be used to determine the success of a program:

  • Reduced misconduct observed by employees;
  • Reduction of pressure to engage in unethical conduct;
  • Increased willingness of employees to report misconduct;
  • Greater satisfaction with organizational response to reports of misconduct.

    What's going to move these outcomes in the right direction? Not the mere presence of codes of conduct, reporting systems, and compliance training.

    What the NBES uncovered is that only by influencing key elements of the culture will the organization see positive movement in program outcomes.

    [Read on for more on relating Ethics-Related Actions to your compliance programme.]


    (1) comments
    Say good-bye to choice, 10.10.05

    Security Watch: CNET reviews:

    You know when an industry has matured; that's when companies begin purchasing one another at a rapid clip. This happened back in the 1980s when fledgling security supercompanies Symantec and McAfee went on a purchasing spree; and, it's happening again, only the players are slightly different. Within the last two years, Symantec purchased six security-related companies, Computer Associates bought six, Microsoft four, and McAfee and Trend Micro picked up two each. Some of the swallowed-up company names should be familiar: Groove, Qurb, PestPatrol, PowerQuest, and Tiny Personal Firewall. But here's the amazing thing: 11 of the 20 purchases occurred within 2005 alone. What does all this mean to you and me? Well, for one thing, less choice when it comes to security software. [..]

    Here's a chart of who's who in the security space today.
    | (Alphabetical order) | Symantec | Computer Associates | Microsoft | McAfee | Trend Micro |
    |---|---|---|---|---|---|
    | @Stake (security auditing) | Bought in 2004 | | | | |
    | BrightMail (e-mail) | Bought in 2004 | | | | |
    | BindView (security) | Bought in 2005 | | | | |
    | Concord Communications (wireless, VoIP) | | Bought in 2005 | | | |
    | Foundstone (security auditing) | | | | Bought in 2004 | |
    | FrontBridge (network security) | | | Bought in 2005 | | |
    | Giant Software (antispyware) | | | Bought in 2004 | | |
    | GeCAD (antivirus) | | | Bought in 2003 | | |
    | Groove (P2P) | | | Bought in 2005 | | |
    | Intermute (antispyware) | | | | | Bought in 2005 |
    | Kelkea (IP filtering) | | | | | Bought in 2005 |
    | Netegrity (security) | | Bought in 2004 | | | |
    | PestPatrol (antispyware) | | Bought 2004 | | | |
    | PowerQuest (drive utilities) | Bought in 2003 | | | | |
    | Qurb (antispam) | | Bought in 2005 | | | |
    | Sybari (antivirus, antispam) | | | Bought in 2005 | | |
    | Sygate (firewall) | Bought in 2005 | | | | |
    | Tiny Personal FireWall (firewall) | | Bought 2005 | | | |
    | Veritas (backup) | Bought in 2004 | | | | |
    | Wireless Security Group (wireless) | | | | Bought in 2005 | |
    | Totals | Bought 6 | Bought 6 | Bought 4 | Bought 2 | Bought 2 |

    [...]


    (0) comments

    Improvisation and Technology - A Discussion, 3.10.05

    Applied Improvisation Network

    Hi Tech and Improv

    At the recent AIN conference, I convened an Open Space session to explore how hi tech 'things' and improv 'things' could enhance each other. Scribed and blogged here are some of the results and resource links.


    (0) comments

    Security vendors ready CVSS vulnerability scoring system

    Computer Business Review

    The proposed new scoring system for IT security vulnerabilities known as CVSS has reached a stage where several vendors are planning ways of promoting enterprise adoption of the Common Vulnerability Scoring System. [Guide (ppt pdf)]

    CVSS is said to have been tested by about 30 companies since February, and now Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest, Qualys, Sintelli, Skybox Security and Unisys have all agreed to test the system and look into applicable usage.

    The CVSS system promises to transform the way in which network threats are evaluated and dealt with, in that the common rating system it provides should make for a framework against which enterprises can start to prioritize their patch routines and better manage risk, Ed Cooper, VP of marketing for Skybox, the vendor of security risk management software, said.

    He explained that the system uses a scale of 1 to 10 to rate the severity of vulnerabilities. It also lets organizations input site-specific information that will provide them with a risk score which is customized to their operating environment.

    Different systems for scoring vulnerabilities are in use today, and these systems use different metrics. CVSS weighs various criteria in a formula that includes measures of the impact of a vulnerability on system availability, data confidentiality and integrity, as well as the potential for collateral damage.

    [T]he group is working together to build on the first-generation framework that has already been developed, in order to come up with a system that is usable and accepted across the industry.

    CVSS has three components and includes a baseline vulnerability severity, which is then adjusted with temporal and environmental modifiers, so that any given bug has a different score depending on the time and the enterprise's own network. As such, it provides a scoring mechanism that rates how secure a network is and stands as a basis for comparison against comparable peer networks.

    The new rating system is being backed by the Forum of Incident Response and Security Teams, and the body will encourage IT executives to start testing the index as one way to address the issues caused by the numerous incompatible scoring systems currently in place.
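
The three-stage scoring described above (base severity, then temporal and environmental modifiers), as an added example that is not part of the original post or the quoted article. The metric names and weights are assumed from the first-generation CVSS (v1) guide and do not appear on this page; the function names are hypothetical.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Weights assumed from the CVSS v1 guide; none of them appear on this page.
ACCESS_VECTOR = {"local": D("0.7"), "remote": D("1.0")}
ACCESS_COMPLEXITY = {"high": D("0.8"), "low": D("1.0")}
AUTHENTICATION = {"required": D("0.6"), "not_required": D("1.0")}
IMPACT = {"none": D("0"), "partial": D("0.7"), "complete": D("1.0")}
# Impact bias as (confidentiality, integrity, availability) weights.
BIAS = {"normal": (D("0.333"),) * 3,
        "confidentiality": (D("0.5"), D("0.25"), D("0.25")),
        "integrity": (D("0.25"), D("0.5"), D("0.25")),
        "availability": (D("0.25"), D("0.25"), D("0.5"))}
EXPLOITABILITY = {"unproven": D("0.85"), "proof_of_concept": D("0.90"),
                  "functional": D("0.95"), "high": D("1.0")}
REMEDIATION = {"official_fix": D("0.87"), "temporary_fix": D("0.90"),
               "workaround": D("0.95"), "unavailable": D("1.0")}
CONFIDENCE = {"unconfirmed": D("0.90"), "uncorroborated": D("0.95"),
              "confirmed": D("1.0")}
COLLATERAL = {"none": D("0"), "low": D("0.1"), "medium": D("0.3"), "high": D("0.5")}
TARGET_DIST = {"none": D("0"), "low": D("0.25"), "medium": D("0.75"), "high": D("1.0")}

def _round1(x):
    # One decimal place, half-up, in exact decimal arithmetic.
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """Intrinsic severity: access metrics times bias-weighted C/I/A impact."""
    cb, ib, ab = BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return _round1(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                   * AUTHENTICATION[au] * impact)

def temporal_score(base, exploitability, remediation, confidence):
    """Base score scaled down by factors that change over the bug's lifetime."""
    return _round1(base * EXPLOITABILITY[exploitability]
                   * REMEDIATION[remediation] * CONFIDENCE[confidence])

def environmental_score(temporal, collateral, distribution):
    """Site-specific score: collateral damage raises it, target share scales it."""
    adjusted = temporal + (10 - temporal) * COLLATERAL[collateral]
    return _round1(adjusted * TARGET_DIST[distribution])

if __name__ == "__main__":
    # Constructed sample: remote, unauthenticated, full C/I/A compromise.
    b = base_score("remote", "low", "not_required", "complete", "complete", "complete")
    t = temporal_score(b, "functional", "official_fix", "confirmed")
    for site in [("low", "high"), ("medium", "medium"), ("high", "none")]:
        print(b, t, site, environmental_score(t, *site))
```

The same vulnerability ends up with a different environmental score at each site, and a site with no affected systems scores zero regardless of the base severity.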


    (0) comments

    "We shall need compromises in the days ahead, to be sure. But these will be, or should be, compromises of issues, not principles. We can compromise our political positions, but not ourselves. We can resolve the clash of interests without conceding our ideals. And even the necessity for the right kind of compromise does not eliminate the need for those idealists and reformers who keep our compromises moving ahead, who prevent all political situations from meeting the description supplied by Shaw: "smirched with compromise, rotted with opportunism, mildewed by expedience, stretched out of shape with wirepulling and putrefied with permeation.
    Compromise need not mean cowardice. .."

    John Fitzgerald Kennedy, "Profiles in Courage"
