Chief Compliance Officer Job Description Just Updated
The Chief Compliance Officer Job Description is critical in the recruiting process for an effective CCO. The individual must have a broad vision and perspective, plus the additional skills needed to function in the ‘global’ regulatory environment. This requires that they consider many key factors to ensure the success of the compliance management processes.
C-Level executives are continuously looking for help in preventing fraud and protecting sensitive information. The fact that key corporate executives carry personal liability in the event of non-compliance virtually ensures that compliance is a key initiative in any large organization.
Role of CCO
The Chief Compliance Officer oversees the Corporate Compliance Program, functioning as an independent and objective body that reviews and evaluates compliance issues/concerns within the organization. The position ensures the Board of Directors, management and employees are in compliance with the rules and regulations of regulatory agencies, that company policies and procedures are being followed, and that behavior in the organization meets the company’s Standards of Conduct.
Janco’s detailed CCO job description focuses on these key factors. It offers a strategic and top-down view of this important new function. It defines how the CCO can materially assist the enterprise in establishing a function with an aggregate view of Governance, Risk Management and Compliance. That function needs to replace the highly fractionated structure that was typical of previous risk and compliance functions, which operated mainly at the tactical and operational level.
The job description is 2,000 words in length and takes up six packed pages of job requirements.
Compliance Management Team
The Compliance Management Team serves as the focal point for compliance activities. The team typically is composed of persons of high integrity whose other duties do not conflict with the compliance goals.
Coordination and communication are the key functions of the Compliance Management Team with regard to planning, implementing, and monitoring the compliance program.
10 Point Power Checklist Disaster Recovery and Business Continuity
The 10 point power checklist addresses the issues associated with electrical power after an event that disrupts a network; the availability of power to recover and run the network is often critical.
The 10 Point Power Checklist for Disaster Recovery and Business Continuity needs to be incorporated into the disaster recovery – business continuity plan. The Disaster Recovery Business Continuity template contains many checklists and best practices to follow. The checklist includes:
Electricity, water, broken wires do not mix. Review all electrical and plumbing plans in detail.
Understand the minimum power requirements to be operational.
Have an adequate fuel supply to operate backup power sources. If the outage lasts for more than 30 days, will the facility be able to continue operations?
Set reasonable response times for standby generator.
Maintain your equipment and test its operation. Test at least once a quarter and review the supplies on hand.
Understand your environment and geography.
Set up generators in an open, well-ventilated area. Carbon monoxide fumes can build up and poison people.
Compliance Mandates come from multiple sources. How companies are impacted by them varies by size of company and the markets they serve.
Compliance Mandates impact every company that does business on the Internet. Few companies are impacted by all of the mandates. The two most impactful are the CaCPA enacted by California and the GDPR from the EU.
The EU has implemented a single privacy and compliance mandate. In the U.S. that is not the case as of yet. The U.S. Congress has talked about it but, as of yet, there is no consensus on what that legislation will look like. Until that occurs the various states, and California in particular, will set the rules.
The standards for user privacy and control drove the release of an update to Janco’s Security Manual Template, which identifies mandated user rights and enterprise responsibilities related to privacy protection. Janco reviewed in detail the California Consumer Privacy Act of 2018 (CaCPA) and generated a detailed list of the user rights and business responsibilities that are mandated. The CaCPA requirements are very complex, and significant resources will have to be allocated for organizations to comply with these new mandates. These mandates will impact all organizations that have an Internet presence in the U.S., and in California in particular. The compliance deadline is January 1, 2020.
How to Guide for Cloud Processing and Outsourcing 2019 Version Released
The How to Guide for Cloud Processing and Outsourcing 2019 Version has been released with new features. It is now available in ePub format, and the ePub version is provided with the basic product.
As interest in cloud computing continues to gain momentum, there is increasing confusion about what cloud computing represents. Without a common, defined vocabulary and a standardized frame of reference, organizations cannot have a cogent discussion about cloud computing. The practical guide for cloud computing outsourcing addresses this challenge by providing a context for productive discussion and a structure for planning, both short and long term, for a successful implementation.
In a recent study, Janco identified the 5 major reasons why CIOs, and enterprises in general, are moving towards Cloud and Outsourcing as processing solutions.
H-1B visa holders make up a major portion of the IT job market. The visa holders approved in 2018 alone earn total compensation of close to $15 billion. These are all high-wage jobs, with mean compensation of $91,604.
On an annual basis the mean compensation for the holders continues to rise. Since most of these are “temporary” positions, the long-term value for the enterprises is questionable.
H-1B visa applicants typically go to larger companies. In addition, most of the companies requesting visas are the same year after year. The question is whether this is a way for them to get unique skills or to hold salaries down.
CIO Infrastructure Policy Bundle Update 2019-02 now available
The CIO IT Infrastructure Policy Bundle contains 20 full policies that are easily modified to meet an enterprise’s unique operating environment.
The CIO Infrastructure Policy Bundle has just been updated. It includes both the updated Record Classification, Management, Retention and Disposition Policy and the BYOD Access and Use Policy. This is all part of the annual review process Janco is going through for its entire product line of CIO and IT Management tools, to validate that they meet all of the compliance, security and privacy mandates.
The policies are all part of the overall IT Governance Model. That model addresses the processes associated with the design, development, implementation, and ongoing operation of technology in the ever-changing Internet-based operational environment.
Currently, data classification is an area that CIOs need to address in light of GDPR and CaCPA.
Each of the policies in the CIO IT Infrastructure Policy Bundle can be acquired separately. See Policy offerings.
Blog and Personal Website Policy (revised 01/2019)
BYOD Access and Use Policy (revised 03/2019)
Mobile Device Access and Use Policy (revised 01/2019)
Physical and Virtual Server Security (revised 01/2019)
Record Classification, Management, Retention, and Disposition Policy (revised 03/2019)
Sensitive Information Policy (revised 01/2019)
Travel, Laptop, PDA and Off-Site Meeting Policy (revised 01/2019)
Updated in 2018 – Scheduled to be updated within the next three (3) months:
Backup and Backup Retention Policy
Google Glass Policy
Incident Communication Policy
Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy
Outsourcing and Cloud-Based File Sharing Policy
Patch Management Version Control
Privacy Compliance Policy
Service Level Agreement Policy including sample metrics
Social Networking Policy
Technology Acquisition Policy
Text Messaging Sensitive and Confidential Information
Record Classification, Management, Retention, and Destruction Policy Updated
Record Classification was just added to the Data Management Policy. The purpose of the addition is to reduce the sensitive data footprint in order to meet the most recent rigorous compliance standards.
Record Classification, Management, Retention, and Disposition Policy can be acquired separately or with the CIO IT Infrastructure Policy Bundle.
Most other data classification tools don’t go the extra mile. Their technology only looks for specific terms in your documents; it doesn’t provide the intelligence you need to secure the personal information of your customers or employees. Janco’s Record Classification, Management, Retention and Disposition Policy provides visibility into where sensitive files are, what content is inside, who can access the files and who actually uses them.
Included with the policy is a crisp definition of data classification.
The foundation of any good record management program is developing a consistent records classification system across the organization.
While there are many record classification systems, one recommended best practice is a three-tier classification based on business function, record class, and record type.
The first step toward developing a records classification system is taking an inventory or a comprehensive and accurate listing of locations and contents of all records within the organization.
The second step is grouping the records in the inventory according to business functions, record class, and record type:
Common business functions include operations, finance, legal, marketing, human resources, and others.
The top-level business functions are broken down into record classes. For instance, two record classes within the accounting function are accounts payable and accounts receivable.
Record types are a further subdivision of record classes. For instance, the accounts payable record class can be further broken down into accounts payable aging reports, accounts payable distribution reports, cash disbursement reports, and other categories.
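The two steps above, inventory and then grouping, can be carried out mechanically once the taxonomy is written down. The following is an added example, not code from Janco's policy. The finance branch of the taxonomy follows the accounting example on this page; the human resources branch, the sample inventory rows and the custodian names are constructed for illustration. Its main value is the second list it returns: records whose type is not in the taxonomy, which are exactly the records no retention rule can yet be applied to.

```python
"""Three-tier records classification (business function -> record class -> record type).

Added example to illustrate the two steps described above; not Janco's code.
The taxonomy entries beyond the accounting example and the sample inventory
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Tier 1 -> tier 2 -> tier 3. The finance branch follows the page's accounting
# example; the human resources branch is an invented placeholder.
TAXONOMY: Dict[str, Dict[str, Set[str]]] = {
    "finance": {
        "accounts payable": {
            "accounts payable aging report",
            "accounts payable distribution report",
            "cash disbursement report",
        },
        "accounts receivable": {
            "accounts receivable aging report",
            "customer invoice",
        },
    },
    "human resources": {
        "personnel file": {"employment application", "performance review"},
    },
}


@dataclass(frozen=True)
class InventoryItem:
    """One row of the step-1 inventory: where a record lives, what it is, who holds it."""
    location: str
    record_type: str
    custodian: str


@dataclass(frozen=True)
class ClassifiedRecord:
    function: str
    record_class: str
    record_type: str
    location: str
    custodian: str


def build_type_index(taxonomy: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Tuple[str, str]]:
    """Invert the taxonomy so a record type resolves to its (function, class).

    A record type listed under two classes would make retention rules ambiguous,
    so it is rejected when the taxonomy is loaded, not at classification time.
    """
    index: Dict[str, Tuple[str, str]] = {}
    for function, classes in taxonomy.items():
        for record_class, types in classes.items():
            for record_type in types:
                key = record_type.strip().lower()
                if key in index:
                    raise ValueError(f"record type {record_type!r} is listed under two record classes")
                index[key] = (function, record_class)
    return index


def classify(inventory: List[InventoryItem], taxonomy) -> Tuple[List[ClassifiedRecord], List[InventoryItem]]:
    """Step 2: group inventoried records by function/class/type.

    Returns (classified, unclassified). Anything in the second list is either a gap
    in the taxonomy or a mislabelled inventory row; it needs a decision before any
    retention schedule can be applied to it.
    """
    index = build_type_index(taxonomy)
    classified: List[ClassifiedRecord] = []
    unclassified: List[InventoryItem] = []
    for item in inventory:
        hit = index.get(item.record_type.strip().lower())
        if hit is None:
            unclassified.append(item)
        else:
            classified.append(ClassifiedRecord(hit[0], hit[1], item.record_type, item.location, item.custodian))
    return classified, unclassified


def coverage_summary(classified: List[ClassifiedRecord]) -> Dict[str, Dict[str, int]]:
    """Count records per function and class so the program owner can see coverage."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for rec in classified:
        counts[rec.function][rec.record_class] += 1
    return {f: dict(c) for f, c in counts.items()}


def custodians_for(classified: List[ClassifiedRecord], function: str, record_class: str) -> List[str]:
    """Who holds records of a given class: the 'who can access' view of the inventory."""
    return sorted({r.custodian for r in classified if r.function == function and r.record_class == record_class})


# Constructed step-1 inventory rows; the paths and systems are not real.
SAMPLE_INVENTORY = [
    InventoryItem(r"\\fileshare\finance\ap\aging_2019-02.xlsx", "Accounts Payable Aging Report", "ap-team"),
    InventoryItem("erp://gl/reports/disbursements", "cash disbursement report", "treasury"),
    InventoryItem(r"\\fileshare\finance\ar\invoices", "customer invoice", "billing"),
    InventoryItem(r"\\fileshare\hr\reviews\2018", "performance review", "hr-business-partners"),
    InventoryItem(r"\\fileshare\legal\contracts\vendors", "vendor contract", "legal"),  # no taxonomy entry yet
]

if __name__ == "__main__":
    done, gaps = classify(SAMPLE_INVENTORY, TAXONOMY)
    print(coverage_summary(done))
    for gap in gaps:
        print("UNCLASSIFIED:", gap.location, "->", gap.record_type)
```

Running it against the sample inventory classifies four rows and reports the vendor contract as unclassified; the taxonomy then gets a legal branch, or the inventory row is relabelled, before the retention schedule is applied.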
IoT Challenges are varied and unique to the capture of real-time data
IoT Challenges – IoT is more than Internet-enabled sensors and analytics. It is a way to get real-time information. There is a very good chance that an IoT device can be remotely controlled, monitored, updated and maintained using remote management tools, sensors and predictive analytics that continually collect device data and can identify problems before they happen.
Granted, most of these devices are not critical in life-or-death situations. However, there can be property loss when a device fails, is running outdated firmware or software, or is used in an inappropriate manner. In addition, the implications for data storage in order to meet mandated records management requirements are not yet fully understood.
Add to that the fact that IoT data is typically proprietary and enterprise confidential, and security is a major concern.
Driver Support Review is mixed. The product / service is a good offering, but there are some areas of concern that you need to be aware of if you use this product.
Functionality – the product does not work with a number of software virus / malware checkers. For example, the service will NOT run with Malwarebytes without modifications to the exclusion file, which is understandable. However, the issue is that Driver Support (DS) does not give you any help on the files that need to be put in the exclusion file. In addition, to get this to work it took several phone calls to their customer service group. It did not help that the CS staff is located in Jamaica and their English skills are poor at best.
Registration key issues – We purchased the premium version of the product which was to allow us to register up to 5 PCs. When we tried to register the 4th PC, the program told us that we had exceeded the number of machines that could be registered.
We went to the customer portal. It showed that we had 3 PCs installed and that we had one registration left to use. 3 plus 1 does not equal 5. Also, there is no way for the user to delete a machine.
Now the really interesting process follows. We tried to contact the company and got an email message that the “Office was closed”. We sent several emails over the next few days and got NO response. We finally called them when they said their office was open. The first two people we talked to had very poor English, and we were disconnected in the transfer process. Finally we got to the CS technician on our 4th call. There was an ECHO on the line on all of the phone calls.
We explained the issue to the person and were told they had to route the problem to their engineers, who were in the US, and it would take 24 hours for them to get back to us.
We cannot in good judgement recommend this product, even though the driver update service they offer is excellent.
BYOD Best Practices to ensure the security of enterprise sensitive and confidential information
BYOD Best Practices – BYOD (Bring Your Own Device) is now standard practice for most individuals working for companies. Devices include everything from laptop computers to tablets and smartphones. More employees and enterprise associates are bringing their own iPhones and tablets to the office. How sure are you that they are secure? While these personal devices are great for employee productivity, they can introduce security risks to your organization. The 10 best practices to secure BYODs are:
Implement a formal written BYOD policy that clearly states which devices and applications are supported.
Set up a locking password on each device. Combine it with an automatic wipe of the phone after x invalid attempts, and at the same time have a way to restore the phone if it is wiped.
Implement a phone locator on all smartphones. In the case of the iPhone use the “Find My iPhone” application.
Protect the access point of your network so that only devices that meet your stringent security requirements are allowed access to your network and data.
Implement anti-virus where possible. In the case of the iPhone there is no anti-virus. That means that your email service provider needs to do the scan BEFORE emails are sent to the device.
Manage authorized applications so that contacts and other sensitive data are not extracted from the device by the applications.
Utilize data encryption for e-mails and enterprise data.
Utilize the cloud as a backup source.
Be wary of applications like QR code readers. They can direct the user to sites that can take control of the device.
Monitor access and data usage by device and by user. Have processes in place that actively inform management of any potential areas where the network and data can be compromised.
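Several of the practices above (lock passcode with auto-wipe, locator, encryption, backup, gating the access point on device posture, reporting to management) come together as a single admission decision. The following is an added example, not Janco's code or policy. The posture field names, the version thresholds and the two sample devices are assumptions made for the illustration; in a real deployment the posture comes from the MDM agent and the decision is enforced at the access point (NAC/802.1X, the VPN gateway or conditional access), not in a standalone script.

```python
"""BYOD admission check: a personal device reaches enterprise data only when the
posture it reports meets the written policy.

Added example, not Janco's code. Field names, thresholds and sample devices are
assumptions; real posture data comes from an MDM and enforcement happens at the
network access point.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BYODPolicy:
    min_os: Dict[str, Tuple[int, ...]]      # minimum OS version per supported platform
    max_failed_unlocks: int = 10            # device must auto-wipe at or below this count
    require_encryption: bool = True
    require_locator: bool = True            # e.g. Find My iPhone
    require_backup: bool = True             # so a wiped device can be restored
    deny_jailbroken: bool = True


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    user: str
    platform: str                           # "ios" or "android" in this example
    os_version: Tuple[int, ...]
    passcode_set: bool
    wipe_after_failed_unlocks: Optional[int]  # None = no auto-wipe configured
    storage_encrypted: bool
    locator_enabled: bool
    backup_enabled: bool
    jailbroken: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.1.4' -> (12, 1, 4). Tuples compare element-wise, so (8, 1) < (9, 0)."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device: DevicePosture, policy: BYODPolicy) -> List[str]:
    """Return every failed control, not just the first, so the user can fix them all at once."""
    failures: List[str] = []
    if device.platform not in policy.min_os:
        failures.append(f"platform {device.platform!r} is not supported by policy")
    elif device.os_version < policy.min_os[device.platform]:
        failures.append("operating system below minimum supported version")
    if not device.passcode_set:
        failures.append("no lock passcode")
    if device.wipe_after_failed_unlocks is None or device.wipe_after_failed_unlocks > policy.max_failed_unlocks:
        failures.append(f"auto-wipe not set to {policy.max_failed_unlocks} or fewer failed unlocks")
    if policy.require_encryption and not device.storage_encrypted:
        failures.append("storage not encrypted")
    if policy.require_locator and not device.locator_enabled:
        failures.append("device locator disabled")
    if policy.require_backup and not device.backup_enabled:
        failures.append("no backup configured: a wipe would be unrecoverable")
    if policy.deny_jailbroken and device.jailbroken:
        failures.append("jailbroken/rooted device")
    return failures


def admission_decision(device: DevicePosture, policy: BYODPolicy) -> Dict:
    """Allow only when no control failed; keep the reasons for the user and for monitoring."""
    failures = evaluate(device, policy)
    return {"device_id": device.device_id, "user": device.user, "allow": not failures, "reasons": failures}


def management_report(decisions: List[Dict]) -> List[str]:
    """One line per denied device, the feed for the monitoring process in the last practice."""
    return [
        f"DENIED {d['device_id']} ({d['user']}): " + "; ".join(d["reasons"])
        for d in decisions
        if not d["allow"]
    ]


# Assumed policy thresholds for the illustration.
POLICY = BYODPolicy(min_os={"ios": parse_version("12.0"), "android": parse_version("9.0")})

# Constructed sample postures: one compliant iPhone, one non-compliant Android device.
SAMPLE_DEVICES = [
    DevicePosture("iphone-0001", "alice", "ios", parse_version("12.1.4"), True, 10, True, True, True, False),
    DevicePosture("android-0042", "bob", "android", parse_version("8.1"), True, None, True, False, True, True),
]

if __name__ == "__main__":
    for line in management_report([admission_decision(d, POLICY) for d in SAMPLE_DEVICES]):
        print(line)
```

The check deliberately reports every failed control rather than stopping at the first, and a device with no auto-wipe configured is treated the same as one whose threshold is too high; both leave the data exposed to an unlimited number of passcode guesses.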