Content Copyright © 2010 Bloor. All Rights Reserved.
Also posted on: The IM Blog
You often hear security officers, not to mention vendors, talk
about fraud detection and prevention, but you seldom (never in my
experience) hear anyone talking about bribery. However, in the
wake of BAE Systems' settlement with both the UK and US
authorities, it is worth paying a little more attention to it. In
particular, in the UK there is a bribery bill currently passing
through parliament, and it is expected to be passed before the
next general election: in other words, in the next few months.
One of the provisions of the bill is that companies can be held
accountable for the actions of their employees. In order to
defend themselves against such charges companies will need to be
able to prove that they have suitable provisions and processes in
place to prevent bribery in the first instance and, in the
second, to detect it when it does happen.
Well, that sounds a lot like fraud prevention and detection. But
it also sounds a lot like Sarbanes-Oxley or other compliance
requirements. Fraud is something you would like to prevent for
obvious business reasons; however, there are not, typically, any
regulations that require you to have anti-fraud processes in
place. You might argue that PCI-DSS falls into that category, but
that is a special case.
Of course, while bribery is a crime in terms of offering
inducements to other people, it is also a crime to accept such
inducements. In the UK we tend to think of bribery as being
something that is only done in foreign countries, but that's
certainly not the case: I did some consulting for a UK-based
public company a few years ago looking into its supply chain and
during the course of that work the manufacturing director was
suspiciously unenthusiastic about rationalising the company’s
suppliers and what it bought from whom. Indeed, so suspicious
that the CEO and CFO started to look into it and discovered that
he was taking backhanders. So there is no place for complacency.
Until the bill is passed, assuming that it is, we won't know the
full extent of the regulation and what will be required of
companies, but it seems likely that appropriate compliance
monitoring will be required, along with forensics. If this is the
case, then those forensics will need to be run on a regular basis.
However, whatever is required, this looks like another opportunity for
SIEM (security information and event management) and log