Monday, December 31, 2007

CESG Assurance Model

The new CESG Assurance Model for the control of information risk is scheduled for authoritative release in January, 2008. At present there is an excellent overview website at the following link that includes graphics and an article describing the proposed model. The model encompasses four main elements of information risk and control - intrinsic, extrinsic, operational and implementation. CESG Assurance Model

Saturday, December 29, 2007

Google Replies to Lawmaker's Questions on Privacy - CIO.com - Business Technology Leadership

Despite the considerable attention given to it over the past several years, privacy continues to be a major concern. The current issues around Google and its acquisition of DoubleClick exemplify some of these concerns, and lead to the call by Google for new and better privacy laws. They may have a point. Google Replies to Lawmaker's Questions on Privacy - CIO.com - Business Technology Leadership

Thursday, December 20, 2007

U.K. Data Woes Deepen as 3 Million More Records Lost - CIO.com - Business Technology Leadership

It just keeps happening. A new revelation in the UK of the loss of another three million data records held on CDs in transit. It points once again to the need for strong security over data in transit, particularly encryption and strong controls over the physical custody of the media on which data are stored. U.K. Data Woes Deepen as 3 Million More Records Lost - CIO.com - Business Technology Leadership

Tuesday, December 18, 2007

Security > Hacking and Viruses > Facebook watchers offer advice against data leaks

With the abundance of data included on Facebook, and the recent attempts by hackers to obtain the private information of users, the question arises of whether Facebook is the latest potentially grave threat to the IT systems of companies whose employees use Facebook. Some experts think it is. Security > Hacking and Viruses > Facebook watchers offer advice against data leaks

Friday, December 14, 2007

IBM SJ 46-4 | IBM business transformation enabled by service-oriented architecture

In the latest issue of IBM Systems Journal, there is an article by L Walker titled IBM Business Transformation Enabled by Service Oriented Architecture which provides an excellent description of SOA and how it is used to link the functionality of a business IT system. IBM SJ 46-4 IBM business transformation enabled by service-oriented architecture

Tuesday, December 11, 2007

Online holiday shopping could put corporate IT systems at risk

More people are doing their holiday shopping online and more are doing it at work. Besides the obvious loss of productivity, there are also risks to the IT Systems at this time of year as a result of the shopping. It attracts more viruses and other malicious software. Online holiday shopping could put corporate IT systems at risk

Monday, December 10, 2007

IT Control Objectives for Basel II

ISACA has released the final version of the booklet IT Control Objectives for Basel II. This publication contains a framework for managing IT risk related to Basel II and is available for download from the following URL: IT Control Objectives for Basel II

Thursday, December 6, 2007

Should your company 'crowdsource' its next project?

Don Tapscott would nod his head and say "Of course". The author of Wikinomics has stated many times that the future lies in open collaboration with large broadly defined groups. Companies are developing new systems using a new technique known as crowdsourcing, which involves essentially outsourcing the code writing to the world. Should your company 'crowdsource' its next project?

Saturday, December 1, 2007

Be gone phishing

Phishing and pharming are modern hacking techniques that pose a serious threat to information systems. IT staff need to be not only aware of them but familiar with the safeguards that can be put in place to thwart these attacks. This article provides a good summary of the major risks: Be gone phishing

Thursday, November 29, 2007

Technology News: ID Security: Data Breaches More Expensive Every Year

A recent report released by PGP Corp has found that the cost of data breaches is growing. The study also finds that the number of breaches by third-party organizations has been growing significantly. There are clear lessons here for IT control systems. Companies need to tighten up their controls over both their home systems and their outsourced systems. Technology News: ID Security: Data Breaches More Expensive Every Year

Tuesday, November 27, 2007

Insecure About Security - Security - CFO.com

While technology for security detection and prevention is improving, companies cannot rely on technology too much. They still need to have best practices in place for their system, from well designed business processes to solid security administration. The stronger technology can only augment the security provided by solid IT Systems practices. Insecure About Security - Security - CFO.com

Monday, November 26, 2007

Securing the Laptop: Mission Impossible?

Mobile devices in general and laptops in particular represent the weakest link in business systems. They are constantly in the news because of the loss of mobile units that have private or sensitive information in them. Encryption is the obvious answer, or a big part of the answer, and enterprises need to pay more attention to encryption techniques and put more resources into their implementation. Securing the Laptop: Mission Impossible?

Saturday, November 24, 2007

Is security software becoming a security risk?

Companies and their auditors rely heavily on security software of various kinds, including anti-virus software. However, it is noteworthy that anti-virus software, to be effective, must open and scan data very quickly and in all kinds of formats. This means that there is the potential for hackers to exploit this capability where there are not adequate safeguards in place within the software. Is security software becoming a security risk?

Thursday, November 22, 2007

Journal Online - Online Exclusive Articles

The Journal Online of ISACA contains a recent article of interest to both management and auditors. It is "One of Today's Most Overlooked Security Threats - Six Ways Auditors Can Fight It." The article identifies this threat as IT staff, and then goes on to identify ways to deal with this threat. This is one of the more difficult challenges auditors face, as the level of IT sophistication of IT staff is high and their methods can be arcane. (Available to ISACA members only) Journal Online - Online Exclusive Articles

Tuesday, November 20, 2007

Accenture Helped Deutsche Telekom Improve its Financial Data Management

The case referenced in this entry outlines how Accenture helped Deutsche Telekom to integrate its data within its financial system using ERP. It's an old story with a modern flavour. Accenture Helped Deutsche Telekom Improve its Financial Data Management

Monday, November 19, 2007

COBIT Mapping: Mapping of TOGAF 8.1 With COBIT 4.0

ISACA's website contains a mapping of Cobit, its IT process and control framework, with TOGAF, a methodology and tools for enterprise architecture developed by the Open Group based on the US Department of Defense Technical Architecture Framework for Information Management. The mapping is available for free download to ISACA members. COBIT Mapping: Mapping of TOGAF 8.1 With COBIT 4.0

Thursday, November 15, 2007

globeandmail.com: There's no single answer to securing online banking

The search for good security in internet applications has been a long and continuing one. Internet banking is a prime example of a high risk application needing strong security. Lately, the banks have been moving to multi-factor authentication, which involves authenticating users by using a variety of different methods, such as passwords, and questions about private matters. It's a technique likely to become more prevalent in a variety of applications. globeandmail.com: There's no single answer to securing online banking

Wednesday, November 14, 2007

E-Commerce News: SOA: Simplifying E-Commerce With SOA for Payments

Service Oriented Architecture (SOA) has been used in recent years for several purposes related to e-commerce systems, most recently with an emphasis on payment systems. This article provides a good description of SOA and how it might fit into a system. E-Commerce News: SOA: Simplifying E-Commerce With SOA for Payments

Monday, November 12, 2007

14th World Continuous Auditing

The 14th World Continuous Auditing and Reporting Symposium was held at Rutgers University on Nov 2 and 3, 2007. The presentations for that important event can be downloaded at the following site: 14th World Continuous Auditing

Saturday, November 10, 2007

IFAC - Risk Based Internal Control

IFAC has released a paper which is comprised of interviews with C-Suite Officers from several major corporations discussing the issues around risk-based internal controls. It is a part of IFAC's continuing work on this subject and is available for free download at:
http://www.ifac.org/Members/DownLoads/Internal_Control_from_a_Risk-based_Perspective_August_2007.pdf

Tuesday, November 6, 2007

E-Commerce News: Security: IBM Places $1.5B Bet on Security Push

IBM has announced plans to spend $1.5 billion during 2008 to beef up its security offerings. It is keeping pace with the competition, notably Microsoft and Cisco, who have been placing an increased emphasis on security. With a growing tendency among enterprises to integrate the internet into business systems, particularly through the use of mobile devices, security has become a very hot topic in systems development and management. E-Commerce News: Security: IBM Places $1.5B Bet on Security Push

Friday, November 2, 2007

ISO 17799 -- it's a control, not a standard

In this quite thorough commentary on ISO 17799, now ISO 27002, the author points out that it is not a standard but rather a set of recommendations. While this may be splitting hairs - 17799 was set out as a set of best practices - nevertheless, the analysis is interesting and useful as it includes suggestions as to how to implement the - uh - standard. ISO 17799 -- it's a control, not a standard

Tuesday, October 30, 2007

Privacy, Personal Information At Risk On Campuses -- Data Security -- InformationWeek

A new report suggests that little progress has been made in protecting data security and privacy at universities. CDW Government surveyed 151 university IT directors, who indicated this despite the established need for better security and privacy and the attention that has been given to this need in recent years. Shortage of funding is given as a prime reason. Privacy, Personal Information At Risk On Campuses -- Data Security -- InformationWeek

Sunday, October 28, 2007

UWCISA Symposium

The University of Waterloo Center for Information Systems Assurance (UWCISA) held its fifth symposium on Information Systems Assurance on Sept 11 - 13, 2007 in Toronto. It was attended by many of the world's foremost thought leaders in the area. The papers and presentations are available at the following link. UWCISA Symposium

Friday, October 26, 2007

The 8 most dangerous consumer technologies

The security of information systems is continually being complicated by the emergence/integration of small mobile devices like PDAs and cell phones and other PC applications, particularly the social networking variety. This article in Computerworld summarizes the eight most dangerous technologies. The 8 most dangerous consumer technologies

14th World Continuous Auditing

The 14th World Continuous Auditing and Reporting Symposium will be held on November 2 - 3 at Rutgers Business School, Newark NJ. 14th World Continuous Auditing

Wednesday, October 24, 2007

European Journal of Information Systems - Table of Contents

The European Journal of Information Systems in their August issue includes a section on Model Driven Systems Development (MDSD) with several papers listed. There is a good explanation of MDSD in the IBM Systems Journal at http://www.research.ibm.com/journal/sj/453/balmelli.html. This is an important source for those researching in this area. European Journal of Information Systems - Table of Contents

Tuesday, October 23, 2007

Data level assurance (DLA) is an important area of current research. For example, the CICA is conducting a research study on the subject. One approach to DLA is the use of continuous assurance techniques. Alles, Kogan and Vasarhelyi published a paper on this subject last fall, which is available at the following link. http://raw.rutgers.edu/MiklosVasarhelyi/079.pdf

Monday, October 22, 2007

IT Audit - The Institute of Internal Auditors

The Institute of Internal Auditors through its GTAG series issued in February a document describing continuous auditing. It provides a sound overview of continuous auditing which is a technique of growing importance in controls auditing and in all auditing generally, as the need for real time audit reports emerges. IT Audit - The Institute of Internal Auditors

Thursday, October 11, 2007

The Index of Information Systems Journals

Deakin University has an index of Information Systems Journals which can be very useful for research purposes. It is at the following link: The Index of Information Systems Journals

Wednesday, October 10, 2007

ISO - News

The ISO standards comprise an important element of strong quality systems. The standards are now available on CD through the ISO Organization. ISO - News

Tuesday, October 9, 2007

CERT: Secure Systems

CERT, located at Carnegie Mellon University, publishes periodic research reports, studies and papers dealing with systems issues that are comprehensive and useful. Several of them are available from this website: CERT: Secure Systems

Wednesday, October 3, 2007

Rutgers Accounting Web

Continuous auditing is one of the emerging and important areas involving IS assurance. A major center of research in this area is the Continuous Auditing and Reporting Lab at Rutgers University, under the leadership of Miklos Vasarhelyi. Information on the Lab, and numerous free papers, can be found at the Rutgers Accounting Web at the following link. It's definitely worth a look. Rutgers Accounting Web

IT Governance Compliance Conference - Overview

The Information Systems Audit and Control Association (ISACA) is holding its annual Governance and Compliance conference in Boston from November 14 - 16. For further details check this link. IT Governance Compliance Conference - Overview

Friday, September 28, 2007

IT Advisory Committee

During the past month, the Information Technology Advisory Committee of the CICA has released two new research studies that are relevant to IS Assurance. These include a second edition of their study "Application of Computer-assisted Audit Techniques" and a second study dealing with XBRL and its effect on information systems, titled "Interactive Data: Building XBRL into Accounting Information Systems". Further details are available on the CICA website at the following link. IT Advisory Committee

Wednesday, September 26, 2007

Welcome to the UWCISA Blog

Welcome to the blog of the University of Waterloo's Center for Information Systems Assurance. This blog will delve into the major issues related to the field of Information Systems Assurance. The coverage of issues will be broad, including not only issues confined strictly to IS assurance but also issues that are related in some way. This would include such matters as IS controls, IS security and technology changes that have implications for assurance. The interpretation of assurance will also be broad, including internal and external assurance and even occasionally IS Quality Assurance. We hope that instructors, students and researchers find the blog to be useful in their studies of the challenging field of IS Assurance.