Tuesday, December 30, 2008

Social-networking sites concern cyber-security experts

Gen Y'ers are running into resistance from their new employers about using social networking on the job; some employers have banned sites like Facebook and MySpace because of the security risks they carry. Users of these sites often disclose information about themselves or their activities that can compromise corporate security, privacy and the secrecy of business activities.

Monday, December 29, 2008

ISO - News - ISO/IEC standard provides common international framework for RFID frequencies

ISO has updated its ISO 18000 standard for air interfaces to respond to the growing use of RFID in supply chain interfaces. It's the latest acknowledgement by an important group of the increasing importance of RFID in business systems.

Monday, December 22, 2008

Small laptops pose a big security threat

As if there haven't been enough problems with conventional laptops and the loss of sensitive data, now the market is being inundated with newer, smaller ultraportables or netbooks. These little machines don't have the full functionality of the others, and therefore can't support as high a degree of security. So they are becoming a major security risk. Security officers are going to have to deal with this new challenge soon.

Thursday, December 18, 2008

BearingPoint - The Disconnect Between Security and the Business

BearingPoint - The Disconnect Between Security and the Business: "BearingPoint commissioned Forrester Consulting to conduct a study of large enterprises in the US, EMEA, and Asia Pacific. The study asked business and security and risk executives about their priorities and challenges for risk, compliance, and security initiatives within their organizations.
The major findings of the study suggest that:
- Culture, communication, and people are top challenges
- Business and IT have different perceptions on security and risk
- Internal audit is a strong influencer and regulatory compliance is still important
- Respondents unanimously agree that security and risk management is a C-level concern"

You can download the study free at the above link.

Wednesday, December 17, 2008

ISACA/ITGI Responses to Exposure Drafts from Regulators and Standards Setting Bodies

ISACA's response to OCEG's "Red Book" Exposure Draft can be found at the following link. The Red Book sets out the GRC Capability Model, which takes an integrated and holistic approach to corporate governance, risk management and compliance. ISACA generally expressed support for the document and a willingness to work with OCEG in further development of the project. Their comments do highlight some inconsistencies in the treatment of IT controls in the Red Book, and recommend a clarification of its message.

Tuesday, December 16, 2008

Sophos Security Threat Report 2009

Sophos Security Threat Report 2009: "IT security and control firm Sophos has published its Security Threat Report 2009 examining the threat landscape over the last twelve months, and predicting emerging cybercrime trends for 2009."

The report shows that the US now has the highest rate of malware and malicious websites in the world, with organized crime responsible for much of it. Strong steps need to be taken by legislators. The report can be downloaded from this link.

Monday, December 15, 2008

Special report: Celebrating 50 years of the IBM Journals | Introduction

Special report: Celebrating 50 years of the IBM Journals Introduction: "In this report celebrating 50 years of IBM Journals, the editors have examined citation rates, consulted experts in various fields, and reviewed the earlier retrospective issues in light of the present state of the information technology industry. The result is a compilation of significant papers published in the Journals across the wide span of key technical areas which characterize this industry. Each paper is accompanied by comments which indicate its significance. For simplicity, the papers have been placed in the following categories: applications of information technology, storage systems and databases, computing system architectures, computing methodologies, software, hardware design and implementation, device materials and processes, and fundamental science and mathematics."

Wednesday, December 10, 2008

Data theft and data loss prevention (DLP): Keeping sensitive data out of the wrong hands

With the continuing increase in the incidence of identity theft and data loss, companies have had to refocus on their data loss prevention (DLP) activities. PricewaterhouseCoopers discusses this issue in a document which can be downloaded at the following link.

Thursday, December 4, 2008

16 WCARS

The 16th World Continuous Auditing symposium was recently held at Rutgers University in Newark, New Jersey. The presentations for the sessions can be found at the following link: 16 WCARS

Wednesday, December 3, 2008

Application Outsourcing: Mapping the Route to Business Transformation and High Performance through IT Outsourcing

IT outsourcing presents many management control issues, but outsourcing remains a fundamentally attractive option in many cases for improving IT systems. In this article, Accenture stresses the governance, management and control issues that must accompany a good IT outsourcing program.

Monday, December 1, 2008

Most Cited EJIS Articles : European Journal of Information Systems

To promote some of the finest research and scholarship published in the European Journal of Information Systems, they have compiled a list of the 5 most cited articles that the Journal has published. These articles are now freely available to download at the following link. The papers deal with some of the classic issues in the Information Systems field, including assessing the benefits of IS, and the critical success factors in ERP implementation.

Friday, November 28, 2008

You Won't Get Fired for Outlawing IM - Business Center - PC World

The younger generation that is moving into the workplace now grew up on Instant Messaging. It's been their favourite way of communicating. Naturally, as they enter the workplace, the use of IM is growing quickly, raising the concerns of some security professionals because of the perceived lack of control around IM and the lack of a trail of communications. Some companies have even banned it, although that must be difficult to enforce. On the other hand, as this article points out, there are productivity gains to be realized from the use of IM, and a decision to ban it therefore comes at a cost. Security administrators need to think twice before banning IM. Not only are they bucking a trend that likely can't be bucked, they will lower their company's capacity for productivity.

Thursday, November 27, 2008

Opinion: Obama's BlackBerry is no security threat

In the past few weeks, there have been several articles saying that President-elect Obama may have to give up his BlackBerry for security reasons. In this article Bill Brenner argues that this is not necessary and would reduce the effectiveness of this plugged-in president. The issue is pertinent to many CEOs out there, since their security issues, while perhaps not matters of national security, are nevertheless potentially as important to their companies and their stakeholders. Should CEOs be banned from having smartphones? The short and long answer is absolutely not. There has always been a conflict between making effective use of technology and the risk-averse security wing of the technology world. This issue is more evidence of that conflict. The fact is, mobile technology is important, and security needs to keep up and deal with it. It's that simple.

Tuesday, November 25, 2008

BearingPoint - The Disconnect Between Security and the Business

A study done for BearingPoint by Forrester shows the relationship between key business drivers and good security policy. It explores, for example, the extent to which corporate culture inhibits strong security. The study provides valuable food for thought for those responsible for corporate systems security.

Thursday, November 20, 2008

Wrinkles in the IFRS Roadmap - Accounting - CFO.com

The move to IFRS in Canada and the US will pose significant systems issues. IFRS involves maintaining different values for some assets, and will require systems changes to generate and carry those values. In many cases, companies will also have to maintain their traditional GAAP records, and several companies will be keeping "two sets of books" for some time into the future. For IT auditors, this poses several issues they will need to deal with. Which set of records will they audit? Are their controls consistent and reliable? Do the IFRS systems contain the data that will be needed to support the kind of judgements that need to be made under the IFRS standards? These are just a few of the issues.

Tuesday, November 18, 2008

CA Unveils Cloud Management Strategy, SaaS Unit -- cloud-based management -- InformationWeek

CA Unveils Cloud Management Strategy, SaaS Unit -- cloud-based management -- InformationWeek: "CA unveiled Monday a cloud computing strategy that includes management as a service and management of third party cloud computing environments such as Amazon's EC2." This is significant because it extends the SaaS world into management services, particularly various monitoring activities. It could have security and control implications for better or worse, depending on which monitoring services are included and how they integrate with the activities of the people doing the managing.

Monday, November 17, 2008

Security Manager's Journal: Progress at last on the patching front, and a new priority

A solid patch management program is an important component of a vulnerability remediation program. In this article, a security manager explores his experience with this initiative, and how it ties into his overall strategy.

Thursday, November 13, 2008

Compliance - CIO Today

Business opportunity in the modern world means getting connected. But this connectivity involves risk. This article explores the relationship between business opportunity and business risk and highlights the means of addressing the risk. Stressing but going beyond the conventional approach of ERM, it points to trends in open source that can lead to better security.

Wednesday, November 12, 2008

Internal Audit and IFRS

As we move closer to IFRS adoption, all auditors need to recognize that it will be a major project, which will involve risk that needs to be controlled. Moreover, IFRS adoption will include system changes that will need to be controlled. Internal Audit will play a major role in these changes, and needs to be ready. Ernst & Young has released a guide that, while not restricted to IS implications, points to the major risks that Internal Audit needs to consider. The guide is at:
http://www.ey.com/Global/assets.nsf/Canada/IFRS_InternalAudit/$file/IFRS_InternalAudit.pdf

Tuesday, November 11, 2008

Control over Laid off employee system privileges

Economic hard times mean more layoffs and we are seeing those now in considerable volume. One of the standard controls in IS systems when employees are laid off is to immediately terminate their system privileges. This applies especially to users with particularly strong privileges, such as system administrators. Most IS auditors have recommended a company establish procedures like this when they are lacking. The times now require a renewed focus on this kind of policy. A recent case in point, involving a New York mutual fund, clearly illustrates the risk to those who do not deal with it proactively. Laid off sysadmin arrested for threatening company's servers
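The control described above, immediate removal of system privileges on termination, is something an IS auditor can test by reconciling the HR termination list against a directory export. The following is an added example, not code from the post or the article it links to; the group names, the review date and all employee and account records are constructed sample data, and in practice both inputs would come from the HR system and the directory.

```python
"""Reconcile HR terminations against active directory accounts.

Added example: finds accounts that remain enabled after the owner's
termination date, ranks them by privilege and by evidence of use after
termination, and lists privileged accounts with no employee owner
(which HR-driven offboarding will never catch). All data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Assumption: these are the groups the organisation treats as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "sysadmin", "dba"}

# Constructed review date (the "as of" date of the audit run).
AS_OF = date(2008, 11, 11)


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str          # empty string for service/shared accounts
    enabled: bool
    groups: FrozenSet[str]
    last_logon: Optional[date]


# Constructed HR feed: employee id -> termination date.
TERMINATIONS: Dict[str, date] = {
    "E1001": date(2008, 11, 3),
    "E1002": date(2008, 10, 20),
    "E1003": date(2008, 11, 7),
}

# Constructed directory export.
ACCOUNTS: List[Account] = [
    Account("jdoe", "E1001", True, frozenset({"Domain Admins"}), date(2008, 11, 6)),
    Account("asmith", "E1002", False, frozenset({"Staff"}), date(2008, 10, 19)),
    Account("bwong", "E1003", True, frozenset({"Staff"}), None),
    Account("svc_backup", "", True, frozenset({"sysadmin"}), date(2008, 11, 9)),
    Account("clee", "E2000", True, frozenset({"dba"}), date(2008, 11, 9)),
]


def find_orphaned_access(accounts, terminations, as_of):
    """Return enabled accounts whose owner has been terminated, most urgent first."""
    findings = []
    for acct in accounts:
        term_date = terminations.get(acct.employee_id)
        if term_date is None or not acct.enabled:
            continue  # still employed, unowned, or already disabled
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        used_after = acct.last_logon is not None and acct.last_logon > term_date
        if used_after:
            severity = "critical"   # the account was actually used after termination
        elif privileged:
            severity = "high"       # admin-level rights still live
        else:
            severity = "medium"
        findings.append({
            "username": acct.username,
            "employee_id": acct.employee_id,
            "days_open": (as_of - term_date).days,
            "privileged": privileged,
            "used_after_termination": used_after,
            "severity": severity,
        })
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f["severity"]], -f["days_open"]))
    return findings


def unowned_privileged_accounts(accounts):
    """Enabled privileged accounts with no employee owner; these need a separate review."""
    return [a.username for a in accounts
            if a.enabled and not a.employee_id and a.groups & PRIVILEGED_GROUPS]


if __name__ == "__main__":
    for f in find_orphaned_access(ACCOUNTS, TERMINATIONS, AS_OF):
        print(f"{f['severity']:8} {f['username']:12} open {f['days_open']} days "
              f"privileged={f['privileged']} used_after={f['used_after_termination']}")
    print("unowned privileged accounts:", unowned_privileged_accounts(ACCOUNTS))
```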

Monday, November 10, 2008

Endpoint Security

Security policy increasingly must deal with mobile units that contain sensitive data and that interact with outside systems. Many companies are using the idea of endpoint security to address this need. "Endpoints are computing devices attached to an organization’s network including PCs, notebooks, handheld computing, or electronic devices with storage, I/O, and/or wireless connectivity, and IP-networked devices with programmable logic controllers used for industrial control systems and critical infrastructure." This white paper outlines how endpoint security works.
http://akamai.infoworld.com/pdf/whitepaper/WP_CP_Endpoint_Security_25Aug08.pdf

Friday, November 7, 2008

BearingPoint - The Disconnect Between Security and the Business

"A study of enterprises conducted by Forrester Consulting. High profile security breaches and regulatory concerns have made security one of the top priorities for business executives. However, security and IT risk management groups struggle to implement effective security within their organizations. BearingPoint commissioned Forrester Consulting to conduct a study of large enterprises in the US, EMEA, and Asia Pacific. The study asked business and security and risk executives about their priorities and challenges for risk, compliance, and security initiatives within their organizations. The major findings of the study suggest that:
- Culture, communication, and people are top challenges
- Business and IT have different perceptions on security and risk
- Internal audit is a strong influencer and regulatory compliance is still important
- Respondents unanimously agree that security and risk management is a C-level concern
Download the study to see the results and attend the webinar to engage in a more in depth discussion about security and how it relates to the business."

Thursday, November 6, 2008

Data Center Controls

With growing volumes of data, greater emphasis on data management, cloud computing, movements away from client-server, and cost constraints, the traditional role of the data center is changing, leading to new challenges in IS systems management and control. The paper at the following link examines some of these challenges: http://solutions.internet.com/5131_rethinking

Tuesday, November 4, 2008

Annual Meeting Webcasts

Annual Meetings of the Information Systems Security Association were recently held in Colorado. Webcasts of the meetings are available at the following site, including the keynote address.

Monday, November 3, 2008

Public, security experts' e-voting views differ sharply

The US election tomorrow will see the use of e-voting systems across the country. But like any IS system, there is a need for strong controls to ensure data integrity. Already some of the systems have been accused of vote flipping, and a debate is raging as to whether this arises from user error or system flaws. The point is moot. A good system minimizes the chance of user error. At this point a large percentage of systems experts polled feel that the systems may not be reliable. One hopes they will work well enough to avoid questions about who won, something that has plagued recent elections in the US. We will find out on Tuesday.

Tuesday, October 28, 2008

16th WCAS

16th WCAS: "16th World Continuous Auditing & Reporting Symposium will be held November 7-8th 2008 at the Rutgers Business School, Room 123, Lecture Hall, Ackerson Hall
180 University Avenue, Newark, NJ"

Monday, October 27, 2008

Desktop Virtualization Drives Security, Not Just Dollar Savings -- Desktop Virtualization

While desktop virtualization (VDI) has been gaining in usage, it is only beginning to attract the attention of security professionals. Yet, with all the problems that have been experienced with laptops going missing, stolen or lost, that contain sensitive information, it may provide an ideal solution. VDI allows the operating system and core applications to be stored on a central server and accessed from a PC remotely. The process is hardware independent and can enable central storage of data and still allow users to load their favourite applications on the server. The best of all worlds.

Thursday, October 23, 2008

Technology Review: The Flaw at the Heart of the Internet

A DNS expert has found a vulnerability in the basic structure of the internet that will undermine a lot of the security around the system. The ability to bypass DNS lookups could be a boon to phishers. IS auditors will have to give some thought to how they will deal with this new issue in terms of testing.

Saturday, October 18, 2008

Arek: Service-Oriented Architecture

Service Oriented Architecture (SOA) is becoming widely used to restructure systems for higher performance and greater accuracy and reliability. At the following link, Accenture describes how SOA was used to develop a better pension-earnings system for Arek, which runs a centralized pension registry in Finland.

Tuesday, October 14, 2008

Tough economic climate can heighten insider threat

Some of the biggest risks to business systems come from inside the company. This is always true, because of the privileged access that insiders have. However, in tough economic times, this risk is even higher and it calls for additional vigilance by systems security personnel.

Friday, October 10, 2008

Exposure Comments

A summary of all of the comments received to date on COSO's June exposure draft on Guidance on Monitoring Internal Control Systems can be found at the following link: Exposure Comments

Thursday, October 9, 2008

E-Commerce News: Enterprise IT: IBM Enlarges Sphere of Influence in the Cloud

Social networking is working its way into IT systems in various ways. Generally, Facebook and Facebook look-alikes are not mainstream vehicles for business systems. IBM has come out with a new tool, Bluehouse, that will likely be mainstream. It is a social networking site that is used in the growing cloud computing space. There will be more tools like this in future.

Wednesday, October 8, 2008

Technology White Papers from WebBuyersGuide

Technology White Papers from WebBuyersGuide: "You need accurate, trustworthy data to meet today's GRC requirements. What will it cost your organization if your auditors receive incorrect information? What if your regulatory reports are inaccurate? Download this white paper today to explore the critical role data quality plays in GRC, and how Informatica can help ensure complete and trusted information for GRC. With advice and knowledge from real-world customer success stories, this White Paper will help you to understand how to satisfy regulatory data audit and documentation requirements, minimize IT project risk, and reduce the cost of producing timely and trusted data for GRC."

Tuesday, October 7, 2008

IBM Systems Journal | Vol. 47, No. 3, 2008 - SOA: From Modeling to Implementation

IBM Systems Journal Vol. 47, No. 3, 2008 - SOA: From Modeling to Implementation: "As many businesses, applications, and platforms make the transition to a service-oriented architecture (SOA), significant changes are required in business process design as well as in modeling and solution development. To this end, innovative techniques, tools, and methodologies from a variety of SOA deployments are being developed for use in future solutions. This issue contains eight papers which describe challenges and insights related to modeling, testing, and governance, which have emerged from SOA engagements in a variety of industries."

Monday, October 6, 2008

Vendors rush to fix bug that could crash Internet systems

A recently discovered bug in TCP/IP is causing a number of vendors to adopt remedial measures. TCP/IP, the core of Internet communications, is vulnerable to denial of service attacks because of the bug or bugs. Microsoft says it is investigating, but hasn't taken any action yet.

Monday, September 29, 2008

PCI Compliance: Does It Equal Security?

The standards of the Payment Card Industry have been driving some new spending on security, and the question has come up as to whether that actually improves security. Generally, anything that encourages attention to security is a good thing. Of that there can be little doubt.

Thursday, September 25, 2008

Apple's iPhone A Tight Fit For The Enterprise -- iPhone -- InformationWeek

With all the recent hype about the iPhone, inevitably there has been some analysis as to how it would fit into business systems. This article explains the limitations involved in making it a controlled part of the system.

Monday, September 22, 2008

CGEIT Certification

CGEIT Certification: "ISACA recognized this shift in emphasis in 1998, and formed the IT Governance Institute (ITGI) to focus on original research, publications, resources and symposia on IT governance and related topics. To support and promote this significant body of work, ISACA and the ITGI are proud to offer a certification program for professionals charged with satisfying the IT governance needs of an enterprise."

Monday, September 15, 2008

Open phones are more vulnerable, security execs say

Already seriously challenged by mobile devices, security administrators now have to cope with increased security risks from mobile phones because of a movement towards open source operating systems on the devices. Open systems raise the possibility of hacker meddling in those phones and therefore can provide a gateway into some systems.

Friday, September 12, 2008

Radical Desktops Deliver Power To The People. But What About IT? -- Tomorrow's Desktop

Cloud computing, virtualization and the like are changing the way IT departments deliver capability to the users. It'll give them more flexibility and will have major implications for systems management and security. A new challenge for systems assurance.

Thursday, September 11, 2008

The ISSA Journal

The ISSA Journal for August 08 contains a lead article that explores how established silos impede the management of security risk in contemporary systems. It's a timely message, given the expansion of modern systems through varying platforms and numerous kinds of mobile devices.

Monday, September 8, 2008

The key to data security: Separation of duties

Separation of duties has been a key aspect of good controls for many years, in finance pretty well since controls began. In the world of IT, however, it has not been so well recognized, although auditors have been pushing it for years in their recommendation letters. This article looks at this issue, and supports the use of good separation of duties for IT security.

Friday, September 5, 2008

Security ROI: Fact or fiction?

ROI is often suggested as a measure of the worth of security measures, especially by some vendors. But it's a flawed concept and could result in bad security decisions because security is not an investment and should not be treated as such. This article expands on this view.

Thursday, September 4, 2008

Aberdeen Group: The 2008 Email Security Report

A new Aberdeen Group report focuses on the risks to information security posed by email. It is well known that the risks are considerable. The report explores the issues in some depth and then applies a PACE model to addressing those risks.

Sunday, August 31, 2008

A Windows Vista FAQ | Dell - Technology Brief | Web Buyer's Guide

Windows Vista was developed primarily for enhanced security, which is one of the reasons why it can be so annoying to its users and one of the reasons why implementation has been slow. However, companies are now starting to move to Vista in greater numbers, and finding that the move presents some important issues. It's not a move that should be taken lightly. The new security measures affect applications as well as the OS itself, and so all applications need to be fully tested before going live. In this Technology Brief from Dell, the planning considerations for a Vista implementation project are discussed and some useful suggestions made to help smooth the way.

Thursday, August 28, 2008

Top Ten Critical Risks

E&Y has prepared an analysis of the impact of the critical risks expected to affect businesses in 2008, prioritized by industry sector. Download the study at the following URL:
http://www.ey.com/Global/assets.nsf/International/EY_Strategic_Business_Risk_2008/$file/EY_Strategic_Business_Risk_2008.pdf

Monday, August 25, 2008

Memory Stick With 84,000 Prisoner Records Lost In U.K. -- Storage Security -- InformationWeek

It's happened again. A loss of large amounts of personal data, this time data on 84,000 prisoners in the UK and 33,000 police records. Again, the loss stemmed from data stored on a memory stick that was in the hands of a contractor. The contract even forbade storing data on portable units like memory sticks, but it was done anyway. This is one of the chief challenges of contemporary data management: setting up security procedures that trace the movements of data and cover all the places in which it is stored or through which it moves, security procedures that follow the data.

Friday, August 22, 2008

Aberdeen Group:Do Consultants Improve Application Security?

The Aberdeen Group conducted a survey to address the question as to whether the employment of consultants for application security actually results in improvements in that security. For the report, please visit the following link. The results do identify a number of interesting correlations showing that consultants generally do have a positive impact. But it's hard to know whether that is because of the contributions of the consultants or because the employment of consultants simply reflects an enhanced effort on the part of the company to address their security concerns.

Tuesday, August 19, 2008

The Information Future of the Corporate Board

The purpose of information systems is to help sound decisions to be made. The directors are an important part of the decision-making process, yet they often don't get the best information on a timely basis. There is an information asymmetry at work. Also, IS auditors usually report to the Board in some fashion, whether directly or through general auditors, and therefore form part of the information system. This absence of direct information coming from within the formal information system to the directors places additional responsibility and liability on the auditors and is therefore a matter of concern to them. Accenture has begun a new series of "research notes" to explore the information future of the board and discuss the implications. The first note is at the following link.

Monday, August 18, 2008

IBM Systems Journal | Vol. 47, No. 2, 2008 - Real-Time and Event-Based Systems

"Due to the growing demands for responsiveness in business processes, command-and-control systems, and embedded systems, the deployment rate of responsive systems is increasing. This issue of the Journal is dedicated to responsive systems, a class of systems that includes real-time and event-based systems. An introductory paper, authored by the issue coordinators, is followed by ten papers that cover platforms, middleware, and development support for responsive systems." This trend fits well with the movement of external financial and business reporting to a real time/events based paradigm. This will continue for the next few years and have a major impact on systems development.

Friday, August 15, 2008

ITIL – Insight into Breaking Down IT Silos

The new Version 3 of ITIL is out. ITIL has been gaining ground as a vehicle for better control across an organization as well as for focusing control management in the areas where it will be most effective.

Tuesday, August 12, 2008

Aberdeen Group:Making Progress in PCI Compliance: Assessing Risk

"Aberdeen research has shown that Best-in-Class companies conduct vulnerability and risk assessments more frequently and more broadly than their Industry Average and Laggard counterparts. They also prioritize and remediate the most critical vulnerabilities found as a result of assessment scans more quickly, reducing their window of exposure for security issues by a factor of 1.7. Aberdeen's June 2008 research on PCI DSS and Protecting Cardholder Data revealed that Best-in-Class organizations are between 40% and 90% more likely than lagging companies to conduct regular vulnerability and risk assessments for all system components in their card processing environment, as part of a sustainable approach to assessment, prioritization, remediation, and management."

Monday, August 11, 2008

Technology Review: Internet Security Hole Revealed

A researcher has discovered a flaw in the domain name system that could open the way for a greater incidence of fraud, including more effective phishing attacks. It's yet another area where IS professionals need to be aware.

Saturday, August 9, 2008

globeandmail.com: Hackers mull physical attacks

The advent of powerful smart phones that can tap into wireless networks poses a security risk for companies. They can even be used as a sort of trojan horse, placed within a company secretly to check out its networks. If any of them are unsecured, look out! Once again, it points to the need to ensure that all wireless networks are encrypted.

Wednesday, August 6, 2008

Laying the Foundation for ERP Implementation Success

ERP implementation has long been a minefield for trouble, and experience has shown that good control practices can make all the difference. Internal auditors can help in this area, and this article outlines how this is so.

Thursday, July 31, 2008

BE - 2008 Survey on the IT Business Balance - Deloitte

"Today, CEOs are still insufficiently aware of the added value of strategic cooperation with the IT department in optimally gearing the IT strategy to the business strategy and managing business risks, such as safety, fraud and privacy. This is one of the remarkable findings of Deloitte’s yearly IT Business Balance Survey." The survey is available at the following site.

Tuesday, July 29, 2008

SEC: Ex-CFO Used Spreadsheets for Fraud - Accounting - CFO.com

Spreadsheets are used extensively in business - so extensively that they have become a normal part of many organizational information systems. However, control over spreadsheets is particularly problematic because they can be easily manipulated by a single user, and often there are no controls over what the user does to a spreadsheet. In a recent fraud case, the former CFO of a company used spreadsheets to hide his manipulations intended to support false balances he had created in the records. He used white fonts and hidden rows to conceal his entries. It reminds us of a need not only to tighten controls over spreadsheets, but more importantly to limit their use in an information system. If spreadsheets are being used too much, then it means there is a shortcoming in the formal IS software that needs to be addressed. SEC: Ex-CFO Used Spreadsheets for Fraud - Accounting - CFO.com
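The concealment tricks described in this case (hidden rows and white-on-white fonts) can be detected mechanically. The following is an added example, not code from the article or the SEC case: it parses the two XML parts that make up an Excel .xlsx worksheet (sheet data and styles) and reports hidden rows, hidden columns and cells whose font colour is white. The XML fragments are constructed for illustration; in a real review they would be read out of the workbook's zip container (xl/worksheets/sheet1.xml and xl/styles.xml).

```python
"""Scan an OOXML worksheet for concealment: hidden rows/columns and white-font cells.

Constructed sample XML below mimics xl/worksheets/sheet1.xml and xl/styles.xml
from an .xlsx file; it is not taken from any real workbook.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed styles part: font 0 is normal, font 1 is white (ARGB FFFFFFFF).
# Cell style index 2 (cellXfs) uses font 1, so any cell with s="2" has white text.
STYLES_XML = """<?xml version="1.0"?>
<styleSheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <fonts count="2">
    <font><sz val="11"/><color theme="1"/><name val="Calibri"/></font>
    <font><sz val="11"/><color rgb="FFFFFFFF"/><name val="Calibri"/></font>
  </fonts>
  <cellXfs count="3">
    <xf numFmtId="0" fontId="0"/>
    <xf numFmtId="4" fontId="0"/>
    <xf numFmtId="4" fontId="1"/>
  </cellXfs>
</styleSheet>"""

# Constructed sheet part: row 7 is hidden, column D is hidden, and cell B9
# carries style 2 (white font). Strings are inline, numbers are plain values.
SHEET_XML = """<?xml version="1.0"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="4" max="4" width="0" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Account</t></is></c><c r="B1"><v>1000</v></c></row>
    <row r="7" hidden="1"><c r="A7" t="inlineStr"><is><t>Adj</t></is></c><c r="B7"><v>250000</v></c></row>
    <row r="9"><c r="A9" t="inlineStr"><is><t>Reclass</t></is></c><c r="B9" s="2"><v>-250000</v></c><c r="D9"><v>99</v></c></row>
  </sheetData>
</worksheet>"""


def white_font_styles(styles_xml):
    """Return the set of cellXfs indexes whose font colour is explicit white.

    Theme-based colours are not resolved here; an explicit rgb ending in FFFFFF
    is the common way a white font is stored.
    """
    root = ET.fromstring(styles_xml)
    white_fonts = set()
    for i, font in enumerate(root.find("m:fonts", NS).findall("m:font", NS)):
        color = font.find("m:color", NS)
        if color is not None and color.get("rgb", "").upper().endswith("FFFFFF"):
            white_fonts.add(i)
    xfs = root.find("m:cellXfs", NS).findall("m:xf", NS)
    return {i for i, xf in enumerate(xfs) if int(xf.get("fontId", "0")) in white_fonts}


def col_index(letters):
    """Convert column letters (A, B, ..., AA) to a 1-based column number."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def cell_value(c):
    """Extract a cell's inline string or numeric value as text."""
    t = c.find("m:is/m:t", NS)
    if t is not None:
        return t.text
    v = c.find("m:v", NS)
    return v.text if v is not None else None


def find_concealment(sheet_xml, styles_xml):
    """Return (kind, reference, value) findings for hidden rows/columns and white-font cells."""
    findings = []
    white = white_font_styles(styles_xml)
    root = ET.fromstring(sheet_xml)

    # Columns can be hidden via hidden="1" or collapsed to zero width.
    hidden_cols = set()
    for col in root.iterfind("m:cols/m:col", NS):
        if col.get("hidden") in ("1", "true") or col.get("width") == "0":
            hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))

    for row in root.iterfind("m:sheetData/m:row", NS):
        r = row.get("r")
        if row.get("hidden") in ("1", "true"):
            findings.append(("hidden_row", r, [cell_value(c) for c in row.findall("m:c", NS)]))
        for c in row.findall("m:c", NS):
            ref = c.get("r")
            if int(c.get("s", "0")) in white:
                findings.append(("white_font", ref, cell_value(c)))
            if col_index(ref.rstrip("0123456789")) in hidden_cols:
                findings.append(("hidden_col", ref, cell_value(c)))
    return findings


if __name__ == "__main__":
    for kind, ref, value in find_concealment(SHEET_XML, STYLES_XML):
        print(f"{kind:11s} {ref:4s} {value}")
```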

Friday, July 25, 2008

AT&T : Enterprise Business : Article : Executive Summary : Quantum Cryptography

Quantum Cryptography is a new method of encryption key transmission that is beginning to be used in Virtual Private Networks (VPNs). This method is based on the concepts of Quantum Mechanics, under which keys are constructed using a protocol that allows key measurement to take place only once, making it supremely difficult to compromise the key. AT&T : Enterprise Business : Article : Executive Summary : Quantum Cryptography

Wednesday, July 23, 2008

Flunking the password test > Security Products, Practices and Infrastructure

In a recent poll, researchers found that one third of the administrators queried said they had used admin passwords to access information they otherwise wouldn't have had access to. It confirms the validity of the long-standing procedures of IS Auditors to check on who holds admin passwords, whether the holders are appropriate and how the passwords are used. This is another example of how many of the threats come from within. Flunking the password test > Security Products, Practices and Infrastructure

Tuesday, July 22, 2008

PC World - Business Center: Protect Your Network From Rogue IT Employees

IT Auditors have long known that one of the greatest threats to a system comes from within - disgruntled, careless or misled employees who find a way to gain access to critical areas of the system and do damage. Something like this happened recently at the City of San Francisco, where an employee seized control of the administrative functions of the network. It's something that needs to be a significant focus of every security plan. PC World - Business Center: Protect Your Network From Rogue IT Employees

Monday, July 21, 2008

Opinion: Phishing in the backyard

Phishing has taken a new turn in that phishing messages can come from co-workers and make requests that seem quite plausible given they seem to come from the company. It means companies need to tighten up their security procedures over email and take extra precautions against this new form of phishing. Opinion: Phishing in the backyard

Saturday, July 19, 2008

E-Commerce News: ID Security

Phishing has become a big problem, not just for individuals surfing the net but for companies trying to maintain a secure system. There is a need for companies to adopt an organized and thorough approach to dealing with it, as part of their overall security strategy. E-Commerce News: ID Security

Tuesday, July 15, 2008

IBM Research | IBM Technical Journals | IBM Systems Journal

The latest issue of the IBM Systems Journal is devoted to responsive systems, that is, those that include real-time and event-based systems. Responsive systems pose IS Audit risks because of the nature of the response triggers built into them and the type of processing those triggers initiate. IBM Research IBM Technical Journals IBM Systems Journal

Friday, July 11, 2008

BE - 2008 Survey on the IT Business Balance - Deloitte

A recent survey by Deloitte shows a remarkable lack of coordination between the CEOs and CIOs of companies when it comes to aligning IT and Corporate strategy and managing IT related risks. There's a question as to whether this reflects a lack of awareness of CEOs, which seems difficult to believe, a lack of priority, which may be more probable, or a hesitancy of IT departments to share all the risks with the CEO (quite plausible). BE - 2008 Survey on the IT Business Balance - Deloitte

Thursday, July 10, 2008

Google Employees Warned Of Data Breach At Benefits Company -- Privacy -- InformationWeek

Another potential privacy breach related to outsourced data has reared its head. Google has reported that computers were stolen from its benefits administrator, along with sensitive data pertaining to its employees prior to 2005. The nature and amount of data is sufficient to make identity theft a real threat. This and other cases of the loss of outsourced data mean that IS Auditors must focus on large outsourcing contracts and identify the risks and analyze the safeguards in place to mitigate those risks. Google Employees Warned Of Data Breach At Benefits Company -- Privacy -- InformationWeek

Wednesday, July 9, 2008

Standards Documents Under Exposure

An update of the ISACA Auditing Guideline "Business-to-Business E-Commerce Reviews" is up for exposure at the following link. The draft reflects several changes and comments are due by July 31, 2008. Standards Documents Under Exposure

Monday, July 7, 2008

The Six Best Practices of IT Security

Management of Systems Security is one of the basic and most important functions of risk mitigation. This article provides a pertinent summary of the essentials. It places an importance on Applications Security, pointing out that a number of the threats come from this source. The Six Best Practices of IT Security

Friday, July 4, 2008

Information Security Career Progression Survey Results

ISACA has released the results of a survey of the job responsibilities and career progression of those holding its Certified Information Security Manager (CISM) designation. The report provides an illuminating picture of the changing role of information security in organizations. While once viewed as an outgrowth of, and driven by, technology, the survey shows that information security is now driven by business needs, and by general business strategy. Information Security Career Progression Survey Results

Thursday, July 3, 2008

IBM Systems Journal | Vol. 47, No. 2, 2008 - Real-Time and Event-Based Systems

The latest issue of the IBM Systems Journal deals with real time and event based systems. These are more common and present some real issues from an Assurance viewpoint. For example, are programmed response systems set up to respond to the right events, and in the right way? Are they able to recognize those events and interpret them properly? These can be technical issues with very practical implications. IBM Systems Journal Vol. 47, No. 2, 2008 - Real-Time and Event-Based Systems

Wednesday, July 2, 2008

Six hours to hack the FBI (and other pen-testing adventures)

Penetration testing - or ethical hacking - is often a good way for enterprises to test their security and to find unknown threats to their system. This article recounts some experiences of an experienced "pen-tester". The CICA's Information Technology Advisory Committee released a white paper on penetration testing in 2003 which is available for free download at www.cica.ca/itac. The white paper is called Using an Ethical Hacking Technique to Assess Information Security Risk. The article is at: Six hours to hack the FBI (and other pen-testing adventures)

Wednesday, June 25, 2008

Patch Management - Network World

Patch management is always an issue in managing systems. Should new patches be installed? Will they work with specific systems? How to keep track of them - the installed and uninstalled. Besides the basic management issues, there are the control issues. Patches involve changing the system, and need to be subjected to controls that recognize this feature and maintain good control over pre and post installation systems as well as during the installation. This is something that can't be taken for granted, as exposures can arise from poorly controlled patches. Patch Management - Network World

Tuesday, June 24, 2008

UNITED STATES: Cybercrime

Cybercrime is changing fast, through the use of sophisticated techniques such as fast flux, which involves rapid changing of IP addresses for illicit websites along with the use of encryption for transmissions. Training is available in several venues for those who wish to keep up with this challenging area. One possible source is that of the Computer Crime Research Center, which runs an ongoing program of training throughout the US. A summary is at the following site. UNITED STATES: Cybercrime

Friday, June 20, 2008

ISACA e-symposia and Webcasts

ISACA runs a series of webcasts on various matters of interest to IS Assurance and audit personnel. Coming up on June 25th, for example, is one on Security, Privacy and Trust. The series also contains one on the features of online COBIT. It's a useful way to help to keep up to date and to gain CPE hours. ISACA e-symposia and Webcasts

Wednesday, June 18, 2008

Data Centric Security

Data moves throughout an organization and it is difficult to cover all the points at which it may be lost with security procedures. Research shows that the best way is to adopt an information or data centric security structure, so that the various points of leakage can be identified and considered in the overall security processes. An Aberdeen white paper on the subject can be found at the following link:
http://www.aberdeen.com/c/report/market_alert/5224-MA-websense-voltage-security.pdf

Thursday, June 12, 2008

Cyber Terrorism Threat Growing, EU Agency Says - Yahoo! News

The European Network and Information Security Agency (ENISA) recently released a report that urges European countries to make greater efforts on internet security. Among other things, the report points out that there are more people using the internet than ever before, but few of them know anything about internet security. Also, there are significant assets at risk, particularly in the event of a terrorist assault on the system. Cyber Terrorism Threat Growing, EU Agency Says - Yahoo! News

Wednesday, June 11, 2008

IBM Systems Journal | Vol. 47, No. 1, 2008 - Service Science, Management, and Engineering

IBM Systems Journal Vol. 47, No. 1, 2008 - Service Science, Management, and Engineering: "Recognizing the growing significance of service innovation in the global economy, many in academia and industry have suggested that there is a need for a new science of service systems whose chief goal is the development of efficient and scalable methods for service system analysis, design, implementation, and delivery. This issue presents 14 papers on a variety of aspects of service science, management, and engineering in an effort to help define and promote research in this emerging multidisciplinary field."

Tuesday, June 10, 2008

Technology for Small Business

Cloud computing is gaining some popularity with small business as well as large. It offers convenience for people on the road because they can access their apps and data from any computer that has access to the internet. They don't have to take their laptop with them and find a suitable connection. Also, from a security perspective, despite the concerns often expressed about having data resident on outside systems, cloud computing may be an answer to the current problems with the security of mobile units, like PCs, handhelds and smartphones. The security issues may in fact be less severe and ultimately more controllable. It's like any outsourcing activity - you need to know the service provider and to become familiar with their security procedures. Technology for Small Business

Friday, June 6, 2008

What makes a cybercriminal tick? This article is written from the perspective of a systems attacker and provides some insight into this question. Also, the article provides a good description of some of the techniques that phishers use, and why they do it.
http://www.issa.org/Downloads/Journal%20Feature.pdf

Thursday, June 5, 2008

Smart phones 'bigger security risk' than laptops

A new survey of 300 IT professionals indicates that smart phones are seen as a greater security risk than laptops. The reason - smartphone users just don't use the password features. Also, there is, of course, a greater risk of loss. Smart phones 'bigger security risk' than laptops

Wednesday, June 4, 2008

globeandmail.com: Watchdog urges firms to lock up customer digital data

Jennifer Stoddard, Privacy Commissioner of Canada, has released her annual report on PIPEDA (http://www.privcom.gc.ca/information/ar/200708/2007_pipeda_e.asp) and has urged companies to take greater care with the private information they currently hold in potentially insecure platforms such as laptops. It was also reported that work is underway to draft legislation that will require companies to report breaches of security with regard to their data. Security over data held on laptops and handhelds continues to dominate the news and points to the need for this area to remain a major element of an organization's security strategy. globeandmail.com: Watchdog urges firms to lock up customer digital data

Monday, June 2, 2008

Bank loses tapes with data on 4.5M clients

It's happened again. Backup tapes containing private data for (this time) 4.5 million customers were lost by a bank. Bank of New York Mellon - or rather its backup outsourcer, Archive America - lost the tapes while they were in transit. Once again, they were not encrypted. This time, the loss was not even reported to customers for three months. The case shows - again - that, while companies can outsource key functions, they cannot outsource the responsibility that goes with them. They need to have strong monitoring and management processes for their outsourced activities. Also, the case again demonstrates the need for data encryption for data in transit - something that should be considered for every corporate security policy. Bank loses tapes with data on 4.5M clients

Crimes in cyber space

As internet exposure has become a greater risk factor for companies in recent years, so cyber insurance has grown in its importance as a risk mitigation tool. Cyber insurance covers the exposures arising from cyber crime. From 2002 - 2006, gross premiums from cyber insurance more than tripled. Crimes in cyber space

Friday, May 30, 2008

Orphaned User Accounts Run Wild in Enterprises

For decades IT auditors have included steps in their programs to determine if their client routinely closes user accounts for departing employees. However, a recent study shows that this elementary step is often not carried out and there is an abundance of orphaned accounts in many organizations. They represent a security risk that needs to be addressed by those organizations. Maybe auditors need to tighten up their procedures on them as well. Orphaned User Accounts Run Wild in Enterprises
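The audit step described above (reconciling the account list against the HR roster) is simple enough to automate. The following is an added example, not code from the article or the study it cites: it joins a constructed directory export against a constructed HR roster and flags enabled accounts of departed employees, accounts with no identifiable owner, use after termination, and dormant accounts. The grace period and dormancy threshold are assumed values; the data is invented for illustration.

```python
"""Orphaned-account audit: reconcile a directory export with the HR roster.

All data below is constructed for the example; the field layout is an assumption
about what an HR system and a directory export would provide.
"""
from datetime import date, timedelta

# Constructed HR roster: employee_id -> (status, termination_date or None)
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2008, 2, 15)),
    "E102": ("terminated", date(2008, 5, 27)),
    "E103": ("active", None),
}

# Constructed directory export: (username, owner_employee_id, enabled, last_logon)
ACCOUNTS = [
    ("jsmith", "E100", True, date(2008, 5, 29)),     # active owner, in use
    ("rjones", "E101", True, date(2008, 4, 30)),     # owner left in Feb, account still enabled and used
    ("mlee", "E102", True, date(2008, 5, 26)),       # owner left three days ago: inside grace period
    ("svc_backup", None, True, date(2008, 1, 3)),    # service account, no HR owner, long unused
    ("tng", "E999", False, None),                    # disabled, owner id not in HR
    ("pkim", "E103", True, None),                    # active owner, never logged on
]


def audit_accounts(accounts, roster, as_of, grace_days=3, dormant_days=90):
    """Return (username, finding) pairs; one account may carry several findings.

    grace_days: days after termination within which closure is still considered timely.
    dormant_days: an enabled account unused this long (or never used) is reported as dormant.
    """
    findings = []
    for user, owner, enabled, last_logon in accounts:
        if owner is None or owner not in roster:
            # Every account should map to an accountable owner in HR.
            findings.append((user, "no_hr_owner"))
        else:
            status, term_date = roster[owner]
            if status == "terminated" and enabled:
                if term_date + timedelta(days=grace_days) < as_of:
                    findings.append((user, "orphaned_enabled"))
                if last_logon is not None and last_logon > term_date:
                    # Activity after the leaving date is the more serious signal.
                    findings.append((user, "used_after_termination"))
        if enabled and (last_logon is None or (as_of - last_logon).days > dormant_days):
            findings.append((user, "dormant"))
    return findings


def summarize(findings):
    """Count findings by type for the audit working paper."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, HR_ROSTER, as_of=date(2008, 5, 30))
    for user, kind in results:
        print(f"{user:12s} {kind}")
    print(summarize(results))
```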

Thursday, May 29, 2008

OpenSSL Vulnerability Shows Open-Source Process Weaknesses

Recent research has revealed a significant security exposure in some open source Linux systems. The problem springs from a flaw in the random number generator of OpenSSL, which enables hackers to access encrypted data within the systems. The flaw reduces the extent to which SSL can be relied upon in such systems and emphasizes the need for compensating controls. OpenSSL Vulnerability Shows Open-Source Process Weaknesses

Wednesday, May 28, 2008

COBIT Control Practices: Guidance to Achieve Control Objective for Successful IT Governance, 2nd Edition

COBIT Control Practices: Guidance to Achieve Control Objective for Successful IT Governance, 2nd Edition: "This publication provides guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective." The publication and appendices are available for free download from the ISACA site by clicking the above link.

Monday, May 26, 2008

Volume 32 Number 2

The June issue of MIS Quarterly is a special Issue devoted to research on Information Systems offshoring. Among the many useful aspects of the Issue is a ranked listing of issues related to offshoring, such as the effect of cultural differences, impact on strategy, effect of distance, etc. The Issue provides an excellent source for practitioners who are considering offshoring or their offshoring policies and for academics interested in researching this important area of interest. Volume 32 Number 2

Sunday, May 25, 2008

Group releases credit-card software standard

Plastic cards proliferate in our world and many of them have magnetic strips on them that are used to store private information. This has played a role in some of the most dramatic instances of system failure where the privacy of sensitive information has been breached, such as those at Hannaford Bros and the TJX Companies. The PCI Security Standards Council has released a new standard that will hopefully improve on that situation by limiting the type of information stored on the magnetic strips for credit cards. Of course, credit card fraud is one of the biggest menaces facing commerce - online and offline - today. The new standard can be downloaded at https://www.pcisecuritystandards.org/pdfs/04-15-08.pdf and there is a summary of it at the following link: Group releases credit-card software standard

Friday, May 23, 2008

Enterprise Risk Services - Risk Management - Focus On - Deloitte Touche Tohmatsu

Deloitte has provided a valuable source of information in its website on risk mitigation strategy. The section of their site includes a number of small books and articles on the subject, which should be helpful to many organizations interested in comprehensive risk mitigation strategies. Deloitte refers to such organizations as "risk intelligent enterprises." Enterprise Risk Services - Risk Management - Focus On - Deloitte Touche Tohmatsu

Monday, May 12, 2008

Technology Review: Archiving E-mail Effectively

Email messages created in an organization are legally recognized as documents and therefore need to be treated as such, including measures to safeguard them, preserve their integrity and archive them so they can be available if needed. This has been a problem with conventional software, but new archiving software may help to make it better. Technology Review: Archiving E-mail Effectively

Thursday, May 1, 2008

Kroll Inc. - News Room

Kroll has released a report that points to the increased level of risk of fraud and theft among companies using expanded global supply chains, which normally involve extensive outsourcing. Cargo theft has become a major issue, and the report identifies a number of red flags to help identify potential problems, many of which are not new. Overall, however, the report points to the need for tightening of the internal controls over global supply chain systems. Kroll Inc. - News Room

Wednesday, April 30, 2008

SaaS and Security: Is Your Data Safe?

Software as a Service (SaaS) applications involve using applications resident on the web and often storing our data there as well. SaaS has been big the past several months, but it raises many security and privacy issues along with loss of control over applications and service and support. This means companies using SaaS need to take precautions. This article summarizes some of them. SaaS and Security: Is Your Data Safe?

Tuesday, April 29, 2008

Information Assurance Revolution - By Peter A. Buxbaum - Military Information Technology

The US Department of Defense has launched a new approach to systems assurance. A considerable change from the previous approach, this new one, acronymed "DIACAP", decreases the documentation of system security and takes a system life cycle approach to security evaluation. It also requires annual assessments and continuous system monitoring, something that will become standard in many industries in the future. Information Assurance Revolution - By Peter A. Buxbaum - Military Information Technology

Friday, April 25, 2008

IT Security Skills Falling Short

It's well known that there is a serious shortage of IS personnel. Young people, for whatever reason, just are not going into the area in sufficient numbers. Add to this the fact that those who are working in IS security functions are extremely busy and you have a real problem. A recent study by the Computing Technology Industry Association shows that security professionals just don't have the time to keep up to date with recent trends and techniques in the area. That's not a good sign, given the importance of strong security both for systems integrity and to protect personal privacy. IT Security Skills Falling Short

Monday, April 21, 2008

Downloadable Research Reports - The Institute of Internal Auditors

The Institute of Internal Auditors (IIA) has long carried out good research. On their website at the following link is a list of downloadable research. It includes a variety of studies, including one on research opportunities in Internal Audit along with a supplement for IT systems. It's a good resource. Downloadable Research Reports - The Institute of Internal Auditors

Friday, April 18, 2008

Web 2.0 Expo Preview: Businesses Waking Up To Web-Enabled Apps -- InformationWeek

We've heard a lot about Web 2.0 and the Semantic Web. Business has not embraced its potential as yet, partly and maybe mostly because of privacy and security concerns. Business use of the Semantic Web would involve making use of web based applications, which have lots of potential both for systems scalability and for grave privacy and security problems. However, there is some thought out there that business is beginning to look more carefully at the potential for good, and how the bad side of it can be controlled. Web 2.0 Expo Preview: Businesses Waking Up To Web-Enabled Apps -- InformationWeek

Virtualization

Virtualization has been a hot topic in IT management recently. It is an extension of the old virtual memory days, where usable memory is created that is not tied to a particular platform. Apply that concept to data, servers, networks, etc and you have a powerful tool for sharing resources and optimising usage. The paper referenced below explores virtualization and its impact on systems, and makes the observation that it can be a help to security as well, because it shields specific resources from the eyes of hackers. It is hard for them to tell which resource they have compromised. Virtualization

Wednesday, April 16, 2008

Cybercrime is in a state of flux

Fast Flux is the new way for cybercriminals to cover their tracks. Somewhat illustrated in the movie "Untraceable", the technique involves fast changing of DNS records on servers and using Peer to Peer rather than command and control, along with encryption to interact with the bots planted in infected PCs. It makes it all but impossible to find and shut down the illicit sites/servers, which translates into higher rates of cybercrime in the future. Cybercrime is in a state of flux

Monday, April 14, 2008

Enterprise@Risk: 2007 Privacy & Data Protection Survey | Security & Privacy | Identity Management | PII | Identity Theft - Deloitte LLP

A few months ago, Deloitte and the Ponemon Institute released their 2007 survey on Privacy and Data Protection. The survey reveals an increasing rate of violations of data and identity theft as well as a growing sophistication in the means being used. The full report is available from this site: http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D182733%2C00.html

Saturday, April 12, 2008

Security 101: E-mail Encryption with PGP and GPG

E-mail represents a significant exposure for many systems. Not only do the messages contain information, but they often have attachments containing significant chunks of corporate data, often sensitive in nature. The answer is often to employ encryption so the messages cannot be read. PGP and GPG are the main contenders, with PGP generally costing more and GPG being open source but not running on all systems. Security 101: E-mail Encryption with PGP and GPG

Thursday, April 10, 2008

Risk Advisory Services - Ernst & Young

Ernst & Young obtained feedback from 150 risk management and IT executives at global financial institutions on Information Technology and Risk Management in the Financial Services Sector. The result was the publication "Information Technology Risk Management" (PDF, 3.4 MB), dealing with the role IT plays in an organization's overall risk management structure. The analysis focuses on four key areas: convergence, common understanding of risks and controls, IT risk management investments and risk reporting. Risk Advisory Services - Ernst & Young

Tuesday, April 8, 2008

Security Checklists

Checklists are at the heart of IS auditing. While they don't provide all the answers, a good checklist provides a guide to the audit procedures to be followed, and helps to make sure that important elements are not forgotten. Good checklists are hard to come by, unless you are part of a very large organization. However, the Information Assurance Support Environment (IASE) has a number of useful checklists at the following website, on almost every aspect of IS assurance you can think of, from wireless to RACF to end-user controls. Check it out. Security Checklists

Monday, April 7, 2008

Leading Edge Practices 3-10-08

The ISO 17799 standard, released in 2005, provides a comprehensive approach to IS Security. The IIA website at the following link has a summary of the standard, and more importantly a couple of useful links where more information can be found. Leading Edge Practices 3-10-08

Friday, April 4, 2008

IBM Research | IBM Technical Journals | IBM Systems Journal

The growth of the need for service innovation in the modern economy has led to the publication in IBM Systems Journal of a series of articles on service system analysis, design, implementation and delivery. Very timely material. IBM Research IBM Technical Journals IBM Systems Journal

Tuesday, April 1, 2008

Aberdeen Group: Trusted Computing: Tune In, Turn It On

Aberdeen Group has released a report which shows that best-of-class companies have performed better than average in matters of security. The report can be downloaded free at: Aberdeen Group: Trusted Computing: Tune In, Turn It On

Friday, March 28, 2008

Information Systems Security Home (Index) Page

IS Security publications standby, Auerbach Publications, has a website that showcases various publications in the area that are very useful for research. The site is at: Information Systems Security Home (Index) Page

Thursday, March 27, 2008

Canadian Conference on IT Audit, Governance and Security

The annual Canadian Conference on IT Audit, Governance and Security is soon to take place at the Toronto Hilton. The conference is sponsored by the CICA, ISACA and IAA. The full program is up on the conference's exclusive website. It promises to be a worthwhile event. Canadian Conference on IT Audit, Governance and Security

Wednesday, March 26, 2008

Hackers Seize on Excel Vulnerability - CIO.com - Business Technology Leadership

With the proliferation of spreadsheets in accounting information systems, it is interesting to note that hackers can exploit weaknesses in them to gain access to other elements of the system. That is happening now, with a current and likely short term flaw in Microsoft's Excel spreadsheet. Patches are available but many have not yet installed them. Spreadsheets are very convenient for accumulating and working with data, and are widely used in systems, particularly to perform end-of-cycle routines, such as preparation of financial statements. They are used so widely and make it so difficult to leave an audit trail that some have referred to the phenomenon as "spreadsheet hell". Hackers Seize on Excel Vulnerability - CIO.com - Business Technology Leadership

Monday, March 24, 2008

Vulnerability Remediation

CERT is a leader in vulnerability remediation. In its site, CERT provides an excellent summary of its approach to this important area, largely in the context of large scale development projects, but in a way that applies to all systems development. The site also provides a number of useful publications in the area. Vulnerability Remediation

Thursday, March 20, 2008

Technology Review: The Technology That Toppled Eliot Spitzer

Eliot Spitzer got caught because he was shuffling money around through wire transfers to pay for his "dates". The money laundering software of his bank picked up on the transfers and flagged them. Most of the banks are running such software, which analyzes bank transfers to look for anything out of the ordinary. The software has obvious assurance implications. Technology Review: The Technology That Toppled Eliot Spitzer

Wednesday, March 19, 2008

Cisco's Ironport has released a report on current security trends. Spam rates high as a continuing, growing and destructive phenomenon. You can download the report at http://www.computerworld.com/pdfs/ironport_security_report_wp.pdf

First you have to fill out one of those annoying forms. But the content is good.

Friday, March 14, 2008

PC World - Business Center: KPMG Expert: Wi-Fi Security Still Too Complicated

The 802.1x protocol is a security protocol that can be used to protect wireless networks by controlling access to the ports in use. It takes the security over wireless networks a step beyond WEP and therefore helps to counter the vulnerabilities of that system. However, a KPMG study shows that few companies are using it, because of the complexity of implementation and lack of awareness. PC World - Business Center: KPMG Expert: Wi-Fi Security Still Too Complicated

Wednesday, March 12, 2008

Taming the Extended Ecosystem: 10 Best Practices for Managing Mobile Devices | News | Mobile Enterprise Magazine

Mobile devices have presented a whole new set of security and control challenges that most companies are trying hard to deal with. This article sets out a number of issues that should be taken into account in developing a good control system over these devices. Taming the Extended Ecosystem: 10 Best Practices for Managing Mobile Devices News Mobile Enterprise Magazine

IBM Systems Journal | Vol. 47, No. 1, 2008 - Service Science, Management, and Engineering

Service Innovation has been an area of growing importance in the global economy and one that firms need to come to grips with in their systems design and delivery efforts. This issue of the IBM Systems Journal contains eight articles on this important new field. IBM Systems Journal Vol. 47, No. 1, 2008 - Service Science, Management, and Engineering

Thursday, March 6, 2008

SIS Taps Mobiles To Reduce Credit Fraud -- Identity Theft -- InformationWeek

In the continuing effort to find ways to counter credit card fraud and identity theft, SIS has come up with a technique that matches a person's cell phone location with the location of their card being used and denies the transaction if the two don't match. Presumably people could run into trouble if they don't take their cell phones with them. SIS Taps Mobiles To Reduce Credit Fraud -- Identity Theft -- InformationWeek

Wednesday, March 5, 2008

The top 10 risks for business in 2008 - Strategic business risk - AABS - Ernst & Young

Ernst & Young recently released their study on the top ten business risks in 2008. The top risk - regulatory and compliance risks. This reflects the pressure that business is under and a good deal of it centers around their information systems, through the emphasis by regulators on high quality internal controls. The top 10 risks for business in 2008 - Strategic business risk - AABS - Ernst & Young

Monday, March 3, 2008

Verisign compared to other services in Research Brief

In a research brief recently published by Aberdeen Group, it was found that Verisign users were better able to reduce the incidence of fraud than users of other managed security services. Verisign also rated better for protecting account holder data. See the full report at: http://www.aberdeen.com/c/report/research_briefs/4962-RB-verisign-bolstering-user-confidence.pdf

Friday, February 29, 2008

PCI Compliance Among Retailers Growing

Data show that the Payment Card Industry standards (the PCI Standards), which the page describes as established in late 2006, are increasingly being met by retailers across the country. The standards represent a move by the industry to protect the data stored in payment card systems from crackers. A summary of the standards can be found at http://www.pcicomplianceguide.org/, which contains a useful guide. PCI Compliance Among Retailers Growing

Tuesday, February 26, 2008

The Good and Bad of Tagalong Technology

Various mobile "consumer" devices, like BlackBerrys and iPhones, can connect to and sync with corporate networks, in effect creating unauthorized extensions of the network. The result can be a sharp decline in security. Some companies, however, are taking the step of limiting the devices that their personnel are allowed to connect to the network. We'll see more of this until the makers of the consumer devices incorporate appropriate security features to make them safer as corporate network extensions. The Good and Bad of Tagalong Technology

IBM SJ 46-4 | Changing the corporate IT development model: Tapping the power of grassroots computing

Auditors and controls experts have long stressed the need for users to be involved in development activities. If you take this to an extreme and have them drive the process, without the expensive traditional structure, then you have grassroots computing, a recently fashionable technique that puts the people who use the system in the driver's seat when development activities take place. It's an idea that seems to work for many. However, there does need to be some structure and control around the activity to keep it from going off the rails. It becomes a question of balance without sacrificing the essential idea. IBM SJ 46-4 | Changing the corporate IT development model: Tapping the power of grassroots computing

Tuesday, February 19, 2008

Some research has shown that as much as three quarters of a company's business-critical data can be in the form of email archives. The problem is aggravated by the ability to create PST files, which often circumvent server mailbox size limits; this encourages employees to save their data as PST files on local drives, outside the server's backup and retention controls. We know that the use of email has exploded in recent years. It has also been widely known that more and more critical and sensitive data is included in emails. So it is no surprise that research is beginning to show the extent to which data is stored in email archives. The implications for systems are clear: we need to formalize approaches to the use, maintenance and security of email systems and make sure they are subject to the same high levels of integrity as other aspects of the business systems.
http://www.computerworld.com/pdfs/messagelabs_death_to_pst_pdf.pdf

Friday, February 15, 2008

Security Training White Paper: Ten Ways Hackers Breach Security 2/6/2007

The ways in which hackers attack systems are an important element of the risks that go into controls determination. In this Global Knowledge white paper, ten of them are explored and explained clearly. Security Training White Paper: Ten Ways Hackers Breach Security 2/6/2007

Monday, February 11, 2008

How to protect yourself at wireless hot spots

Employees on the move may be tempted to log into hot spots such as internet cafes and hotels. This can create a serious risk for the company, especially if there happens to be sensitive information on the laptop, since traffic on an open hot spot can be read by anyone else on the same network. There are various precautions that the company and the employee can take, such as using encrypted email and encrypted memory sticks. Security of data in motion on laptops and other mobile media is an area of growing concern and one that needs to be addressed by most companies. How to protect yourself at wireless hot spots

Friday, February 8, 2008

Journal Article

In a recent paper in the Journal of the Association for Information Systems (JAIS) titled "A Contingency Model for Requirements Development", the authors synthesize a wide swath of literature and map out a model that links requirements development to risk profiles and risk resolution. The linkage to risk is of particular interest to IS Assurance. Journal Article

Thursday, February 7, 2008

2007 Global Information Security Survey - Risk Advisory Services - Ernst & Young

Ernst & Young has released its annual survey of information security. In this edition, it takes the approach of linking security more fully to the achievement of overall business objectives, something that is often not given due consideration. 2007 Global Information Security Survey - Risk Advisory Services - Ernst & Young

Tuesday, February 5, 2008

Opinion: Security policy in the age of compliance

Setting a security policy that is both reasonable and covers off the major risk areas is a difficult task. There is evidence that employees will ignore policy that they don't see as necessary. But the security policy is an important element of a secure system, and one that is also important to IS Auditors. This article covers these issues and is the concluding part of a series of articles centred on the "Age of Compliance". Opinion: Security policy in the age of compliance

Friday, February 1, 2008

The Institute of Corporate Directors and KPMG's Audit Committee Institute recently released their 2nd annual survey of audit committee members. The survey explored such questions as how effective is your audit committee (a majority said it is effective) and what are the major issues facing your committee. The list of major issues was topped by Risk Management and Internal Control, followed by Accounting Judgements and Issues. It appears the emphasis on internal controls over the past few years is continuing. You can download the report at:
http://www.icd.ca/Docs/AC_Survey_07_Web.pdf

Thursday, January 31, 2008

ISO - News

Discussions at the recent World Economic Forum in Davos, Switzerland focussed heavily on the need for coordinated responses to the world's major issues, such as the climate, security and nutrition. There was much discussion about the idea of collaborative innovation as a reasonable response to these issues. Indeed, collaborative innovation has been experiencing a rise in use for the past few years, through collaborative commerce, as so named by the Gartner Group, or through the Wiki-World of Don Tapscott. Companies are tapping into the potential of collaborative innovation as a means to work towards their own prosperity and survival, by involving customers, suppliers and even competitors. Collaborative innovation has major implications for systems security and for IS Assurance. In order for collaboration to work well, the collaborators must be tied together through their systems, which means each party's controls depend in part on the others'. We have been seeing this and will see much more of it in the future. The ISO has been setting some standards that are relevant. The IS Assurance world needs to be involved as well. ISO - News

Tuesday, January 29, 2008

The Top Ten Risks for Business in 2008 - Strategic Business Risk - AABS - Ernst & Young

Ernst & Young has released a report that lists the top ten risks facing business. The report, released after a massive research effort, lists regulatory and compliance risk as the greatest risk. This will be no surprise to those numerous executives who have struggled to comply with the demands of Sarbanes-Oxley and, in Canada, both SOX and the similar CSA rules. It has been a huge drain on corporate resources, which some say has been a case of overkill. It has, however, focused management on systems and led to many systems improvements, which has been a good thing. The Top Ten Risks for Business in 2008 - Strategic Business Risk - AABS - Ernst & Young

Friday, January 25, 2008

Enterprise Infrastructure > Systems Management > Don’t confuse POS with QOS

Quality of Service deals with a variety of issues, including network congestion. It is an area of increasing importance in systems management, as are all quality issues. But QOS means different things to different people. This article sets out some of the concepts in use. Enterprise Infrastructure > Systems Management > Don't confuse POS with QOS

Thursday, January 24, 2008

New Developments

Late last fall, the FTC released three new reports dealing with identity theft. With more than 8 million US residents the victims of identity theft in 2006, it is a serious and growing problem. One of the three reports identifies red flags that should be watched for in determining whether identity theft is occurring. New Developments

Monday, January 21, 2008

TMT Security Survey 2007 - Technology, Media & Telecommunications - TMT - Security - Deloitte Touche Tohmatsu

Deloitte Touche Tohmatsu recently released its 2007 comprehensive survey of security and risk elements in over 100 technology, media and telecommunications companies worldwide. The survey covers a wide array of issues, ranging from digital rights management to the role of security officers to security governance generally. The study points to several areas to which attention needs to be paid. TMT Security Survey 2007 - Technology, Media & Telecommunications - TMT - Security - Deloitte Touche Tohmatsu

Thursday, January 17, 2008

European Journal of Information Systems - Table of Contents

The European Journal of Information Systems released an issue for December 2007 in the area of Healthcare Information Systems Research. Most of the papers and articles are available for free download. They include one on RFID and several other very relevant studies. European Journal of Information Systems - Table of Contents

Monday, January 14, 2008

Enterprise Wireless LAN Security & WLAN Monitoring

In November, AirDefense conducted a survey of 3,000 retail outlets in New York City and found that 81% of the devices they encountered could be compromised through wireless networks that were not encrypted. Wireless remains a major hole in the security of systems, not through any defect in the wireless technology itself, which offers encryption, but through a defect in the thinking of the owners who leave it switched off. Enterprise Wireless LAN Security & WLAN Monitoring

Friday, January 11, 2008

E-Commerce News: BPM & BPO: Keys to BPO Success: Accountability, Monitoring

The Aberdeen Group has released a survey of 170 companies that have outsourced their business process activities to global BPO service providers and has drawn some interesting conclusions as to the reasons for their success. The reasons range from keeping costs low to better accountability. This article provides a summary, and it is interesting reading. E-Commerce News: BPM & BPO: Keys to BPO Success: Accountability, Monitoring

Wednesday, January 9, 2008

Five steps to evaluating business continuity services

Many organizations have been outsourcing their business continuity needs. This article sets out five key considerations in evaluating service providers in this area along with a host of other valid points to consider. Five steps to evaluating business continuity services

Tuesday, January 8, 2008

E-Commerce News: Enterprise IT: Mobile Devices: Sitting Ducks for Hackers

Smart phones are increasingly being used for business purposes, even those that were not intended for more than casual personal use. They often have capabilities like business-type applications and Wi-Fi connectivity, all of which makes them a security nightmare, one that promises to keep on going indefinitely. E-Commerce News: Enterprise IT: Mobile Devices: Sitting Ducks for Hackers

Friday, January 4, 2008

IBM Systems Journal | Vol. 46, No. 4, 2007 - IT-Enabled Business Transformation

The latest issue of the IBM Systems Journal sets out some innovative programs being used in IBM, including the implementation of SOA, voice recognition in applications and a collaborative innovation program, all areas that are top priority for many companies these days. IBM Systems Journal | Vol. 46, No. 4, 2007 - IT-Enabled Business Transformation

Thursday, January 3, 2008

globeandmail.com: Record data breaches in 2007, groups say

Several interest groups have reported that 2007 was a record year for breaches of private information. They say that companies are reacting to these events rather than being proactive. While security is being increased, hackers are staying ahead of the game and exploiting any new vulnerabilities in systems, such as those evident in some of the proliferating wireless systems. globeandmail.com: Record data breaches in 2007, groups say