Thursday, July 31, 2008

BE - 2008 Survey on the IT Business Balance - Deloitte

"Today, CEOs are still insufficiently aware of the added value of strategic cooperation with the IT department in optimally gearing the IT strategy to the business strategy and managing business risks, such as safety, fraud and privacy. This is one of the remarkable findings of Deloitte’s yearly IT Business Balance Survey." The survey is available at the following site. BE - 2008 Survey on the IT Business Balance - Deloitte

Tuesday, July 29, 2008

SEC: Ex-CFO Used Spreadsheets for Fraud - Accounting - CFO.com

Spreadsheets are used extensively in business - so extensively that they have become a normal part of many organizational information systems. However, control over spreadsheets is particularly problematic because they can be easily manipulated by a single user, and often there are no controls over what the user does to a spreadsheet. In a recent fraud case, the former CFO of a company used spreadsheets to hide his manipulations intended to support false balances he had created in the records. He used white fonts and hidden rows to conceal his entries. It reminds us of a need not only to tighten controls over spreadsheets, but more importantly to limit their use in an information system. If spreadsheets are being used too much, then it means there is a shortcoming in the formal IS software that needs to be addressed. SEC: Ex-CFO Used Spreadsheets for Fraud - Accounting - CFO.com

Monday, July 28, 2008

Saturday, July 26, 2008

Friday, July 25, 2008

AT&T : Enterprise Business : Article : Executive Summary : Quantum Cryptography

Quantum Cryptography is a new method of encryption key transmission that is beginning to be used in Virtual Private Networks (VPNs). This method is based on the concepts of Quantum Mechanics, under which keys are constructed using a protocol that allows key measurement to take place only once, making it supremely difficult to compromise the key. AT&T : Enterprise Business : Article : Executive Summary : Quantum Cryptography

Wednesday, July 23, 2008

Flunking the password test > Security Products, Practices and Infrastructure

In a recent poll, researchers found that one third of the administrators queried said they had used admin passwords to access information they otherwise wouldn't have had access to. It confirms the validity of the long-standing procedures of IS Auditors to check on who holds admin passwords, whether the holders are appropriate and how the passwords are used. This is another example of how many of the threats come from within. Flunking the password test > Security Products, Practices and Infrastructure

Tuesday, July 22, 2008

PC World - Business Center: Protect Your Network From Rogue IT Employees

IT Auditors have long known that one of the greatest threats to a system comes from within - disgruntled, careless or misled employees who find a way to gain access to critical areas of the system and do damage. Something like this happened recently at the City of San Francisco, where an employee seized control of the administrative functions of the network. It's something that needs to be a significant focus of every security plan. PC World - Business Center: Protect Your Network From Rogue IT Employees

Monday, July 21, 2008

Opinion: Phishing in the backyard

Phishing has taken a new turn in that phishing messages can come from co-workers and make requests that seem quite plausible given they seem to come from the company. It means companies need to tighten up their security procedures over email and take extra precautions against this new form of Phishing. Opinion: Phishing in the backyard

Saturday, July 19, 2008

E-Commerce News: ID Security

Phishing has become a big problem, not just for individuals surfing the net but for companies trying to maintain a secure system. There is a need for companies to adopt an organized and thorough approach to dealing with it, as part of their overall security strategy. E-Commerce News: ID Security

Tuesday, July 15, 2008

IBM Research | IBM Technical Journals | IBM Systems Journal

The latest issue of the IBM Systems Journal is devoted to responsive systems, those that include real-time and event-based systems. Responsive systems pose IS Audit risks because of the nature of the response triggers built into them and the type of processing those triggers initiate. IBM Research | IBM Technical Journals | IBM Systems Journal

Friday, July 11, 2008

BE - 2008 Survey on the IT Business Balance - Deloitte

A recent survey by Deloitte shows a remarkable lack of coordination between the CEOs and CIOs of companies when it comes to aligning IT and Corporate strategy and managing IT related risks. There's a question as to whether this reflects a lack of awareness of CEOs, which seems difficult to believe, a lack of priority, which may be more probable, or a hesitancy of IT departments to share all the risks with the CEO (quite plausible). BE - 2008 Survey on the IT Business Balance - Deloitte

Thursday, July 10, 2008

Google Employees Warned Of Data Breach At Benefits Company -- Privacy -- InformationWeek

Another potential privacy breach related to outsourced data has reared its head. Google has reported that computers were stolen from its benefits administrator, along with sensitive data pertaining to its employees prior to 2005. The nature and amount of data is sufficient to make identity theft a real threat. This and other cases of the loss of outsourced data mean that IS Auditors must focus on large outsourcing contracts, identify the risks and analyze the safeguards in place to mitigate those risks. Google Employees Warned Of Data Breach At Benefits Company -- Privacy -- InformationWeek

Wednesday, July 9, 2008

Standards Documents Under Exposure

An update of the ISACA Auditing Guideline "Business-to Business E-Commerce Reviews" is up for exposure at the following link. The draft reflects several changes and comments are due by July 31, 2008. Standards Documents Under Exposure

Monday, July 7, 2008

The Six Best Practices of IT Security

Management of Systems Security is one of the basic and most important functions of risk mitigation. This article provides a pertinent summary of the essentials. It places an importance on Applications Security, pointing out that a number of the threats come from this source. The Six Best Practices of IT Security

Friday, July 4, 2008

Information Security Career Progression Survey Results

ISACA has released the results of a survey of the job responsibilities and career progression of those holding its Certified Information Security Manager (CISM) designation. The report provides an illuminating picture of the changing role of information security in organizations. While once viewed as an outgrowth of, and driven by, technology, the survey shows that information security is now driven by business needs, and by general business strategy. Information Security Career Progression Survey Results

Thursday, July 3, 2008

IBM Systems Journal | Vol. 47, No. 2, 2008 - Real-Time and Event-Based Systems

The latest issue of the IBM Systems Journal deals with real-time and event-based systems. These are becoming more common and present some real issues from an Assurance viewpoint. For example, are programmed response systems set up to respond to the right events, and in the right way? Are they able to recognize those events and interpret them properly? These can be technical issues with very practical implications. IBM Systems Journal | Vol. 47, No. 2, 2008 - Real-Time and Event-Based Systems

Wednesday, July 2, 2008

Six hours to hack the FBI (and other pen-testing adventures)

Penetration testing - or ethical hacking - is often a good way for enterprises to test their security and to find unknown threats to their system. This article recounts some experiences of an experienced "pen-tester". The CICA's Information Technology Advisory Committee released a white paper on penetration testing in 2003 which is available for free download at www.cica.ca/itac. The white paper is called Using an Ethical Hacking Technique to Assess Information Security Risk. The article is at: Six hours to hack the FBI (and other pen-testing adventures)