Sunday, December 27, 2009

Moving to the Cloud

There seems little doubt that the nexus of computing is moving to the cloud. Over the past few years, this has been the most prominent trend in the world of information systems. There is absolutely no reason why this should not be a dominant trend in the next decade.

Cloud computing offers up high-end computing power with minimal investment. It takes some, perhaps a lot, of the cost of an information system off the balance sheet. It offers up computing power far in excess of what most companies can afford on their own. This will be critical in the new era of data management, when more and more data will be freely available for analysis in advanced form and using advanced tools.

In short, the economics of cloud computing will drive systems in that direction. For more on this point, please refer to this article.

Monday, December 21, 2009

The 10 Greatest Risks Facing Business

Ernst & Young released a publication earlier in the year outlining the 10 greatest risks businesses would face in 2009.

The top 10 risks identified (2008 rankings in parentheses) were:
  1. The credit crunch (2)
  2. Regulation and compliance (1)
  3. Deepening recession (New)
  4. Radical greening (9)
  5. Non-traditional entrants (16)
  6. Cost cutting (8)
  7. Managing talent (11)
  8. Executing alliance and transactions (7)
  9. Business model redundancy (New)
  10. Reputation risks (22)
Now that we are at the end of the year, it is interesting to look back and see how close they were. Was the deepening recession one of the major risks? Was the credit crunch number one? How serious is radical greening?

One thing is clear. Regardless of the specific ranking, all of the items on the list were indeed major risks during the year AND are relevant to 2010 as well, albeit not necessarily in the same order.

The actual report is a good read and is available for free download from the E&Y site.

Wednesday, December 16, 2009

The Relationship Between IT and Business

Deloitte has recently released its 2009 survey related to the balance between IT and Business. There are several findings, but one of the most interesting is the opportunity that the recession has presented for IT to make its presence felt in the boardroom. Some IT departments are taking advantage of this opportunity. See the report at this site.

Monday, December 14, 2009

Mobile Security

Mobile devices have become such an integral part of many systems that they must be taken into account in planning a security and control strategy for the company. But the security infrastructure for mobile devices is often elementary and untried, creating a serious issue for IT managers. CIO Magazine has a thorough article on this issue, worth checking out.

Friday, December 11, 2009

Ethics and Information Systems Development

Volume 10, Issue 11 of the Journal of the Association for Information Systems is a special issue on Ethics. The following article is of particular interest to the IS auditor:

Ethical Information Systems Development: A Baumanian Postmodernist Perspective
Sutirtha Chatterjee, Suprateek Sarker, and Mark Fuller

The abstract reads as follows:

"The paper offers a critique of traditional methodical approaches to Information Systems Development (ISD), arguing that a number of assumptions (for example, universality and rationality) underlying these approaches lead to incomplete ontological and epistemological considerations, and thereby contribute to IS failures in many cases. The paper proposes that ethical analysis undertaken in conjunction with traditional ISD approaches may be a way to address some of the limitations experienced during traditional ISD. Drawing upon ideas from postmodern ethics formulated by Zygmunt Bauman, the paper argues that increased focus on the moral responsibility of key ISD players (such as the team of analysts) may improve the ISD process. Finally, this paper suggests how, consistent with the postmodern stance, such moral responsibility can be implemented in the context of ISD. The paper concludes with the contributions and future implications of this research."

The paper can be downloaded here.

Wednesday, December 9, 2009

Security Can't be Discounted
Published November-17-09 by Deloitte

Deloitte has published the first in a planned series of global studies on security. This first publication came out of a study of security practices followed by Consumer business organizations around the world. The inaugural study reveals that:
  • "Information security is still considered primarily a technology infrastructure issue – 51 percent of respondents identify their top security initiative for 2009 as security infrastructure improvement.
  • Respondents acknowledge that their people (including third parties) are the weakest link yet there is little focus on security awareness or training. Managing insider threats received a low 10 percent ranking when respondents were asked about their organization’s top security initiatives for 2009.
  • Business continuity and disaster recovery, neglected in the past, are now moving to the forefront. Disaster recovery is the second most mentioned security initiative for 2009.
  • Consumer business organizations have a “last one to adopt” approach when it comes to security technology. When asked which category best describes their organization’s adoption of security technology, 52 percent of respondents state that they are “late majority”, meaning that they are content to use technology that is “proven”.
  • Security budgets took a hit. In 2009, “lack of sufficient budget” is the barrier most mentioned by 54 percent of respondents, and 26 percent of respondents had their security budgets reduced."
Not surprisingly, the study found a high degree of pressure to reduce costs in these recessionary times. A large number of security budgets have been reduced. The companies seemed to ignore the dictum that recessionary times are actually when security must be made stronger and smarter because of a higher number of disgruntled employees.

The study can be downloaded from the Deloitte site.

Thursday, December 3, 2009

Implementing and Continually Improving IT Governance

Implementing and Continually Improving IT Governance enhances, expands and improves on the content of the prior ISACA IT Governance Implementation Guide Using COBIT® and Val IT™, 2nd Edition publication. It incorporates valuable references to cutting edge research from the recent ISACA publications The Val IT™ Framework 2.0 and The Risk IT Framework, as well as from the recently issued ISO/IEC 38500 standard on IT governance.
This guide provides an approach for implementing IT governance in such a way that the implementation team can get started in an effective and efficient manner. The objective is to provide a good practice approach for implementing and maintaining effective IT governance based on a continual improvement life cycle that should be tailored to suit the enterprise’s specific needs. Subjects covered in the guide include: More at the ISACA site.

Tuesday, December 1, 2009

Social Networks and Scamming

Social networks have been cause for concern from a security and privacy viewpoint since their beginnings. Now those concerns are being reignited and heightened because of the emergence of tools that were designed for finding information on various networks, but in fact are useful to scammers for finding the users of the various sites. They can use this information to focus their phishing expeditions for the "most effective" results. It's an unintended consequence. An article in Computerworld describes this issue in more detail and also discusses some of the tools that are out there for free download.

Friday, November 27, 2009

Those Old Hard Drives

A great deal of effort has been spent by companies in recent years to stem the leakage of data from their systems, or the risk of it. Much of the risk has come from the variety of hardware now connected in one way or another to the corporate systems. This includes a plethora of laptops, and the stories of lost laptops containing sensitive data are legion. There is another aspect to laptops that does not get quite as much attention. That is the fact that they are retired from corporate use with increasing frequency, largely because of the decline in pricing and the increase in power of the newer units.

When laptops are retired, they are sometimes simply sold or given away to employees or even to outsiders. When this happens, a responsible IT department will take proper steps to make sure that sensitive data is removed before the old computer is retired. Here is where the problem can arise.

Simply erasing files will not get rid of them. Pretty well every IT person and many, if not most, non-IT people know this. Even reformatting the drives will not necessarily get rid of the data. The safest way to obliterate data is by having the drive degaussed. This is an old technique going back to mainframe days, which involves making use of a special magnet to erase the drive by changing the electronic fields that hold the data. It is time tested and the most effective way to make sure that computers do not retain any data. It is a necessary component of the process that should be followed in retiring computers from corporate service. For some more information, check out this article.
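To make the point concrete, here is an added toy model of a disk image (not from the article and not a real filesystem) showing what "delete" and "quick format" actually change on the media, and why only overwriting (the software analogue of the degaussing described above) removes the bytes. The block size, file name and account data are constructed.

```python
# Added toy model of a disk image: it is not a real filesystem, but it
# mimics what "delete" and "quick format" actually change on disk.
BLOCK_SIZE = 64        # constructed parameters for the toy image
BLOCK_COUNT = 16


class ToyDisk:
    """Block 0 stands in for the directory; blocks 1.. hold file data.
    The directory is kept as a Python dict for simplicity."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.directory = {}                       # name -> (block list, length)
        self.free_blocks = list(range(1, BLOCK_COUNT))

    def write_file(self, name, data):
        """Allocate blocks and copy the bytes into the image."""
        needed = -(-len(data) // BLOCK_SIZE)      # ceiling division
        blocks = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read_file(self, name):
        """Read a file back through the directory, the normal path."""
        blocks, length = self.directory[name]
        out = bytearray()
        for b in blocks:
            out += self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
        return bytes(out[:length])

    def delete_file(self, name):
        """What a normal delete does: drop the entry and mark the blocks
        free. The data bytes themselves are left untouched."""
        blocks, _ = self.directory.pop(name)
        self.free_blocks.extend(blocks)

    def quick_format(self):
        """What a quick reformat does: rebuild an empty directory only."""
        self.directory.clear()
        self.free_blocks = list(range(1, BLOCK_COUNT))

    def overwrite_free_space(self, fill=b"\x00"):
        """Sanitisation by overwriting: every free block is rewritten.
        Degaussing erases the media physically; this is the software analogue."""
        for b in self.free_blocks:
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = fill * BLOCK_SIZE


def carve(image, needle):
    """Raw search of the image that ignores the directory, the way a
    recovery tool finds 'deleted' content."""
    return image.find(needle) != -1


def demo():
    """Return whether the constructed secret is still recoverable after each step."""
    disk = ToyDisk()
    secret = b"ACCOUNT=1234-5678-9012;PIN=4321"   # constructed sample data
    disk.write_file("accounts.txt", secret)
    assert disk.read_file("accounts.txt") == secret
    results = {}
    disk.delete_file("accounts.txt")
    results["after_delete"] = carve(disk.image, secret)        # True
    disk.quick_format()
    results["after_quick_format"] = carve(disk.image, secret)  # True
    disk.overwrite_free_space()
    results["after_overwrite"] = carve(disk.image, secret)     # False
    return results


if __name__ == "__main__":
    print(demo())
```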

Tuesday, November 24, 2009

iPhone Security

The popularity of any technology helps to determine its susceptibility to hackers, viruses and other intrusions. A platform that is widely used simply makes it worthwhile to take the time to construct the means of intrusion. The iPhone is no exception, although in this case the story begins with illegally altering the smartphone's structure to free it from the Apple storefront.

Many cell phones and smartphones are in some ways tied into proprietary systems, and there are many users who take steps to "unlock" them or, in the case of iPhones, "jailbreak" them. These are somewhat different concepts, but nevertheless similar in their alteration of the basic configuration of the units. The problem that the procedures open up for the users is that the units are then exposed to risks that they were never designed for. In the case of the iPhone, this risk has shown itself in the spread of a new worm, called "Duh", that focuses on stealing online banking data. The cost could be tremendous, both for the immediate user and for other systems that the particular smartphone might be tied into. Read more in this article.

Wednesday, November 18, 2009

Using ERM to Manage Emerging Risks

PricewaterhouseCoopers released, earlier in the year, an interesting booklet on emerging risks for enterprises and how traditional Enterprise Risk Management (ERM) techniques can be used to manage them. This differs considerably from the management of traditional risks. For example, a particularly difficult but important element of dealing with emerging risks is identifying the risks. For this, the study looks first to the global risks developed by the World Economic Forum. Enterprises need to consider how these megatrends might present risks for their enterprise. For example, one of the risks of the WEF is coastal flooding brought about by climate change. If an enterprise owns coastal properties, ERM techniques would suggest that the risk of their being flooded be monitored and measured such that if the risk begins to exceed enterprise risk tolerances, then action needs to be taken. In this way ERM techniques bring a measure of discipline and rigor to the process. The PWC study is worthwhile reading for any ERM practitioners. It is downloadable free from the PWC website.

Monday, November 16, 2009

DNS Security

Since the world wide web began to be used, the issue of domain name fraud has been a concern. This type of fraud lures users into sites that steal their information by emulating a site that they would normally use and that they trust. For example, they might go to a site thinking they are at their bank site, but in reality are at a site that is stealing their password and bank access numbers.

Implementation of a security system that addresses this type of activity has been feasible for some time. However, it requires changes in the server systems, and therefore has met with some resistance. Now, however, Verisign is coming out with a system, based on adding encrypted data to a site that validates it as a real site. It's about time, some would say. Read more in this article.

Wednesday, November 11, 2009

SOA Security Using VPNs

Service Oriented Architecture (SOA) has been around for a few years now and has presented security challenges to users. Usually based on Web Services, SOA comes in a variety of configurations and platforms. And yet, critical applications are sometimes run using SOA.

One useful approach to securing SOA is to make use of simple VPNs. VPNs can be used to route service requests and thereby provide authentication and encryption techniques to protect the transmissions. They can be an important element of SOA security. For more on this approach, see this article on the CIO site.

Monday, November 9, 2009

Computer and Communications Security Conference

The 16th annual conference on Computer and Communications Security is being held this week (Nov 9 - 13) in Chicago. The conference program features sessions and workshops on most of the current major issues in computer security. They include Cloud Security, RFID, Digital Rights Management, Privacy, mobile devices, and many other topics.

On the first day, Microsoft announced a new security tool, called Ripley, which is designed to enhance control over development projects by cloning the application to enable monitoring of activity on servers during the development process. This approach seeks to address the issues around possible poor controls at the server level, which is becoming more common with collaborative and cloud projects.

Friday, November 6, 2009

eMail Security

Control over eMail is a huge and growing concern that many organizations need to deal with. Training, acceptable use policies, strategies for record keeping and retention, and security are just some of the thorny problems that need to be faced down. Computerworld has released a white paper that addresses these concerns and is worth a read. The paper can be downloaded free from this page (after completing a short form).

Tuesday, November 3, 2009

Cloud Computing & Security

ISACA has released a new white paper on cloud computing with a security perspective. There has been a great deal of material written on cloud computing, but a publication by ISACA is noteworthy because of its knowledge base and its expertise in the security and controls area. The paper sets out concisely and clearly the characteristics of cloud computing and the related security concerns, pointing out that these concerns are neither new nor peculiar to the cloud. To download the paper, go to this link.

Sunday, November 1, 2009

A New Honeypot Project for Better Internet Security

Honeypots have been used for a long time to help to deter hacker attacks. They are designed to attract hackers or divert them from their real objective and document their characteristics and actions.

A student named Rist built the honeypot, called Glastopf through the Google Summer of Code (Gsoc) 2009 program, where student developers write code for open-source projects.

"Unlike other Web honeypots that use templates posing as real Web apps, Glastopf basically adapts to the attack and can automatically detect and allow an unknown attack. Glastopf uses a combination of known signatures of vulnerabilities and also records the keywords an attacker uses when visiting the honeypot to ensure it gets indexed in search engines, which attackers often use to find new targets. The project uses a central database to gather the Web attack data from the Glastopf honeypot sensors installed by participants who want to share their data with the database."

For more on this interesting project, see this writeup.

Wednesday, October 28, 2009

Wireless Security

Security over wireless networks continues to be an issue and yet is an increasingly important part of overall network security. Over the past few years, wireless security has made some great strides, and companies need to be aware of the best techniques for securing their wireless networks. Generally that boils down to using WPA2, rather than its forebears - WEP and WPA. For some reason a lot of people are not aware of the significant improvements brought about by WPA2. Here's a great overview of the issue.

Monday, October 26, 2009

Hardware Authentication

There has been some interest lately in the idea of hardware authentication. This involves the use of software that identifies a particular computer by such means as the serial number of its hard drive or other components, the bad sectors on the drive and even the major applications installed. The idea is to reduce the need for passwords for authentication.

The fundamental problem with hardware based authentication is that it is based on identification of a particular computer and not a particular user. There are situations when users are separated from the computers they normally use, and this would mean that someone else who has access to their computer could log into their services. It would also mean if they are on another computer, they could not log into their own services. This would apply whether or not the computer has been stolen.

The idea is fundamentally flawed; however, it might have some usefulness as a supplement to passwords, particularly where extra tight security is warranted. The banks use some of this now, thus the occasional question when logging into online banking asking whether this is the computer you normally use. There are situations where hardware authentication could actually strengthen security, but not where it substitutes for passwords. Technology Review has a write-up on this issue.
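The "supplement, not substitute" point can be shown in code. The following is an added example, not from Technology Review or any bank's system; the hardware attributes, user name and password are constructed, and the fingerprint is simply a hash over the kinds of attributes the post mentions.

```python
import hashlib
import hmac
import secrets

# Constructed sample attributes of the kind the post mentions (drive serial,
# component identifier, installed applications). Hypothetical values only.
HOME_PC = {
    "drive_serial": "WD-WCC4E1234567",
    "board_id": "MB-ACME-Z370-00042",
    "apps": ["browser", "office", "pdfreader"],
}
HOTEL_PC = {
    "drive_serial": "ST-Z9K0000001",
    "board_id": "MB-OTHER-B450-00017",
    "apps": ["browser"],
}


def device_fingerprint(attrs):
    """Hash the hardware attributes into one stable identifier.
    Keys and list values are sorted so ordering does not change the hash."""
    parts = []
    for key in sorted(attrs):
        value = attrs[key]
        if isinstance(value, list):
            value = ";".join(sorted(value))
        parts.append(f"{key}={value}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class UserRecord:
    """Salted PBKDF2 password hash plus the set of device fingerprints
    the user has previously confirmed as theirs."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._derive(password, self.salt)
        self.known_devices = set()

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._derive(password, self.salt), self.pw_hash)


def login_device_only(user, attrs):
    """The flawed scheme from the post: the machine, not the person,
    is what gets authenticated."""
    return "granted" if device_fingerprint(attrs) in user.known_devices else "denied"


def login_device_as_supplement(user, password, attrs):
    """Device identity as a second signal: the password still gates access,
    and an unrecognised machine triggers an extra challenge (the bank's
    'is this the computer you normally use?' step)."""
    if not user.check_password(password):
        return "denied"
    if device_fingerprint(attrs) in user.known_devices:
        return "granted"
    return "challenge"


def demo():
    """Run both schemes for a constructed user whose home PC is enrolled."""
    pw = "correct horse battery staple"      # constructed password
    alice = UserRecord(pw)
    alice.known_devices.add(device_fingerprint(HOME_PC))
    return {
        # device only: whoever sits at the home PC gets in; Alice elsewhere is locked out
        "stranger_at_home_pc": login_device_only(alice, HOME_PC),                 # granted
        "alice_at_hotel_pc": login_device_only(alice, HOTEL_PC),                  # denied
        # as a supplement: the password decides, the device adds a step-up
        "alice_home": login_device_as_supplement(alice, pw, HOME_PC),             # granted
        "alice_hotel": login_device_as_supplement(alice, pw, HOTEL_PC),           # challenge
        "stranger_home": login_device_as_supplement(alice, "wrong guess", HOME_PC),  # denied
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```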

Thursday, October 22, 2009

Keeping up in a Wireless World
by Gerald Trites

The number of wireless devices continues to grow almost daily, the latest being a plethora of e-readers, like the Kindle, which can connect to WiFi or 3G networks. Of course smart phones continue to grow smarter and more complex, with concomitant growth in functionality. Maintaining security and control in this environment is challenging.

Richard Schaeffer, Director, Information Assurance Directorate (IAD), National Security Agency (NSA), recently gave an interview in which he acknowledged this complexity and difficulty. He points out that the challenge is multifaceted. One important point he makes is that there is a pressing need to keep up with new technologies and quickly develop policies to deal with them. This requires vigilance and a fluid organization that can quickly move with the times. It's not so much understanding the technologies that is the issue, although this is important, but understanding the vulnerabilities they carry with them, and learning how to address these vulnerabilities.

Also, the new technologies work across a variety of platforms, so there is an unprecedented need for policies that reach across these platforms as well.

The interview presents an intriguing look at high end security policy and how it is being shaped by modern technology. There is a write-up on it here.

Thursday, October 15, 2009

More Secure Cloud Computing

Amazon is releasing a beta version of its cloud computing system that addresses a long-standing issue with the cloud - security. The new system enables the integration of virtual servers in the cloud with real servers within an organization's own premises. This makes it possible to decide where particular information is going to be stored and therefore enables the organization to store its sensitive information within its more secure real servers, rather than in the cloud. This could have been done in previous systems, but was much more awkward to achieve, and therefore not a practical solution. The new system is a useful advance in the security of cloud computing. For more, see this article.

Thursday, October 8, 2009

Largest Phishing Case Ever

The FBI has announced that 52 people have been charged in a major phishing case that spanned several continents and took over two years to complete. Investigators say that "Operation Phish Phry" demonstrates the growing complexity and sophistication of international crime rings in planning and executing cyberfraud.

Phishing has been a major means of defrauding innocent people for several years now. It causes major difficulties for system administrators, who have some responsibility to try to protect their users from falling victim to phishing scams. However, there is only so much they can do, not only because the volume of phishing messages is large and the sophistication is growing but also because in the end the success of a phishing expedition depends to some extent on the gullibility of the phishing message recipients. More on Operation Phish Phry at this site.

Thursday, October 1, 2009

Symposium on Information Integrity & Information Systems Assurance

The tremendously successful UWCISA Bi-Annual Symposium is under way from October 1 - 3 in Toronto. For information on the program, the papers to be presented and the presenters, see the UWCISA website. This year is better than ever, with a wide range of topics being covered by top international scholars.

Tuesday, September 29, 2009

The Telus-Rotman IT Security Study
by Gerald Trites

Telus and the Rotman School of Management have released a major survey of the state of IT Security in Canada. Based on interviews of more than 300 Canadian IT specialists, the survey led to the conclusion that overall, Canadian IT Security compares well with that of the US and other parts of the world. The reason for this is that Canadian firms and organizations have invested heavily in security over recent years because of PCI and PIPEDA concerns. Nevertheless, the survey indicates that Canadian organizations may not have achieved as great satisfaction from their investments as yet. The survey showed that the level of maturity of security implementation in Canada lags behind all of the US, Europe and Asia.

The survey concluded that there should be more attention to such matters as performance metrics, utilization of such metrics in performance evaluation, and encryption techniques at the database and other levels of storage.

The study is downloadable from the Telus website. The survey is the first in a series anticipated to number four more.

Enterprise Risk Management - A Balance

"Enterprise risk management and enterprise performance management are really two sides of the same coin. To achieve balance between the two, companies must fully integrate risk management with their operating model, performance goals and decision-making frameworks—the layers of day-to-day accountability within the organization as well as the bigger rules and governance structures by which it operates."

The economic downturn has revealed weaknesses in the traditional ERM controls approach, and this article on the Accenture site explores some alternatives.

Friday, September 25, 2009

Extending Enterprise Risk Management (ERM)

Earlier in the year, PricewaterhouseCoopers released a white paper detailing an extended approach to enterprise risk management.

"Extending Enterprise Risk Management (ERM) to address emerging risks looks at how organisations identify, assess, and manage risks; what techniques they are using as the basis for determining response strategies that align with their strategy; and risk appetite and tolerance.
The paper proposes a 4-step framework organisations can use to better protect themselves and even further their strategies and objectives by embedding this discipline into their risk management culture:
  • Identify emerging risks relevant to the organisation
  • Assess the risk’s significance, interconnectedness with other risks, and implications to the business
  • Determine risk response strategies, considering collaboration with external parties
  • Routinely monitor emerging risks through effective use of indicators"
The paper can be downloaded from the PWC site.

Tuesday, September 22, 2009

Patch Management

A recent report released by the SANS Institute finds that unpatched client-side applications are a major security risk. It came in at number one.

The main issue with unpatched applications is that hackers devote special attention to known security flaws in widely used applications, like Microsoft Office and QuickTime. The manufacturers know this and continually issue updates to deal with the identified risks. But if the users don't install those updates, their systems remain at risk.

Maintaining regular and up to date applications patches is a crucial aspect of good control and security. Most administrators realize this, but not everyone has an effective program for patch management. See this article in CIO.com.

Wednesday, September 16, 2009

Cloud Security

More companies and organizations have been moving into cloud computing for budgetary reasons, hoping to save costs. But one major concern is holding many of them back from a greater commitment - security. However, although there is concern out there, there also is a lack of action. Not much is being done about it. While it's true that a Cloud Security Alliance (CSA) was formed last year, consisting of numerous major companies, progress by that group has been slow. They have conducted a survey of security concerns and potential solutions, and have issued some preliminary guidance, but that guidance has never been finalized or updated. Companies themselves have been withholding support of the cloud rather than addressing the issues.

Cloud computing is likely a permanent feature of the information systems landscape and there is a real need for systems security oriented organizations to get in there and provide some guidance. Also, there is a real need for companies who are moving into the cloud to help the industry to find and adopt the solutions that are necessary to stop security issues from being a barrier to adoption. More on this at InformationWeek.

Sunday, September 13, 2009

Cyber Insurance - A Valuable Risk Management Tool

There are those who say that the traditional means of obtaining assurance on financial information and systems no longer works well and that the best approach is to buy insurance. Others say that such insurance would be prohibitively costly.

The provision of cyber insurance has nevertheless been growing in recent years. Cyber insurance is insurance against loss from cyber crime, such as network breaches, hacking, malicious viruses, etc.

It does not relieve the buyer company of all responsibility to maintain a secure system, but does offer up some mitigation for losses arising from cyber crime activities. Volume has more than tripled from 2002 to 2006 (latest figures available), which indicates a strong interest out there and a growing recognition of the need for this insurance.

Wednesday, September 9, 2009

The Dangers of the Cloud

New research supports what everyone has feared - there are dangers to data in using cloud computing. Specifically, the research, carried out by a team from the University of California and MIT, has uncovered methods by which servers being shared in the cloud could be targeted by using techniques referred to as cross-VM hacking. The perps would set up a VM in proximity to the target server and then launch their attacks from there.

The research, thankfully, also identifies some approaches to mitigation, including setting up VMs such that they can only be populated by trusted sources. Elementary, perhaps, but something that needs to be addressed in cloud computing.

The paper is available online and is definitely worth some study time.

Monday, September 7, 2009

Controls Monitoring Guidance - COSO

COSO has released new Guidance on Monitoring Controls. "The COSO board recognizes that management's assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing. Effective monitoring can help streamline the assessment process, but many organizations do not fully understand how to take full advantage of this important component of internal control. COSO’s Monitoring Guidance is designed to improve the use of monitoring. . ." The Guidance book is available at this site.

Thursday, August 27, 2009

Moveable Data and Encryption
by Gerald Trites, FCA

There has been a great deal of emphasis in recent years on the idea that data moves around systems. At one time, many years ago, data was fixed in one place, usually on disks in a glass house, but since the advent of networks in the 1980s, this has changed substantially. More recently, change has taken place again, with the growth of portable handheld units, like the Blackberry and smart phones. These new portable devices are extremely powerful and can handle a lot of data. Also, there has been a trend to wireless networks, so data is literally flying through the air.

When data is on the move, the security issues become much more difficult to manage. In other words, it becomes much more difficult to prevent hackers from grabbing the data, literally from out of the air. Also, even common laptops have presented a risk of data loss, since they are so portable and can easily be forgotten or stolen. Stories abound in the press of these kinds of data loss events.

All this means that encryption has become a central method of protecting data. Companies that do not have an encryption policy that focuses on moving data are putting themselves at risk. Not only is the risk one of losing sensitive information to competitors, but there is a risk of losing information about their customers or employees that is private and puts the company at risk of legal action.

So encryption is a necessity. But simple encryption is not enough. Much research goes into finding methods to break encryption codes. People have always been challenged by the activity of breaking codes, since the earliest times in history. Many argue that the code breakers at Bletchley Park during the second world war essentially made victory possible because of their success in breaking German codes. By inference, it then follows that the Germans lost the war because of inadequate data security. Much is at stake with good data security.

The wireless data encryption (WPA) that is used for wireless networks is a good example of encryption that does not do the job. It has been broken several times, most recently by a group of Japanese academics. That means that the WPA system is not adequate for high security. Companies need to use at least WPA2 in order to be secure.

Encryption policy is a must in a modern company. The policy must not only cover the data on the move, it must deal with the question of the adequacy of the encryption methods available and what level of security is needed in the company.

Monday, August 24, 2009

Securing Embedded Computing Devices

In a video, Kevin Fu, a software engineer and assistant professor of computer science at the University of Massachusetts, Amherst, explains some issues around securing embedded systems, such as RFID tags from would-be hackers. The video is on the Technology Review site.

Friday, August 21, 2009

Free Gartner Research

Gartner research is generally expensive, but they do publish some free research on their website. Research under various categories is there, and the one most relevant to this blog is probably Security and Risk Management. The webpage on this topic contains papers dealing with "Key Issues for Risk and Security Roles, 2009", which covers the role of the CISO and other related roles. "In 2009, program creation, maturity and maintenance will be critical concerns for stakeholders".

There is also a paper, "Security in 2013 and Beyond", in which future security is characterized as a "Perpetual Arms Race" between the enterprise and attackers: "Enterprise security planners should expect attackers to continue to undermine their defenses for the foreseeable future, forcing them to continually change their responses."

The page also includes a paper on "Critical Capabilities for Security Information and Event Management Technology". Finally, there is a podcast on "Security Information & Event Management Use Cases".

Gartner Research is good stuff, and the website is well worth monitoring.

Wednesday, August 19, 2009

World's Largest Identity Theft Case

US prosecutors have charged three men with perpetrating the largest identity theft case in history, one that potentially affected some 130 million card holders. The men broke into the systems of Heartland Payment Systems and planted programs that captured customers' credit card data as it passed through the systems, so the stolen information related to active accounts. The details of the intrusion have not yet been made public, but in broad terms the approach, gaining a foothold and installing software that quietly copies data, is one of the oldest favoured by hackers and has been used in numerous variations. It points to the need for strong safeguards against unauthorized intrusion, and for monitoring that detects unauthorized programs and program changes on systems that handle sensitive data. A summary of the case as it stands is in this Globe and Mail article.

Monday, August 17, 2009

E-Mail and Social Media
Security Concerns


A recent survey carried out by Proofpoint, which gathered responses from more than 220 e-mail decision makers at companies with 1,000 or more employees, shows that e-mail security is a top concern. One of the major reasons is the cost of e-discovery, which is happening with increasing frequency. Social media raise similar concerns, and the survey reports several kinds of misuse of social media such as Facebook and YouTube.

Companies are addressing these concerns in part by issuing new corporate policies on employee use of e-mail and social media. There are also reports that they are enforcing compliance by firing those who violate the policies.

An article discussing these findings can be found on this site, which also points to a study on e-discovery.

Friday, August 14, 2009

The Business Case for Security

The recession has sparked a reduction in IT spending, as everyone knows. Spending reductions have a tendency to hit security and control first, which is a mistake but, strangely, one that often happens. As a result, CIOs are often faced with the need to build a business case for their security programs and particularly for new initiatives. This is not always an easy task.

The operative word is "business". If the other C-suite executives are going to be persuaded to commit scarce resources to a security plan, they need to hear a business case: how the plan will help them achieve the company's goals. So aspects of security such as minimizing service outages, which can cost big money in lost revenue and lost customers, need to be highlighted. Security also protects valuable property, particularly intellectual property, which can be critical to an organization. That is another useful and valid argument.

An article in Computerworld this month sets out five categories of arguments along these lines. It could be helpful to any number of CISOs these days.

Monday, August 10, 2009

Modern web attacks

Sophos publishes a number of papers of interest to the IS professional and researcher. Of one of them, Sophos writes: "This paper provides an overview of modern malware that uses the web to attack victims. Example attacks are used to illustrate some of the tricks and techniques used by hackers. The roles of "attack sites" and compromised sites are discussed together with some of the technologies that can be used to provide protection."

This paper is very relevant to any IS professional who needs to put safeguards in place against malicious web attacks. Such attacks are becoming more frequent and more serious. To download the paper, go to the Sophos website.

Friday, August 7, 2009

Twitter's Denial of Service Attack

There has been much analysis of the recent denial-of-service (DoS) attack on Twitter that brought down its service for a few hours. DoS attacks are one of the most common types of attack and have been for years, so most high-profile sites have installed software or otherwise engaged protection against them. There are lessons to be learned from the Twitter attack. For some businesses, an outage of several hours can be disastrous, costing them customers and a great deal of business and money. Prevention is paramount, and strong preventive measures need to be in place, together with monitoring that notices a flood while it is building rather than after the service is down. For a quick analysis of the Twitter attack, see this article in CIO Magazine. For a more detailed view of DoS attacks, the Wikipedia article is worth a look. Finally, CERT has an archived document that is quite informative.
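The simplest flood indicator is a request rate that no human browser produces. The following is an added example, not code from the original post nor from the CIO, Wikipedia or CERT material it cites: it reads web-server access-log lines in the common log format, keeps a sliding window of request times per source address, and reports any source that exceeds a limit within the window. The log lines are constructed (documentation addresses, invented timestamps), and the five-second window and ten-request limit are assumed thresholds; a real deployment tunes them per site and, for a distributed attack, aggregates by network or by request signature rather than by single address.

```python
"""Flag source addresses whose request rate exceeds a threshold.

Added example, not code from the original post. It parses access-log
lines in the common log format and keeps a sliding window of request
times per source address; a source that exceeds the limit inside the
window is reported once, with the count at the moment it crossed the
line. The sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, when, path):
    """Build one common-log-format line for the constructed sample."""
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512' % (ip, when, path)


# Constructed sample: one address fires twelve requests in three seconds,
# another browses normally, and one line is garbage the parser must survive.
SAMPLE_LOG = (
    [_line("203.0.113.7", "07/Aug/2009:09:00:%02d +0000" % s, "/")
     for s in (0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2)]
    + [_line("198.51.100.4", "07/Aug/2009:09:00:03 +0000", "/home"),
       _line("198.51.100.4", "07/Aug/2009:09:00:30 +0000", "/timeline"),
       "not a log line at all",
       _line("198.51.100.4", "07/Aug/2009:09:00:55 +0000", "/logout")]
)


def flood_sources(lines, window=timedelta(seconds=5), limit=10):
    """Return {ip: (time_flagged, requests_in_window)} for sources over the limit.

    Lines are assumed to arrive in time order, as they do when tailing a log.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed input is skipped, not fatal
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:     # drop requests that aged out of the window
            times.popleft()
        if len(times) > limit and ip not in flagged:
            flagged[ip] = (ts, len(times))
    return flagged


if __name__ == "__main__":
    for ip, (when, count) in flood_sources(SAMPLE_LOG).items():
        print("%s: %d requests in the window ending %s" % (ip, count, when.isoformat()))
```

With the sample data only 203.0.113.7 is reported, at its eleventh request; the normal browser never accumulates more than one request in any five-second window. The output of a detector like this is what a rate limiter or an upstream filter acts on.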

Tuesday, July 28, 2009

The Largest Data Pilferage in History

In January, 2009, Heartland Payment Systems, one of the biggest payments processors in the US, suffered an intrusion into their systems. It was estimated that 100 million credit and debit cards from more than 650 financial services companies may have been compromised.

Such an intrusion would be a nightmare for most companies, but for a payment services company it is catastrophic. People rely on payment processors to keep their information secure, and breaches like this can cost the confidence of customers and the public, leading to a potentially massive loss of business. Normally companies try to keep such incidents quiet, apart from the mandatory reporting to law enforcement agencies and regulators.

Heartland handled it differently. It went public and sought to organize its industry to combat the crime groups that perpetrate such frauds and ultimately cost the end customers, the public, a lot of money.

It still has lawsuits to handle, and has implemented tighter encryption standards, but it did something that will benefit people down the road: it launched a strong countervailing force against cybercrime. A report on the story is on BusinessWeek.

Saturday, July 25, 2009

E&Y Top 10 Business Risks

Ernst & Young has released its 2009 Business Risk Report, which sets out and discusses the top ten global business risks.

The top 10 risks identified (2008 rankings in parentheses) are:

1. The credit crunch (2)
2. Regulation and compliance (1)
3. Deepening recession (New)
4. Radical greening (9)
5. Non-traditional entrants (16)
6. Cost cutting (8)
7. Managing talent (11)
8. Executing alliances and transactions (7)
9. Business model redundancy (New)
10. Reputation risks (22)

Sums it up nicely. The report is downloadable from their site.

Monday, July 20, 2009

Security in the Cloud

Some security companies, such as McAfee, which traditionally have sold security software, are now offering security as a service, delivered over the web to their client companies. In other words, the companies are outsourcing their security.

Intuitively, outsourcing security to be managed by others over the web carries risks. But controls have improved over the years, and what once would have been unthinkable is now viable.

That is not to say that all security should be outsourced. Companies are finding that some security services are better placed in the cloud than others. For example, many companies have a history of successfully outsourcing their e-mail filtering. Monitoring can be quite successful in the cloud as well, as can threat assessment, vulnerability identification and traffic monitoring. Other, more personal activities, such as password management, are less viable. Some managers argue that complete outsourcing of security is simply not viable. Nevertheless, there is a trend here, and one that we can expect to continue.

There is a good article on the subject at Technology Review.

Friday, July 17, 2009

Facebook Fails to Meet Canada's Privacy Legislation

This ruling was issued by Canada's Privacy Commissioner following an investigation. The Commissioner recommended that Facebook bolster its privacy settings and simplify its controls so that users can know what happens to their information once it is posted and make informed decisions about how much information they wish to share.

Canada's privacy laws are based on the principle of consent, and it is therefore important for any vehicle like Facebook to be transparent about what information it is gathering and what it is going to do with it. See a press report on PCWorld.

Wednesday, July 15, 2009

Security Professionals Need New Skills
by Gerald Trites, FCA

At a recent Gartner Industry Summit the point was made that security is increasingly being built into IS architecture, and that in future there will be less need for human intervention in the security process. It was also pointed out that the role of auditors will change, with more of their procedures automated. This will mean that routine audit procedures will be done more often by people with lower skills than previously. It also means there will be a demand for more IS auditors with the analytical and communications skills to make sense of the results and communicate them to management and executives in the company. This will be a challenging role to play.

The trend towards automation of the audit function has been clear for some time. What Gartner is forecasting is a major acceleration of this process and a significant shift in the way it is delivered, through mainstream architecture rather than through add-ons and special audit software as in the past. No doubt, however, there will still be some demand for analytical software.

IS auditors will be an important part of the management team in future, and the increased automation will mean greater involvement in system design and selection as the importance of security continues to permeate the C-suite.

A summary of the Gartner Event is found in this linked article.

Monday, July 13, 2009

Software as a Service Underwhelming

A new Gartner survey in Britain has found users of software as a service (SaaS) to be less than impressed. Although SaaS has become a common strategic tool, the concerns expressed by those surveyed need to be addressed. A major concern involved service: respondents said that the service needs to be available 24/7 and readily accessible. This seems pretty basic.

Another concern related to costs, which is more complex. Any move to SaaS by a company, especially one involving critical functions, is bound to be difficult and potentially expensive. It is often a major system change, and this involves process changes, which change how people do their jobs, which is always a difficult area in which to achieve change.

Some of the executives said that the transition took longer than they thought it would. However, this is a common complaint of executives when technology changes are made; we heard it for years with ERP implementations. Many SaaS implementations are no less significant.

SaaS in some form, along with cloud-based systems, will remain a permanent part of the typical architecture, and users and vendors need to work together to make it better.

An article on the Gartner survey is on the CIO site.

Friday, July 10, 2009

Guidance on Monitoring Internal Control Systems (2009)

COSO has released a new version of its Monitoring Guidance, "which is designed to improve the use of monitoring by helping organizations:

1. Identify and maximize effective monitoring, and

2. Identify and improve ineffective or inefficient monitoring

In both instances, the internal control system may be improved, increasing the likelihood that organizational objectives will be achieved.

The culmination of two years of expert critical debate, the guidance brings together leading practices at large and small organizations and provides in-depth guidance for implementing the monitoring component of COSO's Internal Control—Integrated Framework

COSO's Monitoring Guidance suggests that effective and efficient monitoring is best achieved by:

1. Establishing a foundation for monitoring, including a proper tone at the top, organizational structure and a baseline understanding of internal control effectiveness

2. Designing and executing monitoring procedures that seek to evaluate "persuasive" information about "key controls" addressing "meaningful risks" to organizational objectives

3. Assessing results and reporting them to appropriate parties
The guidance covers these and other topics in an easy-to-read, three-volume set.

The three-volume set includes:

• Volume I: Presents the fundamental principles of effective monitoring and develops the linkage to the COSO Framework

• Volume II: Presents in greater detail the principles outlined in Volume I and provides guidance to those responsible for implementing effective monitoring

• Volume III: Contains examples of effective monitoring

A free summary of the guidance and its intended purpose is posted on the "Excerpts" tab above."

It can be purchased from this site.

Monday, July 6, 2009

New ISACA Guide - An Introduction to the Business Model for Information Security

ISACA, in conjunction with the USC Marshall School of Business Institute for Critical Information Infrastructure Protection, has released an introductory guide as the first document in a series planned around the Business Model for Information Security. The guide provides a starting point for discussion and future development by defining the core concepts that will help information security and business unit managers to "align security program activities with organizational goals and priorities, effectively manage risk, and increase the value of information security program activities to the enterprise." The project is the first major output of the alliance between ISACA and the Marshall School.

The Guide can be downloaded from the ISACA site.

Thursday, July 2, 2009

The Complexity of Security

In this podcast — the first in a series from Accenture about the challenges facing companies trying to secure their systems — Mac Willson and InformationWeek Editor-at-Large Larry Greenemeier discuss ways in which organizations can improve their information security by implementing properly integrated solutions. By reducing the complexity of their security strategies, companies can achieve better performance. The podcast can be downloaded from the Accenture site.

Sunday, June 28, 2009

IFRS Conversion - IT Aspects

It is well known that the conversion to International Financial Reporting Standards (IFRS), due by 2011, is a significant undertaking for public companies. The first part of the conversion must be completed by this winter, so the time is approaching. An important part of the IFRS conversion process is dealing with the IT implications: IFRS require maintaining records of items, and of asset and liability values, that most companies have not kept before. This is not easy, especially in large companies with multiple sets of records and diverse circumstances.

Some guidance is available on this issue. For example, KPMG has released two booklets - The impact of IFRS on technology: A practical introduction and The IT aspects of IFRS conversion.

The Information Technology Advisory Committee (ITAC) of the CICA has released a series of podcasts on the subject, available for download from the ITAC website. This presentation draws on the experience of IFRS conversion in Europe.

Thursday, June 18, 2009

More on eDiscovery

Yesterday's post discussed eDiscovery and suggested that appropriate policies need to be established to deal with it. The Institute of Internal Auditors has, in its publication IT Audit, an excellent article on the steps auditors can take to assist with eDiscovery policy formulation. The article includes a detailed list of the activities companies should undertake and the steps auditors should perform. Highly recommended.

Tuesday, June 16, 2009

eDiscovery
by Gerald Trites,FCA

The discovery process has long been an essential element of civil proceedings. It involves each side to an action disclosing, before the trial begins, the evidence it plans to introduce. Generally, evidence that has not been disclosed in discovery cannot be presented in court.

Recent years have seen a huge increase in the volume of evidence coming out of information systems in electronic form. This raises issues that IS professionals need to consider in designing and managing their systems. While eDiscovery is essentially a legal matter, IS professionals can get caught in the middle when asked to find and produce the information the lawyers want. It is wise to give it some forethought before legal action occurs, consult with the lawyers, and develop a strategy for information that could become the subject of eDiscovery.

eDiscovery proceedings need to distinguish between information that is prepared manually and input, and information that is produced by computer processes. Original evidence is generally required. In addition, the quality of the information needs to be considered, including the existence of controls to ensure that it has not been altered in an unauthorized manner, so security and control become a very important part of the eDiscovery process. IS professionals could be called into court to testify to the adequacy of the controls that preserve the integrity of the evidence, so the controls need to be documented and their records (who accessed what, when) retained. Clearly, this is a matter to be thought out in advance, with the advice of legal counsel.

The operation of systems can also be a factor in eDiscovery. For example, what data is going to be kept, in what form, and if it is slated to be destroyed or overwritten, what timing is appropriate? Data retention policies become very important, as does backup.

eDiscovery is a permanent aspect of information systems management, and appropriate policies need to be developed and incorporated in the corporate IS strategies. The June 09 issue of the ISSA Journal has a good article on the subject, which although based on US law, is helpful in understanding the issues in Canada.

Saturday, June 13, 2009

Risk Intelligence

Deloitte has produced a series of white papers on the subject of risk intelligence, a valuable guide to risk management in this period of economic uncertainty. Risk intelligence moves beyond the idea of risk management as a process to the concept that the best way to manage risk is to integrate all risk mitigation activities into the organization, from the board of directors through the C-suite to the operational and support functions. This is a comprehensive approach that obviously takes considerable planning and careful execution, but one that should pay back strong returns over the longer term.

The series of white papers can be downloaded from the Deloitte site.

Tuesday, June 9, 2009

Security in the Cloud
by Gerald Trites

Many companies have gone into cloud computing, and the recession appears to be prompting more to do so. Cloud computing, if you have been on a desert island, means putting applications and data on an internet service and having the administration done by the service provider. It is outsourcing using the internet. Google, Amazon and others provide the service.

Of course, everyone knows that putting things like applications and data on the internet is a risky business. True, major advances have been made in recent years in internet security, but there are still risks that need to be addressed.

In the case of cloud computing, people sometimes make the wrong assumptions, and make some of the same mistakes people have made with outsourcing in general. This includes relying too much on the service provider, assuming they are stable and safe to deal with, assuming they will look after security and we don't have to worry about it.

Wrong!

In any outsourcing activity, the company can pass along the work, the administration and the details, but it cannot pass along the responsibility. In the end, when things go wrong, it is the company that will pay the price, not necessarily the service provider.

That means when planning security in the cloud, it needs to be approached by the company in full knowledge that it is its responsibility, almost as though the company were implementing all the security itself. That means reviewing security plans and structure, ensuring that the security provided meets the company's objectives, and generally assuming full responsibility for it.

Many companies have not approached it this way, thinking the service provider will look after it. Well, they will, but maybe not to the extent the company needs it. For an interesting summary of the top six mistakes companies make in implementing cloud security, see this article in InformationWeek.

Wednesday, June 3, 2009

Data Loss

There have been numerous incidents of data loss over recent years, many from lost hard drives, PCs, smart phones and other mobile or moveable devices. Last month (May), a particularly notable one took place in Britain, where a hard drive went missing that contained personal information on 500 RAF officers. Indications were that the information was sensitive and could open the officers up to blackmail.

Few precautions appear to have been taken by the RAF to safeguard the data. The incident therefore laid bare some of the lessons that can and should be learned from these incidents. Moveable data is a phenomenon that is common, here to stay and that needs to be addressed by most organizations and companies. Virtually every organization and company handles sensitive and/or personal data of some kind.

The issue needs to be addressed by first classifying data according to its importance and sensitivity. Then the more sensitive data needs to be encrypted. Finally, data loss prevention (DLP) techniques need to be considered for adoption. In order to devise them, the company needs to follow the data: determine where it is and where it is most at risk, which means being able to recognize sensitive content wherever it turns up, not just in the systems where it is supposed to live. The CICA Information Technology Advisory Committee is soon to release a white paper on this topic called Data Centric Security. Watch for it. A summary of the RAF incident is now on the Security Planet site.
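Classifying data by sensitivity only works if the classification can be checked against the content itself, since sensitive records end up in spreadsheets, exports and e-mail attachments that carry no label. The following is an added example, not code from the original post or from the CICA paper it mentions: a small DLP content check that finds payment card numbers in text, confirms each candidate with the Luhn check digit so that order numbers and other long digit strings are not mistaken for cards, classifies the document, and masks what it found so the report itself does not leak the numbers. The sample documents are constructed; 4111 1111 1111 1111 is a widely used test number, not a real account, and the two-level classification scheme is an assumption for the example.

```python
"""Classify text by whether it contains live payment card numbers.

Added example, not code from the original post. Candidates matched by
the pattern are confirmed with the Luhn check digit before a document is
classified as restricted. The sample documents are constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the card numbers (digits only) found in text, in order."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits, which PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(text):
    """Return ('restricted', masked numbers) or ('internal', []) for a document."""
    pans = find_pans(text)
    if pans:
        return "restricted", [mask(p) for p in pans]
    return "internal", []


# Constructed sample documents (test card number, an order reference that
# fails Luhn, and a memo with no numbers of interest).
SAMPLES = {
    "export.csv": "id,name,card\n17,J. Doe,4111 1111 1111 1111\n18,K. Roe,4111-1111-1111-1111\n",
    "order.txt": "Order 1234567890123456 shipped; reference 5555 0100.",
    "memo.txt": "Quarterly figures attached; no customer data included.",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

A scanner like this runs at the points where data moves (mail gateways, file copies to removable media, uploads), which is where the policy above wants it; it is a detection control, so the encrypt-or-block decision still has to be made by whatever calls it.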

Sunday, May 31, 2009

Ethical Hacking

A practitioner of ethical hacking has written a good overview of the ethical hacking process and how companies can get the most out of it. The article appears in the May issue of the Information Systems Security Association Journal.

Monday, May 25, 2009

White House Disk Lost

A portable hard drive containing private information of members of the Clinton White House has been reported lost. Ironically, the drive was being used to re-copy the information to safeguard it against loss.

It is yet another example of removable media being used to store sensitive data, and it would appear that the data was not encrypted.

The case illustrates once again the risks associated with using portable media to store data. Where such use is necessary, appropriate precautions should be taken, principally encryption of the media, with the key kept separate from the drive so that losing the drive does not mean losing the data.

There is an article on the data loss at eSecurity Planet and a Q&A at the National Archives site.

Saturday, May 23, 2009

Web 2.0 - The Security Challenges
by Gerald Trites

Web 2.0 applications, such as Facebook, Twitter, blogs, wikis and the like, have been infiltrating corporate systems, much to the dismay of security administrators. Conflict between content availability and security is an old issue, but Web 2.0 has brought a whole new meaning to the difficulties the administrators face.

One of the issues is that Facebook originated as a medium of personal interaction. It was never intended for, nor initially used as, a means of business interaction. So one of the trends is a growing mixture of personal and business life in the use of social media at work. This of course also concerns employers.

But it's a trend that one can find in many areas of modern life and points to a deeper issue. The lines between personal and business life are becoming increasingly blurred. People work at home and at the office. They text personal messages during the day and it doesn't matter whether they are supposed to be working or not. There are new management issues here for employers, and new management techniques are required.

From a security point of view, administrators are facing a losing battle in many respects. They cannot stop the incursion of social media into the office. Nor can they really control the content. They could, perhaps, but the cost would be very high, both financially and in terms of employee morale and pushback. The development of specific business oriented applications could help, but would not necessarily gain acceptance. It's a scenario that is yet to play out to a conclusion.

Thursday, May 21, 2009

Browser Insecurity

Common sense tells most of us not to do things like online banking over a wireless network while travelling. A research team at Microsoft has uncovered a set of unexpected reasons to support this caution. They determined that most browsers have flaws in the way they handle HTTPS sessions made through a proxy, which is what happens when a wireless network is used, and their conclusion is that significant improvements are needed in how browsers handle these connections. The practical caveat for the road warrior is that the padlock in the browser cannot be taken at face value on a network where someone else controls the proxy. This finding has serious implications for system security and for corporate security policy, especially for travelling staff. The research is reported at this website.

Thursday, May 7, 2009

Cloud Computing and Moving Data
by Gerald Trites

There continues to be progress in the cloud computing arena, with a new application recently out, called Cloudkick, which enables the movement of data between cloud services run by different vendors, such as Amazon and Google. This will address one of the big concerns many companies have, that of having their data tied up with one vendor. It means there can be a stronger element of competition in the cloud, which is presently dominated by Amazon, Google and Microsoft.

The other side of the coin, however, is that the easy movement of data may complicate the control issues that have dominated IT management with regard to the movement of data across organizations, between applications and between companies. Data has also moved onto different platforms, notably small mobile devices, making it very difficult to avoid occasional data loss and the resultant privacy concerns. This movement of data has also given rise to the issues of data-level security and data-level assurance.

It is nice to be able to move data around, for sure, but IT security administrators have to be cognizant of the risks involved and address them appropriately.

Friday, May 1, 2009

Accenture has published a white paper outlining how the financial industry should respond to the financial crisis, based on possible outcomes of the London G20 Summit held in April, 2009. Among its suggestions, and a theme that runs through the report, is an emphasis on risk management designed to protect revenues. This in itself is not remarkable, but the paper goes further and emphasizes that risk management must be treated as an integral part of organizational management, and not as just a compliance function. This would entail organizational and cultural changes in the banks, changes that would give risk management a greater role in ongoing strategic and managerial decisions. It is a sound paper that also provides a number of examples of good risk management by banks in other (non-US) countries, including Canada, whose financial system has weathered the crisis more successfully. The white paper is downloadable from the Accenture site.

Tuesday, April 28, 2009

The Disconnect Between Security and Business
by Gerald Trites

In September, 2008, Bearing Point released a study done on its behalf by Forrester Consulting which is posted on Bearing Point's website.

The study was based on a survey of 175 respondents from business and IT during the summer of 2008. The results are useful and sadly predictable. The point of the study was to show the extent to which security and business personnel differ in their views of, and roles in, security. Of course, one would expect differences, but since security is generally recognized as such a critical area from a business point of view, one should also expect some congruence of views.

The study indeed found a high degree of agreement on the governance aspects of security, with over 90% believing that security is a C-Level concern and both groups agreeing that security is important from a business viewpoint.

The study also found, however, that there is a communications gap between the two groups, one that is exacerbated by the culture within the business.

The study has real strategic value for companies trying to establish a more effective organizational approach to security and finding an appropriate balance between security needs and business constraints.

Sunday, April 26, 2009

Phishing and Smishing
by Gerald Trites, FCA

Phishing is old hat, having been around for a long time and having become transparent and easy to avoid. Or has it? New techniques are starting to have an impact. Phishers are becoming more sophisticated, and they are starting to use SMS, which gives rise to "smishing".

It would be nice if we could find an easy way to get away from the criminals who perpetuate the phishing plague. But they have plenty of resources and considerable skill in developing new techniques to keep ahead of the opposition. The latest techniques are covered in this recent article.

The new techniques have moved on from the old ploy of strangers in Nigeria and elsewhere needing to transfer their money to your account. Anyone who gets caught by that one any more almost deserves it. Almost.

The phishing plague is something that needs to be controlled, so security professionals need to keep on top of it and develop the new techniques that will protect users. It is not an easy job.
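Whatever the lure, a phishing or smishing message still has to send the victim to an address the attacker controls, and that address usually carries tell-tales: a brand name placed in a subdomain of some other domain, a raw IP address, a user@ prefix that hides the real host, or a punycode label standing in for look-alike characters. The following is an added example, not code from the original post or from the article it cites: it extracts the links from a message body and reports those indicators for each one. The brand list, the sample messages and the "last two labels are the registrable domain" simplification are assumptions for this example; a production filter would use a public-suffix list and a reputation feed.

```python
"""Score the links in a message for common phishing tell-tales.

Added example, not code from the original post. It pulls every http(s)
URL out of an e-mail or SMS body and checks the host part for signs
that it is not what it pretends to be. The brand list and the sample
messages are constructed; the domains use reserved example names.
"""
import re
import urllib.parse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Names an organisation would watch for in its own or its partners' traffic
# (assumed list for this example).
BRANDS = ("paypal", "bank")


def indicators(url, brands=BRANDS):
    """Return the list of suspicious features found in one URL (empty = none)."""
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Simplification: treat the last two labels as the registrable domain.
    registrable = ".".join(labels[-2:])
    found = []
    if parts.username is not None:
        found.append("user@ prefix hides the real host")
    if IPV4_RE.fullmatch(host):
        found.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in labels):
        found.append("punycode label (possible look-alike characters)")
    for brand in brands:
        if brand in host and brand not in registrable:
            found.append("brand '%s' appears only in a subdomain" % brand)
    if len(labels) > 4:
        found.append("unusually deep subdomain chain")
    return found


def score_message(text):
    """Map each URL in the message to its indicators."""
    report = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")     # trailing punctuation belongs to the sentence
        report[url] = indicators(url)
    return report


# Constructed sample messages; the short ones are what smishing looks like.
SAMPLES = [
    "Your account is locked. Verify now at http://paypal.com.secure-verify.example/login.",
    "BANK ALERT: confirm your card at http://203.0.113.9/update",
    "Statement ready: https://www.bankofexample.com/statements",
    "Click http://www.paypal.com@evil.example/ to restore access",
]


if __name__ == "__main__":
    for msg in SAMPLES:
        for url, flags in score_message(msg).items():
            print(url, "->", flags or ["no indicators"])
```

The absence of indicators does not make a link safe (a freshly registered look-alike domain passes all of these checks), so a result like this belongs in a score alongside sender reputation and content analysis rather than being used on its own.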

Tuesday, April 21, 2009

Single Sign-on
by Gerald Trites, FCA

As the need for security has grown in the face of identity theft, viruses and unwanted intruders, the number and scope of applications that require passwords has grown immensely. Within many companies employees need to remember a large number of passwords. Of course, in many cases they cannot remember them all, and therefore need to record them somewhere. So they write them on sticky notes, in little notebooks hidden away in a drawer, in files on their computer, in applications like RoboForm that hold all the passwords they need and are themselves protected by a single password, or they store them on a PDA or smartphone.

The fact is that because of the inability of a normal human being to remember a large number of passwords, especially when they need to be changed every month or so, the proliferation of passwords is a growing security risk. Thus the need for single sign-on.

But single sign-on cannot work securely just by giving everyone a single password for access to the whole system; that would seriously erode security, since the one credential would then unlock everything. Instead, single sign-on involves a complete review and definition of the users' system needs, through a process known as identity management, and the single credential that results needs correspondingly stronger protection than any of the passwords it replaces.

Carefully implemented, identity management can improve the overall security of the company's systems and at the same time simplify the lives of the users, while making it possible to open up new areas of information for more users.

Such an approach was taken by New York Transit with their applications, and a short case study was written up by the provider, Novell, which highlights the benefits of this approach to a single sign-on environment.

Thursday, April 16, 2009

Privacy and Security in Website Development
by Gerald Trites

A company website is a face the company puts forward to the world, and needs to reflect the best possible policies the company could follow. This particularly applies to privacy and security, but many company websites, particularly those of small companies, do not reflect such practices.

It's true that many websites have privacy policies stated on them, for example, but the question is: do they really follow those policies? Are the policies an important part of the way they do business, or just something they copied from some other site to give the best impression?

How many companies actually show a trust certificate on their site, to demonstrate they are paying attention to best practices in website security? How many actually take the steps to ensure they are compliant with PCI standards if they accept credit cards? True, for some cards, such as Visa, they are required to comply. However, this is not always the case. Issues like this are raised in a recent article in the E-Commerce Times on building websites for small business.

These matters are important, particularly in an era of increasing incidence of identity theft and data loss. Ultimately, it can even make the difference in the viability of a company. Stating the right policies is important. Following them is even more so.

Monday, April 13, 2009

Major Cybersecurity Bill Introduced In Senate -- Cybersecurity -- InformationWeek

A major new bill has been introduced into the US Senate to place unprecedented emphasis on cybersecurity. The bill includes provision for appointment of a National Cybersecurity Advisor reporting directly to the President.

The bill calls for a unified and coordinated approach to security, and supports the formation of partnerships and new research into the area. There is an article on the proposals at the following link:
Major Cybersecurity Bill Introduced In Senate -- Cybersecurity -- InformationWeek

Thursday, April 9, 2009

Guidance on Monitoring Internal Control Systems (2009)

"The COSO board recognizes that management's assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing. Effective monitoring can help streamline the assessment process, but many organizations do not fully understand how to take full advantage of this important component of internal control. COSO’s Monitoring Guidance is designed to improve the use of monitoring by helping organizations:

  1. Identify and maximize effective monitoring, and
  2. Identify and improve ineffective or inefficient monitoring"

Saturday, April 4, 2009

Compensating Controls
by Gerald Trites

Many of us who have worked in the field of controls have from time to time been impressed and even amazed at the skill of some people in designing systems controls. We recognize in these times just how much of an art form good systems design can be.

The feature article in the Information Systems Security Association (ISSA) Journal this month recognizes this artistry as it relates to the design of compensating controls. When we discover vulnerabilities in a system, one of the first things we do is to look for compensating controls. If there are none, then the vulnerability must be addressed directly, hopefully by changing the system in some way to remove the problem or at least mitigate it. If this proves not to be possible or practical, then we must design a compensating control.

This raises issues, including developing a control that is going to be sustainable and one that will actually mitigate the existing vulnerability. Sometimes, compensating controls are developed that involve more work, but do not actually address the vulnerability.

Compensating controls are not necessarily the most efficient way of dealing with an issue, but they can be effective and necessary. The article, which is available online, discusses these and other issues around compensating controls, in an entertaining and informative way.

Tuesday, March 31, 2009

ISACA Model Curriculum for Information Systems Management
by Gerald Trites, FCA

Last year, ISACA released a model curriculum for Information Systems Management. For several years, their model curriculum for information systems audit and control has been a guiding force in information systems education. The new curriculum promises to do the same for the management side, something that is needed and will be useful.

The Management curriculum is based on the structure of the exam for the Certified Information Systems Management (CISM) designation. That includes:

  • Information security governance
  • Information risk management
  • Information security program development
  • Information security program management
  • Incident management and response

The information security governance domain is divided into two topic areas: information security governance and development of an information security strategy.

The information risk management domain is divided into two topic areas that have from five to seven subtopics each. This domain focuses on the management and assessment of risk in an enterprise.

The information security program development domain includes information regarding the development of a formal security program, including information security management responsibilities, the importance of obtaining senior management’s commitment to the program, defining the program and implementing the program.

The information security program management domain includes subject matter such as policies, outcomes of effective management and measuring the information security program.

The Curriculum offers a series of figures that can serve as forms for implementation. They include an Alignment Grid, which provides a form to map an academic program to the model curriculum.

Copies of the Model Curriculum can be downloaded from the ISACA site.

Thursday, March 26, 2009

Cloud Computing: Understand the Risks - BusinessWeek

Increasingly, organizations and people are placing their data on cloud servers. Most cloud service providers do have security in place, some of it very good, usually based on encryption. So that means the security of the cloud provider needs to be assessed before it is even used. Then it means recognizing that even though the provider may have good security, it's not likely to be absolutely flawless, so the risk of exposing particular types of data needs to be assessed before sending it off. In this process, some of the most sensitive data within the organization may be found to be too sensitive to take the chance, and should be kept on home servers. Cloud Computing: Understand the Risks - BusinessWeek

Monday, March 23, 2009

Server Gated Cryptography
by Gerald Trites

In this world of growing internet usage and mobile users, there has been an increased emphasis on encryption as a means of protection from intrusion and viruses. It has long been the fact that 56 bit encryption is no longer adequate. However, some parts of systems, like some browsers, do not automatically support the more appropriate 128 bit encryption. One possible solution is to employ server gated certificates. Such certificates are issued by a server when it receives a request from the internet. The SGC certificate goes to the requester, who is then prompted to offer up a full encryption menu, including the 128 bit variety. The host server can then accept the 128 bit version, thus ramping up the level of encryption from what it would otherwise have been. There is a good white paper at Infoworld explaining Server-Gated Cryptography and its benefits. It's worth a read.

Monday, March 16, 2009

The New US CIO

Vivek Kundra recently outlined his priorities, which as expected are in line with those set out with President Obama in his campaign. Since Kundra is the first US CIO, he is moving into some uncharted territory.

One of his challenges will be to achieve a balance between information availability and security - that classic balancing act of the IS professional. The president's agenda clearly includes having systems that make information more easily available and also encourage and facilitate public participation in the governance process. Obama has already fought a battle over his Blackberry on the same issue, and achieved a qualified win. Similar issues will arise with the new CIO. An article on his latest announcements is found here.

Wednesday, March 11, 2009

Guidance on Monitoring Internal Control Systems (2009)

The COSO board has released a new Guide on Monitoring Guidance, designed to improve the use of monitoring by helping organizations:
- Identify and maximize effective monitoring, and
- Identify and improve ineffective or inefficient monitoring

As stated in the accompanying release, the Guide is the culmination of two years of expert critical debate; it brings together leading practices at large and small organizations and provides in-depth guidance for implementing the monitoring component of COSO's Internal Control—Integrated Framework.

COSO's Monitoring Guidance suggests that effective and efficient monitoring is best achieved by:
- Establishing a foundation for monitoring, including a proper tone at the top, organizational structure and a baseline understanding of internal control effectiveness
- Designing and executing monitoring procedures that seek to evaluate "persuasive" information about "key controls" addressing "meaningful risks" to organizational objectives
- Assessing results and reporting them to appropriate parties

See the following link for availability and purchasing procedures:
Guidance on Monitoring Internal Control Systems (2009)

Tuesday, March 10, 2009

Mobile Devices - Part of the Corporate System
Gerald Trites, FCA, CA*IT/CISA

The fact is that most people now have cell phones and/or PDAs like Blackberrys. The cell phones are getting smarter too, which means they have the capability to handle email, access the internet and run a number of applications that can process data.

Cell phone and PDA owners usually like to use their devices and increasingly have been wanting their employers to give them access to corporate data. For productivity reasons, the employers often want to provide the data. The problem that arises is that there is a security risk. To confound the problem, the mobile devices are normally (not always) owned by the individuals rather than the company, making it difficult to install and enforce corporate security policies. So we have a situation where the two players - the employee and the employer - have a single desire (effective use of corporate data), but conflicting goals (the employee wants to use their own device to their own ends, while the employer wants to use the device to achieve business objectives safely and efficiently).

The answer may be found in game theory - specifically the classic prisoners' dilemma, in which two prisoners are separated and asked which is guilty. If one betrays the other and the other is silent, the silent one gets the maximum penalty. If both betray each other, then they both get a lesser penalty. If both remain silent, they both get a very minor charge and soon go free.

Since neither knows what the other is doing, the rational course is to betray the other, because this way each will be assured of minimizing their penalty. However, clearly the best outcome for them is to both remain silent. Thus cooperation is the best way to handle the situation, but in the case of the prisoners' dilemma, cooperation is impossible.
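The payoff reasoning in the two paragraphs above, worked through in code. This is an added example, not part of the original post; the sentence lengths are constructed numbers chosen only to respect the ordering the post gives (maximum penalty for the silent party, a lesser penalty for mutual betrayal, a minor charge for mutual silence). It computes each prisoner's best response, shows that betrayal is the dominant strategy for both, and then shows that mutual silence would leave both better off than the equilibrium they actually reach.

```python
"""Payoff analysis for the two-prisoner game.

Constructed example: the prison terms are illustrative numbers that match
the ordering described in the post, not values from the original.
"""
from itertools import product

STRATEGIES = ("silent", "betray")

# Years in prison for (player A, player B); lower is better for each player.
PAYOFF = {
    ("silent", "silent"): (1, 1),    # both silent: minor charge, soon free
    ("silent", "betray"): (10, 0),   # the silent one takes the maximum penalty
    ("betray", "silent"): (0, 10),
    ("betray", "betray"): (5, 5),    # both betray: a lesser penalty each
}


def years(profile, player):
    """Prison term `player` (0 = A, 1 = B) serves under a strategy profile."""
    return PAYOFF[profile][player]


def best_responses(player, other_choice):
    """Strategies for `player` that minimise prison time given the other's fixed choice."""
    def profile(mine):
        return (mine, other_choice) if player == 0 else (other_choice, mine)
    best = min(years(profile(s), player) for s in STRATEGIES)
    return [s for s in STRATEGIES if years(profile(s), player) == best]


def dominant_strategy(player):
    """A strategy that is the unique best response whatever the other does, or None."""
    for s in STRATEGIES:
        if all(best_responses(player, other) == [s] for other in STRATEGIES):
            return s
    return None


def nash_equilibria():
    """Profiles where neither player can do better by changing only their own choice."""
    return [
        (a, b) for a, b in product(STRATEGIES, repeat=2)
        if a in best_responses(0, b) and b in best_responses(1, a)
    ]


def pareto_improvements(profile):
    """Profiles in which both players serve strictly less time than in `profile`."""
    return [
        p for p in PAYOFF
        if all(years(p, i) < years(profile, i) for i in (0, 1))
    ]


if __name__ == "__main__":
    print("dominant strategy, A and B:", dominant_strategy(0), dominant_strategy(1))
    equilibrium = nash_equilibria()
    print("equilibrium reached without cooperation:", equilibrium)
    print("jointly better outcomes unreachable without cooperation:",
          pareto_improvements(equilibrium[0]))
```

The same functions work unchanged for the employer/employee version of the game: replace the prison terms with costs each side bears (data exposure for the employer, lost convenience for the employee) and the equilibrium and Pareto checks tell you whether a cooperative policy is worth the effort of building it.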

In the case of the mobile units, cooperation is possible and this is the best way in which to proceed. This means the employer develops policies in cooperation with the employees and encourages them to accept the security safeguards, which may be passwords and encryption. If the employees are involved, there will be a greater chance they will accept the security measures and not disable them.

So this is a new challenge for IS departments. Mobile devices are becoming a very important part of the information system. Maintaining security over the data, which can be sensitive, means working with the users closely to achieve the goals of both the employers and the employees. Accenture has produced a great article on this approach, which is available at their site.

Sunday, March 8, 2009

Controlling the Cloud
Gerald Trites, FCA, CA*IT/CISA

Cloud computing has been growing continually for the past couple of years. Although outsourced computing is nothing new, the growth of the cloud is because of the increased viability of the Internet as a business computing platform combined with the advent of new Cloud Platform providers, including notably Amazon, Google, IBM and Microsoft.

The term Cloud computing refers to the use of the Internet as a computing platform, together with open source and freeware applications that are used on a pay-as-you-go basis. As a result, cloud computing offers the enterprise greater scalability and flexibility than conventional solutions. This enables the enterprise to respond more quickly to changing environmental issues and business opportunities.

From a management viewpoint, the cloud presents issues of control. The internet itself, of course, always presents control issues, although many of these have been addressed by most companies over the past few years. In the Cloud, however, these issues become more serious, because the use of the internet is more pervasive. Also, cloud solutions have had to introduce high level security solutions in order to meet the standards expected of most major companies. Accenture has issued a white paper on cloud computing that addresses many management and control opportunities and issues.

One of the issues that continues to exist, however, is a lack of independent auditor opinions or other certifications of the control systems in place over cloud solutions. While some vendors are trying to step up to the plate, others have been slow, and this has slowed the pace of cloud systems development. Internet-based vendors, like Amazon and Google, have been slow to formalize their processes to the point that such opinions and certifications can be given. This will change, but in the meantime it represents a challenge and an opportunity for IS auditors.

Thursday, March 5, 2009

NYPD faces ID theft risk after data stolen from pension fund

A recent case of a data breach by an erstwhile trusted employee of the NYPD raises a couple of interesting points. First, it again highlights the risk companies suffer from employees who become disgruntled in some way. In these troubled economic times, employees are more likely to become so, especially if they are laid off. In addition, it is noteworthy that the department did not know if the data were actually stolen or otherwise distributed to others. However, in May 2007, they had implemented a data encryption policy, and in the circumstances of this case, it was determined that employees after that date were not at risk. Therefore this case reinforces the importance of adopting an encryption policy. NYPD faces ID theft risk after data stolen from pension fund

Tuesday, March 3, 2009

Enhanced E-mail Retention Efforts Needed

E-mail is increasingly being seen as a major part of the information systems. Indeed, several studies show that significant information is being retained in email. This means that retention strategy becomes an important systems policy. "To help government organizations enhance their e-mail communication programs, the U.S. Government Accountability Office (GAO) released Federal Records: Agencies Face Challenges in Managing E-mail (PDF, 200 KB), which summarizes the current state of e-mail policies in four agencies of contrasting size and structure."

See the write up at: http://www.theiia.org/itaudit/new-developments/new-developments-6-10-08/enhanced-e-mail-retention-efforts-needed/

Wednesday, February 25, 2009

IT Auditing in Difficult Economic Times
by Gerald Trites, FCA

It is well known that difficult economic times present additional challenges for auditors. As a result, in December, the PCAOB issued a guidance document called "Audit Considerations in the Current Economic Environment" which identifies a number of issues that auditors need to be particularly aware of. Many of these items relate to accounting issues, such as the adequacy of allowances for losses and valuation issues. They also cover controls over disclosures. In addition to these financial accounting issues, however, the document makes a point of possible breakdowns in internal controls, either directly relating to lay-offs and firings and the resultant discontent among the employees, or less directly as a result of staff cutbacks and the resultant possible loss of division of duties - always a key element of good internal controls. This means that IT auditors, not just generalist auditors, need to be particularly aware of these control issues. For more on this matter, see this article on the CFO site.

Tuesday, February 24, 2009

Most fired workers steal data on way out the door, survey shows

A recent survey published by the Ponemon Institute has found that 59% of workers who are fired, laid off or who quit take corporate data with them. Concern about ex-employees somehow violating the system has long been a classic concern of IS auditors. However, the more recent emphasis on data security and privacy adds some important context to this concern, and the new study indicates that this area needs to be addressed in audits. Most fired workers steal data on way out the door, survey shows

Sunday, February 22, 2009

Monitoring Control Systems

It takes time to set up a good control system. But it can be a waste of time if the issues identified by the system never get reported to management, such that meaningful corrective action never takes place. What is required is a good monitoring system that results in these issues being reported effectively and on a timely basis. Setting up a monitoring system that works is an essential part of a control system. The AICPA has published a booklet, "Guidance on Monitoring Control Systems", that can be helpful in this process. The booklet can be purchased from the AICPA site.

Thursday, February 19, 2009

IT governance in practice: Insight from leading CIOs

PricewaterhouseCoopers has interviewed a number of CIOs worldwide to obtain their views on IT governance, their experience in implementing IT governance, and what it takes to make IT governance work.

They report that from their "interviews it is evident that most organisations recognise the importance of IT governance. However, a 'holistic' view that considers all dimensions of IT Governance is not widely found. The concept of IT governance as an umbrella framework encompassing a wide spectrum of arrangements, including the measurement of benefits, has yet to emerge."

They have included in their report some examples of best practices they have identified.

Wednesday, February 11, 2009

IT Risk Management
by Gerald Trites

Earlier in February, ISACA released an Exposure Draft setting out a framework for IT Risk Management. The framework takes COBIT a step further, by going beyond the means for managing risk to addressing the governance and management of IT risk from end to end. The document is 92 pages long, and addresses the area in a comprehensive manner.

The ED begins by defining IT Risk as distinct from business risk. To quote, "IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. It includes both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives as well as uncertainty in the pursuit of opportunities."

The document then goes on to develop principles related to risk management and risk governance and uses these principles to set forth the key building blocks of IT Risk management.

The actual framework is built around the central ideas of governance, evaluation and response. Comments will be received for 45 days. IT auditors should take careful note of this ED, as it is certain to play a significant role in future engagements, both as a tool for the use of the auditors and as a tool that will be used by management and other stakeholders to manage IT risk.

The Exposure Draft can be downloaded from the ISACA site.

Monday, February 9, 2009

Sustainable IT
by Gerald Trites

Sustainable IT is much more than a buzzword. And more than trendy. For auditors, it means exactly what the term says - ensuring that corporate IT systems are sustainable in the medium and long term. That the systems - and therefore the host enterprise - can survive.

IS Auditors and auditors generally have always been concerned about the sustainability of enterprises; about their ability to remain operational. Going concern is a concept that goes back many decades. But while the going concern concept is usually activated because of economic concerns, it increasingly will be activated, in future, because of environmental concerns. This has already happened because of major disasters, such as floods, earthquakes and fires. But major disasters can creep up on us and this is what is starting to happen with IT systems.

IT systems are environmental concerns because of several factors, including notably:

1. High power usage,
2. High use of paper, and
3. Disposal of used and outdated parts, like computers, disks, wires, routers, etc.

Reports have been coming in of power grids being overtaxed because of the growth and proliferation of data centers. The city of London, for example, is reported to have been curtailing new data centers in anticipation of the 2012 Olympics.

With storage space being relatively cheap, and increased storage and processing taking place on the Internet, the need for more data centers will grow considerably over the next few years. The current grid cannot tolerate much in the way of such growth.

The capacity of computer systems to waste paper is legendary, and ironic in view of the widespread talk about the paperless office a few years ago. And while there has been some recycling activity of old computer parts of late, the effort is pitifully small in comparison to the need.

So IT auditors have a need to review the sustainability program of the systems they review. As a minimum, they need to consider whether the power consumption of the systems is being adequately planned, with power friendly devices and power saving programs. They also need to consider if there is a good print control program that ensures that printing is done only when necessary. And they need to ensure that retired equipment is disposed of in an environmentally responsible manner - recycled where possible.

Moreover, IT systems can be used, through the use of video and audio conferencing, as a means to reduce business travel, and consequently reduce the energy consumption involved with such travel.

Such reviews are often seen as a useful value-added service of IT auditors. But they are much more than that. They should be viewed as a central and essential part of routine audits, directed to whether the company can really survive into the future.

KPMG, among other firms, has released a paper on this topic which is downloadable from their website and explains these ideas. There is also an article on their website that offers some useful commentary. Deloitte also has a paper on the subject on their site.