Tuesday, January 27, 2009

ISO 38500 - An Opportunity for Directors
by Gerald Trites, FCA, CA*CISA/IT

The publication of ISO 38500 in 2008, an International Standard on Corporate Governance of IT (Information Technology), will fill a void that has existed for many years. In most organizations, IT has grown from an isolated glass-house unit into a spread-out function, distributed like the networks that came to form the core of its work. At first, IT managers were isolated from the Board and top management, and therefore from corporate governance, which in fact scarcely existed in the early days of IT implementation. In more recent years, however, IT has moved into the C-suite and has even begun to penetrate the activities of Boards of Directors. Nevertheless, there has been a lot of uncertainty as to how this oversight should be carried out.

ISO 38500 provides a means whereby companies can implement governance over IT, mobilize the Board's oversight of this very important strategic element of their organization and do it in accordance with International Standards.

The standard is framed according to six principles for good corporate governance of IT:
  • Responsibility;
  • Strategy;
  • Acquisition;
  • Performance;
  • Conformance;
  • Human behaviour.
ISO 38500 provides useful guidance for directors in their oversight of IT and will be of considerable assistance to those who advise directors. There will be a move to become ISO 38500 certified and indeed, with the pressure these days to show a good governance model to the world, companies would be ill-advised to ignore it. The standard is available from the ISO website. There is also a website devoted to it, and various commentaries on it on the web, including a particularly good one on Serge Thorn's Blog.

Friday, January 23, 2009

Technology Review: Malware Swipes Millions of Credit Cards

Another major breach of privacy has taken place: malware was injected into the systems of a credit card processor and stole large amounts of information about credit card holders. Heartland Payment Systems has been notifying its subscribers to watch their accounts closely.

Thursday, January 15, 2009

BBC NEWS | Technology | Who is responsible in the cloud?

Cloud computing brings a new dimension to information systems. Among other things, it means that data is stored in central data centers serving global networks. This raises a number of issues related to the storage of data in foreign countries, or the storage of foreign data in local countries. Whose laws protect (or don't protect) that data? Can the US scan all data stored within its boundaries under the Patriot Act, regardless of ownership? What about countries that have restrictive laws around the kind of data that can be stored? What about data from countries that have no such restrictions being stored within Western country boundaries, effectively violating local laws? Information systems managers need to concern themselves with these matters.

Wednesday, January 14, 2009

Critical Fixes Released for Microsoft, Oracle - Business Center - PC World

Microsoft and Oracle have released fixes for their products that are important for system security. IT Assurance providers need to monitor the implementation of these patches.

Monday, January 12, 2009

Data Breaches Booming -- Data Breaches -- InformationWeek

Data breaches increased by 47% during 2008, according to the Identity Theft Resource Center. The financial sector is interesting in that, while its data breaches comprise only 12% of the total, they increased by 250% during the year, suggesting the sector may not be keeping pace with the others.

Friday, January 9, 2009

The Security Manager Position

ISACA has released a research study dealing with the position requirements of the Security Manager position. "This report provides a framework for understanding the many, changing and interrelated requirements of the information security manager position and its requirements assigned to professionals at various levels in an enterprise. It identifies the pathways such professionals often take during their careers to reach these positions."

Deliverables:

Thursday, January 8, 2009

The McKinsey Quarterly: The Online Journal of McKinsey & Co.

The economic crisis has implications for all aspects of business. The latest McKinsey Quarterly has a collection of articles centering on the management implications of the crisis. Risk management plays a large role in the new management thinking, and control over information systems is paramount.

Wednesday, January 7, 2009

KPMG - Never again? Risk management in banking beyond the credit crisis

This publication by KPMG reveals the results of surveys within the banking industry about how they manage risk, and points to some directions for addressing the shortcomings that still exist in the system.
KPMG - Never again? Risk management in banking beyond the credit crisis: "The credit crisis has forced banks to take a critical look at how they manage risk and has exposed some significant weaknesses in risk management across the financial services industry. The collapse of several high profile banks, the emergency bail out of others, departures of CEOs and CFOs, the hundreds of billions of dollars of write-downs, efforts by banks to raise fresh capital were all signs that something had gone very badly wrong."

Monday, January 5, 2009

Technology Review: Moving Security to the Cloud

Cloud-based security may be the way to go in future. It brings in more powerful capability and also puts security where the apps and data will be. Early testing indicates, for example, that more viruses can be caught using this approach.

Friday, January 2, 2009

Opinion: Security predictions for 2009

In 2009, the growth in use of mobile devices will continue and so security issues around them will grow as well. Expect mobile security and privacy to be big issues in 2009.

On the Road to E-discovery Compliance

Data management is a major preoccupation of modern business. An often overlooked aspect of this important area is e-discovery. "E-discovery is the overall process of retrieving, collecting, and producing electronically stored information (ESI) that can be used during a legal proceeding. The American Bar Association defines ESI as any information that is created, stored, or best used with any kind of computer technology." Management needs to develop a process for the proper storage and retrieval of sensitive information of this type. This article sets out some good ideas.