Tuesday, March 31, 2009

ISACA Model Curriculum for Information Systems Management
by Gerald Trites, FCA

Last year, ISACA released a model curriculum for Information Systems Management. For several years, their model curriculum for information systems audit and control has been a guiding force in information systems education. The new curriculum promises to do the same for the management side, something that is needed and will be useful.

The Management curriculum is based on the structure of the exam for the Certified Information Systems Management (CISM) designation. That includes:

  • Information security governance
  • Information risk management
  • Information security program development
  • Information security program management
  • Incident management and response

The information security governance domain is divided into two topic areas: information security governance and development of an information security strategy.

The information risk management domain is divided into two topic areas that have from five to seven subtopics each. This domain focuses on the management and assessment of risk in an enterprise.

The information security program development domain includes information regarding the development of a formal security program, including information security management responsibilities, the importance of obtaining senior management’s commitment to the program, defining the program and implementing the program.

The information security program management domain includes subject matter such as policies, outcomes of effective management and measuring the information security program.

The Curriculum offers a series of figures that can serve as forms for implementation. They include an Alignment Grid, which provides a form to map an academic program to the model curriculum.

Copies of the Model Curriculum can be downloaded from the ISACA site.

Thursday, March 26, 2009

Cloud Computing: Understand the Risks - BusinessWeek

Increasingly, organizations and people are placing their data on cloud servers. Most cloud service providers do have security in place, some of it very good, usually based on encryption. So that means the security of the cloud provider needs to be assessed before it is even used. Then it means recognizing that even though the provider may have good security, it's not likely to be absolutely flawless, so the risk of exposing particular types of data needs to be assessed before sending it off. In this process, some of the most sensitive data within the organization may be found to be too sensitive to take the chance, and should be kept on home servers. Cloud Computing: Understand the Risks - BusinessWeek

Monday, March 23, 2009

Server Gated Cryptography
by Gerald Trites

In this world of growing internet usage and mobile users, there has been an increased emphasis on encryption as a means of protection from intrusion and viruses. It has long been the fact that 56 bit encryption is no longer adequate. However, some parts of systems, like some browsers, do not automatically support the more appropriate 128 bit encryption. One possible solution is to employ server gated certificates. Such certificates are issued by a server when it receives a request from the internet. The SGC certificate goes to the requester, who is then prompted to offer up a full encryption menu, including the 128 bit variety. The host server can then accept the 128 bit version, thus ramping up the level of encryption from what it would otherwise have been. There is a good white paper at Infoworld explaining Server-Gated Cryptography and its benefits. It's worth a read.

Monday, March 16, 2009

The New US CIO

Vivek Kundra recently outlined his priorities, which as expected are in line with those set out by President Obama in his campaign. Since Kundra is the first US CIO, he is moving into some uncharted territory.

One of his challenges will be to achieve a balance between information availability and security - that classic balancing act of the IS professional. The president's agenda clearly includes having systems that make information more easily available and also encourage and facilitate public participation in the governance process. Obama has already fought a battle over his Blackberry on the same issue, and achieved a qualified win. Similar issues will arise with the new CIO. An article on his latest announcements is found here.

Wednesday, March 11, 2009

Guidance on Monitoring Internal Control Systems (2009)

The COSO board has released a new guide, Guidance on Monitoring Internal Control Systems, designed to improve the use of monitoring by helping organizations:
- Identify and maximize effective monitoring, and
- Identify and improve ineffective or inefficient monitoring

As stated in the accompanying release, the Guide is the culmination of two years of expert critical debate; it brings together leading practices at large and small organizations and provides in-depth guidance for implementing the monitoring component of COSO's Internal Control—Integrated Framework.

COSO's Monitoring Guidance suggests that effective and efficient monitoring is best achieved by:
- Establishing a foundation for monitoring, including a proper tone at the top, organizational structure and a baseline understanding of internal control effectiveness
- Designing and executing monitoring procedures that seek to evaluate "persuasive" information about "key controls" addressing "meaningful risks" to organizational objectives
- Assessing results and reporting them to appropriate parties

See the following link for availability and purchasing procedures:
Guidance on Monitoring Internal Control Systems (2009)

Tuesday, March 10, 2009

Mobile Devices - Part of the Corporate System
Gerald Trites, FCA, CA*IT/CISA

The fact is that most people now have cell phones and/or PDAs like Blackberrys. The cell phones are getting smarter too, which means they have the capability to handle email, access the internet and run a number of applications that can process data.

Cell phone and PDA owners usually like to use their devices and increasingly have been wanting their employers to give them access to corporate data. For productivity reasons, the employers often want to provide the data. The problem that arises is that there is a security risk. To confound the problem, the mobile devices are normally (not always) owned by the individuals rather than the company, making it difficult to install and enforce corporate security policies. So we have a situation where the two players - the employee and the employer - have a single desire (effective use of corporate data), but conflicting goals (the employee wants to use their own device to their own ends, while the employer wants to use the device to achieve business objectives safely and efficiently).

The answer may be found in game theory - specifically the classic prisoner's dilemma, in which two prisoners are separated and each asked which is guilty. If one betrays the other and the other is silent, the silent one gets the maximum penalty. If both betray each other, then they both get a lesser penalty. If both remain silent, they both get a very minor charge and soon go free.

Since neither knows what the other is doing, the rational course is to betray the other, because this way each will be assured of minimizing their penalty. However, clearly the best outcome for them is to both remain silent. Thus cooperation is the best way to handle the situation, but in the case of the prisoner's dilemma, cooperation is impossible.

In the case of the mobile units, cooperation is possible and this is the best way in which to proceed. This means the employer develops policies in cooperation with the employees and encourages them to accept the security safeguards, which may be passwords and encryption. If the employees are involved, there will be a greater chance they will accept the security measures and not disable them.
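The reasoning in the two preceding passages (why betrayal is the rational choice in the prisoner's dilemma even though mutual silence is better for both, and why a cooperative policy changes the picture for mobile devices) can be made concrete with a small best-response analysis. The script below is an added example, not part of the original post or any Accenture material. The payoff numbers are constructed for illustration: the post gives no figures, and the BYOD game is my own assumption of what an employer/employee game looks like once safeguards are developed jointly, so that accepting the safeguards is each side's best response.

```python
from itertools import product

# A 2x2 game: (row_action, col_action) -> (row_payoff, col_payoff).
# Higher payoff is better for the player concerned.


def best_responses(game, actions, player):
    """For each opponent action, the set of this player's actions that
    maximise the player's own payoff against it (0 = row, 1 = column)."""
    responses = {}
    for other in actions:
        def profile(mine):
            return (mine, other) if player == 0 else (other, mine)
        best = max(game[profile(a)][player] for a in actions)
        responses[other] = {a for a in actions if game[profile(a)][player] == best}
    return responses


def nash_equilibria(game, actions):
    """Pure-strategy equilibria: each player's action is a best response
    to the other's, so neither gains by unilaterally changing course."""
    br = [best_responses(game, actions, p) for p in (0, 1)]
    return {(r, c) for r, c in product(actions, repeat=2)
            if r in br[0][c] and c in br[1][r]}


def pareto_dominated_by(game, profile):
    """Outcomes that leave both players at least as well off as `profile`
    and at least one strictly better; non-empty means `profile` is
    collectively inferior even if it is an equilibrium."""
    mine = game[profile]
    return {p for p, pay in game.items()
            if pay[0] >= mine[0] and pay[1] >= mine[1] and pay != mine}


# Constructed prisoner's dilemma: payoffs are negative years served.
ACTIONS_PD = ("silent", "betray")
PRISONERS = {
    ("silent", "silent"): (-1, -1),    # both get the very minor charge
    ("silent", "betray"): (-10, 0),    # silent one gets the maximum penalty
    ("betray", "silent"): (0, -10),
    ("betray", "betray"): (-5, -5),    # both get a lesser penalty
}

# Constructed BYOD game (assumption): employee (row) vs employer (column).
# "cooperate" = employee accepts jointly agreed safeguards / employer
# develops policy with the employees; "defect" = employee disables controls /
# employer imposes controls unilaterally.
ACTIONS_BYOD = ("cooperate", "defect")
BYOD = {
    ("cooperate", "cooperate"): (3, 3),  # data used productively and safely
    ("cooperate", "defect"): (1, 2),
    ("defect", "cooperate"): (2, 1),
    ("defect", "defect"): (0, 0),        # no safe access for anyone
}


def analyse(game, actions):
    """Return the equilibria and, for each, the outcomes that Pareto-dominate it."""
    eq = nash_equilibria(game, actions)
    return {e: pareto_dominated_by(game, e) for e in eq}


if __name__ == "__main__":
    print("prisoner's dilemma:", analyse(PRISONERS, ACTIONS_PD))
    print("BYOD policy game:  ", analyse(BYOD, ACTIONS_BYOD))
```

In the prisoner's dilemma the only equilibrium is mutual betrayal, and the analysis reports that mutual silence would have been better for both, which is exactly the trap the post describes. In the constructed BYOD game the payoffs have been shifted by involving the employees, so the only equilibrium is the cooperative one and nothing dominates it: the security measures stay in place because keeping them is in each party's own interest.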

So this is a new challenge for IS departments. Mobile devices are becoming a very important part of the information system. Maintaining security over the data, which can be sensitive, means working with the users closely to achieve the goals of both the employers and the employees. Accenture has produced a great article on this approach, which is available at their site.

Sunday, March 8, 2009

Controlling the Cloud
Gerald Trites, FCA, CA*IT/CISA

Cloud computing has been growing continually for the past couple of years. Although outsourced computing is nothing new, the growth of the cloud is because of the increased viability of the Internet as a business computing platform combined with the advent of new Cloud Platform providers, including notably Amazon, Google, IBM and Microsoft.

The term Cloud computing refers to the use of the Internet as a computing platform, together with open source and freeware applications that are used on a pay-as-you-go basis. As a result, cloud computing offers the enterprise greater scalability and flexibility than conventional solutions. This enables the enterprise to respond more quickly to changing environmental issues and business opportunities.

From a management viewpoint, the cloud presents issues of control. The internet itself, of course, always presents control issues, although many of these have been addressed by most companies over the past few years. In the Cloud, however, these issues become more serious, because the use of the internet is more pervasive. Also, cloud solutions have had to introduce high level security solutions in order to meet the standards expected of most major companies. Accenture has issued a white paper on cloud computing that addresses many management and control opportunities and issues.

One of the issues that continues to exist, however, is a lack of independent auditor opinions or other certifications of the control systems in place over cloud solutions. While some vendors are trying to step up to the plate, others have been slow, and this has slowed the pace of cloud systems development. Internet based vendors, like Amazon and Google, have been slow to formalize their processes to the point that such opinions and certifications can be given. This will change, but in the meantime it represents a challenge and an opportunity for IS auditors.

Thursday, March 5, 2009

NYPD faces ID theft risk after data stolen from pension fund

A recent case of a data breach by an erstwhile trusted employee of the NYPD points to a couple of interesting points. First, it again highlights the risk companies suffer from employees who become disgruntled in some way. In these troubled economic times, employees are more likely to become so especially if they are laid off. In addition, it is noteworthy that the department did not know if the data were actually stolen or otherwise distributed to others. However, in May 2007, they had implemented a data encryption policy, and in the circumstances of this case, it was determined that employees after that date were not at risk. Therefore this case reinforces the importance of adopting an encryption policy. NYPD faces ID theft risk after data stolen from pension fund

Tuesday, March 3, 2009

Enhanced E-mail Retention Efforts Needed

E-mail is increasingly being seen as a major part of information systems. Indeed, several studies show that significant information is being retained in e-mail. This means that retention strategy becomes an important systems policy. "To help government organizations enhance their e-mail communication programs, the U.S. Government Accountability Office (GAO) released Federal Records: Agencies Face Challenges in Managing E-mail (PDF, 200 KB), which summarizes the current state of e-mail policies in four agencies of contrasting size and structure."

See the write up at: http://www.theiia.org/itaudit/new-developments/new-developments-6-10-08/enhanced-e-mail-retention-efforts-needed/