Sunday, June 28, 2009

IFRS Conversion - IT Aspects

It is well known that the conversion to International Financial Reporting Standards (IFRS), coming up by 2011, is a significant undertaking for public companies. The first part of the conversion must be completed by this winter, so the time is approaching. An important part of the IFRS conversion process is dealing with the IT implications. IFRS require maintaining records of items, and of asset and liability values, that most companies have not kept before. This is not an easy matter to deal with, especially in large companies with multiple sets of records and diverse circumstances.

Some guidance is available on this issue. For example, KPMG has released two booklets - The impact of IFRS on technology: A practical introduction and The IT aspects of IFRS conversion.

The Information Technology Advisory Committee (ITAC) of the CICA has released a series of podcasts on the subject, which are available for download from the ITAC website. This unique presentation draws upon the experience with IFRS conversion in Europe.

Thursday, June 18, 2009

More on eDiscovery

Yesterday's post discussed eDiscovery and suggested that appropriate policies need to be established to deal with it. The Institute of Internal Auditors has, in its publication IT Audit, an excellent article on the steps that auditors can take to assist with eDiscovery policy formulation. The article includes a detailed list of the activities that companies should undertake and the steps that auditors should perform. Highly recommended.

Tuesday, June 16, 2009

eDiscovery
by Gerald Trites, FCA

The discovery process has long been an essential element of civil proceedings in the courts. It involves each side to an action disclosing, before the court proceedings commence, the evidence it plans to introduce. Generally, evidence that has not been disclosed in discovery cannot be presented in court.

Recent years have seen a huge increase in the volume of evidence coming out of information systems in electronic form. This phenomenon has raised some issues that IS professionals need to consider in designing and managing their systems. While eDiscovery is essentially a legal issue, IS professionals can get caught in the middle when asked to find and produce the information the lawyers want. It is wise to give it some forethought before legal actions occur, consult with the lawyers, and develop a strategy for information that could be the subject of eDiscovery.

eDiscovery proceedings need to distinguish between information that is prepared manually and keyed in, and information that is generated by computer processes. Original evidence is generally required. In addition, the quality of the information needs to be considered, and that includes the existence of controls to ensure that the information is not altered in an unauthorized manner: a record of what was collected, when, by whom, and a means of proving that what is produced later is the same as what was collected. So security and control become a very important part of the eDiscovery process. IS professionals could be called into court to testify as to the adequacy of the controls to preserve the integrity of the evidence. Clearly, this is a matter to be thought out in advance, and with the advice of legal counsel.

The operation of systems can also be a factor in eDiscovery. For example, what data is going to be kept, in what form, and if it is slated to be destroyed or overwritten, what timing is appropriate? Data retention policies become very important, as do backups, and once litigation is reasonably anticipated the routine destruction schedule must be suspended (a "legal hold") for the records concerned.
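As an added illustration of the two controls discussed above (an integrity record for collected evidence, and a retention schedule that respects a legal hold), here is a small Python example. It is not from the original post or from any of the publications it cites. The records, the custodian name and the signing key are constructed for the example; in practice the key would be held by the collection system or an HSM, never stored beside the records it protects.

```python
import copy
import hashlib
import hmac
import json
from datetime import date

# Constructed sample records, as they were "collected" from a business system.
SAMPLE_RECORDS = {
    "invoice-0001.txt": b"Invoice 0001: 1,250.00 CAD payable to Acme Ltd.",
    "email-2009-05-11.eml": b"From: cfo@example.test\nSubject: Q2 forecast\n\nSee attached.",
    "journal-2008-11.csv": b"date,account,amount\n2008-11-02,4000,980.00\n",
}

# Hypothetical custodian key (assumption for the example, not a real key).
CUSTODIAN_KEY = b"example-custodian-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(entries) -> str:
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(CUSTODIAN_KEY, body, hashlib.sha256).hexdigest()


def build_manifest(records, collected_on: str, custodian: str):
    """Record a hash, size, date and custodian for every collected item, then
    sign the whole list so the manifest itself cannot be quietly edited."""
    entries = [
        {
            "name": name,
            "sha256": sha256_hex(records[name]),
            "size": len(records[name]),
            "collected_on": collected_on,
            "custodian": custodian,
        }
        for name in sorted(records)
    ]
    return {"entries": entries, "hmac": _sign(entries)}


def verify_manifest(manifest, records):
    """Return a list of problems; an empty list means the evidence is intact."""
    problems = []
    if not hmac.compare_digest(_sign(manifest["entries"]), manifest["hmac"]):
        problems.append("manifest tampered or wrong key")
    for entry in manifest["entries"]:
        data = records.get(entry["name"])
        if data is None:
            problems.append(f"missing: {entry['name']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"altered: {entry['name']}")
    return problems


def retention_candidates(manifest, today: str, keep_days: int, legal_hold):
    """Items the retention policy would destroy: older than keep_days and not
    subject to a legal hold. Anything on hold is skipped regardless of age."""
    now = date.fromisoformat(today)
    out = []
    for entry in manifest["entries"]:
        age = (now - date.fromisoformat(entry["collected_on"])).days
        if age > keep_days and entry["name"] not in legal_hold:
            out.append(entry["name"])
    return out


def demo():
    """Run the scenario end to end and return the outcomes."""
    manifest = build_manifest(SAMPLE_RECORDS, "2009-06-16", "IS department")

    # An attacker (or a careless admin) edits a record after collection.
    altered = dict(SAMPLE_RECORDS)
    altered["invoice-0001.txt"] = SAMPLE_RECORDS["invoice-0001.txt"] + b" (void)"

    # A cleverer attempt: also rewrite the manifest hash to match the edit.
    forged = copy.deepcopy(manifest)
    for entry in forged["entries"]:
        if entry["name"] == "invoice-0001.txt":
            entry["sha256"] = sha256_hex(altered["invoice-0001.txt"])

    return {
        "intact": verify_manifest(manifest, SAMPLE_RECORDS),
        "edited_record": verify_manifest(manifest, altered),
        "edited_manifest": verify_manifest(forged, altered),
        "to_destroy": retention_candidates(
            manifest, "2012-01-01", 730, legal_hold={"email-2009-05-11.eml"}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The HMAC over the manifest is what catches the second attack: an altered file with a matching altered hash would pass a hash-only check. In a real collection the manifest, the key and the records should sit under different custodians, and the manifest is what the IS professional would produce in court to support testimony about integrity.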

eDiscovery is a permanent aspect of information systems management, and appropriate policies need to be developed and incorporated in the corporate IS strategies. The June 2009 issue of the ISSA Journal has a good article on the subject, which, although based on US law, is helpful in understanding the issues in Canada.

Saturday, June 13, 2009

Risk Intelligence

Deloitte has produced a series of white papers on the subject of risk intelligence, a valuable guide to risk management in this period of economic uncertainty. Risk intelligence moves beyond the idea of risk management as a process to the concept that the best way to manage risk is to integrate all risk mitigation activities into the organization, from the board of directors through the C-suite to the operational and support functions. This is a comprehensive approach that obviously takes considerable planning and careful execution, but one that should pay back strong returns over the longer term.

The series of white papers can be downloaded from the Deloitte site.

Tuesday, June 9, 2009

Security in the Cloud
by Gerald Trites

Many companies have gone into cloud computing, and the recession appears to be prompting more to do so. Cloud computing, if you've been on a desert island, means putting applications and data on an internet service and having the administration done by the service provider. It is outsourcing using the internet. Google, Amazon and others provide such services.

Of course, everyone knows that putting things like applications and data on the internet is a risky business. True, major advances have been made in recent years in internet security, but there are still risks that need to be addressed.

In the case of cloud computing, people sometimes make the wrong assumptions, and make some of the same mistakes people have made with outsourcing in general. This includes relying too much on the service provider, assuming they are stable and safe to deal with, assuming they will look after security and we don't have to worry about it.

Wrong!

In any outsourcing activity, the company can pass along the work, the administration and the details, but it cannot pass along the responsibility. In the end, when things go wrong, it is the company that will pay the price, not necessarily the service provider.

That means that when planning security in the cloud, the company needs to approach it in full knowledge that the responsibility is its own, almost as though it were implementing all the security itself. That means reviewing the provider's security plans and structure, ensuring that the security provided meets the company's objectives, and generally assuming full responsibility for it.

Many companies have not approached it this way, thinking the service provider will look after it. Well, they will, but maybe not to the extent the company needs it. For an interesting summary of the top six mistakes companies make in implementing cloud security, see this article in InformationWeek.

Wednesday, June 3, 2009

Data Loss

There have been numerous incidents of data loss over recent years, many from lost hard drives, PCs, smart phones, and other mobile or movable devices. Last month, in May, a particularly notable one took place in Britain, where a hard drive went missing which contained personal information for 500 RAF officers. Indications were that the information was sensitive and could open the officers up to blackmail.

Few precautions appear to have been taken by the RAF to safeguard the data. The incident therefore laid bare some of the lessons that can and should be learned from these incidents. Movable data is common, is here to stay, and needs to be addressed by most organizations and companies. Virtually every organization and company handles sensitive and/or personal data of some kind.

The issue needs to be addressed by first classifying data according to its importance and sensitivity. Then the more sensitive data needs to be encrypted, using a vetted product and with the keys held somewhere other than the device that could be lost; a drive encrypted with a key stored on the same drive protects nothing. Finally, Data Loss Prevention techniques need to be considered for adoption. In order to devise these techniques, the company needs to follow the data: determine where it is, and where it is at most risk, which usually means the laptops, USB sticks and removable drives rather than the data centre. The CICA Information Technology Advisory Committee is soon to release a white paper on this topic called Data Centric Security. Watch for it. A summary of the RAF incident is now on the Security Planet Site.
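As an added example of the classify-then-follow-the-data steps above (this is not from the original post or from the forthcoming CICA paper), here is a small Python scanner of the kind a DLP tool runs. It looks for Canadian Social Insurance Numbers, validating them with the Luhn check digit that SINs carry so that any nine-digit reference number is not reported as one, assigns a classification, and flags sensitive content that has ended up on portable media. The file names, locations and contents are constructed for the example and have nothing to do with the RAF incident.

```python
import re

# Constructed sample files, each with the place it was found during a data
# inventory. Hypothetical names; the SINs are well-formed test values.
SAMPLE_FILES = {
    "press-release.txt": ("file-server",
        "Acme announces Q2 results. Media contact: media@acme.example"),
    "staff-list.csv": ("laptop-0421",
        "name,sin,email\nA. Smith,046 454 286,asmith@acme.example\n"),
    "vetting-notes.txt": ("usb-stick",
        "Officer file 17: SIN 130 692 544. Disclosed debts; possible pressure point."),
    "ticket-8812.txt": ("file-server",
        "Ref 123 456 789 is a ticket number, not a SIN."),
}

SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Locations whose name starts with one of these are treated as portable.
PORTABLE_PREFIXES = ("laptop", "usb", "phone")


def luhn_ok(digits: str) -> bool:
    """Luhn check used by Canadian SINs (and by payment card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sins(text: str):
    """Nine-digit groups that also pass the Luhn check; others are ignored."""
    hits = []
    for m in SIN_RE.finditer(text):
        digits = "".join(m.groups())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str):
    """Return (level, findings). Levels: public < internal < sensitive."""
    findings = {"sin": find_sins(text), "email": EMAIL_RE.findall(text)}
    if findings["sin"]:
        level = "sensitive"
    elif findings["email"]:
        level = "internal"
    else:
        level = "public"
    return level, findings


def inventory(files):
    """Classify every file and note whether it sits on portable media."""
    rows = []
    for name, (location, text) in sorted(files.items()):
        level, _ = classify(text)
        portable = location.startswith(PORTABLE_PREFIXES)
        rows.append({"name": name, "location": location,
                     "level": level, "portable": portable})
    return rows


def at_risk(files):
    """Sensitive files on portable media: the first targets for encryption."""
    return [(r["name"], r["location"]) for r in inventory(files)
            if r["level"] == "sensitive" and r["portable"]]


def export_decision(level: str, encrypted: bool) -> str:
    """Policy a DLP agent would enforce at the point of copy or send."""
    if level != "sensitive":
        return "allow"
    return "allow" if encrypted else "block"


if __name__ == "__main__":
    for row in inventory(SAMPLE_FILES):
        print(row)
    print("at risk:", at_risk(SAMPLE_FILES))
```

The Luhn check is what keeps `ticket-8812.txt` out of the sensitive pile even though it contains a nine-digit number in SIN format; pattern matching alone produces enough false positives that staff learn to ignore the tool. The encryption step itself is deliberately not implemented here: use the platform's full-disk encryption or a reviewed library rather than anything home-grown, and keep the key off the device.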