Tuesday, July 28, 2009

The Largest Data Pilferage in History

In January 2009, Heartland Payment Systems, one of the biggest payment processors in the US, disclosed an intrusion into its card-processing systems. It was estimated that 100 million credit and debit cards from more than 650 financial services companies may have been compromised.

Such an intrusion would be a nightmare for most companies, but for a payment processor it is catastrophic. Merchants and cardholders rely on payment processors to keep card data secure, and a breach of this kind can cost the confidence of customers and the public, leading to a potentially massive loss of business. Normally companies try to keep such incidents quiet, beyond the mandatory reporting to law enforcement agencies and regulators.

Heartland handled it differently. It went public and sought to organize its industry to combat the crime groups that perpetrate such frauds, which ultimately cost the end customers, the cardholders themselves, a great deal of money.

Heartland still has lawsuits to deal with, and has since implemented tighter encryption standards for card data, but it also did something that will benefit people down the road: it launched a strong countervailing force against cybercrime. A report on the story is on Businessweek.

Saturday, July 25, 2009

E&Y Top 10 Business Risks

Ernst & Young has released its 2009 Business Risk Report, which sets out and discusses the top ten global business risks.

The top 10 risks identified (2008 rankings in parentheses) are:

1. The credit crunch (2)
2. Regulation and compliance (1)
3. Deepening recession (New)
4. Radical greening (9)
5. Non-traditional entrants (16)
6. Cost cutting (8)
7. Managing talent (11)
8. Executing alliances and transactions (7)
9. Business model redundancy (New)
10. Reputation risks (22)

Sums it up nicely. The report is downloadable from their site.

Monday, July 20, 2009

Security in the Cloud

Some security companies, such as McAfee, which have traditionally sold security software, are now offering security as a service, delivered over the web to their client companies. In other words, those companies are outsourcing their security.

Intuitively, handing security over to a third party on the web carries risks that have to be managed. But controls have improved over the years, and what once would have been unthinkable is now viable.

That is not to say that all security should be outsourced. Companies are finding that some security services are better placed in the cloud than others. For example, many companies have a history of successfully outsourcing their email filtering. Monitoring can be quite successful in the cloud as well, as can threat assessment, vulnerability identification, traffic monitoring and the like. Other, more sensitive functions, such as password management, are less viable. Some managers argue that complete outsourcing of security is simply not viable. Nevertheless, there is a trend here, and one we can expect to continue.

There is a good article on the subject at Technology Review.

Friday, July 17, 2009

Facebook Fails to Meet Canada's Privacy Legislation

This finding was issued by Canada's Privacy Commissioner following an investigation under PIPEDA, the federal private-sector privacy law. The Commissioner recommended that Facebook bolster its settings and simplify its controls so that users can know what happens to their information once it is posted and make informed decisions about how much information they wish to share.

Canada's privacy laws are based on the principle of consent, so it is important for any vehicle like Facebook to be transparent about what information it gathers and what it intends to do with it. See a press report on PCWorld.

Wednesday, July 15, 2009

Security Professionals Need New Skills
by Gerald Trites, FCA

At a recent Gartner Industry Summit the point was made that security is increasingly being built into IS architecture, and that in future there will be less need for human intervention in the security process. It was also pointed out that the role of auditors will change, with more of their procedures automated. This will mean that routine audit procedures will increasingly be done by people with lower skills than before. It also means there will be demand for more IS auditors with the analytical and communication skills to make sense of the results and convey them to management and executives. This will be a challenging role to play.

The trend towards automation of the audit function has been clear for some time. What Gartner is forecasting is a major acceleration of this process and a significant shift in the way it is delivered, through mainstream architecture rather than through add-ons and special audit software as in the past. No doubt, however, there will still be some demand for analytical software.

IS auditors will be an important part of the management team in future, and the increased automation will mean greater involvement in system design and selection as the importance of security continues to permeate the C-suite.

A summary of the Gartner Event is found in this linked article.

Monday, July 13, 2009

Software as a Service Underwhelming

A new Gartner survey in Britain has found users of SAAS to be less than impressed with the service they receive. Although SAAS has become a common strategic tool, the concerns expressed by those surveyed need to be addressed. A major concern involved service: respondents said that support needs to be 24/7 and readily accessible. This seems pretty basic.

Another concern related to costs, which is more complex. Any move to SAAS, especially one involving critical functions, is bound to be difficult and potentially expensive. It is often a major system change, and this brings process changes, which affect how people do their jobs, always a difficult area in which to achieve change.

Some of the executives said that the transition took longer than they thought it would. However, this is a common complaint of executives when technology changes are made. We heard it for years with ERP implementations. Many SAAS implementations are no less significant.

SAAS in some form, along with cloud-based systems, will remain a permanent part of the typical architecture, and users and vendors need to work together to make it better.

An article on the Gartner Survey is found on the CIO site.

Friday, July 10, 2009

Guidance on Monitoring Internal Control Systems (2009)

COSO has released a new version of its Monitoring Guidance, "which is designed to improve the use of monitoring by helping organizations:

1. Identify and maximize effective monitoring, and
2. Identify and improve ineffective or inefficient monitoring

In both instances, the internal control system may be improved, increasing the likelihood that organizational objectives will be achieved.

The culmination of two years of expert critical debate, the guidance brings together leading practices at large and small organizations and provides in-depth guidance for implementing the monitoring component of COSO's Internal Control—Integrated Framework.

COSO's Monitoring Guidance suggests that effective and efficient monitoring is best achieved by:

1. Establishing a foundation for monitoring, including a proper tone at the top, organizational structure and a baseline understanding of internal control effectiveness
2. Designing and executing monitoring procedures that seek to evaluate "persuasive" information about "key controls" addressing "meaningful risks" to organizational objectives
3. Assessing results and reporting them to appropriate parties

The guidance covers these and other topics in an easy-to-read, three-volume set.

The three-volume set includes:

• Volume I: Presents the fundamental principles of effective monitoring and develops the linkage to the COSO Framework
• Volume II: Presents in greater detail the principles outlined in Volume I and provides guidance to those responsible for implementing effective monitoring
• Volume III: Contains examples of effective monitoring

A free summary of the guidance and its intended purpose is posted on the "Excerpts" tab above."

It can be purchased from this site.

Monday, July 6, 2009

New ISACA Guide - An Introduction to the Business Model for Information Security

ISACA, in conjunction with the USC Marshall School of Business Institute for Critical Information Infrastructure Protection, has released an introductory guide, the first document in a planned series on the Business Model for Information Security. The guide provides a starting point for discussion and future development by defining the core concepts that will help information security and business unit managers to "align security program activities with organizational goals and priorities, effectively manage risk, and increase the value of information security program activities to the enterprise." The project is the first major output from the alliance between ISACA and the Marshall School.

The Guide can be downloaded from the ISACA site.

Thursday, July 2, 2009

The Complexity of Security

In this podcast, the first in a series from Accenture about the challenges facing companies trying to secure their systems, Mac Willson and InformationWeek Editor-at-Large Larry Greenemeier discuss ways in which organizations can improve their information security by implementing properly integrated solutions. By reducing the complexity of their security strategies, companies can achieve better performance. The podcast can be downloaded from the Accenture site.