Wednesday, December 29, 2010

ROBO Priorities

"A study conducted by industry analyst Enterprise Strategy Group found that the top three IT priorities for remote office / branch office (ROBO) locations were driven by business priorities: to improve information security, ensure regulatory compliance, and enhance disaster recovery. However, the many choices in data protection technologies and approaches, coupled with a wide range of vendors to choose from, can make data protection planning a daunting endeavor."


A white paper released by HP drills deeper into these challenges and the considerations for a better way to approach data protection. It explains the set  up and use of ROBO sites for backing up and safeguarding data in a variety of situations, from small business with the ROBO site consisting of some mobiles and laptops to very large duplicated data centers linked by online access through archives on disk or tape.

A good overview of an important area. You can download the white paper here.

Tuesday, December 28, 2010

The Emerging World of Internet TV

There is another security threat looming and its a big one. Before long, all electronic devices will be connected to the internet, including refrigerators, stoves, microwaves, home security systems and TV's. Some of them already are. This year will see a boom in Internet TV. Apple TV. Google TV. And various manufacturers like Sony and Samsung are rushing to come out with internet enabled TV.

This trend has been predicted for many years, but now it is actually coming to fruition.

What does this mean for IT Audit? First off, the new applications don't necessarily place much consideration on security. So the new connections often contain holes that can be exploited by hackers. To the extent they get connected to the internet, then hackers can have a highway into a corporate system. This already happens with the much ignored area of online printers and fax machines. Soon it will happen with the TV in the staff lounge or the refrigerator in the lunch room. Seeking out these security holes and plugging them will be the job of the security professionals, and checking up on them the job of the IT auditors. This article explains some of the ramfications.

It's an exciting new era!

Friday, December 24, 2010

The Top Ten Security Stories of 2010

It has been an active year in the IT world, with lots of new security implications for companies to consider. Mobile devices continue to proliferate, cloud computing continues to take off into the stratosphere, threats from insiders (such as disgruntled employees and former employees wrought by hard economic times) have increased,  Wikileaks has shattered all our illusions about privacy, Botnet gangs have grown and become more visible and so on and on. There are big implications for governments in ensuring the security and privacy of their systems and also for private businesses, who are having to implement new policies on the fly to cope with the rapidly changing landscape.

It makes the work of IT Auditors challenging to say the least. And points to the pressing need for those auditors to stay on top of emerging IT trends. For Informationweek's take on the top 10 security stories of 2010, check out this link.

Monday, December 20, 2010

IBM Releases its 2010 Global Risk Study

IBM Global Business Services has released its 2010 global Risk Study, in which it asked 560 IT managers and CIOs in all types of companies all over the world to talk to us about IT risk — what their biggest obstacles are, where their biggest challenges lie, where they see the greatest potential for adding business value.

A majority felt their organization is making progress with risk, but 82% felt that their level of risk mitigation is less than expert. some of the biggest risk areas were quite predictable, given the trends in IT. Social media was regarded as a risk area, as was cloud computing and mobile computing.

Mounting regulatory demands was cited as a source of a growth in the need to perform well in managing risk. Many felt, however, that although IT has become a core area for all businesses, management of IT risk has not kept pace with this fact.

The study has many predictable outcomes, but this does not undermine the fact that there is much to be done in managing IT risk as the world of business quickly becomes more automated, and more susceptible to failure from poor management of IT Risk. To download the report, click this link.

Thursday, December 16, 2010

Data Integrity

The AICPA Trust Services/Data Integrity Task Force is charged with the job of updating and maintaining the Trust Services Principles and Criteria (TSPC) and creating a framework of principles and criteria to provide assurance on the integrity of information.

The Task Force has recently developed an Audit Guide, Reporting on Controls Over a Service Provider’s System Relevant to the Security, Availability Processing Integrity, Confidentiality or Privacy of User Entities Information- An Application of the Trust Services Principles and Criteria.  For more on the guide, click here.

Also, it's worth checking out the AICPA page on the Task Force at this link.

Friday, December 10, 2010

E-Mail is the Big Security Culprit

A new report from software vendor Awareness Technologies points to personal email services like Gmail, Hotmail and Yahoo Mail as being "increasingly responsible for the accidental or deliberate loss of customer and corporate data."

Some companies ban such personal email services, but many do not. These services are all web based, and subject to a high degree of pressure from hackers, who have developed techniques to capture login IDs and passwords and then go in and seize the data either in the body of the messages or in attachments to them.

The findings resulted from a survey of data breaches at more than 10,000 sites. The survey also indicated that most of the data breaches could be traced back to the fault of employees, who were either poorly trained or gullible enough to fall for phishing expeditions.

One approach is to ban the use of personal email services on corporate computers, but this doesn't work well in today's environment since many employees mix their personal and business accounts. In addition, they often use their own personal computers or other devices for business purposes, and this is a growing trend.

Another approach is to embrace the use of personal email services and train the employees in their proper use and awareness of the threats that exist.

Since breaches arising from personal email services now outnumber those arising from the abuse of USB ports, previously the leader, email controls are more important than ever before.

For a report on the Survey, please check out this link.

Wednesday, December 8, 2010

The Need for Continuous Auditing and Continuous Controls Monitoring

When the foundations of modern auditing were formed, many years ago, the world was a simpler place. Most businesses operated out of one or two locations. They had a manufacturing plant or a retail outlet. Their inventories could be observed and their accounts receivable were due from regular customers who were not far away and could be contacted quite easily. The idea of balance sheet auditing reflected these facts and the idea formed that if you get the opening balances right and the closing balances right, then everything in between must be right. Only classification issues remain. This concept became the core of auditing and remnants of it remain to this day.

Then businesses grew more complex. And they went global. Now auditors were faced with the prospect of auditing assets like inventories in all, sometimes very remote, parts of the world. Even though the audit firms tried to grow so they could do global audits, they had trouble keeping up. It just wasn't practical to observe and confirm a majority of those assets and liabilities.

The recognition grew that reliance needed to be placed on internal controls to gain assurance that the assets and liabilities were being properly controlled while they were out of sight. And so the idea of controls based auditing gained prominence.

Over the past twenty years or so, the auditing profession, through its standards, has tried to find a good balance between the need to examine balances and the need to examine controls. Arguably it has never found a good and viable balance.

Add to the mix an increasingly sophisticated technology environment, with controls issues that most auditors do not understand, incredibly complicated accounting standards, and you have a recipe for disaster. And disasters have happened, with auditors being blamed and paying huge settlements and some CEOs and CFOs going to jail. Some informed observers have concluded that the modern global corporation is virtually unauditable.

A reasonable answer to this seemingly inpenetrable conundrum has been the idea of continuous auditing (CA). CA, the argument goes, enables auditors to gain that ongoing assurance they need that the controls to safeguard the assets and record the liabilities are in place and operating properly. CA is accompanied by the idea of Continuous Controls Monitoring (CCM). The idea is that the there is a good CCM system in place that the auditors monitor and receive exception reports whenever anomolies enter into the system. With this information they can identify issues on a timely basis, and act on them without waiting for the year end audit.

This is a good concept but then there is the reality that good CCM systems have been few and far between, so CA has not achieved the level of acceptance that it deserved and that is needed to address the continuing and very real issues around the auditability of a modern corporation..

A good deal more effort needs to be placed on the development and deployment of good CCM systems - systems that will enable the auditors to do the job that is demanded of them in the 21st century. With current technology, such systems are feasible, and are being developed. Selection of such systems has become a critical process.  A recent article in the ISACA journal (subscription needed) outlines a ten factor model for evaluating CCM systems. CA and CCM is a solution to the auditing dilemna that is long overdue, is now feasible and needs to be acted upon.
    

Monday, December 6, 2010

Wikileaks - A Call for Security Review

It is widely known by now that the sensitive data given to Wikileaks and then the world was originally obtained by Private Bradley Manning, who downloaded the data to CDs and then passed them over to Wikileaks. A cursory look at this occurance leads one to observe that it is probably that some of the most basic tenets of information security were not being followed by the military.

The principle of need-to-know and least privilege form the foundation of any security system. This means people are only given access to the information they need to do their jobs. In addition to the fact of access, the level of access should also be guided by these principles. virtually all systems provide for setting access levels as needed. The system will provide, for example, that the users having access to the information can do one or more of the following - read, copy, create, edit. For example, one user might be able to read only, while another might be able to edit it.

We know that Private Manning had access to the information and had the ability to read it and copy it. In addition, the drives on his computer were not disabled to prevent information being copied and removed, as happened in this case.

The question then is - did Pvte Manning need to have these access rights in order to do his job. We don't know, but logic would indicate that he likely did not.    

Whether or not he did have that need, the situation is a wake-up call for businesses to review their access privileges and consider whether the access provided to their information, especially the more sensitive variety, is in accordance with the basic principles of good security systems. Failure to establish such compliance could be very expensive in the age of Wikileaks. Check out this excellent article on this topic.

Friday, December 3, 2010

Mobiles are Computers
And Deserve the Same Level of Security

With the proliferation of mobile units attached to corporate systems, IT personnel are losing control of their systems. Mobile units, like smart phones, iPads and the like are not cell phones; they are powerful computers. The problem is that a great many organizations have not yet recognized this simple fact, even though they know it.

Security for mobile devices has not reached anything like the level of sophistication of other more mature computers. So the exposure is considerable. Here are the major threats:

Mobile Threat - Mobile Security Solution
Malware - Antivirus and antispam features
Loss and theft -  Ability to lock, locate, wipe and restore
Direct attack -  Firewall technology
Data communications interception -  VPN and encryption solutions
Exploitation and misconduct - Filtering capabilities

Many organization's need to conduct more rigorous risk analyses for their mobile devices and begin the process of implementing the appropriate solutions. While many of those solutions are still rudimentary, nevertheless the threats cannot be ignored. This white paper explores this area at a relatively high level.

Wednesday, December 1, 2010

Smishing and Vishing

As if there weren't enough threats plaguing the average cyber-citizen, now there are some new ones. The FBI has recently issued a warning to shoppers for the holiday season. Smishing is the same as the familiar phishing we encounter every day on the internet. The difference is that smishing takes place using SMS text messages. And of course, those are growing in popularity, beyond the ranks of the under 25's, for whom texting is an obsession.

Vishing is also similar to phishing, but makes use of voicemail. Not as trendy, but potentially effective for the naive and uninformed.

So take care over the holidays - and beyond - watch out for smishing and vishing! For more, check out this link.

Tuesday, November 30, 2010

Some Basics on Data Protection

Verizon recently released a report in which it concluded that data security has not improved since it began its current series of surveys in 2008. It's a short time, but nevertheless, one would hope that there would have been some improvement, especially in view of the widely reported data breaches that have occurred during that period.

Even more surprising is the series of recommendations they put forward. These are recommendations that IT Auditors and security experts have been making for many years. A panel from Computerworld put together  four basic points:

1. Don't just log, monitor - Logging by itself accomplishes nothing; the results need to be monitored.
2. Tweak your network configuration - constant addition of new applications and upgrades can change the system by adding in unexpected defaults. These need to be reviewed and perhaps changed.
3. Educate your users - User understanding of the system its security routines is critical. As is the development of a strong security culture.
4.  Document and monitor access privileges - So fundamental. Security management needs a record of which users have access to sensitive data or functionality and those users need to be monitored. The current Wikileaks case, where a soldier in a remote base downloaded confidential documents to CDs is a case in point.

The Verizon report said that 64% of the data breaches could have been prevented with the use of these simple procedures. When will we ever learn?? Click this link for a report on these four security measures.

Monday, November 29, 2010

Security Holding up Cloud Adoption

The recently announced second annual Mimecast Cloud Barometer Survey, conducted by Loudhouse Research, finds that 74 percent of IT departments surveyed point to the trade-off between cost and IT security, and 62 percent indicate a risk in storing data on servers outside the business. For Canadian companies, the situation is complicated by the US Patriot Act. Most Cloud providers are US based, and many hold their data on servers in the US, which gives the authorities access to it under that act. There are concerns that this violates the provisions of the Canadian Privacy Act (PIPEDA). In any event it adds to the risk for Canadian companies and has contributed to slow cloud adoption, particular in the BI area.

Thursday, November 25, 2010

COSO Announces Project to Modernize Internal Control - Integrated Framework

Last week, the COSO committee announced that it would be updating the COSO framework. "The Committee of Sponsoring Organizations of the Treadway Commission (COSO) today (sic) announced a project to review and update the COSO Internal Control - Integrated Framework (Framework). This initiative is expected to make the existing Framework and related evaluation tools more relevant in the increasingly complex business environment so that organizations worldwide can better design, implement, and assess internal control."

The intention is to update the guidance to reflect changes in the environment, such as technological changes and regulator expectations, but not to change the fundamental principles of the framework. PwC has been hired to support the update, which is expected to be released in 2012. For the announcement, click this link.

Wednesday, November 24, 2010

Honeypots

Often a very useful and efficient intrusion detection device, honeypots have been around for a long time, but now are getting more sophisticated and complex.  Honeypots are devices (often just an old pc), connected to the internet or a network, which contain features designed to lure hackers. For example, they might contain fake bank login information of credit card information resident in places where hackers might look.

Software is available for honeypots, which not only sets up the lures, but also detects and records the activities of intruders. Any intruders are deemed to be suspicous.

Most systems connected to the internet should have honeypots. They are simple to install and cost effective to run, having virtually no maintenance cost.

For a series of excellent articles on honeypots as well as some reviews of current honeypot software, check out this link.

Sunday, November 21, 2010

Virtualization and the Cloud

The spread of cloud computing, particularly in the form of Infrastructure as a Service (IAAS), has been accompanied by a growth in virtualization. There has been a great deal written about the security implications of each, but not so much on the implications of both taken together, yet this is a common occurance.

CA has released a white paper that addresses this area. The white paper suggests the following:


"A comprehensive solution for privileged access management is required in order to mitigate the risks associated with the new breed of security considerations and satisfy auditors. Service providers delivering Infrastructure-as-a-Service will need to provide premium visibility and control features to their customers if they want to attract the enterprise market.

An effective solution must ensure limitations on privileged users performing authorized operations on the virtualization infrastructure. This reduces the risk associated with over-privileged accounts or external intrusions which may compromise the gateway to guest images. Machine-to-machine protection through network isolation should be supplemented by access enforcement amongst them."

A copy is available from this link. (Free registration required)

Monday, November 15, 2010

5 tips for effective cloud security


Security in the cloud remains a serious concern for many companies, particularly those who have private or sensitive information on their systems about customers. Overcoming that concern takes some foresight and planning. This article points out the following considerations:

·        1.  Find out as much as you can about a software-as-a-service provider's security measures and infrastructure. If you are going with an infrastructure-as-a-service provider, ask what tools it can provide you to protect your virtual environment.
·        2. Encrypt data at rest and in transit; otherwise, don't put sensitive information in the cloud.
·        3, Divvy up responsibilities between your administrators and the service provider's administrators, so no one has free access across all security layers.
·        4. Check whether a vendor has been accredited as meeting SAS 70 Type 2 and ISO 27001 security standards. If you are an international company, check for European Safe Harbor accreditation as well.
·        5. Go with a high-end service provider with an established security record. "You get what you pay for," says Gartner analyst Jay Heiser.

    
      For the Article, click this link.



Friday, November 12, 2010

IT Internal Audit Effectiveness

An IT Internal Audit department always has the risk of becoming mired in routine computer control functions, which don't change very much and are generally quite controllable anyway. Auditing conventional computer controls by rote can lead to a very ineffective IT audit function.

What is more important is to align the audits with the overall risk assessments of the enterprise. The IT audit function has a lot to offer in this area. It is an interactive process, with the auditors using the risk assessment as a guide and also providing input on areas where it can be improved.

Deloitte has published a series of CEO reports, one of which deals with the effectiveness of an IT Internal Audit (IT IA) function. The booklet provides numerous examples of risk areas that should be considered for inclusion in the audits, They include contract compliance, green IT, adaptability readiness, and readiness for upcoming regulatory changes. The guide also suggest strategies for using continuous monitoring techniques to improve the audits.

It is an excellent guide and is available on the Deloitte website for free download.

Thursday, November 11, 2010

Personal Use of Enterprise Related Mobile Devices

The use of mobile devices has proliferated in organizations, with some of them being owned by the enterprise and others owned by the individual employees. Either way, many of them are being used for personal purposes in addition to enterprise work. This is a matter of concern to organizations, partly because of the time that can be consumed through such activities on the job and partly because of the increased risk that such activities pose for increased phishing attacks on the organization, which carries the risk of loss of sensitive data.

A recent ISACA survey - 2010 Shopping on the Job - showed that 26% of companies surveyed in Canada believe that employees will use their work-related mobile devices for shopping to the tune of 1 - 2 hours during the coming Christmas season. The cost of this in lost time is perhaps $1500 - $2000, according to the survey.

A majority of companies have a policy with regard to personal use of such devices, but very few prohibit it. Probably a recognition of the unforceability of such a rule.

Mobile devices are common now, and growing in their use. Every company should at least have in its risk assessment a consideration of the risks related to mobile devices and specifically, personal use of them. Then appropriate policies can be developed. The results of the ISACA survey and the related white papers can be downloaded from the ISACA site.

Wednesday, November 10, 2010

The Importance of Logs

Most auditors are well aware of the importance of logs. However, many of their clients are not, and usually need to be reminded periodically.

Much of the literature on security breaches deals with prevention. And prevention is important, no question about that. However, breaks cannot always be prevented, and when they do occur, logs are critical to determine what happened, what vulnerabilities led to the success of the attack, and what can be done to prevent another one.

Logs often present an issue to system operators or management because they can slow down a system, and response time is even more important than it used to be, since users have little or no patience with slow responses. The issue, therefore, is to balance the security needs of the company with system performance.

When logs are turned on, they need to be configured to identify the systems for which data is to be gathered, specify the level of security to be used for key components of the system and establish the level of detail to be recorded for events.

The level of security and the level of detail gathered are crucial to the potential drag on system performance. They therefore need to be set according to the security strategy of the company and so as not to gather unnecessary data. So well planned configuration is the key. This article discusses this issue and provides some useful guidance.

Tuesday, November 9, 2010

Cloud Security

Security in the cloud has been a hot topic ever since that regime began. Many feel that security can be good. However, the mere question being asked in certain circumstances can be a business problem in itself. For example,

"I believe if you set it up correctly, the cloud can be as secure as anything else," says the CTO of a financial services startup. "But we don't want to have to waste time communicating to potential customers that the public cloud is secure. It's a conversation you don't want to have."

As a result of this concern, the company opted out of the cloud and went with a private co-location facility. While they felt that the security in the Amazon service they were using could be configured to be as secure as anything else, they feared the questions in customers minds could cost them business, and made their decision accordingly. For the full story, please see this article.

Thursday, November 4, 2010

The Responsibility is Yours

A new section of the Homeland Security Department in the US has launched a public campaign stressing that internet security begins with you - the user. The campaign is part of the President's efforts to improve on internet security, which increasingly is being regarded as a matter of national security.

The trouble is, telling people that they have some responsibility in an age when people refuse to accept responsibility for almost everything, is a tough message to get out. However there is a lot of validity to it. Just yesterday, there was another report of data being found in a dumpster. There have been several others this year. For example, medical records and some info from Macy's. How may times does this need to happen before companies implement and enforce proper data disposal procedures? It is one of the oldest problems in the age of computers (and even pre-computers), and yet hasn't yet been solved. Is there hope? Here's an article about the Homeland Security campaign.

Monday, November 1, 2010

Social Networking and Security - Are they compatible?

The question of the compatibility of good IT security and social Networking has been extensively discussed over the past couple of years and recently it was a big issue at the Interop NY 2010 Convention in New York City. Some of the sessions are quite instructive about the do's and don'ts of security in the social networking environment. One of them, Ben Rothke, Senior Security Consultant at British Telecom, began with the observation that the issue cannot be avoided because social networking has now gone mainstream.

He presented six steps to mitigate the risks. Of course, they include proper organization for social networking security, including setting up a specific security team, planning and identifying the risks inherent in the particular social networking systems being used. good common sense. There is a report on these ideas at this link.

Thursday, October 28, 2010

Preventing and Detecting Employee Fraud


"A former bookkeeper of a Sussex N.B. corner drugstore lands in jail for stealing $250,000 from her employer. Another bookkeeper for a rural group that brought electricity to Alberta farms pleaded guilty to paying herself 20 times her normal wages and pilfering nearly $100,000 from the co-op's coffers. In Saskatoon, an employee with access to a company's direct-deposit payroll system earns 18 months in jail for overpaying herself 48 times within a span of four years, bilking her company of no less than $334,000.

How can these types of frauds be prevented in a small business? By making sure that basic controls are in place - such as division of duties, proper monitoring, and making use of elementary report capabilities of accounting software. Here's a timely article on the matter.

Tuesday, October 26, 2010

Tokenization - A Solution to Data Loss

Many stories in recent years have featured the loss of sensitive data of clients or customers. Often this data involves credit card numbers and the like. Because of the frequency of these events, enterprises have been strengthening their security, particularly as it relates to mobile units, like laptops and smart phones.

A recent trend in protecting sensitive data being held by an enterprise is the use of tokenization. This involves saving the data in a separate secure server, called a vault, and then substituting a random number for the data within the enterprise records. With this approach, the data cannot be found on the records.

Tokenization is increasingly viewed as a useful approach to securing the system against sensitive data loss. To read more, please click here.

Friday, October 22, 2010

Cloud Security Gets Organized


Cloud security has become very important now that companies are outsourcing their critical data. As a result, organizations are forming to discuss the issues and provide guidance and even some standards to improve security in the cloud. One such organization is the Cloud Security Alliance (CSA) which was formed by representatives from a wide swath of the IT industry. None of the big traditional assurance firms are represented in the Alliance, although the Information Systems Audit and Control Association (ISACA) is one of the founding members.


The Alliance is beginning to have an impact. It is having conferences, with one recently held in October and one planned for February, 2011, and has issued guidance, the latest being Version 2.1 of its centerpiece “Security Guidance for Critical Areas of Focus in Cloud Computing” as well as a a paper on Identity and Access Management. Other important projects are underway.


Recently, the CSA took on CloudAudit as one of its projects. CloudAudit is a separate organization whose goal "is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology."


This initiative takes CSA firmly into the automated assurance space. All of this should lead to better security practices in the cloud. 

Wednesday, October 20, 2010

Data Security in the Cloud Begins at the Beginning

Companies that migrate their apps (and their data) to the cloud remain responsible for the security of their data. This simple fact means that security must be a concern from the time that the first negotiations begin for the outsourced service. As this article says,

"It is important to understand:
  • Where the data is being hosted. Data location needs to be part of the contractual agreement.
  • Who is managing data in which locations, including data classification, identity access, privacy and response controls.
  • How data is being segregated. The cloud provider should offer evidence that encryption schemes are in place and tested.
  • Whether data will be accessed beyond the cloud provider's data centers such as the corporate office or remote locations."
Additionally, there should be some assurance available from independent auditors, such as a Service Auditor's report on the system. Lack of availability of such a report should be a show stopper.

Tuesday, October 19, 2010

System Models vs Frameworks

For years, IS risk and assurance specialists have based much of their work on Frameworks. However, last year, ISACA introduced the Business Model for Information Security (BMIS) which is intended to change the way professionals approach information security.

The difference between frameworks and models is that frameworks set out a number of elements that then need to be applied to a particular business, while models define the relationships between those elements. The relationships may not always fit exactly the model of a particular business, but a model does provide, not only a good guide, but also a head start in determining the model for a particular system. A model also enables the professional to achieve a better balance between business needs and security needs, always a delicate balance.

Use of a model rather than a framework for tackling security issues provides a more holistic view of security issues, enabling the source of issues to be identified more quickly.

For an article on models vs frameworks, please click this link. (Registration required)

Friday, October 15, 2010

SPOM

Security Information and Event Management (SIEM) is a set of tools that has been around for some time, and the tools have been widely used. SIEM tools basically gather information from a system on security related matters and report on them. A significant criticism of SIEM has been that it reports on security events after the fact - when the horse is out of the barn.

A new set of security management tools, referred to as Security Posture Management (SPOM) attempts to address the shortcomings of SIEM by actually enabling a manager to input information such as acceptable risk levels and then configure the system to meet these levels. Subsequent monitoring provides analyses of the effects of configuration changes and various events on risk.

SPOM is a significant advance in security management and initiates a line of tools that hopefully will result in better security planning and management. For an article on these tools, please click this link.

Thursday, October 14, 2010

The New Normal Imperative: Secure Mobility

Source: SonicWALL
The economic downtown has forced many companies to rethink the way they approach IT. CIOs are increasingly being asked how they can drive competitive advantage through technology. Many organizations have recognized that workforce mobility and collaboration are important drivers of increased productivity. These forces are creating a new challenge: the need for dynamic security.

In this webcast, Phil Go, CIO of Barton Malow, discusses how this leading national construction firm is tackling these issues, along with the technology he is adopting to ensure mobile security.

Tuesday, October 12, 2010

Wireless Security Ramped Up by PCI Rules

"Beginning Sept. 30, Visa will require merchants and related businesses to conduct wireless security scans to prove compliance with version 1.2 of the PCI Data Security Standard (PCI DSS) which is designed to safeguard cardholder data from wireless threats."

The PCI DSS Wireless Guidelines were published in July 2009 and since then, vendors have been producing  tools to prove compliance. The rules were introduced after the Heartland Security Breach, in which more than 100,000 credit cards were compromised.

Credit Card fraud continues to be one of the most common types of fraud.

Monday, October 4, 2010

Managing privacy risk in the digital age

Information often imposes obligations to the organization, whether because a law or regulation requires it, or fiduciary duty demands it.

Privacy has an impact on the business risks and compliance of every enterprise, and more so for global entities. Management and boards of directors should ensure that their organizations are adequately positioned to manage privacy across the enterprise.

While privacy in earlier years may have been considered more of a marketing hook, focused on customer preferences, privacy in recent years is associated with the potential for abuse — inappropriate access to or exposure of information resulting in identity theft and fraud. This year we add to these alarming concerns the regulatory changes across the globe, as well as the lingering effect of the economic crisis.

- Quoted from Ernst & Young

For a copy of the latest white paper from E&Y on this topic, please click here.

Tuesday, September 28, 2010

ISACA Knowledge Center

There is a wealth of research available for download from the ISACA Knowledge Center. The site is presently highlighting the following studies:

The Data Leak Prevention paper covers a lot of the same ground as a recent white paper released by the CICA's Information Technology Advisory Committee (ITAC), called Data Centric Security, which is available on the CICA website.

There is a lot of useful information here for all IT Assurance practitioners and the data level works are particularly relevant in this modern mobile world..

Friday, September 24, 2010

Interoperable Security

Security across different platforms is an ongoing problem for administrators. Interoperability is a logical solution to the issue, but is dependent on software developers and is hard to come by.

Recently, a group of developers in Ottawa, who provide software to the government, have pledged to make their software security interoperable. They have even gone so far as to create a group: "Announced Wednesday, the Secure City Technology Alliance aims to capitalize on the increased security concerns since 9/11 for automated surveillance integrated with communications systems."

For more on this, see this article.

Tuesday, September 21, 2010

Single Sign-on for Internet Users

Single sign-on has been a successful way to combat the effects of multiple sign-ons and passwords that not only mean inefficiency but can actually weaken security. while single sign-on has been successful in many organizations for their internal systems, it has been implemented less often for SAAS systems, and internet based systems that link the enterprise and its customers, suppliers and other collaborators.

The white paper linked to this article, although proprietary, provides a good overview of how single sign-on works, including the use of SAML (Secure Assertion Markup Language) to create the background communications between systems that make it all work. The white paper makes an interesting and quick read. It can be downloaded from this site. Secure Internet Single Sign-On 101

Monday, September 20, 2010

US Government Issues Security Guidelines

The US Government has issued some guidelines for securing national systems, which it says could be adapted for private use. The first of three documents, described briefly below, has been released:

The Federal CIO's Guide to the Dynamic Data Center

The Federal Government data center is rapidly evolving to provide new services and capabilities that can greatly enhance the value of the agency's enterprise infrastructure. From a business perspective, it has become abundantly clear that if IT is going to act as a business driver, it is necessary to take control of the data center and leverage its capabilities and potential, making a Dynamic Data Center an organizational asset.

This report is available from this site.

Friday, September 17, 2010

New Challenges to Information Security

The world of information security continues to grow more complex and to evolve quickly. Of course, we hear a lot about the cloud, and the threats to security that it poses. Companies and cloud providers are starting to address this issue more effectively, but then there is a lot more going on in information security that need to be addressed as well.

Some of the trends have been obvious for some time. But being obvious doesn't decrease the threat. For example, the increasing sophistication of tools available to hackers, the increased linkages of company systems with those of customers, suppliers and others, that result in importing the security issues of those others to some extent. Not to mention the integration of mobile computing and all that is implied by that. All of these things work together to create an extremely challenging scene.

Some, perhaps many, professionals are saying that under present technology and systems configurations, it simply is not possible to protect against all threats. Although there is nothing new about this basic fact, it does mean that the importance of risk analysis and cost.benefit analysis of security measures has been growing even more important. And managements and boards need to understand this fact of security management. They shouldn't be asking if the systems are secure, but rather what threats have been identified and how have they been ranked in terms of importance. What are the remaining risks and are they acceptable. Boards need to understand the way threats and risks are managed. For a very good article on the current state of security management, see this article.

Monday, September 13, 2010

Blackberry Security Too Good?

The move by Saudi Arabia and India to challenge the use of the Blackberry on security grounds points to the strong security that the Blackberry has. The Blackberry was one of the first smart phones to employ a good encryption system, which makes transmissions unreadable by all but the intended recipient.

This is good for the parties to the communications, but obviously hampers the work of the police and the security services of a country. Terrorists and criminals can communicate undetected.

The US government had the same problem initially, but since then have worked out compromises and solutions. For a good summary of the issue, check out this article.  

Friday, September 10, 2010

Using Encryption to Prevent Data Leakage

Data loss arising from lost or uncontrolled laptops is an ongoing problem - in fact one that is continuing to grow. An important solution is the use of encryption, but many users don't know how to employ this important tool. This article in E-Commerce Times provides a good summary of considerations in applying encryption to your data on a laptop.

Tuesday, September 7, 2010

What Data Quality Means in Modern Times

 Anitesh Barua, a distinguished teaching professor and lead researcher at the University of Texas in Austin, has released a study which modifies traditional data quality models. "Barua has augmented the old data quality model with new attributes like intelligence, remote accessibility and sales mobility (data accessed through sales apps). He then measured 150 global Fortune 500 companies along these attributes as well as their overall performance to create a series of charts and graphs with which companies can measure certain financial metrics that are key indicators of competitiveness, health and profitability."


For a write-up on the study, click this link.

Friday, September 3, 2010

Security Questions to Ask Your Cloud Provider


NeoSpire's director of security, Sean Bruton, discusses the realities of cloud security and the key questions to ask when assessing a hosted or cloud service provider's claims.


Very timely and insightful. At this link.

Monday, August 30, 2010

Security and Risk Analysis Skills Becoming More Important


In an article in ITBusiness.ca, entitled "5 most sought-after IT skills of the future", the author points to the profile of contemporary computer uses, observing that while users are increasingly tech savvy, they know nothing about security. At the same time, security risks, and particularly privacy risks, are growing.


As the article states, "Since we're spending more and more time online, verifying users' identities and protecting privacy will be big challenges by 2020, because fewer interactions will be face-to-face, more personal information may be available online, and new technologies could make it easier to impersonate people, according to a report by PricewaterhouseCoopers.


"Teleworkers will also represent a larger portion of the workforce, opening up a slew of corporate security risks.


"We're in a dangerous place," because many employees are tech-savvy, yet they "don't understand the first thing about data security," Foote explains. "That will change in 2020," when companies will cast an even wider net over data security -- including the data center, Internet connectivity and remote access, he predicts."


Accordingly, the conclusion is reached that there will be a major demand for security professionals in the future.


The article also names risk management as one of the areas with a high demand in the future, for quite similar reasons, but also because of the growing impact of IT on general business risks.


You can check out the article at this site.

Friday, August 27, 2010

CloudAudit

Cloud computing has become a critical part of many systems from all sorts of viewpoints. Risk and security has been a major concern, and it is gradually being addressed. The question of auditing cloud systems is being addressed in some quarters, but is way behind what is needed.

A new standards organization - cloudaudit.org - supported by some 250 organizations involved in the cloud, has begun to establish standards for cloud audits. While the standards so far are far from completed, there is now enough to work with, and some organizations have begun to do so. Here is an overview article on cloudaudit.

Thursday, August 26, 2010

Vulnerability disclosures and Attacks Rise

A recent IBM report points out that vulnerability disclosures have increased during the past year as have certain kinds of attacks. Obfuscated attacks, which allow malicious code to be hidden, are up 52%.  Web apps account for 55% of the disclosed vulnerabilities. For a write up on the report, see this article.

Monday, August 23, 2010

Leveraging a Maturity Model to Achieve Proactive Compliance

This is a very thorough white paper by Symantec - timely and comprehensive.  Here is an excerpt from the introduction:

This paper examines how organizations can use a Capability Maturity Model to help achieve proactive compliance. It explores how an organization can move from the lower levels of the model, where the focus is typically on process alignment and mechanisms for assessing risk, to the higher levels where the needs of CIOs, CISOs and Compliance Managers are met through a combined focus on system availability, data security and compliance. Drawing on recent research from the IT Policy Compliance Group, the benefits of such operational excellence are quantified. Each level of the Capability Maturity Model is described, including recommendations for moving up to the next level. Guidelines are also provided for solutions to be adopted at each level in support of these recommendations. Finally, this paper highlights how
one Fortune 500 company realized significant cost-savings in the areas of audit scoping, preparation and testing as it moved towards adopting a truly proactive approach to compliance.

To download the paper, follow this link.

Friday, August 20, 2010

Security Concerns are Hampering Mobile Commerce

KPMG has released their annual survey on mobile commerce, which this year shows that there only 19% of the subjects surveyed are comfortable with using their mobile devices for the purchase of goods. The survey covered 300 people and found only 8% actually use their phones for the purchase of goods. Interestingly, the survey found that older people are less concerned about security, but then they use fewer mobile applications.

Security of mobile devices is a constant concern of systems administrators and IS auditors as well.

Here's a write-up on the KPMG survey.

Wednesday, August 18, 2010

ISACA e-Symposium:  Security, Privacy and eSecurity in the Cloud
Join ISACA on 24 August 2010, 11:00AM - 2:00PM EDT / 15:00 - 18:00 UTC, for the opportunity to earn up to 3 FREE CPE hours.
At this month's live e-Symposium we will be exploring security and privacy in the cloud, and discussing the IT and legal requirements for reviewing electronic data.  Join us on Tuesday, 24 August  to have all your questions answered by our experts, and hear them talk about relevant issues surrounding cloud computing at an exclusive round-table discussion following their presentations. For a complete program overview and to register, please click here.
e-Symposium Frequently Asked Questions (FAQs)
All live events are archived for on demand viewing. Detailed information on the ISACA e-Symposium—including registration information, on-demand (archive) viewing instructions, and an explanation of CPE credits—can be found by visiting the ISACA webcasts page and clicking on the "FAQ" link located in the left navigation pane.
If you are interested in presenting at a future e-symposium, sponsoring an e-symposium, or if you have suggestions for e-symposia topics, please contact us.
We hope you join us on 24 August for this FREE educational event!
Making VOIP Secure

VOIP has taken off in recent years as a technology for communications, but the means of making it secure have had trouble keeping up. VOIP has known insecurities, related to such aspects as buffer overflows and packet header issues. Making a VOIP application secure can be important to an organization.

This link sets out nine different steps that can be taken  to secure VOIP. The article also offers an excellent overview of the vulnerabilities of VOIP and how to address them.

Monday, August 16, 2010

Report Criticizes U.S. Network Security Abilities


"The Homeland Security Department's inspector general has issued a report that criticizes the U.S. Computer Emergency Readiness Team, saying the agency must share information about threats and trends more quickly and in greater detail with other federal departments so they can better protect themselves from a cyberattack."


Cyber Security has become a priority of the Obama administration in the face of ramped up activity by foreign governments and organized crime. this report will be taken seriously as a base on which to build a stronger security infrastructure. For more, click this link.

Friday, August 13, 2010

It's Not Just Printers That Pose a Risk

Recently, we ran a post pointing to the ever present potential of risk posed by printers attached to a system. While long a concern, this risk has grown along with the growth in the memory capacity and processing capability of printers.

But a recent interview with an expert points out that printers are not the only concern. "Network-attached peripherals include postage machines, UPS (Uninterruptible Power Supply) systems, Point-of-Sales systems, digital signs, security cameras, proximity readers, facility management systems, power, lighting, HVAC, and alarms."

Read more on InformationWeek.

Wednesday, August 11, 2010

Virtualization Carries its Risks

A common strategy for many organizations has been to virtualize its servers, by creating servers that are not tied to a particular piece of hardware. Virtualization provides a measure of flexibility and scalability, but also includes risks that need to be managed. For example, server administration software can allow a single administrator to create new servers. So a company could lose control of even the number of servers it is running. Also, while the virtual servers are not tied to particular hardware, they are in fact resident on some hardware somewhere. The question is whether that hardware is secure.

Questions like this need to be addressed in managing the control environment for a virtual server environment. This article provides a good summary of the issues.

Tuesday, August 10, 2010

Outsourcing Security Requires Careful Thought

Companies are outsourcing all kinds of apps and of necessity they need to outsource some of the security that goes with them. The question of which security services can be outsourced is one requiring careful thought. Those that require constant servicing or update, for example, may be better kept in-house.
for a thoughtful overview on this issue, check out this article.

Thursday, August 5, 2010

Data Retention Policies - A Dichotomy

An interesting statistic came out of a recent study put out by Symantec, based on a June 2010 survey of 1,680 senior IT and legal executives in 26 countries, conducted by Applied Research. A key finding showed that 87% of the executives felt that they should have a data retention policy but only 46% of them actually had one. Given the importance of data retention in these litigious times, that's amazing. One might assume that the executives are being hindered in doing what they think is right, either by budgets or by corporate policies. Too bad. Data retention is critical to an organization today, and a lack of appropriate policies will be costly in the long run. For a run-down on the study, see this link.

Wednesday, July 28, 2010

Hackers say Browsers are a Source of Private Data

Good hackers are always worth listening to. They generally have a very high skill level and love to talk about their conquests, which means they are a good source for identifying vulnerabilities in systems. At the Black Hat conference this week in Las Vegas, which is a conference of highly skilled hackers, a speaker pointed out that browsers can be used to obtain private information such as bank account login information if the "Auto Complete" function is turned on. It takes a special tool to extract the information, but nevertheless, one assumes that the tools are not hard for the hackers to obtain. It's well known that the history files in browsers present a similar risk, but the Auto Complete function is not as well known.

Useful people, those hackers! See a writeup on this presentation at this site.

Monday, July 26, 2010

Information Leakage

Increased use of a variety of new and powerful electronic units, like mobile smart phones and printers with hard drives point to a growth in the problem of information leakage. An organization can have reasonably good systems controls and procedures and yet be subject to information leakage because the new advanced devices bring in exposures that were never considered when the policies were put into place because they either didn't exist or weren't present in the system at that time.This short article in ISACA Now points to a few of the exposures and stresses the importance of awareness.

What information leakage means is increased vigilence is necessary when adding a device to a system. Vigilence to watch for features of the new device that can drain off information and then inadvertently expose it to unauthorized persons. It also means reviews with the objective of identifying information leakage risks and exposures.

Friday, July 23, 2010

ISSA International Conference Coming Up

The ISSA International Conference is scheduled for Sept 15th to 17th in Atlanta, Ga. The theme is Connect and Collaborate.

In the words of the organizers:

The CONNECT & COLLABORATE theme of the 2010 International Conference can be meaningful to information security professionals in a variety of ways: The world is becoming more CONNECTed and we must embrace this free exchange of information, yet maintain the safeguards to protect confidential data and personal privacy. We COLLABORATE in internal work groups to construct effective security while fostering productivity in the new world of mobile devices.  As Information Security professionals we are asked to CONNECT many different disciplines ranging from technical to legal compliance. And we COLLABORATE as a professional community sharing our hard won knowledge and valuable lessons learned through programs like the ISSA International Conference to deter breaches and cybercriminals.

For registration and more information, check out the site.

Wednesday, July 21, 2010

Deloitte Survey Focuses on Cyber-Warfare

Deloitte has released its 2010 Financial Services Survey, which heralds a new era in information security. The survey focuses on the fact that the major security threats are now coming not from kids in the basement but from organized crime and other countries with subversive intentions. These groups are pouring immense resources into their efforts.Of course, that raises the stakes for security professionals, and the survey is beginning to reflect some of this reality. For example, more companies have their chief security officer reporting directly to the CIO.

The survey is comprehensive and part of it reports on the top security issues for 2010. These include governance and budgets (no surprise there). Some of the companies are raising their budgets, however, despite the recession, although some of this reflects a coming out of the recession, such as companies in Canada, where the recovery has been strong and earlier than in many other countries.

The survey is a must read for security professionals. It can be downloaded from the Deloitte site, and on the same page there is also a 20 minutes discussion of the results.

Tuesday, July 20, 2010

Using the Cloud to Address Cloud Security

The cloud has raised security concerns to higher levels, and become the focus of a new generation of hackers. But the cloud, through the use of viral computers, has tremendous computing capacity as well - capacity that can be used to fight the hackers. A new service does just that.

"The service, known as WPA Cracker, is one of the first hacking services to rely on cloud computing. WPA Cracker went live on Monday--it uses pay-as-you go cloud computing resources to search for an encrypted WiFi Protected Access (WPA) password from 135 million different possibilities, says creator and hacker Moxie Marlinspike. Normally the task would take a single computer about five days, but WPA Cracker uses a cluster of 400 virtual computers and high-performance computing techniques. It takes only 20 minutes, he says."

The cloud is a logical venue for a security dogfight. But new services like this one will benefit all users, whether in the cloud or not. For an interesting article on WPA Cracker, see this site.

Thursday, July 15, 2010

Dangers of Outsourcing

Although there are constant reminders out there, many companies still don't seem to realize that while you can outsource IT functionality, you can't outsource security, much less responsibility for it. A recent Gartner Report shows that this is one of the vague areas in many outsourcing contracts.

Lawleaf, a web-based financial services company, outsourced its IT functions - obviously very critical to its operations - and suffered a massive SGL injection attack that compromised its systems and almost put it out of business. It makes an interesting case study, which is outlined at this site.

Wednesday, July 14, 2010

Training Staff in Mobile Computing

Mobility is the new standard business practice. There is no getting away from it. It's convenient and makes staff more productive. But there are risks, and no matter how many controls have been put into place, such as required VPNs and skeleton laptops, the staff themselves need to take precautions from having the data or the hardware hijacked.

These precautions range from simply taking care of the actual hardware to prevent it being stolen to not doing business over public networks to turning off wireless and bluetooth functions when they are not in use.

It's important that staff be trained in this usage and, to the extent possible, that compliance procedures be put in place. For an excellent article on the precautions that should be considered, follow this link.

Friday, July 9, 2010

SSL Configuration in Critical

Almost every website out there uses SSL in some way for security. In fact, its used so much and has such a good reputation, that people tend to ignore it and don't pay attention to its shortfalls - or at least shortfalls in the way in which it is installed.

There is scope for a periodic review of any SSL installation, to see which version of SSL is used (whether it's up to date), configuration weaknesses in the type of Web server being used and configuration issues such as cipher suites and protocol support.

Not only can such a review improve security, it can avoid scaring customers away with false security messages, such as invalid certificates.

For an article on this idea, check out this link.

Wednesday, July 7, 2010

2010 Survey of 250 Professionals

A survey done in 2010 by nCircle of 250 security professionals finds that the leading security concern for 2010 is meeting security compliance requirements, and more than 94 percent of respondents said they expect security breaches to increase in 2010. On the positive side, more than 66 percent of respondents feel their executives are more aware of security issues than they were a year ago.

The survey covers a wide range of security concerns, from cloud computing to mobile computing to social networks. It's a very contemporary view of the current IT security scene. You can download the report from this site.

Friday, July 2, 2010

Point of Sale Systems Pose a Threat

Hackers have been exploiting point of sale systems that store credit card data and also are connected to the Internet. this is done by guessing the password that is used for remote administration of the system or else exploiting known bugs in the particular system.

A recent casualty is Destination Hotels & Resorts, a high-end chain best known for its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii. Hackers may have stolen the credit card numbers of guests who have stayed there. How many is anybody's guess, apparently. Similar episodes have occurred at Wyndhams, another big hotel chain. For a report on the latest, see this link.  

It points to the need for good security over such systems, including strong access control over admin accounts and staying on top of system bugs and the related vulnerabilities.

Tuesday, June 29, 2010

Preparation  for Audits is Critical

All auditors know that preparation and planning for an audit is essential to running a smooth audit. It's also essential for the client to prepare because they are always asked for information, data and reports that they need to dig up and that are sometimes hard to get. A little planning can make things easier for both auditor and client.

The auditor can help with the client's planning activities. While its true that the client should know, after a couple of audits, what the auditor will want, nevertheless it is a sad fact of life that they don't always keep track of it and so every audit becomes a scramble to answer the auditors' requests.

Therefore the auditors need to provide the client with advance notice of their needs. While this is fundamental, it is sometimes overlooked, and especially in IT audits, can lead to frustrating delays in the audit and frustration for all involved. For more on this topic, click here.

Monday, June 28, 2010

Cyber War

There's a new role for IS Auditors - Helping to prevent a global cyber war. it's no secret that hacker organizations and cyber terrorists have gone global and that countries are increasingly vulnerable to attacks that could disable many of their key infrastructure elements, like transportation, media, etc.

This is a risk that needs to be addressed and is being addressed by major departments and organizations responsible for national security. Many of the traditional techniques of IS Auditors, such as risk and threat analysis are fundamental to implementing the necessary preventative measures. Check out the linked set of articles, and in particular the security video at the bottom of the linked page.

Thursday, June 24, 2010

The ISACA Knowledge Center

ISACA has a Knowledge Center on its website of which some who are involved in IS Assurance may not be aware. Here is the link. The Knowledge Center contains a wealth of information about over 100 topics that can be searched on the site. It also enables members to discuss with other members such topics, their experiences and IS Assurance generally. it's a useful resource for IS Assurance Professionals.

Tuesday, June 22, 2010

The Internet Fraud Alert Center


"Microsoft has spearheaded the formation of the Internet Fraud Alert center, to be managed by the National Cyber-Forensics & Training Alliance. The coalition aims to combat cybercrime, malware, fraud and the misuse of personal data. The data-protection group will serve as a specific process for reporting discoveries of stolen data caches." See this website for more.


Monday, June 21, 2010

Web Bug from http://isaca.informz.net/isaca/data/images/shim.gif
Web Bug from http://isaca.informz.net/isaca/data/images/shim.gif
ISACA's Virtual Seminar and Tradeshow is Tomorrow
Time is running out to register for ISACA's Vrtual Seminar and Tradeshow:  Building a Better GRC Program.  
When: TOMORROW (Tuesday, 22 June 2010), 9:00am – 4:00pm (EDT) (13:00 GMT)
Where:  Your computer
Learn how to get the most out of your GRC strategy by aligning business and corporate governance of IT, and earn up to 4 CPE hours by attending this FREE educational event.
At this online, all-day event you can participate in educational sessions presented by knowledgeable speakers. Plus, you can explore the exhibit hall in between sessions where you can visit exhibitor booths, and interact with sponsors, other ISACA members, and ISACA staff.
Click here for tips on registering, checking your system, and to contact support.
Share Via: Share on Facebook Share on LinkedIn Shared on Twitter
Web Bug from http://isaca.informz.net/isaca/data/images/shim.gif

Friday, June 18, 2010

Reporting Lost Credit Cards

When credit card numbers are lost or compromised, there needs to be a way to report them to banks and outlets so they won't be used illegally. In the past, a program called Cardcops has been used for this purpose.

Microsoft is now promoting the use of a new program, which it hopes will be successful because of its speed in reporting, which is often important in cases of fraud. See this write-up on the new program.

Thursday, June 17, 2010

Cloud Security - A New Approach to Risk Management

The advent of cloud computing has caused security professionals to revisit their risk assessment profiles. There is more risk, this is clear, and therefore there needs to be a closer evaluation of which risks are acceptable and which are not. That;s one difference caused by the cloud.

But it runs a lot deeper than that. Cloud computing means that the enterprises are outsourcing the basic infrastructure to an outside party, therefore they no longer control the infrastructure. Many of the traditional security measures focus on the infrastructure. Also, the ability of the user enterprise to test the system is often limited.

This new environment means that there must be more attention paid to the applications being used. Which in turn means the security professionals need to have a greater understanding of their business and how those needs translate into applications deployment.

This is a challenging arena, and many of the answers are being worked out. Recently, at the RSA Conference in San Francisco, a panel addressed these issues. A transcript and podcast of the discussion can be found on this website.  

Wednesday, June 16, 2010

Including Corporate Secrets in Risk Analysis

Companies usually have secrets that are valuable to them. Coca Cola's recipe, for example. Or earnings projections. This can be distinguished from custodial information, such as payroll data. In a new RSA study, the relative worth of corporate secrets is examined and the attention given to them by corporate security programs is measured. It was found that companies pay less attention to secrets even though they are generally worth more to the company than private custodial data. The research points the way to a different focus on corporate risk analysis. For a download of the paper, click this link.