Thursday, February 24, 2011

Reducing the Scope of PCI Audits Using Tokenization

PCI DSS puts in scope every system that stores, processes or transmits cardholder data, and any connected system that could affect its security. In practice, once card numbers are present in a network, the security of the whole network is in scope. This can be an onerous task, so auditors and companies have sought ways to reduce that scope.

One way that works is tokenization: the card number (PAN) is replaced with a token, a surrogate value that carries no card data and can be resolved back to the real number only by the tokenization service that holds the mapping (or the keys). The cardholder data itself is kept in that one hardened location.

The network segments that hold only tokens can then be carved out of the assessment. The caveat is that the token vault, and every system permitted to de-tokenize, stays firmly in scope, and the tokens must not be reversible without the vault.
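To make the mechanism concrete, here is an added example of a minimal token vault. It is written for this post and is not code from the white paper or any vendor; the class name, the vault key and the test card number (4111 1111 1111 1111, a well-known Luhn-valid test number) are illustrative. The tokens are random digits rather than a hash of the PAN, keep the last four digits for receipts, and are deliberately chosen to fail the Luhn check so they cannot be mistaken for a live card number.

```python
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by card numbers (the check digit is the last digit)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the one component that holds real PANs.

    Everything that can call detokenize() stays inside the PCI scope; a
    system that only ever sees the tokens holds no cardholder data.
    """

    def __init__(self, detokenize_key: bytes) -> None:
        self._pan_by_token: dict[str, str] = {}   # would be an encrypted store in production
        self._token_by_pan: dict[str, str] = {}
        self._key = detokenize_key

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:           # same card -> same token, so
            return self._token_by_pan[pan]      # reporting can still group by card
        while True:
            # Random digits, not a hash: an unkeyed hash of a PAN whose BIN is
            # known is brute-forceable, so it would not be a real token.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # last four kept for receipts and support
            # Reject a candidate that passes Luhn so the token cannot be mistaken
            # for a live card number, and reject collisions with existing tokens.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, presented_key: bytes) -> str:
        """Only a caller holding the vault key can get the PAN back."""
        if not hmac.compare_digest(presented_key, self._key):
            raise PermissionError("caller is not authorised to detokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    # Constructed example input: a well-known Luhn-valid test card number.
    vault = TokenVault(detokenize_key=b"vault-only-secret")
    token = vault.tokenize("4111 1111 1111 1111")
    print("order system stores:", token)   # random digits + last four; fails Luhn
    print("vault resolves:", vault.detokenize(token, b"vault-only-secret"))
```

The scoping argument rests on two properties the code makes visible: a token reveals nothing about the PAN beyond the last four digits, and de-tokenization needs a secret that only the vault's callers hold. Anything that holds that secret is, for audit purposes, part of the cardholder data environment.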

Tokenization is a useful solution to the issue of PCI audit scope. For a detailed paper on this topic, check out this reference. Registration is required to obtain the white paper.

Secure Cryptography for Enterprise Computing

Encryption has never been more important. As an ever-growing number of systems fall prey to malicious attack, encryption provides a last line of defense against data theft and other nefarious activities. In this Deep Dive, renowned security expert and InfoWorld contributing editor Roger Grimes provides a comprehensive guide to the uses, inner workings, weaknesses, and management issues related to encryption. For the white paper, click this link.

Thursday, February 17, 2011

The Growing Integration of Business and IT

Over the past few years, business, traditionally a reluctant partner of IT, has come to recognize that IT is fundamentally critical to corporate strategy. And much has changed. While many of the basic elements, such as desktop solutions, servers, multi-processors, laptops and so on are still in use, they have been enhanced and augmented by the cloud, mobile devices, social networking and the concomitant growth in the availability of reams of data, much of it unstructured, that is useful to the enterprise. And so the concept of data visualization grew into prominence as a means of capturing and using these vast amounts of data.

Much has changed in the technology, which has led to big changes in the management issues and in the way data can be used for strategic purposes. For example, the availability of unstructured data, properly visualized, can be used to enhance BI and CRM systems, among others, leading to better marketing and strategic decisions.

Among the major management issues that arise from these changes is that of privacy and security. When data become available through social networks, for example, they are consumed through data visualization, and the privacy that those data deserve is often not sufficiently considered when deciding how they are used. Security management in this new environment is often a nightmare. Not only is there often minimal security around the unstructured data being used, the security in the platforms and applications is scattered, varying and unreliable. To make it worse, it is often managed by different organizations because of the outsourcing involved. So the job of the security professional and the IS auditor is made more difficult.

Deloitte has released an excellent white paper reviewing all these changes, and providing expert direction on the strategic implications. Check it out with this link.

Wednesday, February 16, 2011

Security and the Cloud

IBM has released a white paper that explores in some depth the issues around attaining adequate security in the cloud. A significant issue raised is that much of the security in cloud apps is often outsourced, which passes control, but not responsibility, to another party. Also, there is a visibility problem, in that it is often difficult to know just where the data is located, making it difficult to determine what security is in place to protect it.

The paper explores these and other issues, and is a valuable addition to the literature on the subject. In addition, the paper provides a useful explanation as to just what the cloud is and the variations that are in use.

The paper can be downloaded free from this site.

Wednesday, February 9, 2011

Control Over Change Management

To say that change is inevitable is a cliche. Nevertheless, it remains a constant factor in the world of IT and of course in the world at large. Coping with change is one of the biggest challenges of management and, in IT, one of the serious risk exposures. Good control over change management remains a priority for most IT managements.

But change control cannot be managed in isolation. It is so important and pervasive that it needs to be swept into the bigger management picture.

That's why a paper released in 2009 by IBM remains relevant today. It sets out 5 CIO challenges that can be better met with better change control management. The paper shows the tight relationship between the CIO's job and change control. For that reason it's worth a read or a re-read. It's on this site.

Wednesday, February 2, 2011

An ISACA Guide on Mobile Security

Few areas in the past few years have challenged security professionals more than the growth of mobile devices and their relationship to corporate IT systems. Not only have mobile devices become ubiquitous, they have become more powerful and more involved in corporate decision making. So integration and security issues have become significant and even critical.

A guide released by ISACA last year addresses this area. It is intended to help organizations to:

"Implement a systematic approach to security in mobile application development with help from this practical guide. Featuring case studies, code examples and best practices, Mobile Application Security details how to protect against vulnerabilities in the latest smartphone and PDA platforms. Maximize isolation, lock down internal and removable storage, work with sandboxing and signing, and encrypt sensitive user information. Safeguards against viruses, worms, malware and buffer overflow exploits are also covered in this comprehensive resource.
  • Design highly isolated, secure and authenticated mobile applications
  • Use the Google Android emulator, debugger and third-party security tools
  • Configure Apple iPhone APIs to prevent overflow and SQL injection attacks
  • Employ private and public key cryptography on Windows Mobile devices
  • Enforce fine-grained security policies using the BlackBerry Enterprise Server
  • Plug holes in Java Mobile Edition, SymbianOS and WebOS applications
  • Test for XSS, CSRF, HTTP redirects and phishing attacks on WAP/Mobile HTML applications
  • Identify and eliminate threats from Bluetooth, SMS and GPS services"
The guide is an important one for security professionals and IT Auditors. 

Tuesday, February 1, 2011

Moving Ahead With Risk-Based Security Management

Risk based management of security has been a central tenet of building a security strategy for many years. But some companies do better than others with actually implementing it. They know the principles but get bogged down in the detail.

One of the potential problems is that there is a plethora of frameworks around which to build a strategy. For example, there are AS/NZS ISO 31000:2009, ISO 27005, COSO and OCEG. Choosing a framework can be difficult. And then there's the perennial question of whether it is the best one for the particular company, whether it needs to be adhered to strictly, and whether a change can be made later on to one of the others.

This article suggests that companies need to just get on with it - that they should choose the framework that seems to fit most naturally and then not shy away from change or deviation later on if it isn't working out well.

Every security strategy needs to be customized and the choice of a framework is simply a good starting point.