Tuesday, March 29, 2011

Controls Over Social Media

As enterprises venture more deeply into the use of social media, they are beginning to see the need for having comprehensive policies and controls over their use by enterprise personnel. Such control systems are viewed as an essential part of the overall control system within the enterprise.

ISACA has released an Audit/Assurance Program for social media. It is intended as a tool that auditors can use in providing assurance relating to the effectiveness of controls over the enterprise's social media policies and processes. Such a review, the Guide says, will focus on "governance, policies, procedures, training and awareness functions related to social media. Specifically, it will address:

  • Strategy and governance—policies and frameworks
  • People—training and awareness
  • Processes
  • Technology"

The program is constructed such that criteria would be based on COSO, as it is the most common framework in use. Auditors could also extend the program to cover the newer ERM Model. The program is intended to be a starting point for an auditor to develop appropriate programs in the circumstances. A comparison between these two frameworks is included. The guide also includes a maturity model evaluation and is aligned with the COBIT framework.

As the use by enterprises of social media grows, there will be an increased need to take the steps to ensure that the risks of such media are properly mitigated through the use of good control systems. This ISACA Guide is therefore very timely and will be very useful. To obtain it, click this link.

Monday, March 28, 2011

iPhone Security not so Secure

The Fraunhofer lab based in Darmstadt, Germany, tests a variety of products for security flaws. Among them was a recent test of iPhones and Androids. They found that both were not too difficult to break. In the case of the iPhone, they broke it with five simple steps. They do need possession of the phone. By removing the SIM card, they can gain access to the passwords for the email system, which in turn they find usually provides them with other passwords. They were able to bypass the encryption system completely. The Androids were even easier to break. That's just great! (irony). For a report on their test, check this site.

Tuesday, March 22, 2011

The Attack on RSA

RSA, which holds 70% of the market for encryption, recently suffered what they called a major sophisticated attack. Their systems were breached and some of the details of their encryption technology were stolen. At this point, nobody seems to know what exactly was stolen and what the impact might be.

Encryption of data has become the most important technique to preserve the integrity, security and privacy of corporate data. It has become both more important and more difficult since the advent of mobile units, cloud computing and data mobility. A breach of sensitive data could be catastrophic for an enterprise.

IT Security professionals are anxiously awaiting more news from RSA about what information was lost and what the implications might be. If the information is so extensive that an attack could be mounted against them, then they will need to change their encryption approach, or bolster it in some way. But at this point, they don't have enough information to be able to act.

It's not an event that inspires confidence in anything, and enterprises are understandably nervous. Here's a report on the breach.

Wednesday, March 16, 2011

Assurance for Cloud-based Systems

Gartner recently released a report entitled Gartner’s Top Predictions for IT Organizations and Users, 2011 and Beyond: IT’s Growing Transparency. In that report, there was a very notable prediction related to assurance. It stated: "By 2015, 80% of enterprises using external cloud services will demand independent certification that providers can restore operations and data."

Many readers will immediately think of the AICPA SAS 70 Reports. However, SAS 70 reports do not explicitly address non-financial controls and could not be counted upon to provide assurance in this respect.

The AICPA recognized this issue and the demand for assurance on Security, Availability, Processing Integrity, Confidentiality or Privacy and released new guidance specifically to deal with these engagements, generically referred to as SOC 2 Reports. SOC 1 reports (under SSAE 16) deal with financial controls and SOC 3 reports deal with the use of Trust Services seals for Service Organizations.

The new guidance, some of which is still in process of preparation, will enable assurance professionals to respond more effectively to the various needs for assurance on service organizations, which includes cloud providers.

Monday, March 14, 2011

KPMG Audit Committee Institute

KPMG established a worldwide network to provide resources and the opportunity for interaction for audit committees. The goal - to encourage better efficiency and effectiveness of audit committees and the corporate reporting process.

Each year, audit committee chairs and members are invited to join sessions where they make presentations and discuss issues. Reports on the proceedings and summary reports on the major issues are issued.

The reports for Winter 2011 from the Canadian Institute can be downloaded from its website. They contain results of surveys on the effectiveness of risk management as well as other timely issues. Well worth monitoring.

Tuesday, March 8, 2011

e-Discovery - Planning is Essential

Retrieval of electronic information as a result of discovery proceedings preparatory to a legal action is now an accepted element of legal proceedings. And given the expectations of courts and litigants regarding the ability to request and receive information, failure to deliver could be catastrophic.

An enterprise needs to identify the information that could be required in discovery proceedings and ensure its retention and security. This requires a careful evaluation of the risks of litigation and the information that could be relevant to such litigation.

When data are retrieved, it is important to preserve their integrity throughout the process. In addition, a company needs to be cognizant of the risk of inadvertently including linked or embedded information that may be superfluous or unnecessary in the particular case.

All of these considerations and more require a carefully constructed system of controls over the designated information. The ISACA white paper "Electronic Discovery" provides an excellent starting point for developing such a system. It can be downloaded here.

Monday, March 7, 2011

Is P2P Encryption the Answer to PCI Compliance?

Point to point encryption is an appealing solution to the issue of control over payment systems. Establishing the first point of encryption within the payment terminal itself ensures that the data are encrypted at the time of the initial transaction. If the final encryption point is set far enough back in the system, the data can be secured throughout its lifecycle.

This, however, is where P2P falls short of its objective. It is usually not practical to maintain the encryption throughout a system because the system components vary and are not all compatible with a single encryption standard.

But even the ability to encrypt at the point of capture is worthwhile, since it reduces the risk of fraud or error at the terminal. That is an important advantage in itself, and it can reduce the scope of a PCI audit by removing the terminal from the list of components that require detailed evaluation.

So while P2P Encryption may not be the whole answer, it makes a very good starting point, and can be used as a building block for an integrated and comprehensive security system down the road. For a good commentary on P2P, check out this article.
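As an added illustration of the scoping argument above (example code written for this page, not from the article it links to), the following Go program models a card record leaving a terminal and passing through store and corporate components to a processor. The terminal seals the record with AES-GCM and the processor opens it; a component counts as "in scope" if it ever handles a cleartext card number. The second scenario shows what the post warns about: a legacy store system that cannot consume ciphertext forces decryption mid-path, and every component after it is back in scope. The key, component names and sample record are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"regexp"
)

// Hop is one component on the payment path; Handle returns the bytes it forwards.
type Hop struct {
	Name   string
	Handle func(in []byte) []byte
}
var block, _ = aes.NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte demo key; a real terminal holds an HSM/DUKPT-managed key
var aead, _ = cipher.NewGCM(block)                                        // fixed-length key, so neither constructor can fail
var pan = regexp.MustCompile(`[0-9]{13,19}`)                              // crude cleartext-PAN detector, enough for the demo
// Seal is the first encryption point (the terminal): output is nonce || AES-GCM ciphertext.
func Seal(pt []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error on supported platforms
	return aead.Seal(nonce, nonce, pt, nil)
}
// Open is the final decryption point; a tampered or truncated record is rejected here.
func Open(ct []byte) []byte {
	pt, err := aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
	if err != nil {
		panic(err)
	}
	return pt
}
// InScope returns the components that saw a cleartext card number on input or output: whatever the rest of the path does, these stay in PCI scope.
func InScope(record []byte, path []Hop) []string {
	var scoped []string
	for _, h := range path {
		next := h.Handle(record)
		if pan.Match(record) || pan.Match(next) {
			scoped = append(scoped, h.Name)
		}
		record = next
	}
	return scoped
}
// Scenarios contrasts full P2PE (only terminal and processor touch cleartext) with a chain broken by a legacy store system that cannot consume ciphertext, as the post warns.
func Scenarios() (fullP2PE, brokenChain []string) {
	record := []byte("PAN=4111111111111111;EXP=1226;AMT=42.00") // constructed sample record
	pass := func(b []byte) []byte { return b }               // forwards bytes untouched
	fullP2PE = InScope(record, []Hop{{"terminal", Seal}, {"store-controller", pass}, {"gateway", pass}, {"processor", Open}})
	brokenChain = InScope(record, []Hop{{"terminal", Seal}, {"legacy-store-system", Open}, {"gateway", Seal}, {"processor", Open}})
	return
}
```

Scenarios() returns only the terminal and processor for the intact path, but all four components for the broken one.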

Friday, March 4, 2011

Cloud Security Carries Risk

Security in the cloud raises some delicate issues that don't exist elsewhere. The fundamental issue is that security is the responsibility of an enterprise, even when the security process is outsourced to a cloud provider. The responsibility lies with the enterprise, but the responsibility to actually carry out the security processes lies with the cloud provider.

That means the enterprise needs to ensure that the appropriate security procedures are being carried out but also needs to rely on the cloud provider to exercise those duties responsibly.

As with any outsourcing situation, the nature and strength of the agreement is critical. But the agreement can never completely remove any need for trust between the parties.

This interplay between trust and the need to verify what the provider is doing to meet its responsibilities is at the heart of an insightful article in The E-Commerce Times on Cloud Security.

Tuesday, March 1, 2011

Canadian Government Subjected to a Spear Phishing Attack

In late February, the Canadian Treasury Board and Department of Finance were the subject of a spear phishing attack. Spear phishing is a new technique in which the phishing message appears to come from a trusted person of authority within the organization - in this case within the department. The messages can therefore carry the authority of that person and if they are carefully crafted, their request can seem reasonable and well grounded.

Fortunately, in this case, the security apparatus in place enabled the intrusions to be detected and a lock-down was initiated to protect the data.

The incident points, however, to the ever-evolving sophistication of fraudulent activity and the need for intense vigilance to combat such activity. For an account of the attacks, check out this article.
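The mechanism described above, a message borrowing the display name of a trusted insider, is something a mail gateway can check for mechanically. The Go program below is an added example (not from the post or the linked article): it parses a raw message and flags a known display name paired with an address that person never sends from, and a Reply-To that diverts answers to another domain. The directory of trusted senders, the domains and both sample messages are constructed for the demo.

```go
package main

import (
	"net/mail"
	"strings"
)
// Constructed directory: display names staff trust, and the one address each sends from.
var trustedSenders = map[string]string{
	"deputy minister":           "dm@finance.example", // hypothetical addresses, not real ones
	"chief information officer": "cio@finance.example",
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// ImpersonationFlags parses a raw RFC 5322 message and returns the reasons it looks like
// an attempt to borrow an insider's authority; an empty result means nothing was flagged.
func ImpersonationFlags(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var flags []string
	// 1. A trusted display name attached to an address that person never uses.
	if legit, ok := trustedSenders[strings.ToLower(from.Name)]; ok && !strings.EqualFold(from.Address, legit) {
		flags = append(flags, "trusted display name on unexpected address "+from.Address)
	}
	// 2. Replies silently routed to a different domain than the visible sender.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if r, err := mail.ParseAddress(rt); err == nil && domainOf(r.Address) != domainOf(from.Address) {
			flags = append(flags, "Reply-To domain "+domainOf(r.Address)+" differs from From domain")
		}
	}
	return flags, nil
}

// Constructed sample messages for the checks above.
const Suspicious = "From: \"Deputy Minister\" <dm.office@webmail.example>\r\n" +
	"Reply-To: replies@another.example\r\n" +
	"To: staff@finance.example\r\nSubject: Urgent request\r\n\r\nPlease send the file today.\r\n"
const Legitimate = "From: \"Deputy Minister\" <dm@finance.example>\r\n" +
	"To: staff@finance.example\r\nSubject: Weekly update\r\n\r\nSee the intranet.\r\n"
```

Such checks are a coarse first filter; in practice they sit alongside SPF/DKIM/DMARC results and the sender's history rather than replacing them.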