Friday, July 29, 2011

Why has Information Security Gained Such a High Profile?

We hear about information security a great deal in the media and companies are focusing on it more strongly in their strategic plans. Why is this?

The first obvious answer lies in the large-scale nature of recent attacks on organizations such as Sony, Google, Citigroup and the IMF - the sheer numbers of people and organizations put at risk because of the exposure of their data to misuse. But to find real answers to the question, it is necessary to look a little deeper. For example, one of the answers is the proliferation of disruptive technologies, like the cloud and smartphones. Another is the mobility of data across platforms. Yet another is the large scale of resources put behind hacking activities, including allegations of State support for illegal online activity.

These are big issues, and each of them calls for a particular response. So how is an organization to respond to this complex and fast-moving environment? As a starting point, it seems the approach needs to be a strategic one. Nothing new here, but the strategy needs to be relevant to the challenges inherent in the new environment. Here the issue becomes more complex, especially in an era of tight budgets.

Deloitte Touche recently ran an interview with two of its Principals to discuss these issues. They place a high importance on a multi-dimensional view of the risks, and on prioritization, as part of a strategy. Check it out.

Tuesday, July 26, 2011

The Shifting Ground of Data Security

Several changes in the IT landscape of recent months, even years, have brought fundamental changes in the risk profiles of many organizations. The move to the cloud, of course, has been well documented and discussed from a security perspective. One Wharton Professor argues that the cloud movement has had the effect of placing vast amounts of data within easy proximity of single entry points, making the effort of hacking potentially much more rewarding. And so we have major new groups, backed by organized crime, even perhaps by countries, looking for massive rewards from hacking. Gaining access to a single website can yield huge amounts of useful information for the criminal, such as banking information or credit card data for thousands of people.

At the same time, governments are responding with mega programs, such as that of President Obama late last year.

Individual companies have much at stake and need to employ security precautions at the most effective level. But the question is whether they are doing that, or even trying very hard. Some think they are simply assessing the risks and hoping for the best (an unfounded view perhaps, but also one that perhaps needs some more study). Some think that it has gotten to the point that no company can possibly protect itself.

The new high stakes environment certainly adds risks and should serve to focus the response to those risks, with the knowledge that attacks are likely to be of the highest sophistication and directed to the biggest targets.

This is the new world of IT Security in the age of the cloud. More at the Wharton Site.

Tuesday, July 19, 2011

Cloud Security Alliance Updating Guidance

The Cloud Security Alliance is a group formed to promote best practices in the provision of assurance in the cloud environment. Its guidance has achieved a good deal of respectability in its brief life.

Recently, the CSA launched an initiative to find volunteers to update its initial guidance. To help potential volunteers, it released the CSA Cloud Controls Matrix, which can be downloaded from its website.

Assurance in the cloud has become a major field and is one where the best of standards are needed. The CSA guidance is one of several sets of guidance being offered for cloud security purposes. Others include ISO 27001/27002, ISACA COBIT, PCI, NIST and the AICPA's new SOC 1 and 2. Hopefully, better security in the cloud will emerge from all this effort.

Saturday, July 16, 2011

Compliance et al

Recently, ISACA conducted a survey of the top business issues facing enterprise IT. The list is of course directed primarily to the concerns of IT Assurance providers and contains the following issues:
  • Regulatory compliance (Score: 4.6)
  • Enterprise-based IT management and governance (Score: 4.4)
  • Information security management (Score: 4.1)
  • Disaster recovery/business continuity (Score: 3.1)
  • Challenges of managing IT risks (Score: 2.5)
  • Vulnerability management (Score: 2.1)
  • Continuous process improvement and business agility (Score: 2.0)
Compliance has been a big issue since the SOX days, but shows no sign of abating. Assurance providers can expect to spend more of their time in this area for the foreseeable future. Nothing really new or startling in the list, but it does provide a good high level overview of where we are in the world of IT Assurance. See the press release here and the survey here.

Thursday, July 7, 2011

The Welcome End of SAS 70

On June 15, the AICPA released a new set of standards to replace Statement on Auditing Standards #70, fondly known as SAS 70. The old standard had been abused for years, being used for situations for which it was never intended and for which it was not particularly useful. SAS 70 originated in an era when companies began to get their accounts managed by outside organizations, known as service organizations. Auditors of the outsourcing companies were concerned that they did not have access to the systems used by the service organizations and therefore could not assess the risks arising from those systems that might affect their own report. They obtained SAS 70 reports to fill this gap.

SAS 70 was therefore designed for a rather limited purpose - to provide assurance on Internal Controls Over Financial Reporting, but it began to be used for other broader assurance on controls, often extending well beyond the limited scope of the original standard.

Accountants fretted for years about this abuse, but it went on and nothing concrete was ever done, other than a little tweaking of the basic standards and some cries of protest from members of the profession who were most involved in the service and who were actually following the standard.

The cloud changed all that. Suddenly companies were outsourcing whole systems and needing assurance on the systems which often extended well beyond financial reporting or even had little or nothing to do with it. The need for a broader standard became clear and pressing.

The AICPA, on June 15, released a new framework, SOC (Service Organization Control), which substantially extends the scope of these types of assurance engagements. The hope is that abuses will end and the new standards that follow in this framework will provide the needed service.

So far, there are some challenges in making the transition because company executives are so used to the idea of SAS 70 reports, and to obtaining them for situations where they really are not appropriate. So some education is needed, as well as a dedication by professional assurance providers to insist on selecting and following the appropriate standards.

For an excellent article on this area by the chair of the AICPA's Information Technology Executive Committee, follow this link.