Tuesday, November 29, 2011

Securing Employee-Owned Devices

Most enterprises are dealing with the proliferation of employee-owned devices (EODs) in the organization in different ways. Some ban them, but a growing number of companies recognize the undeniable productivity benefits of allowing them. That leaves the big question - how to secure them. One approach is to secure the data by encryption, as mentioned in a recent post on this blog. But this isn't always possible either.

Monitoring is a key approach for many companies. They establish a system for identifying the devices that are connecting and then a system for monitoring them. This allows a degree of flexibility that can help find an optimum level of productivity for the users. This article has more.

Wednesday, November 23, 2011

Why SAS 70 Was Replaced

Earlier in the year, SAS 70 was replaced with a new standard, SSAE No. 16, “Reporting on Controls at a Service Organization,” which provides for the issuance of SOC 1 reports. These deal with controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.

Originally, SAS 70 reports were intended for the use of auditors reporting on an organization that used service organizations to administer and run parts of its internal control system. However, they came to be used widely by IT auditors to report on the IT controls in those systems, and although they were not intended as general purpose reports, they were often circulated widely by the organizations that commissioned them to demonstrate that their systems were well controlled. Often this was for marketing purposes.

Now, service auditor reports for periods ending on or after June 15, 2011 are required to conform to the guidance contained in SSAE No. 16. Reports under SSAE No. 16 are referred to as SOC 1 reports, or “Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.” Use of these reports is still restricted to the management of the service organization, user entities and user auditors.

The new standards also provide for SOC 2 and SOC 3 reports. SOC 2 reports are called “Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy” and SOC 3 engagement reports are called “Trust Services Report for Service Organizations.” The latter are available as general purpose reports, which can therefore be released to the public.

The three types of reports are intended to meet the needs that have been indicated for controls-based reports, and hopefully will provide IT auditors with a set of standards that will be useful to them while not compromising the purpose of their reports. For an article on this change, see this link.

Wednesday, November 16, 2011

WiFi Security

Securing WiFi networks is a critical part of most systems. But this area, like others, has been changing rapidly. Also, business needs differ from those of personal users, where WiFi security has often been focused in the past. For example, businesses need to authorize new employees and to remove departing ones, which means that system-wide security needs to be flexible enough to accommodate this. Did you know that WEP and WPA are not sufficient for business-level security on WiFi networks? Or that 802.11 should be upgraded to 802.11i? This paper highlights a number of do's and don'ts for effective security.

Monday, November 14, 2011

Common Security Issues for Small Business
Something Old, Something New

The Globe and Mail recently published an article entitled "Ten most overlooked security threats for small businesses". It provides an interesting and valuable source for small businesses planning their security strategy. On the list, one will find all the old standards, which have been issues since time began - at least computer time. For example, it contains the items "Business interruptions due to backup data issues" and "Physical breaches and theft". But it also contains issues that are more recent in their origin, such as "Breaches caused by connecting (from) infected devices" and "Hijacked domain names". A useful article for many to consider.

Tuesday, November 8, 2011

Bring Your Own Device? Secure the Data

Inevitably, there has been growth in the number of personal devices being brought into the workplace, and they are data friendly: smartphones and tablets. Some companies are handling this trend as though the devices were company property, despite the fact that they have no right to do so, and fundamentally their efforts are doomed to failure.

The answer lies in an approach that has been right for some time, even before the infiltration of personal devices: data-centric security.

Under data-centric security, the focus of security policies and procedures is the data, not the devices. This has been the right way to go because data is increasingly mobile and it is difficult, if not impossible, to know where it is at any given time. So the data itself needs to be secured so that it does not really matter where it is.

The key to data-centric security (no pun intended) is encryption. It's not the only element - attention still needs to be paid to systems - but it's the most important one, because with encryption, data cannot be read by unauthorized people no matter where it is. This approach is essential with the proliferation of devices, including storage devices like memory sticks, but even more essential for managing data security in the age of BYOD.

See this article, for example.

Monday, November 7, 2011

PWC Global Security Survey

PWC has released its 14th global survey of the state of security for 2012. This survey is based on the responses of more than 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, VPs and directors of IT and information security from 138 countries.

It shows that the level of confidence in security activities is high, with 72% of the respondents indicating they are very confident or somewhat confident. On the other hand, the survey shows a degradation in certain security activities, which the report characterizes as troubling. Particular areas that have shown the biggest declines over the past three years are business continuity/disaster recovery planning, annual reviews of privacy policy and accurate inventories of data locations. For the latter, it could be that it is becoming impossible to describe the locations of data, since it moves around so quickly.

For the results of the survey, check out the PWC website.

Friday, November 4, 2011

Cloud-based Backup

One of the more popular cloud-based applications, in fact one that preceded the popularity of the cloud itself, is online backup. Services like Carbonite, IDrive, and Mozy have been widely used for years.

But are they safe? We all know about the successes of hackers in getting inside sophisticated and well protected systems. Why couldn't they hack into these services?

It's probably unwise to give a definitive answer in these days of ever more sophisticated hackers. However, there is every reason to suspect that such backups are very safe. The reason is the encryption these services all use, which is among the best available and gives you control over who can decrypt your data.

Time and again, encryption has been proven to be one of the most valuable security tools. Data is no good to hackers if they cannot read it. If they do manage to break into the cloud backup provider's system, they also need to break into your computer and steal your encryption keys. A difficult job.

It's much easier for them to break into your computer and steal your unencrypted data, because most people do not encrypt their hard drives. So arguably, your data is safer being backed up in the cloud.

Here's another take on the issue.

Tuesday, November 1, 2011

The UWCISA Biennial Research Symposium

The 2011 Symposium, hosted by the University of Waterloo Centre for Systems Assurance, took place on October 21 - 22, 2011. It was sponsored by the Canadian Institute of Chartered Accountants, Caseware IDEA Inc., ISACA's Toronto Chapter, and the International Journal of Accounting Information Systems.

Attended by numerous noted researchers in the Information Systems Assurance area, the symposium featured several state-of-the-art presentations and timely sessions.

The keynote presentation, "Information System Assurance Practices in China: Where they are and where are they going?", was presented by Philip Yang, a partner at PricewaterhouseCoopers in Beijing, China, and highlighted the international flavour of the event, which is indeed one of the world's top symposiums in the field.

Topical sessions included those on cloud security, privacy, and green IT. But there were many more. For the program listing and copies of the presentation slides, check this link.