Sunday, January 20, 2013

Unauthorized Access to China? Value of IT Audits and Control Frameworks

Various media sites and blogs, including the BBC, picked up on the story reported by this blog about one enterprising individual who decided to apply what all the major manufacturing companies and service companies are doing: outsource work to cheap labour pools in China (and also India). According to the Verizon post, the individual would basically show his face at work and surf the Internet, while the developers in China were doing all the hard work. Although many have attacked him as being lazy and "scamming" the system, the reality is that many enterprises, such as Apple, depend on such strategies for their profitability. Regardless of this debate, ultimately the individual violated his agreement with the company. (I am assuming that he had standard terms of employment that required him to do the work assigned to him and not to provide his credentials to unauthorized users.)

From an information security risk and control perspective, this story is a good one for IT audit and security practitioners to use to highlight the importance of IT control frameworks, risk analysis and audits. The company discovered the issue because it was reviewing its security logs. As Andrew Valentine notes in the original Verizon security blog post that reported the incident: "In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review)." Effectively, the DBIR acted as a control framework. It illustrated the importance of best practices to those that read it. And this is ultimately the role of IT control frameworks. COBIT, Trust Services and ISO 27001/2 all identify the need to log access and review such access. COBIT 4.1, published by the Information Systems Audit and Control Association (ISACA), identifies the following control in its framework:

DS5.5 Security Testing, Surveillance and Monitoring
"Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed."

Trust Services, jointly published by AICPA and the CICA, requires the following (See the Security Principle, 3.2(g) on page 10):
 "The information security team, under the direction of the CIO, maintains access to firewall and other logs, as well as access to any storage media. Any access is logged and reviewed in accordance with the company’s IT policies."

ISO 27001/2 requires "Audit logging" under 10.10.1. See page 5 of this sales document from Splunk, a big data company that analyzes logs. ISO keeps this document confidential and so no direct link to the control could be provided.

The other important aspect of this story is that the individuals who read Verizon's DBIR understood how the control related to a specific risk (if you read the report, the information security controls identified are linked to the risks they manage). Consequently, to get buy-in, IS assurance professionals need to link the IT controls or frameworks to the risks they address. Presenting controls in isolation fails to illustrate the importance of such controls. It would be interesting if ISACA could either team with Verizon to publish the next report or actually map the report to its framework.

Finally, Verizon's work illustrates the importance of IT audit. Organizations that want to keep on top of security threats and risks need to have competent security and risk professionals that can investigate and analyze risks when they are identified.
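The kind of VPN log review described above can be sketched in a few lines. This is an added example, not code from the original post or from Verizon: the log format, the accounts, the addresses and the per-user country baseline are all constructed, and it assumes the concentrator records have already been enriched with a GeoIP country code.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample: VPN concentrator session records with a GeoIP country
# code already attached. Format and values are invented for illustration.
SAMPLE_LOG = """\
user,src_ip,country,start,end
alice,198.51.100.10,US,2012-05-07T08:55,2012-05-07T17:05
bob,203.0.113.7,CN,2012-05-07T09:00,2012-05-07T17:00
bob,198.51.100.22,US,2012-05-07T12:30,2012-05-07T13:00
carol,192.0.2.44,CA,2012-05-07T10:00,2012-05-07T11:00
"""

# Assumed baseline: countries each account is expected to connect from.
EXPECTED = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "CA"}}

def load_sessions(text):
    """Parse the CSV records and convert start/end to datetime objects."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["start"] = datetime.fromisoformat(r["start"])
        r["end"] = datetime.fromisoformat(r["end"])
    return rows

def review(sessions, expected):
    """Return findings for out-of-baseline countries and shared-credential signs."""
    findings = []
    by_user = {}
    for s in sessions:
        # Accounts missing from the baseline are flagged rather than ignored.
        if s["country"] not in expected.get(s["user"], set()):
            findings.append(("unexpected_country", s["user"], s["src_ip"], s["country"]))
        by_user.setdefault(s["user"], []).append(s)
    for user, items in by_user.items():
        items.sort(key=lambda s: s["start"])
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b["start"] >= a["end"]:
                    break  # sorted by start, so no later session overlaps a
                if a["src_ip"] != b["src_ip"]:
                    # One account active from two addresses at the same time.
                    findings.append(("concurrent_sessions", user, a["src_ip"], b["src_ip"]))
    return findings

if __name__ == "__main__":
    for finding in review(load_sessions(SAMPLE_LOG), EXPECTED):
        print(finding)
```

Either finding is a prompt for the investigation step the post describes, not proof of misuse on its own.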

Sunday, January 13, 2013

Auditing the Media: Was CNET's CES coverage complete?

As noted in the Tech News Today (TNT) report on Friday, CNET's parent CBS banned its staff from giving Dish's "Hopper" an award as part of their reporting on the Consumer Electronics Show that just wrapped up last week. As reported by CNN, the bottom of CNET's 'Best of 2013' page notes the following:

"The Dish Hopper with Sling was removed from consideration due to active litigation involving our parent company CBS Corp. We will no longer be reviewing products manufactured by companies with which we are in litigation with respect to such products."

Some may point to this as a legal risk management move: CBS had to stop CNET from awarding this to Dish to avoid it being used against them in court. However, Ayaz Akhtar, a non-practicing lawyer and host of TNT, noted in his commentary on the issue that CNET awarding a prize would have little impact on the course of litigation (but listen to the show for the proper context and for how he worded this. He's careful to avoid any misrepresentation and it's not an exact quote).

The real issue, in my humble opinion, is whether the media can be relied on to report on issues objectively. One could say that CNET's lack of independence on the matter makes their reporting of CES lack objectivity. This is the standard of care that a financial auditor is held to when auditing a company. For example, auditors are prevented from holding stock in companies that they audit. Should the media be held to the same standard?

For me this incident illustrates how the concepts of financial information integrity are portable to other arenas, such as understanding news coverage. Financial information produced by companies listed on stock exchanges is subjected to intense scrutiny and regulation. Accountants/auditors were required to develop a framework to analyze how financial information can be provided to investors in a reliable manner that enables them to make effective investment allocation decisions. This financial "information production" process is essentially similar to the "information production" process of the media: data is gathered, summarized and presented to the user/reader to make a decision. The latter is the key difference. For example, if someone is going to rely on CNET's CES coverage to understand the best products out there, then they could make an erroneous decision because CNET did not cover Dish's product.

The following is a list of audit objectives (i.e. completeness, accuracy, etc.) that financial information must meet in order to be reliable for decision-making purposes.

  • Completeness – is the information presented complete, i.e. everything that is out there is included in the medium
  • Accuracy – is the information congruent with the original event
  • Timely – was the information reported in a timely manner, to be useful to the user
  • Validity – does the information faithfully represent the underlying reality that is presented

Another important concept, especially for media coverage, is that of "presentation & disclosure": is the presentation of the information impartial? In financial statements, companies may engage in transactions to alter the presentation of items, e.g. bury accounts payable into accounts receivable so the user won't be able to accurately assess the ratio of current assets to current liabilities. Media has a greater ability to do this. And I don't mean to pick on the CNET people because they at least tried to inform the reader about their bias, but the statement they mentioned is at the bottom and not at the top. That is, some readers may miss it.

Overall, it's hard to say whether the coverage lacked integrity and more specifically was "incomplete". On the one hand, one could argue their analysis was incomplete because they excluded Dish's product. However, they did provide full disclosure, although it is buried at the bottom. And one can easily search for Dish's product on the Internet and see what other reviewers are saying (e.g. PCMag's review). But it does illustrate that media consumers need to be aware of such risks and do their best to understand where corporate conflicts exist and how such coverage can be biased.

Sunday, January 6, 2013

Social Media & Privacy: The Return of the Village

Some of you with connections to the younger folk may have heard of SnapChat. The promise of the application was that it would allow its users to share images that would be deleted within a few seconds of being transmitted. A similar app and function is offered by Facebook, called Poke. The hope was that such an app would protect the privacy of the users by maintaining the confidentiality of the messages sent. However, CNET uncovered (based on the blog BuzzFeed FWD) that it is quite easy to get around the controls:
"an iPhone user simply has to plug the smartphone into a computer, navigate to the phone's internal storage, and find the folders for Snapchat and Poke where the videos are stored locally. The user can then copy the videos from the phone to the computer to sneak a peek at them. In BuzzFeed's testing, this bug applied only to videos; photos didn't appear to show up."

The workaround, if you will, illustrates something that we know: there is always a way around these controls and therefore they offer limited privacy protection at best. The reality is that once something gets online it's out there forever.

I try to make the next generation of accounting students aware of the risks during the Masters course I teach at the University of Waterloo by getting them to pull articles on how posting on Facebook can undermine one's career and professional prospects. (Here is a blog that compiles social media faux pas that result in one losing one's job.) As the then CEO of Sun Microsystems (now owned by Oracle), Scott McNealy stated (back in 1999), "You have zero privacy anyway. Get over it."

Over the summer, I had some time to think about privacy and social media as I was researching the phenomenon. One of the thoughts that struck me was that social media actually represents the "Return of the Village". Being an urbanite myself, I am used to living in the city or the burbs where people "mind their business". However, that's not how life is in the traditional village. In the village, everybody knows everybody and word gets around quickly about people's affairs. There, just as in the online world, if you don't want anyone to know something, don't tell anyone about it. Consequently, privacy has always been limited in a village context. However, as Jeff Jarvis touts in his book Public Parts, there are benefits to living life publicly. In other words, by living in the "online village" we get the benefits of community that were hard to find living in the more individualistic urban setting. A couple examples that illustrate this concept:

When developing a controls strategy around social media it is important to keep the human element at the focus of the strategy. As illustrated by SnapChat, technology-centric controls can be easily circumvented. Furthermore, when considering the risks of employees contributing online it is important to remember that it is hard to segment one's professional world in the corporate cubicle from one's personal life. Consequently, governance and controls need to address the personnel rather than relying solely on technological solutions, such as data loss prevention tools. For example, Microsoft relies essentially on its people to police themselves and to post things that are in line with Microsoft's corporate culture. In other words, the techno-centric solutions can supplement governance controls but they don't supplant them.

Protecting oneself from privacy breaches requires vigilance. Some totally avoid being on a social network for just this reason. That being said, such people are in the minority (I poll students annually as to whether they are on Facebook: a handful give it up because it is a waste of time. I've found 1 or 2 people who've given it up for privacy reasons). Others try to mitigate such risks through "social controls". For example, in The Facebook Effect, the author notes how colleges have no-cellphone and no-camera parties to keep illegal activities from finding their way online. It may seem like a weak control because anyone can sneak a camera into the party. What this misses is that the control is social in nature: people won't take pictures because they want to be invited to the next party!

Ultimately, the real test of social media will be how it is used against people who do not conform to the norm. For example, what would happen if employers discriminate against people who support the Occupy Wall Street movement? If people go along with such discrimination, then social media essentially becomes a way to ensure conformity in society. Conversely, if such discrimination is opposed, then it would lead to a more open society as the threat of social sanction (e.g. being unable to find employment) is effectively removed.