Wednesday, April 30, 2008

SaaS and Security: Is Your Data Safe?

Software as a Service (SaaS) applications involve using applications resident on the web and often storing our data there as well. SaaS has grown rapidly over the past several months, but it raises many security and privacy issues, along with a loss of control over applications, service and support. This means companies using SaaS need to take precautions. This article summarizes some of them.

Tuesday, April 29, 2008

Information Assurance Revolution - By Peter A. Buxbaum - Military Information Technology

The US Department of Defense has launched a new approach to systems assurance. A considerable change from the previous approach, this new one, known by the acronym "DIACAP", reduces the documentation of system security and takes a system life cycle approach to security evaluation. It also requires annual assessments and continuous system monitoring, something that will become standard in many industries in the future.

Friday, April 25, 2008

IT Security Skills Falling Short

It's well known that there is a serious shortage of IS personnel. Young people, for whatever reason, just are not going into the area in sufficient numbers. Add to this the fact that those who are working in IS security functions are extremely busy and you have a real problem. A recent study by the Computing Technology Industry Association shows that security professionals just don't have the time to keep up to date with recent trends and techniques in the area. That's not a good sign, given the importance of strong security both for systems integrity and for protecting personal privacy.

Monday, April 21, 2008

Downloadable Research Reports - The Institute of Internal Auditors

The Institute of Internal Auditors (IIA) has long carried out good research. On their website at the following link is a list of downloadable research. It includes a variety of studies, including one on research opportunities in Internal Audit along with a supplement for IT systems. It's a good resource.

Friday, April 18, 2008

Web 2.0 Expo Preview: Businesses Waking Up To Web-Enabled Apps -- InformationWeek

We've heard a lot about Web 2.0 and the Semantic Web. Business has not embraced its potential as yet, partly and maybe mostly because of privacy and security concerns. Business use of the Semantic Web would involve making use of web-based applications, which have lots of potential both for systems scalability and for grave privacy and security problems. However, there is some thought out there that business is beginning to look more carefully at the potential for good, and at how the bad side of it can be controlled.

Virtualization

Virtualization has been a hot topic in IT management recently. It is an extension of the old virtual memory days, where usable memory is created that is not tied to a particular platform. Apply that concept to data, servers, networks, etc. and you have a powerful tool for sharing resources and optimising usage. The paper referenced below explores virtualization and its impact on systems, and makes the observation that it can be a help to security as well, because it shields specific resources from the eyes of hackers. It is hard for them to tell which resource they have compromised.

Wednesday, April 16, 2008

Cybercrime is in a state of flux

Fast Flux is the new way for cybercriminals to cover their tracks. Illustrated, somewhat, in the movie "Untraceable", the technique involves rapidly changing DNS records on servers, using peer-to-peer communication rather than a central command-and-control server, and encrypting the traffic to the bots planted in infected PCs. It makes it all but impossible to find and shut down the illicit sites/servers, which translates into higher rates of cybercrime in the future.
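From the defender's side, the rapidly changing DNS records described above are also what makes fast flux detectable at a resolver. The following is an added example, not part of the original post: a small Python triage heuristic over constructed resolver log records that flags names whose A records churn quickly, carry short TTLs, and scatter across unrelated networks. The names, addresses and thresholds are all constructed or assumed, not real indicators.

```python
"""Fast-flux triage heuristic over resolver logs (constructed sample data, not real indicators)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records: (queried name, returned A record, TTL in seconds).
# The .invalid TLD and RFC 5737 documentation ranges guarantee these are not real hosts.
SAMPLE = [
    ("cdn.example.invalid", "203.0.113.10", 3600),   # ordinary host: few, stable IPs, long TTL
    ("cdn.example.invalid", "203.0.113.11", 3600),
    ("cdn.example.invalid", "203.0.113.10", 3600),
    ("flux.example.invalid", "198.51.100.7", 120),   # fast-flux pattern: many IPs, short TTLs,
    ("flux.example.invalid", "192.0.2.44", 90),      # scattered across unrelated networks
    ("flux.example.invalid", "203.0.113.201", 150),
    ("flux.example.invalid", "198.51.100.99", 100),
    ("flux.example.invalid", "192.0.2.130", 60),
    ("flux.example.invalid", "203.0.113.77", 120),
]

def summarize(records):
    """Per name: distinct IPs, distinct /16 prefixes (crude stand-in for ASN diversity), mean TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for name, ip, ttl in records:
        ips[name].add(int(ip_address(ip)))   # integer form lets us mask the prefix below
        ttls[name].append(ttl)
    stats = {}
    for name, addrs in ips.items():
        prefixes = {a >> 16 for a in addrs}
        stats[name] = {
            "ips": len(addrs),
            "prefixes": len(prefixes),
            "mean_ttl": sum(ttls[name]) / len(ttls[name]),
        }
    return stats

def is_fast_flux(s, max_ttl=300, min_ips=5, min_prefixes=3):
    """Thresholds are assumed, not from the post. All three conditions must hold: a CDN often
    has low TTLs and many IPs but not the network scatter, so prefix diversity discriminates."""
    return s["mean_ttl"] <= max_ttl and s["ips"] >= min_ips and s["prefixes"] >= min_prefixes

def flag(records):
    """Return the names in records that match the fast-flux heuristic, sorted."""
    return sorted(n for n, s in summarize(records).items() if is_fast_flux(s))

if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(name, s, "FAST-FLUX?" if is_fast_flux(s) else "")
    print("flagged:", flag(SAMPLE))
```

On real logs the /16 grouping should be replaced with ASN lookups and the thresholds tuned against known CDN traffic, since this is a triage filter rather than a verdict.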

Monday, April 14, 2008

Enterprise@Risk: 2007 Privacy & Data Protection Survey | Security & Privacy | Identity Management | PII | Identity Theft - Deloitte LLP

A few months ago, Deloitte and the Ponemon Institute released their 2007 survey on Privacy and Data Protection. The survey reveals an increasing rate of data breaches and identity theft, as well as a growing sophistication in the means being used. The full report is available from this site: http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D182733%2C00.html

Saturday, April 12, 2008

Security 101: E-mail Encryption with PGP and GPG

E-mail represents a significant exposure for many systems. Not only do the messages contain information, but they often have attachments containing significant chunks of corporate data, often sensitive in nature. The answer is often to employ encryption so that the messages cannot be read by anyone but the intended recipient. PGP and GPG are the main contenders, with PGP generally costing more and GPG being open source but not running on all systems.

Thursday, April 10, 2008

Risk Advisory Services - Ernst & Young

Ernst & Young obtained feedback from 150 risk management and IT executives at global financial institutions on Information Technology and Risk Management in the Financial Services Sector. The result was the publication Information Technology Risk Management (PDF, 3.4 MB), dealing with the role IT plays in an organization's overall risk management structure. The analysis focuses on four key areas: convergence, common understanding of risks and controls, IT risk management investments, and risk reporting.

Tuesday, April 8, 2008

Security Checklists

Checklists are at the heart of IS auditing. While they don't provide all the answers, a good checklist provides a guide to the audit procedures to be followed, and helps to make sure that important elements are not forgotten. Good checklists are hard to come by, unless you are part of a very large organization. However, the Information Assurance Support Environment (IASE) has a number of useful checklists at the following website, on almost every aspect of IS assurance you can think of, from wireless to RACF to end-user controls. Check it out.

Monday, April 7, 2008

Leading Edge Practices 3-10-08

The ISO 17799 standard, released in 2005, provides a comprehensive approach to IS security. The IIA website at the following link has a summary of the standard and, more importantly, a couple of useful links where more information can be found.

Friday, April 4, 2008

IBM Research | IBM Technical Journals | IBM Systems Journal

The growth of the need for service innovation in the modern economy has led to the publication in IBM Systems Journal of a series of articles on service system analysis, design, implementation and delivery. Very timely material.

Tuesday, April 1, 2008

Aberdeen Group: Trusted Computing: Tune In, Turn It On

Aberdeen Group has released a report which shows that best-in-class companies have performed better than average in matters of security. The report, Trusted Computing: Tune In, Turn It On, can be downloaded free of charge from Aberdeen Group.