Friday, November 28, 2008

You Won't Get Fired for Outlawing IM - Business Center - PC World

The younger generation that is moving into the workplace now grew up on Instant Messaging. It's been their favourite way of communicating. Naturally, as they enter the workplace, the use of IM is growing quickly, raising the concerns of some security professionals because of the perceived lack of control around IM and the lack of an audit trail of communications. Some companies have even banned it, although that must be difficult to enforce. On the other hand, as this article points out, there are productivity gains to be realized from the use of IM, and the decision to ban it therefore comes at a cost. Security administrators need to think twice before banning IM. Not only are they bucking a trend that likely can't be bucked, they will lower their company's capacity for productivity. You Won't Get Fired for Outlawing IM - Business Center - PC World

Thursday, November 27, 2008

Opinion: Obama's BlackBerry is no security threat

In the past few weeks, there have been several articles saying that President-elect Obama may have to give up his BlackBerry for security reasons. In this article Bill Brenner argues that this is not necessary and would reduce the effectiveness of this plugged-in president. The issue is pertinent to many CEOs out there, since their security issues, while perhaps not matters of national security, are nevertheless potentially as important to their companies and their stakeholders. Should CEOs be banned from having smartphones? The short and long answer is absolutely not. There has always been a conflict between making effective use of technology and the risk-averse security wing of the technology world. This issue is more evidence of that conflict. The fact is, mobile technology is important, and security needs to keep up and deal with it. It's that simple. Opinion: Obama's BlackBerry is no security threat

Tuesday, November 25, 2008

BearingPoint - The Disconnect Between Security and the Business

A study done for BearingPoint by Forrester shows the relationship between key business drivers and good security policy. It explores, for example, the extent to which corporate culture inhibits strong security. The study provides valuable food for thought for those responsible for corporate systems security. BearingPoint - The Disconnect Between Security and the Business

Thursday, November 20, 2008

Wrinkles in the IFRS Roadmap - Accounting - CFO.com

The move to IFRS in Canada and the US will pose significant systems issues. IFRS involves maintaining different values for some assets, and will require systems changes to generate and carry those values. In many cases, companies will also have to maintain their traditional GAAP records, and several companies will be keeping "two sets of books" for some time into the future. For IT auditors, this poses several issues they will need to deal with. Which set of records will they audit? Are their controls consistent and reliable? Do the IFRS systems contain the data that will be needed to support the kind of judgements that need to be made under the IFRS standards? These are just a few of the issues. Wrinkles in the IFRS Roadmap - Accounting - CFO.com

Tuesday, November 18, 2008

CA Unveils Cloud Management Strategy, SaaS Unit -- cloud-based management -- InformationWeek

CA Unveils Cloud Management Strategy, SaaS Unit -- cloud-based management -- InformationWeek: "CA unveiled Monday a cloud computing strategy that includes management as a service and management of third party cloud computing environments such as Amazon's EC2." This is significant because it extends the SaaS world into management services, particularly various monitoring activities. It could have security and control implications for better or worse, depending on which monitoring services are included and how they integrate with the activities of the people doing the managing.

Monday, November 17, 2008

Security Manager's Journal: Progress at last on the patching front, and a new priority

A solid patch management program is an important component of a vulnerability remediation program. In this article, a security manager explores his experience with this initiative, and how it ties into his overall strategy. Security Manager's Journal: Progress at last on the patching front, and a new priority

Thursday, November 13, 2008

Compliance - CIO Today

Business opportunity in the modern world means getting connected. But this connectivity involves risk. This article explores the relationship between business opportunity and business risk and highlights the means of addressing the risk. Stressing but going beyond the conventional approach of ERM, it points to trends in open source that can lead to better security. Compliance - CIO Today

Wednesday, November 12, 2008

Internal Audit and IFRS

As we move closer to IFRS adoption, all auditors need to recognize that it will be a major project, which will involve risk that needs to be controlled. Moreover, IFRS adoption will include system changes that will need to be controlled. Internal Audit will play a major role in these changes, and needs to be ready. Ernst & Young has released a guide that, while not restricted to IS implications, points to the major risks that Internal Audit needs to consider. The guide is at:
http://www.ey.com/Global/assets.nsf/Canada/IFRS_InternalAudit/$file/IFRS_InternalAudit.pdf

Tuesday, November 11, 2008

Control over Laid-off Employee System Privileges

Economic hard times mean more layoffs, and we are seeing those now in considerable volume. One of the standard controls in IS systems when employees are laid off is to immediately terminate their system privileges. This applies especially to users with particularly strong privileges, such as system administrators. Most IS auditors have recommended that a company establish procedures like this where they are lacking. The times now require a renewed focus on this kind of policy. A recent case in point, involving a New York mutual fund, clearly illustrates the risk to those who do not deal with it proactively. Laid off sysadmin arrested for threatening company's servers
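One way an IS auditor can test whether the control described above is actually working is to reconcile the HR termination list against the directory's account list and flag any account that is still enabled past its owner's last day, with privileged accounts listed first. The script below is an added example written for this post; it is not from the linked article or from any real system. The employee records, usernames, dates and group names (such as "sysadmins") are constructed sample data, and the privileged-group list is a hypothetical stand-in for whatever an organization actually uses.

```python
from dataclasses import dataclass
from datetime import date

# Groups whose members hold strong privileges (hypothetical names; an
# organization would substitute its own administrator groups).
PRIVILEGED_GROUPS = frozenset({"domain-admins", "sysadmins", "db-admins"})


@dataclass(frozen=True)
class Termination:
    """One row of the HR termination feed: who left and on what day."""
    employee_id: str
    last_day: date


@dataclass(frozen=True)
class Account:
    """One directory account and the groups it belongs to."""
    username: str
    employee_id: str   # empty string when no owner is recorded
    enabled: bool
    groups: frozenset


# Constructed sample data: an HR feed, a directory export and the set of
# employee ids HR currently lists as active.
TERMINATIONS = [
    Termination("E100", date(2008, 11, 3)),
    Termination("E200", date(2008, 11, 7)),
    Termination("E300", date(2008, 11, 10)),
]

ACCOUNTS = [
    Account("jdoe", "E100", True, frozenset({"sysadmins"})),
    Account("asmith", "E200", False, frozenset({"staff"})),
    Account("bwong", "E300", True, frozenset({"staff"})),
    Account("cchen", "E400", True, frozenset({"staff"})),
    Account("svc_backup", "", True, frozenset({"domain-admins"})),
]

ACTIVE_EMPLOYEE_IDS = {"E400"}

# The date on which the reconciliation is run (constructed).
AS_OF = date(2008, 11, 11)


def find_lingering_access(terminations, accounts, as_of):
    """Return enabled accounts whose owner's last day has already passed.

    Each finding records how many days the account has been overdue for
    disabling and whether it carries strong privileges. Privileged
    accounts sort first, then the longest-overdue ones.
    """
    last_day_by_employee = {t.employee_id: t.last_day for t in terminations}
    findings = []
    for acct in accounts:
        last_day = last_day_by_employee.get(acct.employee_id)
        if last_day is None or not acct.enabled or as_of < last_day:
            continue
        findings.append({
            "username": acct.username,
            "employee_id": acct.employee_id,
            "days_overdue": (as_of - last_day).days,
            "privileged": bool(acct.groups & PRIVILEGED_GROUPS),
        })
    findings.sort(key=lambda f: (not f["privileged"], -f["days_overdue"]))
    return findings


def find_orphaned_accounts(accounts, active_ids, terminations):
    """Return enabled accounts that map to no known employee at all.

    An account with no owner in either the active roster or the
    termination feed cannot be covered by a termination-driven control,
    so it needs an owner assigned or a separate review.
    """
    known = set(active_ids) | {t.employee_id for t in terminations}
    return [a for a in accounts if a.enabled and a.employee_id not in known]


if __name__ == "__main__":
    for f in find_lingering_access(TERMINATIONS, ACCOUNTS, AS_OF):
        flag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f"{f['username']:12} {flag:10} {f['days_overdue']} day(s) overdue")
    for a in find_orphaned_accounts(ACCOUNTS, ACTIVE_EMPLOYEE_IDS, TERMINATIONS):
        print(f"{a.username:12} no owner on record; groups: {sorted(a.groups)}")
```

Run on the sample data, the report lists the former sysadmin's still-enabled account ahead of the ordinary user's, and separately calls out the service account that no employee owns. In practice the two inputs would be exported from the HR system and the directory on a schedule, and any privileged finding would be treated as an incident rather than a ticket.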

Monday, November 10, 2008

Endpoint Security

Security policy increasingly must deal with mobile units that contain sensitive data and that interact with outside systems. Many companies are using the idea of endpoint security to address this need. "Endpoints are computing devices attached to an organization's network including PCs, notebooks, handheld computing, or electronic devices with storage, I/O, and/or wireless connectivity, and IP-networked devices with programmable logic controllers used for industrial control systems and critical infrastructure." This white paper outlines how endpoint security works.
http://akamai.infoworld.com/pdf/whitepaper/WP_CP_Endpoint_Security_25Aug08.pdf

Friday, November 7, 2008

BearingPoint - The Disconnect Between Security and the Business

"A study of enterprises conducted by Forrester Consulting
High profile security breaches and regulatory concerns have made security one of the top priorities for business executives. However, security and IT risk management groups struggle to implement effective security within their organizations. BearingPoint commissioned Forrester Consulting to conduct a study of large enterprises in the US, EMEA, and Asia Pacific. The study asked business and security and risk executives about their priorities and challenges for risk, compliance, and security initiatives within their organizations. The major findings of the study suggest that:
Culture, communication, and people are top challenges
Business and IT have different perceptions on security and risk
Internal audit is a strong influencer and regulatory compliance is still important
Respondents unanimously agree that security and risk management is a C-level concern. Download the study to see the results and attend the webinar to engage in a more in depth discussion about security and how it relates to the business." BearingPoint - The Disconnect Between Security and the Business

Thursday, November 6, 2008

Data Center Controls

With growing volumes of data, greater emphasis on data management, cloud computing, movements away from client-server, and cost constraints, the traditional role of the data center is changing, leading to new challenges in IS systems management and control. The paper at the following link examines some of these challenges: http://solutions.internet.com/5131_rethinking

Tuesday, November 4, 2008

Annual Meeting Webcasts

Annual Meetings of the Information Systems Security Association were recently held in Colorado. Webcasts of the meetings are available at the following site, including the keynote address. Annual Meeting Webcasts

Monday, November 3, 2008

Public, security experts' e-voting views differ sharply

The US election tomorrow will see the use of e-voting systems across the country. But like any IS system, they need strong controls to ensure data integrity. Already some of the systems have been accused of vote flipping, and a debate is raging as to whether this arises from user error or system flaws. The point is moot. A good system minimizes the chance of user error. At this point a large percentage of systems experts polled feel that the systems may not be reliable. One hopes they will work well enough to avoid questions about who won, something that has plagued recent elections in the US. We will find out on Tuesday. Public, security experts' e-voting views differ sharply