Thursday, January 28, 2010

The Four Principles of Data Governance

There is a high awareness of the fact that data is one of the most important elements of modern business and business systems - and a major focus of establishing good controls. The article referenced below picks up on this theme and lays out four major principles of good data governance. They are (1) clear ownership, (2) value recognition, (3) effective data policies and procedures and (4) data quality. The article expands on these principles. It is on the Information Management site.  

Monday, January 25, 2010

Online Banking - Separate Computer?

The American Banking Association has recommended that small businesses use a separate, dedicated computer for online banking activities so that proper security can be followed. The increased activity of hackers focusing on banking has made this a prudent safeguard. However, other experts caution that if there is a lack of proper security in other parts of the system, then having a separate computer will not really help.

Having said that, the use of a separate computer probably does help in a lot of cases. It does mean that it needs to be done right: proper segregation from the rest of the system as much as possible, and maintenance of strong controls throughout the system, which should be happening in any event.

For a commentary on the Banking Association recommendation, take a look at this article.

Wednesday, January 20, 2010

The Case for Encryption of Laptops

Sophos has released an interesting white paper making the case for encryption of laptops. It does this by outlining various ways in which unauthorized people can access the data on a stolen laptop even where it is protected by a password. The means are so simple, it makes it clear that encryption is the best and only effective way to protect data on laptops. This is a message that has come from various sources, including the CICA and others. Download the whitepaper from this source.

Friday, January 15, 2010

ISACA Starts a New Newsletter

Something worth watching is ISACA's new newsletter @ISACA. @ISACA is ISACA’s publicly available newsletter. It was launched in January of 2010, replacing ISACA’s long-standing monthly newsletter, Global Communiqué. @ISACA is delivered biweekly via e-mail with the full articles housed on the ISACA web site.
@ISACA includes up-to-date timely news about the goings on at ISACA, new and updated ISACA offerings, and relevant industry news. The first edition of @ISACA can be found at this site.

Tuesday, January 12, 2010

A Major Flaw in SSL

The IETF has taken steps to correct a major flaw in SSL, the security protocol that is used for most web-based transactions, but the fix won't be effective for a year or more. That means there is an exposure to watch out for. While the exposure has existed for some time, it has now been publicized, and that of course increases the possibility of it being used. On the positive side, exploitation of the bug requires a good deal of technical sophistication, which may be beyond the means of the average hacker. More is explained in this article.

Thursday, January 7, 2010

Analyzing Outsourcing Contracts

Outsourcing has become an important element of many information systems. The contracts that underlie outsourcing activity are therefore an important element of good systems management and control. The paper "An Empirical Analysis of Contract Structures in IT Outsourcing" by Yuanyuan Chen and Anandhi Bharadwaj, recently published in the journal "Information Systems Research", offers up some good analysis of a selection of contracts. Here's the abstract:

  Outsourcing of information technology (IT) services has received much attention in the information systems (IS) literature. However, considerably less attention has been paid to actual contract structures used in IT outsourcing (ITO). Examining contract structures yields important insights into how the contracting parties structure the governance provisions and the factors or transaction risks that influence them. Based on insights from prior literature, from practicing legal experts, and through in-depth content analysis of actual contracts, we develop a comprehensive coding scheme to capture contract provisions across four major dimensions: monitoring, dispute resolution, property rights protection, and contingency provisions. We then develop an empirical data set describing the contract structures across these distinct dimensions, using a sample of 112 ITO contracts from the Securities and Exchange Commission (SEC) database from 1993 to 2003.
  Drawing on transaction cost, agency, and relational exchange theories, we hypothesize the effects of transaction and relational characteristics on the specific contractual provisions, as well as on overall contract extensiveness. Furthermore, we examine how these associations vary under conditions of fixed price and time and materials pricing structures. The results provide good support for the main hypotheses of the study and yield interesting insights about contractual governance of ITO arrangements.

The study can be obtained, under a subscription, from this site.

Sunday, January 3, 2010

Architecture Matters

Software architect Roger Sessions says the cure for IT project failure - which costs the U.S. an estimated $1 trillion a year - is a big dose of simplicity. Complexity of systems arises primarily from a lack of architecture planning, from allowing systems to grow without strong consideration of the architectural implications of the growth. This article addresses this matter.