Thursday, April 29, 2010

Copiers Can Pose a Risk

How many companies forget to include their copiers in their risk profiles? True, control over print output is a long-established feature at most companies, but what about the data on the hard drives of those copiers? Many copiers have hard drives with a lot of capacity, and they record images of every document copied on the machine. That includes any private and personal documents people might choose to reproduce. Tax returns, payroll records, confidential memos - you name it.

And what happens when a copier is sold or traded? How many companies remember to clean up the hard drive? My bet is a lot don't.

There's an interesting video on CBS news about the experiences of one police department with copiers. It's worth a look.

Tuesday, April 27, 2010

Global Security Survey Shows Change

The annual PricewaterhouseCoopers global information security survey is starting for the coming year. The survey will be conducted during the months of April - June, and the report will then be published in various formats, including in CIO Magazine.

Last year's survey - carried out in 2009 but labelled the 2010 survey - focused on the impact of the recession on security. Many presumed that the recession would lead to a reduction in expenditures on security; according to the survey, this largely did not happen, although there was a less measurable reduction in innovation and expansion in the security area.

Overall, the survey indicated a growing level of congruence between general management and IS management in their view of and approach to IS security from a strategic perspective. The risks associated with systems security are being seen as important to the welfare of the organization as a whole by general management.

The survey can be downloaded from the PWC site and the questionnaire for the current year can be seen here.

Monday, April 26, 2010

Desktop as a Service

It's no secret that users have changed dramatically over the past ten years or so. While they once had to sit at a computer terminal in the office and log in to gain access to corporate data, now they log in from anywhere - from home, airports, meetings in other offices, on their mobile phones, and in coffee shops and airport kiosks.

This has presented grave challenges to corporate IT personnel in providing data to their users without compromising security. Security was a lot easier in the old regime. Now it is complicated by the security capabilities and features of mobile devices, wireless networks and outside data providers.

One concept that has gained some traction is the Virtual Desktop Infrastructure (VDI). Under this approach, a virtual desktop is served up from a secure server and made available to users over secure channels. VDI would give IT an opportunity to exercise much tighter control over security.

Companies, however, have found VDI to be difficult and complex to implement.

As a response to this whole set of needs, some companies have begun to offer the idea of Desktop as a Service (DAAS). They offer, over the internet, secure desktops that can be centrally controlled and kept up to date. Mokafive is a leading-edge provider of this service.

DAAS has a lot of potential. Also, there is a bit of irony in that a solution may be coming from the cloud, which started off by greatly complicating the lives of security policy makers and administrators.

An excellent article on this area can be found here.

Friday, April 23, 2010

ISACA Seeking Comments on ED

ISACA has released an Exposure Draft addressing the subject of Monitoring Internal Controls. Predicated on the observation that lack of effective monitoring can lead to a deterioration in controls, the ED is intended to expand upon the monitoring guidance contained in COSO 2009. Comments are due by May 3 and can be submitted by filling out the online questionnaire or by email.

Wednesday, April 21, 2010

High Risk in the Canadian Government Systems

The Auditor General of Canada released her spring report on Monday. In it, she identified a serious lack of spending on government IT systems, with the result that many systems are so obsolete that they carry a considerable risk of interfering with the ability of the affected departments to deliver their services. These are services on which many Canadians rely, including payment of UI benefits, Canada Pension Plan payments and Old Age Security. This is indeed a serious state of affairs and one that should not have been allowed to happen. Departmental risk assessments have identified these issues for the past several years, but the departments have not had the funds to replace the old and outdated equipment.

Clearly, the Canadian government has been under considerable pressure to limit its IT spending. Not stressed in the AG's report, although it was mentioned, is the fact that whenever an organization is under pressure to reduce or limit its IT spending, the first area to suffer is security and control. This is a fact of life. It means that security and control measures are not improved. Moreover, the old equipment simply cannot support the kinds of security measures that are needed in the modern world, where hackers and crackers are often endowed with state-of-the-art equipment.

In an era when the government is hosting more and more of our private information, this is simply unacceptable. It is an area where IS Assurance providers can play an important role.

For the AG's report on outdated systems, click this link.

Tuesday, April 20, 2010

Extending Controls to Public Hot Spots

With an increasing reliance on portable devices to obtain information, along with the large numbers of business travelers, companies' exposure to data loss at public access sites is growing.

Some say it's just a matter of time until some spectacular events make the news. Security officers have long been concerned about Wi-Fi and other wireless devices, and some banned them for a time, but the inexorable growth of wireless has overwhelmed these hopeless attempts to preserve secure systems, and so companies have had to address the issue. So far, however, they have not managed to get a real grip on the situation.

Here are some things they can do, from a recent article in Computerworld:

Steps IT can take to protect data from hot-spot dangers

  • Establish and enforce strong authentication policies for devices trying to access corporate networks.
  • Require employees to use a corporate VPN (virtual private network) and encryption when making a connection and exchanging data; better still, set up employee computers so that devices automatically connect to the VPN and encrypt data after making sure the computer or device hasn't been lost or stolen.
  • Make sure all devices and software applications are configured properly and have the latest patches.
  • Ensure that corporate security policies prevent workers from transferring sensitive data to mobile devices or unauthorized computers.
  • Use air cards, which require a service plan, instead of hot spots for wireless connections.

Strong, well-enforced policies are key to making these things happen.

Monday, April 19, 2010

High Density Server Farms

A new generation of servers is entering data centers with denser racks, making them more susceptible to heat problems. Heat has been a constant issue and limiting factor in computing since the beginning. While inroads have been made through redesigned chips and more efficient cooling units, heat is still an issue to be dealt with. Excessive heat raises the prospect of system shutdowns and the consequent loss of service.

Design of data centers is a hot (no pun intended?) issue in systems control. Here's one interesting take on the situation.

Friday, April 16, 2010

Value Management Assurance Reviews

ISACA has released a booklet providing guidance on the conduct of Value Management Reviews. This has long been an important area of IT management and - for not quite as long - an important area of IT Assurance. The booklet, titled Value Management Guidance for Assurance Professionals: Using Val IT 2.0, "provides guidance on how to use Val IT to support an assurance review focused on the governance of IT-enabled business investments for each of the three Val IT domains—Value Governance, Portfolio Management and Investment Management. It increases the assurance professional’s focus on IT value and, through resulting assurance reviews, raises management’s awareness and understanding of the importance of IT value management."

A pdf copy can be downloaded free from the site.

Wednesday, April 14, 2010

ISACA's April E-Symposium

Registration is now open for the 27 April 2010 e-Symposium.

ISACA e-Symposium: Fighting Security Threats Head On
Date: Tuesday, 27 April 2010
Time: 11:00 AM - 2:00 PM EDT / 15:00 - 20:00 UTC

e-Symposium Overview

"At this month's live ISACA eSymposium, our speakers are waging war on data security breaches.  Learn about the current tools and techniques hackers are using that compromise computer security, as well as how insider threats can be uncovered using risk analysis.  Also, hear our sponsor, VeriSign, talk about their whitepaper on how to prevent spoofing server-to-server communications.  Join us at this event to learn how to be proactive in detecting and preventing high-profile breaches in your enterprise.  Get a complete program overview and/or register now."

Monday, April 12, 2010

Gartner Security & Risk Management Summit 2010
21 – 23 June 2010 | National Harbor, MD (Washington, DC area)

This year's event focuses on the importance of developing a comprehensive strategy across roles as the IT security and risk disciplines converge. "To address this priority, the newly expanded Gartner Security & Risk Management Summit brings the entire IT security and risk management team together for a comprehensive strategic update focused on and aligned with business goals. Four complete programs within the conference drill down on Security, Risk Management, Business Continuity Management, and CISO roles to deliver the detailed, role-specific content and networking that is essential to success. Each program offers a full agenda of analyst sessions, keynotes, roundtable discussions, case studies, workshops, and more."

There is more on the Gartner website about this important event.

Tuesday, April 6, 2010

How to Buy an SSL Certificate

SSL certificates are the standard technique for users to verify that someone is who they say they are and that they own a particular site. Most browsers will flag a site without a valid certificate. But how good is this precaution? Two researchers recently uncovered a way of purchasing an SSL certificate for any site you might choose at random, whether you own it or not. Their method is possible for anyone who has a credit card. Needless to say, this undermines the value of SSL certificates. Read more here.