Tuesday, June 29, 2010

Preparation for Audits is Critical

All auditors know that preparation and planning for an audit is essential to running a smooth audit. It's also essential for the client to prepare because they are always asked for information, data and reports that they need to dig up and that are sometimes hard to get. A little planning can make things easier for both auditor and client.

The auditor can help with the client's planning activities. While it's true that the client should know, after a couple of audits, what the auditor will want, it is nevertheless a sad fact of life that they don't always keep track of it, and so every audit becomes a scramble to answer the auditors' requests.

Therefore the auditors need to provide the client with advance notice of their needs. While this is fundamental, it is sometimes overlooked, and especially in IT audits, can lead to frustrating delays in the audit and frustration for all involved. For more on this topic, click here.

Monday, June 28, 2010

Cyber War

There's a new role for IS Auditors - helping to prevent a global cyber war. It's no secret that hacker organizations and cyber terrorists have gone global and that countries are increasingly vulnerable to attacks that could disable many of their key infrastructure elements, like transportation, media, etc.

This is a risk that needs to be addressed and is being addressed by major departments and organizations responsible for national security. Many of the traditional techniques of IS Auditors, such as risk and threat analysis, are fundamental to implementing the necessary preventative measures. Check out the linked set of articles, and in particular the security video at the bottom of the linked page.

Thursday, June 24, 2010

The ISACA Knowledge Center

ISACA has a Knowledge Center on its website of which some who are involved in IS Assurance may not be aware. Here is the link. The Knowledge Center contains a wealth of information about over 100 topics that can be searched on the site. It also enables members to discuss such topics, their experiences and IS Assurance generally with other members. It's a useful resource for IS Assurance Professionals.

Tuesday, June 22, 2010

The Internet Fraud Alert Center
"Microsoft has spearheaded the formation of the Internet Fraud Alert center, to be managed by the National Cyber-Forensics & Training Alliance. The coalition aims to combat cybercrime, malware, fraud and the misuse of personal data. The data-protection group will serve as a specific process for reporting discoveries of stolen data caches." See this website for more.
Monday, June 21, 2010

ISACA's Virtual Seminar and Tradeshow is Tomorrow
Time is running out to register for ISACA's Virtual Seminar and Tradeshow: Building a Better GRC Program.
When: TOMORROW (Tuesday, 22 June 2010), 9:00am – 4:00pm (EDT) (13:00 GMT)
Where: Your computer
Learn how to get the most out of your GRC strategy by aligning business and corporate governance of IT, and earn up to 4 CPE hours by attending this FREE educational event.
At this online, all-day event you can participate in educational sessions presented by knowledgeable speakers. Plus, you can explore the exhibit hall in between sessions where you can visit exhibitor booths, and interact with sponsors, other ISACA members, and ISACA staff.
Click here for tips on registering, checking your system, and to contact support.

Friday, June 18, 2010

Reporting Lost Credit Cards

When credit card numbers are lost or compromised, there needs to be a way to report them to banks and outlets so they won't be used illegally. In the past, a program called Cardcops has been used for this purpose.

Microsoft is now promoting the use of a new program, which it hopes will be successful because of its speed in reporting, which is often important in cases of fraud. See this write-up on the new program.

Thursday, June 17, 2010

Cloud Security - A New Approach to Risk Management

The advent of cloud computing has caused security professionals to revisit their risk assessment profiles. There is more risk, this is clear, and therefore there needs to be a closer evaluation of which risks are acceptable and which are not. That's one difference caused by the cloud.

But it runs a lot deeper than that. Cloud computing means that enterprises are outsourcing the basic infrastructure to an outside party, and therefore they no longer control the infrastructure. Many of the traditional security measures focus on the infrastructure. Also, the ability of the user enterprise to test the system is often limited.

This new environment means that more attention must be paid to the applications being used, which in turn means that security professionals need to have a greater understanding of their business and of how those needs translate into applications deployment.

This is a challenging arena, and many of the answers are still being worked out. Recently, at the RSA Conference in San Francisco, a panel addressed these issues. A transcript and podcast of the discussion can be found on this website.

Wednesday, June 16, 2010

Including Corporate Secrets in Risk Analysis

Companies usually have secrets that are valuable to them. Coca Cola's recipe, for example. Or earnings projections. This can be distinguished from custodial information, such as payroll data. In a new RSA study, the relative worth of corporate secrets is examined and the attention given to them by corporate security programs is measured. It was found that companies pay less attention to secrets even though they are generally worth more to the company than private custodial data. The research points the way to a different focus on corporate risk analysis. For a download of the paper, click this link.

Monday, June 14, 2010

Passwords May Actually Compromise Security

A new study presented at Harvard's "Economics of Information Security" workshop last week shows how passwords can compromise security. The authors point out that people often re-use passwords and that hackers can obtain the passwords that low-value sites often keep in plain text. Some users use the same passwords for their high-value sites, like PayPal and internet banking.

The study also points out that there are now better ways of securing data, such as more secure protocols or federated identity systems, but that people expect passwords, so passwords have a psychological value. The study is an insightful look at passwords. Companies should be looking at better ways to establish security, as there is increasing evidence that passwords don't work well. For a summary of the paper, see this article.
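The reuse risk described above is something a site operator can check for defensively: when a low-value site leaks plaintext credentials, verify each leaked password against the matching account's salted hash and force a reset where it matches. The following is an added example, not code from the study or the article; the user database, the leaked list and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor; production values should be tuned higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of storage a high-value site should use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Create a stored credential record with a fresh random salt per user."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


# Constructed high-value site user database (salted hashes only, never plaintext).
USER_DB = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("Tr0ub4dor&3"),
    "carol@example.com": make_record("unique-to-this-bank-only"),
}

# Constructed plaintext dump from a low-value site that stored passwords unhashed.
LEAKED_LOW_VALUE_SITE = [
    ("alice@example.com", "correct horse battery staple"),  # reused: matches
    ("bob@example.com", "some-other-forum-password"),        # different: no match
    ("carol@example.com", "unique-to-this-bank-only"),       # reused: matches
    ("dave@example.com", "not-a-customer-here"),             # no account: ignored
]


def find_reused_accounts(user_db: dict, leaked: list) -> list:
    """Return accounts whose stored password equals one leaked in plaintext elsewhere.

    Because salts differ per user and per site, hashes cannot be compared across
    sites; the only way to detect reuse is to verify each leaked plaintext against
    the account it names. Flagged accounts should get a forced reset and notification.
    """
    flagged = set()
    for email, leaked_pw in leaked:
        record = user_db.get(email)
        if record is not None and verify(record, leaked_pw):
            flagged.add(email)
    return sorted(flagged)
```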

Thursday, June 10, 2010

Spreadsheet Risks

Everyone knows of the risks involved with the use of spreadsheets within information systems. Not only are there known risks but it is difficult to control them, since many spreadsheets are used by individuals who are operating outside of an established control structure - or to put it another way, established control structures usually don't cover spreadsheets.

There is a European site which addresses the risks of spreadsheet usage, and offers up some useful topics of discussion and useful tools. It's worth a look.

Tuesday, June 8, 2010

The Deepwater Horizon Disaster - Lessons for IT Risk Management

It is an understatement to say that the BP Deepwater oil spill is a major disaster, for the people in the area, for the environment and for BP itself. While we are a long way from having a clear understanding as to why it happened, there is growing evidence that it could have been prevented if more effective safeguards had been put into place in the beginning. We see this happening often in the IT world, where major projects are taken on, management pushes for them to go live without adequate attention to the risk management aspects, and then things go wrong.

There is a strong likelihood that the disaster will bring down BP, as it has already involved a loss of lives and brought down the economic futures of so many people.

It is a risk management failure of the first magnitude and it points, even this early, to several clear lessons for managements. For one thing, there is a need for a business to organize itself so as to give some clear clout to the risk management functions within its team. This means more than giving nominal titles to those people; it means meaningful means of enforcing their will on overly keen managements when major projects are under way. Separate public risk management reports would be helpful. It also would be useful for companies to combine their risk management functions for IT and the rest of the organization. It is getting increasingly difficult for many companies to separate them anyway, and the established expertise of IT risk management personnel would be a help. Some companies have done this, but many have not.

With the scale of major projects taking place in the world today, and the potentially disastrous effects of failure, there needs to be a substantial ramping up of the importance of the risk management function within businesses. The professionals are available for this purpose. We should use them. For an article on the BP Deepwater risk management, click this link.

Friday, June 4, 2010

Attacking RFID Chips

There has been much attention given in recent years to the question of the security risks of RFID chips. The Canadian Privacy Commissioner has come down hard on them. Corporate IT security personnel have been searching for ways to make them more secure.

The security of RFID chips is important because they are so pervasive and often contain private or sensitive information. Even information such as product prices can be critical to secure, because of the need for integrity of the information used in processing sales.

So a thorough review of the security risks of RFID chips, as well as of the methods intruders might use in attacking them, is very timely.

Such a review is found in the article "Attacking RFID Systems" by Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estevez-Tapiador, and Arturo Ribagorda.

The article is comprehensive and covers a range of methods that could be used by hackers to attack RFID chips. Very useful.

Thursday, June 3, 2010

The Hazards of ERP Implementation Consulting

Marin County, California has launched a legal action against Deloitte, alleging that the latter misrepresented their knowledge of SAP and failed to deliver on their contractual obligations. Deloitte, on the other hand, says the system was working properly when they finished their assignment and that they met all their contractual obligations. Which one has the stronger case will be determined in the courts. However, the case points to the difficulties of ERP consulting: it is very complex and time consuming, and the outcomes are difficult to measure. The time and resources needed to complete an implementation are often under-estimated. Here's an article on the legal action.

Wednesday, June 2, 2010

Learning From Service Failures

Not many professionals write about their failures, but Gene Marks does. He runs a small IT consulting and advisory company and is brutally honest about his client service failures. They are failures most IT professionals encounter from time to time, and - truth be known - a great many IT professionals have at one time or another been responsible for them. Knowing when to speak out about such matters as putting the wrong person on a job, in time to prevent the damage, is a skill often born of experience. The same goes for knowing the value of firm quotes given up front to a client.

Marks' article, linked here, is good food for thought for all IT professionals out there. Learning from past mistakes, whether one's own or the mistakes of others, is a necessary part of growing.