Tuesday, September 28, 2010

ISACA Knowledge Center

There is a wealth of research available for download from the ISACA Knowledge Center. The site is presently highlighting the following studies:

The Data Leak Prevention paper covers a lot of the same ground as a recent white paper released by the CICA's Information Technology Advisory Committee (ITAC), called Data Centric Security, which is available on the CICA website.

There is a lot of useful information here for all IT assurance practitioners, and the data-level works are particularly relevant in this modern mobile world.

Friday, September 24, 2010

Interoperable Security

Security across different platforms is an ongoing problem for administrators. Interoperability is the logical solution to the issue, but it depends on software developers and is hard to come by.

Recently, a group of developers in Ottawa, who provide software to the government, have pledged to make their software security interoperable. They have even gone so far as to create a group: "Announced Wednesday, the Secure City Technology Alliance aims to capitalize on the increased security concerns since 9/11 for automated surveillance integrated with communications systems."

For more on this, see this article.

Tuesday, September 21, 2010

Single Sign-on for Internet Users

Single sign-on has been a successful way to combat the effects of multiple sign-ons and passwords, which not only cause inefficiency but can actually weaken security. While single sign-on has been successful in many organizations for their internal systems, it has been implemented less often for SaaS systems and internet-based systems that link the enterprise with its customers, suppliers and other collaborators.

The white paper linked to this article, although proprietary, provides a good overview of how single sign-on works, including the use of SAML (Security Assertion Markup Language) to create the background communications between systems that make it all work. The white paper makes an interesting and quick read. It can be downloaded from this site: Secure Internet Single Sign-On 101.

Monday, September 20, 2010

US Government Issues Security Guidelines

The US Government has issued some guidelines for securing national systems, which it says could be adapted for private use. The first of three documents, described briefly below, has been released:

The Federal CIO's Guide to the Dynamic Data Center

The Federal Government data center is rapidly evolving to provide new services and capabilities that can greatly enhance the value of the agency's enterprise infrastructure. From a business perspective, it has become abundantly clear that if IT is going to act as a business driver, it is necessary to take control of the data center and leverage its capabilities and potential, making the Dynamic Data Center an organizational asset.

This report is available from this site.

Friday, September 17, 2010

New Challenges to Information Security

The world of information security continues to grow more complex and to evolve quickly. Of course, we hear a lot about the cloud and the threats to security that it poses. Companies and cloud providers are starting to address this issue more effectively, but there is a lot more going on in information security that needs to be addressed as well.

Some of the trends have been obvious for some time, but being obvious doesn't decrease the threat. Examples include the increasing sophistication of tools available to hackers, and the increased linkages of company systems with those of customers, suppliers and others, which to some extent import the security issues of those other parties. Not to mention the integration of mobile computing and all that it implies. All of these things work together to create an extremely challenging scene.

Some, perhaps many, professionals are saying that under present technology and systems configurations, it simply is not possible to protect against all threats. Although there is nothing new about this basic fact, it does mean that risk analysis and cost/benefit analysis of security measures have become even more important. Management and boards need to understand this fact of security management. They shouldn't be asking whether the systems are secure, but rather what threats have been identified and how they have been ranked in terms of importance. What are the remaining risks, and are they acceptable? Boards need to understand the way threats and risks are managed. For a very good article on the current state of security management, see this article.

Monday, September 13, 2010

BlackBerry Security Too Good?

The move by Saudi Arabia and India to challenge the use of the BlackBerry on security grounds points to the strong security that the BlackBerry has. The BlackBerry was one of the first smart phones to employ a good encryption system, which makes transmissions unreadable by all but the intended recipient.

This is good for the parties to the communications, but obviously hampers the work of the police and the security services of a country. Terrorists and criminals can communicate undetected.

The US government had the same problem initially, but has since worked out compromises and solutions. For a good summary of the issue, check out this article.

Friday, September 10, 2010

Using Encryption to Prevent Data Leakage

Data loss arising from lost or uncontrolled laptops is an ongoing problem, and in fact one that continues to grow. An important solution is the use of encryption, but many users don't know how to employ this important tool. This article in E-Commerce Times provides a good summary of considerations in applying encryption to the data on your laptop.

Tuesday, September 7, 2010

What Data Quality Means in Modern Times

Anitesh Barua, a distinguished teaching professor and lead researcher at the University of Texas at Austin, has released a study that modifies traditional data quality models. "Barua has augmented the old data quality model with new attributes like intelligence, remote accessibility and sales mobility (data accessed through sales apps). He then measured 150 global Fortune 500 companies along these attributes as well as their overall performance to create a series of charts and graphs with which companies can measure certain financial metrics that are key indicators of competitiveness, health and profitability."

For a write-up on the study, click this link.

Friday, September 3, 2010

Security Questions to Ask Your Cloud Provider
NeoSpire's director of security, Sean Bruton, discusses the realities of cloud security and the key questions to ask when assessing a hosted or cloud service provider's claims.
Very timely and insightful. At this link.