Thursday, October 28, 2010

Preventing and Detecting Employee Fraud

"A former bookkeeper of a Sussex N.B. corner drugstore lands in jail for stealing $250,000 from her employer. Another bookkeeper for a rural group that brought electricity to Alberta farms pleaded guilty to paying herself 20 times her normal wages and pilfering nearly $100,000 from the co-op's coffers. In Saskatoon, an employee with access to a company's direct-deposit payroll system earns 18 months in jail for overpaying herself 48 times within a span of four years, bilking her company of no less than $334,000."

How can these types of frauds be prevented in a small business? By making sure that basic controls are in place - such as division of duties, proper monitoring, and making use of the basic reporting capabilities of accounting software. Here's a timely article on the matter.

Tuesday, October 26, 2010

Tokenization - A Solution to Data Loss

Many stories in recent years have featured the loss of sensitive data of clients or customers. Often this data involves credit card numbers and the like. Because of the frequency of these events, enterprises have been strengthening their security, particularly as it relates to mobile units, like laptops and smart phones.

A recent trend in protecting sensitive data held by an enterprise is the use of tokenization. This involves saving the data on a separate secure server, called a vault, and then substituting a random number, the token, for the data within the enterprise records. With this approach, the sensitive data itself no longer appears in the enterprise records; only the token does, and the token by itself reveals nothing about the data it stands for.

Tokenization is increasingly viewed as a useful approach to securing the system against sensitive data loss. To read more, please click here.
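To make the vault-and-token arrangement concrete, here is an added Python example (my own illustration, not code from the article or from any tokenization product): an in-memory vault that issues random tokens for card numbers, keeps the only mapping back to them, and limits detokenization to an assumed "payment-processor" role; the card number 4111111111111111 used in the usage is a constructed test value.

```python
import secrets
import threading


class TokenVault:
    """Constructed example of a tokenization vault. The vault alone holds the real
    card numbers (PANs); the rest of the enterprise only ever sees random tokens."""

    TOKEN_BYTES = 16  # 128 random bits: a token carries no information about the PAN

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # a PAN seen before gets its existing token back
        self._lock = threading.Lock()

    def tokenize(self, pan: str) -> str:
        """Store the PAN in the vault and return the token that stands in for it."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("PAN must be 12-19 digits")
        with self._lock:
            if pan in self._pan_to_token:
                return self._pan_to_token[pan]
            token = secrets.token_hex(self.TOKEN_BYTES)
            while token in self._token_to_pan:  # collision is astronomically unlikely; retry anyway
                token = secrets.token_hex(self.TOKEN_BYTES)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Map a token back to its PAN, only for the (assumed) role that needs it."""
        if caller_role != "payment-processor":
            raise PermissionError("role %r may not detokenize" % caller_role)
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def store_order(vault: TokenVault, customer: str, pan: str) -> dict:
    """The enterprise's own record: it holds the token, never the PAN."""
    return {"customer": customer, "card_token": vault.tokenize(pan)}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Check a record for the PAN (what a leaked copy of the record would expose)."""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    order = store_order(vault, "alice", "4111111111111111")  # constructed test PAN
    print(order, record_contains_pan(order, "4111111111111111"))
```

If the enterprise database is stolen, the attacker holds tokens that are worthless without the vault, which is why the vault must be isolated far more tightly than the systems that consume tokens.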

Friday, October 22, 2010

Cloud Security Gets Organized

Cloud security has become very important now that companies are outsourcing their critical data. As a result, organizations are forming to discuss the issues and provide guidance and even some standards to improve security in the cloud. One such organization is the Cloud Security Alliance (CSA) which was formed by representatives from a wide swath of the IT industry. None of the big traditional assurance firms are represented in the Alliance, although the Information Systems Audit and Control Association (ISACA) is one of the founding members.

The Alliance is beginning to have an impact. It is having conferences, with one recently held in October and one planned for February, 2011, and has issued guidance, the latest being Version 2.1 of its centerpiece “Security Guidance for Critical Areas of Focus in Cloud Computing” as well as a paper on Identity and Access Management. Other important projects are underway.

Recently, the CSA took on CloudAudit as one of its projects. CloudAudit is a separate organization whose goal "is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology."

This initiative takes CSA firmly into the automated assurance space. All of this should lead to better security practices in the cloud.

Wednesday, October 20, 2010

Data Security in the Cloud Begins at the Beginning

Companies that migrate their apps (and their data) to the cloud remain responsible for the security of their data. This simple fact means that security must be a concern from the time that the first negotiations begin for the outsourced service. As this article says,

"It is important to understand:
  • Where the data is being hosted. Data location needs to be part of the contractual agreement.
  • Who is managing data in which locations, including data classification, identity access, privacy and response controls.
  • How data is being segregated. The cloud provider should offer evidence that encryption schemes are in place and tested.
  • Whether data will be accessed beyond the cloud provider's data centers such as the corporate office or remote locations."

Additionally, there should be some assurance available from independent auditors, such as a Service Auditor's report on the system. Lack of availability of such a report should be a show stopper.

Tuesday, October 19, 2010

System Models vs Frameworks

For years, IS risk and assurance specialists have based much of their work on Frameworks. However, last year, ISACA introduced the Business Model for Information Security (BMIS) which is intended to change the way professionals approach information security.

The difference between frameworks and models is that frameworks set out a number of elements that then need to be applied to a particular business, while models define the relationships between those elements. The relationships in a model may not fit a particular business exactly, but a model provides not only a good guide but also a head start in working out the model for a particular system. A model also enables the professional to achieve a better balance between business needs and security needs, always a delicate balance.

Use of a model rather than a framework for tackling security issues provides a more holistic view of security issues, enabling the source of issues to be identified more quickly.

For an article on models vs frameworks, please click this link. (Registration required)

Friday, October 15, 2010

SPOM

Security Information and Event Management (SIEM) is a set of tools that has been around for some time, and the tools have been widely used. SIEM tools basically gather information from a system on security-related matters and report on them. A significant criticism of SIEM has been that it reports on security events after the fact - when the horse is out of the barn.

A new set of security management tools, referred to as Security Posture Management (SPOM), attempts to address the shortcomings of SIEM by actually enabling a manager to input information such as acceptable risk levels and then configure the system to meet these levels. Subsequent monitoring provides analyses of the effects of configuration changes and various events on risk.

SPOM is a significant advance in security management and initiates a line of tools that hopefully will result in better security planning and management. For an article on these tools, please click this link.
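As an added Python sketch of the idea (my own illustration, not the article's or any vendor's SPOM product): a manager sets an acceptable risk level, each asset's residual risk is computed from its exposure, impact and enabled controls, and a configuration change can be evaluated before it is made rather than reported on afterwards. The control effectiveness figures, the 0..1 and 0..10 scales and the two-asset inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed (constructed) effectiveness of each control: the fraction of an
# asset's exposure it removes when enabled. A real SPOM tool would derive
# these from its own model; the numbers here are illustrative only.
CONTROL_EFFECT = {"mfa": 0.5, "disk_encryption": 0.3, "patched": 0.6}


@dataclass
class Asset:
    name: str
    exposure: float   # likelihood of compromise with no controls, 0..1 (constructed scale)
    impact: float     # business impact if compromised, 0..10 (constructed scale)
    controls: dict = field(default_factory=dict)   # control name -> enabled?


def residual_risk(asset: Asset) -> float:
    """Residual risk = impact x exposure left after the enabled controls."""
    remaining = asset.exposure
    for ctrl, enabled in asset.controls.items():
        if enabled:
            remaining *= 1 - CONTROL_EFFECT.get(ctrl, 0.0)
    return round(asset.impact * remaining, 3)


def posture(assets, acceptable: float) -> dict:
    """Posture report: each asset's residual risk measured against the
    manager's acceptable level, produced before any incident, not after."""
    report = {}
    for a in assets:
        risk = residual_risk(a)
        report[a.name] = {"risk": risk, "acceptable": risk <= acceptable}
    return report


def what_if(assets, acceptable: float, asset_name: str, control: str, enabled: bool) -> dict:
    """Evaluate a configuration change without applying it: risk before and
    after, and whether the asset would then meet the acceptable level."""
    target = next(a for a in assets if a.name == asset_name)
    trial = Asset(target.name, target.exposure, target.impact,
                  {**target.controls, control: enabled})
    before, after = residual_risk(target), residual_risk(trial)
    return {"before": before, "after": after, "acceptable_after": after <= acceptable}


# Constructed inventory: a sales laptop without MFA and a payroll database behind on patches
ASSETS = [
    Asset("laptop-sales", 0.8, 6, {"mfa": False, "disk_encryption": True, "patched": True}),
    Asset("payroll-db", 0.5, 10, {"mfa": True, "disk_encryption": True, "patched": False}),
]
```

With an acceptable level of 1.5, `posture(ASSETS, 1.5)` flags the payroll database, and `what_if(ASSETS, 1.5, "payroll-db", "patched", True)` shows that patching alone brings it back within the limit.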

Thursday, October 14, 2010

The New Normal Imperative: Secure Mobility

Source: SonicWALL
The economic downturn has forced many companies to rethink the way they approach IT. CIOs are increasingly being asked how they can drive competitive advantage through technology. Many organizations have recognized that workforce mobility and collaboration are important drivers of increased productivity. These forces are creating a new challenge: the need for dynamic security.

In this webcast, Phil Go, CIO of Barton Malow, discusses how this leading national construction firm is tackling these issues, along with the technology he is adopting to ensure mobile security.

Tuesday, October 12, 2010

Wireless Security Ramped Up by PCI Rules

"Beginning Sept. 30, Visa will require merchants and related businesses to conduct wireless security scans to prove compliance with version 1.2 of the PCI Data Security Standard (PCI DSS) which is designed to safeguard cardholder data from wireless threats."

The PCI DSS Wireless Guidelines were published in July 2009 and since then, vendors have been producing tools to prove compliance. The rules were introduced after the Heartland Security Breach, in which more than 100,000 credit cards were compromised.

Credit card fraud continues to be one of the most common types of fraud.
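As an added example of the kind of check such a wireless scan supports (my own code, not from the article, Visa or the PCI DSS guidelines): parse a constructed scan listing, compare it with an assumed inventory of authorized access points, and produce the findings an assessor would follow up on. The BSSIDs, SSIDs and the one-AP-per-line scan format are constructed assumptions; a real scanner's output format will differ.

```python
import re

# Assumed authorized access-point inventory (constructed): BSSID -> expected SSID
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
}

WEAK_SECURITY = {"OPEN", "WEP"}  # neither protects cardholder data in transit

# Constructed scan output, one AP per line: "bssid ssid security channel"
# (SSIDs without spaces are assumed; a real scanner's format will differ)
SCAN_OUTPUT = """\
00:11:22:33:44:01 STORE-POS WPA2 6
00:11:22:33:44:02 STORE-POS WEP 11
de:ad:be:ef:00:01 STORE-POS WPA2 1
aa:bb:cc:dd:ee:ff FreeWifi OPEN 6
"""

LINE_RE = re.compile(
    r"^(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ssid>\S+)\s+(?P<sec>\S+)\s+(?P<chan>\d+)$",
    re.IGNORECASE)


def parse_scan(text: str) -> list:
    """Turn scan lines into dicts; lines that do not match the format are skipped."""
    aps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            aps.append({"bssid": m["bssid"].lower(), "ssid": m["ssid"],
                        "security": m["sec"].upper(), "channel": int(m["chan"])})
    return aps


def assess(aps: list, authorized: dict = AUTHORIZED_APS) -> list:
    """Findings to follow up on: an unknown BSSID advertising one of our SSIDs
    (ssid-spoof), any other unknown AP in range (unknown-ap), and an authorized
    AP running no or broken encryption (weak-security)."""
    findings = []
    our_ssids = set(authorized.values())
    for ap in aps:
        if ap["bssid"] not in authorized:
            kind = "ssid-spoof" if ap["ssid"] in our_ssids else "unknown-ap"
            findings.append((kind, ap["bssid"], ap["ssid"]))
        elif ap["security"] in WEAK_SECURITY:
            findings.append(("weak-security", ap["bssid"], ap["security"]))
    return findings
```

An unknown AP is not automatically hostile (it may be a neighbour's network), which is why the output is a list of findings to investigate and document for the assessment rather than a verdict.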

Monday, October 4, 2010

Managing privacy risk in the digital age

Information often imposes obligations to the organization, whether because a law or regulation requires it, or fiduciary duty demands it.

Privacy has an impact on the business risks and compliance of every enterprise, and more so for global entities. Management and boards of directors should ensure that their organizations are adequately positioned to manage privacy across the enterprise.

While privacy in earlier years may have been considered more of a marketing hook, focused on customer preferences, privacy in recent years is associated with the potential for abuse — inappropriate access to or exposure of information resulting in identity theft and fraud. This year we add to these alarming concerns the regulatory changes across the globe, as well as the lingering effect of the economic crisis.

- Quoted from Ernst & Young

For a copy of the latest white paper from E&Y on this topic, please click here.