T2P Global News Feeds

Does SAS 70 certification mean better data center security?

2009-11-05T22:15:44Z

People charged with data center physical security have the daunting responsibility of minimizing internal and external vulnerabilities and deciding which technologies and strategies should be deployed.

EA and IT Governance: a Systemic Approach

2009-11-09T12:15:49Z

... Enterprise Architecture (EA) is much debated. IT Governance is generally viewed as an integral part of corporate governance and EA considered as a collection of artifacts to be governed within ITG, but there are also views that IT Governance is a ...

Leveraging the Power of Change Auditing - InformationWeek

2009-11-05T15:44:35Z

Leveraging the Power of Change Auditing
InformationWeek
With the reliance on technology to conduct business, interact with customers, and meet auditing requirements, “store doors” need to remain open at all times ...
Public Sector Security: Leveraging Enterprise Infrastructure IntegrityInformationWeek

all 10 news articles »

The importance of internal audits

2009-11-06T14:23:00Z

This week`s resource selections originate from a monthly internal audit column I write for Jim Kaplan, for going on more than three years now.

Each month in Jim’s internal audit newsletter (http://www.auditnet.org/) I highlight leading audit and security resources to assist auditors and security practitioners.

Have another great week.

Dan Swanson

Disaster Recovery (DR) and Business Continuity Planning (BCP) resources

This web page provides resources and articles on the subject of DR and BCP that you can use for reviews and planning for audits in this area. http://www.auditnet.org/drp.htm

Auditing IT Initiatives “Thought Leadership”- Particularly Useful When an IT Project Failure is NOT An Option!

Some key questions to consider:

- Does the proposed IT solution work & will it meet the needs of the organization?

- Does the security aspect of the IT solution work?

- Will the privacy of the organization’s information be maintained?

- Will the staff know how to perform “productively” and accurately?

- Have we done everything necessary to be prepared?

- Are we ready to implement and how do you know it'll work?

Some leading resources to assist your “readiness” assessment effort are available here.

http://www.auditnet.org/articles/DSIA200702.htm

Auditing for Fraud “Thought Leadership” - Because bad things are happening

Some companies have significantly lower levels of misappropriation of assets and are less susceptible to fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud, end of story (it’s that simple). At these exemplary companies, management is responsible for designing and implementing systems and procedures for the prevention and detection of fraud—and, along with the board of directors, for ensuring a culture and environment that promotes honesty and ethical behavior.
http://www.auditnet.org/articles/DSIA200703.htm

Security Management resources

A variety of information security management resources have been gathered at this one web page
http://www.auditnet.org/SecurityMgmt.htm

Auditing Risk Management is strongly recommended

Some resources to assist your risk management efforts are available at this one web page.

http://www.auditnet.org/articles/DSIA200701.htm

Auditing security using the PCI standard and related guidance - (Because personal information must be protected)
We need to protect personal information much more than ever before and extensive help from the PCI Security Standards Council and numerous other organizations does exist.
http://www.auditnet.org/articles/DSIA200704.htm

Creating a pandemic response for your disaster recovery plan

2009-11-09T14:07:21Z

As more and more people are affected by the H1N1 flu, companies need to include a pandemic response into their DR plans.

Modern data backup and recovery system considerations

2009-11-09T15:10:04Z

In this book excerpt, Iearn about tape vs. disk storage, the difference between full versus incremental backup, and disaster recovery vs. backup.

Five ways to boost business intelligence

2009-11-08T22:34:26Z

Learn how in-database analytics, in-memory analytics, BI appliances, data virtualization and operational BI can boost the performance of your business intelligence applications.

Eight free IT outsourcing templates

2009-11-09T22:21:58Z

Get help structuring our next outsourcing deal with our link library of templates spelling out the best way to arrange SLAs and RFPs.

Laissez-Faire Access Control

2009-11-09T12:59:47Z

Recently I wrote about the difficulty of making role-based access control work, and how reasearch at Dartmouth showed that it was better to let people take the access control they need to do their jobs, and audit the results. This interesting paper, "Laissez-Faire File Sharing," tries to formalize the sort of access control.

Abstract: When organizations deploy file systems with access control mechanisms that prevent users from reliably sharing files with others, these users will inevitably find alternative means to share. Alas, these alternatives rarely provide the same level of confidentiality, integrity, or auditability provided by the prescribed file systems. Thus, the imposition of restrictive mechanisms and policies by system designers and administrators may actually reduce the system's security.
We observe that the failure modes of file systems that enforce centrally-imposed access control policies are similar to the failure modes of centrally-planned economies: individuals either learn to circumvent these restrictions as matters of necessity or desert the system entirely, subverting the goals behind the central policy.

We formalize requirements for laissez-faire sharing, which parallel the requirements of free market economies, to better address the file sharing needs of information workers. Because individuals are less likely to feel compelled to circumvent systems that meet these laissez-faire requirements, such systems have the potential to increase both productivity and security.

Think of Wikipedia as the ultimate example of this. Everybody has access to everything, but there are audit mechanisms in place to prevent abuse.

Consent will be required for cookies in Europe

2009-11-09T16:50:02Z

An editorial at Out-Law.com written by Struan Robertson, editor:

The fate of Europe’s cookie law became improbably entwined with a debate over file-sharing. To cut a long story short, it broke free. On 26th October, it was voted through by the Council of the EU. It cannot be stopped and awaits only the rubber-stamp formalities of signature and publication.

The vote’s result was announced by way of a whisper. It featured at the tail end of an 18-page Council press release (PDF) that first had to address fishing quotas, train driving licences and a maritime treaty with China. I’m afraid we missed it.

There was no attempt to bury this news – but the hushed tones of its reporting were consistent with the media attention it has received to date. There has been almost no fuss about this little law, despite the harm it could do to advertising, the lifeblood of online publishing. It also threatens to irritate all web users by appearing at every new destination like an over-zealous security guard.

Privacy, Security Laws Impede Health Data Sharing, Experts Say - iHealthBeat

2009-11-09T19:57:31Z

Privacy, Security Laws Impede Health Data Sharing, Experts Say
iHealthBeat
The Federal Information Security Management Act and HIPAA privacy rules make it difficult to share electronic health records among federal agencies and ...

The Real Time Infrastructure Ultimatum

2009-11-06T18:15:00Z

As virtualization entered the data center it became an accidental standard bearer for network automation. The power of virtualization helped to drive a cultural (including x as a service) shift in expectations, just as Nicholas Carr was declaring war on traditional “old world” IT with the help of Google, Amazon and a host of other cloud (and not so cloud) players.

Secure Enterprise Clouds

2009-11-07T22:30:00Z

There is so much waste in the data centers of Fortune 1000 companies today that a CIO – as an officer of the company – could be considered in breach of their fiduciary duty to stockholders given the dollars in question. Of course that requires costs transparency, so sadly most are safe for now. It seems that every new technology innovation brings the promise of greater efficiencies and cost savings but in reality tends to leave a mess of ‘legacy’ infrastructure on the floor that results in a net higher TCO than the CIO had in the first place. So what does this have to do with Cloud Computing? While there is no shortage of companies trying to ply their wares as the ideal enabler for Cloud, I am surprised by the lack of attention from vendors that have the most to gain – the Cloud providers themselves. If I put on my CIO shoes here are the things I care about:

DOD approves new credentials for security professionals

2009-11-09T23:16:40Z

InfoSec News: DOD approves new credentials for security professionals: http://defensesystems.com/articles/2009/11/04/dod-approves-new-security-certification.aspx
By Kathleen Hickey Defense Systems Nov 05, 2009
The Defense Department has approved new credentials for information security professionals. The directive is expected to result in more than [...]

Cybercriminals down five British police forces in a year

2009-11-09T23:16:29Z

InfoSec News: Cybercriminals down five British police forces in a year: http://www.theregister.co.uk/2009/11/05/police_breaches/
By Chris Williams The Register 5th November 2009
In the last year five British police forces have suffered major computer failures lasting three days or more as a result of malicious internet attacks. [...]

Securing The Cyber Supply Chain

2009-11-09T23:16:11Z

InfoSec News: Securing The Cyber Supply Chain: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221600499
By J. Nicholas Hoover InformationWeek November 7, 2009 (From the November 9, 2009 issue)
Security pros draw a line at the firewall--what happens "out there" [...]

Hackers blacked out Brazil: Report

2009-11-09T23:16:04Z

InfoSec News: Hackers blacked out Brazil: Report: Forwarded from: Simon Taplin <simon.taplin (at) gmail.com>
http://www.timeslive.co.za/scitech/article184124.ece
Nov 7, 2009 11:02 AM | By AFP
Massive power outages in Brazil in 2005 and 2007 that impacted millions were caused by cyber hackers attacking control systems, the US [...]

Data Breach Bills Clear Senate Panel

2009-11-09T23:14:50Z

Legislation Heads for a Senate Vote
The Senate Judiciary Committee approved two companion bill that would require businesses and government agencies to notify individuals of security breaches involving their sensitive personally identifiable information.

Interior Fails Big Time in FISMA Audit

2009-11-09T23:14:44Z

IG Blames Lack of CIO Oversight, Under-Qualified Personnel
Serious flaws significantly negate the benefit of $182 million spent on IT security and the efforts of the 677 employees and contractors fully devoted to information security across the department, the IG said.

GAO-10-2, Information Technology: Agencies Need to Improve the Implementation and Use of Earned Value Techniques to Help Manage Major System Acquisitions, October 8, 2009

2009-11-05T23:00:00Z

In fiscal year 2009, the federal government planned to spend about $71 billion on information technology (IT) investments. To more effectively manage such investments, in 2005 the Office of Management and Budget (OMB) directed agencies to implement earned value management (EVM). EVM is a project management approach that, if implemented appropriately, provides objective reports of project status, produces early warning signs of impending ...