Friday, February 29, 2008

PCI Compliance Among Retailers Growing

Data show that retailers across the country are increasingly meeting the Payment Card Industry standards (the PCI standards), which were established in late 2006. The standards represent a move by the industry to protect the data stored in payment card systems from attackers. A useful summary of the standards can be found at http://www.pcicomplianceguide.org/.

Tuesday, February 26, 2008

The Good and Bad of Tagalong Technology

Various mobile "consumer" devices, such as BlackBerries and iPhones, can connect to and sync with corporate networks, in effect extending the network in ways IT never authorized. The result can be a sharp decline in security. Some companies, however, are taking the step of limiting the devices that their personnel are allowed to connect to the network. We'll see more of this until the makers of consumer devices incorporate appropriate security features that make them safe as extensions of the corporate network.

IBM SJ 46-4 | Changing the corporate IT development model: Tapping the power of grassroots computing

Auditors and controls experts have long stressed the need for users to be involved in development activities. Take this to its extreme, with users driving the process and without the expensive traditional structure, and you have grassroots computing: a recently fashionable technique that puts the people who use the system in the driver's seat when development takes place. It's an idea that seems to work for many. However, there does need to be some structure and control around the activity to keep it from going off the rails. It becomes a question of balance without sacrificing the essential idea.

Tuesday, February 19, 2008

Some research has shown that as much as three quarters of a company's business-critical data can be in the form of email archives. The problem is aggravated by the ability to create .pst files, which often circumvent server mailbox size limits; the limits themselves encourage employees to save their mail as .pst files on local drives. We know that the use of email has exploded in recent years. It has also been widely known that more and more critical and sensitive data is included in emails. So it is no surprise that research is beginning to show the extent to which data is stored in email archives. The implications for systems are clear: we need to formalize approaches to the use, maintenance and security of email systems and make sure they are subject to the same high levels of integrity as other aspects of the business systems.
http://www.computerworld.com/pdfs/messagelabs_death_to_pst_pdf.pdf
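One practical first step toward the "formalized approach" above is simply finding out where the .pst archives are. The script below is an added example, not part of the original post or of the MessageLabs paper; it identifies PST files by their documented header (the 4-byte magic "!BDN", with the format version at byte offset 10: 14 or 15 for ANSI, 23 for Unicode) rather than by extension, so a renamed archive such as notes.dat is still found and a text file named archive.pst is not. The directory tree it scans is constructed inside the script (temporary files with fabricated headers) so it runs offline; point find_pst_files at real home directories or file shares to use it for an inventory.

```python
import os
import struct
import tempfile

# A PST file starts with the 4-byte magic "!BDN" (dwMagic in the MS-PST header);
# wVer at byte offset 10 distinguishes ANSI (14 or 15) from Unicode (23) files.
PST_MAGIC = b"!BDN"
HEADER_LEN = 12


def pst_format(path):
    """Identify a PST by its header regardless of file extension.

    Returns "ansi", "unicode", "unknown" (magic present, unexpected version),
    or None when the file is not a PST at all.
    """
    try:
        with open(path, "rb") as fh:
            header = fh.read(HEADER_LEN)
    except OSError:
        return None
    if len(header) < HEADER_LEN or header[:4] != PST_MAGIC:
        return None
    (wver,) = struct.unpack_from("<H", header, 10)
    if wver in (14, 15):
        return "ansi"
    if wver == 23:
        return "unicode"
    return "unknown"


def find_pst_files(root, min_bytes=0):
    """Walk `root` and return every PST found, largest first.

    Every file is header-checked, so a renamed archive (notes.dat) is caught
    and a text file named archive.pst is not. `min_bytes` filters out small
    files so the report focuses on archives large enough to matter.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            fmt = pst_format(path)
            if fmt is None:
                continue
            size = os.path.getsize(path)
            if size >= min_bytes:
                hits.append({"path": path, "size": size, "format": fmt})
    return sorted(hits, key=lambda h: h["size"], reverse=True)


def write_fake_pst(path, wver, size):
    """Constructed sample: a valid-looking PST header padded to `size` bytes.

    Layout: dwMagic (4) + dwCRCPartial (4, zeroed here) + wMagicClient "SM" (2)
    + wVer (2). Only the magic and wVer are inspected by pst_format().
    """
    header = PST_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", wver)
    with open(path, "wb") as fh:
        fh.write(header.ljust(size, b"\x00"))


def demo(min_bytes=1024):
    """Build a constructed home-directory tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="pst_scan_")
    os.makedirs(os.path.join(root, "alice", "Mail"))
    os.makedirs(os.path.join(root, "bob"))
    # Unicode PST with a normal name
    write_fake_pst(os.path.join(root, "alice", "Mail", "archive.pst"), 23, 4096)
    # ANSI PST renamed to hide it from an extension-based search
    write_fake_pst(os.path.join(root, "bob", "notes.dat"), 14, 2048)
    # Small Unicode PST, below the default reporting threshold
    write_fake_pst(os.path.join(root, "bob", "stub.pst"), 23, 512)
    # Decoy: a plain text file with a .pst extension
    with open(os.path.join(root, "alice", "fake.pst"), "w") as fh:
        fh.write("not really a mailbox\n")
    return find_pst_files(root, min_bytes=min_bytes)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['size']:>8}  {hit['format']:<8}  {hit['path']}")
```

Reading only the first 12 bytes of each file keeps a scan of a large share cheap; sorting by size puts the archives most likely to hold years of sensitive mail at the top of the report.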

Friday, February 15, 2008

Security Training White Paper: Ten Ways Hackers Breach Security 2/6/2007

The ways in which hackers attack systems are an important element of the risks that go into determining controls. In this Global Knowledge white paper, ten of them are explored and explained clearly.

Monday, February 11, 2008

How to protect yourself at wireless hot spots

Employees on the move may be tempted to log into hot spots such as internet cafes and hotels. This can create a serious risk for the company, especially if there happens to be sensitive information on the laptop. There are various precautions that the company and the employee can take, such as using encrypted email and encrypted memory sticks. Security of data in motion on laptops and other mobile media is an area of growing concern and one that needs to be addressed by most companies.

Friday, February 8, 2008

Journal Article

In a recent paper in the Journal of the Association for Information Systems (JAIS) titled "A Contingency Model for Requirements Development", the authors synthesize a wide swath of literature and map out a model that links requirements development to risk profiles and risk resolution. The linkage to risk is of particular interest to IS Assurance.

Thursday, February 7, 2008

2007 Global Information Security Survey - Risk Advisory Services - Ernst & Young

Ernst & Young has released its annual survey of information security. In this edition, it takes the approach of linking security more fully to the achievement of overall business objectives, something that is often not given due consideration.

Tuesday, February 5, 2008

Opinion: Security policy in the age of compliance

Setting a security policy that is both reasonable and covers the major risk areas is a difficult task. There is evidence that employees will ignore policy that they don't see as necessary. But the security policy is an important element of a secure system, and one that also matters to IS Auditors. This article covers these issues and is the concluding part of a series of articles centered around the "Age of Compliance".

Friday, February 1, 2008

The Institute of Corporate Directors and KPMG's Audit Committee Institute recently released their 2nd annual survey of audit committee members. The survey explored such questions as how effective your audit committee is (a majority said it is effective) and what the major issues facing your committee are. The list of major issues was topped by Risk Management and Internal Control, followed by Accounting Judgements and Issues. It appears the emphasis on internal controls over the past few years is continuing. You can download the report at:
http://www.icd.ca/Docs/AC_Survey_07_Web.pdf