Tuesday, September 29, 2009

The Telus-Rotman IT Security Study
by Gerald Trites

Telus and the Rotman School of Management have released a major survey of the state of IT security in Canada. Based on interviews with more than 300 Canadian IT specialists, the survey concludes that, overall, Canadian IT security compares well with that of the US and other parts of the world. The reason is that Canadian firms and organizations have invested heavily in security in recent years because of PCI and PIPEDA concerns. Nevertheless, the survey indicates that Canadian organizations may not yet have realized the full benefit of those investments: the maturity of security implementation in Canada lags behind the US, Europe and Asia.

The survey concludes that more attention should be paid to such matters as performance metrics, the use of those metrics in performance evaluation, and encryption at the database and other storage levels.

The study is downloadable from the Telus website. It is the first in a series; four more are anticipated.

Enterprise Risk Management - A Balance

"Enterprise risk management and enterprise performance management are really two sides of the same coin. To achieve balance between the two, companies must fully integrate risk management with their operating model, performance goals and decision-making frameworks—the layers of day-to-day accountability within the organization as well as the bigger rules and governance structures by which it operates."

The economic downturn has revealed weaknesses in the traditional ERM controls approach, and this article on the Accenture site explores some alternatives.

Friday, September 25, 2009

Extending Enterprise Risk Management (ERM)

Earlier in the year, PricewaterhouseCoopers released a white paper detailing an extended approach to enterprise risk management.

"Extending Enterprise Risk Management (ERM) to address emerging risks looks at how organisations identify, assess, and manage risks; what techniques they are using as the basis for determining response strategies that align with their strategy; and risk appetite and tolerance.
The paper proposes a 4-step framework organisations can use to better protect themselves and even further their strategies and objectives by embedding this discipline into their risk management culture:
  • Identify emerging risks relevant to the organisation
  • Assess the risk’s significance, interconnectedness with other risks, and implications to the business
  • Determine risk response strategies, considering collaboration with external parties
  • Routinely monitor emerging risks through effective use of indicators"
The paper can be downloaded from the PWC site.

Tuesday, September 22, 2009

Patch Management

A recent report released by the SANS Institute finds that unpatched client-side applications are a major security risk; they came in at number one.

The main issue with unpatched applications is that attackers devote special attention to known security flaws in widely used applications such as Microsoft Office and QuickTime. The vendors know this and continually issue updates to deal with the identified flaws. But if users don't install those updates, their systems remain exposed to flaws that are already public.

Keeping application patches regular and up to date is a crucial aspect of good control and security. Most administrators realize this, but not everyone has an effective program for patch management. See this article on CIO.com.
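One concrete piece of a patch management program is knowing which installed applications sit below the version that contains the fix. The following is an added example written for this post, not code from the SANS report or the CIO.com article: it compares a constructed inventory export against a constructed baseline of minimum patched versions. The application names, version numbers and inventory lines are illustrative, not real advisory data. The point it makes that the paragraph does not is that versions must be compared numerically; a plain string compare ranks "7.10.1" below "7.6.4" and would either miss or falsely flag hosts.

```python
"""Patch-compliance check: report inventory entries whose installed version
is below the minimum patched version for that application.

Added example; baseline values and inventory lines are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed baseline: lowest version that contains the fix for each app.
MIN_PATCHED: Dict[str, str] = {
    "office": "12.0.6514",
    "quicktime": "7.6.4",
    "reader": "9.1.3",
}

# Constructed inventory export: host,application,installed_version
INVENTORY = """\
host01,office,12.0.6425
host01,quicktime,7.6.4
host02,office,12.0.6514
host02,quicktime,7.10.1
host03,reader,9.1.2
host03,quicktime,7.9
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.6.4' into (7, 6, 4) so that comparison is numeric.

    A string compare would rank '7.10.1' below '7.6.4' because '1' < '6'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_patched(installed: str, minimum: str) -> bool:
    """True if the installed version is at or above the minimum patched one."""
    a, b = parse_version(installed), parse_version(minimum)
    # Pad the shorter tuple with zeros so that 7.6 compares equal to 7.6.0.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def find_unpatched(inventory: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, app, installed_version) for every entry below baseline.

    Applications with no baseline entry are skipped rather than reported,
    so the output only contains hosts a known fix would actually remediate."""
    findings: List[Tuple[str, str, str]] = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line:
            continue
        host, app, version = (f.strip() for f in line.split(","))
        minimum = baseline.get(app)
        if minimum is not None and not is_patched(version, minimum):
            findings.append((host, app, version))
    return findings


if __name__ == "__main__":
    for host, app, version in find_unpatched(INVENTORY, MIN_PATCHED):
        print(f"{host}: {app} {version} is below patched baseline {MIN_PATCHED[app]}")
```

Run against the constructed inventory, only host01's Office build and host03's Reader build are reported; host02's QuickTime 7.10.1 is correctly accepted even though it sorts below 7.6.4 as a string.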

Wednesday, September 16, 2009

Cloud Security

More companies and organizations have been moving into cloud computing for budgetary reasons, hoping to save costs. But one major concern is holding many of them back from a greater commitment: security. However, although there is concern, there is also a lack of action; not much is being done about it. It is true that a Cloud Security Alliance (CSA) was formed last year, consisting of numerous major companies, but progress by that group has been slow. It has conducted a survey of security concerns and potential solutions and has issued some preliminary guidance, but that guidance has not been finalized or updated. Companies themselves have been withholding support for the cloud rather than addressing the issues.

Cloud computing is likely a permanent feature of the information systems landscape, and there is a real need for systems security organizations to step in and provide guidance. There is also a real need for companies that are moving into the cloud to help the industry find and adopt the solutions necessary to stop security issues from being a barrier to adoption. More on this at InformationWeek.

Sunday, September 13, 2009

Cyber Insurance - A Valuable Risk Management Tool

There are those who say that the traditional means of obtaining assurance on financial information and systems no longer work well and that the best approach is to buy insurance. Others say that such insurance would be prohibitively costly.

Cyber insurance has nevertheless been growing in recent years. It insures against loss from cyber crime such as network breaches, hacking and malicious viruses.

It does not relieve the buyer of all responsibility to maintain a secure system, but it does offer some mitigation for losses arising from cyber crime. Volume more than tripled from 2002 to 2006 (the latest figures available), which indicates strong interest and a growing recognition of the need for this insurance.

Wednesday, September 9, 2009

The Dangers of the Cloud

New research supports what everyone has feared: there are dangers to data in cloud computing. Specifically, the research, carried out by a team from the University of California and MIT, has uncovered methods by which servers shared in the cloud can be targeted using techniques referred to as cross-VM attacks. The attackers would set up a VM on the same physical host as the target and then launch their attacks from there.

The research, thankfully, also identifies some approaches to mitigation, including placing VMs so that a physical host is shared only with VMs from trusted sources. Elementary, perhaps, but something that needs to be addressed in cloud computing.

The paper is available online and is definitely worth some study time.
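The mitigation mentioned above, hosts shared only with trusted sources, comes down to a placement decision in the provider's scheduler. The following is an added example written for this post, not code from the University of California / MIT paper or from any cloud provider: it contrasts a naive first-fit scheduler, which happily puts a stranger's VM beside the target, with a tenant-aware scheduler that only fills a host with mutually trusting tenants. The host names, tenant names and trust lists are constructed for illustration.

```python
"""Tenant-aware VM placement versus naive first-fit.

Added example. A VM is placed on a host only if every tenant already
resident there is mutually trusted by the requester, so an attacker cannot
engineer co-residence with a target simply by launching VMs until one lands
on the same hardware. Names and trust lists below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Host:
    name: str
    capacity: int                                   # number of VM slots
    vms: List[str] = field(default_factory=list)    # owning tenant per VM

    def tenants(self) -> Set[str]:
        return set(self.vms)

    def has_room(self) -> bool:
        return len(self.vms) < self.capacity


# Constructed trust policy: each tenant names the tenants it will share a
# physical host with. A tenant is always allowed beside its own VMs.
TRUSTED: Dict[str, Set[str]] = {
    "bank": set(),                 # dedicated hosts only
    "shop": {"shop-dev"},          # shares only with its own dev tenant
    "shop-dev": {"shop"},
    "attacker": {"bank", "shop"},  # one-way "trust" buys the attacker nothing
}


def may_share(requester: str, resident: str) -> bool:
    """Trust must be mutual: both tenants have to accept each other."""
    if requester == resident:
        return True
    return (resident in TRUSTED.get(requester, set())
            and requester in TRUSTED.get(resident, set()))


def place_first_fit(tenant: str, hosts: List[Host]) -> Optional[str]:
    """The weak policy: first host with free capacity, whoever is on it."""
    for host in hosts:
        if host.has_room():
            host.vms.append(tenant)
            return host.name
    return None


def place(tenant: str, hosts: List[Host]) -> Optional[str]:
    """The hardened policy: first host with room whose every resident tenant
    is mutually trusted by the requester; None if no such host exists."""
    for host in hosts:
        if not host.has_room():
            continue
        if all(may_share(tenant, resident) for resident in host.tenants()):
            host.vms.append(tenant)
            return host.name
    return None


def fresh_hosts() -> List[Host]:
    """Constructed starting state: bank on h1, shop on h2, h3 empty."""
    return [Host("h1", 2, ["bank"]), Host("h2", 2, ["shop"]), Host("h3", 2)]


def demo() -> Dict[str, Optional[str]]:
    """Run both schedulers on the same starting state and report placements."""
    naive, policy = fresh_hosts(), fresh_hosts()
    results: Dict[str, Optional[str]] = {}
    results["naive_attacker"] = place_first_fit("attacker", naive)  # h1, beside bank
    results["attacker"] = place("attacker", policy)                 # h3, the empty host
    results["shop-dev"] = place("shop-dev", policy)                 # h2, mutual trust with shop
    results["attacker_again"] = place("attacker", policy)           # h3, its own VM is there
    results["attacker_third"] = place("attacker", policy)           # None: no safe host left
    return results


if __name__ == "__main__":
    for label, host in demo().items():
        print(f"{label:15s} -> {host}")
```

Note that the attacker listing "bank" and "shop" as trusted does not help it: trust is checked in both directions, so the only hosts it can ever land on are empty ones or ones already running its own VMs, and once those fill up the request is refused rather than placed beside someone else.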

Monday, September 7, 2009

Controls Monitoring Guidance - COSO

COSO has released new Guidance on Monitoring Controls. "The COSO board recognizes that management's assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing. Effective monitoring can help streamline the assessment process, but many organizations do not fully understand how to take full advantage of this important component of internal control. COSO’s Monitoring Guidance is designed to improve the use of monitoring. . ." The Guidance book is available at this site.