Thursday, December 9, 2010

Flowchart Power In IT Auditing

We have a new article soon to be published on the power of flowcharts in IT auditing. Flowcharts are especially useful in auditing critical applications and software such as enterprise resource planning (ERP) systems (e.g. Oracle e-Business Suite, SAP) and service-oriented architecture (SOA) systems. Below is an excerpt from the article relating to the content that can be included in a flowchart:

'Our team of IT auditors uses Microsoft Visio extensively to create flowcharts and to analyze business processes...
Flowcharts can also be used to clarify controls on data inputs, processing and outputs. Input controls may consist of edit and validation checks. Processing controls may consist of control totals or milestones. Output controls may consist of error checking and reconciliations. An auditor can then identify areas within a business process with weak or non-existent controls.'
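The three control points named in that excerpt (input edit and validation checks, processing control totals, output reconciliation) worked through as an added example; this is not code from the article or from the Continental Audit team. It is a small batch-posting pipeline in Python in which each control point records its exceptions so that an auditor can see which control fired and which did not. The batch header, the four records, the account format and the currency list are all constructed for illustration.

```python
"""Added example: a batch pipeline instrumented at the three control points
described in the flowchart excerpt. All data below is constructed."""
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Tuple

# Constructed batch header: the sender declares a record count and an amount
# (hash) total so the receiver can detect lost, added or altered records.
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("1450.00")}

# Constructed input rows: record id, account, amount, currency.
RAW_RECORDS = [
    "1001,ACC-100,250.00,USD",
    "1002,ACC-200,-75.00,USD",   # negative amount: should fail the edit check
    "1003,ACC-300,1200.00,USD",
    "1004,ACC-4OO,75.00,USD",    # letter O instead of zero: malformed account
]

ACCOUNT_RE = re.compile(r"^ACC-\d{3}$")   # assumed account format
ALLOWED_CURRENCIES = {"USD", "EUR"}       # assumed currency list


@dataclass
class Record:
    record_id: str
    account: str
    amount: Decimal
    currency: str


@dataclass
class ControlLog:
    """One list per control point; an empty list means the control passed."""
    input_rejections: List[Tuple[str, str]] = field(default_factory=list)
    processing_exceptions: List[str] = field(default_factory=list)
    output_exceptions: List[str] = field(default_factory=list)


def validate_record(row: str) -> Tuple[Optional[Record], str]:
    """Input control: edit and validation checks on one raw row."""
    parts = [p.strip() for p in row.split(",")]
    if len(parts) != 4:
        return None, f"expected 4 fields, got {len(parts)}"
    record_id, account, amount_text, currency = parts
    if not ACCOUNT_RE.match(account):
        return None, f"malformed account '{account}'"
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        return None, f"non-numeric amount '{amount_text}'"
    if amount <= 0:
        return None, f"amount must be positive, got {amount}"
    if currency not in ALLOWED_CURRENCIES:
        return None, f"unsupported currency '{currency}'"
    return Record(record_id, account, amount, currency), ""


def check_control_totals(accepted: List[Record], header: Dict, log: ControlLog) -> None:
    """Processing control: compare accepted records with the declared batch totals."""
    count = len(accepted)
    total = sum((r.amount for r in accepted), Decimal("0"))
    if count != header["record_count"]:
        log.processing_exceptions.append(
            f"record count {count} != declared {header['record_count']}")
    if total != header["amount_total"]:
        log.processing_exceptions.append(
            f"amount total {total} != declared {header['amount_total']}")


def post_to_ledger(accepted: List[Record]) -> Dict[str, Decimal]:
    """Processing step: post each accepted amount to its account balance."""
    ledger: Dict[str, Decimal] = {}
    for r in accepted:
        ledger[r.account] = ledger.get(r.account, Decimal("0")) + r.amount
    return ledger


def reconcile_output(ledger: Dict[str, Decimal], accepted: List[Record], log: ControlLog) -> None:
    """Output control: reconcile posted balances back to the accepted input, per account and in total."""
    expected: Dict[str, Decimal] = {}
    for r in accepted:
        expected[r.account] = expected.get(r.account, Decimal("0")) + r.amount
    for account in sorted(set(expected) | set(ledger)):
        if expected.get(account) != ledger.get(account):
            log.output_exceptions.append(
                f"{account}: posted {ledger.get(account)} != accepted {expected.get(account)}")
    if sum(ledger.values(), Decimal("0")) != sum(expected.values(), Decimal("0")):
        log.output_exceptions.append("grand total of posted balances does not match accepted input")


def run_batch(rows: List[str], header: Dict) -> Tuple[Dict[str, Decimal], ControlLog]:
    """Run input, processing and output controls over one batch; return the ledger and the control log."""
    log = ControlLog()
    accepted: List[Record] = []
    for row in rows:
        record, reason = validate_record(row)
        if record is None:
            log.input_rejections.append((row.split(",")[0].strip(), reason))
        else:
            accepted.append(record)
    check_control_totals(accepted, header, log)
    ledger = post_to_ledger(accepted)
    reconcile_output(ledger, accepted, log)
    return ledger, log


if __name__ == "__main__":
    ledger, log = run_batch(RAW_RECORDS, BATCH_HEADER)
    print("ledger:", ledger)
    print("input rejections:", log.input_rejections)
    print("processing exceptions:", log.processing_exceptions)
    print("output exceptions:", log.output_exceptions)
```

Running it shows why a flowchart should mark both a count and an amount control total at the processing step: the two rejected amounts (-75.00 and 75.00) cancel, so the amount total still agrees with the header and only the record-count check reports the two missing records. An auditor who finds only an amount total on the flowchart would flag that as a weak processing control.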

Wednesday, November 17, 2010

US Department Of Defense Creates New Cyber Command

The US Department of Defense recently created a Cyber Command (CYBERCOM) to protect government and military IT infrastructure. Cyber Command was officially launched on October 1, 2010.

This development signifies that the US government recognizes that IT is critical to the defense and economy of the country as a whole. There is also a recognition of the increasing threats against America’s technology infrastructure.

General Keith Alexander has been director of the National Security Agency (NSA) and will now also lead Cyber Command. One idea that General Alexander has proposed is to create a safe zone on the internet dedicated to critical infrastructure including the financial, electric utility and defense industries.

http://fcw.com/blogs/cybersecurity/2010/05/cyber-command-activated.aspx
http://www.securityweek.com/cyber-command-cybercom-reaches-full-operation-capability

Monday, November 1, 2010

Gartner’s 'Top 10 Strategic Technologies for 2011' just released

The recently released ‘Top 10 Strategic Technologies for 2011’ from Gartner Inc. is worthwhile reading. These are technologies that can significantly impact a business. Companies should consider this information in their annual strategic planning.

Technologies such as cloud computing and social networking are on the list as would be expected in light of the huge volume of news published on these topics. Other technologies on the list may be a surprise.

The information is available at:
http://www.gartner.com/it/page.jsp?id=1454221

Monday, October 25, 2010

ISACA Journal article - ‘FISMA 2010: What it Means for IT Security Professionals’

The US Federal Information Security Management Act (FISMA), passed in 2002, launched the major cybersecurity efforts of the US federal government. This article is an update on FISMA as the ‘centerpiece’ of all US laws to improve cyberdefense. The ‘family’ of National Institute of Standards and Technology (NIST) Special Publications is a direct extension of FISMA and plays a big role in the security of US government information assets.

We are big fans of NIST Special Publications and use them extensively in our audits. The article also refers to recent US Government Accountability Office (GAO) reports on the huge increase in attacks on federal information systems in the last few years.

We recommend this article to anyone in the IT audit and security industry whether they work in the government or in the private sector.

References:
Modi, Tarak (CISA, CISSP, PMP). 'FISMA 2010: What It Means for IT Security Professionals.' ISACA Journal, 2010, Volume 5. http://www.isaca.org/Journal/Past-Issues/2010/Volume-5/Pages/default.aspx

National Institute of Standards and Technology, Computer Security Division. Special Publications. http://csrc.nist.gov/publications/PubsSPs.html

Sunday, October 17, 2010

DarkReading.com is an excellent dashboard on IT security

We have become big fans of the 'Dark Reading' website (www.darkreading.com) on IT security. The site is the result of combining CMP Media's Secure Enterprise and Security Pipeline publications - part of United Business Media's Techweb (www.techweb.com). The mission is basically comprehensive coverage of IT and information security - a 'security dashboard' for IT professionals.

There are specialized webpages on application security, perimeter security, security management and more. We are regular readers of the database security page. Bravo! Pass the good word on this excellent site.

Tuesday, October 5, 2010

2010 Oracle Database surveys – widespread weakness in database security and control

Two new surveys were published recently on data security and database growth. These are 2010 surveys sponsored by Oracle Corporation, conducted by Unisphere Research and published by the Independent Oracle Users Group (IOUG) – see links below.

The surveys found that there is widespread weakness and vulnerability in commercial databases. In spite of government and industry regulations around the world, there is a continuing problem of weak database security and control.

The surveys found that a majority of companies are expecting a data security incident or attack in the next 12 months. Only 30% of companies are encrypting personally identifiable information – the most sensitive data. An even smaller number of companies have controls to prevent privileged users from accessing sensitive data. Companies do not appear to have a good handle on database security.

There is much work to be done. Our opinion at Continental Audit is that this is an urgent issue. A company’s data is its ‘crown jewels.’ It should be protected accordingly.

The surveys can be found at the following URLs:
http://www.ioug.org/tabid/90/Default.aspx
http://www.oracle.com/newsletters/information-indepth/security/oct-10/iougsurvey.html?msgid=3-2401132434

Tuesday, September 21, 2010

Economist article on risks to an open, free and global internet

We read an Economist article recently titled 'A Virtual Counter-Revolution' (Economist, Sept 2, 2010 issue, see link below). The article makes the point that although the internet has been a free and open global communication network, there are now powerful forces threatening to 'balkanize' it into proprietary, restricted and controlled digital spaces.

The main culprits are three separate forces. First, governments are setting limits on what is and what is not acceptable. Second, global companies are carving out their own restricted spaces where they control the activity. Third, large telecom carriers are moving to control and prioritize digital traffic.

We encourage our friends and clients to take a look at this interesting article.
http://www4.economist.com/node/16941635

Tuesday, September 14, 2010

IT Audit Standards from ISACA and IIA

We have just updated ourselves on the latest IT audit standards from ISACA and the Institute of Internal Auditors (IIA) – our senior management are members of both organizations.

It is worth mentioning that the ISACA IT Audit and Assurance Standards S10 ‘IT Governance’ and S11 ‘Use of Risk Assessment in Audit Planning’ are subject areas that have presented difficulties to many IT audit shops. IT Governance has gotten a lot of attention in recent years and rightfully so in our opinion. ISACA has volumes of information on this subject.

We encourage industry professionals to review these standards. Not only are these standards required of ISACA members, but they can be seen as ‘best practices.’

http://www.isaca.org/Knowledge-Center/Standards/Pages/Standards-for-IT-Audit-and-Assurance-English-.aspx

Saturday, July 3, 2010

Recent experience in auditing Oracle and IBM DB2 databases

In recent audits of Oracle and DB2 databases, our Continental IT auditors have seen consistent issues with database monitoring. Vendor best practices call for regular monitoring of response time, throughput and resource utilization. Many companies are not meeting these objectives mainly due to a misunderstanding of these controls. We intend to write an article about our recent experiences that will cover best practices and guidance in implementing strong controls. Stay tuned.

Sunday, May 23, 2010

New article published titled 'Top Ten Sources of IT Security Best Practices'

Our article titled ‘Top Ten Sources of IT Security Best Practices’ was just published by Associated Content (www.associatedcontent.com). We want to write a preview of the article here to highlight this valuable information which can be useful to a wide range of IT professionals.

The sources of IT security best practices are all international and governmental organizations. Each source has a different approach to security, risk and control.

The most comprehensive sources of best practices are the COBIT framework published by ISACA (www.isaca.org) and the ISO 27001 standard on ‘IT Security Techniques’ (www.iso.org). Some of the more specific and technical sources are the Center for Internet Security Benchmarks (www.cisecurity.org) and the Open Web Application Security Project (www.owasp.org).

The detail on each source is included in the article which can be found at the following link:
www.associatedcontent.com/article/3008988/top_ten_sources_of_it_security_best.html

Wednesday, May 5, 2010

Top 10 sources of IT best practices - upcoming article

We will be publishing a short article soon on the subject of the "top 10 sources of IT best practices". The top ten list will be especially useful to IT auditors who need 'best practice' documentation. So stay tuned for the upcoming article which we hope will add value to the IT and audit communities.