Vol. 10, December 10, 2007
To Vista or Not to Vista?
Switching to Windows Vista is a decision that needs to be made carefully. Looking at the risks associated with Microsoft's latest operating system can help organizations make a decision that fits their strategic IT goals.
In addition, senior managers need to consider the current legal landscape with respect to Linux. As Gibbs describes, "there are still licensing, intellectual property, and other legal matters before several courts that have yet to be decided, which may impact an organization's decision to switch over to Linux, although most of the broad cases to date have been decided in favor of the Linux community."
Furthermore, there are strategic risks to consider, especially alignment with organizational goals and core competencies. "The switch to Linux might necessitate a change in the organization's staffing model, IT department skill sets, and an increased capital commitment to the IT budget, especially if the decision is made to become self-supporting," Gibbs continues. "The organization also might need to establish and develop new relationships with a different set of software vendors if pursuing an externally supported Linux environment."
Internal auditors need to consider Vista implementation from two perspectives: as part of the organization's overall risk assessment plan and as part of their audit universe (i.e., the auditor's toolkit), explains Mar. For instance, what risks could the use of Vista introduce to the organization that did not previously exist? Will the audit department deploy Vista as an operating system to perform audit projects? And if so, how will future audit projects be impacted by this change? Answers to these questions, Mar points out, will depend on the IT department's or CIO's strategic direction.
"For the internal auditor, the decision to deploy Vista will probably depend on the CIO or IT department's strategy," says Mar. "Because the CIO may decide to deploy, postpone, or not use Vista, the internal auditor should consider the risks and impact of each option." Additionally, the auditor should contact the organization's software vendor and inquire about the vendor's future plans to become Vista compatible. According to Mar, if the auditor uses in-house supported tools, the question should be asked of the CIO or IT department regarding the organization's level of support and compatibility. Other questions auditors should ask when deciding whether to deploy Vista include:
As the move to Vista continues around the world, internal auditors need to recommend that senior managers carefully study their situation and weigh all their options. Only then can a decision be made that best meets the organization's current and future IT needs without causing major disruptions in work productivity. As Mar concludes, "Whether the organization will switch over to Vista or use a different operating system such as Linux, the roll-out approach should be the same and be as seamless a process as possible."
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.
If an organization creates, processes, or stores personal information, most if not all data breaches will result in some type of mandatory public disclosure, which can be devastating to the business. In particular, a data privacy breach may lead to loss of customer support, regulatory investigations, and substantial fines. What's more, in many jurisdictions class action lawsuits are becoming the norm for data breaches involving significant numbers of affected individuals.
Given the number and complexity of privacy laws and regulations worldwide, and the severe penalties for violating them, every organization should strive to prevent the improper disclosure or use of personal customer or employee information. However, understanding the compliance requirements of each applicable law can be daunting. To make this task a little easier, internal auditors can help organizations reduce this learning curve by pointing out common compliance areas that overlap different data privacy laws and regulations. This, in turn, will help the organization choose and implement a compliance program that effectively mitigates internal and external security threats and stays up-to-date with the latest regulatory changes.
Establishing an effective data security and privacy compliance program takes time, especially when the organization has to comply with several regulations, some of which may span country boundaries. Part of the task entails learning as much as possible about the different requirements the organization must comply with. Below is a summary of the main laws and regulations companies worldwide could encounter during their day-to-day operations. These include: state-level privacy breach disclosure laws in the United States, the U.S. Gramm-Leach-Bliley Act (GLBA), the U.S. Health Insurance Portability and Accountability Act (HIPAA), Australia's Privacy Law, Canada's Privacy Laws, the European Union (EU) Directive on Data Protection of 1995, the Organization for Economic Cooperation and Development (OECD) Guidelines, and the Payment Card Industry Data Security Standard (PCI DSS).
State-level Privacy Breach Disclosure Laws in the United States
To date, more than 35 U.S. states have adopted security breach disclosure laws. While the details of each law vary slightly from place to place, most of them follow a fairly consistent pattern. First, they offer a definition of the personal information that they apply to. For instance, most state privacy laws offer similar or even identical definitions of personal information. Here is an example from California's Senate Bill 1386 (SB-1386), which was the first state security breach disclosure law to be enacted:
'For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Besides personal information, state laws identify what constitutes a reportable security breach and when an acceptable notification of the breach should take place. A reportable security breach is usually defined as the unauthorized acquisition of digital data that compromises the security, confidentiality, or integrity of the stolen personal information, while an acceptable notification of the breach should take place only when personal information was or is believed to have been acquired by an unauthorized person. For instance, most state laws require an organization that owns or licenses data to directly notify the persons whose data was disclosed. Organizations that do not own or license the disclosed information must also notify the owner or licensor of the data. In cases like these, disclosure of the breach must be made promptly, unless law enforcement requests that the notification be delayed.
Finally, many state privacy laws allow for affected consumers to sue for damages, and some even allow for treble damages. Treble damage provisions typically apply to anyone who has been harmed (e.g., an identity theft victim) as a result of a security breach. Some states offer very limited restrictions on this ability but, in general, if a treble damage provision exists, it applies to any resident of that state who has been harmed by a security breach as defined by the state's privacy law.
This act made many changes to the way financial services firms are organized and regulated. The act also contains language that protects the privacy of an individual's personal information by requiring financial institutions to define their privacy practices, create a privacy notice that explains those practices, and distribute the privacy notice on a yearly basis to customers (i.e., someone who has a long-term or ongoing relationship with a financial institution).
In addition, GLBA requires financial institutions to provide copies of their privacy notice to consumers (i.e., someone who uses the organization's services but does not have an ongoing relationship with the financial institution) if the institution shares data with unaffiliated companies. Note that this provision does not apply if the data sharing is done to provide essential services (e.g., account servicing), is legally required, or is used to market an organization's products and services.
GLBA also gives individuals the right to opt out of certain data sharing arrangements that the financial organization may have established. For example, an individual may be allowed to limit or block the transfer of his or her information to non-affiliated companies for telemarketing, direct mail marketing, or e-mail marketing activities related to the non-affiliated company's products or services. However, a financial institution can still send data to an unaffiliated company that is performing a service on behalf of the financial institution, and the individual can't opt out.
When complying with GLBA, it is important to understand that financial institution is defined broadly; even if an organization is not a bank, it may have to comply with GLBA. This is important to note because certain GLBA provisions require financial institutions to implement safeguards that:
GLBA, however, does not go into much detail about the specific technical, managerial, or operational safeguards that must be implemented. This task is left to the eight federal and state agencies that are empowered to enforce the provisions of GLBA: the U.S. Federal Trade Commission, the Office of the Comptroller of the Currency, the U.S. Federal Reserve Board, the Board of Directors of the Federal Deposit Insurance Corporation, the Director of the Office of Thrift Supervision, the Administrator of the National Credit Union Administration, the U.S. Securities Exchange Commission, and state insurance regulators.
HIPAA affects many aspects of health care, including the privacy and security of private health information. The act's requirements apply to a covered entity, which is defined as an organization that is any of the following: a health plan, a health-care clearinghouse, or a health-care provider who transmits health information in electronic form in connection with a defined list of transactions. According to the act, covered entities must do the following:
HIPAA defines 42 security measures, referred to as implementation specifications, which may be required or optional for implementation. Required specifications include: the creation of a security management process, a risk analysis, enforcement of security policies, data backups, and implementation of a disaster recovery plan that specifies how to recover and restore lost data, among others. (For more information about HIPAA, read "Enhancing HIPAA Security Rule Compliance Efforts" published in ITAudit’s Aug. 10, 2006 issue.)
Australia's Privacy Law
The Australian Federal Privacy Act defines 11 Information Privacy Principles that apply to government agencies (read "Information Privacy Principles" sidebar for more information) and 10 National Privacy Principles (i.e., collection, use and disclosure, data quality, data security, openness, access and correction, identifiers, anonymity, transborder data flows, and sensitive information) that apply to private organizations and health services providers.
According to the act, collected information must be used for a lawful purpose only. Individuals must be informed of the purpose for which the information is being collected, whether the collection is mandated or authorized by law, as well as of any other persons or organizations their information is usually shared with. Furthermore, record keepers must ensure that information is current and complete, establish safeguards to prevent the unauthorized disclosure of collected information, and attempt to ensure that other persons or organizations that receive the information do the same, among other activities.
Canada's Privacy Laws
Canada has a privacy law for the government sector and another for the private sector. The Privacy Act applies to the government sector, while the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the private sector. Because Canada is also a member of the OECD, both of these laws adhere to OECD guidelines.
In essence, the Privacy Act states that no personal information can be collected by a government organization unless it relates directly to an operating program or activity of the same institution. The organization, therefore, should only collect personal information that is intended to be used for an administrative purpose concerning the individual to whom it relates, except where the individual authorizes otherwise. In addition, government organizations need to take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date, and complete as possible. Furthermore, the organization needs to dispose of the personal information in accordance with the regulations and any directives or guidelines issued by the designated minister in relation to the disposal of that information.
On the other hand, the PIPEDA references the Model Code for the Protection of Personal Information, a set of guidelines that also follow the OECD guidelines. According to this act, any organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate under the circumstances. In addition, an organization may, without the knowledge or consent of the individual, use personal information only if:
EU Directive on Data Protection of 1995
In the EU, the most important legislation concerning the protection of private information is the Directive on Data Protection of 1995, which regulates the processing and storage of personal data. While the directive's definitions for the processing and storage of personal data are broad enough to effectively cover nearly every conceivable use of personal information, there are limited exceptions for areas such as national defense or law enforcement. For instance, the directive defines the processing of personal data as any operation that is performed on the data, whether this processing is automated or not.
According to the directive, data may not be processed unless:
The directive also applies to data processors, which are companies or data centers that operate in EU member countries. Interpretation of the rules is left to individual EU member states, which are empowered and directed to implement laws regulating data processing that are compatible with overall EU directives. For additional information about the Directive on Data Protection, visit the EU's law Web site.
After recognizing the need to protect privacy rights while allowing the free flow of information between its member states, the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. These guidelines provide a common set of standards that allow the exchange of personal information in the public or private sectors between OECD member countries.
The OECD guidelines, like other privacy standards, define a number of critical terms. These are:
The guidelines then establish a set of eight principles that member states must follow:
The PCI DSS
This standard addresses information security requirements for organizations that process credit card data. More specifically, the standard requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt aggressive security controls that ensure the integrity of customer information. To obtain the compliance certificate, the standard requires organizations to complete a series of 12 steps to be certified annually and checked quarterly. These steps are organized in six categories:
While the compliance requirements for all processors are the same, the audit and verification requirements vary depending on factors such as the number of transactions or accounts processed annually. For example, merchants that process more than 6 million transactions per year, have suffered a security breach that resulted in account data exposure, or are specifically designated by a card issuer (e.g., VISA or MasterCard) must undergo an annual PCI DSS compliance audit and quarterly network vulnerability scans. In addition, credit card service providers, payment gateways, or credit card processors that handle more than 1 million transactions or accounts annually must also undergo an annual PCI DSS compliance audit and quarterly network vulnerability scans.
Although the PCI DSS is not a law, its effect is much the same. Violations of PCI DSS security requirements can lead major credit card companies to stop doing business with a processor or merchant. This is what happened to CardSystems Solutions after a security breach exposed data on 40 million accounts. (For more information about the standard, read "Is Your Organization Ready for a PCI Standard Audit?" published in the June 10, 2006 issue of ITAudit.)
GETTING TO KNOW THE LAW
In today’s political and economic environment, individuals, states, and nations are increasingly intolerant of improper use or disclosure of private information, whatever the cause. As a result, many privacy protections continue to be enacted as law all over the world reflecting a global desire for personal privacy and a reaction to abuses of privacy, such as identity theft. However, while these regulations aim to protect personal information, their increase in numbers is making compliance efforts quite expensive and complex.
Although the language used varies significantly from country to country, the same basic themes and issues show up time after time in current law, industry standards, and proposed legislation. For instance, organizations are expected to respect individuals' privacy by collecting, using, and disclosing personal data only for legitimate purposes. Organizations are also expected to be open about their practices and to allow individuals to review the data that is collected about them. Last, but not least, organizations are expected to implement effective security safeguards to prevent the improper disclosure of personal information.
As part of their work, internal auditors should familiarize themselves with applicable privacy laws and regulations and recommend that organizations examine regulations that are specific to their industry. Armed with this knowledge, auditors can provide recommendations that can help organizations design and implement compliance programs that meet different regulatory requirements and point out common requirement areas to maximize and simplify compliance efforts.
Despite recent improvements in network performance and capacity, it is essential for network administrators to periodically assess the reliability of network technology and its ability to meet business needs. Consequently, network performance assessments can help organizations determine whether the programs, hosts, and applications that are installed on the corporate network function properly. More specifically, these performance audits need to examine the network's bandwidth use, as discussed in the Nov. 10 issue of ITAudit, as well as the company's Internet use, cable performance, and e-mail server activities. To this end, auditors should assess companywide network management activities, including the network's capacity use, change management processes, incident response activities, and log monitoring functions. Following is a discussion of each of these components.
Besides network bandwidth use, violation of Internet use policies can cause network performance problems. Unauthorized network activities typically performed during work hours include:
To determine whether employees are adhering to established Internet use policies, internal auditors and network administrators can sniff (i.e., monitor and analyze) data packet traffic flowing between the organization's gateway and the Internet service provider (ISP). This can be achieved by using a switched port analyzer (SPAN) or placing a hub (i.e., a common connection point for devices in a network) between the ISP and the organization's router or firewall (refer to figure 1 for an example of a hub).
When sniffing traffic, it is important to keep in mind that data packet sniffing can lead to a self-inflicted denial of service (DoS) because of the large amount of data that is generated and captured during traffic monitoring, especially during peak work hours. As a result, auditors should use a filtering configuration, such as capturing data up to 300 megabytes (MB) or capturing only HTTP, HTTPS, file transfer protocol (FTP), or port-specific traffic. A second solution is to perform a sample sniffing activity (e.g., periodically monitoring network data for a group of clients or users) and generalize the results of this activity to the entire organization. Finally, the auditor can recommend that the organization obtain an Internet use statistics report from the ISP, if possible.
Additionally, Internet use analyses can detect malware infections in the local area network (LAN) that are the result of inappropriate Internet use or determine if applications residing in the network are using the Internet redundantly. For instance, when a worm is present in the LAN, the worm usually tries to contact a particular Internet protocol (IP) or URL to further damage the network. On the other hand, redundant Internet use occurs when all computers residing in the network individually check for and download updates or patches, which can be avoided by using a centralized patching server.
Finally, Internet use analyses can be used to determine whether the organization needs to upgrade its current Internet bandwidth and speed. To this end, auditors can monitor Internet activity through the use of proxy servers (i.e., servers that reside between a client application, such as a Web browser, and a real server to intercept client requests and forward them to the other server). Proxy servers in use today include open source types, such as SQUID, Privoxy, or Sun Java Web Proxy server, as well as commercially available ones such as Microsoft's Internet Security and Acceleration Server.
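The three findings the Internet use analysis above is meant to surface (bandwidth hogs, a host that keeps polling one external address the way a worm does, and the same update pulled separately by many clients) can be checked from a proxy log. The following is an added example, not code from the article or from the Squid project: it parses constructed lines in Squid's native access.log format and applies those three checks; the thresholds (share of traffic, number of hits, jitter in seconds, number of clients) are assumed values an auditor would tune.

```python
"""Internet-use review over Squid-style proxy log lines (added example).

Parses constructed access.log lines and reports top talkers, fixed-interval
beaconing to one external host, and downloads repeated by several clients.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid native format (not a real capture):
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1197292800.101 120 10.0.0.5 TCP_MISS/200 2048 GET http://update.example.com/patch.msp - DIRECT/198.51.100.7 application/octet-stream
1197292801.202 110 10.0.0.6 TCP_MISS/200 2048 GET http://update.example.com/patch.msp - DIRECT/198.51.100.7 application/octet-stream
1197292802.303 130 10.0.0.7 TCP_MISS/200 2048 GET http://update.example.com/patch.msp - DIRECT/198.51.100.7 application/octet-stream
1197292803.010 15 10.0.0.9 TCP_MISS/404 310 GET http://203.0.113.44/check?n=1 - DIRECT/203.0.113.44 text/html
1197292813.011 14 10.0.0.9 TCP_MISS/404 310 GET http://203.0.113.44/check?n=2 - DIRECT/203.0.113.44 text/html
1197292823.012 16 10.0.0.9 TCP_MISS/404 310 GET http://203.0.113.44/check?n=3 - DIRECT/203.0.113.44 text/html
1197292833.013 15 10.0.0.9 TCP_MISS/404 310 GET http://203.0.113.44/check?n=4 - DIRECT/203.0.113.44 text/html
1197292843.014 17 10.0.0.9 TCP_MISS/404 310 GET http://203.0.113.44/check?n=5 - DIRECT/203.0.113.44 text/html
1197292850.500 900 10.0.0.5 TCP_MISS/200 52428800 GET http://video.example.net/stream.flv - DIRECT/198.51.100.9 video/x-flv
"""


def parse_squid_line(line):
    """Return a dict for one native-format line, or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, status, size, method, url = fields[:7]
    try:
        return {
            "ts": float(ts),
            "client": client,
            "status": status,          # e.g. TCP_MISS/200
            "bytes": int(size),
            "method": method,
            "url": url,
            "host": urlsplit(url).hostname or "",
        }
    except ValueError:
        return None


def load_log(text):
    """Parse every well-formed line of an access.log body, skipping the rest."""
    records = []
    for line in text.splitlines():
        rec = parse_squid_line(line)
        if rec is not None:
            records.append(rec)
    return records


def bytes_per_client(records):
    """Total bytes served to each client address."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["client"]] += rec["bytes"]
    return dict(totals)


def top_talkers(records, share=0.5):
    """Clients whose traffic exceeds the given share of all bytes seen
    (assumed threshold; candidates for an Internet use policy review)."""
    totals = bytes_per_client(records)
    grand = sum(totals.values())
    if grand == 0:
        return []
    return sorted(c for c, b in totals.items() if b / grand > share)


def find_beacons(records, min_hits=5, max_jitter=1.0):
    """(client, host, hits, mean interval) for client/host pairs contacted at
    least min_hits times on a near-constant interval: the pattern of a worm
    repeatedly contacting one IP address or URL. Jitter is max-min gap in s."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["client"], rec["host"])].append(rec["ts"])
    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits.append((client, host, len(stamps), round(sum(gaps) / len(gaps), 1)))
    return sorted(hits)


def find_redundant_downloads(records, min_clients=3):
    """URLs successfully fetched by at least min_clients distinct clients; each
    is a download that a single central patching server could serve instead."""
    clients = defaultdict(set)
    for rec in records:
        if rec["method"] == "GET" and rec["status"].endswith("/200"):
            clients[rec["url"]].add(rec["client"])
    return {u: sorted(c) for u, c in clients.items() if len(c) >= min_clients}
```

On the constructed sample, 10.0.0.5 is the top talker, 10.0.0.9 polls 203.0.113.44 every 10 seconds, and patch.msp is fetched by three clients; on a real log, read the file and pass its contents to load_log.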
Another performance problem leading to network congestion is cable-pair connectivity. In essence, the network may experience a signal loss during a data transfer session if either of the two copper wire pairs (i.e., the four wires required for LAN connections with a transfer speed of no less than 100 MBs per second) is not properly connected end-to-end. Because any signal loss during a data transfer session could result in low network performance, auditors need to determine if the cables are connected properly. To do this, auditors need to use a pair of hardware cable testers, which are connected at the two ends of the physical network cable. When conducting the test, all lights on the cable tester must blink. If this happens, the network cable has perfect point-to-point connectivity.
Auditors need to note that the organization may choose not to use all four wires for network connectivity, such as in the case of a category five (CAT5) cable. In this case, only the lights corresponding to the wires that the organization is using should blink on the hardware cable tester. If even one light is not blinking according to the organization's cable deployment policy, then there is no perfect point-to-point connectivity within the LAN. Consequently, audit reports should clearly specify which cables had insufficient network connectivity.
E-MAIL SERVER REVIEW
Many companies implement a private or local mail server for internal and external e-mail use. For instance, the organization may have a single mailbox for all employees that is hosted by an e-mail service provider. The organization will then install a local mail server at their end to retrieve information from this single mailbox, which is then segregated locally based on employee e-mail IDs. Therefore, if an employee wishes to send an e-mail to a co-worker, the e-mail is sent through this local mail server directly to the recipient. Otherwise, the local mail server will forward the e-mail to its parent mail server for further delivery to the intended external recipient.
Key points to look for when reviewing e-mail server performance include:
These key points need to be analyzed and verified manually by the auditor along with the network or system administrator. Also, a cross-verification should be performed by analyzing e-mail server logs. For example, if spam e-mail is congesting the majority of the network's bandwidth, the organization should upgrade its existing spam-filtering solution.
NETWORK ACTIVITY ASSESSMENTS
The auditor also needs to analyze the effectiveness of the processes or activities that are used to manage the network. These activities include the network's capacity use, change management processes, incident response activities, and log monitoring functions.
The network capacity planning process compares the organization's current and future network capacity in terms of their use and efficiency. Any discrepancy between any user requirements and the organization's capacity can lead to inefficient network use. Therefore, the aim of network capacity planning is to resolve this discrepancy.
To plan for current and future use, internal auditors can recommend that network administrators monitor network use logs. For example, if the network administrator notices that the company currently uses 70 percent of its network bandwidth, he or she can ask management to purchase more network resources (e.g., switches, cables, PCs, etc.).
Change management is a logical approach that defines the policies, procedures, and controls that need to be used for specific business functions or activities. In terms of network performance, the organization's change management policy needs to document, for instance:
A systematic documentation of all network changes can help administrators to easily manage the network, as well as help management and internal auditors to quickly understand networkwide changes. Change management policies and actions also can enable auditors and administrators to evaluate network problems at a quick glance and determine the causes for network performance issues or, worse, a security breach after a particular change or upgrade is made.
Before a change or upgrade is made to a network component, auditors need to recommend that network or system administrators discuss the activity with a senior executive, such as the chief technology, information, or security officer, to evaluate the impact the change or upgrade can have on various network aspects (e.g., application compatibility, security, and network performance issues). Finally, auditors need to ensure that the change management policy or document is authorized and signed by the senior manager (refer to figure 2 for a sample change management form).
Figure 2: Sample change management form (its fields include a policy number for the change).
If a process or service exists, problems will always be associated with it. This principle applies to computer networks too. Therefore, companies need to have a standard procedure to handle network problems and provide a quick and efficient solution to those problems. Key items internal auditors need to review when assessing an organization's network incident response plan or document include:
Proactive action is always a better step than reacting to an IT problem. When it comes to network performance, proactive steps consist of monitoring network activities and identifying problems that might affect the organization in the future. One of the best ways to monitor network activities is through data logging. Logs can come from a firewall, a managed switch, an operating system, or an application. Suppose, for instance, that an organization is growing rapidly in terms of its revenue and number of employees within a short period of time. To keep up with this growth, network administrators need to identify whether the currently used network switches, cables, computer systems, and accessories are keeping up with network performance. Network administrators may also need to update or increase the availability of these and other network components within the next three months so that the company's continuity of flow is not disrupted.
A GOOD MEASURE OF NETWORK OPERATIONS
The use of ongoing performance audits can help IT departments better measure the network's effectiveness and efficiency. To this end, internal auditors need to examine key network functions and components, such as the company's network bandwidth use, the current level of Internet use, the performance of network cables, and e-mail server activities. These network performance audits need to be an ongoing part of the organization's proactive measures to identify any IT system breakdowns before they hinder the organization's day-to-day activities. Besides collecting and reviewing this information, auditors can examine the network's server memory use and central processing unit (CPU) capacity, which may also hinder network performance.
Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers
While computers and the Internet have made organizations and individuals more efficient, they have also made the entities more vulnerable to fraud, identity theft, and unwanted and unauthorized intrusions. Because of these new risks, organizations and individuals need to understand evidentiary, technical, and legal issues related to digital evidence. Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers by law professor Michael Sheetz provides an introduction to computer forensics in a non-technical manner.
The author, who has 20 years' experience in civilian and military law enforcement in the areas of white collar crime and high-tech investigation, begins with a history and definition of computer forensics in chapter one. According to Sheetz, computer forensics is the study of computers in a manner that is consistent with the rules of evidence and court rules of procedure. The chapter concludes with a history of computer evolution and a description of the hacker community.
In chapter two, the author provides a high-level description of computer processing (i.e., input, storage, processing, and output). A key point mentioned in this chapter is that many electronic devices today, such as cellular phones, MP3 players, iPods, fax machines, printers, USB storage sticks or thumb drives, and digital cameras, are computers with processing units and storage that may hold evidentiary materials.
After describing computer processing, Sheetz discusses the first two steps of the computer forensics process (i.e., preservation and collection of digital evidence) in chapter three. This chapter also discusses the legal concept of admissibility of evidence — a critical step in the computer forensic process — which states that if evidence is not properly preserved, it will not be admitted in court. Hence, the evidence to be presented must be the most reliable and readily available. Although the original source is preferred, steps should be taken to prove that the evidence seized has not changed from the evidence presented in court. In addition, the author discusses the impact of power-on and boot-up, power-down and shut-down, and routine operating system functions on digital evidence preservation.
Next, Sheetz discusses the aspect of analysis and recreation of digital evidence in chapter four. To this end, the author suggests some computer software tools to aid in the analysis process. Investigators typically use these tools on digital images or copies of the original storage devices, thereby preserving the original evidence.
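The preservation-and-analysis discipline described above (hash at acquisition, work only on a copy, re-verify the original before presenting it) as an added example; this is not code from the book, and the seized "device" is a constructed byte string standing in for a storage medium:

```python
"""Acquire, verify and analyze a digital evidence image while keeping the original intact.

Added example, not from the book under review. SEIZED_DEVICE is a constructed
stand-in for the raw contents of a seized USB stick.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample medium: a fake boot sector, slack, one file, and filler.
SEIZED_DEVICE = (b"FAT32 boot sector\x00" + b"\x00" * 64
                 + b"invoice_2007.txt: wire 25,000 to account 0000-CONSTRUCTED\n"
                 + b"\xff" * 32)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    """One chain-of-custody log line: who acted, what they did, the hash they observed."""
    actor: str
    action: str
    digest: str


@dataclass
class EvidenceImage:
    path: str
    acquisition_digest: str
    log: List[CustodyRecord] = field(default_factory=list)


def acquire(device: bytes, workdir: str, examiner: str) -> EvidenceImage:
    """Write a bit-for-bit image of the device and hash it at acquisition time."""
    image_path = os.path.join(workdir, "evidence.dd")
    with open(image_path, "wb") as f:
        f.write(device)
    img = EvidenceImage(image_path, sha256_hex(device))
    img.log.append(CustodyRecord(examiner, "acquired", img.acquisition_digest))
    return img


def verify(img: EvidenceImage, actor: str) -> bool:
    """Re-hash the image; it is only usable as evidence if it matches acquisition."""
    with open(img.path, "rb") as f:
        digest = sha256_hex(f.read())
    img.log.append(CustodyRecord(actor, "verified", digest))
    return digest == img.acquisition_digest


def working_copy(img: EvidenceImage) -> str:
    """All analysis runs on this copy, never on the acquired image."""
    copy_path = img.path + ".work"
    with open(img.path, "rb") as src, open(copy_path, "wb") as dst:
        dst.write(src.read())
    return copy_path


def search_copy(copy_path: str, needle: bytes) -> List[int]:
    """Keyword search on the working copy; returns byte offsets of every hit."""
    with open(copy_path, "rb") as f:
        data = f.read()
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def simulate_boot(path: str) -> None:
    """Model a routine OS write (e.g., a last-mounted flag) hitting the original."""
    with open(path, "r+b") as f:
        f.seek(16)
        f.write(b"\x01")


def run_case() -> Tuple[bool, List[int], bool]:
    with tempfile.TemporaryDirectory() as workdir:
        img = acquire(SEIZED_DEVICE, workdir, "examiner A")
        hits = search_copy(working_copy(img), b"wire")
        clean = verify(img, "examiner B")        # original untouched: True
        simulate_boot(img.path)
        after_boot = verify(img, "examiner B")   # one stray write: False
        return clean, hits, after_boot
```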
Chapter five goes into more detail by providing information on the final steps of the computer forensics process (i.e., reporting and rendering the opinion). As Sheetz discusses, report writing is made easier if good documentation of the site is made at first contact by capturing details such as photos of the equipment and set up; making diagrams of component connections and cables; and placing tags on each wire, cable, or connector. Furthermore, the report should contain the following sections: an executive summary or abstract, a table of contents, a body or findings section, a conclusion, supporting documents, and appendices. Finally, the chapter discusses the different steps in the trial process (i.e., dispute or offense, complaint-pleading or indictment, service of process, plead or answer the complaint, pretrial motions filings, depositions and interrogatories, demands for production, and the trial).
These five chapters present the basic information on computer forensics. The next two chapters discuss how computers can be used to cause harm. More specifically, chapter six describes some of the threats to computer systems — from the outside and the inside of the organization — which can range from unauthorized use and theft of proprietary data (i.e., customer data, employee data, or intellectual property) to denial-of-access attacks and intentional destruction of equipment. Chapter seven continues this discussion with examples of computers used as instruments of crime: a computer can be used to prepare a ransom note in an extortion scheme or to create fake cash or cash equivalents. Computers also may contain evidence of other crimes, such as financial records of illegal activities, including the selling of drugs or bookmaking.
Chapter eight then describes how computers can be used for computer forensic examinations. The first essential step is to be sure you have proper authority to conduct the search. The author also introduces computer forensic tools and points out particular areas to examine for evidence, such as file storage areas, which may be overlooked during an investigation.
Finally, the book concludes with some of the concerns relating to the presentation of digital evidence in court. As Sheetz points out, while the computer forensic examiner may be highly technically trained and skilled, he or she must remember that the evidence is presented to a jury of peers who may not understand how a computer works. Sheetz also discusses the legal concept of evidence, by describing the various types of evidence and the legal requirements for each category, and provides information on some of the legal complications related to computer systems and some of the laws that attempt to address these issues.
Each chapter ends with a suggested reading list.
Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers provides a good introduction to the area of computer forensics. If you are not aware of the risks associated with the use of computers, then I would highly recommend you start with this book to get a good overview of the subject.
The U.S. Department of Homeland Security (DHS) recently published a draft of the IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development (PDF, 423 KB). Written by DHS' National Cyber Security Division (NCSD), the document is a compilation of the skills and core IT security competencies needed to fight off cyberattacks against the United States.
"The convergence of voice and data communications systems, the reliance of organizations on those systems, and the ongoing threat of sophisticated adversaries and criminals seeking to compromise those systems, underscores the need for well-trained, well-equipped IT security specialists," says Greg Garcia, DHS' assistant secretary for cybersecurity and communications, while speaking at a workshop at Dartmouth College. "These specialists need to be good, innovative chess players, because this really is something of a technological chess match, only check mate is not an option for us."
The NCSD began development of the IT Security EBK in 2003, as the sophistication of hackers, terrorists, and nation-states began increasing. It worked with the U.S. Department of Defense, the public and private sectors, and members of academia to study how IT security skills could be advanced on a national level to face these growing threats. By studying existing workforce certifications and other domain-based IT security models, the task force came up with 14 key competencies that encompass all public and private security roles and functions.
The resulting draft is an umbrella document that links functional perspectives and competencies to IT security roles to provide a national baseline of skills that IT security practitioners must have to carry out their specific roles and responsibilities. However, the EBK is not a set of guidelines and is not meant to represent a standard, directive, or policy, according to the document overview. Instead, the EBK:
Some of the benefits of the IT Security EBK include promoting uniform guidelines to increase the efficiency of IT security education, training, and professional development, and providing content guidelines for future skills training and certification. Through this unified approach, the EBK integrates the best practices of a wide variety of IT security stakeholders.
A full copy of the draft can be downloaded from the U.S. Computer Emergency Readiness Team Web site.
Data analysis has benefited internal auditors worldwide for the past 20 years. A new white paper from solutions provider ACL Services Ltd., Best Practices for the Use of Data Analysis in Audit, discusses the state of data analysis in the internal audit profession — referred to as audit analytics — and provides information that can help internal auditors achieve the highest value from data analysis.
According to author John Verver, CISA, vice president of product strategy for ACL, three key issues need to be addressed for auditors to obtain the best value from audit analytics:
"To put it simply, distributing standalone software and arranging for training cannot achieve the maximum benefits," explains Verver. "Best practices are delivered through a managed central server environment that provides optimized and secure data access, plus effective collaboration, knowledge sharing, sustainability, and efficiency. In each case, the most effective solutions begin with a central server environment that ensures security, accessibility, quality controls, and the long-term sustainability of audit analytics practices."
In terms of data access and management, auditors need to understand existing organizational practices and have access to large volumes of data. To this end, creating and maintaining an audit data repository that consists of sub-sets of companywide data and only represents information needed for the audit is the most common and effective solution. This repository, says Verver, should run in a secure server environment that adheres to data security and management policies and procedures.
"Maintaining the audit repository on a secure server environment is a critical way to ensure data integrity and proper management, and to quickly process large data volumes for both interactive inquiries and automated tests," Verver emphasizes. "Server data security is typically far more effective than controls implemented on individual laptops or PCs, which is why server environments are strongly recommended with audit analytics."
To achieve the desired level of quality and control in the audit analytics process, internal auditors need to address challenges pertaining to the reliance on and management and control of data analysis. "Although many audit organizations encourage the use of audit analytics, it is not uncommon for specialists and generalists to be given a relatively free hand in the procedures they perform. This opens up opportunities for a flawed approach, which leads to incorrect conclusions," says Verver. For instance, if the business process being audited is not fully understood, the data fields used for analysis may be invalid for a given audit objective or the data manipulation may be wrong.
To address these challenges, auditors need to develop and manage a central library of standard procedures and tests. This central library can include information on the types of tests that must be performed for all audit analytics and the type of analysis required to achieve a given audit objective. In addition, auditors need to achieve control over the integrity of the audit analytics process and ensure that the analysis is accurate and supports a specific audit objective.
Finally, Verver recommends that audit analytics processes be collaborative, efficient, and sustainable. "In order to achieve more widespread use, knowledge sharing and effective collaboration are critical," he says. "If knowledge is isolated between auditors and information that is difficult to share and leverage, the overall benefit can be considerably reduced." For collaboration, efficiency, and sustainability to take place, audit analytics needs to be made a fundamental component of the organization's audit strategy. Furthermore, a centralized system approach that focuses on collaboration, knowledge sharing, and efficient, repeatable processes needs to be established. Areas in which knowledge and information can be shared include projects, data definitions and dictionaries, standard test libraries, and results.
"The decision to implement an efficient and effective audit analytics solution should be a strategic one and not a tactical approach," Verver comments. "This strategic approach requires audit management to engage others in the organization to explain desired outcomes; change existing procedures and protocols; and plan the transition to a more centralized, managed, and secure approach to audit analysis."
To read the full white paper, visit the ACL Web site.
More than 65 percent of IT departments have identified wireless local area network (WLAN) security, vulnerability scanning, and Web application firewalls as additional security investments to be made during the next fiscal year, according to the results of a market survey conducted by Astaro Corp., a unified threat management (UTM) security provider. More than 2,800 IT professionals from industries such as manufacturing, health care, education, and financial services participated in the global market-trend survey and provided information on topics ranging from IT security tools and managed services to key IT challenges and planned investments.
According to the results, 100 percent of the IT professionals surveyed said they rely on firewalls as their first line of defense against external attacks. Other tools used include antivirus software (91.5 percent), anti-spam scanners (90 percent), virtual private networks (VPNs) (81 percent), and intrusion protection systems (74 percent). The survey also found that 70 percent of respondents are concerned with preventing unauthorized users from accessing corporate networks or confidential data. A similar number of respondents — 72 percent — said that identifying possible security vulnerability areas will be the biggest challenge for IT departments over the next five years. Other identified challenges include:
In addition, the survey identifies the security solutions that organizations plan to invest in over the next two years. These solutions include firewalls; virus, spam, and spyware protection software; VPNs; intrusion protection applications; URL content filtering; instant messaging and peer-to-peer control software; and e-mail encryption programs. Finally, 65 percent of respondents identified WLAN security, vulnerability scanners, and Web application firewalls as the top three applications they are interested in investing in during the next fiscal year.
"Companies are finding that they can't rely on the basic network security they had in place just a few years ago," says Astaro Chief Executive Officer Jan Hichert. "Network administrators are continuously faced with the task of updating and adding layers of protection in order to keep their networks secure against the latest threats."
To download a full copy of the survey results, visit The IIA's Web site (PDF, 75 KB).
Secret Backdoor Could Be Present in New Encryption Standard
A new random-number generator standard, Dual_EC_DRBG, might contain a backdoor for the U.S. National Security Agency.
Security Breach Exposes Data on 25 Million Individuals
British Chancellor of the Exchequer Alistair Darling recently stated that the UK's Revenue and Customs office lost two discs containing the personal information of everybody in the country who claims and receives child benefits.
World Could Face Online War Threat
According to an annual report by security vendor McAfee, approximately 120 countries are developing ways to use the Internet as a weapon to target financial markets. This "cyber cold war" threatens to become one of the biggest threats to security in the next decade.
New Update Enhances Security Features on Apple Operating Systems
Apple released a security update to current and previous versions of its OS X operating system that improves reliability when using VMware's Fusion and synchronization between iPhone and Yahoo address books.
Fixing 10 Security Threats on Virtual Servers
Controlling virtual machines and applying existing processes to virtual machines are two of the 10 ways to address security threats on virtual servers.
Hackers Use Banner Ads to Hijack PCs
A new breed of online ads served from reputable Web sites is hijacking personal computers and harassing users until they agree to buy antivirus software.
Antivirus Software Could Enhance Network Vulnerabilities
German security experts discussed how vulnerabilities in antivirus software make these programs a threat to corporate network security.
Social Networking Sites Raise Security Threats
Research from a British online organization found that social networking Web sites could increase people's chances of getting their personal information stolen.
Microsoft Issues Important Security Updates
The software company issued two security updates. The first update repairs a critical flaw that opened Windows systems to Web-based attacks, while the second update fixes a vulnerability in Windows Domain Name System servers.
Flaw Affects QuickTime Media Player
A Polish researcher published exploit code for a previously unknown vulnerability in Apple's QuickTime media player that can be triggered by a call to a real-time streaming server.
Google Removes Web Sites Targeting Searchers
The search engine has purged tens of thousands of malicious Web sites after a software company stated that many search results on Google lead to malicious Web pages that can compromise computer systems.
Tips for Managing GRC Software
Experts offer insight to help organizations make the most of their governance, risk, and compliance tools.
Microsoft Expert Unveils Open Source Strategy
The company's open source expert, Bill Hilf, revealed its open source business model.
Windows XP Outperforms Vista
New tests have revealed that Windows XP has twice the performance of Vista.
Mac Hacking Attempt Is Public Relations Stunt
Alleged AppleMatters.com and iPhoneMatters.com hacks were nothing but hoaxes, while Apple-specific hacking attempts are on the rise.
OTHER IT AND AUDIT NEWS
Internal Auditor Discusses Use of Rules vs. Internal Policies
An auditor discusses the use of internal policies, standards, frameworks, and controls for compliance with the U.S. Sarbanes-Oxley Act of 2002.
Tips to Spot Pirated Software
Because the number of people who innocently purchase or receive pirated software increases during the end of the year, the Software and Information Industry Association is providing tips on how to spot illegal software.
Copyright Enforcement Organization Battles Piracy Front
The Business Software Alliance is targeting small organizations to detect unlicensed software use and piracy by business users.
Foreseeing IT Security Expenses
Coming up with a reasonable estimate of future IT security activities that is based on historical trends can help organizations better estimate how much money they will need in the upcoming year.
News Web Sites to Enhance Search Results
Google, Yahoo!, and other search engines are working to revise a 13-year-old technology to achieve greater control over how search engines index and display Web sites.
Group Releases Ranking of Technology Impact in the Environment
Greenpeace's latest quarterly ranking of electronic vendors, Guide to Greener Electronics, spotlights the difficulty in measuring the environmental impact of technology products.
10 Practices for Better Role-based Access Management
Fostering role-creation collaboration is one of the ways to enhance an organization's identity and access management strategy.
Poor Performance Is Prevalent on Mobile Web Sites
A new report discusses how companies such as Google, Facebook, and MapQuest are struggling to perfect their mobile Web sites.
The Institute Releases New Guide on Identity and Access Management
Properly identifying who has access to what information over a period of time is an important aspect of an organization's day-to-day work. Known as identity and access management (IAM), this process touches every part of the organization — from accessing a facility's front door to retrieving corporate financial data. To help chief audit executives (CAEs) and internal auditors understand an organization's IAM activities, The IIA recently released Identity and Access Management as part of its Global Technology Audit Guide (GTAG) series. Written in straightforward business language, each GTAG serves as a ready resource for CAEs and internal auditors on different technology-associated risks related to IT management, control, and security.
"Because identity and access management affects every business unit, internal auditors should understand ways that organizations can control access more effectively," says Sajay Rai, CISSP, CISM, partner in Ernst & Young LLP's Risk Advisory Services Practice and leader of the team who wrote the guide. "The purpose of this GTAG is to provide insight into what identity and access management means to an organization and to suggest internal audit areas for investigation."
As the guide explains, IAM processes are used to initiate, capture, record, and manage the user identities and related access permissions to a company's proprietary information. Therefore, as part of their work, auditors need to play an important role in helping organizations develop effective IAM processes and monitor their implementation. For instance, prior to conducting an IAM audit, auditors need to understand the organization's existing IAM structure, such as the company's business architecture and IAM policies, as well as the laws, regulations, and mandates for which compliance is necessary. When conducting the audit, internal auditors need to document the organization's identity and entitlement process and evaluate existing IAM activity controls.
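The entitlement evaluation described above, as an added example that is not part of the GTAG: an automated review that joins an HR roster to an application's entitlement export and flags orphan accounts, terminated users with live access, sensitive privileges held outside the permitted department, and segregation-of-duties conflicts. The roster, entitlements, and rules are constructed sample data.

```python
"""Entitlement review checks of the kind an IAM audit would run over access exports.

Added example, not from the GTAG. All data below is constructed; an auditor would
substitute the HR feed and the application's own entitlement export.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed HR roster: user id -> (department, employment status)
HR_ROSTER = {
    "jdoe":   ("finance", "active"),
    "asmith": ("finance", "terminated"),
    "bkim":   ("it", "active"),
    "clee":   ("sales", "active"),
}

# Constructed application export: user id -> set of granted permissions
ENTITLEMENTS = {
    "jdoe":   {"ap.create_vendor", "ap.approve_payment"},
    "asmith": {"ap.view_invoice"},
    "bkim":   {"sys.domain_admin"},
    "clee":   {"crm.read", "sys.domain_admin"},
    "ghost":  {"ap.view_invoice"},   # no HR record at all
}

# Constructed role policy: sensitive permission -> departments allowed to hold it
ALLOWED_BY_DEPT = {
    "sys.domain_admin": {"it"},
}

# Constructed segregation-of-duties rules: permission pairs one person must not hold
SOD_CONFLICTS = [
    ("ap.create_vendor", "ap.approve_payment"),
]

Finding = Tuple[str, str, str]   # (user, finding type, detail)


def review(roster, entitlements, allowed_by_dept, sod_conflicts) -> List[Finding]:
    """Evaluate every account in the entitlement export against HR data and policy."""
    findings: List[Finding] = []
    for user, perms in sorted(entitlements.items()):
        record = roster.get(user)
        if record is None:
            # Account exists in the application but nobody in HR owns it.
            findings.append((user, "orphan_account", "no HR record"))
            continue
        dept, status = record
        if status != "active":
            # Leaver still provisioned: the de-provisioning control failed.
            findings.append((user, "terminated_with_access", ", ".join(sorted(perms))))
        for perm, depts in allowed_by_dept.items():
            if perm in perms and dept not in depts:
                findings.append((user, "privilege_outside_role", f"{perm} held by {dept}"))
        for a, b in sod_conflicts:
            if a in perms and b in perms:
                findings.append((user, "sod_conflict", f"{a} + {b}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by type for the audit report."""
    counts: Dict[str, int] = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)
```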
Besides describing how to go about auditing IAM activities, the guide provides an IAM review checklist auditors can use during the audit. The guide also defines key IAM concepts and activities, such as:
"As an organization changes, so too should its use of identity and access management activities," Rai comments. "Therefore, as changes take place, management should be cautious that the process does not become too unwieldy and unmanageable or expose the organization to undue risk due to improper use of IT assets. As part of their work, internal auditors need to ask business and IT management what identity and access management processes are currently in place and how they are being administered."
To read or download Identity and Access Management, visit The IIA's GTAG page.
As many of you know, starting on Jan. 10, 2008, ITAudit will be available only to members of The Institute of Internal Auditors (The IIA). Because your commitment to ITAudit is extremely important to us, we have extended our special membership offer to ITAudit subscribers until Dec. 31, 2007. If you join The IIA between now and Dec. 31, you will get half off our regular membership price of US $130, giving you access to The Institute's member benefits for just US $65. To download our application form, click here (PDF, 295 KB). For more information about this special offer, visit The IIA's Web site.
This month's feature articles include:
To Vista or Not to Vista?
Keeping It Simple — An Overview of Data Privacy Compliance Requirements
Director of Information Security and Business Continuity Planning, AccessData
Auditors can keep organizations from becoming the next big scandal by pointing out common compliance requirements for different data privacy laws and regulations.
Essential Aspects of an Effective Network Performance Audit
Information Security Analyst, NII Consulting
Ongoing assessments of an organization's Internet use, cable performance, e-mail server, and network management activities can help auditors identify network problem areas before they become too costly to fix.
Also, check out our regular departments for the latest IT and audit information:
Book provides essential information on computer forensics; U.S. government pushes for IT security skills baseline; report discusses how to achieve the best value from data analysis; survey provides insight into future IT security trends.
IT and Audit News
Secret backdoor could be present in new encryption standard; new update enhances security features on Apple operating systems; tips for managing GRC software; internal auditor discusses use of rules vs. internal policies.
Tech Practices Update
The Institute releases new guide on identity and access management.