This week's resource selections are a diverse collection of articles and leading Web sites. The NIST web site is among the most comprehensive sources of security guidance available. The October 2000 Information Security magazine article entitled "Avoiding IS Icebergs" provides an extensive discussion of the need for ongoing audit assurance.
Have another great week.
Dan Swanson
Avoiding IS Icebergs
This article explores internal audit's assurance role regarding information security and outlines approaches and methodologies. Imagine you're the captain of the R.M.S. Titanic, standing on the bridge as it steams across the frigid North Atlantic under a moonless sky. The ship's architect boasted of her invincibility, but you still station hands on the bow as lookouts for icebergs drifting in the black waters.
After checking your course and issuing instructions to the crew, you retire for the evening, assured all is well. Several hours later, you're shocked out of your slumber by terrible vibrations and a horrific wail of buckling metal. Your worst fears are confirmed when you reach the bridge: the ship struck an iceberg despite your precautions.
At this point, it doesn't matter how or why it happened; the damage is done and your ship is going to the bottom. What does this have to do with information security? The same scenario could happen to any organization that deploys security technologies and policies but doesn't audit its systems, or its personnel's compliance with those policies.
Routine, independent reviews of security systems and procedures not only ensure an organization has adequate protections in place, but confirm that those protections are working as designed, and that employees are using them effectively. Regular audits will highlight an organization's strengths and weaknesses, and make recommendations for improvement.
Find out more here.
NIST's Computer Security Resource Clearinghouse (CSRC) is designed to collect and disseminate computer security information and resources to help managers, systems administrators, users, and security professionals better protect their data and systems. This site achieves all of the above and more. While it would take a lifetime to read everything, I suggest that when investigating any security issue you are facing, you plan to visit this site first. It's a key site to bookmark.
Auditing System Conversions
Internal auditors play a valuable role in ensuring that IT investments are well managed and have a positive impact on an organization. Their assurance role supports senior management, the audit committee, the board of directors, and other stakeholders. Internal auditors need to take a risk-based approach in planning their many activities on IT project audits. With limited audit resources, auditors must focus on the highest-risk project areas, while adding value to the organization.
Audit best practice suggests internal auditors should be involved throughout a project's life cycle, not just in post-implementation assessments.
Security at MIT
Information security is vital for providing accurate, reliable information to authorized recipients within the MIT community and for preserving important records. Individuals who manage or use this information must protect it from unauthorized modification, disclosure, and destruction (per IT policy 13.2.2). Information and computer security has become critical as data is increasingly created, processed, and stored electronically. While security technology has evolved with this trend, it is not the only tool in the shed. People and their behaviors are an essential link in the security chain. http://ist.mit.edu/security
The tipping point for board oversight of IT
Traditionally, and properly, a company's board of directors has focused on governing the organisation; that is, the board ensures that the right CEO is in place, that the right business strategies have been developed, that performance is reported regularly and trending properly, and that the right questions are being asked of management.
The board's agenda is truly endless, and it is absolutely critical that the board not micromanage the CEO, attempt to 'manage' the organisation, or have items on its agenda that are not focused on the long-term success of the organisation. The board should revisit its mandate periodically, reconfirming its roles and responsibilities.
The Vital Need For Quality Internal Auditing
In the past few years, massive efforts have been expended to prepare for and implement the requirements of the Sarbanes-Oxley Act, in particular Section 404. While a corporation's management and board of directors have always been responsible for internal control, the level of scrutiny by the investing public and the regulatory bodies has reached new levels. As a result, today more than ever before, an organization's internal audit function must be robust and contribute to ensuring the accuracy of financial reporting.