This week’s resource selections are a diverse collection of articlesand leading Web sites. The NIST web site is the world’s mostcomprehensive source for security guidance! The October 2000 articlefor Information Security magazine entitled “Avoiding IS Icebergs”provides an extensive discussion on the need for ongoing auditassurance.
Have another great week.
Dan Swanson
Avoiding IS IcebergsThisarticle explores the audit's assurance role regarding informationsecurity and outlines approaches and methodologies. Imagine you're thecaptain of the R.M.S. Titanic, standing on the bridge as it steamsacross the frigid North Atlantic under a moonless sky. The ship'sarchitect boasted of her invincibility, but you still station hands onthe bow as lookouts for icebergs drifting in the black waters.
Afterchecking your course and issuing instructions to the crew, you retirefor the evening, assured all is well. Several hours later, you'reshocked out of your slumber by terrible vibrations and a horrific wailof buckling metal. Your worst fears are confirmed when you reach thebridge; the ship struck an iceberg despite your precautions.
Atthis point, it doesn't matter how or why it happened; the damage isdone and your ship is going to the bottom. What does this have to dowith information security? The same scenario could happen to anyorganization that deploys security technologies and policies butdoesn't audit its systems and personnel compliance.
Routine,independent reviews of security systems and procedures not only ensurean organization has adequate protections in place, but confirm thatthey are working as designed-and that employees are using themeffectively. Regular audits will highlight an organization's strengthsand weaknesses, and make recommendations for improvement.
Findout more here.
The Computer Security Resource Clearinghouse(CSRC) is designed to collect and disseminate computersecurity information and resources to help managers, systemsadministrators, users, and security professionals better protect theirdata and systems. This site achieves all of the above and more. Whileit would take a lifetime to read everything, I suggest that wheninvestigating any security issues that you are facing, plan to visitthis site first. It's a keysite to bookmark.
Auditing System ConversionsInternalauditors play a valuable role in ensuring that IT investments arewell-managed and have a positive impact on an organization. Theirassurance role supports senior management, the audit committee, theboard of directors, and other stakeholders. Internal auditors need totake a risk-based approach in planning their many activities on ITproject audits. With limited audit resources, auditors must focus onthe highest-risk project areas, while adding value to the organization.Audit bestpractices suggest internal auditors should be involvedthroughout a project's life cycle — not just in post-implementationassessments.
Security at MITInformationsecurity is vital for providing the MIT community with accurate,reliable information to authorized recipients and to preserve importantrecords. Individuals who manage or use this information must protect itfrom unauthorized modification, disclosure, and destruction (per ITpolicy 13.2.2). Information and computer security has become criticalas data is increasingly created, processed, and stored electronically.While security technology has evolved with this trend, it is not theonly tool in the shed. People and their behaviors are an essential linkin the security chain. http://ist.mit.edu/security
The tipping point for board oversight of ITTraditionally,and properly, a company's board of directors has focused on governingthe organisation; that is, the board ensures that the right CEO is inplace, that the right business strategies have been developed, thatperformance is reported regularly and trending properly, and that theright questions are being asked of management.
The board'sagenda is truly endless, and it is absolutely critical that the boardnot micro manage the CEO, attempt to 'manage' the organisation, or haveitems on its agenda that are not focused on the long-term success ofthe organisation. The board shouldrevisit its mandate periodically, reconfirming its roles andresponsibilities.
The Vital Need For Quality Internal Auditing Inthe past few years, massive efforts have been expended to prepare andimplement the requirements of the Sarbanes-Oxley Act, in particularSection 404. While a corporation’s management and board of directorshave always been responsible for internal control, the level ofscrutiny by the investing public and the regulatory bodies has reachednew levels. As a result, today more than ever before an organization’sinternal audit function mustbe robust and contribute to ensuring the accuracy of financialreporting.