
Dan Swanson’s Security Resources: #12

Business is about change, and Peter’s change management repository is one of the very best, and certainly well worth regular visits by busy professionals.

 

Studying what the board is focusing on is always productive, so this week additional board studies are highlighted. Finally, regularly check out the CERT security podcast series; it has had more than 2 million visits since its launch earlier last year, and CERT continues to expand its repository of learning resources.

 

Enjoy.

 

Good luck and have another great week.

 

Dan Swanson

Dswanson_2005@yahoo.com

 

 

Managing Change
There is no management activity more misunderstood, abused and ignored than the act of implementing Change. Some have even suggested that the phrase “Change Management” is an oxymoron. The articles available below have a single purpose, to transform the act of Managing Change from something we dread, to something we approach with skill, insight, wisdom and an increased chance of success.
http://www.technobility.com/docs/menu-managing-change.htm

ISO 27001 CERTIFICATION GUIDES LAUNCHED
IT Governance Ltd has launched the world’s first practical guides to help company directors and IT project managers understand and achieve certification to ISO 27001, the newly published global certification standard for information security management (replaces BS7799 and complements ISO 17799). In the modern corporate governance climate, ISO 27001 certification will increasingly become a prerequisite for winning new business, thereby accelerating the transfer of IT security issues from the data room to the boardroom. 

http://www.itgovernance.co.uk/news_detail.aspx?news_id=25


What the Board Needs to Know About IT (The board’s role in leveraging technology as a strategic resource)
In 2006, Deloitte Consulting LLP began a research initiative to explore how boards of directors are approaching information technology (IT). Phase I of this research represents the findings of more than 30 interviews with directors and senior executives. The findings from the Phase I interviews have been captured in the point of view: “What the Board Needs to Know About IT: The Board’s Role in Leveraging Technology as a Strategic Resource.”

You can also download “Bringing IT Into the Boardroom,” which appeared as a supplement to the Fall 2006 issue of Corporate Board Member magazine. Finally, you can learn about the upcoming Phase II research results on the topic of the board and IT by downloading a preview of the survey results, entitled: “Big Conundrum: Phase II Preliminary Findings.”

 

For more info on the Deloitte initiative, all the above mentioned documents, and “more”, visit: http://www.deloitte.com/dtt/article/0,1002,sid%3D26562%26cid%3D132853,00.html

CERT Launches Podcast Series
The CERT® Program is pleased to announce the launch of its first podcast series, “Security for Business Leaders,” available at http://www.cert.org/podcast. The series will provide both general principles and specific starting points for business leaders who want to launch enterprise-wide security efforts, or who want to ensure that their organizations’ existing security program is as effective as possible. New podcasts will be available every two weeks.

The newest podcast features Rich Pethia, Director of the CERT Program. Other podcast topics include “Why Leaders Should Care about Security,” “The ROI of Security,” “Proactive Remedies for Rising Threat,” and “Compliance vs. Buy-in.” Listeners can hear entire conversations, download PDF transcripts, and investigate additional references in the show notes.
“Security for Business Leaders” is the first podcast series for the SEI.

Information Security Oversight: Essential Board Practices, from the National Association of Corporate Directors (NACD).

Learn four steps each board should adopt to avoid the hazards of leaving information inadequately protected from cyber criminals. Review the questions each board should ask to determine inherent risks. Discover the potential liabilities and other woes that might befall corporate boards and management who show too little involvement in safeguarding the security and privacy of corporate-held information. Lessons include identifying vulnerabilities, mitigating damages, establishing controls, educating officers and employees, and resolving issues. Sponsored by KPMG’s Audit Committee Institute and published in collaboration with the Institute of Internal Auditors and the Critical Infrastructure Assurance Office of the U.S. Department of Commerce.

http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=D0888270C5AF46508BEC8472906F87C3

 

The Language of Compliance
The Language of Compliance is the biggest (3,500+ entries) resource for acronyms, terms, and extended definitions. Authored by Dorian Cougias and Marcelo Halpern it covers the terms found in HIPAA, SOX, GLB, CobiT, ISO 17799 and 27001, BCI, BSI, ISSF, and over 100 other regulatory bodies and standards agencies.

http://www.unifiedcompliance.com/index.html


Posted on July 24th, 2008 by Dan Swanson and filed under Business case, Compliance |



Dan Swanson’s Security Resources: #11

Auditing information security helps identify key improvement opportunities, while studying leading audit guidance provides a better understanding of what the auditors are looking for, making audits more productive (a true win/win).

 

Taking the perspective of a board director will help focus your efforts on what the board is concerned about. Board guidance also tends to be very concise and focused, i.e. these are great reports to study closely. Finally, getting your unplanned work under control will make your life better, full stop.

 

Enjoy.

 

Good luck and have another great week.

 

Dan Swanson

Dswanson_2005@yahoo.com

 

 

Management Planning Guide for Information Systems Security Auditing

Produced by the National State Auditors Association and the US General Accounting Office.

http://www.gao.gov/special.pubs/mgmtpln.pdf

 

Information Technology and the Board - “An Insightful Resource”.

http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D152626%2C00.html

 

What the Board Needs to Know About IT: Phase II Findings

Maximizing performance through IT strategy

http://www.deloitte.com/dtt/article/0,1002,sid=36692&cid=151800,00.html


Unplanned Work: The Silent Killer

Find out how unplanned work - those activities not mapped to any project, procedure or change request - is undermining the effectiveness of your IT efforts.

http://www.networkworld.com/whitepapers/nww/pdf/Tripwire_Unplanned_Work_Management_Paper.pdf

20 Questions Directors Should Ask About IT (Revised April 2004)

Information technology is a critical part of an organization’s internal control and management information system. Ensuring its integrity is an important responsibility for board members. ITAC has compiled 20 key questions about IT that should be asked about: strategic planning and technology, performance and personnel issues, internal control issues, risk and security, information privacy, e-business, availability policies, and legal issues.

http://www.cica.ca/index.cfm/ci_id/1000/la_id/1


The Federal Government of Canada (GOC) Internal Audit Guides

Audit of Information Technology Security audit guide
http://www.tbs-sct.gc.ca/Pubs_pol/dcgpubs/tb_h4/01guid01_e.asp
Audit of Security audit guide
http://www.tbs-sct.gc.ca/ia-vi/policies-politiques/gas-gvs/gas-gvs_e.asp
Various other GOC internal audit guides
http://www.tbs-sct.gc.ca/ia-vi/common/guides_e.asp

 


Posted on July 18th, 2008 by Dan Swanson and filed under Audit, Compliance |



Dan Swanson’s Security Resources: #10

I generally highlight publicly accessible resources each week, pointing out leading articles, papers, studies, etc., to support your professional development. This week’s feature item (EDPACS) is a subscription-based publication of which I have the honor to be the managing editor. A few articles are available for free download to help your decision-making regarding subscribing.

 

Two of the resources highlighted this week are comprehensive repositories in and of themselves, namely ISACA’s K-NET and FFIEC’s guidance repositories.

 

Finally, when looking to “recharge” after a tough day, week, month, whatever, visit Neal’s “power snippets” to go back at it the next day.

 

Enjoy.

 

Good luck and have another great week.

 

Dan Swanson

Dswanson_2005@yahoo.com

 

 

EDPACS: The EDP Audit, Control, and Security newsletter.
For 35 years, audit, control, and security professionals have turned to EDPACS, The EDP Audit, Control, and Security newsletter, for helpful and timely guidance.
http://www.informaworld.com/smpp/title~content=t768221793~db=all

 

Information Systems Audit and Control Association (ISACA).

K-NET contains over 6,000 peer-reviewed web site resources covering IT governance, assurance, security and control. Full access to K-NET is reserved for association members; partial access is possible for non-members. Reference items are organized into logical categories of interest and concern.

http://www.isaca.org/KNET

 

FFIEC Information Technology Examination Handbook
The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) provides guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function. The examination guidance and procedures in this handbook focus on IT audit and supplement other, more general, internal and external audit guidance provided by the FFIEC agencies.
http://www.ffiec.gov/ffiecinfobase/html_pages/audit_book_frame.htm

Norwich University Journal of Information Assurance
The NUJIA was created by Norwich University to fill an essential function in the field of information assurance: to publish peer reviewed articles on the practical aspects of information assurance. The mission of the NUJIA is “to advance understanding within the information assurance field by publishing original, high-quality, practical research into the management of information assurance.”
http://nujia.norwich.edu/

Information Systems Security (ISS).
ISS provides essential information for managing the security of a modern, evolving enterprise. It is written for information security managers and other technical managers and staff who are the first-line support responsible for the daily, efficient operation of security policies, procedures, standards, and practices. The journal covers: Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Operations Security; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance, and Investigations; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network Security. http://www.informaworld.com/smpp/title~db=all~content=g769589197~tab=toc

 

The Neal Whitten Group specializes in advancing project management and human resource development through speaking, training, and writing.

http://www.nealwhittengroup.com/ Neal’s “Power Snippets” are truly priceless - http://www.nealwhittengroup.com/snippets.asp

 


Posted on July 9th, 2008 by Dan Swanson and filed under Wireless |



Dan Swanson’s Security Resources: #9

There is an endless source of good resources to support your professional development. The intent of this column is to provide a diverse knowledge base to study from each week (six items at a time). The two significant challenges many of us face are deciding what to study and finding the time to do so.

 

This week’s top choice is Neal’s timeless article on learning from project to project; I recommend taking his suggestions to heart, as doing so will quickly improve your results. The other five resources this week touch on a variety of subjects, from DR project management to auditing.

 

Enjoy.

 

Good luck and have another great week.

 

Dan Swanson

Dswanson_2005@yahoo.com

 

 

Are You Learning From Project to Project?
If you’re among the 99 percent of us who fail this simple test—but shouldn’t—you could be in a position of weakness, to the detriment of your current and upcoming projects.

http://www.nealwhittengroup.com/articles/pmn3-99.asp

 

ChicagoFIRST is a non-profit association dedicated to addressing homeland security and emergency management issues that affect financial institutions and require a coordinated response. It is a great place to learn what is needed today: increased private/public joint efforts.
https://www.chicagofirst.org/

 

The DRJ journal leads the industry by providing extensive thought leadership on BCP, DR, and Crisis Management.

http://www.drj.com/

 

Auditing BCP and DR efforts - THE resource repository.
Various leading resources to support the auditing of BCP and DR programs.

http://www.auditnet.org/drp.htm

 

Critical Foundations: Protecting America’s Infrastructures

Final Report from the President’s Commission on Critical Infrastructure Protection (PCCIP)

http://permanent.access.gpo.gov/lps15260/PCCIP_Report.pdf

 

Early Warning Signs of IT Project Failure: The Dominant Dozen.

The postmortem examination of failed IT projects reveals that long before the failure there were significant symptoms or “early warning signs.” This article describes the top 12 people-related and project-related IT project risks, based on “early warning sign” data collected from a panel of 19 experts and a survey of 55 IT project managers.

http://www.ism-journal.com/ITToday/projectfailure.pdf


Posted on July 2nd, 2008 by Dan Swanson and filed under Business continuity, Disaster Recovery, Security |
