
Dan Swanson’s Security Resources: #6

Just who is responsible for information security? Are we learning from incidents that have occurred at other organizations? Do we leverage the research that is available from various institutions? Do we take regulations seriously?

This week’s resources discuss all these questions and more.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.
http://www.itcinstitute.com/display.aspx?id=1823

2. SCORE
As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. It is a core component of DITSCAP. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. Michael Kirby has developed a tool to help generate an SSP. It is available here on an as-is basis; SCORE takes no responsibility for your use of the tool. Try the tool at http://www.sans.org/score/ssp.php

3. Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition (ISACA)
To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.
http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=24572

4. Digital Records Management — What Auditors Should Know
As companies continue to decrease their dependence on paper records, internal auditors need to stay ahead of the game by understanding the necessary ingredients to an effective digital records management program.
http://www.theiia.org/itaudit/index.cfm?iid=496&catid=21&aid=2388

5. Hammer Time: Enforcing Internal Security - by Linda L. Briggs.
Having internal rules and regulations in place regarding compliance is important, as is clearly communicating them to employees. But when infractions occur, as they inevitably will, how should you deal with them?
http://www.itcinstitute.com/display.aspx?id=2403

6. Security breach lists are an interesting read and can be useful for:
* Identifying trends in emerging security threats.
* Providing examples of why a control is necessary.
* Citing real world compromises in presentations, etc.
http://www.efortresses.com/refdocs/2006-Breaches-Matrix.pdf
http://www.privacyrights.org/ar/ChronDataBreaches.htm
http://www.cybercrime.gov/cccases.html


Posted on May 23rd, 2008 by Dan Swanson and filed under Security, privacy |


Eats, shoots and phishes

There’s an old writer’s joke about the importance of punctuation that goes like this: A panda walks into a bar. He sits down at a table, orders his food and eats it. Then he pulls out a gun, fires a shot into the ceiling and walks to the door. The bartender yells: “Hey! What do you think you’re doing?!” The panda throws him a well-thumbed dictionary and says, “I’m a panda. Look it up.” The dictionary definition reads: “Panda (n) — a fur-bearing mammal. Eats, shoots and leaves.”

(It’s also the title of a brilliant and funny book by Lynne Truss that any word geek or member of the Facebook group Good Grammar is Hot will appreciate during this gift-giving season.)

Computerworld Canada editor Shane Schick reminded me of this as we were discussing phishing attacks we’d received lately. (He also beat me to coining the title of this post, damn his eyes.)



Posted on December 4th, 2007 by Dave Webb and filed under Security, Social engineering, privacy |


Behind the Facebook code

Wanted to pass along a link to CA’s Security Advisor Research Blog, where they conducted an experiment to see what personal information Facebook was collecting by way of its controversial Beacon system, and how. You may recall that Facebook was using Beacon to send out lists of purchases made by Facebook users at certain online retailers to their Facebook friends, unless they opted out of the program. Turns out that in this experiment, data was still being collected on this CA user even though he had opted out and was not logged in. An intriguing correspondence between him and a Facebook customer support rep is included and is worth a read.

And for more coverage on CA’s findings, check out IT World Canada’s article on the subject.


Posted on December 3rd, 2007 by Greg Enright and filed under Security, privacy |


Secure in Anne’s World

Flashback to a New York City trip a couple years ago. I was passing through U.S. immigration at Pearson, and getting a look from the border guard that could only be described as “askance.” (If you’ve ever gotten that look from an INS official, you’ll know what I mean.) My paperwork came back to me in a big red clipboard, which, I soon discovered, is Not Good.

I was ushered off to a small, secure anteroom off the immigration hallway, with rows of seating that might accommodate 50-odd, but were on this day pressed into service seating one. A strapping young uniformed lad sat at a computer, maintaining an impressively indifferent attitude to his only, um, customer. He left me to squirm for about 15 minutes before calling me up.


Posted on November 14th, 2007 by Dave Webb and filed under Security, biometrics, privacy |
