Taking the perspective of a board director will help focus your efforts on what the board is concerned about. Board guidance also tends to be very concise (very focused), i.e. they are great reports to study closely. Finally, getting your unplanned work under control will help make your life better, full stop.

Enjoy.

Good luck and have another great week.

Management Planning Guide for Information Systems Security Auditing

Produced by the National State Auditors Association and the US General Accounting Office.

http://www.gao.gov/special.pubs/mgmtpln.pdf

Information Technology and the Board - ”An Insightful Resource”.

http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D152626%2C00.html

What the Board Needs to Know About IT: Phase II Findings

Maximizing performance through IT strategy

http://www.deloitte.com/dtt/article/0,1002,sid=36692&cid=151800,00.html

Unplanned Work: The Silent Killer
Find out how unplanned work - those activities not mapped to any project, procedure or change request - is undermining the effectiveness of your IT efforts.

http://www.networkworld.com/whitepapers/nww/pdf/Tripwire_Unplanned_Work_Management_Paper.pdf

20 Questions Directors Should Ask About IT (Revised April 2004)

Information technology is a critical part of an organization’s internal control and management information system. Ensuring its integrity is an important responsibility for board members. ITAC has compiled 20 key questions about IT that should be asked about: strategic planning and technology, performance and personnel issues, internal control issues, risk and security, information privacy, e-business, availability policies, and legal issue.

http://www.cica.ca/index.cfm/ci_id/1000/la_id/1

The Federal Government of Canada (GOC) Internal Audit Guides
Audit of Information Technology Security audit guide
http://www.tbs-sct.gc.ca/Pubs_pol/dcgpubs/tb_h4/01guid01_e.asp
Audit of Security audit guide
http://www.tbs-sct.gc.ca/ia-vi/policies-politiques/gas-gvs/gas-gvs_e.asp
Various other GOC internal audit guides
http://www.tbs-sct.gc.ca/ia-vi/common/guides_e.asp

Two of the resources highlighted this week are comprehensive repositories in of themselves, that is, ISACA’s KNET and FFIEC’s Guidance repositories.

Finally, when looking to “recharge” after a tough day, week, month, whatever, visit Neal’s “power snippets” to go back at it the next day.

Enjoy.

Good luck and have another great week.

EDPACS: The EDP Audit, Control, and Security newsletter.
For 35 years, audit, control, and security professionals have turned to EDPACS, The EDP Audit, Control, and Security newsletter, for helpful and timely guidance.
http://www.informaworld.com/smpp/title~content=t768221793~db=all

Information Systems Audit and Control Association (ISACA).

K-NET contains over 6,000 peer-reviewed web site resources pertaining to knowledge covering IT Governance, Assurance, Security and Control. Full access to K-NET is reserved for association members. Reference items are organized into logical categories of interest and concern. Partial access is possible for non members.

http://www.isaca.org/KNET

FFIEC Information Technology Examination Handbook
The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) provides guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function. The examination guidance and procedures in this handbook focuses on IT audit and supplement other, more general, internal and external audit guidance provided by the FFIEC agencies.
http://www.ffiec.gov/ffiecinfobase/html_pages/audit_book_frame.htm

Norwich University Journal of Information Assurance
The NUJIA was created by Norwich University to fill an essential function in the field of information assurance: to publish peer reviewed articles on the practical aspects of information assurance. The mission of the NUJIA is “to advance understanding within the information assurance field by publishing original, high-quality, practical research into the management of information assurance.”
http://nujia.norwich.edu/

Information Systems Security (ISS).
ISS provides essential information for managing the security of a modern, evolving enterprise. It is written for information security managers and other technical managers and staff who are the first-line support responsible for the daily, efficient operation of security policies, procedures, standards, and practices. The journal covers: Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Operations Security; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance, and Investigations; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network Security. http://www.informaworld.com/smpp/title~db=all~content=g769589197~tab=toc

The Neal Whitten Group specializes in leading the advancement of project management and human resource development by way of products and services of speaking, training, and writing.

http://www.nealwhittengroup.com/ Neal’s “Power Snippets” are truly priceless - http://www.nealwhittengroup.com/snippets.asp

This week’s top choice is Neal’s timeless article regarding learning from project to project; I recommend taking his suggestions to heart as it will quickly improve your results. The other five resources this week touch a variety of subjects, from DR project management to auditing.

Enjoy.

Good luck and have another great week.

Are You Learning From Project to Project?
If you’re among the 99 percent of us who fail this simple test—but shouldn’t—you could be in a position of weakness, to the detriment of your current and upcoming projects.

http://www.nealwhittengroup.com/articles/pmn3-99.asp

ChicagoFIRST is a non-profit association dedicated to addressing homeland security and emergency management issues affecting financial institutions and requiring a coordinated response and is a great place to learn what is needed today, increased private/public joint efforts.
https://www.chicagofirst.org/

The DRJ journal leads the industry by providing extensive thought leadership on BCP, DR, and Crisis Management.

http://www.drj.com/

Auditing BCP and DR efforts - THE resource repository.
Various leading resources to support the auditing of BCP and DR programs.

http://www.auditnet.org/drp.htm

Critical Foundations: Protecting America’s Infrastructures

Final Report from the President’s Commission on Critical Infrastructure Protection (PCCIP)

http://permanent.access.gpo.gov/lps15260/PCCIP_Report.pdf

Early Warning Signs of IT Project Failure: The Dominant Dozen.

The postmortem examination of failed IT projects reveals that long before the failure there were significant symptoms or “early warning signs.”  This article describes the top 12 people-related and project-related IT project risks, based on “early warning sign” data collected from a panel of 19 experts and a survey of 55 IT project managers.

http://www.ism-journal.com/ITToday/projectfailure.pdf

This week’s resources are focused on the challenging and closely related subjects of business continuity planning (BCP) and disaster recovery programs (DRP). Being able to recover from a disaster is critical to an organization’s long term success, as something is going to happen eventually.

Making sure management and IT staff both understand the business requirements for BCP and DR is the first step. Resourcing the program effort is the next step! Read on … (for help).

Enjoy.

Good luck and have another great week.

The Auditor Responds: Short answer – Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics.

The long answer – http://www.itcinstitute.com/display.aspx?ID=20902.

Business Continuity Planning Standards and Guidelines

Regulatory compliance requirements influence many of the information security practitioner’s roles and responsibilities, including the development of a business continuity plan. In this excerpt from Chapter 1: Contingency and Continuity Planning of “Business Continuity and Disaster Recovery for InfoSec Managers,” John W. Rittinghouse and James F. Ransome outline the regulatory requirements that should be addressed when establishing and maintaining a business continuity plan. 

http://go.techtarget.com/r/458182/4842737

3. Business Continuity Impact Analysis

The Business Impact Analysis (BIA) is the backbone of the entire business continuity exercise or, at least, it should be if handled correctly. Even so, it cannot stand alone and without full support, approval and backing from the highest level of management, the exercise will not achieve its full potential. A well-executed BIA can make the difference between a fully developed, robust business continuity plan, and a mediocre one.

http://www.sorm.state.tx.us/Risk_Management/Business_Continuity/bus_impact.php

Business Impact Analysis - http://www.vccs.edu/its/models/bia.htm

BIA Templates at CCEP - http://www.ccep.ca/ccepbcp3.html

4. Generally Accepted Business Continuity Practices
http://www.drj.com/GAP/

5. Resources regarding the “Insider Threat” issue

Leading resources consolidated by Gideon – truly an excellent repository on an important issue.
http://www.theinsiderthreat.com/

6. FIRST is the global Forum for Incident Response and Security Teams.

FIRST is the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to more effectively respond to security incidents - reactive as well as proactive. FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations. FIRST aims to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large.

http://www.first.org/

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. Security awareness for governance, risk, compliance and business
Information security is a vital element of corporate and IT governance and risk management. It minimizes risks to valuable information assets and maximizes compliance with laws, regulations and standards such as ISO 17799/ISO 27001, HIPAA, SOX, data protection/privacy, software copyright and intellectual property protection, banking industry regulations and many more. 
Secure organizations may confidently pursue new business opportunities that would be considered too risky by their insecure peers. Simply put, good security is good business. 
NoticeBored helps build a genuine security culture through security awareness
http://www.noticebored.com/index.html

2. Twelve habits of successful IT professionals.
http://www.educause.edu/ir/library/pdf/erm0613.pdf

3. Schaser-Vartan Books’ new release, Say What You Do, spells out in layman’s terms the often bewildering differences between policies, procedures and standards — topics that have historically been written about in industry jargon. What sets the book apart is its candidly practical approach, focusing on creating policies that really work rather than pushing theories that break down in the real world. “Armed with this book, you should be able to lead a policy development project at your company from the ground up and from the top down without losing your mind,” says co-author and attorney Marcelo Halpern.
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070417005246&newsLang=en

4. Second edition of Guide to Business Continuity Management.
This comprehensive resource guide reviews in detail numerous BCM areas and strategies, including an overview of the regulatory landscape, risk assessment and business impact analysis, program design, business alignment, training, testing, maintenance, and compliance monitoring and auditing. Updates to the second edition of Guide to Business Continuity Management include a special introduction that examines two significant issues in the field of BCM: the continuing difficulties caused by devastating hurricane seasons, and the potential business disruption that an avian flu pandemic could cause. Other additions include industry-specific questions for BCM programs in the manufacturing, retail, healthcare and telecommunications sectors.
http://now.eloqua.com/es.asp?s=361&e=FADCF1F859DE4310969DEB6DFB1726D7&elq=54F37758B1AB48F98DD409D0C10064D7

5. The Canadian Centre for Emergency Preparedness (CCEP)
CCEP is a not-for-profit organization based in Canada & devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP’s objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.
http://www.ccep.ca/index.html

Anecdotally, I can tell you that most of what I learn and apply as a security professional (a much more socially acceptable label), doesn’t come from commercial seminars and tradeshows, but rather from attending self-proclaimed “hacker-cons”. There are no vendor talks. You just get the real scoop on the latest in attack techniques and appropriate defense measures. I should point out, that in more than 8 years of attending such events, I have never attended a session that talked about attack methods that didn’t talk about appropriate counter measures. Much like learning martial arts, you must learn the attacks to be able to defend yourself.

What I find most interesting is that even as a regular member of society, the overall hacker movement has generated a number of benefits for me. I have pretty good privacy (PGP) for strong encryption thanks to Phil Zimmerman. I have an operating system with fewer vulnerabilities that are harder to exploit than ever before. I have a wireless connection that someone can’t easily eavesdrop. These sharp, technical minds never take anything for granted and are constantly researching how things work, finding weaknesses and proposing ways to make things better. Without “hackers”, no one would have noticed that AT&T was cooperating with the NSA for illegal wiretaps, and there would be no Electronic Frontier Foundation (EFF) to take them to court and protect individual rights. The list goes on.

I expect that the general public will read a few media extravaganzas on credit card and identity theft and stereotype all hackers. What’s interesting is that even major industry certification bodies don’t seem to really understand this sub-culture. I run an annual security event called SecTor and one of the speakers last year was Johnny Long. The sponsor in question here was ready to pull out because a “hacker” was speaking at the event. Johnny is best known as “the grandfather of google hacking”, a technique he perfected working as a professional penetration tester. Best I can tell, Johnny has only ever used his hacking skills to help folks protect their intellectual property assets by limiting their google exposure, and he runs “ihackcharities.org”, using his skills and industry connections to get much needed support to children in third world countries.

So I encourage you, take a martial arts class and learn to defend yourself on the street, and take a hacker class and learn to defend yourself online. Then use neither skill for evil but do leverage your new understanding and stay safe.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. Security awareness for governance, risk, compliance and business

Information security is a vital element of corporate and IT governance and risk management. It minimizes risks to valuable information assets and maximizes compliance with laws, regulations and standards such as ISO 17799/ISO 27001, HIPAA, SOX, data protection/privacy, software copyright and intellectual property protection, banking industry regulations and many more.

Secure organizations may confidently pursue new business opportunities that would be considered too risky by their insecure peers. Simply put, good security is good business. NoticeBored helps build a genuine security culture through security awareness
http://www.noticebored.com/index.html

2. Twelve habits of successful IT professionals
http://www.educause.edu/ir/library/pdf/erm0613.pdf

3. Schaser-Vartan Books’ new release, Say What You Do, spells out in layman’s terms the often bewildering differences between policies, procedures and standards — topics that have historically been written about in industry jargon. What sets the book apart is its candidly practical approach, focusing on creating policies that really work rather than pushing theories that break down in the real world. “Armed with this book, you should be able to lead a policy development project at your company from the ground up and from the top down without losing your mind,” says co-author and attorney Marcelo Halpern.
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070417005246&newsLang=en

4. Second edition of Guide to Business Continuity Management
This comprehensive resource guide reviews in detail numerous BCM areas and strategies, including an overview of the regulatory landscape, risk assessment and business impact analysis, program design, business alignment, training, testing, maintenance, and compliance monitoring and auditing. Updates to the second edition of Guide to Business Continuity Management include a special introduction that examines two significant issues in the field of BCM: the continuing difficulties caused by devastating hurricane seasons, and the potential business disruption that an avian flu pandemic could cause. Other additions include industry-specific questions for BCM programs in the manufacturing, retail, healthcare and telecommunications sectors.
http://now.eloqua.com/es.asp?s=361&e=FADCF1F859DE4310969DEB6DFB1726D7&elq=54F37758B1AB48F98DD409D0C10064D7

5. The Canadian Centre for Emergency Preparedness (CCEP)
CCEP is a not-for-profit organization based in Canada & devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP’s objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.
http://www.ccep.ca/index.html

This week’s resources discuss all these questions and more.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.
http://www.itcinstitute.com/display.aspx?id=1823

2. SCORE
As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. It is a core component of DITSCAP. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. Michael Kirby has developed a tool to help generate an SSP. It is available here on an as is basis, SCORE takes no responsibility for your use of the tool”. Try the tool at http://www.sans.org/score/ssp.php

3. Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition (ISACA)
To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.
http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=24572

4. Digital Records Management — What Auditors Should Know
As companies continue to decrease their dependence on paper records, internal auditors need to stay ahead of the game by understanding the necessary ingredients to an effective digital records management program.
http://www.theiia.org/itaudit/index.cfm?iid=496&catid=21&aid=2388

5. Hammer Time: Enforcing Internal Security - by Linda L. Briggs.
Having internal rules and regulations in place regarding compliance is important, as is clearly communicating them to employees. But when infractions occur, as they inevitably will, how should you deal with them?
http://www.itcinstitute.com/display.aspx?id=2403

6. Security breach lists are an interesting read and can be useful for:
* Identifying trends in emerging security threats.
* Providing examples of why a control is necessary.
* Citing real world compromises in presentations, etc.
http://www.efortresses.com/refdocs/2006-Breaches-Matrix.pdf
http://www.privacyrights.org/ar/ChronDataBreaches.htm
http://www.cybercrime.gov/cccases.html

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. CERT®’s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT® Resiliency Engineering Framework. The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.

2. Governing for Enterprise Security Implementation Guide
This guidance is designed to help business leaders implement an effective program to govern information technology (IT) and information security.

• Article 1: Characteristics of Effective Security Governance (pdf)
• Article 2: Defining an Effective Enterprise Security Program (ESP) (pdf)
• Article 3: Enterprise Security Governance Activities (pdf)

3. The Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world’s leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure. http://www.cerias.purdue.edu/

4. Guide 6: Managing and Auditing IT Vulnerabilities
The IIA has released its sixth guide in its Global Technology Audit Guide (GTAG®) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.
5. Auditing security using the PCI standard and related guidance - (Because personal information must be protected)
We need to protect personal information much more than ever before and extensive help from the PCI Security Standards Council and numerous other organizations does exist.
http://www.auditnet.org/articles/DSIA200704.htm

6. The CIAO/IIA series of board level security guidance reports
The Institute of Internal Auditors (IIA) has published a series of three board-level guidance reports focusing on information security that focuses on assigning responsibilities to the board, management, and internal audit, and providing guidance to board directors.
• Information Security Management and Assurance: A Call to Action for Corporate Governance

• Information Security Governance: What Directors Need to Know

• Building, Managing, and Auditing Information Security

This week’s question: “How prepared is your organization?” If you have any concerns on the robustness of your disaster recovery, business continuity, and/or your emergency management capabilities, I’d strongly recommend you check out the Canadian Centre for Emergency Preparedness.

Studying for your CISSP? The CCCure.Org web site is the place to go!

Feeling you need to ramp up your security training efforts? Check out ISC2’s comprehensive educational resource guide.

Finally, have you been questioning who is responsible for information security lately? Study the views of an internal auditor.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. The (ISC)² 2007 Resource Guide for Today’s Information Security Professional - Global Edition provides the latest resources in educational references, year-long events listings and leading industry sponsors all in one handy downloadable reference guide.

2. The Systems Security Engineering Capability Maturity Model (SSE-CMM) was developed to advance security engineering as a defined, mature, and measurable discipline. It describes the characteristics essential to the success of an organization’s security engineering process, and is applicable to all security engineering organizations including government, commercial, and academic.

3. CCCure.Org The CISSP, SSCP, CISM, CISA, ISSPCS, and SANS GIAC GCFW Open Study Guides Web site is dedicated to helping people in achieving their goal of becoming a CISSP, SSCP, CISM, CISA, ISSPCS, or GCFW. Over the years it has become a vast container of resources that can assist you in mastering the domains of the specific Common Body of Knowledge related to each of the above certifications.

4. Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines) and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done — and that the company’s key assets are protected appropriately.

5. The Canadian Centre for Emergency Preparedness (CCEP) is a not-for-profit organization based in Canada & devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP’s objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.

6. What Should Your Business Continuity Efforts Focus On?
A Reader Asks: Should your business continuity program (BCP) consider the impacts of emerging threats and changing business practices, and what are the key issues involved today?
The Auditor Responds (Short answer): Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics.
The long answer: http://www.itcinstitute.com/display.aspx?ID=2090