Accountability & related resources

The price of greatness is responsibility - Churchill quote

Information security accountabilities, roles and responsibilities

In Writing Information Security Policies (~$28 from Amazon), Scott Barman discusses information security responsibilities in Chapter 3. Tom Peltier in Information Security Policies, Procedures and Standards (~$63 from Amazon) covers them briefly in the introduction and further in chapter 4. Roles and responsibilities permeate both books.

The Seattle Times reported a potential compromise of thousands of confidential personal details. “The laptop was grabbed from a Boeing human-resources employee at an airport,” said company spokesman Tim Neale. “The laptop was password-protected and was turned off,” he said. But the file containing the names, Social Security numbers and in some cases, addresses and phone numbers for 3,600 current and former employees was evidently not encrypted, despite a directive issued five months previously to remove or encrypt all sensitive information on laptops. Later: “The Boeing Co. said Thursday that it has fired the employee whose laptop was stolen, putting the personal information about nearly 400,000 retired and current company workers in jeopardy. Files on the stolen computer contained salary information, Social Security numbers, home addresses, phone numbers and birth dates. A person with knowledge of the matter said the employee data were not encrypted, as company policy requires once the data had been downloaded from a server.” Shocking story here.

A spreadsheet from George Spafford’s outfit is a simple template to assist in the review of organizational structures and processes for segregation of duties issues.

The Police and Justice Act 2006 made Denial of Service attacks illegal under British law and clarified other aspects of computer misuse. The Computer Misuse Act 1990 made it an offence to access a computer or modify data without authority, covering most hacks but not explicitly DoS attacks. Criminal hackers who commit DoS-based extortion, for example, can be held accountable under the Act.

Useful yet complementary descriptions by the University of Utah and ISACA explain what is meant by division of responsibilities. ISACA’s audit guideline responsibility, accountability and authority gives clear, formalized, professional guidance to IT auditors and other governance professionals.

Management accountability is generally recognized to be a critical governance factor in the success of major IT/development projects, yet an excellent study into project management practices by Computer Weekly and Oxford University found that only half of the projects have a business case. It is difficult to understand how anyone can be held accountable for a project with no business case i.e. no formal definition of the net business benefits the organization anticipates.

Ownership & inventory of information assets

“The task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, how are we going to decide the amount of time, effort or money that we should spend on securing the assets?” Useful paper from Network Magazine, India.

NIST says that responsibility for the security of an IT system or asset must be assigned to ‘a single, identifiable entity, and to a single, senior official within that entity’, providing accountability for security failures and establishment of the chain of command that authorizes access to and use of system assets.

Motorola’s inventory of critical information assets includes: business plans and strategies; financial information; cost of research, development, and production; new product information, including pricing, marketing plans, and timing; customer lists, terms, and pricing; research and development priorities, plans, and activities; inventions and other technology-related information; unique or exceptional manufacturing processes; facility blueprints, floor plans, or layouts; and employee records and human resources information.

Sarbanes-Oxley (SOX), COSO, CoCo, Turnbull & Cadbury, COBIT etc.

An ISACA paper outlines ITIL, COBIT and ISO/IEC 17799, and suggests an approach to implementing the three standards as a complementary set.

The American Institute of Certified Public Accountants (AICPA) offers advice and a checklist to audit committees on how to handle (and avoid) adverse reports on SOX section 404.

The International Federation of Accountants (IFAC) represents 2½ million accountants in 120 countries (what is the correct collective noun - a surplus of accountants maybe?). Their Professional Accountants In Business (PAIB) committee offers free white papers on governance-related topics including a review of current developments in internal control.

Sarbanes Oxley - Section 404 - IT Compliance covers, um, the IT aspects of section 404 of SOX. Chapter 1 is available as a free download. Dennis Brewer’s book was published by Wiley and is available for ~$43 from Amazon.

SOX-online claims to have the most comprehensive SOX information on the web, including songs and jokes - see, some accountants and auditors are human too!

The Institute of Internal Auditors website has a paper discussing the value of Sarbanes-Oxley section 404. The Foundation surveyed 171 chief audit executives and internal audit managers regarding the specific benefits and control improvements associated with Section 404 work, and lessons for the future to improve the efficiency and effectiveness of control evaluations. The IIA’s Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners is based on real-world experience by internal auditors and on SEC and PCAOB guidance.

The European Spreadsheet Risks Interest Group is an academic group researching integrity risks arising from the widespread use of spreadsheets by business people. The website summarizes more than 60 news stories regarding incidents caused by spreadsheet bugs. PwC’s paper The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act also mentions a selection of news stories on spreadsheet incidents, along with basic advice on controlling the development and use of spreadsheets.

Ensuring the integrity of accounting/financial management systems is an important part of corporate governance regulations such as and the Turnbull, Higgs and other reports relating to the London Stock Exchange. The regulations refer to internal systems of control, mostly in terms of management roles and responsibilities, and management independence. Information security controls are not specified in detail but may be inferred from the texts. The regulations follow in the wake of major accounting/financial scandals such as Enron along with a whole host of smaller incidents, and will continue evolving indefinitely as people find ever more ingenious ways to persuade others to part with cash.

The home page of Sarbanes-Oxley dotcom carries a stream of governance news stories - handy to keep up with recent developments in the field.


Related NoticeBored links collections

IT governance, information security risk management, IT operations, compliance, contingency planning, intellectual property rights and security awareness.


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd.