Friday, September 30, 2005

In a Nutshell - SOX - The questions you never asked...

The Sarbanes-Oxley Act
What is it?
- all public companies are required to certify and document internal financial Controls and Reporting

CEOs and CFOs certify the Financial results

Management to assess internal controls and processes that contribute to a financial report step-by-step.

Why Implement
To avoid another Enron scandal... Is this not enough?

How do I comply with SOX?
1. Perform Risk Assessment
2. Implement Workflow
3. Document processes
4. Monitor compliance
5. Test Compliance
6. Repeat steps 1 to 6 next year...

What and who do I use to achieve compliance?
- Hire a knowledgeable security/audit company or SOX consultant
- Invest in Technology that supports 'environments of compliance'
- Upgrade your IT Infrastructure
- Implement Third party software (i.e. for document handling)
- Internal Audit groups should work closely with External Auditors

Happy Government = Wealthy Stockholders = Strong Confidence = Great Reputation

Added benefit
The CEO and CFO do not go to jail...

Do not fool yourself by merely tweaking the systems you have in order to comply. Only large firms with a plethora of systems are allowed to do that...

Security and compliance should not be a 'knee-jerk' response!

Factoid - What is everyone else doing about security?

Corporations will allocate between 4% and 15% of their 2005 budgets to Security.

Companies are buying the following Security solutions, services and products (in order of importance):
- PC security
- Server security
- Network Security Management software
- Web security tools
- Intrusion Detection appliances
- Application security (includes legacy apps)
- Data and Storage protection
- Remote Access security
- Encryption software

Factoid - Internet Use in Canada

Business and government use of information and communications technologies (Enterprises that use electronic mail):

Private sector in 2005: 76.60%

Public sector in 2005: 99.89%
(Public Educational services, Health care and Social assistance at 100.00%!)

What do you think?
Is the average Canadian's Private and Confidential Data sufficiently protected?

Source: Statistics Canada (2005-5-17)

Fun - They said, We said...

It makes sense...

If your NETWORK is like an EGG (hard on the outside, mushy on the inside)...

... your SECURITY should be like an ONION (Layers of Security)


In a Nutshell - Business Continuity Planning stages

There are 6 stages in the Business Continuity Planning (BCP) methodology. They are to be performed in the following order:

- Risk Management efforts

- Business Impact Analysis (BIA)

- Business Continuity Strategic Development

- Business Continuity Plan Development

- Business Continuity Plan Testing

- Business Continuity Plan Maintenance

In a Nutshell - Top 10 Information Security Priorities

in random order...

1. Secure your desktops and servers

2. Secure networks, wireless networks and devices

3. Secure Remote Access to the Corporate Network

4. Install and centrally manage Antivirus protection at the perimeter and entry points to your network

5. Install and Manage Intrusion detection and prevention devices

6. Integrate Information Security and IT infrastructure

7. Develop, enforce and update a security architecture

8. Develop, enforce and maintain Information Security Policies

9. Detect and respond to security incidents

10. Secure e-business areas and initiatives

Wednesday, September 14, 2005

In a Nutshell - Achieving and Maintaining Security and Regulatory Compliance

In order to achieve and maintain security compliance and regulatory compliance, a company must follow these basic steps:

1) Translate financial requirements to business managers

2) Perform a site audit to identify security deficiencies and security risks

3) Report findings to Senior Management.

4) Agree on and implement a plan together to address the most significant risks

5) Strengthen perimeter security as well as harden desktops and servers.

6) Work with your client to implement B2B connectivity using secure transmission methods.

7) Produce formal documentation

8) Last but not least, develop information security policies that can be reusable across the Company.

SECURE SMB assists companies in achieving compliance and maintaining their security status. Ask how now.

Saturday, August 06, 2005

In a Nutshell - Security Site Audits

Security Site Audits

A Security Site Audit will identify security issues and help Executive Management decide what steps are necessary to improve the security posture of the company.

Who needs Security Site Audit services:
- If your company connects to 3rd party vendors
- If your company outsources work to other locations
- If your company transmits data to other locations or companies

What a security company will do for you:
- Audit Security Organization and Security Policies based on industry Standards (ISO 17799, ISF, HIPAA, VISA and more)
 What is the security posture of my partner/3rd party vendor?

- Audit HR policies on Personnel Security
 Review Hiring and background check processes
 Audit the existence of employee training and awareness programs
 Only trustworthy staff should be accessing your information
 Is everyone aware of corporate and security policies?

- Physical Security Site Audit
 Verify perimeter defenses and access controls are in place

- Compliance Checks
 External and internal audits
 Implement regulatory and legal requirements

- Access Control
 Effective Password policies
 Logical and physical data and network separation
 Audit logging
 Encryption methods and Key Management processes
 Secure Production environments

- Development Security
 New technologies and product development
 Secure testing and QA methodologies
 Risk assessment
 Project Management Capabilities

- Asset and Data Classification
 Implement Data Classification schemas
 Determine appropriate security controls for each classification

- Disaster Recovery and Business Continuity planning
 Audit the existence and effectiveness of formal DR/BCP plans

- Mergers and Acquisitions
 Value added services when buying or selling a business
 Uncover security concerns that need to be addressed

- Change Management
 Verify security involvement during the second most critical phase of the application and product lifecycle

- Operations Management
 Secure Data transport
 Effectiveness of Data Backup processes
 Secure Ecommerce development

- Results and reports are based on Security expertise and Industry best practices
- Access to security knowledge and experience that may not reside with the client's staff
- Meet legal and regulatory compliance requirements
- Meet Privacy Requirements
- Perform Due Diligence and Due Care
- External / Independent Assessment from approved Information Security company
- Not vendor specific approach
- Intrusive / Non-intrusive methodologies
- Assist you in implementing required actions to address the findings
- Assist in automating security processes for Company use

Fun Stuff - How to handle an IT Auditor

I started working on this one and it became kind of silly. I also ran out of ideas... Please feel free to add to the list

- - -

How to handle an Auditor

YOU are a Business unit's Manager for a fairly large company (they still owe you a VP title).

It has been two weeks now since the auditors "evacuated" your boardroom, and the rest of the staff on the floor are happy again, since they do not have to search the other floors for an open boardroom for their meetings.

Well, today's the day a 30-page audit report just landed in your Inbox (did I fail to mention encrypted, of course) accompanied by a meeting invitation with the Audit Manager.

You double-click the attachment document and it takes about 10 seconds to open.

Once it does, you rush to the Summary page and count how many High Risk items they have located and listed. Then, you're thinking of having a heart attack… but then again…

Auditors are a group of people that everyone just loves as much as their dentist. The profession should be listed as one of the top 10 stress-bearing and stress-producing occupations.

Now, you are called to action and must respond to the report. Well, let me help you out by offering you the following tips:

- Ignore them (this doesn't work all the time). Auditing groups are comprised of an Audit Manager (he thinks he knows his stuff) and a flock of university (at best) graduates. These kids don't know what they are talking about, right?

- Challenge them. Auditors know only what you have told them. Am I the only one that gives audit a "yes/no" answer to their questions?

- Bargain with them. Tell them that you do not think these are Severity 1 items because of the controls you have in place. Don't forget: not all controls need to be physical; they can also be logical and function as well as all other controls.

- Lie to them. Tell them that you have been working on the process document and it is still in draft mode. On top of that, let them know that the staff member is on vacation and, when they return, the PC does not boot and it has to be reimaged again, losing all data and documents.

- Buy some time. If you can't beat them, ask for 2 years to fix. By that time, they might have given you that VP title and it becomes someone else's problem.

- Hide the servers. Naa, this doesn't work at all…

- Escalate. Tell them that you will need to escalate to the Head of the BU and ask for more money to fix the problems but (we) are all aware of the profit earnings warning communicated last week.

- (...when dealing with Internal Audit groups) Ask for an external auditor to verify the findings

- Bring in your boss's boss and intimidate the crap out of the Auditor...

In a Nutshell - Measuring IT Value - How to IT Metrics

Metrics – Measuring IT value

Question since start of mankind:
- How do I measure IT and Security Value?

- More than 80% of companies do not track IT metrics; the percentage is even higher for IT Security departments

- Metrics drive your business revenue and support your business decisions

Why is it so difficult to measure ROI on Information Technology and Information Security?
- Complex departmental integration to IT systems
- Difficult to benchmark:
 absence of knowledge
 absence of tools
 absence of resources
- Out of the box software - difficult and time consuming to configure
- Who develops metrics? Not everyone on the same page…
 IT (too busy)
 CFO/Finance
 CEO/Executive
 Outsourced company
- Numbers can always be challenged by other groups or methods
- Difficulty combining metrics to develop the bigger picture
- Do you have enough metrics? When do you stop? (Over-sample – Overkill)
- Number of communication challenges when delivering to various corporate levels and groups
- Quantitative vs. Qualitative results?
- Not only do you need to "walk the talk" but you must also "talk the walk"!

Benefits when you talk metrics:
- Achieve Business alignment and metrics guide your business decisions
- Assist Decision makers in doing their job better
- Convince executives of value and prove Return on Investment
- Rank higher in the company execs' eyes
- Detrimental change in corporate landscape
- Cost savings
- Scalability
- Revenue driven goals
- Success should always be measured in IT, Business and Financial terms. No single metric provider can take credit for a success

In a nutshell - Distinguish your company from the competition

Here is what sets a company apart from the competition:

- Skill set
- Knowledge base
- Industry leaders
- Business acumen
- Commitment
- Courtesy
- Appreciation

IT Security Factoid

Most companies will increase their IT and security spending in 2005 to comply with recent regulations and laws...
(Who said this?)

In a nutshell - Managing IT Growth

Your company is soaring to new heights and annual revenue appears to be following geometric or exponential growth.

As an IT executive you need to classify your assets:
- Projects
- Network
- Servers
- Desktops
- Applications

IT Challenges you will face:
- Aligning business requirements to IT requirements – Set common goals, milestones and metrics (consider BI, CMS, DRP, BCP)
- Enforcing Security measures and getting executive buy-in (Consider ISO17799)
- Enhance internal IT processes to meet demands and increased staff inflow (Consider ITIL)
- Enhance Project Management processes and deliver quality products on-time and on-budget (consider CMMi)

Key steps to achieve in order:
- Create / modify Strategic plan and formal policies and processes (if your business has put them in place already, please read them and realign your department to meet the same goals)
- Implement Organizational changes (carefully choose your direct reports)
- Make them directly accountable for results
- Keep information flowing to your immediate reports and most importantly upwards to your managers
- Make sure everyone is aware and clear of the company's goals
- Focus on technology enhancements to allow for growth
- Focus on skill development, training and staff retention

- Happy staff and stakeholders…

(BTW, please let us know your stock symbol…)

Wow ! Am I in a good mood today!!!

In a Nutshell - Content Management

Content Management solutions

- Managing online or enterprise content
- Enable content creators direct access to the website/site, cutting out the "middleman"

- The Company's IT staff managed the online presence, devoting valuable time and resources
- Leads to inefficiency in maintaining online presence up-to-date when launching new content or products

- To enhance online presence
- Meet specialized requirements

Content Management Solution has to:
- Enhance customer service and user
- Provide a stable platform to host content
- Short "time-to-market"
- Accuracy of content publishing
- Easy to use
- Easy to learn
- Have Mid-Market positioning (not too small – too big)

Might want to address these issues also:
- Provide basic or enhanced document management capabilities
- Provide secure collaboration to organize, share and manage data
- Provide workflow capabilities

- Allow content publishers direct access through implementation of security controls
- Outsource to content management provider
- Purchase and implement Content Management solution

- Increased employee productivity
- Maintain the IT department's control
- Consistent image and branding

Does it need to be complex?

Just because your business has complex demands, it does not mean that you have to have a complex IT environment...

Thought of the Month

Keeping up with Security is my biggest challenge.
They keep moving the finish line on me...

Tuesday, July 26, 2005

Toronto Security Klatch

We salute the Toronto Area Security Klatch, which promotes Information Security awareness here in Toronto, Canada.

Their website can be found at Signup for free with the Toronto Area Security Klatch.

- - -

Toronto's Security User Group, TASK (Toronto Area Security Klatch), provides a forum for experts to encourage discussion and share expertise in understanding the latest trends and security threats facing computer networks, systems and data.

Our membership includes Information Security practitioners, managers, network administrators, students, and anyone who is interested in learning more about securing information.

TASK meets the last Wednesday of each month, and membership is free.

Their Values as presented on their website:
* Shared Expertise
* Practitioner-Focused
* Non-Partisan

- - -

Thank you
Blog Master

Information Security Blog

Welcome to the launch of the Official Information Security Blog for SECURE SMB and PC SYSWARE Inc.

This idea space will be used to post ideas, thoughts and comments on Information Security issues and trends. You are welcome to send us your comments and thoughts and we will be happy to post them. Please sign our guestbook HERE.
