An IIA survey of 895 auditors and corporate managers taken in 2007 indicates that internal audit departments are short on guidance and methods for evaluating IT controls. Almost 80% of respondents indicated that assessing IT general controls is difficult, and 98% said that more detailed guidance consistent with PCAOB AS-5 would be helpful in assessing deficiencies in IT general controls. More than half said that their methodology is not effective or only somewhat effective in identifying and assessing IT risks.
Based on the survey results, the IIA developed two new documents in its Guide to the Assessment of IT Risk (GAIT) series: GAIT for IT General Control Deficiency Assessment and GAIT for Business and IT Risk. The first guide is intended to help managers understand what constitutes a material weakness in IT general controls. Its simple decision-chart format and 6-step assessment methodology are designed to make IT general controls audits more meaningful and better linked to overall internal control objectives.
GAIT for Business and IT Risk ties together the concepts of business risk and IT risk. The idea is to provide a model for identifying key IT controls that contribute to mitigating business risk. The methodology takes a top-down approach that first identifies business objectives, then the risks to completing those objectives, and finally the IT applications and general controls that support the business objectives.
Both guides have linkages to generally accepted standards—COSO's Enterprise Risk Management Integrated Framework and PCAOB's Auditing Standard 5.
Monday, May 26, 2008
Tuesday, May 20, 2008
The Estonian Internet War of 2007
Gadi Evron writes in Security Focus of a regional conflict where much of the aggression was virtual.
One year later, Lauri Almann, Estonia’s Undersecretary of Defense, talks with Government Computer News about what has been learned about the nature of the attacks, and the technology measures Estonia is taking to prepare for what Almann believes could be an even more debilitating attack the next time.
Monday, May 19, 2008
New Standards for Federal Computing: How Will It Affect You?
The time of reckoning has arrived for Federal agencies, and your organization might not be far behind. Earlier this year, the Information Security Automation Program (ISAP) - a collaborative of Federal and private entities including the Office of Management and Budget, NIST, Department of Homeland Security, National Security Administration, Air Force and Microsoft - released the core components of the Federal Desktop Core Configuration (FDCC).
The FDCC standardizes configuration settings for Microsoft Windows XP Professional SP-2, Microsoft Windows Vista Enterprise, and Internet Explorer 7.0. The idea behind FDCC is to make management easier and security more bulletproof for the many thousands of desktop and laptop platforms throughout Federal government.
To implement the FDCC requirements, the ISAP developed the National Validation Database (NVD). The NVD is essentially a repository of configuration and security evaluation tools for Windows products. It provides resources to help agencies test, implement, and deploy the Microsoft Windows XP and Vista FDCC baseline. Most of the tools in the NVD are built on the Security Content Automation Protocol (SCAP). SCAP delivers an open and standardized mechanism for automated vulnerability management, measurement, and policy compliance evaluation. A detailed discussion of SCAP is available from NIST.
There are some problems with FDCC, notably addressed in an editorial by Wyatt Kash, the editor of Government Computer News. But the complexity and proliferation of computer systems in the Federal government will push the FDCC forward as a standard that will likely cross public/private sector boundaries, especially given Microsoft’s involvement with it. There’s little doubt that SCAP tools addressing operating systems other than Windows and software products other than operating systems will be coming soon.
Buckle up…
Monday, May 12, 2008
CompTIA: Mobility Raises Threat Level
A November 2007 CompTIA press release confirms that information security threats and vulnerabilities stemming from ubiquitous computing are on the rise. CompTIA commissioned TNS Prognostics to conduct a study identifying current IT security practices, and highlighting security challenges confronted by organizations of varying sizes and sectors. The study gathered data from 1,070 small, medium and large organizations. According to the report:
- Sixty percent of organizations surveyed said that security issues related to the use of handheld devices for data access and transfer have increased significantly or increased somewhat over the past 12 months.
- 55 percent of surveyed organizations said wireless network security issues have increased significantly or somewhat over the past 12 months.
- Nearly 80 percent of the organizations allow data access by remote or mobile employees, but just 32 percent have implemented any security awareness training for these workers.