The cornerstones of an effective information security program are well-written policy statements. They are the wellspring of all other directives, standards, procedures, guidelines, and supporting documents. As with any assessment process, it is important to ensure that the policies establish the direction management wants to take with regard to security.
When reviewing policies, Thomas R. Peltier, in his book Managing a Network Vulnerability Assessment, notes that it is necessary to remember that there are three general types of policies:
General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the
May 11th, 2008 | Posted in article, implementation
- Do you have any security-related policies and standards?
- If so, do you want us to review them?
- Do you want us to perform a review of the physical security of your servers and network infrastructure?
- How many Internet domains do you have?
- How many Internet hosts do you have?
- Do you want us to map your Internet presence? Otherwise, can you provide us with a detailed diagram of your Internet presence, including addresses, host OS types, and software in use on the hosts? We will also need the addresses in use on both sides of any host that connects to both the Internet and the internal network.
May 6th, 2008 | Posted in article
- Can your tool collect and aggregate 100 percent of the log data from all in-scope log sources on the network?
- Are your logs transported and stored securely, so that the confidentiality, integrity, and availability (CIA) of the log data are preserved?
- Are there packaged reports that suit the needs of your Sarbanes-Oxley project's stakeholders, such as IT, auditors, and perhaps even Finance or Human Resources? Can you quickly create the additional reports needed to organize the collected log data?
- Can you set alerts on anything in the logs in order to satisfy the monitoring requirements?
May 1st, 2008 | Posted in article, system log
Let’s put the principles of integrity, confidentiality and availability into practice. Remember, we want to balance integrity and confidentiality (which both restrict access) against availability (which allows access). To do this we use the principle of least privilege: we give an individual enough access to do their work, but no more.
An important related term is “need-to-know”. This term is used in government to help define what access an individual should be given. Let’s say I’m an FBI agent and I have Top Secret clearance. I gained this clearance by proving I was trustworthy through background checks and several years of service. Say one day I’m bored with my work and decide to look at what other Top Secret cases the FBI is investigating. Because of need-to-know, I can’t simply start browsing through files that aren’t related to the cases I’m working on, even though I have Top Secret clearance. If I can’t convince my superiors that I need access to the information, I will not be given that access. The same rules should apply in your organization. Just because someone works in accounting doesn’t necessarily mean they need access to all of your organization’s financial information. For example, an employee whose job is to buy inventory to sell likely does not need access to customers’ cardholder data, and should therefore be denied access to it.
April 28th, 2008 | Posted in article
According to the Mortgage Bankers Association, online mortgage originations are expected to grow to $250 billion by 2003 from $4 billion in 1999 (although more recent estimates put that number much lower due to the economic turmoil in the technology sectors).
A number of companies have developed solutions suitable for this space, validating the need for PKI as an infrastructure to support the growing demand for online real estate transactions. Companies such as eVincible, LLC have created XML-based solutions (using PKI) that provide a mechanism for online form creation and signing. The XML format is generic, so archiving and later validation become easy. Software solutions that store and sign forms in a specific proprietary format (like MS Word 6.0) will have trouble validating and/or viewing the document later if the original viewer (Word 6.0) is no longer available. Other companies have solutions tailored specifically to mortgages. For example, Ingeo, a Utah-based company, has solutions that allow online mortgages to be prepared and recorded. It even has an offering that allows electronic interfacing with government recording offices, all based on X.509 certificates.
April 27th, 2008 | Posted in implementation
When dealing with on-site auditors or approved scanning vendors, most people fit into one of three groups. Some people are intimidated by auditors. They see them as someone with a lot of power, and they hope they will say and do the right things to get by. A second group seems to look at auditors as their enemy. They believe they must wrestle with the auditor and hopefully win in the end. The last set of people treat the auditor like a consultant they’ve brought in to help bring their company into compliance. They respect the auditor’s opinions and keep the auditor in the loop as they work out solutions. This last group will get the most out of their auditor, will have the best overall experience, and will be able to bring their company into compliance with the least amount of hassle.
As hard as it might be to believe, auditors are there to help you. It’s important to know how to work well with auditors so that your audit goes smoothly and efficiently and you get your money’s worth. A good auditor will go over your company’s systems, practices, and policies with a fine-toothed comb and tell you what you can do to improve your security. Hopefully, your primary goal in becoming Sarbanes-Oxley compliant is to have your company become more secure. When you realize that auditors provide you with a valuable service and that you’re both on the same team working towards a common goal, you will have the right attitude. Remember that auditors have moral and professional obligations to follow the guidelines and procedures they’ve been given for the audit. It is not appropriate to ask them to compromise those obligations. Auditors are trained and have likely performed many audits, and they can give you great advice on what you can do to bring yourself into compliance.
April 23rd, 2008 | Posted in article
If a company does not comply with the Sarbanes-Oxley Act, it exposes itself to the possibility of lawsuits and negative publicity. If a corporate officer files an inaccurate certification, even unintentionally, he or she is subject to a fine of up to $1 million and 10 years in prison. [SOX IT Compliances, Christian B. Lahti, Steve Lanza]
If a corporate officer intentionally files an inaccurate certification, the fine can be as much as $5 million and possibly 20 years in prison. When thinking about the severity of the consequences of noncompliance for corporations and corporate officers, we must remember that the intent, although arguably misguided, was to prevent occurrences such as those that happened at MCI and Enron—hence the stiff penalties for those at the top.
April 23rd, 2008 | Posted in article