SarbanesOxleyFocus.com

April 28, 2008

How Much Access Should a User Have

Filed under: article — admin @ 8:30 pm

Let’s put the principles of integrity, confidentiality and availability into practice. Remember, we want to balance integrity and confidentiality (which both restrict access) against availability (which allows access). To do this we use the principle of least privilege: give an individual enough access to do their work, but no more.

An important related term is “need-to-know”. This term is used in government to help define what access an individual should be given. Let’s say I’m an FBI agent and I have Top Secret clearance. I gained this clearance by proving I was trustworthy through background checks and several years of service. Say one day I’m bored with my work and decide to look at what other Top Secret cases the FBI is investigating. Because of need-to-know, I can’t simply start browsing through files that aren’t related to cases I’m working on, even though I have Top Secret clearance. If I can’t convince my superiors that I need access to information, I will not be given that access. The same rules should apply in your organization. Just because someone works in accounting doesn’t necessarily mean they need access to all of your organization’s financial information. For example, an employee whose job is to buy inventory to sell likely does not need access to customers’ cardholder data, and should therefore be denied access to it.
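The two scenarios above (the cleared agent who still may not browse other cases, and the buyer who must not see cardholder data) both reduce to the same decision rule: clearance is necessary but not sufficient, and need-to-know is a separate, explicit grant. The following Python is an added example, not code from SarbanesOxleyFocus.com; the level ordering, the role table, and the sample subjects and records are constructed for illustration. Each denial carries the reason, so the same function produces the audit trail an assessor would ask for.

```python
"""Least privilege and need-to-know as one access decision (added example).

A request is granted only if the subject's role permits the operation, the
subject's clearance dominates the record's classification, AND the subject has
an explicit need-to-know grant for the record's compartment (case or data domain).
"""
from dataclasses import dataclass

# Ordered sensitivity levels (constructed); a clearance must dominate the record's level.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Record:
    name: str
    classification: str  # one of LEVELS
    compartment: str     # case number or data domain that need-to-know is granted against


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str           # one of LEVELS
    need_to_know: frozenset  # compartments this subject has a demonstrated need for
    role: str


# Role -> operations the role may perform at all (constructed). A buyer may
# create purchase orders; an agent or auditor only reads.
ROLE_OPERATIONS = {
    "agent": frozenset({"read"}),
    "buyer": frozenset({"read", "write"}),
    "auditor": frozenset({"read"}),
}

# Every decision, allowed or denied, is appended here: this is the evidence trail.
AUDIT_LOG: list[dict] = []


def decide(subject: Subject, record: Record, operation: str) -> tuple[bool, str]:
    """Return (allowed, reason). Each denial names the control that refused it."""
    if operation not in ROLE_OPERATIONS.get(subject.role, frozenset()):
        return False, f"role '{subject.role}' may not '{operation}'"
    if LEVELS[subject.clearance] < LEVELS[record.classification]:
        return False, f"clearance {subject.clearance} below {record.classification}"
    # Clearance passed, but need-to-know is a separate grant: no compartment, no access.
    if record.compartment not in subject.need_to_know:
        return False, f"no need-to-know for compartment '{record.compartment}'"
    return True, "allowed"


def access(subject: Subject, record: Record, operation: str) -> bool:
    """Decide and record the outcome; returns True only when all three checks pass."""
    allowed, reason = decide(subject, record, operation)
    AUDIT_LOG.append({"subject": subject.name, "record": record.name,
                      "operation": operation, "allowed": allowed, "reason": reason})
    return allowed


# Constructed sample subjects and records mirroring the post's two scenarios.
AGENT = Subject("agent_smith", "Top Secret", frozenset({"case-1001"}), "agent")
OWN_CASE = Record("case-1001 file", "Top Secret", "case-1001")
OTHER_CASE = Record("case-2002 file", "Top Secret", "case-2002")

BUYER = Subject("buyer_jones", "Confidential", frozenset({"inventory"}), "buyer")
PURCHASE_ORDERS = Record("purchase orders", "Confidential", "inventory")
CARDHOLDER_DATA = Record("cardholder data", "Confidential", "cardholder")


def demo() -> list:
    """Run the five requests discussed in the post and return the decisions in order."""
    return [
        access(AGENT, OWN_CASE, "read"),          # assigned case: allowed
        access(AGENT, OTHER_CASE, "read"),        # Top Secret, but no need-to-know: denied
        access(BUYER, PURCHASE_ORDERS, "write"),  # buyer's own job: allowed
        access(BUYER, CARDHOLDER_DATA, "read"),   # same clearance level, wrong compartment: denied
        access(AGENT, OWN_CASE, "write"),         # role never writes: denied
    ]


if __name__ == "__main__":
    demo()
    for entry in AUDIT_LOG:
        print(entry)
```

The check order is deliberate: the role gate runs first, so a denied request is logged against the coarsest control that refused it, and need-to-know is tested last so that the log makes clear when someone was cleared but not authorised. Adding a person to `need_to_know` is the only way to widen their access, which is exactly the "convince my superiors" step the post describes.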


April 27, 2008

Security issues in online mortgage and loan applications

Filed under: implementation — admin @ 8:26 pm

According to the Mortgage Bankers Association, online mortgage originations are expected to grow to $250 billion by 2003 from $4 billion in 1999 (although more recent estimates put that number much lower due to the economic turmoil in the technology sectors).

A number of companies have developed solutions suitable for this space, validating the need for PKI as an infrastructure to support the growing demand for online real estate transactions. Companies such as eVincible, LLC have created XML-based solutions (using PKI) to provide a mechanism for online form creation and signing. The XML format is generic, so archiving and later validation become easy. Software solutions that store and sign forms in a specific format (like MS Word 6.0) will have trouble later validating and/or viewing the document if the original viewer (Word 6.0) is not available. Other companies have solutions tailored specifically to mortgages. For example, Ingeo, a Utah-based company, has solutions that allow online mortgages to be prepared and recorded. It even has an offering that allows electronic interfacing with government recording offices, all based on X.509 certificates.


April 23, 2008

Remember, Auditors Are There to Help You

Filed under: article — admin @ 8:12 pm

When dealing with on-site auditors or approved scanning vendors, most people fit into one of three groups. Some people are intimidated by auditors. They see them as someone with a lot of power, and they hope they will say and do the right things to get by. A second group seems to look at auditors as their enemy. They believe they must wrestle with the auditor and hopefully win in the end. The last set of people treat the auditor like a consultant they’ve brought in to help bring their company into compliance. They respect the auditor’s opinions and keep the auditor in the loop as they work out solutions. This last group will get the most out of their auditor, will have the best overall experience, and will be able to bring their company into compliance with the least amount of hassle.

As hard as it might be to believe, auditors are there to help you. It’s important to know how to work well with auditors so that your audit will go smoothly and efficiently, and to ensure that you get your money’s worth. A good auditor will go over your company’s systems, practices, and policies with a fine-toothed comb, and tell you what you can do to improve your security. Hopefully, your primary goal in becoming Sarbanes-Oxley compliant is to have your company become more secure. When you realize that auditors provide you with a valuable service and that you’re both on the same team working towards a common goal, you will have the right attitude. Remember that auditors have moral and professional obligations to follow the guidelines and procedures they’ve been given for the audit. It is not appropriate to ask them to compromise those obligations. Auditors are trained and have likely performed many audits, and they can give you great advice on what you can do to bring yourself into compliance.


What if a company does not comply with SOX?

Filed under: article — admin @ 5:31 am

If a company does not comply with the Sarbanes-Oxley Act, it exposes itself to the possibility of lawsuits and negative publicity. If a corporate officer, even unintentionally, files an inaccurate certification, he or she is subject to a fine of up to $1 million and 10 years in prison. [SOX IT Compliances, Christian B Lahti, Steve Lanza]

If a corporate officer intentionally files an inaccurate certification, the fine can be as much as $5 million and possibly 20 years in prison. When thinking about the severity of the consequences of noncompliance for corporations and corporate officers, we must remember that the intent, although arguably misguided, was to prevent occurrences such as those that happened at MCI and Enron—hence the stiff penalties for those at the top.


April 21, 2008

The Impact of Sarbanes-Oxley (SOX) Act on Information Security Governance

Filed under: article, implementation — admin @ 8:29 pm

What do you think about the impact of SOX implementation on infosec governance? Gurpreet Dhillon and Sushma Mishra from Virginia Commonwealth University, USA, said that SOX has created challenges and set new standards for IT governance in companies. To fully comply with the law, companies will need to improve information quality to ensure transparency and reliability. Investors (individual or institutional) are outsiders for the most part and can only rely on the good faith of corporate insiders for insight into the effectiveness of the companies. To protect such investors, SOX attempts to legislate ethics and integrity into the public management process.

Government’s determination to increase corporate responsibility has ushered in new legislation that impacts IT directly. With increased disclosures, new enforcement schemes, and an emphasis on corporate accountability, SOX delivers significant reforms and places significant demands on IT. The Sarbanes-Oxley Act has the potential to reshape the role of IT in business. The role of IT governance, within the broader context of corporate governance, demands new attention and effort on the part of executives, shareholders, and government.
