SarbanesOxleyFocus.com

May 11, 2008

How to create well-written policy statements

Filed under: article, implementation — admin @ 1:06 pm

The cornerstones of an effective information security program are well-written policy statements. They are the wellspring of all other directives, standards, procedures, guidelines, and supporting documents. As with any assessment process, it is important to ensure that policies establish the direction management wants to take with regard to security.

When reviewing policies, Thomas R. Peltier, in his book on managing a network vulnerability assessment, says it is necessary to remember that there are three general types of policies:

General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the organization. (more…)

April 27, 2008

Security issues in online mortgage and loan applications

Filed under: implementation — admin @ 8:26 pm

According to the Mortgage Bankers Association, online mortgage originations are expected to grow to $250 billion by 2003 from $4 billion in 1999 (although more recent estimates put that number much lower due to the economic turmoil in the technology sectors).

A number of companies have developed solutions suitable for this space, validating the need for PKI as an infrastructure to support the growing demand for online real estate transactions. Companies such as eVincible, LLC have created XML-based solutions (using PKI) that provide a mechanism for online form creation and signing. The XML format is generic, so archiving and later validation become easy. Software solutions that store and sign forms in a proprietary format (such as MS Word 6.0) will have trouble validating and/or viewing the document later if the original viewer (Word 6.0) is no longer available. Other companies have solutions tailored specifically to mortgages. For example, Ingeo, a Utah-based company, has solutions that allow online mortgages to be prepared and recorded. It even has an offering that allows electronic interfacing with government recording offices, all based on X.509 certificates. (more…)

April 21, 2008

The Impact of Sarbanes-Oxley (SOX) Act on Information Security Governance

Filed under: article, implementation — admin @ 8:29 pm

What do you think about the impact of SOX implementation on infosec governance? Gurpreet Dhillon and Sushma Mishra of Virginia Commonwealth University, USA, argue that SOX has created challenges and set new standards for IT governance in companies. To fully comply with the law, companies will need to improve information quality to ensure transparency and reliability. Investors (individual or institutional) are for the most part outsiders and can only rely on the good faith of corporate insiders for insight into the effectiveness of the companies. To protect such investors, SOX attempts to legislate ethics and integrity into the public management process.

The government's determination to increase corporate responsibility has ushered in new legislation that impacts IT directly. With increased disclosures, new enforcement schemes, and an emphasis on corporate accountability, SOX delivers significant reforms and places significant demands on IT. The Sarbanes-Oxley Act has the potential to reshape the role of IT in business. IT governance, within the broader context of corporate governance, demands new attention and effort on the part of executives, shareholders, and government. (more…)

April 13, 2008

Four approaches to IT risk for successful Sarbanes-Oxley implementation

Filed under: article, checklist, implementation — admin @ 7:55 am

There are many definitions of IT risk; below is the definition of IT risk from a Sarbanes-Oxley perspective. But first, note that every business venture is inherently risky. In new business ventures and new product development, there are unknown factors, and their impacts on the venture are equally unknown. The unknown factors could be favorable or unfavorable. There is a probability that one may either gain or lose. However, a loss may hurt the venture. Here are some of the definitions:

1. Risk is the probability of suffering loss.
A refinement of this definition is to include goals, gains, or opportunities in the statement. Perhaps it is implied and obvious that risks are connected with gains. Nevertheless, if risks are divorced from the associated goals, then one sees just a set of problems. A risk list should not be reduced to a problem list. Risks have a much broader role to play. (more…)

April 11, 2008

What is a Walkthrough?

Filed under: article, glossary, implementation — admin @ 8:52 pm

During Sarbanes-Oxley compliance work, the auditor should perform a walkthrough of internal controls. So what is a walkthrough? Michael Ramos, in his book on SOX implementation, explains that a walkthrough is basically a procedure in which the auditor traces a transaction from its origination through the company's information processing system, all the way to its reporting in the financial statements. Although inquiries of company personnel are a major component, a walkthrough is more than just inquiry. Think of a walkthrough as:

  • Corroborative inquiry, in which the auditor asks questions of client personnel and then obtains corroborating evidence to support their answers
  • A test of one, in which the auditor takes a single transaction and performs detailed procedures to test the operating effectiveness of the controls for processing that transaction

The company is not required to perform walkthrough procedures; however, it is in management’s best interests to do so.

Sometimes, the company’s documentation of its information processing stream does not match the reality of what actually happens on a daily basis. Companies that perform tests of controls based only on what has been documented often run into testing exceptions when they discover that documentation of the information stream and related controls was not accurate.

The walkthrough procedure allows the auditor to confirm their understanding of the key elements of the information processing stream and related controls before beginning detailed test work. The walkthrough can help the auditor evaluate the effectiveness of the design of internal control for each major transaction. While performing the walkthrough, the auditor may also obtain evidence about the operating effectiveness of controls.
