IT Governance, Risk, and Compliance

July 23, 2009  4:53 PM

Critical Incident Response Elements – Part I

Robert Davis Robert Davis Profile: Robert Davis

Information technology is completely secure when resources are utilized and accessed as intended under all circumstances. Through delegation, every entity manager assumes responsibility for maintaining an adequate control system that safeguards assets. However, information security managers are typically charged with responding to intrusions negatively impacting organizational information assets. Thus, security incursions transform information security managers into chief threat firefighters directing resources to extinguish security breach flames. To competently perform this security service, two critical incident response elements are necessary: information and organization.

July 20, 2009  7:28 PM

Biometric Technology – Part IV

Robert Davis Robert Davis Profile: Robert Davis

Technology attacks and attendant security compromises are never easily managed. Parallel to the ingenuity of attackers and proportional to the value placed on entrusted information assets, effective security access controls are imperative. Given the current accuracy of automated user identification and authentication processes, no single security system should ever be promoted as infallible. However, there is sufficient merit in most available biometric systems to warrant deployment consideration for information assets protection. Coupled with other access restriction techniques, biometric technology systems can be a formidable deterrent to unauthorized activities that may disable an entity’s information security infrastructure.

“View Part I of the Biometric Technology series here

July 16, 2009  8:31 PM

Biometric Technology – Part III

Robert Davis Robert Davis Profile: Robert Davis

Through the identification or authentication process, decisions are made regarding access. Typically, biometric identification supports physical access controls, while biometric authentication supports logical access controls. With reliance on biometrics for asset protection, security managers must accept humanness features are dynamic, yet reproducible. Consequently, it is difficult to find a single perfect access security system employing physical and/or behavioral traits.

Voices change over time or under abnormal conditions and can be modulated. Handprints can be altered — by a cut or bruise — as well as replicated. Even eyes and ears can undergo biological transformation from one day to the next. Furthermore, behaviors can be affected by emotional or fatigue states. Thus, biometric systems developed for identifying and/or authenticating authorized users that eliminate all potential errors can be prohibitively time-consuming and expensive, especially in high-traffic areas.

“View Part I of the Biometric Technology series here

July 13, 2009  6:25 PM

Biometric Technology – Part II

Robert Davis Robert Davis Profile: Robert Davis

Most information security practitioners accept biometrics as the science employing distinctive human attributes to discern access right validity. Specifically, imparting the Information Systems Audit and Control Association’s definition, biometrics is the process for identifying or authenticating a living person’s identity based on physiological or behavioral characteristics. Delineated, biometrics identification usually involves a one-to-many individual characteristics search utilizing linked data repositories; whereas biometric authentication entails establishing a one-to-one relationship verifying the claim to an identity made by an individual.

“View Part I of the Biometric Technology series here

July 9, 2009  8:20 PM

Biometric Technology – Part I

Robert Davis Robert Davis Profile: Robert Davis

As technological advancements are increasingly immersed in routine human endeavors, few security professionals doubt the criticality for parallel and proportional achievements in information asset protection mechanisms to defend against threats from individuals or groups chasing infamy dreams. Contextually, those engaged in nefarious IT activities vigorously pursue stardom elevation by orchestrating information security attacks that render barriers to obtaining or affecting a targeted object impotent. When an information asset is deemed valuable, authorization through a single access scheme appears woefully inadequate compared to the estimated number of ‘hackers’ or ‘crackers’ probing IT operational defenses. Predictively, considering published organizational information security incidents, two or more authentication factors will inevitably become the security deployment norm, with one architectural authentication factor relying on a biometrically based process; unless superior alternative access control remedies are devised.

July 6, 2009  7:02 PM

Trans-border Communication Protection – Part IV

Robert Davis Robert Davis Profile: Robert Davis

The primary distinguishing feature between IPSec and SSL is their respective OSI reference model protocol communication tier levels. IPSec operates at the network layer of the OSI reference model while SSL operates at the transport layer. Protection mechanism utilization should be determined by information sensitivity. IPSec or SSL can be combined with a VPN to limit data interception, manipulation, and redirection. Standards exist for encryption systems, such as SSL and IPSec, which ensure compatibility among various hardware and software platforms. Comparatively, regarding trans-border privacy issues, SSL VPN can be considered a viable alternative to stand-alone IPSec deployment.

“View Part I of the Trans-border Communication Protection series here

July 2, 2009  8:12 PM

Trans-border Communication Protection – Part III

Robert Davis Robert Davis Profile: Robert Davis

Generally, a VPN is recognized as a confidential data plexus that employs the public telecommunication infrastructure while maintaining privacy through the utilization of a tunneling protocol and security procedures. A VPN can provide remote offices and telecommuters with secure access to the connected local or wide area networks. When a VPN is introduced to the secure protocol privacy protection equation, IPSec and SSL technologies require mobile users to deploy client software on specific computers for utilization enablement.

Concerning secure access, virtual private networking requires a carrier as well as encapsulating protocol to provide tunneling functionality. Therefore, encryption, authentication, and data packaging usually are incorporated in a SSL VPN. Furthermore, below the OSI transport layer, a VPN can provide additional privacy data protection. This has many manifestations, the most popular being IPSec, typically implemented as a protected ‘tunnel’ between two gateway routers. An IPSec ‘vanilla’ VPN only uses the Encapsulating Security Payload (ESP) header record. However, ESP protects against IT communication eavesdropping, forgery, or replay risks.

“View Part I of the Trans-border Communication Protection series here

June 29, 2009  6:52 PM

Trans-border Communication Protection – Part II

Robert Davis Robert Davis Profile: Robert Davis

SSL is a protocol suite enabling in transit security through data encryption, server authentication, and message integrity at four Open Systems Interconnection (OSI) reference model layers. For Internet communications, SSL is normally utilized in conjunction with an entity’s public key infrastructure. Commonly, when the trans-border privacy breach risk is low, the Hyper Text Transfer Protocol Security service is employed with SSL encryption to protect sensitive web packets. Beneficially, where SSL is integrated for required privacy related communication, applications no longer need to implement secure connectivity. Nevertheless, security managers should not interpret SSL deployment as the ‘bullet-proof’ technology that completely defers application communication privacy issues. Specifically, SSL should initiate deployment caution when utilized for mutual application authentication, since there are two different session keys seeking connectivity authorization during bidirectional interfaces. Consequently, each key should be verified before transmitting legally protected data.

Alternatively, IPSec is a protocol suite that enables security at five OSI reference model layers during internetworking communications. The IPSec model is an architecture composed of standard rules for protecting Internet Protocol traffic. These standard rules can be incorporated into transport and tunnel mode encapsulation. Tunnel mode provides two additional header records for sending messages, thus requiring more processing. Neither the application nor the stacking protocol needs to be cryptographically aware, since all designated traffic is encrypted regardless of origin within the entity’s information security perimeter. Possible IPSec issues are network device computational and/or bandwidth overhead.

“View Part I of the Trans-border Communication Protection series here

June 25, 2009  7:43 PM

Trans-border Communication Protection – Part I

Robert Davis Robert Davis Profile: Robert Davis

Legal compliance with local, national and regional privacy requirements is complex and dynamic. Every problem on the local level compounds exponentially when private data is shared across multiple jurisdictions. What data is private, who possess particular data and what laws and regulations apply are by no means transparent. Trans-border communication privacy risks may emanate from sources presumed technologically secure, including the entity’s network architecture and/or application programs. Realization of how vulnerable data is in transit has spurred various, yet unique, technological communication protection solutions. The Internet Protocol Security (IPSec) and Secure Socket Layer (SSL) protocols are two well-known configuration items redressing privacy compliance mandates during information conveyance. However, in-depth security considerations can necessitate transporting messages within a Virtual Private Network (VPN).

June 22, 2009  8:41 PM

Application Protection – Part IV

Robert Davis Robert Davis Profile: Robert Davis

The FCPA impacts IT control requirements of U.S. publicly held enterprises. Section 78m (b), in particular, documents the legislative rules and compliance requirements of internal control evaluation reporting with regard to management’s assessment of internal controls. Section 78m (b) (2) through (5) applies to Securities Exchange Act of 1934 filers. Therefore, the FCPA can affect an organization’s internal control environment by indirectly imposing management’s assurance of an adequate IT control environment with adequate information protection. Based on the Public Company Accounting Oversight Board’s interpretation, the SOX IT control parameter, in effect, is the same as that of the FCPA. Therefore, U.S. Securities Exchange Act of 1934 filers may not be aware of FCPA legal requirements — yet, they should have been performing the necessary FCPA control self-assessments and remedial actions since 1977. Similarly, European Union, OAS, and OECD member countries should be engaging in control self-assessments and remediation of internal accounting controls as they relate to safeguarding information assets to ensure compliance with legal mandates.

“View Part I of the Application Protection series here

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: