IT Governance, Risk, and Compliance


March 6, 2009  7:50 PM

Physical Token Protection – Part I

Robert Davis

Organizationally, information security normally is considered a program enabling and optimizing IT security services for the entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management that complies with applicable laws and regulations. Cascading from the generally accepted risk management goal of adequately addressing threats, opportunities, and weaknesses, a primary security risk assessment objective is to provide recommendations that maximize confidentiality, integrity and availability protection reflective of the operating environment, while sustaining usability and functionality. Though IT security advice generally focuses on enhancing data and information protection, equal attention should be given to the physical identification credentials utilized for accessing IT objects.

March 3, 2009  4:05 AM

Peer-to-Peer Networking – Part 2

Robert Davis

Maybe, experientially, the small branch office with a P2P network has escaped a security incident since deployment. Even so, a functional P2P network unintentionally presents itself as a potential target waiting for someone capable of pulling the threat trigger to introduce a potent security disaster. For instance, at the infrastructure level, attacks can originate from hackers taking advantage of a P2P-enabled application to assist spyware or malware in slipping past perimeter defenses and lodging in the background of user devices. In particular, a P2P agent utilized in communications software can include or hide spyware that collects information about the target system as well as the user, and then sends the compromised information to unauthorized individuals without the legitimate owner’s knowledge. High-Level Data Link Control, Frame Relay, and X.25 protocols have P2P communication modes that can be spyware enabled. Consequently, a P2P network should not be deployed unless effective compensating and mitigating security controls are implemented.

As operational baseline countermeasures to P2P risks, management should document and monitor P2P file-sharing technology to ensure that this capability is not utilized for unauthorized information distribution, display, processing, or reproduction. Furthermore, management should ensure the appropriate encryption is implemented to sustain an adequate telecommunications defense. Lastly, meticulous proactive security risk assessments of P2P networks can prevent inherent IT vulnerabilities from becoming threats requiring incident response resolution.


February 26, 2009  6:49 PM

Peer-to-Peer Networking – Part 1

Robert Davis

There are a variety of networking architectures available for deployment. Potential candidates include Peer-to-Peer, Client/Server and Master/Slave. However, Peer-to-Peer (P2P) architectures present unique governance issues to the information security manager when comparable network configurations are considered. Flawed implementations, poor legacy security standards, limited user awareness, as well as lax technical security and administrative practices can form especially lethal combinations that may decimate a positive assertion regarding P2P network access protection.

Focusing solely on access vulnerabilities, as most information security professionals are acutely aware, P2P is normally restricted to share-level security (also known as Password-Protected Share). Archetypical share-level assigned password security provisions two mutually exclusive access attributes (read-only and full) to a file, printer or other network object. Share-level security also normally lacks centralized access control capabilities. Specifically, a user ‘access matrix’ is usually absent from P2P architectures for granular authentication or authorization arbitration. Therefore, increased security risks are inherent with P2P deployment compared to other adoptable network configurations.


February 23, 2009  9:26 PM

Legal Compliance Alignment – Part IV

Robert Davis

When exploring links between national and international arenas, the information security manager will discover that international developments decisively impact national laws. Specifically, regional coalitions have enacted IAP-related edicts that subsequently were codified in national laws and regulations. Procedurally, most regional coalition IAP decrees are presented as directives to member nations for federal ratification. For this reason, with the assistance of legal counsel, it is strongly recommended that information security managers evaluate all relevant statutory and regulatory mandates in whatever jurisdictions the entity operates. Beneficially, assessing multiple legal compliance requirements together enables entity-centric standard practices for satisfying other expected behavior. Exercises in legal due care can also equip an entity to build a compliance culture where standardization is the norm, and conditionally produce an environment conducive to training employees in IAP.

Predictably, laws will continue to be enacted and the regulatory environment will become more complex as unacceptable conduct is remediated. Consequently, entities will continue to be compelled to demonstrate compliance with legal mandates – especially laws governing data retention and privacy – that can differ by hemisphere, country, province, county, city, as well as industry. In this increasingly complex regulatory environment, most entities should balance their focus on compliance imperatives without diminishing the anticipated quality of their response to governmental edicts.


February 19, 2009  8:47 PM

Legal Compliance Alignment – Part III

Robert Davis

There are numerous global, regional as well as national laws and regulations focusing on information assets protection (IAP) requiring professional consideration. In particular, at the global level, the World Intellectual Property Organization (WIPO) and World Trade Organization (WTO) have constructed legally binding derivative IAP agreements. While regionally, trans-border coalitions adopting or enacting IAP related laws include the Asia-Pacific Economic Co-operation (APEC), the Council of Europe (COE), the European Union (EU), the Organization of American States (OAS), and the Organization for Economic Cooperation and Development (OECD). Lastly, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the U.K. Data Protection Act, the U.S. Digital Millennium Copyright Act (DMCA), and the U.S. Federal Information Security Management Act (FISMA) are clear examples of IAP national legislation that may affect an entity’s control framework.


February 16, 2009  8:00 PM

Legal Compliance Alignment – Part II

Robert Davis

Simultaneous compliance with multiple laws and regulations can create unique challenges for most entities. Selectively, potential compliance hurdles include distinct internal management groups pursuing equivalent goals; diverse audit perspectives, priorities, and requirements; as well as confusion resulting from redundant controls. For instance, cross-compliance with the Foreign Corrupt Practices Act (FCPA), Sarbanes Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) may generate muddled responses regarding the importance of certain security controls for a U.S. based ‘publicly held’ corporation. To decrease potential negative effects of cross-compliance, management should seek assurance that relevant statutory, regulatory, and contractual requirements are adequately defined and documented for each information system.


February 12, 2009  10:22 PM

Legal Compliance Alignment – Part I

Robert Davis

Institutionalized information security governance defines the information assets safeguarding perimeter inside which an entity should operate. Whereas, legal compliance management ensures structural boundary segments are sturdy and the entity consistently fulfills its mission within externally imposed demarcation lines. Generally, determining an entity’s legal mandates exceeds the security function’s ambit. Nonetheless, overseeing the design, implementation and monitoring of applicable legal requirements is a security function imperative. Aligning information security governance with legal compliance management allows an entity to enhance cultural ethics while concurrently reducing judicial risks.


February 9, 2009  8:02 PM

How Does Management Support Deploying IT Governance?

Robert Davis

Depending on your abstraction level, IT governance can be viewed as a framework, methodology, or technique. As a framework, IT governance enables a “system of controls” assisting in assuring organizational goals and objectives are achieved effectively and efficiently. As a methodology, IT governance furnishes a description of the role entity direction and controls play in achieving information systems objectives. Lastly, as a technique, IT governance provides processes and steps that can generate superior financial and/or reputational returns for stakeholders.

If you view IT governance as a framework for assisting in organizational governance, then structurally, IT governance should be implemented as an organizational program with objectives, goals, policies, procedures, standards, and rules designed to accomplish management’s intentions. To drive controls, IT governance should subsequently receive ‘significant program’ status because other program results are directly impacted by IT governance effectiveness results — such as control self-assessment (CSA) and quality control (QC) programs. Furthermore, efficiency of controls should be obtained through models available to assist in deploying IT governance; including The Institute of Internal Auditors’ Systems Auditability and Control (SAC) framework and the Information Systems Audit and Control Association’s Control Objectives for Information and related Technology (COBIT) framework.

Alternatively, if you perceive IT governance as a description for achieving information systems objectives, the adopted IT governance methodology should provide management with a series of assessments defining control usefulness and control deployment — with IT governance effectiveness and efficiency directly related to the responsibility, accountability, and authority structure management demonstrates. Management usually is concerned with the cost of controls and the benefits that can be derived from controls deployment and utilization while achieving an entity’s strategic direction. Hence, understanding IT governance roles is considered key to managing information systems.

If, however, you assume IT governance provides financial and/or reputational benefits, potential stakeholders are presumed to rely upon governance elements prior to investing their time, talent, and/or money. Therefore, ascertaining IT objectives effectiveness and efficiency, through monitoring, is rudimentary to sound business practices for satisfying stakeholder expectations. In this regard, effectiveness and efficiency evaluation requires measurement against established standards. The performance measures should be established when standards are created or adopted. Techniques utilized for IT governance implementation include capability maturity modeling, budgeting, benchmarking, and gap analysis. Supporting the belief that IT governance is a financial enhancement technique, the Center for Information Systems Research (CISR) has suggested that organizations with exceptional IT governance have higher profits than organizations with inferior governance, given the same strategic objective. Based on financial opportunity, with an organization’s reputation enhanced through demonstrated profitability when employing IT governance, new stakeholders may be attracted to the organization as a corollary benefit.

Whatever your perspective may be, the importance of effective and efficient IT governance cannot be overlooked in the current global high technology environment. Considering what is at stake politically, economically and technically for most organizations, justifying IT governance deployment based on one viewpoint usually narrows suitability and expected benefits. In the final analysis, combining the discussed individual abstraction levels may be the most appropriate support for implementing IT governance.


February 5, 2009  9:38 PM

Access Control Convergence – Part 2

Robert Davis

Integrated policies improving access control are needed to increase safeguarding capabilities. Furthermore, due to technological and operational diversity, it is critical to have standard processes to control access that will permit economies of scale. Potential candidates for access control convergence include Tokens, Biometrics, Smart Cards and Tracking Systems. When physical and logical penetration protection mechanisms are converged under a unified access control policy, the resulting combination can operate as a baseline, customized to redress entity-centric needs for effective threat countermeasures. Beneficially, regarding operational complexity, access control convergence can simplify security administration. To enable organizational coexistence with technological convergences, an entity’s security function should assume responsibility for implementing and sustaining blended physical and logical controls.

Physical information security is a critical aspect to adequate perimeter and interior controls. Yet, physical controls alone cannot ensure that information assets are protected. For this reason, it is important to establish logical security controls that rebuff information confidentiality, integrity, and availability threats. Both control types should have as their primary objective appropriate asset protection, particularly information in electronic form. Consequently, where feasible, entities should deploy cost-effective processes for protecting the network infrastructure through converged physical and logical security controls.


February 2, 2009  7:38 PM

Access Control Convergence – Part 1

Robert Davis

Computer technology continues to advance toward a tiered decentralized world of distributed platforms for entering, processing, and retrieving information. Technological implementations are diverse and complex; however, all IT deployments should be protected from unauthorized usage utilizing suitable information asset access controls. Given IT interconnectivity, entities should also protect information assets from unauthorized manipulation to safeguard investments from risks associated with resource misuse. Consequently, information assets access control is typically viewed from two abstraction perspectives: physical and logical security.

Physical security provides tangible assets protection whether an item is at rest or in transit. Sub-categorically, information physical security involves reducing technological vulnerabilities, usually by limiting access to the buildings and rooms where information assets are housed, or by installing mechanical locks on devices. However, physical access controls should address not only the area containing hardware, but also wiring locations utilized to connect system elements, supporting services, backup media, and other items required for IT operational effectiveness.

Distinctively, logical security focuses on safeguarding intangible assets whether data is at rest or in transit. Logical access controls are the manual and electronic policies, procedures, and organizational structures deployed to safeguard symbolic objects. Essential elements for adequate logical access control are identification, authentication, authorization, and accountability.
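The two models contrasted across these posts, as an added example that is not part of the original blog: the share-level (password-protected share) security that Peer-to-Peer Networking – Part 1 describes, where a password grants one of two mutually exclusive attributes and no user identity is involved, placed beside a centralized user/object access matrix that supplies the four elements Access Control Convergence – Part 1 names for logical access control (identification, authentication, authorization, accountability). The share name, user names, passwords, object name and rights are constructed for illustration; the password hashing and audit list are this example's own design choices, not anything the posts prescribe.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither model stores a clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class ShareLevelShare:
    """Share-level security as the P2P post describes it: one password yields
    'read-only', another yields 'full'. The caller never identifies itself,
    so the share cannot distinguish two users holding the same password."""

    def __init__(self, name: str, read_only_password: str, full_password: str):
        self.name = name
        self._salt = os.urandom(16)
        self._hashes = {
            "read-only": _hash_password(read_only_password, self._salt),
            "full": _hash_password(full_password, self._salt),
        }

    def access_level(self, password: str):
        """Return 'full', 'read-only' or None. No principal is recorded."""
        candidate = _hash_password(password, self._salt)
        for level in ("full", "read-only"):
            if hmac.compare_digest(self._hashes[level], candidate):
                return level
        return None


class AccessMatrix:
    """Centralized (user, object) -> rights matrix: identification (user name),
    authentication (per-user password), authorization (matrix lookup) and
    accountability (an audit record for every decision)."""

    def __init__(self):
        self._credentials = {}  # user -> (salt, hash)
        self._matrix = {}       # (user, object) -> frozenset of rights
        self.audit = []         # accountability: one tuple per decision

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._credentials[user] = (salt, _hash_password(password, salt))

    def grant(self, user: str, obj: str, rights) -> None:
        self._matrix[(user, obj)] = frozenset(rights)

    def revoke_user(self, user: str) -> None:
        """Central revocation: one operation removes every right the user held.
        A share-level share would instead need a new password issued to everyone."""
        self._credentials.pop(user, None)
        for key in [k for k in self._matrix if k[0] == user]:
            del self._matrix[key]

    def _authenticate(self, user: str, password: str) -> bool:
        entry = self._credentials.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def request(self, user: str, password: str, obj: str, right: str) -> bool:
        """Identify, authenticate, authorize, and record the outcome."""
        if not self._authenticate(user, password):
            self.audit.append((user, obj, right, "denied: authentication"))
            return False
        allowed = right in self._matrix.get((user, obj), frozenset())
        verdict = "allowed" if allowed else "denied: authorization"
        self.audit.append((user, obj, right, verdict))
        return allowed


def demo() -> dict:
    """Exercise both models on constructed data and return the decisions."""
    share = ShareLevelShare("payroll", read_only_password="view-only",
                            full_password="all-access")
    matrix = AccessMatrix()
    matrix.add_user("alice", "alice-pw")
    matrix.add_user("bob", "bob-pw")
    matrix.grant("alice", "payroll.xlsx", {"read", "write"})
    matrix.grant("bob", "payroll.xlsx", {"read"})
    results = {
        "share_full": share.access_level("all-access"),
        "share_ro": share.access_level("view-only"),
        "share_bad": share.access_level("guess"),
        "bob_read": matrix.request("bob", "bob-pw", "payroll.xlsx", "read"),
        "bob_write": matrix.request("bob", "bob-pw", "payroll.xlsx", "write"),
        "bob_badpw": matrix.request("bob", "wrong", "payroll.xlsx", "read"),
        "alice_write": matrix.request("alice", "alice-pw", "payroll.xlsx", "write"),
    }
    matrix.revoke_user("bob")  # only bob loses access; alice is untouched
    results["bob_after_revoke"] = matrix.request("bob", "bob-pw", "payroll.xlsx", "read")
    results["alice_after_revoke"] = matrix.request("alice", "alice-pw", "payroll.xlsx", "read")
    results["audit_entries"] = len(matrix.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the two posts make shows up in the results: the share-level object answers only "which attribute does this password unlock", so it can neither tell who used the password nor revoke one person without re-issuing the password to all; the matrix answers per user and per object, and its audit list is what lets an investigator reconstruct who requested what.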

