IT Governance, Risk, and Compliance


February 9, 2013  5:48 PM

Wikipedia: An assessment from a user’s perspective – Part III

Robert Davis

As conveyed by TechTarget.com, “Identity management (ID management) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity.” In this area, based on my experience, Wikipedia software does not provide adequate mechanisms for user accountability as presented in a position paper by OneName Corporation’s Requirements for a Global Identity Management Service. Specifically, it appears there is no password synchronization defining the one-to-many correspondence that may exist between a user and authorized accounts.

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Hanson, R. (2011, October 13). The Art of Dis-Connecting: Social Networking Risk Management. Presentation to the ISACA Perth Chapter. Converted PDF formatted material available at: www.isaca.org/chapters2/Perth/Documents/Social%20Networking%20Session%20-%20Rob%20Hanson.pdf

Singleton, T. (2012). What Every IT Auditor Should Know About Auditing Social Media. ISACA Journal, 5. Retrieved from: http://www.isaca.org/Journal/Past-Issues/2012/Volume-5/Pages/What-Every-IT-Auditor-Should-Know-About-Auditing-Social-Media.aspx

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrieved from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-management

February 7, 2013  2:55 AM

Wikipedia: An assessment from a user’s perspective – Part II

Robert Davis

Following the framework outlined in IT Auditing: An Adaptive System, a critical aspect of an IT assessment is the identification of related risks. Though Wikipedia Project Administrators commonly disavow that their Internet endeavors are based on a Social Networking System (SNS), their activities appear to fit within an academically accepted definition of Social Media. Thus, there are application-inherent risks. “These risk areas are similar to those brought about by other IT, such as inefficiency, wasted investment, insufficient effectiveness and lost opportunity. But, it also has some unique risk areas, including public image damage created by negative comments and postings in social media venues.” Consequently, my first identified weakness was recorded on August 21, 2012, concerning the integrity sub-domain of identity management.

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Hanson, R. (2011, October 13). The Art of Dis-Connecting: Social Networking Risk Management. Presentation to the ISACA Perth Chapter. Converted PDF formatted material available at: www.isaca.org/chapters2/Perth/Documents/Social%20Networking%20Session%20-%20Rob%20Hanson.pdf

Singleton, T. (2012). What Every IT Auditor Should Know About Auditing Social Media. ISACA Journal, 5. Retrieved from: http://www.isaca.org/Journal/Past-Issues/2012/Volume-5/Pages/What-Every-IT-Auditor-Should-Know-About-Auditing-Social-Media.aspx

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrieved from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-management


February 1, 2013  11:31 PM

Wikipedia: An assessment from a user’s perspective – Part I

Robert Davis

There has been a fair amount of discussion over the last few years regarding Wikipedia. As an educator as well as a professional writer, my curiosity was piqued on August 21, 2012. So in order to address my concerns objectively, I established a user account to investigate if Wikipedia meets generally accepted criteria for information as produced through their open-source technology.

In conjunction, as a recognized leading compliance expert and specialist, I decided the best approach to this controversial issue would be to apply The Davis Adaptive IT Auditing System. Thus, the ambit of my assistive technology assessment is:

  • Confidentiality as epitomized by the preservation of authorized as well as unauthorized restrictions addressing information access and disclosure.
  • Integrity as represented by protection against improper information modification or destruction.
  • Availability as ensuring timely and reliable information access and use.
  • Effectiveness addressing the accomplishment of stated objectives.
  • Efficiency dealing with the accomplishment of stated objectives economically.
  • Compliance with stated policies and procedures.
  • Reliability as the capability to maintain a specified acceptable level of performance under stated conditions. Minimally, information contained within technology can be considered reliable when completeness, accuracy and validity attributes are independently verifiable as well as user neutral.

Sources:

Boritz, Efrin J. IS Practitioners’ Views on Core Concepts of Information Integrity. Rev. ed. Ontario: University of Waterloo, 2004.


January 31, 2013  2:33 AM

eBook excerpt: Assuring Information Security – Part XV

Robert Davis

Usually, it is easier to purchase an IT solution addressing IAP than to change a culture. However, even the most secure system will not achieve a significant degree of protection if utilized by “ill-informed, untrained, careless or indifferent personnel.” A well-structured information security function, staffed with appropriately qualified individuals, forms the foundation for high-quality performance and is the basis for providing positive IAP assurance to interested parties.

* * * * *

Post Note: Assuring Information Security may be previewed at the following webpages:

http://www.amazon.com/Assuring-Information-Security-Assurance-ebook/dp/B008CKIIW2

https://itunes.apple.com/us/book/assuring-information-security/id595544134?mt=11

http://www.smashwords.com/books/view/177753

http://www.diesel-ebooks.com/item/SW00000177753/Davis-Robert-E.-Assuring-Information-Security/1.html

http://www.kobobooks.com/ebook/Assuring-Information-Security/book-AYSytKvQ1kmC309Q-dL5Qg/page1.html?s=qoyo_k_kHECzPG2dJeKZBA&r=8


January 26, 2013  1:02 AM

eBook excerpt: Assuring Information Security – Part XIV

Robert Davis

With respect to IAP, the information security function should:

  • establish processes for provisioning user accounts
  • ensure all entity positions are reviewed for sensitivity level
  • document procedures for friendly and unfriendly terminations
  • install mechanisms for holding users responsible for their actions
  • verify user access is restricted to information assets consistent with ‘least privilege’ principles
  • retain signed human resources statements documenting appropriate background screenings for the positions in which individuals are employed
  • monitor whether crucial functions are divided among different individuals to disable the necessary authority or access that could result in irregularities or illegal acts
  • evaluate whether crucial functions are divided among different individuals to disable the necessary authority or access that could result in irregularities or illegal acts
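An access-review check covering three of the items above (holding users responsible for their actions, least privilege, and division of crucial functions), and the Part III point that one person may hold many accounts. This is an added illustration, not code from the book or the blog; the role baseline, the conflicting-duty pairs and the account records are constructed sample data.

```python
"""Access-review check: accountability (every account maps to a known person),
least privilege (entitlements stay within the role baseline) and segregation
of duties (no person holds both halves of a conflicting pair, counted across
all of that person's accounts)."""
from collections import defaultdict

# Constructed sample data for this example (not from any real entity).
ROLE_BASELINE = {
    "clerk": {"ap.invoice.create", "ap.invoice.view"},
    "approver": {"ap.invoice.approve", "ap.invoice.view"},
    "auditor": {"ap.invoice.view", "ap.log.view"},
}
SOD_CONFLICTS = [("ap.invoice.create", "ap.invoice.approve"),
                 ("ap.invoice.approve", "ap.payment.release")]
ACCOUNTS = [
    {"account": "jsmith", "person": "Jane Smith", "role": "clerk",
     "entitlements": {"ap.invoice.create", "ap.invoice.view"}},
    {"account": "jsmith-adm", "person": "Jane Smith", "role": "approver",
     "entitlements": {"ap.invoice.approve", "ap.invoice.view"}},
    {"account": "svc_batch", "person": None, "role": "clerk",
     "entitlements": {"ap.invoice.create", "ap.payment.release"}},
]


def review_accounts(accounts, baseline, conflicts):
    """Return a list of (subject, finding) tuples; subject is an account
    name for accountability/least-privilege findings and a person for SoD."""
    findings = []
    per_person = defaultdict(set)  # person -> union of entitlements
    for acct in accounts:
        name, person = acct["account"], acct["person"]
        if person is None:
            findings.append((name, "no accountable owner"))
        excess = acct["entitlements"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((name, "exceeds role baseline: " + ", ".join(sorted(excess))))
        # Ownerless accounts are tracked under their own name so a conflict
        # inside a single unowned account is still reported.
        per_person[person or name] |= acct["entitlements"]
    # SoD is checked per person, not per account: the one-to-many
    # person/account relationship lets conflicting rights be split across accounts.
    for holder, ents in per_person.items():
        for a, b in conflicts:
            if a in ents and b in ents:
                findings.append((holder, f"segregation-of-duties conflict: {a} + {b}"))
    return findings


if __name__ == "__main__":
    for subject, finding in review_accounts(ACCOUNTS, ROLE_BASELINE, SOD_CONFLICTS):
        print(f"{subject}: {finding}")
```

With the sample data, the two Jane Smith accounts each pass the baseline check on their own, yet together they give one person both invoice creation and approval, which is why the conflict check must union entitlements per person.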


January 24, 2013  1:54 AM

eBook excerpt: Assuring Information Security – Part XIII

Robert Davis

1.3 Entity Employees

“The first line of defense from insider threats is the employees themselves.” – Software Engineering Institute (SEI)

Stakeholders expect managerial personnel to run the entity in accordance with accepted business practices, while maintaining compliance with applicable laws and regulations.  An appropriate managerial tone should be established and communicated throughout the entity, including explicit moral guidance regarding expected behavior.  For IAP, the onus certainly resides with the entity to take adequate precautions when employing individuals and to ensure that, regardless of motive, individuals are reasonably prevented from abusing IT resources.


January 19, 2013  4:35 PM

eBook excerpt: Assuring Information Security – Part XII

Robert Davis

If management views an IAP program as a methodology for achieving information systems goals and objectives, the adopted processes can enable a series of assessments defining control usefulness and control deployment, while conjunctively correlating effectiveness and efficiency directly linked to managerial and employee responsibility, accountability, and authority. Beneficially, regarding an entity’s direction and purpose, when responsibility, accountability, and authority are properly tailored, communication efficiency is improved through reductions in entropy and misunderstanding. Furthermore, management’s monitoring of deployed IAP controls assists in ensuring the established fiduciary relationship with stakeholders is fulfilled. As an entity-integrated resource, IT should be deployed as managerially required and with a sufficient level of formality, coverage, and control completeness to allow IAP monitoring.


January 17, 2013  12:01 AM

eBook excerpt: Assuring Information Security – Part XI

Robert Davis

Roles and responsibilities assignment for providing adequate IAP is typically considered critical to effective and efficient IT security.  However, depending on the entity, IAP management roles and responsibilities may focus solely on IT security or IT and business security.  Roles and responsibilities define relationships among individuals within the entity and have a major impact on control objective achievement.  IAP management responsibilities commonly include:

  • Planning – The security manager should assist in setting objectives and in establishing specific achievable operational goals to accomplish these objectives (Action Plan).  Furthermore, management should evaluate the operational goals selected (Goal Achievement Indicators) and the techniques considered necessary to achieve them (Performance Achievement Indicators).
  • Organizing – The security manager should acquire and manage resources reflective of the entity’s control environment.  To enable available resources integration requires knowledge of the entity’s organizational structures, strategies, systems, skills, personnel, super-ordinate goals and styles.
  • Coordinating – Human resources are normally required to achieve personnel goals and objectives enabling expected job performance.  However, the best planning, organizing, directing and controlling will avail nothing unless capable and sufficient personnel are applied to tasks through a security manager’s active participation in employment practices.
  • Directing – A security manager’s responsibility is to be proactive, not just simply reactive, regarding information security.  Additionally, a security manager should create and maintain communications and sustain assigned personnel momentum toward defined goals achievement within the entity’s control environment.
  • Controlling – Normally the security manager is responsible for security controls establishment, measurement systems, and performance appraisals.  The security manager’s options for control emphasis mixture range between dynamic resources redirection and fine tuning organizational processes.


January 12, 2013  5:59 PM

eBook excerpt: Assuring Information Security – Part X

Robert Davis

Classically, managers are individuals assigned to and functioning at various responsibility, accountability, and authority levels.  Top-level managers are usually responsible for overall entity direction, accountable to stakeholders, and have the authority to establish measurable and achievable high-level goals ensuring adopted high-level objectives attainment.  Middle-level managers are responsible and accountable for programs or activities coordination.  Simultaneously, these managers are accountable upward regarding entity goals and objectives achievement, and responsible downward as top-level management representatives.  At the lower level management spectrum, managers are generally considered supervisors.  Supervisors are usually responsible for daily operations as well as direct interaction with assigned employees for creating, sustaining, or terminating processes.  Furthermore, supervisors are normally accountable to middle-level management for assigned responsibilities.


January 10, 2013  3:33 AM

eBook excerpt: Assuring Information Security – Part IX

Robert Davis

In fulfilling addressable COBIT information criteria, an IAP program should include processes and steps for assessing tangible as well as intangible property.  The distinction between tangible and intangible is the physical nature of the property.  Properties having a physical existence — such as buildings and fire extinguishers — are tangible; and properties having no physical existence — such as patent rights and computer programs — are intangible.  Acquired or created information, with ownership rights, should be classified as an intangible asset.  Intangible assets may have explicit or implicit legal protection and retention mandates imposed by governmental entities.  Thus, as with other intangible assets, an entity’s management should provide adequate safeguards to preserve information value as well as comply with applicable information related laws, regulations and standards to fulfill their fiduciary responsibilities.  Consequently, roles for information value delivery and support should be clearly documented for accountability determination.

