IT Governance, Risk, and Compliance » Control System

Wikipedia: An assessment from a user’s perspective – Part VI

Robert Davis — Thu, 21 Feb 2013 04:11:43 +0000

Based on my careful analysis of the factors associated with information reliability, there is a medium-to-high inherent risk of a researcher conveying unreliable information through citing Wikipedia material due to inadequate identity management issues. Contextually, according to About.com, “In most cases, you should stay away from Internet information that doesn’t list an author… If the author is named, you will want to find his/her web page to:
• Verify educational credits
• Discover if the writer is either published in a scholarly journal
• Verify that the writer is employed by a research institution or university”

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Davis, Robert E. (2008). IT Auditing: Assuring Information Assets Protection. Mission Viejo: Pleier. CD-ROM.

Fleming, Grace (2012), “Internet Research Tips: Finding Reliable Internet Sources,” About.com, < http://homeworktips.about.com/od/researchandreference/a/internet.htm >, accessed September 17, 2012.

KnowThis.com, “Research Validity and Reliability,” < http://www.knowthis.com/principles-of-marketing-tutorials/marketing-research/research-validity-and-reliability/ >, accessed September 17, 2012.

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-ma…

U.S. GAO. (2002). Assessing the Reliability of Computer-Processed Data. Rev. ed. Washington, D.C.: Government Printing Office.

Wikipedia: An assessment from a user’s perspective – Part V

Robert Davis — Sun, 17 Feb 2013 00:02:15 +0000

To provide an appropriate answer to this foundational question regarding Wikipedia an assessor must take into consideration the primary traits of reliability. Therefore, as previously stated in Wikipedia: An assessment from a user’s perspective – part 1 as well as documented in IT Auditing: Assuring Information Assets Protection, minimally, information contained within technology can be considered reliable when completeness, accuracy and validity attributes are independently verifiable as well as user neutral. In other words, information reliability requires representational faithfulness to ensure assertions and supporting purported events are in agreement.

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Davis, Robert E. (2008). IT Auditing: Assuring Information Assets Protection. Mission Viejo: Pleier. CD-ROM.

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-ma…

U.S. GAO. (2002). Assessing the Reliability of Computer-Processed Data. Rev. ed. Washington, D.C.: Government Printing Office.

Wikipedia: An assessment from a user’s perspective – Part IV

Robert Davis — Thu, 14 Feb 2013 13:45:50 +0000

Wikipedia is often been presented as a great research resource; however it is also a public forum, where any authorized user can make a declaration or an assertion. “If you find an article that provides relevant information for your research topic, you should take care to investigate the source to make sure it is valid and reliable. [Academically, this] is an essential step in maintaining sound research ethics.” Thus, an important question concerning any published work classified as encyclopedic material is: How valid and reliable is documented information?

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Davis, Robert E. (2008). IT Auditing: Assuring Information Assets Protection. Mission Viejo: Pleier. CD-ROM.

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-ma…

U.S. GAO. (2002). Assessing the Reliability of Computer-Processed Data. Rev. ed. Washington, D.C.: Government Printing Office.

Wikipedia: An assessment from a user’s perspective – Part III

Robert Davis — Sat, 09 Feb 2013 17:48:10 +0000

As conveyed by TechTarget.com, “Identity management (ID management) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity.” In this area, based on my experience, Wikipedia software does not provide adequate mechanisms for user accountability as presented in a position paper by OneName Corporation’s Requirements for a Global Identity Management Service. Specifically, it appears there is no password synchronization defining the one-to-many correspondence that may exist between a user and authorized accounts.

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Hanson, R. (2011, October 13). The Art of Dis-Connecting: Social Networking Risk Management. Presentation to the ISACA Perth Chapter. Converted PDF formatted material available at: www.isaca.org/chapters2/Perth/Documents/Social%20Networking%20Session%20-%20Rob%20Hanson.pdf

Singleton, T. (2012). What Every IT Auditor Should Know About Auditing Social Media. ISACA Journal, 5. Retrived from: http://www.isaca.org/Journal/Past-Issues/2012/Volume-5/Pages/What-Every-IT-Auditor-Should-Know-About-Auditing-Social-Media.aspx

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-management

Wikipedia: An assessment from a user’s perspective – Part II

Robert Davis — Thu, 07 Feb 2013 02:55:57 +0000

Following the framework outlined in IT Auditing: An Adaptive System, a critical aspect of an IT assessment is the identification of related risks. Though Wikipedia Project Administrators commonly disavow their Internet endeavors are based on a Social Networking System (SNS), their activities appear to fit within an academically accepted definition of Social Media. Thus, there are application inherent risks. “These risk areas are similar to those brought about by other IT, such as inefficiency, wasted investment, insufficient effectiveness and lost opportunity. But, it also has some unique risk areas, including public image damage created by negative comments and postings in social media venues.” Consequently, my first identified weakness was recorded on August 21, 2012 concerning the integrity sub-domain of identity management.

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-management

Wikipedia: An assessment from a user’s perspective – Part I

Robert Davis — Fri, 01 Feb 2013 23:31:51 +0000

There has been a fair amount of discussion over the last few years regarding Wikipedia. As an educator as well as a professional writer my curiosity peaked on August 21, 2012. So in order to address my concerns objectively, I established a user account to investigate if Wikipedia meets generally accepted criteria for information as produced through their open-source technology.

In conjunction, as a recognized leading compliance expert and specialist, I decided the best approach to this controversial issue would be to apply The Davis Adaptive IT Auditing System. Thus, the ambit of my assistive technology assessment is:

Confidentiality as epitomized by the preserving of authorized as well as unauthorized restrictions addressing information access and disclosure.
Integrity as represented by protection against improper information modification or destruction.
Availability reflecting ensuring timely and reliable information access and use.
Effectiveness addressing the accomplishment of stated objectives.
Efficiency dealing with the accomplishment of stated objectives economically.
Compliance with stated policies and procedures.
Reliability as the capability to maintain a specified acceptable level of performance under stated conditions. Minimally, information contained within technology can be considered reliable when completeness, accuracy and validity attributes are independently verifiable as well as user neutral.

Sources:

Boritz, Efrin J. IS Practitioners’ Views on Core Concepts of Information Integrity. Rev. ed. Ontario: University of Waterloo, 2004.

Right-sizing IT Controls – Part VIII

Robert Davis — Tue, 03 May 2011 21:33:49 +0000

Deploying key IT governance practices enhance an entity’s ability to meet control objectives for cost, functionality, and quality. Yet, regardless of the IT control techniques and automated tools available, the best possible means of regulating entity activity is, and always has been, selection of high-quality employees that value ethical conduct. If entities are organizational formations providing good people a place to work, then the best path to right-sizing IT controls is supplying diligent subordinates with justified resources needed to achieve their specific IT control goals.

“View Part I of the Right-sizing IT Controls series here“

Right-sizing IT Controls – Part VII

Robert Davis — Fri, 29 Apr 2011 20:28:08 +0000

An entity’s controlling and monitoring activities should reflect management’s strategy for ensuring an adequate IT control system. Consequently, IT policies, directives, standards, procedures, and rules should have a one-to-one or one-to-many correspondence with the assessed effectiveness and efficiency in addressing managements risk appetite. Within this context, IT control policies and directives are commonly considered high-level governance documentation while standards, procedures, and rules are commonly considered detail-level governance documentation. Since IT managers plan, direct, and support technology deployments; an IT manager’s duties should include establishing departmental policies, procedures, and standards for ensuring the right-sizing of IT controls.

“View Part I of the Right-sizing IT Controls series here“

Compliance through Automation: Continuous Monitoring – Part VIII

Robert Davis — Mon, 18 Oct 2010 12:48:21 +0000

Since management is responsible for the entity’s controls, they should have the means to determine, on an ongoing basis, whether selected controls are operating as designed. Continuous monitoring typically addresses management’s responsibility to assess the adequacy and effectiveness of controls. It enhances managerial capabilities and entity-level controls, while striving to enable maintaining acceptable performance levels. Furthermore, with the ability to identify and correct control problems on a timely basis, automated continuous monitoring enriches an entity’s compliance program. Nonetheless, the key to a successful deployment of automated continuous monitoring is process ownership by personnel assigned responsibility for responding to reported exception conditions.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part VII

Robert Davis — Thu, 14 Oct 2010 15:21:57 +0000

Continuous monitoring allows management to have greater insight into the entity’s current state of compliance. Typically, for IT, continuous monitoring involves ongoing automated testing of selected datum within a given process area against a suite of control protocols. Management can utilize this information to set or reset process guidelines, rules and tests; through applied analytics identifying performance gaps or unusual events that may suggest control failures. This type of continuous monitoring can exist in IT hardware, firmware or software enabled to observe and record automated activities. Therefore, automated continuous monitoring provides a timely feedback mechanism for management to ensure that configuration items and controls are operating as designed and datum are processed appropriately.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“