Jun 19 2009 1:09PM GMT
Posted by: Robert E. Davis
Accounting,
Applications,
Financial,
Information Technology,
Laws and Regulations,
Council of Europe,
Sarbanes Oxley Act,
Foreign Corrupt Practices Act,
Organization of American States,
Organisation for Economic Co-operation and Development,
IT,
COE,
SOX,
FCPA,
OAS,
OECD
FCPA control measures for an adequate system of internal accounting controls include maintaining appropriate segregation of duties, allowing only authorized transaction execution, controlling access to assets, and reconciling documented assets to actual assets regularly. Completeness, accuracy, authorization, and accessibility are considered key internal accounting information protection controls that fulfill FCPA legal requirements. These control measures most often interact with — or are deployed through — IT financial applications, thus justifying information security management’s involvement in assessing compliance with the FCPA.
To dispatch FCPA information reliability requirements, an information security manager should identify, understand, test, and document internal accounting security controls for information assets. Essentially, an information security manager should assume responsibility for assessing financial applications for FCPA safeguarding compliance. Technically, application safeguarding controls should be present during input, processing, and output. IT procedures are expected to provide information protection throughout the life cycle of earmarked FCPA financial application systems. Key internal accounting controls can be mapped to information security confidentiality, integrity, and availability control measures. For instance, information security application accuracy controls include input edit and validation routines that ensure information integrity.
“View Part I of the Application Protection series here“
Jun 16 2009 7:06PM GMT
Posted by: Robert E. Davis
Accounting,
Applications,
Financial,
Information Technology,
Laws and Regulations,
Council of Europe,
Sarbanes Oxley Act,
Foreign Corrupt Practices Act,
Organization of American States,
Organisation for Economic Co-operation and Development,
IT,
COE,
SOX,
FCPA,
OAS,
OECD
The FCPA codifies bribery of foreign officials as a criminal offense for U.S. publicly held companies, requires accurate financial-transactions accounting, and amends the Securities Exchange Act of 1934. With regard to accounting, FCPA Section 78m (b) (2) documents managerial responsibility for generating and retaining financial information while presenting transactions accurately and fairly, as well as deploying a “system of internal accounting controls.” Furthermore, FCPA Section 78m (b) (5) has been interpreted as requiring U.S. businesses to create and sustain adequate internal accounting controls regardless of an organization’s cost-benefit analysis ratio. This section of the FCPA therefore decrees preventive and detective controls to avoid financial statement fraud or misrepresentation.
“View Part I of the Application Protection series here“
Jun 12 2009 6:36PM GMT
Posted by: Robert E. Davis
Accounting,
Applications,
Financial,
Information Technology,
Laws and Regulations,
Council of Europe,
Sarbanes Oxley Act,
Foreign Corrupt Practices Act,
Organization of American States,
Organisation for Economic Co-operation and Development,
IT,
COE,
SOX,
FCPA,
OAS,
OECD
Legacy law or regulation replacement is a common occurrence within most governments when circumstances appear to discredit legal mandate enforcement. However, the U.S. Sarbanes-Oxley Act (SOX) of 2002 does not supersede the U.S. Foreign Corrupt Practices Act (FCPA) of 1977. In fact, though tagged legacy enterprise governance legislation by some officials, the FCPA has thrived as the basis for enactment of various internationally recognized legal edicts addressing internal accounting controls that indirectly impact information security management requirements.
Contextually, the FCPA applies to U.S. publicly held companies and was adopted in the 1990s by the Organization of American States (OAS), the Organisation for Economic Co-operation and Development (OECD), and the Council of Europe (COE). Concerning international relevance, the FCPA is a frame of reference for most current IT financial application security best practices. Specifically, details demonstrating this law’s influence are well documented in IT financial application assurance and internal accounting control literature.
Mar 16 2009 7:01PM GMT
Posted by: Robert E. Davis
Information Security Management,
Laws and Regulations,
Service Level Agreement,
IT Security,
Availability,
Confidentiality,
Functionality,
Identification,
Integrity,
Quality,
Token,
Usability,
CIA,
ISM,
SLA
Regarding provisioning physical authentication mediums, an entity’s deployed access control process should clearly define the way encoded identification is delivered to users — within the context of promoting adequate confidentiality, integrity and availability. Specifically, the process to dispense tokenized authentication attributes to users should employ a different delivery channel than the physical item. When physical items are tokenized prior to individual assignment or usage, security management should ensure the identification mechanism remains dormant and protected until the authentication verification enabler reaches the intended owner empowered with activation and usage rights.
As suggested in COBIT Security Baseline: An Information Security Survival Kit; depending on the country, state or industry, information asset usage is subject to various laws and regulations. These laws and regulations need to be known and obeyed to enable appropriate IT security. Domains covered by such rules include privacy, information retention, minimal system protection requirements as well as attestation requirements. Consequently, physical tokenized access items should receive the same protection consideration as other entity information assets.
“View Part I of the Physical Token Protection series here“
Mar 12 2009 6:41PM GMT
Posted by: Robert E. Davis
Information Security Management,
Laws and Regulations,
Service Level Agreement,
IT Security,
Availability,
Confidentiality,
Functionality,
Identification,
Integrity,
Quality,
Token,
Usability,
CIA,
ISM,
SLA
As a corollary requirement, when considering physical tokens, functionality is directly related to capabilities. Consequently, physical token appropriateness should be evaluated based on the set of attributes applicable to the existing set of activities and their specific properties. In other words, determining physical token functionality is a characteristic association ensuring the quality of hardware and/or software products utilized for accessing objects meet intended purpose expectations throughout their life cycle. Adequate physical token functions are those that satisfy stated or implied criteria of users and management. These value drivers emanate from business and governance domain perceptions, where the former is typically focusing on functionality and delivery velocity, while the latter tends to emphasize cost-efficiency, return on investment and compliance.
“View Part I of the Physical Token Protection series here“
Mar 9 2009 6:56PM GMT
Posted by: Robert E. Davis
Information Security Management,
Laws and Regulations,
Service Level Agreement,
IT Security,
Availability,
Confidentiality,
Functionality,
Identification,
Integrity,
Token,
Usability,
CIA,
ISM,
SLA
Information asset usability implies availability to perform requested services as well as transparency. Determining physical token usability necessitates assessing relevant and pertinent services for the access process as well as secure user delivery in a timely, correct, and consistent manner. Whether access control is outsourced to a third party or is maintained internally, the time frame for processing of each user security administration operation should be defined and agreed to by the entity’s representatives through a service level agreement (SLA) that aligns with corresponding service objectives and goals. For example, if providing timely user provisioning is established as a goal, user resets for critical applications should be responded to within the SLA specified time period. Where a SLA does not stipulate the response time, a best practice standard should be adopted and sustained by management to monitor performance achievement.
“View Part I of the Physical Token Protection series here“
Mar 6 2009 7:50PM GMT
Posted by: Robert E. Davis
Information Security Management,
Laws and Regulations,
IT Security,
Availability,
Confidentiality,
Functionality,
Identification,
Integrity,
Token,
Usability,
CIA,
ISM
Organizationally, information security normally is considered a program enabling and optimizing IT security services for the entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management that complies with applicable laws and regulations. Cascading from the generally accepted risk management goal of adequately addressing threats, opportunities, and weaknesses, a primary security risk assessment objective is to provide recommendations that maximize confidentiality, integrity and availability protection reflective of the operating environment; while sustaining usability and functionality. Though IT security advice generally focuses on enhancing data and information protection, equal attention should be given to physical identification credentials utilized for accessing IT objects.