– Last week the GAO found that the FDIC had gotten worse with regard to security on a year-over-year basis. The highlighted points were the lack of proper change control, the lack of software testing prior to implementation, and a lack of adherence to established policies.
The good news is the increased attention of the GAO on security and IT controls, but it is certainly disheartening to see how badly certain government agencies are governed. Of course this may be a classic situation where the auditors last year knew X and found X problems, and this year knew X+1 and found X+1 problems. Is this a case of the auditors learning more each year about IT control weaknesses and the organization they are auditing, or has the agency really gotten worse? Any GAO auditor / FDIC official thoughts?
– Homeland Security “Threats and Protection” page. Great information, updated daily, and vital to anyone concerned about enterprise risk management.
– NIST updates 3 standards and is looking for feedback:
– Email Security 800-45a
– IDS / IPS 800-94
– Secure Web Services 800-95 (applicable to PCI DSS compliance)
Identity attacks cost $1.5 million per occurrence vs. $2,400 for a virus:
“Based on an analysis of the damage numbers included in 107 cybercrime cases prosecuted by the U.S. Department of Justice, Trusted Strategies concluded that the most damaging attacks are those where the offender used stolen usernames and passwords and that such attacks caused on average $1.5 million in damages per occurrence.” … “The study found that an attacker with valid credentials could do far more damage than a program that exploited some other flaw to gain control of a system. The average cost of a virus attack to any single company was about $2,400, far lower than the $1.5 million caused by attackers armed with a valid username and password.” Referenced: http://www.solidvault.com
Auditor Answers: Maintaining Compliance in Home Offices
“Common controls for remote offices include:
* Management documents work-at-home policies and procedures. Employees sign off on requirements prior to starting work
* Employees acknowledge accountability for sensitive information while it is in their possession
* Employees agree not to use unsecured wireless networks, particularly in airports, coffee shops, and other common points of public access
* IT provides and supports the hardware (physical machinery, network equipment, etc.) and software (patches, firewalls, VPN clients, spyware monitors, etc.) necessary for employees to reasonably meet work and policy requirements
* Employees destroy or otherwise eradicate any copies of sensitive data they might have stored in physical files, personal computers, portable media, and personal e-mails. Employees attest to information destruction
* Employees return all relevant information upon employment termination
* IT management monitors employee use of computers, protected networks, and other equipment
* A representative of management confirms that physical security controls exist in the home work environment. A representative of IT management confirms that machinery and networks in the home office conform to the technical security controls required to meet information protection requirements.”
– Completing an internal audit of your organization’s security and privacy efforts in the coming year would be very worthwhile for everyone involved—the board, management, staff, and other stakeholders.
– Having management complete its own “self-assessment” would be advisable.
Reference: Dan Swanson’s article on ITC
Some very interesting developments in the world of IT controls and governance. I will try to post and analyze anything that is valuable. If anyone has any good links, please post a comment or suggestion to help us all grow.