
    Posts Tagged ‘Performance Measurement’

    National Institute of Standards and Technology (NIST) – Security and Privacy Controls for Federal Information Systems and Organizations

    Latest Draft – Comments on SP 800-53, Revision 4 should be sent by March 1, 2013, to sec-cert@nist.gov.

    NIST – Security and Privacy Controls for Federal Information Systems and Organizations

    “…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”

    “…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

    “…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”

    — THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS, OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE

    No enterprise is more likely to succeed than one concealed from the enemy until it is ripe for execution. — Niccolo Machiavelli
    Hold a picture of yourself long and steadily enough in your mind's eye, and you will be drawn toward it.

    Newly Released IBM X-Force 2010 Trend / Risk Report. Documenting security vulnerabilities and breaches for 2010.


    I was reminded of something today that is one of the biggest issues I see in companies I audit: negativity, and negative people.

    Negativity is the root of many enterprise issues. It is very expensive, possibly costing companies billions of dollars each year.

    I have conducted hundreds of audits across the Fortune 1000, and there always seem to be one or two people you encounter during the audit who ooze negativity: “we can’t do that”, “management does not give me the capability to change that”, “that will never work”, “write it up… it will not change a thing, I have no authority”.

    Change in life, in an organization, or in an individual can only come when we shed negative opinions, negative personalities, and negative people. Negativity sucks away energy. If part of the negativity stems from one’s own attitude or perspective, one needs to commit, at the beginning of each day and each activity, to finding something positive in yourself and in others around you.

    If the people around you are negative and you can’t change that, either remove yourself from the situation or view it simply as one obstacle you face in pursuing your own potential. Stay focused on your own goals and make the best of the situation.

    Once you replace negative thoughts with positive ones, you’ll start having positive results in yourself and the enterprise.

    The following article was posted by my peer and fellow Security Consultant John Kyriazoglou, CICA, M.S., B.A. (Honours), on the International Cyber Threat Task Force website.

    The most critical assets of the 21st century, for private and public enterprises, for organizations in general, for global society, and for the economy (local, national, international), are not physical in nature (equipment, machines, installations, plants), nor financial (money, credit or other financing instruments), nor computer software.

    The most critical assets are the knowledge and ideas (concepts) that exist in the brains of people and that, in the modern business environment, are stored in computerized systems (personal and corporate).

    The computer technology and related infrastructure, the information systems, the network backbone (intranet, extranet, metropolitan, Internet, etc.) and related media technologies give everyone, within a given organizational environment, direct access to what is going on: within the organization itself, in the industrial sector to which it belongs, and in the general economy and market in which it operates.

    All these technological components, broadly Information Technology (IT) and the related Information Systems (IS) which operate within its realm, enable the modern private and public corporation and/or organization to accrue the following benefits (indicative only):

    (1) Quicker and more effective information for decision-making at all levels,

    (2) Increased competitiveness across all services of the firm,

    (3) Improved production processes and procedures, and

    (4) Higher quality in products and services offered by information systems to customers (and citizens) and society in general.

    Given the rate of development of information processing and computer manufacturing technologies and processes, a rate without precedent in the history of mankind, it is now possible for organizations to transfer almost all of their daily business operations to integrated information systems.

    These systems are like medical drugs, either strengthening the organization or enabling it to cure or resolve a particular problem or operating malfunction.

    But, to continue the drug analogy, if these systems are not used in a disciplined manner, they can create havoc, frequently fail to bring about the expected results, and even lead to catastrophe.

    These integrated information systems must therefore operate within a business environment governed by the rules, policies, regulations and instructions of a corporate governance framework and a related information technology governance framework.

    As Negroponte has said (see Nicholas Negroponte: “Being Digital”, Alfred A. Knopf, New York, U.S.A., 1995): “The next decade will see cases of intellectual property abuse and invasion of our privacy. We will experience digital vandalism, software piracy and data thievery”.

    This has definitely been proven correct. Security incidents and other acts of electronic and computer-based crimes are on the rise (as per www.cert.org and other security-related sites).

    And as the famous Kevin Mitnick has said (see the book by Kevin D. Mitnick and William L. Simon: “The Art of Deception”, Wiley, 2002): “Valuable information must be protected no matter what form it takes or where it is located. An organization’s customer list has the same value whether in hard-copy form or an electronic file at your office or in a storage box. Social engineers always prefer the easiest to circumvent, least defended point of attack. A company’s offsite backup storage facility is seen as having less risk of detection or getting caught. Every organization that stores any valuable, sensitive, or critical data with third parties should encrypt their data to protect its confidentiality”.

    Also, IT auditing enhances the qualities of information (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) as defined by ISACA (www.isaca.org).

    The answer for managers and leaders of organizations is to plan for this new operating environment with the proper tools, methodologies and resources.

    Never forget that because organizations differ, their control needs also will differ. For example, all groups need change management, but how it’s implemented will depend on the enterprise. Delving into the work instruction level, access controls are needed, but how they are handled on a mainframe vs. a Windows network will vary. The point is that you will need to tune your policies, procedures and work instructions not only to meet the spirit of the controls but also to be feasible in the context of your organization.

    In almost all types of organizations, both private and public, corporate controls denote the set of policies, procedures, techniques, methods, and practices to manage and control their business operations.

    Within this corporate controls governance framework, Information Technology controls (or IT controls) are specific actions, usually specified by policies, procedures, practices, etc., and performed by persons, hardware or software, with the main objective of ensuring that specific business objectives are met.

    The overall guiding aim of IT controls relates to the secure processing, confidentiality, integrity, and availability of data and to the overall management of the organization’s IT function.

    IT controls are commonly described in two categories according to various sources (www.isaca.org, www.theiia.org, www.itpi.org): IT General Controls and IT Application Controls.

    IT General Controls are those controls that are applicable to all IT activities (systems, services, issues, processes, operations, etc.) and data for a given organization or IT systems environment. They include controls over such areas as the strategy for IT, systems development, data center operations, database and data communications infrastructure, systems software support and maintenance, IT security, and the acquisition, development and maintenance of ready-made application systems.

    IT Application Controls are those controls that are appropriate for transaction processing by individual computerized subsystems, such as financial accounting, personnel administration, customer sales, inventory control, payroll or accounts payable, etc.

    They relate to the processing and storing of data in computer-based files by individual IT applications and help ensure that business transactions occurred, are authorized, and are completely and accurately recorded, stored, processed, and reported.

    The benefits of IT controls to a business include:

    (1) Understand and control the associated risks of IT systems.

    (2) Improve the process of designing, implementing and auditing new and existing IT systems.

    (3) Increase management’s ability to achieve operational goals. With well-controlled, integrated and robust IT systems, you can gain a comparative advantage in a competitive environment, whilst ensuring that information is relevant, accurate and timely.

    (4) Ensure high standards within your IT systems.

    ————————————————————————————————————
    For more information on IT Controls, see the book: ‘IT STRATEGIC AND OPERATIONAL CONTROLS’

    PRINTED VERSION: www.itgovernance.co.uk/products/3066

    E-BOOK FORMAT VERSION: www.itgovernance.co.uk/products/3067

    CUSTOMIZABLE IT AUDIT PROGRAMS AND CHECKLISTS (WORD FORMAT): www.itgovernance.co.uk/products/3143

    AVAILABLE AT THE PUBLISHER, AMAZON and other major bookstores world-wide
    Author: John Kyriazoglou (jkyriazoglou@hotmail.com)
    Publisher: IT Governance Publishing
    ISBN: 9781849280617
    Pages: 686
    Format: Softcover
    Published date: 2 September 2010
