Lack of alignment between business and technology services is a proven epidemic. It contributes to obvious security and fraud incidents, and it does even greater damage to the competitiveness of every business that leverages technology. An interesting napkin fact - nearly a third of IPOs over the past 12 months were for businesses that are solely technology companies (i.e., they are not making a widget in a factory but have digital assets and digital services). Businesses that have the right technology, deployed in a manner that is optimal for operations and delivers the necessary value, are more competitive and, as a byproduct, are less susceptible to frauds and security incidents.
According to Francois Coallier of the ISO subcommittee, “ISO/IEC 38500 will help the governing body to evaluate, direct and monitor the use of IT. It will assist directors in assuming conformance with obligations – regularly, legislation, common law, contractual – concerning the acceptable use of IT and to have a proper corporate governance of IT.”
The framework (yes, another one) is broken out into principles (so don’t expect specific tactical guidance or how-tos) that establish decision-making flows: Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behavior.
It is a total of 16 pages, so an astonishingly short read for such an important subject. Similar to how BS 7799 became ISO 17799, AS8015-2005 - the Australian Standard for Corporate Governance of Information and Communication Technology (ICT) - is the origin of ISO 38500 (a nice write-up here - thanks for the link, Serge). Calvin Powers wrote a nice article describing the standard and provided a nice cross analysis between it and the ITGI’s recent release of their own Val IT. Also check out Serge Thorn’s take on this standard release.
Call to Action: Purchase the standard and commit to having your organization’s governance process baselined against this latest release. For each variance, determine if the concerns raised by this standard and others are addressed.
There are numerous other references, so what are your favorites?
Best,
James DeLuccia
Tags: Uncategorized
Silos throughout an organization are natural, as an organization is initially created in an entrepreneurial situation where any one individual maintains a dozen or so roles. As the organization grows, however, it must continually redefine and restructure the objectives and responsibilities of the staff. This is especially important as competition has intensified and shareholder confidence must be maintained by providing proper control environments. (The cost of NOT integrating these control environments is discussed here.) A study from Deloitte identified the following underlying risks as a contributing cause of the risk management meltdowns within the financial sector:
“Good intentions are not enough to ensure a shift in operating culture. Clarity on who owns what process in an integrated governance and control architecture is therefore critical. It appears a prime source for the losses incurred by many major banks in the recent credit crunch was the inability of those institutions, in many instances, to link risk and control functions together.
Our research highlights fragmentation across major financial firms in who has responsibility for integrating governance, risk and control systems. Just 41 per cent of firms stated their audit committees or boards of directors have overall control of governance and controls. Less than half (47 per cent) have undertaken consolidation of governance and controls across borders and operational units in the past three years.”
Best,
James DeLuccia
Tags: Uncategorized
A recent article raised the point that SOX expense by companies was declining (as it should, with the full adoption of AS5 across all filers and SOX being in place for over 6 years!), and that according to analysts Governance expenses were on the rise and the new focus of enterprises. Yes, but not for the reasons stated, or perhaps not only for the reasons stated. Unfortunately, parties that have read this article have misunderstood the intent, or how SOX fits into a mature Governance environment. To imply that the control safeguards documented and matured within businesses as a result of SOX are worthless is incorrect.
It is important to realize that organizations follow a general maturity lifecycle, and a large dose of regulation that requires documentation and validation (such as SOX, et al.) is part of that cycle. It is certainly not the end, as businesses are adaptive and complex systems that are constantly in a state of flux. So, without expounding on this lifecycle, I will simply highlight that the absorption of the regulations and mandated controls into a corporate culture is natural. In fact, it is best practice to integrate the controls of many regulations along with business objectives to ensure an effective, efficient, and always agile operation.
In summary - costs associated directly with a specific regulated response within an organization will always decline - simple economics. Regulations must be incorporated into the culture or “genetic makeup” of the organization. Without this harmonization across the international enterprise, businesses will become uncompetitive and lose market share - only to be replaced by those who are mature.
Best regards,
James DeLuccia
Tags: Life Cycle Management · Risk Awareness · Technology Strategy Orchestration · Tone at the Top · iso27001
There have been recent successes in research efforts (mostly academic and theoretical in origin, with a few recently progressing into more exploitative proofs of concept) to identify weaknesses that exist in everything from Firewire connections to the magnetic cards used to access secure facilities. These proofs of concept highlight the necessity of a well-deployed control environment. They provide evidence of something we have taken for granted over the years, and a lesson learned without being caught in the press or in court is a lesson worth taking with pride and passion.
To recap:
Physical access to a device with a Firewire port can allow certain pieces of code to be rewritten, bypassing the authentication protocols of the device. This works on both Microsoft platforms and OS X. This is an attack at the hardware level, so it applies to every system with such a port! This includes desktops, laptops, and most importantly servers.
Disk encryption can be overcome if the system is stolen (as an example) and was left in standby mode. This is the result of being able to attack the memory of the system. There was also a recent demonstration of reading the RAM of a system by booting an alternate operating system.
Finally, a manufacturing flaw in widely deployed cards from a primary provider appears to have exposed over 2 billion electronic access cards.
As these exploits have come out over the past few weeks, I have felt a stronger conviction that the practices endorsed by the PCI SSC, the FFIEC, and others are dead on. Given the above threats, here are some common best practices that neutralize them:
Physical access attacks are always king when compromising systems. Regardless of the safeguards in place, a stolen system will be breached, and a thief with any savviness will promptly find a buyer for the data on the new acquisition. Therefore we must prepare and safeguard ourselves. The Firewire / Disk Encryption / Standby Mode / RAM Reader attacks may be addressed with the following controls:
- Systems should be configured securely and with the least services required. Specifically, disable unnecessary hardware through the BIOS or drivers (USB drives, Firewire, that extra DHCP-configured network port).
- Keep all portable devices on your person. This may require establishing a policy for remote devices that requires associates to maintain proximity to the device (i.e., don’t leave your device in your airport chair while you run “real quick” to throw out your coffee… I see at least one of these cases every time I am at the airport).
- Limit the data that is on portable devices, period. Embrace virtualization, remote computing, and data management initiatives that ensure that if a laptop is “lost”, the impact can be mitigated in minutes, not hours.
- Supervise all visitors to your data center - including contractors, interns, and anyone else!
The threat to the card readers is huge, but not unmanageable. In fact you already have controls in place to mitigate this threat simply by having a mature control environment. Specifically:
- Monitor the access attempts by users with these cards and ensure that the behaviors match user patterns and comply with policies (e.g., is a user accessing 2 locations that are 50 miles apart within the same 20-minute period?).
- Establish badge-in and badge-out procedures - users must badge in and badge out of areas, thereby eliminating the ability for a stolen card to be used to access the facility while the legitimate user is already inside. This also provides a second layer of monitoring - if the user whose card was compromised cannot access the office, they will call the support desk, and this should trigger an investigation.
- Release a communication to all personnel who have the ability to issue and reset these badges to ensure that someone doesn’t “fix” an access problem without vetting the situation.
- Create near-real-time triggers on access logs that report any violations, using email escalation procedures to elevate as necessary.
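The two monitoring rules above (implausible travel between distant readers, and a badge-in for a zone the holder never badged out of) can be run as near-real-time triggers over the badge-reader log. The following is an added example, not code from the original post: the site coordinates, log format, and badge events are all constructed for illustration.

```python
import math
from datetime import datetime

# Hypothetical site coordinates (lat, lon in degrees), constructed for the example.
SITES = {
    "atlanta_hq": (33.749, -84.388),
    "charlotte_office": (35.227, -80.843),
}

MAX_MILES = 50        # two reads farther apart than this...
WINDOW_MINUTES = 20   # ...within this many minutes are physically implausible

# Constructed sample badge-reader export (not real data).
# Fields: timestamp, badge id, reader zone, direction (IN or OUT).
SAMPLE_LOG = """\
2008-02-25T08:00:00,B1001,atlanta_hq,IN
2008-02-25T08:10:00,B1001,charlotte_office,IN
2008-02-25T08:15:00,B2002,atlanta_hq,IN
2008-02-25T08:25:00,B2002,atlanta_hq,IN
2008-02-25T09:00:00,B3003,atlanta_hq,IN
2008-02-25T12:00:00,B3003,atlanta_hq,OUT
2008-02-25T12:30:00,B3003,atlanta_hq,IN
"""


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))


def parse_log(text):
    """Parse the CSV export into (time, badge, zone, direction) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, zone, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, zone, direction))
    return sorted(events)  # readers may export out of order; sort by timestamp


def detect_anomalies(log_text):
    """Return a list of (rule, badge, detail) alerts for the two monitoring rules."""
    alerts = []
    last_seen = {}   # badge -> (time, zone) of its most recent read anywhere
    inside = {}      # badge -> set of zones badged IN to with no matching OUT
    for when, badge, zone, direction in parse_log(log_text):
        # Rule 1: same badge read at two distant sites inside the time window.
        if badge in last_seen:
            prev_when, prev_zone = last_seen[badge]
            minutes = (when - prev_when).total_seconds() / 60
            if prev_zone != zone and minutes <= WINDOW_MINUTES:
                miles = haversine_miles(SITES[prev_zone], SITES[zone])
                if miles > MAX_MILES:
                    alerts.append(("impossible_travel", badge,
                                   f"{prev_zone}->{zone}: {miles:.0f} mi in {minutes:.0f} min"))
        # Rule 2: anti-passback, a second IN for a zone with no OUT in between.
        zones = inside.setdefault(badge, set())
        if direction == "IN":
            if zone in zones:
                alerts.append(("anti_passback", badge, f"repeat IN at {zone} with no OUT"))
            zones.add(zone)
        else:
            zones.discard(zone)
        last_seen[badge] = (when, zone)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)  # each alert is what the email escalation step would carry
```

Run against the sample, the first rule flags badge B1001 (Atlanta to Charlotte in 10 minutes) and the second flags B2002 (two badge-ins at the same zone with no badge-out), while B3003's normal in/out/in sequence raises nothing.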
The need for a mature and complete control environment is evident as new (and old) attack vectors and fraud methods are developed. Consider the lessons of the past, and take this opportunity to ensure the effectiveness of these controls.
Best regards,
James DeLuccia IV
Tags: Access and Authorization · Incident Response Capability · Logical Access · Monitoring and Performance Reviews · PCI · Physical Access
On Sunday a foreign government enforced its sovereign right to censor its citizens, and consequently caused a global outage (2 hours) of the most popular video site on the planet, run by the most sophisticated global internet company - Google. The lessons here resonate with the need for organizations to consider all aspects of risk to their globalized operations. Especially strong consideration must be given to basic assumptions about the stability of the current medium of choice. The takeaway is to consider operations resiliency and the infrastructures you depend on to deliver services - the cables that transfer the data, the routers that support your packets, and all the countries and systems in between.
Many great articles have been published on this topic and can be found here:
For fun, after investigating the outage on Sunday and seeing subsequent news articles I thought some back of the napkin calculations would be interesting and wanted to share them.
Google’s YouTube had approximately 257,000 visitors in the month of January, which comes to about 345 customers an hour (according to Compete.com, and highlighted in this article).
Given that Google serves ads on every page while a video is played, a better statistic related to revenue generated by ads is the total number of videos streamed. For December, 3.314 billion videos… Broken down by the hour (not perfect, this is a napkin), that is ~4.454 million videos shown an hour (Comscore report).
So the impact of the outage was a hit to approximately 690 customers (not very many at all) and the lost streaming of 8.908 million videos. Given the finickiness of the internet consumer, the outage will probably impact Google’s viewership for the month, but it will generally return to a normal rate. Now as to the actual revenue impact - even at the most optimistic predictions, the ad revenues make up only half of one percent of Google’s revenues. Two nice (a bit dated, though) write-ups on the revenue are here and here. So, no, this should have zero effect on Google’s earnings or future.
Best,
James DeLuccia
Update: Book Release is now March 19th 2008!! Pre-Order Today
Tags: Incident Response Capability · Monitoring and Performance Reviews · Operations Resiliency · Risk Awareness · Sustain Operations · Trusted Communications and Network
Yesterday I highlighted that organizations must consider the value of information based on the party that possesses it, i.e., if the information was made available to anyone - what could they do, and how bad would the impact be to your organization?
Today’s Wall Street Journal had an article entitled “Another Liechtenstein Bank Suffers Theft of Client Data”. It is an interesting read compared to the others, because in this case the organization paid millions of dollars since 2003 in blackmail payments in order to cover up the event and recover the data.
While it is rare to publicly hear of organizations paying blackmail in order to recover data, it does provide intelligence on the value this financial institution placed on their image and the stolen data.
David and Mike provide rich details on the payments, the situation, and an overview of another Liechtenstein bank, LGT Group.
Best,
James DeLuccia
Tags: Fraud · Human Resources · Identity Theft · Risk Awareness
February 20th, 2008 · 1 Comment
Intellectual property for an organization can vary between trade secrets (i.e., the ‘secret sauce recipe’) and customer-specific data. Every organization must classify information appropriately based on its own usage of the data, governing laws, and best practices. Two recent examples caught my attention as cases where data was compromised, along with the effects.
The first is an example where a company’s secrets were stolen by an agent of a foreign government. This company builds space shuttles, war planes, rockets, and commercial aircraft. Obviously a very clear national security concern, and also a massive competitive threat to the company itself. The article is posted here at CNN. Espionage charges have now been filed against the individuals involved. The agent was ‘allegedly’ sending data from Boeing to the China Aviation Industry since 1979.
Not much has been posted on the controls that were violated or bypassed; however, it is likely a breakdown that occurred as a result of the merger that brought this employee into the company’s environment. Pure speculation, but a common weakness and risk that occurs when organizations acquire companies and must combine the technologies - including identity management and HR safeguards.
The second is a story where Harvard’s website was breached - in itself a repository likely to hold sensitive customer information, but also further network credentials. The hacked system’s contents were then downloaded and posted as an archive file on BitTorrent. This highlights a risk that is commonly discounted - the question “What can they really do with the data?”. In the case of a website with sensitive information, the answer is that it depends on who has the data. In this case, the attackers distributed the information to the entire internet without prejudice and have eliminated this factor. Now it is highly likely that someone can leverage this information to cause further harm. The news post is here.
In the end, companies must recognize the value of the intellectual assets of the organization. As was demonstrated recently, the value of the data depends on the holder, and it is from that perspective that organizations must evaluate risk.
Best regards,
James DeLuccia
Tags: Access and Authorization · Human Resources · Logical Access · Monitoring and Performance Reviews · Risk Awareness
February 11th, 2008 · 1 Comment
The criticality of the Internet has grown exponentially. Consumers rely on Internet-based applications (or RIAs) for everything from email, CRM, ERP, and publishing - to this online portal. Businesses have generally transitioned from dedicated frame relays and leased lines to VPN tunnels through the Internet (link to Cisco whitepaper). The efficiency gained by organizations sourcing their business processes has created a $40+ billion BPO industry. In addition, organizations have been able to distribute business centers across the globe, and allow for true teleworking that is both productive and collaborative. These points are all highlighted under the Caveats and Threats sections in IT Compliance and Controls.
A recent batch of disruptions made the Wall Street Journal by Christopher Rhoads. He reports in “Internet Logjams Spur Cable Boom” that the fiber optic business is booming as businesses rush to build up the capacity of the backbone of the Internet. The build up is akin to the 1999/2000 build up (which had both positive and negative impacts). As support for the buildup and demonstrating the precarious nature of the current infrastructure, the author highlights the past breakages in oceanic fiber optic cable connections. Basically there are cables stretching across the ocean floor that allow islands and entire continents to participate on the Internet and enjoy higher speeds. Recent disruptions include:
- 2006 Earthquake near Taiwan where 7 of 8 undersea cables were severed - causing months of disruptions
- 2008 Undersea cables severed dramatically reduced connectivity in the Middle East
- 2008 More undersea cables severed, impacting the Persian Gulf and India
There are many articles and thoughts published here and here for further details. The significance of these disruptions, and the brownouts on the Internet that Nemertes predicts as early as 2010, emphasize the need for businesses to consider their technology environments and all risks to the organization. An article on the importance of availability reinforces this point.
Food for thought,
James DeLuccia
Tags: Incident Response Capability · Monitoring and Performance Reviews · Operations Resiliency · Risk Awareness · Sustain Operations · Trusted Communications and Network
Remediation and corrective action are part of the lessons learned when a negative event (security breach, fraud, etc.) occurs within an organization. It is regarded as best practice to learn from one’s own mistakes, and an even better practice to learn from OTHERS’ mistakes. In either case, understanding what controls may address the situation at hand is essential to improving and maintaining an operationally effective control environment.
In the case of security breaches, a topic I cover extensively at PCI DSS & IT Controls Explained, the attacks tend to succeed because of weaknesses in a few basic controls. The majority of control weaknesses stem from the following controls:
- Data Classification
- Information Handling
- Information Awareness and Education
- Physical Access Controls (backup drives, laptops, PDA, and such devices are prone to exploitation)
- Logical Access Controls (Such as restrictions of data on public systems, and integrity of payment systems)
This analysis is based on a review of the past breaches found at the Privacy Clearinghouse site, and was composed and presented to Georgia State University by Taiye Lambo. The effort they conducted highlights the importance of specific controls, and emphasizes the need to learn from these events. The reports that align each breach with the regulatory impact (mostly focused on the most widely recognized - PCI, SB1386) and the ISO 27001 subsections are here and here for convenience.
Please check out this resource and others available for free at Educause - a great resource that should be leveraged as part of cross-industry collaboration.
Best,
James DeLuccia
Tags: Access and Authorization · Identity Theft · Logical Access · PCI · Physical Access · Risk Awareness · Technology Intelligence · iso27001
A constant challenge for organizations is measuring the potential impact and consequences of mandated regulations. Weighting compliance initiatives based on such consequences is not best practice, but it is common. The ability to demonstrate a true cost-benefit analysis depends, in part, on the actual follow-through and enforcement of requirements by regulatory bodies. Therefore, when I come across specific examples where regulations have been enforced, and the market is provided with a transparent understanding of the weaknesses and corrections, I like to make them known. I certainly do not believe in or endorse a FUD approach to seeking an optimal posture of compliance and operations, but to ignore these impacts is also inappropriate.
Past research I conducted focused on the Federal Trade Commission’s efforts to communicate identity theft and fraud. During that effort I found a speech (and another, and another) that identified the following companies as having weaknesses and having made corrective actions. These are based on the FTC’s mandate to prevent deceptive business practices. The full text of the speech is available here, and is a great read to understand the FTC’s role in identity protections. In addition, a publication from The Center for Information Policy Leadership entitled “A Business Guide: Meeting Your Legal and Business Obligations to Safeguard Personal Information” is also helpful, but given a limitation of time I would recommend the FTC speech, as they are the authoritative body.
Businesses and Docket References:
- Petco Animal Supplies, Inc. (Docket No. C-4133)
- MTS Inc., doing business as Tower Records, Tower Books, or Tower Video (Docket No. C-4110)
- Guess?, Inc. (Docket No. C-4091)
- Microsoft Corp. (Docket No. C-4069)
- Eli Lilly (Docket No. C-4047)
Best,
James DeLuccia
Tags: FTC · GLBA · Identity Theft · Risk Awareness · Technology Intelligence · Technology Strategy Orchestration