IT Compliance and Controls

Converging Business, Information, and Controls


Entries Tagged as 'Uncategorized'

Update and final GSA Rule provides value related to Vendor 3rd party audits

January 18th, 2012

The GSA Final Rule got a lot of attention in the government services sector because it solidified the requirements relating to security and third parties. The Final Rule makes it clear that, upon winning a contract and in order to keep it, ongoing performance and attestation of the security program is required. Specifically, the language states [...]


Does competition breed better Security? Enterprise Architecture leading IT Transformation

January 17th, 2012

An article published on the Open Group’s site has a nice Q&A with Jeanne Ross, a scientist at the MIT Center for Information Systems Research and an author of 3 books. She speaks on how adoption of enterprise architecture (EA) leads to greater efficiencies and better business agility. Reading the interview I had a few [...]


Challenge base assumptions, such as pre-boot passwords, disk encryption, and their necessity

August 8th, 2011

When pre-boot authentication is not a safeguard, how does that change the risk landscape, the assumptions behind other controls, and user behavior? DEFCON 16 had a presentation on “Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer (practical low level attacks against x86 pre-boot authentication software)”. This is available for free consumption on [...]


Upcoming changes to ISO 27001:2005 and the ISMS Gold standard

January 28th, 2011

Many organizations around the world rely upon the ISO 27001 standard as the premier method of structuring and governing their information security operations. As the world changes, so too must the standards. The latest draft (the standard is currently in its 4th working stage) highlights a few interesting improvements. More can be read here by [...]


Clarity on Security and Privacy, HIPAA & HITECH for Medical Providers

July 13th, 2010

HITECH and HIPAA Security and Privacy safeguards have been evolving over the past 14 years. Today a large amount of information has been provided outlining guidance for medical providers. Specifically, 2 rules outlining how to qualify for the federal incentive program for electronic health records were released today (July 13, 2010) (though not in effect [...]


What do coordinated phishing attacks mean to your organization?

May 28th, 2010

A report released this month has identified one single group that is responsible for 2/3 of ALL global phishing attacks. This is a tremendous undertaking and requires an exceedingly large amount of sophistication. A telling quote from the report (available here) gives a bit of background: Central to Avalanche’s success is its use of fast-flux [...]


Federal Government centralizing Cloud certifications

April 19th, 2010

A great many efficiencies exist in the Cloud solution model, but the savings can be wasted through management waste, lax business support services, and insufficient information technology controls. Vivek Kundra (United States Government Federal CIO) gave a presentation to the Brookings Institution on how Clouds will be a central focus of all government information [...]


Deloitte: Business ‘Value’ Metrics are Needed …

February 24th, 2010

A web cast by Deloitte, accompanied by a poll, has provided some interesting data points on the state of data governance within businesses. On the heels of this web cast and the poll results I have also added some insight from my field experience and general personal impressions. Interesting facts include: The definition of Data Governance [...]


Widespread Data Breach Evidence found on P2P Environments

February 22nd, 2010

The FTC sent out letters to nearly 100 organizations advising that customer and / or employee data protected by United States law was widely available online. The release of such information is not new to most, given the early days of Napster when entire hard drives were shared and Quickbook files and [...]


Lessons from Financial Crisis for CIO and Executive Technology Leadership, pulled from Senior Supervisors Group

November 9th, 2009

According to a recent examination by global professionals of the failure of risk management controls with respect to financial exposures, many of the failures can be attributed to very specific technology failures. This does not excuse the vast number of other shortfalls (apply blame as you see fit). It does highlight that [...]
