@ISACA Volume 17: 18 August 2010 

@ISACA Relevant, Timely News

BMIS Will Fill the Gap

Information security is a critical business function. The success of an enterprise is closely affiliated with its ability to manage risks appropriately, and protecting valued and sensitive information is essential for enterprise sustainability. Effective management of information risks and exposures—as well as opportunities—can directly affect the profitability and overall value of an enterprise.

The Business Model for Information Security™ (BMIS™) enables security professionals to examine security from a systems perspective, creating an environment where security can be managed holistically and allowing actual risks to be addressed effectively. BMIS offers those interested in information security a business-oriented approach to managing information security and fills the need for a single, comprehensive model.

The latest publication related to this model is expected later this quarter. Watch ISACA’s web site for more information on the upcoming release.


Five Things to Think About When Using Social Networking

  1. The most effective approach to use when considering social networking within the enterprise is “embrace but educate.” There is a great demand for and business benefit associated with using social networking. Users should be educated on the expectations and risks associated with using social networking in both their professional and personal lives. They should also be reminded of their obligations concerning corporate data security, privacy and employee conduct, which they agreed to as part of their terms of employment.
  2. Social networking is often used for social engineering attacks. Adversaries are actively compromising social networking user accounts and using them to send malware and links to connected users from trusted connections to increase the likelihood that their attacks will be successful. Individuals are more likely to accept links and information from someone they trust than a random e-mail or message from a stranger.
  3. Social networking content has an unknown lifespan. Individuals should be made aware that once they post information including pictures, video and personal details to a public social networking site, the data may follow them for the rest of their lives. Students and young people are especially vulnerable to this fact since many organizations now include public social networking sites in their background checks for employment.
  4. Most public social networking sites do not have adequate authentication or identity verification capabilities. Social networking sites can be and have been used by individuals to pose as others to attempt to discredit, steal identities or use other identities in an effort to gain the trust of vulnerable targets. Most social networking sites use basic identity-verification techniques such as e-mail address validation and links within e-mail messages sent to the registered address. Setting up false e-mail accounts easily defeats these methods.
  5. Privacy in public social media sites is not easily achieved. Free to the user, public social media sites are typically funded by their ability to sell targeted advertising capabilities and marketing data to organizations. To demonstrate the value of these data, the site needs to be able to perform data mining and identification operations across all of the data posted to the site. The end-user license agreement (EULA) that users accept when joining a public social media site often includes clauses stating that users should not expect privacy for the data they post and that the site can use posted data for revenue-generating activities once the user has posted it.

Click here for a complimentary download of ISACA’s white paper titled Social Media: Business Benefits and Security, Governance and Assurance Perspectives.

John P. Pironti, CISA, CISM, CGEIT, CRISC, ISSAP, ISSMP, is the president of IP Architects LLC.


Participate in Survey on Economic Benefits of Access Control Effectiveness

Provisioning of users’ permissions, compliance with IT security and privacy laws, and maintaining and certifying access control policies consume a large and increasing amount of effort by IT and business managers. ISACA® is contributing to a National Institute of Standards and Technology (NIST) survey on the economics of access control. The purpose of the survey is to understand how different approaches, or models, for access control influence the efficiency and effectiveness of firms’ IT and business workflows.

This survey is part of a larger study on access control policies that NIST is preparing to inform IT standardization committees and organizations of various strategic activities, as well as to report to the broader IT community on the economic costs and benefits of critical IT security activities. In addition to provisioning, the study is reporting on the challenges organizations face in complying with information security and privacy regulations, such as the US Sarbanes-Oxley Act and the US Health Insurance Portability and Accountability Act (HIPAA). This study will provide a unique view of the business value of access control approaches, which will be of interest to information security, assurance and IT management.

The survey is intended for active professionals in access control and identity management, such as IT managers, senior systems administrators and information security architects. Respondents should have an understanding of how their organizations provide permissions to their users and implement access control policies. Responses from ISACA members outside of the US are encouraged.

You can take part in this survey online until 31 August 2010. Click here to complete the survey. It is expected that the survey will take between 20 and 30 minutes to complete. Participants in this study will receive a complimentary copy of the final report and economic analysis. The survey and analysis are being conducted by RTI International, a nonprofit research institute.


Book Review: GFI Network Security and PCI Compliance Power Tools
Reviewed by Horst Karin, Ph.D., CISA, CISSP, ITIL

GFI Network Security and PCI Compliance Power Tools, by Brien Posey, is an excellent resource for technical specialists, IT security professionals and audit practitioners who plan to deploy or are already using GFI security products, including LANguard, EndPointSecurity, EventsManager or Network Server Monitor. It is also an informative reference for technical security consultants and IT auditors to understand the functionality of these tools and how they fit in the corporate framework for information security controls, vulnerability assessments/prevention and, specifically, to support corporate Payment Card Industry (PCI) Data Security Standard (DSS) compliance.

This book is more than just another manual for GFI security products. It is a how-to and reference book. Further, it is written from the viewpoint of a system administrator who installs and configures the tools, runs the scans, and evaluates the generated reports. This interesting perspective adds increased value because you learn from the practical experience the author gained while installing and working with the applications.

The book, with more than 400 pages, is structured into 19 chapters. Each of them concludes with a summary, valuable tips, “solutions fast track” and a section with answers to frequently asked questions. You will appreciate the hands-on style in which the book is written, presenting step-by-step lists, numerous screen prints and detailed instructions, including background information and recommendations resulting from practical deployments and use of the tools. This combination makes the book helpful for the system administrator who will install the solutions, the security specialist who will operate the applications and the auditor who will interpret the analysis reports. The book is also an entertaining read because it presents sections with tips and tricks, notes and warnings, which provide anecdotes about potential vulnerabilities, risks and things that can go wrong when IT security and policies are neglected. Valuable sections on how to handle the “information overload” in system reports are also included.

Although the content is advanced due to the complexity of the applications, it is presented in an easy-to-understand style. New terms are explained and you will learn the details and background of information security in connection with the purpose and usage of these tools.

Where is the connection to PCI DSS? The applications introduced by the book support one part of the corporate IT controls framework for information security at the network and server level. A corporation must establish a complex framework of controls for data security to target PCI DSS compliance, and effective automated technical tools at the network and server level are part of that. Consequently, achieving PCI DSS compliance takes more than deploying and using technical controls at the network and server level, but these automated technical tools play an essential part in the mosaic of PCI DSS compliance. This is also true with respect to sustaining compliance once PCI DSS certification has been attested.

The strength of this book is its delivery of detailed technical knowledge in an easy-to-understand style with useful supporting background information. It is a recommended guide book for technical specialists, security professionals and PCI DSS auditors who will use these GFI tools.

GFI Network Security and PCI Compliance Power Tools is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore or e-mail bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CISSP, ITIL, is the owner and principal consultant of DELTA Information Security Consulting Inc.
