Educating the Masses: Audit, Control and Security of Information Systems Today and Tomorrow
By Frederick Gallegos, CISA, CDE, CGFM
Volume 6, 2004
Recent terrorist events and the continuing repercussions from the financial frauds involving Enron, Arthur Andersen LLP, Global Crossing, Adelphia and others are constant reminders that audit, control and security of information technology now take on a whole new meaning. With the release in 2002 of the US Department of Homeland Security’s “Plan for Securing Cyberspace,” the passage of the US Sarbanes-Oxley Act, the constant battles with viruses and worms, and the increase in new forms of crime targeting the uneducated and uninformed (such as identity theft, phishing and solicitation scams), it may be time for education entities at all levels to begin rolling up their sleeves and establishing courses and curricula to educate the masses in protecting information and infrastructure.
This is a tall order, but it can begin by establishing such graduate and undergraduate coursework at the university level. Also, this education eventually needs to extend to the community colleges and all levels of education. With the passage of the US Homeland Security Act and especially its inclusion of the Cyber Security Enhancement Act, cybersecurity, information assurance and IT ethics become everyone’s business.
So now, how can a university, community college or any other level of education help educate the world’s population on information assurance? How is appropriate instruction provided to the upcoming, high-tech generations who learned all the wrong things and now violate the integrity of public and private information infrastructures?
Also, how can educators protect the information technology infrastructure against current and new challenges that will confront all computer users in the years ahead, as new technology becomes affordable, and enters the business and services arenas? George Washington University (Washington, DC, USA) completed a rather remarkable study on future technology innovations (see figure 1). This study brings not only excitement, but also chills, regarding the future protection of an information technology architecture.

Information Assurance
Businesses and governments alike have become increasingly reliant upon critical digital electronic information capabilities to store, process and move essential data in planning, directing, coordinating and executing operations. Powerful and sophisticated threats can exploit security weaknesses in many of these systems. As businesses continue to outsource technology development, the risks of disruption, havoc, embezzlement, theft, etc., increase. And, of course, risk remains from the enterprise’s own personnel and other internal weaknesses that can be exploited and become vulnerabilities that can jeopardize the most sensitive components of information capabilities. Can organizations employ deep, layered defenses to reduce vulnerabilities and deter, defeat and recover from a wide range of threats? From an information assurance perspective, the capabilities that must be defended can be viewed broadly in terms of four major elements: local computing environments, their boundaries, the networks that link them together and their supporting infrastructure.
The term information assurance means safeguarding the collection, storage, transmission and use of information. The ultimate goal of information assurance is to protect users, business units and enterprises from the negative effects of corruption of information or denial-of-service attacks. For example, if the personnel data in a human resource database are valid in the sense that they could be correct, but are in fact not correct, there may be no negative impact on the information system, but the enterprise may suffer when people get the wrong amount of money in their paycheck or the check is sent to the wrong address. Similarly, if an order for an engine part in a supply and logistics system is lost in the part of the system that dictates which pallets get loaded, so that the parts go onto the wrong boat to the wrong destination, the information system continues to operate, but the supply service is denied to the person requiring the parts. Naturally, if the information systems processing, storing or communicating the information become corrupt or unavailable, that may also affect the enterprise as a whole, but simply protecting the systems without protecting the information, processing and communication is not adequate.
As the nation’s information systems are being tied together (government and business), the points of entry and exposures increase, and thus risks increase. The technological advancement toward higher bandwidth communications, advanced switching systems and wireless technology has reduced the number of communications lines and further centralized the switching functions. Survey data indicate that the increased risk from these changes is not widely recognized. The above can only be done through people who are trained and educated, and can perform the functions of information assurance within government and private industry. So who are they?
A recent US Department of Labor study predicted an explosion of opportunities to arise in the information assurance field by 2010, with the need for 10,000 trained resources. This figure did not include the impact of legislation, such as the US Sarbanes-Oxley Act, AB 1386 and the other audit-, control-, security- and privacy-oriented legislation that will be passed before 2010.
Where can university or community college educators go for help in developing courses, curricula and programs? Since automated information permeates all aspects of a corporation or government agency or medical facility, everyone shares some responsibility for information security (infosec) and information assurance (IA), e.g., ensuring that confidentiality, integrity and availability (CIA) are maintained. However, someone must take on the responsibility for providing the leadership and guidance for infosec, but who? This is the crux of the issue. Should that responsibility fall on the information technology people, the corporate security people, internal or external auditors, or others?
NIETP
In the US, for example, the National InfoSec Education and Training Program (NIETP) directly supports the Committee on National Security Systems (CNSS) and plays a major role in ensuring that personnel in all US federal departments and agencies with national security systems are trained to safeguard information resources. To accomplish this task and assure adequate levels of security for all automated information systems (AIS), the NIETP has initiated a number of programs to enable the departments and agencies to implement and maintain robust AIS security programs. These NIETP programs are:
- The Centers of Academic Excellence in Information Assurance Education Program
- The Colloquium for Information Systems Security Education
- The University Outreach Program
- The Electronic Develop-A-Curriculum (EDACUM) Program
- The “Blue Box” Initiative
- Service Academy Visiting Professorship Program
- Information Assurance Courseware Evaluation Process
The NIETP operates under national authority, and its initiatives provide the foundation for a dramatic increase in the population of trained and professionalized security experts. An article addressing professionalization, “InfoSec Professionalization: A Road to Be Traveled,” is published in the Forum for Advancing Software Engineering Education, volume 9, number 01, 15 January 1999. Activities in this area directly support government efforts to professionalize and certify system administrators and associated network positions. There is no single vehicle to accomplish this task. NIETP initiatives are multifaceted and strive to address all aspects of the NIETP’s role in education, training and awareness by creating partnerships among government, academia and industry. Through these partnerships, the NIETP can assess current offerings in infosec courses, from a variety of sources, to identify gaps and determine how to fill those gaps. The US National Security Agency (NSA), under the support of the US Department of Homeland Security, is continuing in its leadership role with national-level programs, via the CNSS, to assure the very finest preparation of professionals entrusted with securing the US national security systems (www.niatec.net).
Conclusion
The Committee on National Security Systems and the National Security Agency have begun a program for information assurance education that provides a clear direction and purpose for those institutions wishing to pursue this goal. Integral parts of information assurance are the disciplines of IT audit, internal audit and quality assurance. Organizations such as ISACA, the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and the International Securities Services Association (ISSA) have developed models for universities to take, refine and implement in practice. These are all programs that can harness the education and research power of many institutions committed to the field of information assurance education.
From a production standpoint, developing graduates who can enter this profession and perform these services for government and private industry will help in the global pursuit of securing cyberspace and maintaining integrity, confidentiality and control over financial and private information. It is a tremendous challenge for those of us committed to this field.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2004 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.