Segregation of duties (SoD) has long been a source of guidance for audit and accounting systems; nevertheless, many IT security controls imposed by recent trends and regulations can be viewed through its lens.
Privacy by design and privacy by default, for example, as required by the new EU regulation recently approved by the European Parliament, require that duties are well separated and roles are well defined from the beginning.
Privacy by design must be introduced in the design of processes and in the design of systems and tools. For example, a client recently asked for a solution that would enable service desk personnel to reset user passwords without knowing the user’s new password and without resorting to self-service password reset. This requires not only a supporting tool but also a sound access management process in which SoD is the central issue.
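The service desk scenario above is a good illustration of SoD in a system design. The following model is an added example (not the article's or the client's solution) of how the control can be enforced: the agent can only initiate a reset against a ticket, the system generates the temporary credential and delivers it to the user's registered contact channel, the agent sees a status but never the secret, and the user is forced to choose a new password at first login. Names, the outbox that stands in for an SMS/e-mail gateway, and the sample user are all constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # illustrative work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salt_hex:digest_hex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate.hex(), digest_hex)


@dataclass
class User:
    username: str
    contact: str          # registered out-of-band channel (constructed value)
    pw_hash: str
    must_change: bool = False


class ResetService:
    """Password reset with duties separated: the agent initiates, the system issues, the user receives."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.outbox: List[Tuple[str, str]] = []   # stands in for the SMS/e-mail gateway (assumption)
        self.audit: List[dict] = []

    def add_user(self, username: str, contact: str, password: str) -> None:
        self.users[username] = User(username, contact, hash_password(password))

    def request_reset(self, agent: str, username: str, ticket: str) -> dict:
        """Service desk path. Returns only what the agent is allowed to see: no secret."""
        if agent == username:
            # SoD: the initiator must not be the beneficiary of the reset.
            raise PermissionError("an agent cannot reset their own account through the service desk path")
        user = self.users[username]
        temp = secrets.token_urlsafe(12)            # generated by the system, never shown to the agent
        user.pw_hash = hash_password(temp)
        user.must_change = True                     # temporary credential is single-use by policy
        self.outbox.append((user.contact, temp))    # delivered to the user's registered channel
        self.audit.append({"event": "password_reset", "agent": agent, "user": username, "ticket": ticket})
        return {"ticket": ticket, "user": username,
                "status": "temporary password delivered to registered contact"}

    def login(self, username: str, password: str) -> str:
        user = self.users[username]
        if not verify_password(password, user.pw_hash):
            return "denied"
        return "change_required" if user.must_change else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        user = self.users[username]
        if not verify_password(old, user.pw_hash):
            return False
        user.pw_hash = hash_password(new)
        user.must_change = False
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.add_user("alice", "+00-000-CONSTRUCTED", "OldPass!1")
    print(svc.request_reset("helpdesk.bob", "alice", "INC-0001"))   # no secret in the agent's view
    contact, temp = svc.outbox[0]                                    # what the user, not the agent, receives
    print(svc.login("alice", temp))                                   # change_required
```

The audit record ties the reset to both the agent and the ticket, which is what an auditor asks for when checking that the control operated as designed; the check that the agent is not resetting their own account is the minimal SoD rule, and a real deployment would add the ticket-to-user binding and the approval step of the access management process.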
Businesses of various sizes are extremely worried about information security. On a daily basis, we hear news of banks and financial institutions losing customer records, confidential information and money due to cyberattacks. Cyberattacks have increased exponentially over the last 5 years, and attack methods are becoming more sophisticated each day. On average, enterprises take about 100 days to identify an attack. It takes even more time to investigate, plug the gaps and prevent similar incidents. The goal of my recent Journal article is to help enterprises and security leaders realign the strategy of their information security teams by empowering the chief information officer (CIO) and the chief information security officer (CISO).
ISO 31000:2009, the Basel III recommendations, the EU Capital Requirement Directives and the Own Risk and Solvency Assessment (ORSA)/Forward Looking Assessment of Own Risk (FLAOR) processes of the Solvency II Directives profoundly affect the financing and the insurance of companies in all business sectors and of local authorities.
US companies use US National Association of Insurance Commissioners (NAIC) recommendations based on the fundamental principles of ORSA; EU firms refer to FLAOR recommendations; and companies in other countries (e.g., Canada, Japan, China) refer to Solvency II as an international best practice.
The elliptic curve cryptography (ECC) asymmetric algorithm is widely promoted to developers for new Internet of Things (IoT) advancements. At first glance, it is easy to see why this is the case. While IoT faces new constraints and challenges that make traditional cryptography difficult to implement, these same difficulties allow ECC to emerge as a front-runner. Constraints in IoT include limited computational resources, such as the bare-minimum processor speed and memory that such devices provide, since they are typically designed for low power consumption. Challenges include the need to reengineer things such as identity management, device and user registration, and cryptography to suit IoT needs.
There is an imbalance between the technical issues and the process aspects of security information and event management (SIEM). This gap is the root cause of some skepticism about, and disappointment in, SIEM.
Be aware that before implementing SIEM, it is necessary to establish the basis of the information security management system (ISMS), which includes considering the global management commitment, asset inventory and categorization, and risk assessment.
The SIEM process consists of the following 5-step cycle:
This SIEM approach is based on the plan-do-check-act (PDCA) cycle. Consider the first step, “SIEM Policy Establishment.” Upper management should demonstrate a commitment to the ISMS, including SIEM, by ensuring the SIEM policy is established and is compatible with the business direction, context and risk approach. Usually, the chief information security officer (CISO) prepares this internal policy and obtains the approval of all stakeholders. This policy should be mapped to existing internal policies, for example by defining detailed event lists as standards and baselines for servers and network tools.
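Mapping the policy to "detailed event lists as standards and baselines" is the point where the process and technical sides of SIEM meet, and it is checkable. The following added example (not from the article) expresses such a baseline as data: which event categories each asset class in the ISMS inventory must deliver to the SIEM, a set of signatures that classify raw log lines into those categories, and a coverage check that reports assets whose observed events fall short of their baseline, or that belong to a class for which no baseline has been defined at all. The asset classes, category names, signatures, inventory and log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Baseline from the SIEM policy: event categories each asset class must forward (constructed values).
BASELINE: Dict[str, Set[str]] = {
    "server":  {"auth_success", "auth_failure", "privilege_use", "service_change"},
    "network": {"config_change", "acl_deny", "admin_login"},
}

# Asset inventory and categorization from the ISMS (constructed).
INVENTORY: Dict[str, str] = {
    "web01": "server",
    "db01": "server",
    "fw-edge": "network",
    "printer-3": "printer",   # class the policy has not covered yet
}

# Signatures that map raw log messages onto baseline categories (constructed patterns).
SIGNATURES = [
    (re.compile(r"Accepted (?:password|publickey) for"), "auth_success"),
    (re.compile(r"Failed password for"), "auth_failure"),
    (re.compile(r"sudo:.*COMMAND="), "privilege_use"),
    (re.compile(r"systemd\[\d+\]: (?:Started|Stopped)"), "service_change"),
    (re.compile(r"%SYS-5-CONFIG_I"), "config_change"),
    (re.compile(r"%SEC-6-IPACCESSLOGP: list \S+ denied"), "acl_deny"),
    (re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS"), "admin_login"),
]

# Constructed sample of what the SIEM received in the review window: "<host> <message>".
SAMPLE_LOGS = """\
web01 sshd[812]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
web01 sshd[813]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
web01 sudo: deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart nginx
web01 systemd[1]: Started nginx.service
db01 sshd[2201]: Accepted password for dba from 10.0.1.2 port 50222 ssh2
fw-edge %SYS-5-CONFIG_I: Configured from console by admin on vty0
fw-edge %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.7(4444) -> 10.0.0.10(22), 1 packet
"""


def categorize(lines: str) -> Dict[str, Set[str]]:
    """Return the set of baseline categories observed per host."""
    observed: Dict[str, Set[str]] = defaultdict(set)
    for line in lines.splitlines():
        host, _, message = line.partition(" ")
        for pattern, category in SIGNATURES:
            if pattern.search(message):
                observed[host].add(category)
    return observed


def check_coverage(observed: Dict[str, Set[str]], inventory: Dict[str, str],
                   baseline: Dict[str, Set[str]]) -> List[dict]:
    """Compare observed categories against each asset's class baseline; one finding per gap."""
    findings = []
    for asset, asset_class in sorted(inventory.items()):
        required = baseline.get(asset_class)
        if required is None:
            findings.append({"asset": asset, "issue": "no_baseline", "missing": []})
            continue
        missing = sorted(required - observed.get(asset, set()))
        if missing:
            findings.append({"asset": asset, "issue": "missing_events", "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in check_coverage(categorize(SAMPLE_LOGS), INVENTORY, BASELINE):
        print(finding)
```

Two caveats belong with this check. An event category that is absent over the review window is evidence of a collection gap, not proof of one (db01 may simply have had no failed logins), so "missing_events" findings are a work list for the "check" phase, not a verdict. And the "no_baseline" finding is the more important one for the policy step: it shows an asset the inventory knows about but the SIEM policy does not, which is exactly the process gap the article describes.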