Global Perspectives 

 

Emerging Technologies—A Colombian Perspective

By Jeimy J. Cano, Ph.D., CFE

In Colombia, information technology, information security, software development and systems auditing are constant features of the activity of the country's enterprises and universities. Identifying emerging technologies specific to the country is therefore a challenging and somewhat speculative task, given the strong influence of the products, methodologies, concepts and vendors that are constantly present in the IT and information systems work being carried out.

The information technologies currently shaping Colombian enterprises can be divided into three categories: those oriented to the business, those oriented to processes, and those oriented to IT support and operations. Among the first, technologies that develop the concept of business intelligence are the best positioned in the market, because organizations have a marked need to differentiate themselves and add value for their clients, in pursuit of new and solid business relationships that place the enterprise and its clients in a scenario of shared success: sustainable growth and long-term survival.

Among process-oriented technologies, enterprise resource planning (ERP) systems, or world-class applications, represent one of the strategies advancing most quickly in Colombian organizations. Not all large corporations have yet joined this trend, but it is worth noting that vendors such as SAP, JD Edwards, PeopleSoft, Siebel and Baan have entered the market, offering an integrated view of how Colombian organizations are managed. A project of this scale requires a coherent dialog among corporate strategy, IT governance and, above all, project management, so that the benefits of the initiative can be realized and the challenges it poses for the organization can be met.

Finally, among technologies oriented to IT support and operations, information security and systems auditing stand out in Colombia. According to the Fourth National Information Security Survey (IV Encuesta Nacional de Seguridad Informática) conducted by the Computer and Information Security Community (Comunidad de Seguridad Informática, SEGURINFO)1 of the Colombian Association of Computer and Systems Science Engineers (Asociación Colombiana de Ingenieros de Sistemas, ACIS), information security investment in medium-sized organizations has been growing year after year and now stands at about US $55,000 annually. Though the amount is small, it is already having an effect on how business is conducted in the country. Technologies such as public key infrastructure (PKI), intrusion prevention systems (IPS), high-availability systems and clustering have been gaining ground in Colombian organizations as the alternatives and strategies needed to offer more reliable and efficient services.

Along the same line, information systems and IT auditing are evolving, because they must keep pace with, and specialize in, the IT developments and strategies that organizations adopt both to support business operations and to develop business strategy. The electronic records that result from an organization's use of IT are the primary source of evidence of its actions. Adequate recording, control, security, retention and follow-up of these records are therefore fundamental to supporting and verifying the enterprise's business activities and performance indicators, as well as the correct use of its information systems.

Consequently, data extraction technologies, integrity controls, recovery of information from file systems (data recovery) and transaction monitoring procedures are required to sustain the level of monitoring and analysis needed to account for situations that could compromise the operations or the good name of the organization.

This brief review of corporate technologies and strategies is not intended as an exact snapshot of the emerging trends in Colombia, but as a conceptual and exploratory approximation of an IT market that is evolving rapidly, driven by the greater demands of international dynamics, the need for high levels of quality and service and, above all, the country's imminent entry into the Free Trade Agreement (Tratado de Libre Comercio, TLC) with the US. The emerging technologies described here therefore correspond to a dynamic view of a market that demands greater knowledge of clients and of organizations' long-term needs, so as to build and propose scenarios in which IT is a fundamental part of the business vision, of security and control strategies, and of value generation in corporate processes.

Endnotes

1 Available at http://sitio.acis.org.co/Paginas/publicaciones/inves89.html

Jeimy J. Cano, Ph.D., CFE
is a computer and systems science engineer. Cano is president of the Colombian Association of Computer and Systems Science Engineers (Asociación Colombiana de Ingenieros de Sistemas, ACIS) for 2005-2006, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), and a professor at universities in Colombia and other Latin American countries. His academic and professional work focuses on IT auditing, security and control, computer forensics and information systems management.


Emerging Technologies—A European Perspective

By John Mitchell, CISA

The predominant emerging technology in Europe is radio frequency identification (RFID). It is the size of a grain of rice but has the potential venom of a cobra. RFID tags can be either passive or active.

Passive tags have no power source of their own: they are energized by the electromagnetic field of a reader and, while in that field, transmit their identification code. Active tags, by contrast, carry their own battery and transmit on their own initiative. Active tags can also accept new data and so can act as an interactive storage device.

The extent of RFID's application can be seen from a snapshot of its current and proposed uses. Beyond its use by retailers and others to track inventory and by toll stations to collect vehicle information, the new Airbus A380 has more than 10,000 (yes, 10,000) RFID chips embedded in its airframe so that the functionality of items such as emergency oxygen masks can be checked without deploying them. Hospitals are keeping track of patients by attaching RFID tags to them, and security officers are evaluating RFID for single sign-on, that holy grail of security.

It is not very surprising, then, that there is once again concern that the implementation of a technology will outpace users' ability to ascertain its control implications. Consumer groups are already concerned about the privacy implications, while security officers worry about an area being flooded with many thousands of tags to confuse local scanners. Potential attacks may not be limited to spreading confusing identification data: a small executable or two could be embedded in a tag. The recent Bluetooth virus scare has shown the ability of black hats to exploit short-range wireless technology to their own perverse ends. Any RFID scanner will be linked to an enterprise's internal systems, so will it be necessary to provide demilitarized zones (DMZs) and firewalls to protect those systems from RFID-initiated attacks? As with all international standards, RFID protocols are in the public domain, which means that exploitation of any weakness in control will be swift and vicious. Will visitors to an office be able to obtain vital infrastructure configuration information simply by carrying a concealed scanner into the building? If so, data or signal encryption becomes a necessity. So, once again, an apparently simple and cost-effective concept for item identification, when examined holistically, needs much more in the way of control than is apparent on the surface.
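One concrete shape the tag-borne attack described above can take, written here as an added example rather than code from the original column or from any RFID product: a scanner back end that copies tag memory straight into an SQL statement, beside the same back end hardened so that tag memory is checked against the expected identifier format and bound as a parameter. The inventory table, the 96-bit EPC length check and the hostile tag payload are all constructed for the illustration.

```python
"""Added example (not from the original column): a toy RFID reader back end
that writes tag reads into an inventory database, first in a form that trusts
tag memory and then hardened.  The database, the 96-bit EPC format check and
the hostile tag payload are all constructed for illustration."""
import re
import sqlite3

# A 96-bit EPC rendered as hex is exactly 24 hex digits; in this (assumed)
# deployment nothing else is a valid identifier.
EPC96_HEX = re.compile(r"\A[0-9A-Fa-f]{24}\Z")


def new_inventory_db() -> sqlite3.Connection:
    """Create an in-memory inventory table holding two constructed stock rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (epc TEXT PRIMARY KEY, location TEXT)")
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?)",
        [("30340000000000000000000A", "dock-1"),
         ("30340000000000000000000B", "dock-2")],
    )
    conn.commit()
    return conn


def record_read_unsafe(conn, tag_payload: str, dock: str) -> None:
    """Vulnerable: whatever the tag's memory holds is spliced into SQL, so
    whoever wrote the tag chooses what the scanner runs against the internal
    database.  Many drivers run multi-statement strings by default; Python's
    sqlite3 needs executescript for that, which is what is used here."""
    sql = ("INSERT OR REPLACE INTO inventory VALUES ('"
           + tag_payload + "', '" + dock + "')")
    conn.executescript(sql)
    conn.commit()


def record_read_safe(conn, tag_payload: str, dock: str) -> bool:
    """Hardened: reject anything that is not a well-formed EPC before it
    reaches the back end, and bind the value instead of concatenating it.
    Returns True if the read was stored, False if it was rejected."""
    if not EPC96_HEX.match(tag_payload):
        return False
    conn.execute("INSERT OR REPLACE INTO inventory VALUES (?, ?)",
                 (tag_payload.upper(), dock))
    conn.commit()
    return True


def inventory_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM inventory").fetchone()[0]


# Constructed hostile tag: its memory carries SQL rather than an EPC.  The
# trailing "--" comments out whatever the scanner appends after the payload.
HOSTILE_TAG = "X', 'dock-9'); DELETE FROM inventory; --"
GENUINE_TAG = "30340000000000000000000c"


def demo_unsafe() -> int:
    """Rows left in inventory after the unsafe reader processes the hostile tag."""
    conn = new_inventory_db()
    record_read_unsafe(conn, HOSTILE_TAG, "dock-3")
    return inventory_count(conn)


def demo_safe() -> tuple:
    """(hostile tag stored?, genuine tag stored?, rows left) for the safe reader."""
    conn = new_inventory_db()
    rejected = record_read_safe(conn, HOSTILE_TAG, "dock-3")
    stored = record_read_safe(conn, GENUINE_TAG, "dock-3")
    return rejected, stored, inventory_count(conn)


if __name__ == "__main__":
    print("unsafe reader, rows left:", demo_unsafe())
    print("safe reader (hostile stored, genuine stored, rows):", demo_safe())
```

Running the block shows the unsafe reader left with an empty inventory table after one hostile read, while the hardened reader rejects the same tag and stores a genuine one. The format check does something a DMZ or firewall between the scanner and the internal systems cannot: it decides what tag data is allowed to mean before the data reaches the database.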

John Mitchell, CISA
is managing director of LHS Business Control, a consultancy founded in 1988 to offer corporate governance services. He is the academic relations director for the ISACA London (UK) Chapter. Mitchell has been an expert witness in a number of high-profile UK criminal cases and has been featured in a major British computing publication as the "IT detective." He can be contacted at john@lhscontrol.com or via www.lhscontrol.com.

© John Mitchell

Emerging Technologies—An Asian Perspective

By Peter Koo, CISA, CISM, CPA (HK), CA, CFE, CIA, CRP

Radio frequency identification (RFID) is a generic term used to describe a system that transmits the identity (in the form of a unique serial number) of an object or person wirelessly, using radio waves. It is grouped under the broad category of automatic identification technologies.

Though RFID was introduced more than 30 years ago, the recent RFID compliance requirement imposed on more than 100 of Wal-Mart's suppliers has revived the market's interest.

The RFID Market

According to recent market research, about 300 million trademark RFID tags and another 300 million non-trademark RFID tags were used around the world in 2003. The whole RFID market is estimated at US $900 million, and it is anticipated to grow to US $2.8 billion by 2010, by which time approximately 65 billion trademark RFID tags will be in use.

As one of the most important OEM manufacturing centres in the world, China has already started its own research and development in RFID technology. Five major manufacturers are researching RFID readers, another five are focusing on RFID encapsulation technology, and two chip factories are studying the production of RFID chips. The Yangtze River Delta and the Pearl River Delta are expected to become the main RFID production bases in the coming years.

The RFID Application

Currently, RFID technology is widely used in supply chain management and logistics control. Retailers such as Wal-Mart and Metro are focused on improving supply chain efficiency and ensuring that products reach the shelf promptly. RFID makes these operations much more efficient, effective and economical, and greatly improves the efficiency and effectiveness of inventory-taking and logistics controls.

RFID can also be applied as an anti-theft measure.

Research also suggests possible RFID applications in toll road payment systems, traffic control, healthcare systems and security authentication. For instance, a well-known luxury goods company is considering attaching an RFID chip to each of its products to distinguish genuine goods from fakes, which may help deter counterfeiting.

Audit Considerations

Because RFID technology brings significant changes to technical infrastructure, business processes and operations, the following areas should be considered when auditing an RFID environment:

  • Automated controls—Supply chain management and logistics workflows become automated once RFID is implemented; system processes largely replace the existing manual processes and their related controls. For compliance testing, the audit focus should therefore be on the automated controls. Using a black-box approach, testing concentrates on the input, processing and output of the related systems to obtain a satisfactory level of control reliance.
  • Security and confidentiality—Auditors should also review the security and system controls over RFID and its related systems, including access controls, network security and encryption of radio frequency transmissions. For example, data privacy and the potential interception of information transmitted over the wireless environment and the related network should be assessed.
  • Data integrity—Completeness, validity and accuracy of data are critical in an RFID environment. During substantive testing, auditors should assess the integrity, completeness and accuracy of data transfers across RFID systems, databases, legacy application systems and different platforms, and computer-assisted audit techniques (CAATs) should be deployed heavily. For example, record counts and hash totals should be reconciled across the interface between RFID systems and legacy databases. The integrity of data transfers and communications with business partners and their interfaces should also be considered.
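The reconciliation of record counts and hash totals mentioned under data integrity, as an added example that is not part of the original column: the RFID middleware export, the legacy extract and their field names are constructed, and a hash total is taken here to be the arithmetic sum of the EPC values (a number with no business meaning, which is what makes it useful as a control). Two constructed failures are included, a dropped record and a substituted tag, to show which total catches which.

```python
"""Added example (not from the original column): interface-control
reconciliation of RFID reads against the legacy database they feed, using
a record count, a quantity control total and an EPC hash total.  File
formats, field names and all sample records are constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed export from the RFID middleware: one line per tag read handed
# to the legacy warehouse system (one read per tag in this sample).
RFID_EXPORT = """\
read_ts,epc,reader,qty
2005-06-01T08:00:01,30340000000000000000000A,dock-1,12
2005-06-01T08:00:07,30340000000000000000000B,dock-1,4
2005-06-01T08:00:09,30340000000000000000000C,dock-2,30
2005-06-01T08:00:15,30340000000000000000000D,dock-2,1
"""

# Constructed legacy extract: tag ...0D never arrived and the quantity for
# ...0C was altered in transit.
LEGACY_DROPPED = """\
epc,qty
30340000000000000000000A,12
30340000000000000000000B,4
30340000000000000000000C,3
"""

# Constructed legacy extract: same row count and quantities, but tag ...0D
# has been replaced by ...0E.
LEGACY_SUBSTITUTED = """\
epc,qty
30340000000000000000000A,12
30340000000000000000000B,4
30340000000000000000000C,30
30340000000000000000000E,1
"""


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    qty_total: int    # quantity control total
    hash_total: int   # sum of the EPC values as integers: meaningless as a
                      # number, which is what makes it a hash total


def load_pairs(csv_text, epc_field="epc", qty_field="qty"):
    """Yield (EPC, quantity) pairs from a CSV extract.  EPCs are upper-cased
    so the same tag contributes the same value on both sides."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield row[epc_field].strip().upper(), int(row[qty_field])


def control_totals(pairs):
    """Record count, quantity total and EPC hash total over (epc, qty) pairs."""
    pairs = list(pairs)
    return ControlTotals(
        record_count=len(pairs),
        qty_total=sum(q for _, q in pairs),
        hash_total=sum(int(e, 16) for e, _ in pairs),
    )


def reconcile(source_csv, target_csv):
    """Compare totals across the interface and, where they differ, identify
    the records that explain the difference."""
    src = dict(load_pairs(source_csv))
    tgt = dict(load_pairs(target_csv))
    s, t = control_totals(src.items()), control_totals(tgt.items())
    return {
        "source": s,
        "target": t,
        "counts_agree": s.record_count == t.record_count,
        "qty_totals_agree": s.qty_total == t.qty_total,
        "hash_totals_agree": s.hash_total == t.hash_total,
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "unexpected_in_target": sorted(tgt.keys() - src.keys()),
        "qty_mismatch": sorted(e for e in src.keys() & tgt.keys()
                               if src[e] != tgt[e]),
    }


if __name__ == "__main__":
    for name, extract in (("dropped", LEGACY_DROPPED),
                          ("substituted", LEGACY_SUBSTITUTED)):
        result = reconcile(RFID_EXPORT, extract)
        print(name, {k: v for k, v in result.items()
                     if k not in ("source", "target")})
```

A record count alone misses the substituted tag, because the row count is unchanged; the hash total catches it. Neither catches a quantity altered in transit, which is why the block also carries a quantity control total. For a real export in which the same tag is read several times, the read identifier rather than the EPC would have to serve as the key.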

RFID is not a new technology; it is simply attracting more attention as its application spreads. This may affect audit planning, scoping and even testing methods, but the fundamental audit principles remain the same as in the conventional approach. As the world becomes more modernized and automated, IT audit carries ever more weight within audit activities.

Peter Koo, CISA, CISM, CPA (HK), CA, CFE, CIA, CRP
is a partner of enterprise risk services at the Hong Kong and China practices of Deloitte Touche Tohmatsu, where he leads and manages risk management consulting and attestation services. Prior to this, Koo served Deloitte's US and Canadian practice in the Security Services Group. He is also the China affairs director of ISACA's Hong Kong Chapter and is serving as a member of the China Banking Regulatory Commission's electronic banking expert panel.

To contribute as an author to upcoming Global Perspectives columns, please contact Jennifer Blader at jblader@isaca.org.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2005