Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues. In other words, this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.

Wednesday, May 09, 2007

COBIT 4.1 released! [UPDATED]

Despite a press release, the latest v4.1 of COBIT is not yet available from the IT Governance Institute website but is expected imminently. Meanwhile, the ITGI has various other interesting docs available, including a new version of their paper on IT control objectives for SOX.

I note that COBIT is described in the press release as an 'international unifying framework that integrates all of the main global information technology standards, including ITIL, CMMI and ISO17799', which sounds strangely similar to what ISM3 claims to be.

Another ITGI document relates COBIT to an extraordinarily comprehensive set of information security, project and risk management standards, viz: COSO, ITIL, ISO/IEC 17799:2005, FIPS PUB 200, ISO/IEC TR 13335, ISO/IEC 15408:2005/Common Criteria/ITSEC, PRINCE2, PMBOK, TickIT, CMMI, TOGAF, IT Baseline Protection Manual and NIST 800-14.

[UPDATE: May 20th: COBIT v4.1 has now been released. I'll probably add another blog entry if/when I find time to review it.]

Tuesday, April 17, 2007

IT audit checklists

The IT Compliance Institute has so far published a set of four useful checklists providing practical guidance for IT, compliance, and business managers on preparing for successful internal audits of various aspects of their operations. In addition to helping managers understand what auditors look for and why, the checklists can also help managers proactively complete self-assessments of their operations, thereby identifying opportunities for system and process improvements that can be made in advance of actual audits. The four checklists are:
- information security audit checklist
- IT governance and strategy audit checklist
- IT risk management audit checklist
- PCI compliance audit checklist

Access to the downloads requires registration but if you are sufficiently interested in these checklists to download them, you would probably benefit from the occasional email updates and other information from the institute. They don't spam me, anyway.

More IT audit and IT governance links

Monday, February 26, 2007

EDPACS back catalog free this week

Until March 5th, EDPACS has given free access to 10 years' worth of information security articles. EDPACS is the world's longest running IT audit newsletter - this is its 35th year! It has ~24 pages each month on audit, governance, control and security topics. I agree with Mich Kabay's assessment of the EDPACS archive as a treasure trove. The new EDPACS editor, Dan Swanson, is on the lookout for good articles on emerging issues and practical solutions: send any article proposals to dswanson_2005@yahoo.com

Wednesday, January 24, 2007

IT performance proportional to change management

A well-written piece in the IIA's IT Audit by Dwayne Melancon outlines the results of a research study conducted by the IT Process Institute. The ITPI went looking for characteristics of the controls infrastructure that distinguish high- from low-performing IT departments. The researchers picked out IT process controls from COBIT and ITIL/ISO 20000 frameworks and measured 98 organizations - not a huge sample but statistically significant and adequate given the depth of study.

The headline is that they found a clear link between the quality of an organization's change management controls and its performance. Since top/medium/low performers were determined by the "number of controls for which respondents scored in the top 50th percentile of all respondents" across controls for access, change, release, configuration, service level and resolution (presumably of problems/incidents), it is inevitable that high performers scored well on the six selected control areas. The study indicates that the strongest link occurs in the change management domain.

The report picks out some interesting correlations between specific controls and high performers e.g.:
- monitoring for authorized/unauthorized and successful/unsuccessful changes;
- firm consequences for those who intentionally make unauthorized changes;
- formal processes and automation of configuration management.

These in turn suggest potential metrics e.g.:
- percentages of changes that are authorized and successful (the proportion of unplanned work that an IT department undertakes has been previously identified as a worthwhile metric; the "proportion of problems that are fixed first time" is another good one);
- percentage of unauthorized change incidents that lead to disciplinary action (measuring management's commitment to enforcing change management controls);
- percentage of configuration information that is accurate and complete.
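As an added worked example (not from the original post or the ITPI study), the three metrics above computed over a constructed change log, a CAB approval register and a CMDB snapshot; every host name, change ID and record below is constructed for illustration:

```python
"""Change-management metrics over constructed data (added example, not the ITPI's method)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    change_id: str
    host: str
    implemented_by: str
    succeeded: bool            # delivered without rollback or a resulting incident
    disciplined: bool = False  # disciplinary action recorded (relevant for unauthorized changes)


# Constructed approval register: change IDs that passed the Change Advisory Board.
APPROVED = {"CHG-1001", "CHG-1002", "CHG-1004"}

# Constructed change log, including two changes made outside the approval process.
CHANGES = [
    Change("CHG-1001", "web01", "alice", True),
    Change("CHG-1002", "db01", "bob", False),
    Change("CHG-1003", "web02", "carol", True, disciplined=True),  # unauthorized, actioned
    Change("CHG-1004", "web01", "alice", True),
    Change("ADHOC-7", "db01", "dave", False),                      # unauthorized, no action
]

# Constructed CMDB records versus the configuration actually observed on each host.
CMDB = {"web01": {"os": "linux", "kernel": "5.10"},
        "db01": {"os": "linux", "kernel": "5.4"},
        "web02": {"os": "linux", "kernel": "5.10"}}
OBSERVED = {"web01": {"os": "linux", "kernel": "5.10"},
            "db01": {"os": "linux", "kernel": "5.15"},   # drifted: CMDB is stale for db01
            "web02": {"os": "linux", "kernel": "5.10"}}


def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def is_authorized(change, approved=APPROVED):
    """A change is authorized only if its ID appears in the CAB approval register."""
    return change.change_id in approved


def unauthorized_changes(changes=CHANGES):
    """Monitoring view: the unauthorized changes themselves, for review and follow-up."""
    return [c.change_id for c in changes if not is_authorized(c)]


def authorized_and_successful_pct(changes=CHANGES):
    """Metric 1: share of all changes that were both CAB-approved and successful."""
    good = [c for c in changes if is_authorized(c) and c.succeeded]
    return pct(len(good), len(changes))


def unauthorized_with_action_pct(changes=CHANGES):
    """Metric 2: share of unauthorized changes that led to disciplinary action."""
    unauth = [c for c in changes if not is_authorized(c)]
    return pct(sum(1 for c in unauth if c.disciplined), len(unauth))


def cmdb_accuracy_pct(cmdb=CMDB, observed=OBSERVED):
    """Metric 3: share of hosts whose CMDB record matches the observed configuration."""
    hosts = set(cmdb) | set(observed)
    accurate = sum(1 for h in hosts if cmdb.get(h) == observed.get(h))
    return pct(accurate, len(hosts))
```

A low value on the second metric flags weak enforcement even when the first looks healthy, which is the point of tracking them together.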

The full study report costs $1,695 and may be hard to justify but the free executive summary is worth reading if you have an interest in the relationship between IT governance, risk, control and security.

More IT governance and change management links

Tuesday, December 26, 2006

POGO sticks at it

POGO (Project on Government Oversight) is a self-appointed activist body keeping a watchful eye on US government spending and governance issues. It encourages whistleblowers from public service to expose dubious fiscal and environmental practices or corruption, and provides support and anonymity. It has been in existence since 1981. "In the beginning, POGO (which was then known as Project on Military Procurement) worked to expose outrageously overpriced military spending such as the $7,600 coffee maker and the $436 hammer. After many successes reforming the military, POGO expanded its mandate to investigate systemic waste, fraud, and abuse in all federal agencies."

POGO encourages and supports whistleblowers in public service: "Whistleblowing is often not easy. Exposed whistleblowers are almost always reprimanded, fired, and/or harassed, even if they have not "gone public" and even if their allegations are proven to be true. It takes a lot of courage and forethought to take on a powerful government agency or a private contractor. The mental, emotional, and fiscal hardships that a whistleblower may encounter should be fully understood before any steps are taken to disseminate information - publicly or not. In recent years, protections for federal employees have been unraveled by hostile judicial rulings. As a result, federal employees have little protections against retaliation."

More IT governance, fraud and audit resources

Wednesday, December 20, 2006

Insider threats info from CERT

A fascinating podcast by CERT's Dawn Capelli reveals the results of a CERT/SEI/US Secret Service/CSO survey of the insider threat. As well as the usual roll-call of scary statistics (27% of security incidents are caused by insiders; 55% of the organizations surveyed had experienced deliberate insider malicious activities; 57% of IT sabotage attacks are committed by former employees), it mentions several interesting incidents and threats, such as employees deliberately stealing proprietary software and other information over a long period or just prior to moving to a new job, downloading logic bombs and framing their supervisors, and creating backdoor accounts, modifying privileged scripts or planting long-fuse logic bombs while they still have privileged systems access.

To back up the podcast, there is a wealth of information on the insider threat on CERT's website. This is evidently a focus area for CERT and (on a professional note) it is gratifying to find that employee security awareness is recognized as an important control - specifically, Dawn mentioned use of 'whistleblower hotlines', policies and so forth to encourage/facilitate employees shopping their peers. Snitching may create its own ethical dilemmas but, speaking as one who has occasionally benefited from information provided in confidence by 'snouts' aggrieved at the liberties taken by their colleagues, it is a sadly underappreciated form of control.

Account management and review processes and change/configuration management practices are also emphasized. The podcast highlights the amount of trust placed in privileged IT insiders.

More security awareness links

Audit checklist for information security management

The IT Compliance Institute has amassed an excellent collection of IT governance-related white papers, articles and resources. Their IT audit checklist for reviewing information security management, a new addition, has many potential uses [access requires you to register on the website]. It can be used directly by experienced IT auditors and compliance assessors as a checklist to guide a review of key controls, and it provides pointers on audit preparation, testing and reporting. Prospective auditees and managers will benefit from reading about and preparing for the kinds of things the auditors will be doing, especially the section on things the auditors will be looking for. Those designing and implementing Information Security Management Systems will appreciate the guidance on elements of an ISMS that auditors find particularly important. The checklist can even form the basis of a structured description or specification for a robust ISMS. All in all, a nice paper from the IT Compliance Institute. It's worth browsing the ITCi website for other similar resources including the biannual IT Compliance Journal [again, "free" to those who register].

More information security management, IT governance and IT audit resources

Tuesday, November 21, 2006

Risk management audit checklist

An audit checklist from the IT Compliance Institute (ITCi) explains what auditors would typically want to know about enterprise risk management practices. The checklist, written by the infamous Dan Swanson, offers practical advice to auditees as well as auditors. The ITCi "strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today's regulatory environment and find new ways to turn compliance efforts into capital opportunities."
More risk management and IT audit resources

Thursday, September 21, 2006

Information Protection Made Easy

Information Protection Made Easy: A guide for employees and contractors is a new security awareness book by David Lineman. In just 96 pages, it covers the basics of information security with an emphasis on its relevance to individual employees. Chapter titles are: Desktop and Personal Data Security • Electronic Records • Secure Web Browsing • Protecting Customer Privacy • Email and Instant Messaging Security • Compliance with Laws and Regulations • Handling Confidential Information • Employee right to privacy • Managing Passwords • Corporate governance.
More security awareness advice

Saturday, June 10, 2006

A solid information security manual

NIST Special Publication 800-100 "Information Security Manual: A Guide for Managers" is a 174-page draft released in June 2006 for public comment. It refers throughout to [US Government] agencies but in fact is broadly applicable, containing sound guidance on important areas such as information security governance, investment and metrics, planning, contingency, C&A, incident management and, of course, awareness training and education. It's a good-un, well worth a serious look.
More infosec laws, regulations and standards

Sunday, April 30, 2006

SOX s404 paper released by IIA

Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners has been released by the Institute of Internal Auditors. We are encouraged to share it with our management and Boards.
More governance links

Friday, January 13, 2006

ISACA drops audit name

To help cement its move away from IT auditing towards IT governance, ISACA will no longer be known officially as the Information Systems Audit and Control Association. This is a bit like British Petroleum, British Telecom and British Airways becoming BP, BT and BA, respectively: some of us traditionalists still recall the original names and all that they once stood for. Some of us can tell the difference between Personal Computer and Politically Correct.
More IT audit resources

Tuesday, August 02, 2005

IIA Change and Patch Management Controls guide

The Institute of Internal Auditors’ final draft guide to change and patch management controls is “about managing risks that are a growing concern to those involved in the governance process. Like information security, management of IT changes is a fundamental process that can cause damage to the entire enterprise and easily disrupt operations if it is not performed well. This enterprisewide impact makes change management of interest to many audit committees and, as a result, to top management. The objective of this guide is to convey how effective and efficient IT change and patch management contribute to organizational success.”
More change management resources

Wednesday, June 01, 2005

ITIL portal

Loads of free information on the IT Infrastructure Library.
More IT governance links

Friday, May 13, 2005

SOX puts audit costs up

A survey attributing $1.4 bn of additional costs to Sarbanes-Oxley compliance includes a subtle message. Banks, insurance and drug companies saw significant increases in their audit costs, but energy, utilities and retail companies saw even greater increases ... presumably implying that they had much more to do to reach compliance.
More IT governance links here

Sunday, May 01, 2005

Governance Focus blog

The Governance Focus blog has been going since September 2003. It covers governance very broadly and gives a fascinating insight into what's happening in the field. Well worth a look.
Other governance links here

Friday, April 29, 2005

IT Governance book

Peter Weill and Jeanne Ross published this precis of their book IT Governance in an Australian magazine.
Read our review of the book here

Principles of corporate governance

A white paper from US CEO forum The Business Roundtable gives an overview of their position on corporate governance. They recommend that every publicly owned corporation should have a committee that addresses governance issues, but then confuse the matter by discussing the nominating committee (appointing suitable Board members is only one part of corporate governance).
More governance resources

Friday, April 22, 2005

ISO17799 case study

This is a fascinating case study expounding the business value of implementing ISO17799 (BS7799). The case reveals some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere.
More IT governance and information security management resources

Thursday, April 21, 2005

IT Governance book review

We have published a review of the IT Governance book by Weill and Ross to tie-in with this month's NoticeBored Classic security awareness module, funnily enough on IT governance. Find out what makes it worthwhile reading to the last chapter.
More IT governance resources

Saturday, April 16, 2005

MG Rover bosses grilled

Two weeks before British vehicle manufacturer MG Rover finally went into administration, tough questions were being asked of its Chairman and directors regarding some 'unusual' business transactions. Corporate governance is the core issue. We will probably never know the full picture. Meanwhile, thousands of workers are unemployed despite millions of pounds of public money being spent in attempts to shore-up the failing firm.
IT governance resources

Thursday, April 14, 2005

Corporate governance ratings for UK listed companies

FTSE, a private company providing financial information on thousands of companies worldwide, has started providing corporate governance ratings in conjunction with ISS. The ratings are apparently derived from "up to 61 corporate governance variables". We have no opinion on the veracity of their Corporate Governance Quotients and, as always, advise investors to take advice from professional advisors, not us. [Note: access to the FTSE site requires free registration].
More IT governance resources

Wednesday, April 13, 2005

Rash of new infosec laws

An article in USA Today lists quite a few security-related US laws that are in progress or planned. Multiply this list by N to cover similar initiatives in the rest of the world and the scale of the legal compliance issue starts to become clear.
More IT governance and IT law resources

Sunday, April 10, 2005

Whistleblower brokerage service

ReportLine, ComplianceLine, SilentWhistle and Shareholder.com are examples of commercial services handling calls from customers’ employees who wish to blow the whistle on dishonest/unethical behavior, fraud, health and safety breaches, HIPAA/data protection breaches and related matters. The Government Accountability Project and BlowTheWhistle support those blowing the whistle on wrongdoing affecting public bodies. Sarbanes-Oxley is yet another reason why organizations should take their responsibilities towards such whistleblowers very seriously indeed. Outsourcing this particular kind of service has a number of advantages. For instance, the call handling agency is independent of the organization and thus may be considered more trustworthy than insiders. Secondly, it builds a competence in assessing, prioritizing and dealing professionally with reported issues beyond the level achievable by an internal function. [We recently proposed the formation of an international not-for-profit organization to handle information security vulnerability reports in the same kind of way ...]
More IT governance resources here

Saturday, April 09, 2005

Infosec incident in Indian call center

The gist of this news article is that a fraud involving the theft of customer details by call-center operators in an Indian company may discredit the whole Indian off-shore/outsourcing market. Sorry, I don't buy that argument. The truth is that IT fraud is a risk in ALL countries. I see no reason to believe that India is inherently more risky than anywhere else - in fact, the increasing level of interest in our security awareness products from Indian IT companies suggests quite the opposite to me. At the risk of over-generalizing, India seems very well aware of the importance of information security.
More IT fraud links and IT governance links

Wednesday, April 06, 2005

Australian IT governance standard

Australian standard AS 8015-2005 provides guiding principles for Directors on "the effective, efficient, and acceptable use of ICT". This is believed to be