MIS Training Institute’s TransMISsion Online, Infosecurity/IT
Audit Edition, Volume 7, Issue 1
======================================================================
What’s Inside…
1. Making the Cyber Security Grade
2. New from MIS: The Sarbanes-Oxley Certificate
3. Your 2006 Course Catalog Will Be Arriving Soon
4. MIS' IT Security World 2005 Conference and Expo
5. Upcoming Events
======================================================================
1. Making the Cyber Security Grade
By Jim Litchko, CAS
Why do the IT security programs of so many organizations fail to
make the grade?
Most frequently, the answers to this troubling question include
not enough senior management support, experts, technology, trusted
commercial software, resources, and standards. The real reason,
however, is they lack a balanced strategy, one that incorporates
three distinct plans of action.
The Wrong Approach…and the Right One
Over the past three decades, the two most common practices have
involved the “secure-it” and “technology”
approaches. The secure-it approach seeks to build a 100% secure
system. The technology approach attempts to prevent all attacks
on a system using just technical solutions.
After supporting over 100 IT security assessments, I have concluded
the following truths:
• A 100% secure IT system is not affordable, nor will it meet
operational requirements or be acceptable to users
• The most successful IT system security programs blend 10-30%
technology and 70-90% traditional security solutions (policy, procedures,
physical, personnel, etc.)
• Using the best, most complex, and strongest security solutions
can kill a business faster than any hacker, insider, virus, or terrorist
• Securing any IT system without an understanding of the business,
its operations, and its users will end in failure
What is needed is for security and IT professionals to pull together
a successful security strategy that uses all three approaches: secure-it,
technology, and business.
The Business Approach
The business approach focuses on securing the system from a business
perspective and on achieving the organization’s goals and
objectives. This approach starts with understanding the organization’s
business, operations, flow of information, and users’ culture,
capabilities and expectations.
Business is about meeting the goals and objectives of the organization.
What is its purpose? Does it provide services, distribute information,
sell and ship products, or reserve transportation or properties?
Operations are about how businesses accomplish their goals and objectives
and with what structure. Some examples might include interfacing
with banks, shipping products, communicating with partners and employees,
or advertising products and services.
The flow of information is important because it explains, for example,
how things are controlled, how people are informed so they can take
actions and/or make decisions, what is sensitive and what is public,
and how fast information has to move.
Users’ expectations, culture, environment and capabilities
are critical to determining which security solutions will be most
effective for a system. Would an accountant and researcher accept
the same authentication solution? What personal information is considered
sensitive to individuals filling out forms? What would be the result
if an online store required that buyers have a smartcard to conduct
a transaction?
The business approach allows anyone to gather the above information
without asking one security question, and that makes the assessment
process much more comfortable for system personnel. It also allows
them to gain a better understanding of why the system is there,
how it operates, what elements are critical, and what security is
required.
The business approach will also give IT managers a business and
operational understanding, terminology, motivations, and justifications
that will allow them to promote the need for security to their management
and users and gain additional resources and compliance.
Finally, it will allow them to explain to the auditors and senior
management why the system’s residual security risks and deviations
from standards are acceptable for operational reasons.
Advantages
Using the business approach with the secure-it and technical approaches
lets you:
• Make assessment relevant and less invasive to the owner
• Improve owner awareness of the system and its impact on
operations
• Allow for more effective use of resources and setting priorities
• Help identify the most acceptable solutions for operations
and users
• Provide realistic justifications for explaining security
needs to executives and users
• Support compliance with regulations and standards
In short, using all three approaches will allow your organization
to gain a passing cyber security grade.
Recently, a consultant started a security assessment by asking,
“Where is your firewall?” The system owner responded,
“Don’t you want to know what our system supports?”
The consultant answered, “No, I am here to secure your system
not improve your business.” The owner correctly hired another
consultant.
About the Author: Jim Litchko, CAS, is an IT security expert, TEC
speaker, strategic advisor, corporate executive, entrepreneur, IT
manager, an adjunct professor at Johns Hopkins University, and the
author of KNOW IT Security, KNOW Cyber Risk, and Cyber Threat Level
Response Handbook.
2. New from MIS: The Sarbanes-Oxley Certificate
In response to the many requests we’ve received, we are now
offering the MIS Sarbanes-Oxley Certificate. The seminars in this
curriculum focus on the essential skills you need to help your organization
ensure proper controls are in place to achieve S-OX compliance;
to test those controls; and to implement an ongoing program that
will allow you to capitalize on your initial compliance efforts.
What’s more, whether you are an internal auditor, IT auditor,
or infosec professional, you can customize the certificate curriculum
to your discipline. For more information about this timely new certificate,
go to:
http://www.misti.com/08/tris0805cert.html
3. Your 2006 Course Catalog Will Be Arriving Soon
Watch your mailbox for your 2006 Course Catalog. We’ve added
six new courses to our comprehensive curriculum to boost your audit
and information security skills:
**Combating Financial Institution Fraud
http://www.misti.com/08/tris0805oaf305inf.html
**Auditing Construction Activities
http://www.misti.com/08/tris0805oap112inf.html
**Data Mining for Auditors
http://www.misti.com/08/tris0805oap215inf.html
**Auditing Procurement Card Systems
http://www.misti.com/08/tris0805oap224inf.html
**Internal Audit Quality Assessment Reviews
http://www.misti.com/08/tris0805oap361inf.html
**Securing and Auditing Windows XP Workstations
http://www.misti.com/08/tris0805aso211inf.html
4. MIS' IT Security World 2005 Conference and Expo
Coming to San Francisco September 28-30, 2005, IT Security World
2005 tackles the full spectrum of security challenges and delivers
real-world, unbiased solutions. This one-of-a-kind event offers
over 30 focused, technical sessions that get to the heart of today’s
e-security and network demands.
Plus, the unique format of the conference allows you to attend any
of the following Sector Security Summits:
FinSec - Tailored to the needs of information security professionals
in the financial sector
GovernmentSec - Designed for those in state and federal service
who need to focus on the security interests of government
LegalSec - Provides the low-down on Sarbanes-Oxley and other security-related
legislation
HealthSec - A proven roadmap for healthcare information security
professionals to optimize security in a HIPAA and e-health world
And there’s more.
The IT Security World 2005 Expo will feature top technology companies
showcasing the latest in information security solutions. Also, in
conjunction with the conference, the CISO Executive Roundtable will
be held on September 27. This one-day event will address the challenges
faced by today’s CISO and provide real-world strategies and
best practices for aligning security objectives with business goals.
For more information and to register, go to:
http://www.misti.com/08/tris0805reg.html
5. Upcoming Events
***Special Programs
___HealthSec 2005 Conference and Expo
September 28-30, 2005, San Francisco, CA (Optional workshops September
26, 27, & October 1)
http://www.misti.com/08/tris0805hs05inf.html
___CISO Executive Roundtable at IT Security World
September 27, 2005, San Francisco, CA
http://www.misti.com/08/tris0805cisoits.html
___IT Security World
September 28-30, 2005, San Francisco, CA (Optional workshops September
26, 27, 30, & October 1)
http://www.misti.com/08/tris0805its05inf.html
***Seminars
___Information Security Boot Camp
http://www.misti.com/08/tris0805isg291inf.html
___Using CAATs to Improve Audit Productivity
http://www.misti.com/08/tris0805itg225inf.html
___Sarbanes-Oxley for Information Security Professionals
http://www.misti.com/08/tris0805isg242inf.html
___How to Manage an Information Security Program
http://www.misti.com/08/tris0805ism101inf.html
___Preparing the CISA Examination
http://www.misti.com/08/tris0805itg231inf.html
-------------------------------------------------------------------------------------------------------------------
MIS Training Institute
498 Concord St., Framingham, MA 01702-2357
Tel: (508) 879-7999
Fax: (508) 872-1153
E-mail: mis@misti.com
Web: http://www.misti.com/08/tris0805hp.html
In addition to its US programs, MIS Training Institute delivers
leading information security and audit training around the globe.
For courses in Europe, the Middle East and Africa, go to: http://www.misti.com/08/europe.html;
in Asia, go to: http://www.misti.com/08/asia.html.
---------------------------------------------------------------------------------------------------------------------
You are receiving this email from MIS Training Institute as part
of your requested subscription to TransMISsion Online. This e-mail
is commercial in nature.
---------------------------------------------------------------------------------------------------------------------