Art of Information Security

Random Insights on Protecting Data, Privacy, and Digital Infrastructure

Art of Information Security Episode 002: GTAGs and Safe Harbors

December 29, 2007

Art of Info Sec 002: GTAGs and Safe Harbors

GTAGs

The Institute of Internal Auditors has been releasing a white paper series on issues related to IT Risk Management and Information Security. The papers are titled GTAGs, an acronym for Global Technology Audit Guidance. The project is very ambitious: it tries to break down major technical topics, the IT risks associated with them, and the controls that are available, in a concise format accessible to senior risk executives.

Of the nine that have been released to date, several caught my eye. Here are the ones I would like to highlight:

  • Auditing Application Controls
  • Change and Patch Management Controls
  • Identity and Access Management
  • Information Technology Outsourcing
  • Managing and Auditing Privacy Risks
  • Managing and Auditing IT Vulnerabilities

You can find the library of papers at The IIA’s GTAG portal. New materials are released regularly.

In Other News…

Earlier this month I participated in a Webinar titled “Getting More Encryption for Less”. At the end of the call there were a few interesting questions during the Q and A session, one of which I wanted to recap here…

Question: Will Federal Privacy Regulations include Cryptography Standards for “Safe Harbors”?

  • Discuss what a Safe Harbor is, using the California Security Breach Information Act (SB-1386) as an example
  • Introduce NIST, FIPS, and FIPS 140-2

Cheers, Erik

Categories: News and Info, Podcast
Tags: Encryption, FIPS 140-2, GTAG, NIST

Get Rich Quick at FakeChecks.Org – N O T

December 28, 2007

While I was checking the weather via the internet last night, I saw a banner ad for FakeChecks.org (click here), which turns out to be an anti-check-fraud website sponsored by the National Consumers League. Check fraud has been around almost as long as checks themselves (I am sure it took a week or two for someone to try to steal cash using the newly invented check… ;-) ), but the anonymity and long-distance communications capabilities provided by the Internet are reviving old scams and creating new ones.

A key component in a lot of fraud and scams is Social Engineering of one kind or another. Social Engineering is also a huge threat to Information Security controls of all kinds. The tool to combat it is user awareness. I applaud FakeChecks.org for their efforts.

Cheers, Erik

Categories: News and Info
Tags: 419, Check Fraud, FakeChecks.org, Social Engineering

Episode 2 and Beyond – A Few Teasers…

December 12, 2007

It has been one month since the release of Episode 1. It has been downloaded over 215 times, and FeedBurner is reporting over 80 subscribers to the feed (RSS and Podcast combined). This is much more attention than I expected Episode 1 to generate. Thanks!

But don’t think I am going to ‘rest on my laurels’…

The last month has been incredibly busy, and I have a ton of content that I want to work on but I keep getting pulled in different directions. Episode 2 is going to be an audio only podcast which I hope to have released over the weekend…

I have a number of topics that I am mulling over for Episodes 3 and beyond, which include:

- Basics of Information Security and Risk Management series

- Quick intro to some of the open source host protection tools I have been working with

- Discussion of my favorite open source security tool… (openSSL)

- and I am dying to start discussing some real world cryptography topics…

(Just to name a few…)

What I would really like to do is find out what topics you are interested in, so that Art of Information Security can have relevant and compelling content. To address this need I have created a feedback section on the site, located in the main menu bar (or click here). Also, your comments, posted either on Art of Information Security or via email, are always welcome.

BTW: Last week I participated in a webinar entitled Getting More Encryption for Less with Paul Stamp (Forrester Research), Jim Porell (Chief Architect IBM System z), and Paul Turner (VP, Product and Customer Solutions, Venafi). (Click here to listen to a replay.) Also, I will recap the Q & A portion of the webinar in Episode 2.

Best regards, Erik

Categories: News and Info, Site Info
Tags: Encryption, Jim Porell, openSSL, Paul Stamp, Paul Turner, z/OS

RSA Has Posted Podcasts From The Conference…

November 13, 2007

While I was in London, the folks who run the RSA Conference did a quick interview with me on the Quick Business Case and Information Security in general.

Here is a link to the RSA Europe 2007 podcasts…

There are 16 conference participants with whom RSA did podcasts.

Check them out…

Categories: News and Info
Tags: RSA Europe 2007

Someone Was Taking Notes…

November 5, 2007

First, my apologies that the Quick Business Case Slidecast hasn’t been completed and posted yet. As soon as I get rid of my cold, I will be recording and posting it. I hope that will be within a few days.

It appears that someone was taking notes at my presentation on Oct 22nd. My presentation was featured in the RSA Conference Daily summary (article link).

Cheers, Erik

Categories: News and Info
Tags: Quick Business Case, RSA Europe 2007
