Best practices for protecting against the highest risk factors and escalating threats facing cardholder data security:
· Milestone One: If you don’t need it, don’t store it
· Milestone Two: Secure the perimeter
· Milestone Three: Secure applications
· Milestone Four: Monitor and control access to your systems
· Milestone Five: Protect stored cardholder data
· Milestone Six: Finalize remaining compliance efforts, and ensure all controls are in place
Thursday, April 30, 2009
Thursday, April 23, 2009
PCI Compliance Standards
PCI Data Security Standard (PCI DSS) from PCI Security Standards Council (TM)
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Wednesday, April 22, 2009
IT Security Matrix for Compliance
Create a matrix with the control requirements across the top and the security layers down the left. When listing a security layer or element, also identify whether it is a preventive or a detective control. Existing control listings and security architecture maps should help.
Use clear, green, yellow, and red to identify which layers/control types meet the control requirements on top completely, partially, or not at all. The deliverable will be a control assessment.
In some cases, two or more controls may each provide only partial protection individually but together fully meet the control requirement.
Check for unnecessary controls, and analyze the matrix to identify where a single layer may address a whole cluster of controls.
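The matrix described above can be kept as data and scored mechanically, which makes the "together they meet it", "unnecessary control" and "one layer covers a cluster" checks repeatable. The following is an added example, not code from the original post: the layers, their scores and the one complementary pairing are constructed for illustration, and the requirement names reuse the PCI DSS headings quoted on this page.

```python
"""Control assessment matrix: security layers down the side, control
requirements across the top, each cell scored none / partial / full
("clear", "yellow", "green" in the post's colour scheme).

Added example, not from the original post.  The layers, scores and the
complementary pairing below are constructed for illustration; the
requirement names are the PCI DSS headings quoted on the page.
"""
from typing import Dict, List, Tuple

NONE, PARTIAL, FULL = 0, 1, 2
COLOUR = {NONE: "clear", PARTIAL: "yellow", FULL: "green"}

REQUIREMENTS = ["Req 1 firewall", "Req 2 no defaults",
                "Req 4 encrypt transit", "Req 10 track access"]

# layer -> (control type, per-requirement score); absent cells mean NONE.
LAYERS: Dict[str, Tuple[str, Dict[str, int]]] = {
    "perimeter firewall": ("preventive", {"Req 1 firewall": FULL,
                                          "Req 2 no defaults": FULL,
                                          "Req 10 track access": PARTIAL}),
    "host IDS":           ("detective",  {"Req 10 track access": PARTIAL}),
    "central log server": ("detective",  {"Req 10 track access": PARTIAL}),
    "TLS on all links":   ("preventive", {"Req 4 encrypt transit": FULL}),
    "site-to-site VPN":   ("preventive", {"Req 4 encrypt transit": PARTIAL}),
}

# Constructed: partial controls the assessor judged to meet a requirement
# fully when they operate together.
COMPLEMENTARY: Dict[str, List[Tuple[str, ...]]] = {
    "Req 10 track access": [("host IDS", "central log server")],
}


def score(layer: str, req: str, layers=LAYERS) -> int:
    return layers[layer][1].get(req, NONE)


def requirement_level(req: str, layers=LAYERS) -> Tuple[int, str]:
    """Best coverage for one requirement and which layer(s) provide it."""
    for name in layers:
        if score(name, req, layers) == FULL:
            return FULL, name
    for group in COMPLEMENTARY.get(req, []):
        if all(n in layers and score(n, req, layers) >= PARTIAL for n in group):
            return FULL, " + ".join(group)
    partials = [n for n in layers if score(n, req, layers) == PARTIAL]
    if partials:
        return PARTIAL, ", ".join(partials)
    return NONE, ""


def assess(layers=LAYERS) -> Dict[str, int]:
    """Overall level reached for every requirement (the bottom row)."""
    return {req: requirement_level(req, layers)[0] for req in REQUIREMENTS}


def redundant_layers(layers=LAYERS) -> List[str]:
    """Layers whose removal leaves every requirement at the same level."""
    baseline = assess(layers)
    redundant = []
    for name in layers:
        without = {k: v for k, v in layers.items() if k != name}
        if assess(without) == baseline:
            redundant.append(name)
    return redundant


def clusters(layers=LAYERS) -> Dict[str, List[str]]:
    """Layers that on their own fully meet two or more requirements."""
    out = {}
    for name in layers:
        full = [r for r in REQUIREMENTS if score(name, r, layers) == FULL]
        if len(full) >= 2:
            out[name] = full
    return out


def render(layers=LAYERS) -> str:
    """Plain-text version of the coloured matrix plus the overall row."""
    width = max(len(n) for n in layers) + 14
    lines = ["layer".ljust(width) + " | " + " | ".join(REQUIREMENTS)]
    for name, (ctype, _) in layers.items():
        cells = [COLOUR[score(name, r, layers)].ljust(len(r)) for r in REQUIREMENTS]
        lines.append(f"{name} ({ctype})".ljust(width) + " | " + " | ".join(cells))
    lines.append("overall".ljust(width) + " | " + " | ".join(
        COLOUR[assess(layers)[r]].ljust(len(r)) for r in REQUIREMENTS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
    print("redundant:", redundant_layers())
    print("clusters:", clusters())
```

In this constructed data the two detective controls only reach "green" on Requirement 10 together, the VPN adds nothing beyond what TLS already provides (a candidate for removal, or for re-scoring if it protects something the matrix does not list), and the firewall alone covers a cluster of two requirements. Note that a combination only counts when it is recorded explicitly in COMPLEMENTARY; two yellows are not silently promoted to green.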
Tuesday, April 21, 2009
Audit TCP/IP Infrastructure
• Review network policies and procedures
• Analyze network diagrams (layer 1 & 2), design, and walk-through; list of network equipment and IP address list
• Verify diagrams with Ping and Trace Route
• Review utilization, trouble reports and help desk procedures
• Probe systems using scanning tools
• Verify network vendor oversight, user support, and network technicians' services
• Review software settings on network equipment
• Inspect computer room and network locations
• Evaluate back-up and operational procedures
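The "verify diagrams with Ping and Trace Route" step is about reconciling what the diagram claims with what the network actually answers. The following is an added example, not code from the original post: the inventory, documented paths and traceroute transcripts are constructed (they follow the common Unix traceroute line format, with "*" for a hop that did not answer), and the script only parses saved output, so it runs offline.

```python
"""Check a documented network diagram against observed traceroute
output, as in the "verify diagrams with Ping and Trace Route" step.

Added example, not from the original post.  The inventory, the documented
paths and the traceroute transcripts below are constructed; they follow
the common Unix traceroute line format (hop number, address, RTTs, with
'*' for a hop that did not answer).
"""
import re
from typing import Dict, List, Optional

# Constructed inventory from the (fictional) network diagram: IP -> device.
INVENTORY = {
    "10.0.0.1":   "core-rtr-1",
    "10.10.0.1":  "dist-sw-a",
    "10.20.30.5": "db-server-1",
    "10.20.40.9": "app-server-2",
    "10.99.0.2":  "legacy-printer",
}

# Constructed: hop sequence the diagram says each destination sits behind.
DOCUMENTED_PATHS = {
    "10.20.30.5": ["10.0.0.1", "10.10.0.1", "10.20.30.5"],
    "10.20.40.9": ["10.0.0.1", "10.10.0.1", "10.20.40.9"],
}

# Constructed traceroute transcripts, one per destination.
TRACEROUTES = {
    "10.20.30.5": """traceroute to 10.20.30.5 (10.20.30.5), 30 hops max, 60 byte packets
 1  10.0.0.1  0.412 ms  0.380 ms  0.371 ms
 2  10.10.0.1  1.203 ms  1.150 ms  1.144 ms
 3  10.20.30.5  2.001 ms  1.980 ms  1.975 ms
""",
    "10.20.40.9": """traceroute to 10.20.40.9 (10.20.40.9), 30 hops max, 60 byte packets
 1  10.0.0.1  0.401 ms  0.390 ms  0.385 ms
 2  10.10.0.1  1.210 ms  1.160 ms  1.158 ms
 3  10.10.5.7  1.600 ms  1.590 ms  1.585 ms
 4  * * *
 5  10.20.40.9  2.300 ms  2.280 ms  2.270 ms
""",
}

# hop number, then either "*" or a dotted-quad address
HOP_RE = re.compile(r"^\s*(\d+)\s+(\*|\d{1,3}(?:\.\d{1,3}){3})")


def parse_traceroute(text: str) -> List[Optional[str]]:
    """Return the hop addresses in order; None for a hop that did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or something we do not recognise
        addr = m.group(2)
        hops.append(None if addr == "*" else addr)
    return hops


def compare_path(dest: str) -> Dict[str, List[str]]:
    """Differences between the documented path and the observed hops."""
    observed = parse_traceroute(TRACEROUTES[dest])
    documented = DOCUMENTED_PATHS.get(dest, [])
    answered = [h for h in observed if h is not None]
    return {
        "undocumented_hops": [h for h in answered if h not in documented],
        "missing_hops": [h for h in documented if h not in answered],
        "silent_hops": [str(i + 1) for i, h in enumerate(observed) if h is None],
        "unknown_devices": [h for h in answered if h not in INVENTORY],
    }


def unverified_inventory() -> List[str]:
    """Inventory entries never seen in any trace (diagram may be stale)."""
    seen = set()
    for text in TRACEROUTES.values():
        seen.update(h for h in parse_traceroute(text) if h)
    return sorted(ip for ip in INVENTORY if ip not in seen)


def report() -> str:
    lines = []
    for dest in DOCUMENTED_PATHS:
        diff = compare_path(dest)
        status = "matches diagram" if not any(diff.values()) else "DIFFERS"
        lines.append(f"{INVENTORY.get(dest, dest)} ({dest}): {status}")
        for key, vals in diff.items():
            if vals:
                lines.append(f"    {key}: {', '.join(vals)}")
    lines.append("never observed: " + ", ".join(
        f"{INVENTORY[ip]} ({ip})" for ip in unverified_inventory()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Three kinds of finding come out of the constructed data: a hop the diagram does not show and the inventory does not know (a diagram gap or an undocumented device, either of which is worth a follow-up question), a hop that filters probes (which is normal for many firewalls but should be explainable), and an inventory entry no trace ever touched, which may simply be off the tested paths or may be a stale diagram entry.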
Monday, April 20, 2009
WLAN and Wireless Compliance
Review the FCC Part 15 regulatory requirements.
http://www.fcc.gov/oet/info/rules/part15/part15-91905.pdf
It covers various emission guidelines and regulations, focusing on unlicensed transmissions such as low-power broadcasting. 802.11x wireless LANs (e.g. "Wi-Fi") in the 2.4 GHz and 5 GHz (U-NII) bands fall under this regulation.
Include compliance requirements as appropriate in your WLAN and wireless compliance reviews, recommendations, and proposed documented policies, procedures, or internal standards.
Third-party BCP Impact Audit Scope
Vendor contract obligations
Defined cut over procedures
Risks to shared facilities and overall availability
Data backups and storage
Hardware and applications availability
Access security controls
Facility and environmental controls
Time frames for acceptable off site processing
Sunday, April 19, 2009
Security and Audit - Improve The Relationship
Document everything. List your measures to reduce risk, and decisions to accept risk, when flexibility or potential benefits dictate it.
Good controls should be part of the process, not afterthought insertions. They address compliance requirements and enhance security. Monitor them through metrics.
Design and implement best practices that fit your infrastructure; then, track them through measurable performance metrics.
Be prepared to prove your assessment of the effectiveness of the controls framework and its mitigating factors.
Saturday, April 18, 2009
Audit Healthcare Provider Fraud Schemes
Billing for services not performed
Documenting non-covered treatments as covered
Recording diagnosis and treatments based on what is covered
Performing more care than necessary
Coding for higher pay than the care performed warrants
Misstating services performed
Pretending to be a health care worker to bill
Un-bundling services and coding
Thursday, April 16, 2009
Guess What's On Your Hard Drive
In addition to documents, graphics, and sound files, there are
Internet Browser History Files
Temporary Internet Files
Automatic Backup Files
Power Saver Functions
Data about your data files
Unique Identifiers
Virtual Memory and Swap Files
Temporary Files
Spooled Files
Plenty of data for forensics and privacy issues
Internal Audit Essential Objectives
Learn and know the business supported by processes
Adapt auditing appropriately to the environment
Upgrade audit skills inventory for effective performance
Wednesday, April 15, 2009
What Corporations Want from Internal Auditors
Appropriate scope of audit activities
Input in risk mitigation
Efficient and effective periodic internal control assessments
Value-added improvements in processes and error reductions
Help with cost reductions
Providing appropriate assistance in achieving compliance
Assistance in fraud prevention, detection, and evaluations
Help with financial statement assurance
Tuesday, April 14, 2009
Mistakes Responding to Auditors
Misreading what the auditor is asking or asking for
Not fully understanding the scope and implications of auditor inquiries
Forwarding documents to auditors with obvious errors
Responding with the wrong policy or procedure documents
Being distracted or confused by auditor's multiple requests
Not providing relevant info due to elimination of areas that are applicable to a request
Not having detailed knowledge of the specific test area, and not asking for appropriate help
Attempting to respond to auditors by guessing or using intuition
IFRS Impact on Audit
Analyze the adequacy and appropriateness of identification of gaps between US GAAP and IFRS
Determine whether proposed internal control changes are aligned with the identified gaps.
Review current policies and documented processes to assess alignment
Analyze whether information gathering processes will support the new data requirements
Evaluate any workarounds to meet compliance requirements, resulting from lack of adequate information system integration of data collection processes
Review transition plans for risks and adequacy of testing
Determine whether adequate backup plans exist, and how backward compatibility will be maintained (this could be the sticky one)
Current Compliance Challenges
Companies operating in more than one state, country, or continent, face multiple and diverse regulations.
Developing coherent compliance strategies and policies becomes a challenge because of the diversity of regulations and potential conflicts among these regulations in different markets.
This creates a form of risk for corporations attempting to develop efficient and effective strategies to meet their obligations.
Friday, April 10, 2009
Improve Internal Audits
Like zero-based budgeting, determine what audits to perform, not just repeat last year
Envision potential value of recommendations, to ensure that higher-value areas are covered
Define audit objectives in detail to avoid over-extending resources
Use established formats for every audit process step to slow the flurry of emails
Risk assessments should use process owners' input
Audit tools are fine as long as auditors understand what is obtained and the tools' limitations
Not only false positives are audit tool problems, but are things fine if no exceptions show up?
Audit findings should be meaningful, not just enough to fill up a report
Just What Is Internal Auditing?
Getting back to basics reminder:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”*
* The International Standards for the Professional Practice of Internal Auditing
promulgated by the Institute of Internal Auditors
Thursday, April 9, 2009
Develop High-Performance Audit Teams
1. Communicate confidence in your auditors. It will promote creative problem solving and independent decision making.
2. Let everyone in on what's going on. When changes happen, no one will be surprised. Ask for help and input when struggling with your decisions. Everyone appreciates the opportunity to add insight to important decisions. Hey, it also helps to build consensus.
3. Focus on obstacles and objectives. Not everything turns out as planned, but great teams shine by how they adjust to unforeseen changes.
4. Relax, you don't need to know everything. Let everyone share their experience and provide facts, analysis, and recommendations.
5. Get to know them and their goals, interests, and passions. For one thing, you will be able to connect what needs to be done to those persons and interests, and increase effectiveness and efficiency.
Wednesday, April 8, 2009
Fastrack BCP Steps
1. Assess business impact of a disaster, using process owners, and prioritizing operations
2. Know your data and ensure that it is protected, testing to ensure compatibility of restores
3. Check the UPS choices for your key servers, networks, ensuring that essential apps will be up
4. Document all, including your testing and changes to underlying process support
5. Develop communication duplications, assuming that what you rely on will fail
6. Be able to provide management with choices and costs, to permit the right, timely decisions
Tuesday, April 7, 2009
Audit Team Effectiveness Criteria
When evaluating audit team performance within a team-oriented corporate culture, consider rating on the following items:
- Results that match goals and objectives
- Employing available resources effectively
- Developing cooperative relationships that enhance conflict resolution
- Bringing new insights and finding improved methods
- Developing appropriate team roles and responsibilities
- Ability to handle various organizational levels and interpersonal challenges
- Group effectiveness in decision-making and responding to unforeseen developments
- Being seen as providing added-value leadership on key issues
- Adherence to established internal audit processes
Monday, April 6, 2009
Computer Forensics Can Do
1. Who accessed what information and when
2. Who created/edited/deleted what and when
3. What documents were copied, and to what device
4. What was the content of communication between employees and outsiders
5. What other out-of-policy acts were attempted through the use of information systems
Saturday, April 4, 2009
Privacy Compliance
Privacy, the current focus for corporations, presents a new set of potential liabilities that have to be addressed by audit and information security. Worse yet, this complex set of issues is not being handled by general control reviews, SOD, access, or even accounting controls.
Privacy policies, if in place, have to encompass various requirements like PII, some of which seem almost contradictory. Generally, privacy is the safeguarding of information that can be identified with a person. The right to privacy implies ownership rights to one's own personal data.
For organizations, the concern is how to define, protect, and respond to privacy issues. Thus, auditors need to determine whether privacy-related information handling meets various privacy requirements.
A good starting point is to examine the current privacy statements, especially those sent to customers, and trace back to ensure that what is promised is adequately covered by policies, procedures, and actual practices. It will help to avoid potential false and deceptive business practices issues arising from not actually performing what has been promised to customers.
Friday, April 3, 2009
Comply While Centralizing Information and Data
Centralizing data allows for access from wired, wireless, and portable devices. Check the following for proper coverage.
Know your data and its location: Map data and the applications that handle it. Make sure you identify owners as data moves across applications.
Examine security for your own and vendor-kept data: Check third-party vendor contracts for security specifications, and verify access controls over in-house data.
When putting all your data in a single basket, watch the power flowing to it: Examine the potential for, and the protection against, any power disruptions.
Monitor activity: Look at vendor performance reports and your own data statistics. Compare them to the agreed service levels, and trace the service levels back to the vendor contracts, determining whether the contracts adequately address performance.
Above all, have fun.
Thursday, April 2, 2009
How Not to Misunderstand an Auditor
Understand the question in terms of the applicable context.
Get a clear idea of what is to be delivered: the deliverable.
Provide only the appropriate documentation.
Check for errors on all documents provided, and keep a list of what was given.
Avoid being distracted by multiple requests when completing a specific request.
Don't overlook appropriate and relevant information.
If you don't understand what to provide, ask those who know more details.
Pay attention to the wording of requests, leaving intuition for picking lotto numbers.
Wednesday, April 1, 2009
Policy & Procedure Tactics
Promote commitment to compliance by developing and living by compliance policies and procedures, focusing on specific areas because of audit findings or other new requirements.
1. Baseline Policies: Review existing policies, creating an initial list of baseline compliance policies that will be maintained.
2. Issue-Specific Policies: See if there is a need to create any new issue-specific policies.
3. Existing Non-Compliance Policies: Which existing non-compliance policies should be reviewed with the legal staff for compliance?
4. Annual Policy Review: Each year review all compliance policies and procedures and determine whether any of the policies require revisions or updates.
Prepare the first draft of baseline and issue-specific compliance policies and procedures, as well as revisions to existing policies. Then, submit the first draft of the policies for appropriate approval. Next, get feedback on any draft policy via a redlined draft or comments within a week of receipt of the draft. Get the right approval group to review and authorize the revisions.