ISSC Governance


posted 18 May 2010, 05:03 by Kanav Gupta

False reject rate (FRR): This is commonly referred to as a Type I error, or a false rejection error. It is the proportion of legitimate users the system wrongly rejects.
False accept rate (FAR): This is commonly referred to as a Type II error, or a false acceptance error. It is the proportion of impostors the system wrongly accepts.
Crossover error rate (CER): This is the error rate at the point where the FRR and FAR are equal, represented as a number or a percentage. The lower the number or percentage, the more accurate the biometric system is. For example, a CER of 2 (or 2 percent) is much better than a CER of 10 (or 10 percent).
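The three rates above depend on the decision threshold the matcher uses, so they are best understood by sweeping that threshold. The following is an added example, not part of the original post: it computes FRR and FAR over constructed genuine and impostor match scores (assumed to be similarity values in the range 0 to 1, with a sample accepted when its score reaches the threshold) and locates the crossover point that gives the CER.

```python
# Added example (not from the original post): computing FRR, FAR and the
# crossover error rate (CER) from constructed biometric match scores.
# Assumption: scores are similarity values in [0, 1], and a sample is
# accepted when its score is >= the decision threshold.

# Constructed sample data: scores the matcher returned for genuine users
# (should be accepted) and for impostors (should be rejected).
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.69, 0.64, 0.58]
IMPOSTOR_SCORES = [0.12, 0.21, 0.27, 0.33, 0.41, 0.48, 0.55, 0.61, 0.66, 0.74]


def false_reject_rate(genuine, threshold):
    """FRR (Type I error): fraction of genuine users wrongly rejected."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def false_accept_rate(impostors, threshold):
    """FAR (Type II error): fraction of impostors wrongly accepted."""
    accepted = sum(1 for s in impostors if s >= threshold)
    return accepted / len(impostors)


def crossover_error_rate(genuine, impostors):
    """Sweep every observed score as a candidate threshold and return
    (threshold, CER), where CER is the error rate at the point where FRR
    and FAR are closest to equal. A lower CER means a more accurate system."""
    candidates = sorted(set(genuine) | set(impostors))
    best_t, best_gap, best_rate = None, None, None
    for t in candidates:
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostors, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (frr + far) / 2
    return best_t, best_rate


if __name__ == "__main__":
    # Raising the threshold trades a higher FRR for a lower FAR.
    for t in (0.5, 0.6, 0.7):
        print(f"threshold {t:.2f}: FRR={false_reject_rate(GENUINE_SCORES, t):.2f} "
              f"FAR={false_accept_rate(IMPOSTOR_SCORES, t):.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t:.2f}, CER={cer:.2f}")
```

With the constructed scores, the sweep shows FRR rising and FAR falling as the threshold increases, and the two meet at a threshold of 0.66 with a CER of 0.2 (20 percent).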

5 Myths and Realities of PCI Compliance

posted 5 Feb 2010, 14:13 by Kanav Gupta

In the wake of major security incidents such as the Heartland Payment Systems data breach, critics have focused on the perceived flaws of the Payment Card Industry Data Security Standard (PCI) and the role of qualified security assessors (QSAs).

QSAs in particular have been called out by critics such as Heartland CEO Robert Carr, who in a 2009 interview said that PCI audits done by the firm's QSAs were "of no value" in preventing the company's data breach.

PCI supporters, however, say it isn't the standard or standard-bearers that are flawed - it's how merchants and other organizations approach PCI compliance.

"'I was PCI compliant and I was breached' -- this is a very misleading statement," says Bob Russo, General Manager of the PCI Security Standards Council. "When a company is PCI compliant, it is within a snapshot of time. Companies need to ensure that their goal is to be secure and not just gain a compliance certification."

Organizations also need to accept that PCI compliance is a process - not a piece of paper, says Marcus Ranum, a well-known security practitioner and Chief Security Officer of Tenable Security. "The basic problem with PCI is that it is making security into a checklist, and good security can never be attained by a checkmark process," Ranum says. "What organizations need to understand is that PCI is a minimum baseline requirement toward security, and companies just cannot afford to focus on PCI alone in being secure."

The selection of QSAs "is very critical," says Ranum. Organizations should interview the individuals conducting the assessments, as well as get their resumes and list of client organizations they have worked for to fully understand their expertise in the field. "The standard is solid; there is nothing in the standard which needs change or requires to be addressed immediately," says Russo. "What companies must understand is that they need to focus on effective security practices and controls on a continuous basis and monitor logs, which often go undetected."

Following are five myths and realities detailed by PCI compliance experts.

PCI Compliance: Myths and Realities

Myth #1. A QSA is Responsible for Security

A QSA is only a third-party assessor who comes in to ensure that the client organization, by and large, is in compliance with the PCI DSS and has an effective security program in place. "There is no excuse for anomalies," says Ben Rothke, QSA and senior security consultant with BT Global Services. "If an organization has no security in place, the gaps are so huge that a QSA or any outside auditor cannot be of much help." Senior management at companies needs to take security seriously and implement effective controls and practices to minimize the chances of being breached. The tone has to be set from the top down to cultivate a successful information security program at any organization. The QSA then steps into the role of a trusted advisor.

Myth #2. Companies can Instantly be PCI Compliant

"'We use all applications and tools that are PCI compliant; therefore, we are OK on PCI,' -- that is a very common attitude with organizations," says Rothke. While there is software and hardware that can aid in a PCI compliance effort, there is no single vendor or product that fully addresses all 12 requirements of the PCI standard. To be compliant, an organization needs to understand the importance of security and invest in implementing best practices on a regular basis.

Myth #3. PCI is 'Enough Security'

"Most organizations think that PCI is all they have to do to be secure," says Blake Huebner, QSA and PCI team lead at NetSpi, a security assessment and program development consulting company based in Minneapolis, MN. "'I passed the audit; therefore, I am good and safe.'" This is far from reality because the QSA's role is to validate the environment and practices associated with card holder data and privacy information, as advocated by the PCI Council, and ensure effective controls are in place. "However, this is a point-in-time audit and is not reflective of changes made throughout the year," says Huebner. PCI is just a necessary base for security and focuses primarily on data security surrounding the card holder's information without taking into account intellectual property, privacy of other data and information etc.

Myth #4. PCI is Confusing

"We hear organizations say that PCI is confusing and not specific," says Huebner. "This attitude is mostly because critics have not invested the time and effort in going through the PCI DSS documents, which clearly explain what processes and steps to follow and how to validate the changes addressed," he says. Companies need to spend time to read and understand the documents to gain clarity.

Myth #5. PCI is 'Too Hard'

At the end of the day, the PCI DSS is simply about good information security fundamentals, supporters say. "Any organization with a formal enterprise security strategy will find that PCI is not a daunting thing to deal with," says Rothke. PCI is a basic security practice, and this essentially becomes hard for organizations only if they do not have an effective security program and controls in place.

Social Engineering

posted 30 Dec 2009, 00:27 by Kanav Gupta

Train Employees to Spot and Stop the Scams
You have invested smartly in information and physical security, and you think your organization is safe from external attacks? Well, the strongest defenses in the world are worthless if someone leaves the gate open. That "someone" is any one of your well-intentioned employees, and the key to the "gate" is that individual's susceptibility to social engineering. Register for this webinar to receive expert advice on:
  • The Latest Social Engineering Scams;
  • Why Social Engineering Is So Effective;
  • What Happens After You Have Been "Socialed";
  • Proactive Measures To Mitigate the Effects of "Being Socialed";
  • How to Test Your Employees' Preparedness;
  • How to Test the Effectiveness of Your Awareness Efforts.
Despite all the media hype about hackers and viruses, the greatest threats to an organization's information security are the employees of the company. They're the ones who too often, too willingly, fall victim to Social Engineering ploys and open the doors wide to slick-tongued fraudsters.

When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gleaning information from those that know the company best. Their information gathering can range from simple phone calls to dumpster diving. It is not beyond an attacker to use everything at their disposal to gain information. Much like the telemarketer badgers the elderly couple into investing in fraudulent stock, a social engineer uses all the tricks in the book to obtain the goal.

Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to surviving these manipulations.

This presentation focuses on the core issues of social engineering's methodologies, effectiveness and prevention - as well as how to test the effectiveness of your training efforts. These core components include:

  • Identifying the many forms in which the attack may occur;
  • Understanding the intention of the attack;
  • Educating the potential victims;
  • Creating a policy to minimize the impact of the attack;
  • Testing employees' abilities to sniff out social engineering scams;
  • Managing a program to ensure that ongoing reviews and updates are in place;
  • Regular testing to ensure the effectiveness of your training initiatives.

You will understand social engineering methodologies, why it is the most effective tool in attacking a company and why so many people fall victim. You will also learn how the importance of effective corporate communication and incident response planning can prevent attacks from occurring in the first place. You will discover new ways to test the effectiveness of your awareness efforts. And finally you will learn what to do "next" after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next.


posted 26 Dec 2009, 12:03 by Kanav Gupta

There are quite a few supporting references developed to guide the implementation of information technology governance. Some of them are:

Control Objectives for Information and related Technology (COBIT) is regarded as the world's leading IT governance and control framework. It does so by providing tools to assess and measure the performance of 34 IT processes of an organization. Originally created by ISACA, COBIT is now the responsibility of the ITGI (IT Governance Institute).

The IT Infrastructure Library (ITIL) is a detailed framework with hands-on information on how to achieve successful operational service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum.

ISO/IEC 27001 (ISO 27001) is a set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 ([BS7799]), which was published in the United Kingdom and became a well-known standard in the industry that was used to provide guidance to organizations in the practice of information security.

The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs ("IT Baseline Protection Manual" before 2005), are a collection of documents from the German Federal Office for Security in Information Technology (FSI), useful for detecting and combating security-relevant weak points in the IT environment. The collection encompasses over 3000 pages, including the introduction and catalogs.

The Information Security Management Maturity Model (ISM3) is a process-based ISM maturity model for security.

AS8015-2005 is the Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.

ISO/IEC 38500:2008, Corporate governance of information technology (very closely based on AS8015-2005), provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

Others include:

  • BS7799 - focus on IT security
  • CMM - The Capability Maturity Model - focus on software engineering

Non-IT specific frameworks of use include:

  • The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas.
  • Six Sigma - focus on quality assurance

Problems with IT governance

posted 26 Dec 2009, 11:41 by Kanav Gupta

Is IT governance different from IT management and IT controls? The problem with IT governance is that often it is confused with good management practices and IT control frameworks. ISO 38500 has helped clarify IT governance by describing it as the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.

Nicholas Carr has emerged as a prominent critic of the idea that information technology confers strategic advantage.[5] This line of criticism might imply that significant attention to IT governance is not a worthwhile pursuit for senior corporate leadership. However, Carr also indicates counterbalancing concern for effective IT risk management.

The manifestation of IT governance objectives through detailed process controls (e.g. in the context of project management) is a frequently controversial matter in large-scale IT management. The difficulties in achieving a balance between financial transparency and cost-effective data capture in IT financial management (e.g., to enable chargeback) are a continual topic of discussion in the professional literature, and can be seen as a practical limitation to IT governance.

Information Technology Governance

posted 26 Dec 2009, 11:35 by Kanav Gupta   [ updated 26 Dec 2009, 11:46 ]

Information Technology Governance (IT Governance) is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives, for instance Sarbanes-Oxley in the USA and Basel II in Europe, as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.

A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. The traditional involvement of board-level executives in IT issues was to defer all key decisions to the company's IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers, and in particular departments such as finance, have the necessary input into the decision making process. This prevents IT from independently making and later being held solely responsible for poor decisions. It also prevents critical users from later finding that the system does not behave or perform as expected, as explained in the Harvard Business Review article by R. Nolan:

A board needs to understand the overall architecture of its company's IT applications portfolio … The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue…

There are narrower and broader definitions of IT governance. Weill and Ross focus on "specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT."

In contrast, the IT Governance Institute expands the definition to include foundational mechanisms: "… the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."

AS8015, the Australian Standard for Corporate Governance of ICT, defines Corporate Governance of ICT as "the system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
