IS Assurance

Blog of the University of Waterloo Centre For Information System Assurance (UWCISA)

Tuesday, February 9, 2010

Google and China

Google is continuing its investigation into the recent hacker attacks allegedly emanating from China. It has reportedly reached an agreement with the National Security Agency to share data and gain its help in the investigation. The pending agreement with the NSA is raising some eyebrows, as there have been concerns in some quarters about the ability of the NSA to search and obtain data without obtaining warrants and its tendency to work behind a veil of secrecy. However, it would be naive to think that the US could survive in the high tech world of international criminality and espionage without such an agency or two. Check it out.

Monday, February 8, 2010

Is Skype Safe?

Recent surveys show that as much as 12% of all business long distance calls are made on Skype. VOIP applications such as Skype are an obvious way for companies to cut their phone bills. But there is always the question: does Skype present new security and control issues? According to this article in CIO Mag, there are not really many new issues. Most of the exposures that do exist with Skype exist with any phone/IM system, and simply need to be recognized and addressed in the company's governance procedures. The author makes special mention of the need for encryption of VOIP transmissions, which is a good idea regardless of whether Skype or some other product is being used.

Thursday, February 4, 2010

IFRS Convergence is not just an Accounting Issue

The experience of Canadian companies undergoing the transition to IFRS is showing that the convergence process is an IT issue as well as an accounting issue. IFRS requires the capture of more information than traditional GAAP systems, such as fair values of certain assets and additional disclosures in the notes, and the systems need to be able to capture that information and keep track of it in a useful way. The changes needed in the systems will not necessarily be major, but changes will be needed, and IT personnel need to be involved to assess, implement and monitor them. There is a good article on this matter in CFO Magazine.

Wednesday, February 3, 2010

Hackers Still Exploit the Old Standard Security Weaknesses

A recent report by Trustwave finds that companies are spending so much time trying to address new security flaws, such as those arising from mobility, that they are missing the old standard ones. "For instance, the top three ways hackers gained initial access to corporate networks in 2009 were via remote access applications, trusted internal network connections and SQL injection attacks, Trustwave found." The report was based on an analysis of data gathered from more than 1,900 penetration tests and over 200 data breach investigations conducted on behalf of clients such as American Express, MasterCard, Discover, Visa and several large retailers.

The report is a wake-up call for security administrators not to ignore the old vulnerabilities. But it also points to the growing complexity of systems security and control.

A write-up on the report can be found on Computerworld. The report can be downloaded from this site, after filling out a questionnaire.

Thursday, January 28, 2010

The Four Principles of Data Governance

It is widely recognized that data is one of the most important elements of modern business and business systems, and a major focus of establishing good controls. The article referenced below picks up on this theme and lays out four major principles of good data governance. They are (1) clear ownership, (2) value recognition, (3) effective data policies and procedures and (4) data quality. The article expands on these principles. It is on the Information Management site.

Monday, January 25, 2010

Online Banking - Separate Computer?

The American Banking Association has recommended that small businesses should use a separate, dedicated computer for online banking activities so that proper security can be followed. The increased activity of hackers focusing on banking has made this a prudent safeguard. However, other experts caution that if there is a lack of proper security in other parts of the system, then having a separate computer will not really help.

Having said that, the use of a separate computer probably does help in a lot of cases. It does mean, though, that it needs to be done right: proper segregation from the rest of the system as much as possible, and maintenance of strong controls throughout the system, which should be happening in any event.

For a commentary on the Banking Association recommendation, take a look at this article.

Wednesday, January 20, 2010

The Case for Encryption of Laptops

Sophos has released an interesting white paper making the case for encryption of laptops. It does this by outlining various ways in which unauthorized people can access the data on a stolen laptop even where it is protected by a password. The methods are so simple that it becomes clear that encryption is the best and only effective way to protect data on laptops. This is a message that has come from various sources, including the CICA and others. Download the white paper from this source.