Headlines

CobiT® 4.0: Complimentary Webcast: Major Update to International Standard Helps Businesses Increase IT Value, Decrease Risk

SecureCyberSpace

Watts Humphrey on Software Quality

ISACA Journal on Standards Convergence

IIA produces GTAG on Continuous Audit and Automation

ISACA's standards, guidelines and procedures, issued in 2005 by the Standards Board of the Information Systems Audit and Control Association

IT Governance: Business in the Driver's Seat - MKS is selected by BNSF as a primary compliance tool; the need for independent detective controls within Change/Configuration Management

Proving Control of the Infrastructure: Tripwire

"Operational Excellence: Linking Your Business, Compliance, Operations and Security"

OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.

Application Lifecycle Framework offers 'no problem' for local developers: Serena in New Zealand

COSO Guidance for Small Businesses: new publication Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting. This guidance, which serves as a supplement to COSO's Internal Control - Integrated Framework, originally published in 1992, focuses on the unique needs of smaller public companies in regard to compliance with Sarbanes-Oxley (SOX) section 404.

How Does Straight Through Reporting Impact You? © 2002-2005 PricewaterhouseCoopers. Contacts: Mike Willis, Global Lead Partner

BPEL and Business Process Language is the path to implementing compliance and SOA

CobiT® University

An Introduction to Visible Ops

ITSM Best Practices Online™


How Vast is your Universe? Audit Tools - in addition to CobiT®, COSO, ITIL ....

By now you know we support use of IIA and ISACA frameworks (i.e., our tools).  Perhaps you are not aware that we also implement FISCAM, various ISO/IEC, PCI/VISA, Government NIST/FIPS, and OGC - BSI standards.

...see "GAO, is that you?" in The Perils of Mount Must Read™. Then say, out loud:

"You cannot make me download. You cannot make me download. You cannot make me download. You cannot make me download. You cannot make me download. You cannot make me download. You cannot make me download. You cannot make me download. You cannot make me download. You cannot make me download...."  Try to mean it.

Federal Information System Controls Audit Manual (FISCAM)

FISCAM is a primary tool in the audit and implementation of compliance as it relates to (among others) P.L. 107-347, OMB Circular A-119 (note more OMB items in the list at the bottom), NIST SP 800-26 and all developments of the FISMA Project, as noted in various areas with works by Ross, Katz and Swanson.

  • Document ID or ISBN: GAO/AIMD-12.19.6
  • Author(s): Robert F. Dacey, Darrell L. Heim, Abraham D. Akresh, Jean L. Boltz, Carol A. Langelier, Crawford L. (Les) Thompson, Gary R. Austin
  • Publisher: Government Accountability Office; revised 2005 and in revision
  • Primary URL: FISCAM - Volume I: Financial Statement Audits

Summary of Standard [as identified in FISCAM pages 8-9]:

This manual describes the computer-related controls that auditors should consider when assessing the integrity, confidentiality, and availability of computerized data. It is a guide applied by GAO primarily in support of financial statement audits and is available for use by other government auditors. It is not an audit standard. Its purposes are to inform financial auditors about computer-related controls and related audit issues so that they can better plan their work and integrate the work of information systems (IS) auditors with other aspects of the financial audit and provide guidance to IS auditors on the scope of issues that generally should be considered in any review of computer-related controls over the integrity, confidentiality, and availability of computerized data associated with federal agency systems.

The manual lists specific control techniques and related suggested audit procedures. However, the audit procedures provided are stated at a high level and assume some expertise about the subject to be effectively performed. As a result, more detailed audit steps generally should be developed by the IS auditor based on the specific software and control techniques employed by the auditee after consulting with the financial auditor about audit objectives and significant accounts.

Many of the suggested audit procedures start with the word "review." We intend the auditor to do more than simply look at the subject to be reviewed. Rather, we envision a critical evaluation where the auditor uses professional judgment and experience and undertakes the task with a certain level of skepticism, critical thinking, and creativity.

Although IS audit work, especially control testing, is generally performed by an IS auditor, financial auditors with appropriate training, expertise, and supervision may undertake specific tasks in this area of the audit. This is especially appropriate during financial statement audits where the work of financial auditors and IS auditors must be closely coordinated. Throughout this manual, the term "auditor" should generally be interpreted as either (1) an IS auditor or (2) a financial auditor working in consultation with or under the supervision of an IS auditor.

References to FISCAM on this site will further specify the control areas (SP, AC, CC, SS, SD, SC) as follows:

Entity-wide Security Program Planning and Management (SP)

  • SP-1: Periodically assess risks
  • SP-2: Document an entity-wide security program plan
  • SP-3: Establish a security management structure and clearly assign security responsibilities
  • SP-4: Implement effective security-related personnel policies
  • SP-5: Monitor the security program's effectiveness and make changes as needed (Audit Bible…)

Access Control (AC)

  • AC-1: Classify information resources according to their criticality and sensitivity
  • AC-2: Maintain a current list of authorized users and their authorized access
  • AC-3: Establish physical and logical controls to prevent or detect unauthorized access
  • AC-4: Monitor access, investigate apparent security violations, and take appropriate remedial action

Application Software Development and Change Control (CC)

  • CC-1: Processing features and program modifications are properly authorized
  • CC-2: Test and approve all new and revised software
  • CC-3: Control software libraries

System Software (SS)

  • SS-1: Limit access to system software
  • SS-2: Monitor access to and use of system software
  • SS-3: Control system software changes

Segregation of Duties (SD)

  • SD-1: Segregate incompatible duties and establish related policies
  • SD-2: Establish access controls to enforce segregation of duties
  • SD-3: Control personnel activities through formal operating procedures and supervision and review

Service Continuity (SC)

  • SC-1: Assess the criticality and sensitivity of computerized operations and identify supporting resources
  • SC-2: Take steps to prevent and minimize potential damage and interruption
  • SC-3: Develop and document a comprehensive contingency plan

Can an auditor be successful without at least some of the tools as defined by BS 7799?

...not likely...

BS ISO/IEC 27001:2005 (BS 7799-2:2005)

The standards as produced by ISO/IEC and BSG are heavily supported by the US Technical Advisory Group for the ISO/IEC Joint Technical Committee. Owned and managed by BSI, the focus of the BS 27000 series is risk management. BSI defines risk this way, under the heading "Assessing security risks":

"Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems."

This series demonstrates a tremendous effort to align language and concepts across all major standards, with emphasis on ISO 9000 Quality Management, ISO 14001 Environment, OHSAS 18001 Occupational Health & Safety, and BS 7799 Information Security. Note a shift in language from IT Service Management to a broader ICT Infrastructure Management in all areas that pertain to information systems. The expanded use of ICT Infrastructure in place of ITIL Service Management and Service Delivery concepts makes room for a broader and more consistent mapping of British and other frameworks such as CobiT® 4th edition by ISACA®, NIST Special Publication 53a, FISCAM Volume Two and the ISG Tool as produced by the team of CISWG.

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;   
  • information systems acquisition, development and maintenance;      
  • information security incident management;
  • business continuity management;
  • compliance.

The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

As further explained by the JTAG, under the heading "What is BS ISO/IEC 27001?":

BS ISO/IEC 27001:2005 (BS 7799-2:2005) is the new international standard that provides a specification for ISMS and the foundation for third-party audit and certification. The standard is complementary to the new standard BS ISO/IEC 17799:2005 (BS 7799-1:2005). The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organization for Economic Cooperation and Development) principles governing security of information and network systems. The new standard replaces BS 7799-2:2002.

ISO publishes the following abstract and statement regarding use:

Abstract: ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

Source: http://www.insight.co.uk/bs7799/iso17799.htm

About ISO 17799 and BS 7799

  • BS 7799 Part I = ISO 17799
  • BS 7799 Part II = summarizes the 127 ISO controls and additionally provides a specification for an Information Security Management System (ISMS). An ISMS is the means by which Senior Management must monitor and control their security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.

BS 7799 - the Code of Practice for establishing an Information Security Management System (ISMS) - is rapidly being adopted by many UK and international businesses who have recognized the need to demonstrate effective protection of their own, and their customers', information. This adoption led, in December 2000, to the International Standards Organization (ISO) publishing BS 7799: Part I as an international standard. It is known as ISO/IEC 17799:2000.

What's not in the ISO standard?

The ISO standard currently provides guidance on 127 security 'controls' that are structured under ten major headings. The information provided for each control is intended for guidance only. Some confusion still arises, however, from the fact that there is a second part to BS 7799. This is a separate publication and covers Information Security Management Systems. It is not currently an ISO document. It is important to note that formal certification must always be carried out against BS 7799 Part II. This will continue to be the case until the publication of a fully ratified ISO equivalent of BS 7799 Part II.

The ISO Standard and BS 7799 Part II should be considered as a working 'pair' with distinct purposes as follows:

  • ISO/IEC 17799:2000 (formerly BS 7799 Part I) is the Code of Practice and can be regarded as a comprehensive catalogue of guidance on what constitutes good security practice.
  • BS 7799-2:2002 (Part II) summarizes the same 127 ISO controls and additionally provides a specification for an Information Security Management System (ISMS). An ISMS is the means by which Senior Management must monitor and control their security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.

It is important to note that formal certification must always be carried out against BS 7799 Part II. This will continue to be the case until the publication of a fully ratified ISO equivalent of BS 7799 Part II.

Persons holding certification will be required to transition to the new standard in 2006. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:

  • use within organizations to formulate security requirements and objectives;
  • use within organizations as a way to ensure that security risks are cost effectively managed;
  • use within organizations to ensure compliance with laws and regulations;
  • use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • definition of new information security management processes;
  • identification and clarification of existing information security management processes;
  • use by the management of organizations to determine the status of information security management activities;
  • use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
  • use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  • implementation of business-enabling information security;
  • use by organizations to provide relevant information about information security to customers.

Companies certified/registered to BS 7799-2:2002 will need to make the transition to the new standard. Complete information regarding accreditation and certification is found at http://www.ukas.com/about_accreditation/International/default.asp

A certification scheme exists to certify organizations toward compliance. Although this is a British Standard, more than 9004 organizations in more than 40 countries have been evaluated and certified to BS 7799-2. The guidance is available for purchase from www.bsi-global.com (GB sterling £28.00 from the British Standards Institution).

HIPAA - Health Insurance Portability Requirements:

Our recommendation for medical compliance is to follow the guidance of the CMS Manual System: Business Partners Systems Security Manual.

  • AKA: Business Partners Systems
  • Laws enforced by this framework or standard: P.L. 104-191; P.L. 107-347, Title III; P.L. 93-579; P.L. 108–173; OMB Circular A-130
  • Author/Publisher: Sherwin Schulterbrandt, Centers for Medicare & Medicaid Services (CMS)
  • Edition/Version: 5, December 23, 2004

CMS Manual System Pub 100-17 Medicare

CMS Partner Training and Resources

CMS on The Health Insurance Portability Act

Summary of Standard: Professionals in any area of information systems, medical program management and security MUST READ and have full awareness of changes in the Centers for Medicare & Medicaid Services, Office of Information Services, Security and Standards Group, CMS Manual System: Business Partners Systems Security Manual. The list of legal and standards information alone makes this a product that is clearly better than most efforts made by any other standards and regulatory group.

This guide has a number of outstanding tools, including the Contractor Assessment Security Tool, "CAST", based in the highest level of legal awareness, implementation of current standards and care for the specific medical industry context. The authors use FISCAM and NIST SP 800-26, as well as FIPS 199-201, to enforce industry regulations for the implementation of standards ranging from banking to government systems. Recent changes in law and standards are reflected, with updates as recent as the last four weeks. Careful attention to all forms of change management is visible in the first section of the manual. The table of contents does not do it justice, but includes:

1.0 Introduction
2.0 IT Systems Security Roles and Responsibilities
2.1 Consortium Contractor Management Officer and CMS Project Officer (CCMO/PO)
2.2 The (Principal) Systems Security Officer (SSO)
2.3 System Owners/Managers
2.4 System Maintainers/Developers
2.5 Personnel Security/Suitability
3.0 IT Systems Security Program Management
3.1 System Security Plan (SSP)
3.2 Risk Assessment
3.3 Certification
3.4 Information Technology Systems Contingency Plan
3.5 Compliance
3.5.1 Annual Compliance Audit (ACA)
3.5.2 Corrective Action Management Process and Plans of Action and Milestones
3.6 Incident Reporting and Response
3.6.1 Computer Security Incident Response
3.7 System Security Profile
3.8 Fraud Control
3.9 Patch Management
3.10 Security Management Resources
3.10.1 Security Configuration Management          
3.10.2 National Institute of Standards and Technology (NIST)
4.0 IT Systems Sensitivity/Criticality Determinations
4.1 Information Security Levels
4.1.1 Sensitivity Levels for Data
4.1.1.1 Level 1: Low Sensitivity
4.1.1.2 Level 2: Moderate Sensitivity
4.1.1.3 Level 3: High Sensitivity
4.1.1.4 Level 4: High Sensitivity and National Security Interest
4.1.2 Criticality Levels for IT Systems
4.1.2.1 Level 1: Low Criticality
4.1.2.2 Level 2: Moderate Criticality
4.1.2.3 Level 3: High Criticality
4.1.2.4 Level 4: High Criticality and National Security Interest
4.2 Sensitive Information Protection Requirements
4.2.1 Restricted Area
4.2.2 Security Room
4.2.3 Secured Interior/Secured Perimeter
4.2.4 Container
4.2.4.1 Locked Container
4.2.4.2 Security Container
4.2.4.3 Safes/Vaults
4.2.5 Locking Systems for Secured Areas and Security Rooms
4.2.6 Intrusion Detection System (IDS)
5.0 Internet Security
Appendices
Appendix A CMS Core Security Requirements and the Contractor Assessment Security Tool (CAST)
Attachment A CMS Core Set of Security Requirements
Appendix B Medicare Information Technology (IT) Systems Contingency Planning
Appendix C An Approach to Fraud Control
Appendix D Acronyms and Abbreviations
Appendix E Glossary

Applicable To: The CMS IT systems security program and Core Security Requirements were developed in accordance with Federal and CMS documents that mandate the handling and processing of Medicare data. These documents include the following:

  • Public Law 74-271, Social Security Act, as amended, §1816, Use of public agencies or private organizations to facilitate payment to provider of service.
  • Public Law 74-271, Social Security Act, as amended, §1842, Use of carriers for administration of benefits.
  • Public Law 93-579, The Privacy Act of 1974, as amended.
  • Public Law 99-474, Computer Fraud & Abuse Act of 1986.
  • Public Law 100-235, Computer Security Act of 1987.
  • Public Law 104-13, Paperwork Reduction Act of 1978, as amended in 1995, U.S. Code 44 Chapter 35.
  • Public Law 104-106, Clinger-Cohen Act of 1996 (formerly called Information Technology Management Reform Act).
  • Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA), 1996. http://aspe.os.dhhs.gov/admnsimp/index.shtml
  • Freedom of Information Act (FOIA) of 1974, as amended by Public Law 104-231, Electronic Freedom of Information Act of 1996.
  • Public Law 106-398, National Defense Authorization Fiscal Year 2001, Government Information Security Reform Act (GISRA) of 2000.
  • Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems, June 21, 1995. http://www.whitehouse.gov/omb/circulars/index.html
  • OMB Circular No. A-127, Financial Management Systems, Transmittal 2, June 10, 1999. http://www.whitehouse.gov/omb/circulars/index.html
  • OMB Circular No. A-130, Management of Federal Information Resources, Transmittal 4, November 28, 2000. http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html
  • Appendix III to OMB Circular No. A-130, Security of Federal Automated Information Resources, November 28, 2000. http://www.whitehouse.gov/omb/circulars/index.html
  • Presidential Decision Directive/NSC – 63 (PDD 63), White Paper: The Clinton Administration's Policy on Critical Infrastructure Protection, May 22, 1998. http://www.usdoj.gov/criminal/cybercrime/white_pr.htm
  • GAO/AIMD-12.19.6, Federal Information System Controls Audit Manual (FISCAM), January 1999. http://www.gao.gov/special.pubs/ai12.19.6.pdf
  • CMS System Security Plans (SSP) Methodology, Draft Version 3.0, November 6, 2002. http://www.cms.hhs.gov/it/security/docs/ssp_meth.pdf
  • Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, June 2000.
  • Federal Information Security Management Act of 2002 (FISMA), November 27, 2002.
  • Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Public Law 108–173), Dec. 8, 2003, Sec. 912: Requirements for Information Security for Medicare Administrative Contractors.

Why we need FISCAM and NIST....

Federal Laws

  • Privacy Act of 1974, as amended, (5 U.S.C. 552a) [http://www.usdoj.gov/04foia/privstat.htm]
  • Paperwork Reduction Act of 1995, Title 44 Chapter 35 [http://www.archives.gov/federal_register/public_laws]
  • Chief Financial Officers Act of 1990, (31 U.S.C. 2512 et seq.) [http://www.gao.gov/policy/12_19_4.pdf] and [http://wwwoirm.nih.gov/itmra/cfoact.html]
  • Clinger-Cohen Act, P.L. 104-106, Division E, Information Technology Management Reform Act of 1996 [http://www.cio.gov/documents]
  • Computer Security Enhancement Act of 1997, H.R. 1903 [http://www.fas.org/irp/congress/1997_rpt/h105_243.htm]
  • Government Paperwork Elimination Act of 1998, P.L. 105-277, Title XVII [http://www.cdt.org/legislations/105th/digsig/govnopaper.html]
  • FY 2001 Defense Authorization Act (P.L. 106-398) – Title X, subtitle G "Government Information Security Reform" (The Security Act) [http://www.access.gpo.gov/nara/publaw/106publ.htm]
  • Federal Information Security Management Act (FISMA), P.L. 107-347, Title III, December 2002 [http://www.fedcirc.gov/library/legislation/FISMA.html]
  • Freedom of Information Act, P.L. 89-487 [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+5USC552]
  • Computer Fraud and Abuse Act, P.L. 99-474 [http://www.alw.nih.gov/Security/FIRST/papers/legal/cfa.txt]
  • Electronic Signature in Global and National Commerce Act, P.L. 106-229 [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf]
  • Government Information Security Reform Act, P.L. 106-398 [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ398.106]
  • Children's Online Privacy Protection Act of 1998 [http://www.ftc.gov/ogc/coppa1.htm]

Executive Orders/Presidential Decision Directives

  • Executive Order No. 12046 of March 27, 1978 [no electronic version available]
  • Executive Order No. 12472 of April 3, 1984 [no electronic version available]
  • Executive Order No. 13011 of July 16, 1996 [http://www.nara.gov/fedreg/eo_clint.html]
  • Homeland Security Directive HSPD-7, Critical Infrastructure Identification, Prioritization and Protection [http://www.usda.gov/da/physicalsecurity/hspd.pdf]
  • Homeland Security Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors

Office of Management & Budget (OMB) Circulars, Bulletins and Memoranda [http://www.whitehouse.gov/omb]

  • OMB Circular No. A-11 Preparation and Submission of Budget Estimates (05/03)
  • OMB Circular No. A-123 Management Accountability and Control (06/95)
  • OMB Circular No. A-127 Policies and Standards for Financial Management Systems (07/93)
  • OMB Circular No. A-130 Security of Federal Automated Information Resources (Appendix III) (11/00)
  • OMB Bulletin No. 90-08 (Appendix A) [Security Plans]
  • M-97-16 Information Technology Architectures (06/18/97)
  • M-99-05 Instructions on Complying with President’s Memorandum of May 14, 1998 “Privacy and Personal Information in Federal Records” (01/07/99)
  • M-99-18 Privacy Policies on Federal Web Sites (06/02/99)
  • M-99-00 Security of Federal Automated Information Resources (06/23/99)
  • M-00-07 Incorporating and Funding Security in Information Systems Investments (02/28/00)
  • M-00-10 OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act (04/25/00)
  • M-00-13 Privacy Policies and Data Collection on Federal Web Sites (06/22/01)
  • M-00-15 OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act (09/25/00)
  • M-01-05 Guidance on Inter-agency Sharing of Personal Data – Protecting Personal data (12/20/00)
  • M-03-19 Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (08/06/03)

National Institute of Standards & Technology (NIST) Federal Information Processing Standards Publications (FIPS)[http://csrc.nist.gov/publications/fips/index.html]

  • FIPS PUB 31 Guidelines for Automatic Data Processing Physical Security and Risk Management (06/74)
  • FIPS PUB 46-3 Data Encryption Standard (DES); specifies the use of Triple DES (10/99)
  • FIPS PUB 48 Guidelines on Evaluation of Techniques for Automated Personal Identification (04/77)
  • FIPS PUB 73 Guidelines for Security of Computer Applications (06/80)
  • FIPS PUB 74 Guidelines for Implementing and Using the NBS Data Encryption Standard (04/81)
  • FIPS PUB 81 DES Modes of Operation (12/80)
  • FIPS PUB 83 Guideline on User Authentication Techniques for Computer Network Access Control (09/80)
  • FIPS PUB 87 Guidelines for ADP Contingency Planning (03/81)
  • FIPS PUB 102 Guideline for Computer Security Certification and Accreditation (09/83)
  • FIPS PUB 112 Password Usage (05/85)
  • FIPS PUB 113 Computer Data Authentication (05/85)
  • FIPS PUB 140-1 Security Requirements for Cryptographic Modules (01/94)
  • FIPS PUB 140-2 Security Requirements for Cryptographic Modules (06/01)
  • FIPS PUB 171 Key Management Using ANSI X9.71 (04/92)
  • FIPS PUB 180-2 Secure Hash Standard (04/95)
  • FIPS PUB 181 Automated Password Generator (10/93)
  • FIPS PUB 185 Escrowed Encryption Standard (02/94)
  • FIPS PUB 186-2 Digital Signature Standard (DSS) (01/00)
  • FIPS PUB 188 Standard Security Labels for Information Transfer (09/94)
  • FIPS PUB 190 Guideline for the Use of Advanced Authentication Technology Alternatives (09/94)
  • FIPS PUB 191 Guideline for the Analysis of Local Area Network Security (11/94)
  • FIPS PUB 196 Entity Authentication Using Public Key Cryptography (02/97)
  • FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems
  • FIPS PUB 201 Personal Identification Verification for Federal Employees and Contractors

NIST Special Publications [http://csrc.nist.gov/publications/nistpubs/index.html]

  • NIST Special Publication 800-2, Public-Key Cryptography
  • NIST Special Publication 800-3, Establishing a Computer Security Incident Response Capability (CSIRC)
  • NIST Special Publication 800-4, Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials
  • NIST Special Publication 800-4A, Security Considerations in Federal Information Technology Procurements
  • NIST Special Publication 800-5, A Guide to the Selection of Anti-Virus Tools and Techniques
  • NIST Special Publication 800-6, Automated Tools for Testing Computer System Vulnerability
  • NIST Special Publication 800-7, Security in Open Systems
  • NIST Special Publication 800-8, Security Issues in the Database Language SQL
  • NIST Special Publication 800-9, Good Security Practices for Electronic Commerce, Including Electronic Data Interchange
  • NIST Special Publication 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
  • NIST Special Publication 800-11, The Impact of the FCC’s Open Network Architecture on NS/EP Telecommunications Security
  • NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook
  • NIST Special Publication 800-13, Telecommunications Security Guidelines for Telecommunications Management Network
  • NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
  • NIST Special Publication 800-15, Minimum Interoperability Specification for PKI components (MISPC), Version 1
  • NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec Pub. 500-172)
  • NIST Special Publication 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures
  • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
  • NIST Special Publication 800-19, Mobile Agent Security
  • NIST Special Publication 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
  • NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government
  • NIST Special Publication 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
  • NIST Special Publication 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • NIST Special Publication 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
  • NIST Special Publication 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
  • NIST Special Publication 800-26, Security Self Assessment Guide for Information Technology Systems
  • NIST Special Publication 800-27, Engineering Principles for IT Security
  • NIST Special Publication 800-28, Guidelines on Active Content and Mobile Code
  • NIST Special Publication 800-29, A Comparison of the Security Requirements of Cryptographic Modules in FIPS 140-1 and 140-2
  • NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
  • NIST Special Publication 800-31, Intrusion Detection Systems (IDS)
  • NIST Special Publication 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure
  • NIST Special Publication 800-33, Underlying Technical Models for Information Technology Security
  • NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
  • NIST Special Publication 800-35, Guide to IT Security Services
  • NIST Special Publication 800-36, Guide to Selecting IT Security Products
  • NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  • NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques
  • NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the RMAC Authentication Mode
  • NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
  • NIST Special Publication 800-40, Procedures for Handling Security Patches
  • NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy
  • NIST Special Publication 800-42, Guideline on Network Security Testing
  • NIST Special Publication 800-43, System Administration Guidance for Windows 2000 Professional
  • NIST Special Publication 800-44, Guidelines on Securing Public Web Servers
  • NIST Special Publication 800-45, Guidelines on Electronic Mail Security
  • NIST Special Publication 800-46, Security for Telecommuting and Broadband Communications
  • NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems
  • NIST Special Publication 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
  • NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
  • NIST Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
  • NIST Special Publication 800-53, Security Controls for Federal Information Systems
  • NIST Special Publication 800-53A, Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems
  • NIST Special Publication 800-55, Security Metrics Guide for Information Technology Systems
  • NIST Special Publication 800-60, Guide for Mapping Information and Information Types to Security Objectives and Risk Levels
  • NIST Special Publication 800-61, Computer Security Incident Handling Guide
  • NIST Special Publication 800-63, Recommendation for Electronic Authentication

USDA Policies & Regulations [http://www.ocionet.usda.gov/ocio/cyber_sec/index.html]

  • DR 3140-2, USDA Internet Security Policy
  • DR 3300-1, Telecommunications & Internet Services & Use
  • DR 3410-1, Information Collection Activity
  • DR 3080-1, Records Disposition
  • DM 3200-2, Management: A Project Managers Guide to Applications Systems Life Cycle Management
  • DM 3500, USDA Cyber Security Manual
  • OCIO Web Farm Physical Security Standards, Policies & Procedures
  • Director Central Intelligence Directive (DCID) 1/21; DCID 6/3, Secure Compartmented Information Facility Construction Specifications
  • Office of Operations, USDA Physical Security Handbook, Chapter 3, Exterior and Interior Protection (Draft)
  • Interagency Security Committee (ISC) Security Design Criteria for Federal Facilities (Classified Document)

Miscellaneous

  • DOD Directive 8500.1 Information Assurance (10/02) [http://www.dtic.mil/whs/directives/]
  • GAO Federal Information System Control Audit Manual (Exposure Draft) (FISCAM) (08/97) [http://www.gao.gov/policy/12_19_6.pdf]
  • Common Criteria for Information Technology Security Evaluation (Ver. 2.1) (08/99) [http://csrc.nist.gov/cc/ccv20/ccv2list.htm]
  • Federal CIO Council, Securing Electronic Government (01/01) [http://www.cio.gov]

Networking:

A typical day from Dan Swanson and with noted contribution from George Spafford, two men who make a difference in all our lives by being Eagles among dogs and sheep.

1. A variety of excellent resources arrived over the weekend and late last week (see below).

2. Today's highlight: The "Innovation Network" web site. http://www.thinksmart.com/

Enjoy. Dan
www.securitybenchmark.com
http://finance.groups.yahoo.com/group/Dans_SECemails/
http://finance.groups.yahoo.com/group/Dans_CCCemails/

1. The February 2006 issue of ITAudit is available. http://www.theiia.org/itaudit

2. NSA's SNAC set: one of the best security web sites you can bookmark. http://www.nsa.gov/snac/

3. Financial Institution Shared Assessments Program. The FISAP assessment documents that were released this past week are well worth reviewing. FISAP is a process for financial institutions to evaluate their IT service providers. The site includes a FISAP FAQ and the assessment documents. www.bitsinfo.org/fisap

4. The Skinny on ITIL. The Information Technology Infrastructure Library is coming to America; early adopters say it's a friendly invasion. www.csoonline.com/read/020106/itil.html

5. Security Issues Continue to Dominate in AICPA Top Ten Technologies. For the fourth consecutive year, professionals who sit at the intersection of information technology and accounting have selected Information Security as the number one technology to watch in 2006, according to the results of the AICPA's 17th annual Top Ten Technologies survey. Four new technologies placed on this year's Top Ten list: Assurance and Compliance Applications, IT Governance, Privacy Management, and Spyware Detection and Removal. The Top 10 Tech this refers to is at AICPA: http://infotech.aicpa.org/


FAB FIVE - BIG FOUR - BIG EIGHT - HEAVY HITTERS - THE GURUS

as said by Garth "We're not worthy"...

Big 4 is a term that implies only four leaders. In the past it was the Big 8, and as Arthur Andersen fell, the number of leaders also declined. There are a lot more than four.

A few faces in the current Audit Hall of Fame:

  • Deloitte (http://www.deloitte.com)  "The Doors "
  • KPMG (http://www.kpmg.com)  "Sly and the Family Stone"
  • BearingPoint (http://www.bearingpoint.com) "The Ramones"
  • Ernst & Young (http://www.ey.com) "Nirvana"
  • Grant Thornton (http://www.gt.com) "The Pixies"
  • PricewaterhouseCoopers (http://www.pwc.com) "Aerosmith"
  • Crowe Chizek (http://www.crowechizek.com) "The Grateful Dead"
  • Protiviti (http://www.knowledgeleader.com) "The Velvet Underground"
  • Jefferson Wells ( http://www.jeffersonwells.com) "Earth Wind and Fire"

Amid the noise and fanfare, class acts never go out of style, and we love a class act.

See the sections on Security, Risk, Data Retention, and more for additional reviews of laws and regulations. We also hope you will enjoy reading "The Perils of Mount Must Read™", our gift to the hurting, overwhelmed and confused.

Please check out FCM™, our product and custom solution for all forms of compliance management.

Home run! Internal Control and Control Self Assessment

CobiT® Online from ISACA and ITGI, and CobiT Advisor 3rd Ed. from Methodware™

CobiT® components include:

  • Executive Summary
  • Framework
  • Control Objectives
  • Control Practices
  • Audit Guidelines
  • Implementation Tool Set
  • Management Guidelines

Other works based on the CobiT® framework include:

  • CobiT® Quickstart™
  • CobiT® Online®
  • CobiT® in Academia™
  • CobiT® Security Baseline™

Grand slams go to the teams producing harmonization and synergy across standards and regulatory requirements. 

Examples include CobiT® 4.0, the recent release of Aligning CobiT®, ITIL® and ISO 17799® for Business Benefit: A Management Briefing, and the combined Booz Allen Hamilton, ISACA, ISSA and ASIS release "Convergence of Enterprise Security Organizations".

To paraphrase just a few of the points made by Gary Hardy and Erik Guldentops, who introduced CobiT® 4.0 in Volume 6, 2005 of the Information Systems Control Journal (the professional publication of the Information Systems Audit and Control Association), CobiT® 4.0 adds the following to the already valuable framework:

  • Business requirements
  • Harmonization—(ITIL®, ISO 17799®, PMBOK® and PRINCE2)
  • Value creation—balance between risk and value, drawing on recent new research on IT value management.
  • Enterprise architecture—CobiT® 4.0 provides RACI charts (who is Responsible, Accountable, Consulted and Informed) to address process roles and responsibilities for each IT process, and enterprise architecture principles are now explained within the framework, linking goals, resources, information and processes.
  • Process definitions and process flows—To improve understanding of the IT process model, CobiT® 4.0 now contains descriptions of each process together with process inputs and outputs, with cross-references to other processes.

"CobiT® Online is a web-based resource where you can browse and search the very latest best practices, download customized guidance, perform benchmarking and more. A variety of subscription levels are available, each allowing different amounts and types of access and functionality. ISACA membership provides for Basic access rights and discounts on purchasing Full access."

Resources and Publications on Internal Audit:


Excellence takes teams, time and money:   Pay your dues, buy your tools, because none of us is as smart as all of us...

New: Leading IIA Guidance Reports, Papers, and Publications:

Federal Financial Institutions Examination Council (FFIEC)

  • AKA: FFIEC Examination Handbook
  • Sometimes searched as: Information Security IT Examination Handbook
  • URL source data: Federal Financial Institutions Examination Council; FFIEC Information Technology Examination Handbook; FFIEC IT Handbook InfoBase Main Page; Information Security IT Examination Handbook
  • http://www.ffiec.gov/ffiecinfobase/booklets/information_security/Info_sec_workprogram.doc

Summary:
The Federal Financial Institutions Examination Council is the governing body over financial institutions. This site provides field examiners in financial institution regulatory agencies an InfoBase of new regulations and standards.

The structure of the online Information Security "Booklet" surpasses any other form of presentation I have seen. Writing is clear, and sources are comprehensive. Regulated by the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS), it is hard to imagine that the guidelines used to create the FFIEC framework lack consideration for laws in any industry, public, private or international.

OVERVIEW
Information is one of a financial institution’s most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers. Timely and reliable information is necessary to process transactions and support financial institution and customer decisions. A financial institution’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

Information security is the process by which an organization protects and secures systems, media, and facilities that process and maintain information vital to its operations. On a broad scale, the financial institution industry has a primary role in protecting the nation’s financial services infrastructure. The security of the industry’s systems and information is essential to its safety and soundness and to the privacy of customer financial information. Individual financial institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security responsibilities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities. This booklet provides guidance to examiners and organizations on determining the level of security risks to the organization and evaluating the adequacy of the organization’s risk management.

Organizations often inaccurately perceive information security as the state or condition of controls at a point in time. Security is an ongoing process, whereby the condition of a financial institution’s controls is just one indicator of its overall security posture. Other indicators include the ability of the institution to continually assess its posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. A financial institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.

Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations.

Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 14-16.

SECURITY OBJECTIVES
Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.

  • Availability—The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.
  • Integrity of Data or Systems—System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
  • Confidentiality of Data or Systems—Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
  • Accountability—Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection and legal admissibility of records.
  • Assurance—Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.

Appropriate security controls are necessary for financial institutions to challenge potential customer or user claims that they did not initiate a transaction. Financial institutions can accomplish this by achieving both integrity and accountability to produce what is known as non-repudiation. Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counter party, and no changes occurred in transit or storage. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions. While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification.

REGULATORY GUIDANCE, RESOURCES, AND STANDARDS
Financial institutions developing or reviewing their information security controls, policies, procedures, or processes have a variety of sources to draw upon. First, federal laws and regulations address security, and regulators have issued numerous security-related guidance documents. Institutions also have a number of third-party or security industry resources to draw upon for guidance, including outside auditors, consulting firms, insurance companies, and information security professional organizations. In addition, many national and international standard-setting organizations are working to define information security standards and best practices for electronic commerce. While no formal industry-accepted security standards exist, these various standards provide benchmarks that both financial institutions and their regulators can draw upon for the development of industry expectations and security practices. Some standard-setting groups include the following organizations:

  • The National Institute of Standards and Technology (NIST) at www.nist.gov;
  • The International Organization for Standardization (ISO) Information technology at www.iso.ch, with specific standards such as:
      • The code of practice for information security management (ISO/IEC 17799) and
      • Information Security -- Security techniques—Evaluation criteria for IT security (ISO/IEC 15408); and
  • The Information Systems Audit and Control Association (ISACA)—Control Objectives for Information Technology (CobiT), at www.isaca.org

More good stuff:

Why internal auditing exists, by David Griffith

Internal Audit Guide: Evaluating a Compliance & Ethics Program (OCEG Practice Aid), as organized by the committee and the OCEG Leadership Council supporting Dan Swanson in its release.

COSO:

PCAOB:

SEC:

  • “Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports”  www.sec.gov/rules/final/33-8238.htm
  • Commission Statement on Implementation of Internal Control Reporting Requirements” (May 16, 2005) - www.sec.gov/news/press/2005-74.htm

AICPA:

Deloitte:

Ernst & Young:

KPMG:

PricewaterhouseCoopers:

  • “How to move your company to sustainable Sarbanes-Oxley compliance - from project to process”  www.pwc.com/

Protiviti:

...more links in the security and IT resources section

Special thanks to Bruce Winters for his article "Compliance: Choose the Right Tools for Internal Control Reporting" (Bruce I. Winters): "New federal regulations require public companies to assess the effectiveness of their internal control structure and financial reporting procedures. Complex software is essential to such analysis. Here's how to determine what kind is needed and how it should link to—or replace—a company's existing systems." Thanks also to Dan Swanson and the ISACA List Serve Community.

Special thanks to the IIA and, again, especially to Dan Swanson, CIA, CMA, CISA, CISSP, CAP, who coauthored with others mentioned on every page of this site during his long and productive career as Director of Professional Practices, The Institute of Internal Auditors. He frequently writes on IT audit, IT security, and various management practices. He is a past Winnipeg chapter president for both The IIA and ISACA and chaired ISACA International's publication committee for two years. Swanson has also been on the Board of Directors of The IIA.


ITGI is a not-for-profit research organization affiliated with the Information Systems Audit and Control Association® (ISACA®), a global not-for-profit professional membership organization focused on IT governance, assurance and security, with more than 47,000 members in more than 140 countries. ITGI undertakes research and publishes CobiT®, an open standard and framework of controls and best practice for IT governance. www.itgi.org

The following text is directly quoted from ITGI, starting at page 6 of "Aligning CobiT®, ITIL and ISO 17799 for Business Benefit" © ITGI 2005:

OGC is a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL (IT service management). ITIL is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management. www.ogc.gov.uk


Logos belong to affiliated organizations and indicate PB&SP support and sponsorship/membership. Use of logos is based on written agreement with the third party. They are not meant to imply ownership, creation or collaboration in any product. We stand behind experience and consensus among our clients to suggest that these highlighted products and organizations are the best audit and compliance resources in the world. We are not paid to advertise and we do not sell software. We stand behind their greatness because we witness their results.