
August 27th, 2008

Separation of Duties and IT Security

Separation of duties is a key concept of internal controls and is the most difficult and sometimes the most costly one to achieve. The objective is met by distributing the tasks, and the privileges associated with them, for a specific security process among multiple people, so that no one person can carry out the whole process alone.

The term SoD is already well-known in financial accounting systems. Companies of all sizes understand not to combine roles such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and having custody of paychecks, etc. However, SoD is fairly new to the IT organization. It is no surprise that concerns are being raised about separation of duties in IT, given that a very high portion of SOX internal control issues come from or rely on IT. Separation of duties is a fundamental principle of many regulatory mandates such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA) and others. As a result, IT organizations must now place greater emphasis on separation of duties across all IT functions, especially security.

Security Separation of Duties

Separation of duty, as it relates to security, has two primary objectives. The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors. The second is the detection of control failures, including security breaches, information theft, and circumvention of security controls. Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity, and availability of computer systems, networks and the data they use. In addition, the security controls are selected and applied based on a risk assessment of the information system. These controls limit the amount of power or influence held by any one individual. Proper separation of duties, of course, is designed to ensure that individuals do not have conflicting responsibilities and are not responsible for reporting on themselves or their superior.

There is an easy test for separation of duties. First, ask whether any one person can alter or destroy your financial data without being detected. Second, ask whether any one person can steal or exfiltrate sensitive information. Finally, ask whether any one person has influence over the design and implementation of controls and over the reporting on their effectiveness. If the answer to any of these questions is YES, then you need to take a hard look at the separation of duties.

Now, as this relates specifically to security, the individual responsible for designing and implementing security cannot be the same person who is responsible for testing security, conducting security audits, or monitoring and reporting on security. For these reasons, the individual responsible for information security should not report to the Chief Information Officer, as is traditionally the case.

Separation of duties is a common policy when people are handling money, so that fraud requires collusion of two or more parties. This greatly reduces the likelihood of crime. Information should be handled in the same way. Separation of duties as it relates to information systems is not just a possible Sarbanes-Oxley issue but is a requirement for PCI compliance as well. It is therefore imperative that the organization structure be designed such that no individual acting alone can compromise security controls. There are five primary options for achieving separation of duties in the information security space. This list is in order of acceptability based on my experience.
Option 1: Have the individual responsible for information security report to CSO (chief security officer) who takes care of information security and physical security and the CSO reports directly to CEO.
Option 2: Have the individual responsible for information security report to Chairman of the Audit Committee.
Option 3: Use a third party to monitor security, surprise security audits and security testing and they report to the Board of Directors or the Chairman of the Audit Committee.
Option 4: Have the individual responsible for information security report to the board of directors.
Option 5: Have the individual responsible for information security report to internal audit as long as internal audit does not report to the executive in charge of finances like the CFO.
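The two rules above, that whoever designs or implements security must not also test, audit or report on it, and that the information-security lead must not report through the CIO (or through internal audit when internal audit reports to the CFO), can be checked mechanically against a duty roster and an org chart. The following is an added example written for this page, not code from the article or from CSO Online; the people, duty names and reporting structure are constructed.

```python
"""Separation-of-duties checks for the security duties and reporting lines
described in the article (constructed example, not the article's own code)."""

# Duties the article says one person must not hold on both sides: those who
# design or implement security must not also test, audit or report on it.
BUILD = {"design_security", "implement_security"}
CHECK = {"test_security", "audit_security", "monitor_report_security"}

def duty_conflicts(assignments):
    """assignments: {person: set of duties}. Return one tuple per person who
    both builds and checks security controls."""
    findings = []
    for person, duties in assignments.items():
        builds, checks = duties & BUILD, duties & CHECK
        if builds and checks:
            findings.append((person, sorted(builds), sorted(checks)))
    return findings

def reporting_line(org, person):
    """org: {person: manager}. Return the chain of managers above person."""
    chain, seen = [], set()
    while person in org and person not in seen:
        seen.add(person)
        person = org[person]
        chain.append(person)
    return chain

def reporting_conflicts(org, infosec_lead):
    """Flag the reporting relationships the article rejects: information
    security under the CIO, or under internal audit when internal audit itself
    reports to the executive in charge of finances (the CFO)."""
    chain = reporting_line(org, infosec_lead)
    findings = []
    if "CIO" in chain:
        findings.append("information security reports through the CIO")
    if "Internal Audit" in chain and "CFO" in chain[chain.index("Internal Audit"):]:
        findings.append("internal audit, and so information security, reports through the CFO")
    return findings

# Constructed sample roster and org chart (hypothetical names and structure).
ASSIGNMENTS = {
    "alice": {"design_security", "implement_security"},
    "bob": {"test_security", "audit_security"},
    "carol": {"implement_security", "monitor_report_security"},
}
ORG = {"alice": "CSO", "CSO": "CEO", "bob": "Internal Audit",
       "Internal Audit": "CFO", "CFO": "CEO", "carol": "CIO", "CIO": "CEO"}
```

Running `duty_conflicts(ASSIGNMENTS)` flags only carol, who both implements and reports on security; `reporting_conflicts(ORG, "alice")` is clean because her line runs through the CSO to the CEO (Option 1 above), while bob's line fails the Option 5 condition and carol's goes through the CIO.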

The issue of separation of duties is growing in importance. A lack of clear and concise responsibilities for the CSO and CISO has fueled confusion. It is imperative that there be separation between operations, development and testing of security and all controls to reduce the risk of unauthorized activity or access to operational systems or data. Responsibilities must be assigned to individuals in such a way as to mandate checks and balances within the system and minimize the opportunity for unauthorized access and fraud.

Remember, control techniques surrounding separation of duties are subject to review by external auditors. Auditors have in the past listed this concern as a material deficiency on the audit report when they determined the risks were great enough. It is just a matter of time before this is done as it relates to IT security. For this reason, as well as for objectivity, why not have a discussion about separation of duties as it relates to IT security with your external auditors? Learning what they view as necessary in your particular case can save you a lot of aggravation, cost and political infighting.


Source: CSO Online

Copyright © 2003-2008, Keylogger.Org Team. All Rights Reserved.
Use of any information from this website is permitted only with hypertext link to www.keylogger.org.