Database and ERP Security and Best Practice Management

How to Leverage Best Practices to Build Effective IT Audit Plans

Why best practices?
Process practices are improved every day. “Best practices” are recognized as the preferred methods for saving time and building efficiency within a process or group of processes. IT auditors should leverage best practices to build collaborative and effective technical audit plans, improve efficiency, and address risks.
What are best practices?
Wikipedia defines best practices as:
“…a technique, method, process, activity, incentive, or reward which conventional wisdom regards as more effective at delivering a particular outcome than any other technique, method, process, etc. when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.”
Best practices evolve over time. Best practices used in the appropriate situation should consistently produce the best possible results.
Don’t reinvent the wheel
Everyone—regardless of their profession—wants to accomplish tasks using the minimum available resources. Best practices can be leveraged effectively to design, implement, support, and audit a given technology area. This becomes increasingly important in fast-paced and complex sectors like IT where technology is constantly changing and processes must be able to efficiently adapt.
In addition, the IT industry is dominated by major vendors such as Microsoft, Oracle, SAP, and Google. Similarities of servers, databases, network peripherals, and functionality requirements make building a collection of best practices a major attraction for the IT community.
There are several key advantages of utilizing best practices in IT:
• Benchmarking operations with industry peers can calculate a true return on investment (ROI)
• Leveraging collective human capital to cut down on the time and expense of individual “trial and error” process development
• Reducing the total cost of operations (TCO) for individual organizations by using the combined knowledge of leading resources across multiple organizations
• Identifying and targeting well-known gaps or vulnerabilities
Building a collaborative platform of best practices, based on the input from a diverse group of domain experts, vendors, and authoritative organizations, serves the larger community and help share community knowledge.
How to build multi-dimensional and up-to-date best practices
Best practices, when captured, must be associated with relevant task scenarios and organized so that the community can apply and use them as required by their specific situation. This organization can be achieved using “tags”, or metadata, within the structure of the information. Tags, in Web 2.0 terminology, are keywords or terms assigned to practices, and topics that enable efficient organization or information and rapid searching across large information sets.
As the availability of best practices increase within a given field of technology, massive repositories will contain best practices for every conceivable task scenario. To reduce the time required to find the specific best practice, or groups of practices, needed for a given task, each practice is tagged for multiple contexts and user requirements. As new task scenarios develop to support evolving compliance and business requirements, existing practices can be tagged for association with the new scenarios.
In addition to clear associations and organization, it is essential to ensure that best practices are kept up-to-date in the fast-changing technology world. The incredible amount of information in the form of whitepaper, blogs, books, presentations etc., is isolated and lacks the framework to be updated frequently. Referencing a best practice published several years ago might yield undesirable results. These best practices are continuously kept up-to-date on the easy-to-use web platform with dedicated contributors and a review and comments section for the public.
Who builds best practices and why?
In our increasingly ‘connected’ world, the best ideas and practices can come from anywhere. The key to leveraging best practices is to get up-to-date details of practices that have similar dependency factors and then share them globally.
A physician in India might operate on ten (10) to twenty (20) patients per day. But best practices that apply to a physician working with a large population, such as in India, might not be ideal for a physician in a small, rural hospital in the United States. By collecting best practices from experts with varying demographics and organizing them to be easily accessed by others in similar situations, we can substantially reduce the total time required to develop efficient processes in any given field and with any specific set of criteria.
For example, best practices collaboratively developed by physicians who operate on many patients might enable more rapid deployment of successful triage and treatment processes during a natural disaster in an area that typically does not service large patient populations.

Why use best practices for IT audit planning?
IT Audit is the process of collecting and evaluating evidences to determine if an organization’s information systems are:
• Designed to maintain data integrity and safeguard assets
• Positioned to achieve current and future organizational goals effectively
• Designed to use resources efficiently
An effective and efficient information system leads the organization to achieve its objectives and uses minimum resources in achieving the required objectives. IT auditors must know the characteristics of information systems in the organization while evaluating the effectiveness of any system since IT governance and strategy are critical to an organization’s success. IT auditors play a major role in identifying risks and gaps in the system.
Controls in an information system reflect the practices designed to provide reasonable assurance that business objectives will be achieved. IT controls also ensure effectiveness and efficiency of operations, reliability of financial reporting, and compliance with rules and regulations using a global best practice knowledge base, organizations can learn from others who have experienced the same or similar issues and quickly employ controls to mitigate risks.
To develop an effective risk assessment and audit plan, it is essential to break down the IT universe into smaller and more manageable components. Typically, IT sub-components are defined as infrastructure and applications systems
Infrastructure systems consist of hardware systems that include servers, routers, communications devices, desktops, etc. The hardware infrastructure controls the flow and processing of information throughout the organization.
Applications systems are typically the software used to record and store business transactions. Examples would be databases, enterprise resource planning systems, cloud-hosted applications, and business intelligence software.
The hardware infrastructure and applications are audited to ensure security, effectiveness, continuity, maintenance, and cost. The IT controls that monitor these elements are generally contained in security and risk management documents, business continuity plans, and service level agreements (SLAs). By leveraging the best practices developed at the component level, an IT auditor can quickly build an audit plan based on specific criteria and provide a risk assessment report of the IT environment.
Why Checklist 2.0?
Checklist 2.0 is building the premier repository of best practices for creating effective and comprehensive IT audit plans. Our global collaborative knowledge base is organized for easy access and rapid deployment. Our dedicated contributors and online community update and validate practices every day to ensure they remain up-to-date for changing business requirements. We welcome your thoughts and inputs. To contribute to our global IT Audit Best Practices, please register at http://www.checklist20.com

Xerox Repair Services – Reliable Choice of Professionals

Hp 3000 Series realm Of Feature-rich Computers

Kim Kardashian And APTs

On Wednesday, American footwear company Skechers agreed to pay the US Federal Trade Commission $40 million. This settlement resulted from a series of commercials that deceived consumers claiming that the Shape-Ups shoe line would "help people lose weight, and strengthen and tone their buttocks, legs and abdominal muscles." Professional celebrity Kim Kardashian appeared in a 2011 Super Bowl commercial personally endorsing the health benefits of these shoes.

This settlement was part of an ongoing FTC campaign to "stop overhyped advertising claims." A similar effort would serve the information security community well. For example, one particular claim that causes me frequent grief is: "solution X detects and prevents advanced persistent threats." It is hard, dare I say impossible, to work in information security and not have heard similar assertions. I have heard it twice this week already, and these claims make my brain hurt.

Hp Repair Contract – Forward-Looking Step towards Mental Peace

Carwasher. Net: CWE&S Excellent Services And Maintenance

Law Office Printers | Law Office Technology & Marketing

HDS Blogs: Storage Virtualization to Reduce Cost of Copies – The …

The View From Here: Where do you draw the line on securing your …

Year Of Security for Java – Week 20 – Trust Nothing

What is it and why should I care?
While trust spawns interesting philosophical discussions, here I want to discuss the implications of trust within the applications we build. Trust is a funny thing in that we implicitly give it frequently without considering what we’re trusting. A simple example:

//bad bad do not use
executeDbQuery("select * from my_table where id = " + request.getParameter("my_id"));
//bad bad do not use

Here we’ve said that we trust that the user of the application has not tampered with the my_id request parameter in any way that may cause problems for our application. Obviously this is a poor assumption. We can do better by moving the above query to a prepared statement with parameter binding to prevent SQL injection and we can also validate the my_id parameter for appropriate input, but why do we do that?

It’s because we don’t trust the input to our system. We don’t (and shouldn’t) trust that a user or system is going to use our application in the way we would expect, or even the ways we’ve thought of necessarily (a good reason against blacklisting for security). We must build systems that not only are functional (use) but stand up under attack (abuse) or ignorant usage. Our systems must be robust or as some have called it, rugged. Whatever your term, the idea of trust is either explicitly or implicitly central to the idea. We can’t trust the environment.

If we can’t trust the environment, what does that mean? Does that mean we deal with XSS and SQLi? Yes, but much more than that, it’s a different way of thinking about the application. It becomes that simple picture of input-processing-output at varying levels of scope. A single request has inputs (request parameters, headers, database input, etc.), processing (authn/z, logic, etc.) and outputs (DB, screen, file, etc.). The application as a whole has inputs, processing and outputs that are essentially the combination of all the individual components of the application, and then you can scale on up to systems and organizations.

The “environment” I’m referring to changes depending on your specific situation, and it’s difficult to say that you simply can’t trust anything, because that’s usually a non-starter. You may have to trust your configuration files or your external SSO system, or any number of other entities. The idea is that you specifically label those things as trusted (an assumption) and treat everything else as being tainted.

These types of issues are considered in threat modelling, which is another planned topic in this series. For now, it’s sufficient to simply note that you should be thinking in terms of what data am I taking in, processing and sending out?

What should I do about it?
Now that we’ve established the environment can’t be trusted, the next logical question is what constitutes the environment?

This could be a long answer depending on your setup, but a decent starting list for web applications in particular might look like the following:

• web request data (parameters, headers, body, cookies)
• database data
• directory data (ldap)
• filesystem data
• web service data (any data in headers or body)
• external system data (any data you receive from another system – software you’re integrating with)
• network connection data (any data you receive while acting as the “server” – generally socket-based communication)
• user input (command line input)
• system environment variables
• third party software (libraries that you call that provide you data)

This list is incomplete I’m sure, but the idea is there. Any data you receive from any of these users or systems is generally untrusted, possibly with certain organization/application-specific well defined exceptions. When you start to view your applications in this way, you start to build better protections around them. You build better defences, and better logging/auditing so that you can detect when something actually does break (it will, I promise). However, thinking in this way can go a long way to helping you build safer and more secure systems.

References
———–
http://www.ruggedsoftware.org/
http://www.schneier.com/book-lo.html
http://en.wikipedia.org/wiki/Robustness_principle
http://www.jtmelton.com/2012/05/01/year-of-security-for-java-week-18-perform-application-layer-intrusion-detection/
http://www.jtmelton.com/2012/04/10/year-of-security-for-java-week-15-audit-security-related-events/

Technorati Tags: Trust Nothing

Best of your business phone system hardware | the down coats cheap

Is The Time Right To Spread Your Risk?

For many years, security professionals have lived by the three pillars of risk management - AVOID, TREAT, ACCEPT. These great tenets have served the profession well, enabling CISOs to build appropriately secure networks at a tolerable level of cost. Unfortunately, as evidenced by the litany of security breaches we have seen over the past 12 months, it's clear that the landscape is changing. More than ever before, security is clearly a 'no-win' game.

The high profile attackers, state-sponsored or otherwise, are one threat - but it goes deeper than this. The keys to the kingdom are no longer in the hands of the generals and policy makers; their decisions and discussions are enabled by email, IM and IP telephony, all of which sit firmly in the domain of the IT department and system admin - and stressed, poorly paid employees do not make the ideal custodians of such critical information. As an example, Anonymous claims to have access to every classified government database in the US, but they didn't hack them - disaffected system administrators and employees simply opened the doors for them, or sent them the access codes.

As the broadening gap between our ambitions for a secure enterprise and our abilities to deliver on such a vision become self-evident, the time has come to pay equal attention to the poor cousin of risk management, "TRANSFER." For many CISOs, risk transference is a topic that is largely theoretical as, even when a task is outsourced, the risk associated with a breach commonly remains with the data owning organisation. Cyber insurance offers a different solution.

PC Peripherals » Cisco SMARTnet Hardware and Software …

How To Deal With A Wet Basement » Articles Alternative

City of Napa, Calif., Forms Insourcing Agreement With Ambulance …

University of New Brunswick Hacked, Login Data Leaked

Laser Printer – Ultra-Fast & Affordable Printing Brand

Do You Need Accounting Software For Your Small Business …

VERUS Specialist, Multilingual OCR Computer software (5000 …

Xerox Repair – Expansion of Printing Maintenance

Negotiating Oracle year-end deals

Basin Futures Articles » Businesses Are Shifting To Cloud Hosting In …

Active Resource Management – Choosing Maintenance Services …

Six reasons not to use the VoIP Internet telephony, Internet …

How we leveraged the Oracle Fusion Applications User Experience Patterns in JD Edwards

Oracle JD Edwards World Announces Release A9.3

Do You Need Accounting Software For Your Small Business? | Articles

Difference between Oracle’s Exadata and Exalogic

Oracle Exadata (Oracle Exadata Database Machine) is strictly a data processing solution offered by Oracle. Initially conceived and promoted as a solution for mainly large data warehouse data load processing, Oracle now boldly proclaims that Exadata is suitable for high concurrency OLTP applications as well. It’s important to understand that Exadata isn’t something you use in addition to your current Oracle databases – rather, it comes with its own prepackaged Linux based Oracle database. Exadata is a prepackaged box that consists of the Oracle Exadata Storage Server software , Oracle Database 11g software, in addition to Sun branded hardware (RAM and CPUs) and Infiniband network technology software. Oracle’s claims of ultra fast data processing with Exadata are well supported by actual field experience of several companies, making this a really big success for Oracle Corporation. In addition to enabling fast processing of heavy amounts of data, Exadata also helps you consolidate multiple Oracle databases into a single easily manageable system. It’s important to note that the Exadata package (servers, software, network and storage) is completely preoptimized and preconfigured by Oracle.

If you’re running high volume, mission critical OLTP applications, or if you are having problems making sure that your current Oracle databases can crunch through heavy loads of warehouse data, it’s time to take a close look at Exadata – it’s more than likely that you’ll be surprised at the ease with which you can transition to Exadata from your current Oracle database based applications. Oracle claims that you’ll need fewer CPUs to run Exadata as compared to a non-Exadata solution. Exadata is configured in a balanced format, in units of “Racks” that are similar to standard data center rack configurations – you can purchase a quarter, half or a full rack and you can easily upgrade to more processing power by ordering additional Exadata racks.

Oracle Exalogic (Oracle Exadata Elastic Cloud) is also an “engineered system” and is similar to Exadata in the sense that it’s also a prepackaged hardware plus software solution, designed to be managed and monitored as a single stack. However, the main purpose of Exalogic isn’t data crunching – it’s an engineered system designed to provide high performance for Oracle middleware using custom Java EE applications, Oracle Applications and similar enterprise level applications.

Both Exadata and Exalogic are part of Oracle’s new paradigm of “purpose built systems” that provide pretested and preconfigured standardized sets of hardware, smart storage, and network and software components. The key goals are easy implementation, high speed processing and easy scalability on demand. The fundamental idea behind Oracle’s engineered systems – that standardizing and optimizing al the components will provide a higher performance through the exploitation of the synergies among the various components seems to be borne by the experience of users..

The art of saving money, or how to do more with less… – Mainframe …

Characteristics Of A Good Home Healthcare Software

Why do the French get it for free?

What do they get for free you ask? Patent licenses. That’s right, costly patent licenses don’t apply to French developers. How did this information all of a sudden come to light? With the anticipation of Windows 8 being shipped by Microsoft, minus the popular Media Center installed, the blogs are a chatter about an alternative to Media Center. A French developer has created a completely free program called VLC Media Player. It comes highly recommended and is completely 100% free. VLC Media Player is not subject to MPEG-2 licensing fees…nice huh?

This kind of thing would never fly in the United States, but because the developer is French and considered a non-profit (as it began as a student project), it is out of the reach of lawmakers in the U.S.

While this goes against everything Copyright law was created to prevent – what does it mean for us? Free Media player for Windows 8!