Business Risk Management
- Vendor Security Risk Assessment, by Kashif
Manzoor (report, slides, audit
Most of the IT security standards are too general and can be overwhelming. Even if a company picks up one of these standards and decides to follow it and roll it out, it can still find the standard overwhelming, as most of the standards have hundreds of controls and practices that the company must instill in its culture. Despite the importance of security, the fact remains that companies usually do not treat this as a high priority unless there is either a big incentive for doing it (e.g. high profit) or a liability for not doing it (e.g. mandatory government compliance). For USA companies, various regulations (SOX, HIPAA etc.) have proven to be the motivating factor to implement IT security standards; unfortunately this motivation factor does not apply to offshore companies, since these regulations are not present in those
In my project I present a lightweight, easy to follow, concrete IT security risk assessment model (implemented as an Excel sheet) which USA companies can use to assess the IT security risk of their vendors.
Also related to: vulnerability management and assessment, information security
- Management of Information Technology Outsourcing under ITIL ITSM framework, by Szu Chia Cheng (report)
This report covered the Business Risk Management and Information Trust and Compliance issues, which discussed the management process of identifying, measuring, monitoring, and controlling the risks associated with an information technology outsourcing scenario. The major focus of this paper is to describe the monitoring process set up by the ITIL ITSM framework. The content of this project includes an introduction to IT outsourcing risks, the concept of ITIL (IT Infrastructure Library) and ITSM (IT Service Management), and the ITSM framework. For the case study part, the HP ITSM is discussed, covering how ITIL influences ITSM and the ITSM components, and the P&G ITSM experience with an IT outsourcing control tool is discussed, which told us that ITIL ITSM could manage IT processes effectively and gain more control power after outsourcing the IT operation.
- Sarbanes-Oxley Act (SOX) Project, by Subra
The grand framework of SOX, COSO (Committee of Sponsoring Organizations of the Treadway Committee), CoBIT (Control Objectives for Information and related Technologies) and their future trends with some managerial caveats are introduced. The trustworthy computing usage model from Microsoft is summarized to indicate the direction where modern software development is heading. This would become a de facto standard for all software corporations. In the COSO framework, ideas on Enterprise Risk Management are touched upon. ERM is not an end in itself, but rather an important means that helps an entity achieve its performance and profitability targets and prevent loss of resources. It helps an entity get to where it wants to go and avoid pitfalls and surprises along the way. Under CoBIT, CRM and the Key Performance Indicators using dashboard techniques to help top management evaluate projects are discussed, and IT is a major component of it. Some managerial intuition is given on how corporations are turning this new compliance into a financial opportunity. In that regard, the concept of a Single Compliance platform will be the wave of the future.
Keywords: Business Risk Management, Information
Trust and Compliance Issues, Trustworthy Systems Development.
Cross Link keywords: Dependable & Trustworthy Enterprises
Systems, Enterprise Information Security Policy.
Management and Assessment
- Vulnerability Management and Assessment, by Syed Haider (Riz) (report)
is a measurable and proactive process which enables organizations to understand the risk of certain vulnerabilities in their IT environment and ensure their network is not compromised. Assessing and managing risk relating to vulnerabilities requires that an organization understand the impact and cost of a successful attack on its environment. Automating the vulnerability management process with software provides a cost-effective way for organizations to do that. This paper addresses the methodology required for successfully conducting, reviewing, and maintaining an effective Enterprise Vulnerability Management program.
Related cases: eBay, AT&T
Information Trust and Compliance Issues (Sarbanes-Oxley Act)
- Exploring the Potential for a Unified Compliance Policy Approach for Publicly-Listed Companies in the Healthcare Industry Complying with Both Sarbanes-Oxley & the Health Insurance Portability & Accountability Act, by Sidhartha
We look at common parts of these compliance regimes in order to demonstrate that corporations can approach regulatory compliance through a uniform policy matrix in order to reduce cost without missing out on any regulations. We conclude by sharing industry trends and the growing corporate realization of regulatory compliance unification, which present-day CEOs cannot ignore.
- Information Trust and Compliance Issues under Sarbanes-Oxley Act: Case Study from Financial Service Industry, by Shu-shu Chou
This project is to explore the relationship between information trust and the Sarbanes-Oxley Act (SOX) issue. The SOX compliance requirements require the IT department to play a more proactive role in the overall company management infrastructure. Therefore, a close look at IT trust issues and governance topics is extremely important in the post-SOX era. There are many research projects and papers addressing this topic, and the purpose of this project will focus on the application side in a
The content of the project includes an introduction to major SOX and IT compliance concepts and tools, and an analysis of the application in the financial industry. Included in the case study are two financial service companies, Allstate and Moody's KMV. The conclusion and findings re-emphasize the importance of the close relationship with IT's role in building a trust and compliance enterprise in the future.
- Issues in Information Security and Verifiability for Biomedical Technology Companies, by Ryan Morlok (report)
Pharmaceutical, biomedical, and medical device companies face special IT requirements related to their use and storage of digital records. Regulated by the FDA, 21 CFR Part 11 allows such companies to use digital records and digital signatures in lieu of paper versions, provided they meet specific requirements in their implementation. In this paper, we look at the details of these requirements, and evaluate a risk-centric approach to compliance.
Keywords: FDA, 21 CFR Part 11, digital records, digital signature, compliance
- Information Protection Management, by Kshitij Shah (report, appendices)
The topic selected by me is Information Trust and Compliance Issues (SOX), and I have chosen to cover in more depth a single application of Confidentiality of Data, that is, Information Protection Management. This is as per the SOX Section 404 audit, which describes the importance of the IT component of internal control guidelines. Financial data must remain confidential in transit via email outside the corporate network, and this involves risks to confidential information, PCI/HIPAA/SOX/SEC violations, and also a huge reputation risk. The approach that I have used is a real-world application where consultants can actually use the questionnaires, risk assessment model and information protection worksheet provided by me to conduct assignments at client locations to address the problems of information protection.
Also related to: Business Risk Management, Strategic Vulnerability Management, Technical Issues in Incident Handling
An Information Protection Management Working Sheet can be provided on request.
- Trustworthy and IT Security - COBIT Framework, by Ellan Imad
Information technology is an important factor in achieving success in the information economy and central to an entity's operational and financial management. As a result, enterprise governance and IT governance can no longer be considered separate and distinct disciplines. Effective enterprise governance focuses individual and group expertise and experience where it can be most productive, monitors and measures performance, and provides assurance on critical issues. IT, long considered solely an enabler of an enterprise's strategy, must now be regarded as an integral part of that strategy. In my paper, I focused on COBIT, which is a framework that aligns IT with business strategy for any company. In addition, I analyze a case study on how Sun Microsystems implemented COBIT and what barriers they faced.
Dependable & Trustworthy Enterprise Systems
- Dependable and Trustworthy Enterprise Systems, by YoungHo Han (report)
As the business environment becomes more open, companies and their enterprise systems need to handle a greater number of customers and thus plenty of uncertainties and potential risks. Plus, enterprise systems increasingly deal with mission-critical applications that run non-stop. In this sense, the importance of reliability and uptime as well as performance is an essential part of enterprise systems. Since a short period of system downtime can cause a tremendous negative impact on a company's image as well as on its financial structure, business enterprises strive to make their systems more reliable, flexible, and protective. At the same time, companies also search for technology that can present them with not only more dependable and trustworthy systems but also cost-effective systems.
Information Security Policy
- Security Maturity Assessment of B2B Company - GlobalUBid.com Case Study and Application, by Tai Lan Chu (report)
will focus on introducing the risks which a B2B company might face and trying to develop general concepts to solve these possible crises by assessing the security maturity of the B2B companies from a case study. Furthermore, it will also discuss how a B2B company controls and manages IT security to prevent the risks from happening.
- Building an e-Healthcare,
As the internet rises and develops, every industry wants to make money by setting up a website on the internet. But e-business in the Health Care Industry is not easy to set up because this industry is too complicated, specific and professional. It is all about life, not a product. Now, something is changing. E-business will redefine the delivery, administration and management of health care during the next five years. Building an e-healthcare is not a dream. It can be put into practice in the future. Nowadays, the patient can look online with his symptoms and figure out what he has. He still needs to go to his doctor to get the prescription, or orders the prescription online and then goes to pick it up at the hospital. This process is still inconvenient. Can we see the doctor online and get the prescription by printing it out? All the diagnosis process is online. This idea has been practiced by General Motors (GM) and Medscape. It launched in 2001 only for the employees in two isolated cities of GM. The project will concentrate on three parts. One is the policy issue, HIPAA; another is the infrastructure; the other is administration. In the first part, e-healthcare work in hospitals and clinics must be related to HIPAA, the privacy of personal health information and electronic information transmission. The infrastructures and the applications used for e-business will be mentioned in detail.
of Information Technology Assets and the Diffusion of Cyber Insurance, by
Modern information technology (IT) environments are growing in complexity. In spite of these growing complexities and the challenges associated with successfully implementing Information Systems, firms in different industries are investing in IT assets to conduct their business online (Jonathan 2000). The recent trade press indicates that the number of security threats and successful attacks is increasing at an alarming rate (Russ 2000; Hartwig 2002; Anat and John 2003; Joanne 2003; Anat and John 2004). In spite of widespread adoption of electronic commerce internet applications, cyber risks are not yet well understood (Dave 2004). Thus one key challenge in successfully using IT assets lies in ensuring that these IT assets are secure and not vulnerable to security violations (Orlowski 1996; Smith 2004).
As a result of the growing potential and threat of security violations, IT managers are making non-trivial investments to secure their IT assets (Mears 2004). In terms of investments, to reduce the risk and damage from successful security violations, IT managers can pursue several choices, including (1) investments in IT security technology products and infrastructure (Abrams and Joyce 1995), (2) investments in developing and enforcing IT controls, including security training of employees, developing and enforcing acceptable use policies, and raising awareness regarding IT security issues, or (3) outsourcing the IT security tasks to reputable vendors (Desouza, Awazu et al. 2004; Endorf 2004; Goodwin 2004; Blum 2005). A more recent investment opportunity IT managers are pursuing is (3) to invest in cyber insurance (Gordon, Loeb et al. 2003; Lynn 2004).
- A Framework for Security Investment and E-commerce Law: An Economic Approach, by Sehak Chun and Wooje Cho (report)
In this study, we examine how different legal systems regarding e-commerce security affect the behavior of e-commerce firms and online customers. When a fraudulent online transaction occurs and the online customer disputes the transaction, in many European countries the online customer takes responsibility for the proof of her/his argument, but in the U.S. the burden of proof lies on the e-commerce firm (Anderson, 2002). Using math models, we intend to find the optimal level of e-commerce firms' investment in security and see how online customers' demand changes under the different regulations. A main finding is that under some conditions, the law that imposes the onus of proof on the e-commerce firms makes them more profitable, which is consistent with the prior finding that US banks spend on security more effectively than their European counterparts (Anderson, 2002).
- Trustworthy System Development: Grid Computing, by Sunghee Cho (report)
A grid computing environment results in substantial performance that can be comparable to that of a supercomputer, enabling high-level research or mass data analysis in cutting-edge sciences. Although grid computing has developed due to such high performance, many security and license issues have been noted due to the fact that computer resources are locally distributed. I will discuss grid computing in terms of the demand relevant to the issues and I will address the future direction
& Auditing Systems: Hardware and Software Defenses
- WORM is not enough!, by Soumyadeb Mitra (report)
Important documents like financial reports, customer communications etc. are increasingly being maintained by businesses in electronic format. These represent much of the data on which key decisions in business operations are based and hence must be maintained in a trustworthy fashion, safe from destruction or clandestine modification. Secure retention of such data is also increasingly being regulated by government regulations like the Sarbanes-Oxley Act or SEC Rule 17a-4. Thus there has been a recent rush to introduce Write-Once-Read-Many (WORM) storage devices. In this paper, we argue that simply storing records in WORM storage, as is the current focus, is far from adequate to ensure that the records are trustworthy. The key issue is that for data to be truly trustworthy its entire lifecycle has to be secured: starting from the process of creating it, to storing & maintaining it, and finally retrieving it. In this paper we show that it is possible to compromise both the maintenance and retrieval of records even if they are maintained on WORM.
- RFID Application & Issue, by Po-Chou Chen (report)
Nowadays, people hear more about RFID (Radio Frequency Identification) technology than ever before, since RFID is one of the critical technologies that will be likely to change their life in the near future. Most people who think that RFID is a brand-new technology would be surprised that the RFID concept has been used in a device for aircraft identification since World War II. Recent breakthroughs in RFID technology enabled element microminiaturization and cost reduction, which ultimately made it possible to commercialize this technology in different applications in the market. RFID technology has been in the spotlight and has been expected to initiate the next revolution in delivery and supply chain systems. However, like many other new technologies, RFID technology also brings some concerns for people as well as benefits. The biggest concern is the privacy issue, because using RFID technology might have a risk of disclosing some personal information to others. So far, there are some debates about the privacy issue of RFID technology application, either in legal or in moral perception. Despite the privacy concern, RFID technology has been implemented in various areas such as goods delivery and supply chain management systems. As the privacy issue is solved and the technology becomes more mature, RFID technology is expected to gain momentum in the future.
- Trustworthy Report-Privacy Issue, by Chi-Wen
Along with the need for information circulation, the internet became a necessary technology. Human beings use the internet for communication, business, entertainment and consumption. Mass circulation of information has become an irresistible trend. It became very easy to gather electronic documents of government, enterprise, and personal information through the internet, which often relate to private information. Because of commercial intent, many people further process multiple sources of information in order to enhance its added value and benefit from selling information accordingly. This phenomenon became much easier because of the overflow of information. For example, a marketing company or advertising agent can gather personal data through credit card bills, medical cases, phone registrations etc., and then resell them to relevant companies. Consequently, we should sincerely consider this negative development, and adopt appropriate methods to manage information collection and utilization in order to avoid the harm of information overflow. Otherwise, we can expect that information overflow will trigger a serious crisis of infringing privacy because of the tremendous demand for information exchange.
- RFID, by Thidarat Rattanalert (report)
In recent years, Radio Frequency Identification (RFID) has caught attention in the retail industry for better productivity. RFID is a generic term for the technologies that use radio waves to automatically identify individual items wirelessly, so as to track the entire circulation process of items from suppliers to end users. The actual adoption of RFID in the retail industry is quite slow. In addition to the security issue, data privacy is a big concern due to the possible unwanted revelation of confidential or personal data stored within the RFID devices. In this paper, I aim to make a proposal on RFID Security and Privacy. Moreover, I will mention the RFID concept, RFID system accuracy and scalability, the RFID transmission system, RFID standards, the benefit of the RFID supply chain, and examples and cases (from the Summary of a 21st Century Information Security: A Practitioner's Perspective; Dan Swartwood, Motorola Privacy Protection
- Consumer Privacy vs. Government Surveillance, by Michael Turnley (report)
This project investigates known public standards of consumer privacy and the surveillance practices of the American government. At the root of these issues is the evaluation of current civil liberties and laws in place and their applicability in the face of technological advancement. The privacy issue in this analysis is concerned with both an individual's communications and the tracking of their location and movement. This is accomplished by performing a state-of-the-art survey of current trends and practices. The technical aspects of this project are addressed by examining the following topics: technological means by which the US government tracks individuals, and practices the government uses to determine whom to investigate. The business aspects are addressed by looking into: proposed legislation for privacy, current laws, roles played by communications providers, and roles played by data resellers. The privacy issue evokes additional factors such as trust and safety, which will be addressed as well.
The emergence of terrorist-related issues has changed the lives of all Americans, and has renewed government interest in the daily lives of inhabitants of the US. Although most of these changes have been perceivable, such as the development of the terrorist security threat level system and the Department of Homeland Security, others have been overlooked, namely those regarding our data personalities in the digital realm. Moreover, with the era of ubiquitous computing, the issues of privacy and surveillance are slowly re-emerging and long-accepted policies are being reevaluated. Measures to protect our alternate representations need to be pushed to the fore so that we may make informed decisions regarding such information. This project is to serve as an informative, concise source that sheds light on a topic that affects all inhabitants of the United States.
- RFID Privacy Concerns and Compliance Issues, by Elahe Javadi (report)
Radio Frequency Identification, though not a new technology, has attracted attention in some parts of industry for a few years. The main advantages of RFID over optical barcodes are their uniquely identifiable authenticity and ability to be authenticated automatically. RFID tags and readers are still far from being a commodity for companies; therefore RFID hardware manufacturers are struggling to find an efficient way to achieve the so-called 5-cent-tag goal set by market analysts. On the other hand, customer privacy advocates have already established their campaign against what they call the "spychip" or "the big brother barcode". CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) has proposed model legislation for protecting individual privacy titled "RFID right to know act of 2003". The basic concern is that companies should notify consumers about RFID tag existence and provide them with the option to destroy it. In this paper, first I'll review the technology and the way it helps companies achieve their functional enhancement or reinvention goals. Then I discuss several of the challenges that exist in RFID deployment, including privacy as one of the biggest obstacles; and then I explain the solutions proposed by some organizations active in this area; finally, I'll introduce some guidelines concentrating on the privacy concern
Keywords: RFID, Privacy, EPC, Security, Threat
- An Investigation of Privacy Tradeoff on the Internet, by Fei Lee (report)
Privacy on the Internet may be considered as an economic tradeoff. Online consumers are willing to trade off private personal information for benefits or rewards such as a personalized user interface and product discounts. Organizations are willing to risk their reputations in order to collect as much customer information as possible. However, little is known regarding how to strike a balance between the tradeoffs that could satisfy both consumers and online firms. This paper aims to examine the relationship between online privacy, trust, and firms' reputation. We propose that consumers' trust towards online firms is associated with firms' self-regulated privacy policies. In addition, online firms' reputation can be enhanced if firms offer privacy awareness information or technical support regarding privacy concerns on their websites.
Trustworthy Supply Chains in Multinationals
- Trustworthy Supply Chains, by Frances Qian (report)
My project is about the security of supply chains. One important key concept of my project includes the descriptions of supply chain risks such as financial risk, hazard risk, operation risk and strategic risk. Effective frameworks and models for managing risks in supply chains are introduced and explained as well from a business perspective. In addition, this project also points out the relationship between supply chain security and the Sarbanes-Oxley Act. In terms of technology, this project lists available techniques and tools, such as Bluetooth, RFID, Wi-Fi networks, and so on. Examples from companies such as P&G, Sun, Dell, Amazon, Wal-Mart, and Motorola demonstrate how important it is for companies to make use of good risk management frameworks and models, and advanced technologies and tools, to configure the right combination of technologies, which can enhance the security of their supply chains and gain advantages. Moreover, security is achieved by the combination of people, policy, process and technology. Therefore, software security, partner cooperation and coordination, corporate policy and employee training are fairly vital to secure
Keywords: Trustworthy Enterprises Systems, Enterprise Information Security Policy, Trustworthy Systems Development, RFID
Insurance Portability and Accountability Act (HIPAA)
- HIPAA - Security and Privacy in the Healthcare Industry: A Survey of Industry Practices and Trends Relating to HIPAA, by Kathrine Meus (report)
As information in today's world moves closer to being completely electronic, issues in privacy and security become more and more prevalent. These issues are particularly of interest in the realm of the healthcare industry. HIPAA legislation was a great motivation for a revamping of the industry's technology infrastructures. HIPAA was just the first step on the way to completely electronic health records and integrated healthcare information technology. The spirit of HIPAA lives on through recent legislative movements and industry initiatives.
- Trustworthy under HIPAA in Healthcare Industry, by Eddy Tan (report)
April 13, 2003 was a landmark date for healthcare organizations throughout the United States. This is the day that the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule went into effect, carrying with it security implications in the form of privacy safeguards. HIPAA seeks changes or reforms in the following areas: portability of health insurance, prevention of healthcare fraud and abuse, administrative simplification, tax-related provisions, group health plan requirements and revenue offset. The federal government introduced HIPAA with expectations to lower health care administrative costs, improve the efficiency and effectiveness of the health care delivery system, and protect and safeguard patient health information. HIPAA regulation applies to every health plan, health care clearinghouse, health care provider and their business associates that transmit any administrative health information in electronic form. Every transaction within the corporate entity is subject to HIPAA requirements just as they are between such entities. Any record transmitted electronically, even in paper format, is subject to the privacy rules.