Garland Group Blog

Archive for May, 2006

Auditor | A Dirty Word

The Community May 18th, 2006 0 Comments

When the word ‘audit’ or ‘auditor’ is used in a sentence there is often an immediate cringing effect that happens in our minds. People have learned to fear the audit and, as such, auditors. We have found this to be true in our line of business; we are constantly being categorized as auditors. People immediately get nervous when we start asking questions, for fear that the next answer will have them fired. THIS IS NOT THE CASE!

It has always been an ongoing fight to help people understand that we are more consultants than auditors. Our goal is NOT to judge or get people in trouble, but to improve policies and procedures for the security of the employees, banks, and ultimately, their customers. So, like we tell all of our clients, “We’re the good guys here. We’re here to help.”

Keylogger spying at work on the rise, survey says

The Community May 17th, 2006 0 Comments

The number of companies reporting a spyware infestation has increased by almost half in the past 12 months, according to a new survey.

In addition, 17 percent of companies with more than 100 employees have spyware such as a keylogger on their networks, said the authors of the annual Websense Web@Work survey, published on Tuesday.

“This is almost 50 percent growth in the instances of keyloggers that organizations are reporting back,” said Joel Camissar, a manager for Internet security specialist Websense. “Despite the organizations’ having a ‘best of breed’ antivirus, anti-spyware and firewall, we are still detecting a huge amount of back-channel spyware communication.”

Spyware is seen as an increasingly serious security problem, and the U.S. Federal Trade Commission has pledged to take action against companies that distribute it. The software is installed on machines without the owner’s knowledge to track their online habits, sometimes via a keylogger, which records the user’s keystrokes.

One reason for the growth in corporate spyware infestation is a massive increase in the number of spyware-making toolkits being sold online, said Camissar, who referred to some research that Websense conducted earlier this year in partnership with the Anti-Phishing Working Group.

“In April 2005, there were 77 unique password-stealing applications. In the latest March report, there were 197. Unique Web sites hosting keyloggers in the same time frame have gone up from 260 to 2,157—almost a 10-times growth,” Camissar said.

The Websense survey also discovered …

Entire Article HERE

Credit card security rules to get update

The Community May 17th, 2006 0 Comments

SAN FRANCISCO—Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.

The update is a response to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday.

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. “There is an increase in application-level attacks,” Maxwell said.

While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer …

Click here to read article…

Policies, Procedures, and Starbucks

The Community May 8th, 2006 0 Comments

What is a policy? What is a procedure? To many this can be a deceptively confusing topic. What is the difference between the two? Where do you draw the line? These are strangely important questions, and the answers can affect your workload in a very real way. So how do we cope? Well… we have two options:

1. Put plainly and simply, the first option is to actually establish your policies and procedures. To this end, remember that a policy is a very high-level statement briefly stating an organization’s stance on a particular topic. Ideally, this statement should be periodically reviewed and only rarely modified or updated. For example, I will use my organization’s policy regarding coffee expenditure.

Policy: The Garland Group recognizes the plight of the local barista and as such will devote far too large a percentage of each employee’s salary to our local Starbucks.

Procedure: To accomplish this goal, management has developed the following procedures to assist in the daily function of this duty.

1. Every Monday each individual shall purchase exactly one of his/her favorite blends before 10 a.m.

2. Every Tuesday each individual shall purchase his/her favorite blend + one food item. This may be any food item so long as it is loaded with enough sugar to seriously injure a domestic cat.

3. Every Wednesday each individual is allowed to make a purchase of his/her choosing so long as:

a. It is accomplished before the close of business.
b. It is not good for you.

4. Every Thursday each individual shall purchase his/her favorite blend before 10 a.m. Additionally, you may purchase another beverage of your choosing in the p.m. to satisfy the addiction to caffeine that you have developed as an employee of The Garland Group.

5. Every Friday, you may fill out an expense report detailing your self-help books/medications in helping you deal with your newfound addiction, so long as:

a. You repeat this exercise at the opening of business on Monday.
b. These expenditures do not actually cure you of your newfound addiction.

2. Now remember I said there is a second option. Well, there really isn’t. I just said that to encourage you to read this far. Now that you have… you might as well read to the end.

Typically, as a best practice, all policies should be reviewed and approved at least annually by the Board of Directors or some similarly entrusted governing body. If it is a well-developed policy… meaning it provides clear direction without being so specific as to require frequent modification, annual review should be more than ample. In this case, our policy should only need modification in the event that we choose to no longer recognize the plight of our local barista, or if Starbucks were to no longer do business in this area.

On the other hand, procedures need to spell out proper execution of a policy. Because procedures by their very nature are specific, they will typically require review and updates on a much more frequent basis than a policy. In this case, we may discover that it is possible to get real work done before 10 a.m. if we drink our coffee earlier on Monday. As a result, the procedure would need to be reviewed and approved much sooner than next year to reap the expected benefits. In this case, we may bring the procedures in front of a steering committee at the end of the month, or simply have a manager approve the procedure. Hopefully, though, my boss doesn’t read this and adjust his expectations of my performance accordingly.