Art of Info Sec 002: GTAGs and Safe Harbors
The Institute of Internal Auditors has been releasing a white paper series on issues related to IT Risk Management and Information Security. The paper’s are titled as GTAGs, which is an acronym for Global Technology Audit Guidance. The project is very ambitious, trying to break down major technical topics, the IT risks associated with them, and the controls that are available in a concise format accessible to senior risk executives.
Of the nine that have been released to date, several caught my eye. Here are the ones I would like to highlight:
- Auditing Application Controls
- Change and Patch Management Controls
- Identity and Access Management
- Information Technology Outsourcing
- Managing and Auditing Privacy Risks
- Managing and Auditing IT Vulnerabilities
You can find the library of papers at The IIA’s GTAG portal. New materials are released regularly.
In Other News…
Earlier this month I participated in a Webinar titled “Getting More Encryption for Less”. At the end of the call there were a few interesting questions during the Q and A session, one of which I wanted to recap here…
Question: Will Federal Privacy Regulations include Cryptography Standards for “Safe Harbors” ?
- Discuss what a Safe Harbor is, using California Security Breach Information Act (SB-1386) as an example
- Introduce NIST, FIPS, and FIPS 140-2