I don't know about you but models have intrigued me ever since I was a kid playing with Meccano and Lego. There's something fascinating about the structure and relationships making the whole thing greater than the sum of its parts. So when I heard about a new model linking people, process, technology and organizational design/strategy in the context of information security , I couldn't resist a look. A PDF presentation of the ICIIP model gets off to a good start, representing it as a nice symmetrical three-dimensional tetrahedron rather than so many other flat two-dimensional tabular models. It even has information labels on the six connections (described as "tensions") between the four nodes as well as on the nodes themselves. The tensions are governance, architecture, culture, human factors, enabling and support, and 'emergence' (representing the inherent complexity and emergent properties of any organizational system). Digging a bit deeper, authors ...

The field of corporate governance exploded onto management’s agenda following Enron’s collapse in 2000/2001 and the introduction of SOX (Sarbanes Oxley Act) in 2002. There has been some public discussion of IT governance since then but information security governance is still emerging from the murk. In August's security awareness module we expand on what ‘governance’ means and how it relates to information security in particular. It affects our target audiences (staff, managers and IT professionals) differently so we explain the implications in practical terms, covering the essential elements that everyone should comprehend. You may have seen the recent news about the arrest of a network administrator in San Francisco. As reported, the accused (Terry Childs) was solely responsible for designing, operating and securing the city government’s network. He allegedly refused to disclose the network admin passwords at first, preventing others from managing the network in his absence...

Mike Blakley wrote a fine piece in EDPACS on using SQL queries to interrogate a database system for audit purposes. Abstract: "Organizations, both large and small, are increasingly reliant on database systems for their operational support needs. This is due to the adoption of accounting systems ranging from large enterprise resource planning systems, down to departmental or even desktop-based database systems. The traditional audit approach used to account for data stored in databases has relied on information technology or other support staff to extract data for audit, which was then tested by others, often technical specialists. An alternative approach, which also provides greater audit independence, is to increase the knowledge level and skills of audit staff so they can obtain this data directly and perform their audit tests independently. This article may have relevance to other IT system audits." In the same issue, Fred Cohen discusses the specification of control requi...