Tuesday, December 23, 2008

World Bank Bans IT Vendor

It's been months since reporters started pelting the World Bank with questions about rumors that hackers had infiltrated their records and stolen large amounts of financial data.

Being a global financial organization, the World Bank did what any pseudo-respectable organization would do - they stonewalled like hell.

Indirectly confirming what many of us already knew to be true, the World Bank admitted that Satyam Computer Services, a leading India-based IT vendor, was barred nearly a year ago from doing any business with the bank, with the ban taking effect in September. Hmmmm. Think there's a connection?

This makes it a bad week to be Satyam, which counts roughly a fifth of the Fortune 500 among its clients and also trades on the NYSE. Those relationships reportedly generate about $2 billion in sales under outsourcing agreements.

Trends toward outsourcing critical IT functions make it all the more necessary to hold vendors to IT controls and substantiation requirements that are at least as robust as, and often more robust than, a firm's own internal controls.

From an information lifecycle perspective, how is information tracked from creation to destruction, and at all points in between? What controls are in place, and what sort of testing is performed to validate the effectiveness of those controls? 

When controls are found to be ineffective, what steps are taken to either enhance these controls, supplement them, or replace them with entirely different control sets?

What are the hand-off points for critical data? When data is created, how is it transmitted and used? What systems process it, and who has access to it, including the system and database admins who provide maintenance and support?

Is separation of duties enforced, and are security admin roles kept segregated and distinct from production roles? What's the audit methodology, and how are the IT control audits validated?
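The two questions above, who can reach a given data set (admins included) and whether separation of duties actually holds, are ones a vendor should be able to answer from its role assignments rather than from memory. Here is an added example of turning them into a mechanical check; it is not code from the post or from any vendor named in it, and the users, roles, data sets and toxic role pairs are constructed for illustration:

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed sample access data for this example; every name is hypothetical.
// roleMembers: who holds each role, as exported from a directory or IAM system.
var roleMembers = map[string][]string{
	"db-admin":       {"alice", "carol"},
	"security-admin": {"bob", "carol"},
	"app-operator":   {"dave"},
	"analyst":        {"erin", "alice"},
}

// roleDataAccess: which data sets each role can read or change.
// security-admin manages accounts and audit settings, not production data.
var roleDataAccess = map[string][]string{
	"db-admin":     {"ledger-db", "customer-db"},
	"app-operator": {"ledger-db"},
	"analyst":      {"reporting-warehouse"},
}

// toxicPairs: role combinations that break separation of duties. Whoever
// administers the security controls must not also hold a production role.
var toxicPairs = [][2]string{
	{"security-admin", "db-admin"},
	{"security-admin", "app-operator"},
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// rolesByUser inverts roleMembers into user -> sorted roles.
func rolesByUser() map[string][]string {
	out := map[string][]string{}
	for role, users := range roleMembers {
		for _, u := range users {
			out[u] = append(out[u], role)
		}
	}
	for _, rs := range out {
		sort.Strings(rs)
	}
	return out
}

// WhoCanReach answers "who has access to this data set?", admins included,
// returning user -> the roles that grant the access.
func WhoCanReach(dataset string) map[string][]string {
	reach := map[string][]string{}
	for role, sets := range roleDataAccess {
		if !contains(sets, dataset) {
			continue
		}
		for _, u := range roleMembers[role] {
			reach[u] = append(reach[u], role)
		}
	}
	for _, rs := range reach {
		sort.Strings(rs)
	}
	return reach
}

// SoDViolations lists every user holding both roles of a toxic pair.
func SoDViolations() []string {
	var v []string
	for user, roles := range rolesByUser() {
		for _, p := range toxicPairs {
			if contains(roles, p[0]) && contains(roles, p[1]) {
				v = append(v, fmt.Sprintf("%s: %s+%s", user, p[0], p[1]))
			}
		}
	}
	sort.Strings(v)
	return v
}

func main() {
	fmt.Println("ledger-db reachable by:", WhoCanReach("ledger-db"))
	fmt.Println("SoD violations:", SoDViolations())
}
```

Run against a fresh export of the vendor's role assignments on a schedule, the output is the evidence for the audit question rather than an assurance letter. Note that the check is only as good as the export: roles granted directly on a database or host, outside the directory, will not appear in it.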

Finally, how is information protected as it's moved from production to storage? Encryption, anyone? Access control? 

How about destruction? When the information is no longer needed for business reasons, how is it destroyed, and what sort of validation is provided?
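One design that answers the encryption question and the destruction question together is cryptographic erasure: each record is encrypted under a data key that is held separately, access to the data is governed by access to that key, and destruction means destroying the key, which can be validated by trying to decrypt what is left in storage. The following is an added example, not code from the post or from any organization it names; the in-memory key store and the record layout are assumptions for illustration, and a real deployment would keep the keys in an HSM or KMS:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what lands in storage: ciphertext, its nonce, and the id of the
// data key that protects it. The key itself never sits beside the ciphertext.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore holds 256-bit AES data keys by id. This in-memory map stands in
// for an HSM or KMS (an assumption for the example); access control on the
// real key store is what limits who can read the records.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key " + id + " does not exist")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext under the named data key, generating the key on
// first use. The key id is bound as associated data, so a record cannot be
// silently re-pointed at another key.
func (ks *KeyStore) Store(keyID string, plaintext []byte) (Record, error) {
	if _, ok := ks.keys[keyID]; !ok {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return Record{}, err
		}
		ks.keys[keyID] = k
	}
	g, err := ks.aead(keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(keyID))
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Retrieve decrypts a record. It fails if the key has been destroyed or if
// the nonce, ciphertext or key id was altered in storage.
func (ks *KeyStore) Retrieve(r Record) ([]byte, error) {
	g, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyID))
}

// Destroy crypto-shreds every record stored under keyID: the key material is
// overwritten and dropped, and the ciphertexts become unrecoverable.
func (ks *KeyStore) Destroy(keyID string) {
	if k, ok := ks.keys[keyID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, keyID)
	}
}

// VerifyDestroyed is the validation step for the destruction question: the
// record counts as destroyed only when it can no longer be opened.
func (ks *KeyStore) VerifyDestroyed(r Record) bool {
	_, err := ks.Retrieve(r)
	return err != nil
}

func main() {
	ks := NewKeyStore()
	// Constructed sample record for the demonstration.
	rec, _ := ks.Store("customer-2008", []byte("acct 12345 balance 100"))
	pt, _ := ks.Retrieve(rec)
	fmt.Printf("before shred: %q\n", pt)
	ks.Destroy("customer-2008")
	fmt.Println("destroyed and verified:", ks.VerifyDestroyed(rec))
}
```

The caveat a practitioner will want: erasure by key destruction is only as complete as the key's custody. If the key was ever copied into a backup, a log, or a developer's laptop, the ciphertext is not gone, so the validation evidence has to cover where the key has been, not just that decryption now fails.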

Business today is all about information - creating it, using it, running analytics and spinning out reports to be actioned, data warehousing, marketing, correlation and business intelligence.

Much like a company's business plan and future strategy, information is valuable and needs to be protected. Lax oversight by the World Bank shows what can happen if this responsibility is neglected. The only difference is that most people won't pull their deposits from the World Bank.
