BullsEye Selected as a Master Contractor for Maryland Montgomery College’s Multi-Year IT Contract

Fulton, Maryland – July 11, 2018 – BullsEye Computing Solutions was selected by Montgomery College of Maryland as a Master Contractor for a five-year IT contract.

Under this IDIQ contract, BullsEye and its subcontractors will provide IT staffing and project-based services to the college and its affiliates in six (6) functional areas:

  1. IT Management
  2. IT System Management
  3. Information System Security
  4. Web & Internet Systems
  5. Application Support & Software Engineering
  6. Data Analytics & Reporting

BullsEye specializes in empowering technology and human resources to help customers achieve process efficiency and deliver high-profile, mission critical projects. The firm has 20 years of experience fulfilling business and IT needs of commercial and public organizations throughout the world. For more information, contact Elizabeth Hess at (410) 480-9443.

BullsEye plans to partner with Global Shield IS to bring additional information security and compliance expertise to the contract's respective focus areas.

Global Shield Information Services (GSIS) specializes in IT auditing for highly regulated government and commercial organizations. It supports public accounting firms with IT risk management capabilities and performs IT financial and security audits and information assurance work. For more information, contact Doguhan Avsar at (202) 656-4099, or visit https://globalshieldis.com/.

An Introductory Guide to Audit Readiness – Part 3


Continuing from Part Two, where we covered three of the four competencies within an organization and their procedures for audit readiness, we now turn to the fourth, Information Technology (IT), which can turn out to be the most complex.

IT audit readiness may include, but is not limited to the following:

  • Resource planning for the organization and readiness procedures
  • IT General Controls
  • IT Systems and application controls

IT resource planning for audit readiness

As discussed in Part Two, one of the roles in the planning process is to identify experienced team members who can contribute to the IT department's audit readiness, typically those who have already been through one or more IT audits. These individuals will be most familiar with the processes involved and will understand what the auditors will request, the types of tests they will run, and the systems and applications involved.

Identifying IT internal systems and applications for audit readiness

Audit readiness activities for the IT environment require identifying and evaluating the in-scope systems within the organization. The organization should be tracking, recording and reporting on any activities that involve the systems and/or applications covered by the audit readiness plan, including activities in any department that relies on those IT systems.

Activities may include:

  • Documented system certification and accreditation packages
  • Plans regarding system or application security controls
  • Project plans and/or agreements on any application interfaces
  • IT compliance procedures

Once the appropriate systems and applications have been identified, the audit process should move onto assessing the following two groups of controls:

  • IT general controls
  • IT application controls

IT general controls and IT application controls

The objective of IT General Controls (ITGC) is to provide assurance over the environment(s) in which in-scope systems and/or applications run. ITGCs establish the integrity of:

  • Processes and computer operations
  • Data and data files
  • Components and programs

The most commonly recognized ITGCs are:

  • Computer operations controls
  • Data recovery and backup controls
  • Data center security controls
  • Program management and program change management controls
  • System development life cycle (SDLC) controls
  • Access controls for data, applications and infrastructure

IT application controls, by contrast, operate within an individual application or system (for example, checks over the input, processing and output of transactions) and are intended to support the business processes that the application serves.

Consideration and preparation are key to any audit assessment. Ensuring that the organization's environments, systems and applications are identified and assessed will improve overall efficiency during any audit or assessment-related activity.

Global Shield IS specializes in IT audit readiness procedures. We are a global audit and advisory services company ready to help you become audit ready. Contact us today for advice.

Please note: These guidelines from Global Shield IS are for an organization's general information purposes only. They are not intended as legal or business advice. Global Shield IS offers its services to any business that has further questions related to its uncommon or unique circumstances; contact the office for further counsel and we will assign the most appropriate adviser to address each question specifically.

An Introductory Guide to Audit Readiness – Part 2

Continuing from Part One, where we covered the key milestones in the readiness process for an audit, as well as the timelines to consider for assessments in Governance, Risk Management, Compliance, Information Technology and Financial Reporting, we can now take a look at the following competencies within departments and their procedures for audit readiness:

  • The required leadership to support assessments
  • IT resources
  • The procedures of internal controls, and
  • Information Technology competencies – to be covered in Part 3

Required Support from Leadership

Support from leadership is reflected in an organizational culture that adopts audit readiness as a necessary company process. If leadership supports audit readiness procedures, it creates an environment of full cooperation at all levels of the organization and typically yields better results than in an organization without leadership support.

Full adoption and support from leaders across the organization results in complete engagement planning standards, defining who should be involved in the audit procedure and what their role will be in the readiness process. These leaders should have an ongoing, active role throughout the entire readiness process.

Audit Readiness for IT

Audit readiness for IT means having the right employees in place, with the right skills, aptitudes, experience and continuing education, who can identify drawbacks or obstacles and correct them along the way. These skilled individuals must also be able to establish practical solutions to implement, to analyze and address any manual or automated requirements for internal controls, and to determine and/or train the supporting staff required to assist in the readiness procedure.

Once IT leadership has put the appropriate readiness resources in place, both the staffing level of the team and each individual's skills need to be sustained and prepared for growth. Sustainability can be accomplished through continuous training and knowledge sharing within the department. Each team member should also receive challenging tasks or be assigned appropriate projects to grow the overall IT team skill set, further sustaining the readiness procedure.

Assurance with Internal Controls

Internal controls require a designed set of policies and procedures that are implemented and then maintained. Maintaining these policies and procedures provides assurance of steady and functioning business operations; of compliance with regulatory and legal requirements; and of reliable reporting.

Once an organization has demonstrated efficient internal control procedures and has been able to show that it is in good standing, this serves as a positive benchmark of the overall health of the organization, including its financial statements.


An Introductory Guide to Audit Readiness – Part 1

Understanding the audit readiness of an organization means being able to identify the audit requirements that need to be in place, from the infrastructure or back-end perspective through to the preparation needed from a financial reporting perspective.

Audit requirements may include:

  • Governance
  • Risk management
  • Compliance
  • Information technology – environment
  • Financial reporting
  • The financial close process

Each of these areas may pose a significant risk to the successful execution of an audit if it is not taken into consideration as part of an overall 'audit requirements' set. These elements are routinely overlooked or underestimated by executives and management, along with their teams. Executives and managers who need to lead these teams tend instead to focus on gaining a competitive edge in their industry and, at the most basic level, lack the understanding and knowledge required to prepare for and achieve the required readiness. They should instead turn to industry consultants for support and guidance while they focus on business success. Engaging a professional consulting firm from the beginning can lead to a successful audit along with reduced overhead costs while the audit itself is under way.

The time required to prepare

In most cases the effort and time required to prepare for an audit are misjudged once timelines are set, and more often than not underestimated. While each organization's timelines will vary with its unique business requirements, it typically takes from 6 to 18 months to achieve readiness.

The key milestones in the readiness process should include:

  • An overall readiness assessment
  • A compliance assessment
  • A financial reporting assessment
  • IT infrastructure/systems and data assessment
  • Corporate governance assessment
  • Any other business-specific requirements that need to be included in the assessments

IT and data assessments – the most time consuming

Global Shield IS considers all of the key milestones relevant and important to include in the timeline. Among them, the IT infrastructure, systems and data assessments usually require the most time to execute. With respect to timelines, audit-related engagements from Global Shield IS are professionally managed and supervised to ensure quality and use industry-specific audit processes.

Preparing for the IT and data assessments should also give any organization a clearer understanding of its business operations and of how to perform more efficiently and effectively going forward.


How PCI compliance is a major challenge for most businesses


Achieving PCI compliance is a tough challenge in itself; maintaining compliance until the next PCI assessment takes place is a much harder task.

Businesses that manage to meet PCI compliance requirements at first but fail their next assessment often remain unprotected in the interim and are at risk of a data breach or other high-impact security incidents. The cause is a lack of ongoing management: compliance is treated as an annual event instead of a continuous effort throughout the year. We have seen many examples, in both the public and private sectors, of the pitfalls of yearly exercises as opposed to continuous monitoring of the same controls.

Standards or procedures created to increase control

Organizations that process payment cards, such as payment processors, financial institutions, merchants and service providers, have standards and procedures to abide by that increase the security and controls around cardholder data, leading to reduced card fraud. Companies such as Global Shield IS understand an organization's required standards, offer compliance assessment services and produce a Report on Compliance (ROC) that serves as a guide for upholding the standards going forward.

Too many businesses stop paying attention to PCI compliance activities between assessments. They often do not realize that compliance is an ongoing effort; treated as one, it lets a business continually mitigate existing and newly arising risks.

If a business met the PCI compliance requirements at one assessment and failed the next, it most likely failed either to implement the standards properly or to apply the defined standards continuously.

Understanding the practice of continuous PCI compliance

Businesses can take control of their processes to uphold PCI compliance through practices such as:

  • Monitoring access and the mechanisms that enforce it, which may include Active Directory, Lightweight Directory Access Protocol (LDAP) directories, antivirus software, firewalls (hardware and/or software) and other access control mechanisms
  • Ensuring security breaches or security control failures are detected and addressed in a timely manner
  • Assessing how newly introduced systems or new developments affect PCI compliance, and updating accordingly
  • Assessing the impact of acquisitions and mergers on PCI compliance

Lack of resources to continue PCI compliance

Another challenge for businesses is the resourcing required to keep up with the demands of staying PCI compliant. Staff are often assigned to other duties or projects, allowing compliance tasks to fall lower on the priority list. This is most likely to happen after the initial or annual PCI assessment has taken place.

Businesses should conduct regular reviews with the assigned staff and communicate the necessity of performing each task required to stay compliant. Regular reviews should cover tasks such as:

  • Reviewing the required configurations and making sure they are actually applied
  • Reviewing data centers and audit logs on a defined, periodic basis
  • Verifying that the PCI requirements that must be continually in place still are
  • And so on…

The ongoing procedure of reviewing and monitoring the processes required for PCI compliance sets the necessary standard for performance. Achieving that standard of security should be considered business as usual for any business, large or small.
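As an added example (not part of the original post), the following Python script shows what "reviewing the required configurations and making sure they are applied" looks like when it is automated rather than eyeballed once a year: it parses an sshd_config-style file from a server in the cardholder data environment and compares it against a hardening baseline. The baseline values, the directive choices and both sample files are assumptions made for this example, not a quotation of the PCI DSS. The parser honours sshd's rule that the first occurrence of a directive wins, so a "fix" appended to the end of the file is correctly reported as ineffective, and it stops at the first Match block because directives inside one apply only conditionally.

```python
"""Configuration drift check against a hardening baseline.

Added example, not from the original post. The baseline values and the
two sample configurations are constructed for illustration; an
organization would maintain its own baseline as part of its
configuration standards.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed hardening baseline for an sshd_config in the cardholder data
# environment. Keys are sshd directives; values are the required settings.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",   # sshd defaults to INFO, so a missing line is drift
}

# Constructed sample: a config that looks fixed but is not.
WEAK_CONFIG = """\
# constructed sample sshd_config, not from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
# "fix" appended later: sshd uses the FIRST value it sees, so this is ignored
PermitRootLogin no
"""

# Constructed sample: the corrected configuration.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
LogLevel VERBOSE
"""


@dataclass(frozen=True)
class Drift:
    key: str
    expected: str
    actual: Optional[str]   # None means the directive is absent (daemon default applies)


def parse_config(text: str) -> Dict[str, str]:
    """Return the effective global settings of an sshd_config-style file.

    Keywords are case-insensitive and may be written 'Key value' or
    'Key=value'. As in sshd, the first occurrence of a keyword wins.
    Parsing stops at the first 'Match' block: settings inside it apply
    only to matching connections and are out of scope for a global check.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword with no value; leave it to `sshd -t` to reject
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)   # first value wins, later ones are ignored
    return effective


def check_drift(text: str, baseline: Dict[str, str] = BASELINE) -> List[Drift]:
    """List every baseline directive that is missing or set to another value."""
    effective = parse_config(text)
    drift: List[Drift] = []
    for key, expected in baseline.items():
        actual = effective.get(key.lower())
        # Values compared case-insensitively (yes/no flags, log levels);
        # tighten to an exact match for case-sensitive arguments such as paths.
        if actual is None or actual.lower() != expected.lower():
            drift.append(Drift(key, expected, actual))
    return drift


def report(text: str) -> str:
    """Human-readable summary suitable for attaching to a periodic review."""
    drift = check_drift(text)
    if not drift:
        return "OK: configuration matches baseline"
    lines = [f"DRIFT: {len(drift)} directive(s) differ from baseline"]
    for d in drift:
        shown = "<missing>" if d.actual is None else d.actual
        lines.append(f"  {d.key}: expected {d.expected}, found {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WEAK_CONFIG))
    print(report(HARDENED_CONFIG))
```

Running the script reports three drifts for the weak file (PermitRootLogin is still "yes" because the first line wins, MaxAuthTries is 6, LogLevel is missing) and "OK" for the hardened file. The same structure, a baseline plus a parser for the artifact being reviewed, carries over to firewall rule sets, database parameters or any other configuration a review checklist asks someone to "make sure is applied".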

Emerging Countries Still Lacking in IT Compliance

Emerging markets at the forefront of technology, yet still lacking in IT compliance

Until a short time ago it seemed inappropriate to invest in Information Technology (IT), let alone operate IT teams and systems, in emerging markets such as Africa, China, Brazil or the United Arab Emirates (UAE). In fact, governing bodies deemed it too risky and financially reckless. Today we instead look at these high-end emerging markets and their growth (especially in IT) as the so-called new frontier, given their ability to implement and use technology successfully and efficiently to their advantage and to set up functioning IT teams and systems. IT compliance, on the other hand, is another debate.

Entering or operating still a challenge

Although no longer deemed risky, entering these emerging markets and operating IT compliance departments in them is still challenging, especially where there is a prerequisite to invest in human or technological capability, or where one enters the market as a third-party technology entity that must rely on internal and even external IT teams and systems to operate. One would expect adherence to processes and enforcement of IT compliance, for present and future success.

When we look at attitudes toward compliance in emerging markets, every country faces different sentiments, ranging from complete disregard or passiveness toward compliance to a lack of understanding of the impact of non-compliance. Presently, IT and technology in general play a key role in the following factors for emerging countries:

  • enhancing infrastructures
  • leading business development
  • growing economies
  • socioeconomic status of people

Without IT compliance there is no conformity to specifications, policies, procedures and standards as a whole: no goals for IT departments to aspire to, and no effort by personnel to abide by them.

UAE – still at the forefront of technology

The UAE, regarded by the rest of the world as a rapidly emerging market at the forefront of technology, may lack IT compliance, but it is strongly encouraged by a governing body, the National Electronic Security Authority (NESA), tasked with protecting the country's critical information infrastructure and improving national cyber security overall, to adopt, apply and/or begin transitioning to the standards NESA has set. This is a positive step toward introducing, and in the near future enforcing and applying, IT compliance.

Despite the lack of IT compliance, the UAE has been able to invest in and execute cutting-edge technology in support of its infrastructure, such as motorway toll gates, automated passport controls and an automated airport smart gate system, to name but a few.

For such complex systems and the need for regulation, Global Shield IS undertakes compliance reviews and advises and trains entities on IT compliance and its advantages. It will be interesting to see where the future of IT compliance leads an emerging-market entity such as the UAE.

About our services – https://globalshieldis.com/services/

GSIS helps win Continuous Monitoring effort for large U.S. Department

10-19-2015

On October 19, 2015, Global Shield IS entered into a partnership with Constellation West to perform an on-going, multi-year review of the Continuous Monitoring implementation for a large Government Department in D.C.

This initiative will assist the Department in identifying the current status of their implementation Department-wide as well as identifying gaps and areas of improvement within the implementation.

GSIS is very excited for this new initiative and welcomes the chance to assist Constellation West with this effort!

GSIS enters partnership with State Street

05-13-2015

On May 11, 2015, Global Shield IS entered into a partnership with State Street bank to perform IT audit and internal IT review assessment related work. This initiative will assist State Street bank to manage and mitigate its current IT risks. GSIS is very excited for this new initiative and welcomes the chance to assist State Street with improving its overall IT security posture.

Three Steps to Improving Logical Access

3-29-2015

One of the most important IT control areas for any small, medium or large organization is logical access to resources such as applications and databases. Logical access is the process by which a user or object is identified, authenticated and/or authorized to an application, system, database or other object[1]. Every organization must implement logical access controls to protect valuable data and resources, both internally and externally. Logical access controls prevent data from being accessed by employees or external threats that might present a risk to the organization, and ensure that resources are accessed on a need-to-know basis, according to each individual's role within the organization.

If an organization chooses not to implement logical access controls, it runs the risk of losing proprietary data to the outside world, which could pose a threat to the organization. A search on logical access breaches turns up thousands of recent examples of data extracted for malicious purposes, both by employees and by outside threats such as hacking groups. The following three steps will enable an organization to implement logical access controls and provide a basic framework for protecting its data.

Step 1: Identify gaps and risks regarding logical access

The first step must be to assess what types of controls are currently in place to protect organizational data ("what do we currently have"). From there, an evaluation must be conducted to find out what types of controls are missing ("what do we need"). For each missing control, calculating the risk, impact and likelihood is a necessary part of this evaluation. Other criteria to consider are:

  • Documenting a system inventory of all applications, databases, interfaces and systems within your organization.
  • Excessive Privilege: What does each employee have access to? Are controls in place to ensure each employee has access to only what he or she needs to perform daily job duties? An example of excessive privilege would be if Sandra in Accounting had full access to the Human Resources system.
  • Are the Access Control policy and procedures built off of a framework? Examples of frameworks are COSO, COBIT and NIST.

Step 2: Develop access control policy and procedures

The second step is to develop an access control policy and the procedures that implement it. The policy dictates an organization-wide process for implementing the access controls. Although developing a new policy can be a daunting task, the NIST, COSO and COBIT frameworks offer a great deal of information, including templates, for developing your access control policy and procedures.

Once the policy and procedures are outlined and developed, they must be reviewed, revised and tested for errors and omissions. All parts of the organization must be involved in the development process to make sure that every department's opinions and concerns are taken into consideration. For example, if the policy is left strictly to IT management, it might restrict access so much that no one can conduct his or her daily duties; on the other hand, if HR develops the policy, it might be too lenient and fail to address threats appropriately.

Step 3: Continuously monitor and update with any changes

As the world evolves, so will its threats, vulnerabilities and risks. Therefore, the last step in improving logical access is to continually monitor and update the implemented policy and procedures as necessary. In addition, reviews of access rights should be conducted periodically, as deemed necessary by the organization or as dictated by policy. This ensures that all changes to the organization are considered and reflected in the access policy.
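The following Python script is an added example, not code from the original post, showing how Step 1's excessive-privilege check and Step 3's periodic review can be run together as one repeatable job: a role-to-entitlement matrix (the organization's least-privilege policy from Step 2, expressed as data) is compared against the entitlements actually granted, and every grant is also checked against a re-certification period. The role matrix, system names, users, dates and the 90-day review period are all constructed assumptions; the "Sandra in Accounting with full access to the HR system" case from the article is included as the user sandra.

```python
"""Periodic access review against a least-privilege role matrix.

Added example, not from the original post. ROLE_MATRIX, the users,
the system names and the 90-day review period are constructed
assumptions; an organization would derive the matrix from its own
access control policy and pull entitlements from its directory or
application admin exports.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Step 2 output, as data: what each role legitimately needs on each system.
# Anything not listed here is not authorized for that role.
ROLE_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "accounting": {"erp": {"read", "write"}, "expense": {"read", "write"}},
    "hr":         {"hris": {"read", "write", "admin"}, "erp": {"read"}},
    "it_admin":   {"hris": {"admin"}, "erp": {"admin"}, "expense": {"admin"}},
}

REVIEW_PERIOD_DAYS = 90           # assumed policy value
REVIEW_DATE = date(2015, 3, 29)   # "today" for the sample run


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    system: str
    rights: frozenset
    last_reviewed: date


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    kind: str     # excess_rights | unknown_system | unknown_role | stale_review
    detail: str


# Constructed sample export of what is actually granted today.
SAMPLE_ENTITLEMENTS: List[Entitlement] = [
    Entitlement("alice",  "accounting", "erp",     frozenset({"read", "write"}),          date(2015, 2, 1)),
    # Sandra in Accounting with full access to the HR system
    Entitlement("sandra", "accounting", "hris",    frozenset({"read", "write", "admin"}), date(2015, 3, 1)),
    Entitlement("bob",    "hr",         "erp",     frozenset({"read", "write"}),          date(2015, 3, 10)),
    Entitlement("carol",  "it_admin",   "expense", frozenset({"admin"}),                  date(2014, 11, 1)),
    Entitlement("dave",   "contractor", "erp",     frozenset({"read"}),                   date(2015, 3, 20)),
]


def review(entitlements: List[Entitlement], today: date,
           review_period_days: int = REVIEW_PERIOD_DAYS) -> List[Finding]:
    """Compare granted entitlements with the role matrix and the review period."""
    findings: List[Finding] = []
    for e in entitlements:
        systems = ROLE_MATRIX.get(e.role)
        if systems is None:
            findings.append(Finding(e.user, e.system, "unknown_role",
                                    f"role {e.role!r} is not defined in the role matrix"))
        elif e.system not in systems:
            findings.append(Finding(e.user, e.system, "unknown_system",
                                    f"role {e.role!r} has no entitlement on {e.system!r}"))
        else:
            excess = e.rights - systems[e.system]
            if excess:
                findings.append(Finding(e.user, e.system, "excess_rights",
                                        f"rights beyond role: {sorted(excess)}"))
        # Step 3: every grant, compliant or not, must have been re-certified recently.
        age = today - e.last_reviewed
        if age > timedelta(days=review_period_days):
            findings.append(Finding(e.user, e.system, "stale_review",
                                    f"last reviewed {age.days} days ago (limit {review_period_days})"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, for the review meeting's one-line status."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(SAMPLE_ENTITLEMENTS, REVIEW_DATE)
    for f in results:
        print(f"{f.kind:15} {f.user:8} {f.system:8} {f.detail}")
    print(summarize(results))
```

On the sample data the run produces four findings: sandra's grant on the HR system is outside her role entirely, bob holds a "write" right his HR role does not include, carol's otherwise legitimate admin grant has not been re-certified within 90 days, and dave's "contractor" role does not exist in the matrix at all (a common sign that the system inventory and the policy have drifted apart). Keeping the matrix as reviewable data rather than buried in individual systems is what makes the Step 3 review repeatable.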

To close, access controls are a necessary and integral part of any organization, no matter its size. Every organization must implement logical access controls to protect its data and resources from internal and external threats. The steps above are general and will help you get started; each organization will have to tailor them, adding steps where a risk exists and removing those that do not address a risk at the time. Implementing these steps also does not guarantee that you will pass an IT audit. For assistance in understanding the requirements of an IT audit or for help getting optimal results, please contact us. As always, if you or someone you know needs assistance in understanding or implementing a new access control policy, please do not hesitate to contact us at [email protected].

————————

[1] Not to be confused with physical access control, which can accomplish the same end, but not through software alone.

Annual Update

3-23-2015

We have had a great start to the year! As of last week, we have helped CRG win the option period at WHS to continue our ongoing support in helping WHS FMD become compliant with NIST SP 800-53 controls. In addition, we continue to support DLA with ongoing SSAE 16 efforts. Lastly, we are branching out to obtain commercial engagements in 2015, with multiple contracts in the works across the U.S.