WHS enters FISCAM

02-11-2015

With the Department of Defense (DoD) continuing its efforts of moving to the Risk Management Framework (RMF), Washington Headquarters Services (WHS) Financial Management Directorate (FMD) has established an independent team, which includes Global Shield IS, to perform a Federal Information Systems Controls Audit Manual (FISCAM) assessment of its Enterprise Resource Planning application and its surrounding environment.

FISCAM was established by the Government Accountability Office (GAO) and the President’s Council on Integrity and Efficiency (PCIE) as a complement to the Financial Audit Manual (FAM). FISCAM presents a methodology for performing information system control audits of Federal and other governmental entities in accordance with professional standards such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

The FISCAM methodology provides a top-down, risk-based approach which evaluates:

  • Entity-wide controls and their effect on audit risk
  • IT General and Application controls and their impact on transaction processing

The FISCAM IT controls model is depicted below, starting with the General Control categories and ending with the Business Process Application Controls.

[Figure: FISCAM IT controls model, from the General Control categories down to the Business Process Application Controls]

The FISCAM team is conducting on-going testing efforts through March 31, 2015.

Must Have Essentials for Client Serving Professionals

1-02-2015

As client serving professionals we all hate those “Oh No!” moments when we forget a critical piece of equipment or documentation we absolutely must have to complete our task or objective. Over the years I have personally gone through many of those moments where I found myself without the right piece of equipment or access I needed to help get my tasks accomplished from client sites. This was mainly due to higher security standards at our client sites which resulted in denial-of-access to our home office servers, cloud access, VPN and plenty more.

Detailed below are the “tools” in my workbag that have helped me with workarounds when those access issues occur at client sites.

Necessities:

  1. Work Laptop: This might seem a given; however, I added it to the list because a lot of clients have you working from their computers, which limits access to your corporate file shares back at the office.
  2. Personal Hotspot or Cell Phone with Tethering capabilities: I have had many client sites where I did not have a reliable Wi-Fi connection that allowed me access to the Internet, therefore I have found tethering to be invaluable. This technology has saved me a number of times over the years. If you also don’t feel comfortable using a shared connection at a cafe for example, this solution helps create a personal network for just you at almost any public location. Don’t forget your charger!
  3. USB Powered Portable LCD Screen: This is another critical piece of equipment that has saved me a lot of trouble over the past couple of years. If you work in the audit or consulting field, dual screen setups save a lot of time. However, you find yourself limited when traveling with access only to your laptop screen. Portable LCD screens can be rather inexpensive and fit nicely into most workbags.
  4. USB Powered Smart Card Reader:  For working professionals with Government clients, this is a great help if you are working remotely and the client allows you to access their network with your CAC card.
  5. Portable USB hub (at least four port): With laptops constantly shrinking and most equipment working off of USB, it is important to have at least a four port USB hub so you can connect everything at the same time. Disconnecting and reconnecting equipment can become tedious after a while especially when you need to disconnect your wireless mouse to plug in your smart card reader and vice-versa, over and over.
  6. Cloud account or personal Cloud drive: This is a more recent technology that I have found to be extremely valuable, especially for people working with multiple clients. As traveling professionals we sometimes find ourselves on our work laptops, client machine(s) or personal machines, yet need access to files on central storage no matter where we are. Having certain administrative files accessible no matter which machine we are on saves a great deal of time and stress. However, I do not recommend storing any client files in the cloud at this time. Before adding client files to any central storage, discuss it with your client.
  7. USB Storage Stick: Having this as backup is helpful for emergency situations. It also helps transfer files when you do not have access to an Internet connection.
  8. Video Adapter: It is helpful to have a video adapter to connect a DVI or VGA monitor to your Apple machine. I would also recommend a DVI or VGA to HDMI adapter for newer Windows laptops. These adapters are rather small and can be kept hidden in your workbag for when the situation arises.

Convenience:

  1. Wireless Mouse: Not a necessity by any means, however I find this to be an easy-to-carry piece of equipment that makes daily work life a little easier. Make sure to carry an additional rechargeable battery for emergencies.
  2. Headphones: I also carry noise-canceling headphones in my bag while traveling, which includes my daily commute on public transportation to client sites. This personally helps me focus when listening to radio or reading.
  3. Tablet and/or paper notebook: I alternate between a tablet and a notepad for taking notes during meetings or personal items I need to remember for later. This is just more of a convenience especially if you use Evernote or similar software to plan and execute tasks.
  4. Additional pens and paper: I carry a few extra pens and small notebook just in case any of the technology above decides not to play nice that day. This has saved me time during work allowing me to deal with troubleshooting issues after work hours.

And there you have it. I carry these items with me at all times in my workbag (backpack). I can’t say it’s a lightweight bag to carry around (not backbreaking either), however it has basically become my mobile office, allowing me to be 100% productive in almost any situation including restrictive client sites, hotels, airports and cafes. If you have additional items please share in the comments section!

Configuration Management: Why You Should Care, No Matter Your Size

12-30-2014

As technology advances and more companies turn to computer software to digitally process their data, many of those companies overlook a very critical business process known as Configuration Management[1]. At a high level, Configuration Management (CM)[2] is the process of managing and tracking all changes within an entity, be it an individual server or an entire organization. It can quickly become a complex and labor-intensive process; however, implementing the basic fundamentals matters most. The official definition as stated by the National Institute of Standards and Technology (NIST)[3] is as follows:

Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

Over the course of the past ten years, we have observed companies, large and small, overlook this process as a whole or mismanage it by not segregating duties among several individuals, inherently introducing significant risk to the organization. As a result, lack of proper CM has resulted in non-functional software, data errors, system downtime, compromise of data and even financial fraud within an organization.

To minimize these costly risks it is important to incorporate a CM process to properly manage changes within your organization. Luckily, this process can be tailored to your organization depending on size and capabilities. NIST has a highly detailed publication, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, which covers CM in large, complex environments. The controls used to periodically check that the process is working as it should are in a separate publication, NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations[4]. In addition, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) offers a less detailed, financially focused framework[5] for managing a CM process.

However, if you do not have time to go through the publications mentioned above in great detail, or feel that your organization has not reached the point where such a large effort is needed to manage a small number of changes to your IT environment, the following three steps can help you start developing your own CM process[6]:

  1. Identify any risks and gaps in the current process for implementing and managing changes. Several factors to consider are as follows:
    • Does your organization currently have a CM process?
    • Understand the basics of the CM flow (documented in NIST 800-128 and COSO)
    • Identify and accept or mitigate your risks before beginning to develop your new CM process. Such examples are as follows:
      • Does your organization currently have only one individual who is responsible for creating and implementing all changes within your IT environment? If so, this is a risk and will need to be mitigated. Mitigations we have seen in the past include separating duties, having a supervisor approve all changes before they are implemented in the production environment, and enforcing that separation technically, for example by removing administrative access from the programmers or implementers of changes.
      • Do you track all changes? If so, are they consolidated and reviewed on a periodic basis?
      • Do you keep backups of software or code before implementing new changes?
      • Do you have separate test and development environments for your software in order to test changes before implementing them into production?
      • Do you have a patch management process? Is your patch management process documented?
  2. Develop your new process:
    • Develop a tailored draft CM process from the fundamentals described in NIST 800-128 and COSO; the process should cover the CM controls in COSO and/or NIST 800-53, Rev. 4.
    • Discuss your new draft CM process with all appropriate divisions, management and stakeholders involved in your business. Additional tailoring might be required based on management’s guidance and recommendations.
    • Test the process from start to finish.
    • After successful testing, implement your new CM process and make the entire organization aware of the changes.
  3. Continually monitor your process as you grow:
    • Conduct patch management on your IT infrastructure.
    • Conduct periodic vulnerability assessments on your IT infrastructure.
    • Periodically review all changes for completeness and adherence to the CM process that you helped develop. This will help catch errors and also ensure that staff are following the new CM process.
    • Revisit your CM process and periodically check for updated guidance from NIST or COSO. Make any changes or updates as necessary to improve the process.
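The three steps above describe controls in prose; the following script is an added example (not from the original article or from Global Shield IS) of how a small organization could check its change records against those controls mechanically: separation of duties between requester, implementer and approver, supervisor approval before a production change, a pre-change backup, testing outside production, and reconciliation of a deployment log against the change ledger to catch untracked changes. The record layout, the deployment log format and all sample data are constructed for the example.

```python
"""Review a small change-management ledger against basic CM control points.

Added example; the ChangeRecord fields, the 'timestamp deploy CHG-xxx host'
deploy-log format and every record below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (change id, rule, message)


@dataclass
class ChangeRecord:
    change_id: str
    description: str
    requested_by: str
    implemented_by: str
    environment: str                        # "dev", "test" or "prod"
    approved_by: Optional[str] = None       # supervisor who approved the change
    approved_at: Optional[datetime] = None
    implemented_at: Optional[datetime] = None
    backup_ref: Optional[str] = None        # where the pre-change backup is kept
    tested_in: Optional[str] = None         # environment the change was tested in


def review_change(rec: ChangeRecord) -> List[Finding]:
    """Apply the production-change controls to one record."""
    findings: List[Finding] = []
    if rec.environment != "prod":
        return findings  # dev/test changes are tracked but not held to prod controls here
    if rec.approved_by is None:
        findings.append((rec.change_id, "approval", "no documented supervisor approval"))
    else:
        # Segregation of duties: the approver must not be the requester or implementer.
        if rec.approved_by in (rec.requested_by, rec.implemented_by):
            findings.append((rec.change_id, "segregation",
                             f"approver {rec.approved_by} also requested or implemented the change"))
        # Approval must precede implementation.
        if rec.approved_at and rec.implemented_at and rec.implemented_at < rec.approved_at:
            findings.append((rec.change_id, "approval", "implemented before approval was given"))
    if not rec.backup_ref:
        findings.append((rec.change_id, "backup", "no pre-change backup recorded"))
    if rec.tested_in not in ("dev", "test"):
        findings.append((rec.change_id, "testing", "no evidence of testing outside production"))
    return findings


def parse_deploy_log(text: str) -> List[str]:
    """Extract change ids from constructed log lines: '<timestamp> deploy <CHG-id> <host>'."""
    ids = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "deploy":
            ids.append(parts[2])
    return ids


def reconcile_deployments(records: List[ChangeRecord], deploy_log: str) -> List[str]:
    """Return deployed change ids that have no change record (untracked changes)."""
    known = {r.change_id for r in records}
    return sorted({cid for cid in parse_deploy_log(deploy_log) if cid not in known})


def review_ledger(records: List[ChangeRecord], deploy_log: str) -> List[Finding]:
    """Periodic review: per-record controls plus ledger/deploy-log reconciliation."""
    findings: List[Finding] = []
    for rec in records:
        findings.extend(review_change(rec))
    for cid in reconcile_deployments(records, deploy_log):
        findings.append((cid, "tracking", "production deployment with no change record"))
    return findings


# Constructed sample ledger: one clean change, one done end-to-end by a single
# person, one implemented before approval, and one dev-only change.
SAMPLE_RECORDS = [
    ChangeRecord("CHG-001", "ERP patch", "alice", "bob", "prod", approved_by="carol",
                 approved_at=datetime(2014, 12, 10, 9), implemented_at=datetime(2014, 12, 11, 20),
                 backup_ref="backup-20141211-erp.tar", tested_in="test"),
    ChangeRecord("CHG-002", "Firewall rule", "dave", "dave", "prod", approved_by="dave",
                 approved_at=datetime(2014, 12, 12, 8), implemented_at=datetime(2014, 12, 12, 8)),
    ChangeRecord("CHG-003", "Report fix", "erin", "bob", "prod", approved_by="carol",
                 approved_at=datetime(2014, 12, 15, 14), implemented_at=datetime(2014, 12, 15, 9),
                 backup_ref="backup-20141215-erp.tar", tested_in="test"),
    ChangeRecord("CHG-004", "Dev schema test", "alice", "alice", "dev"),
]

# Constructed deploy log; CHG-099 was deployed with no change record.
SAMPLE_DEPLOY_LOG = """
2014-12-11T20:02 deploy CHG-001 erp-app-1
2014-12-12T08:05 deploy CHG-002 fw-edge-1
2014-12-15T09:10 deploy CHG-003 erp-app-1
2014-12-16T18:30 deploy CHG-099 erp-app-1
"""

if __name__ == "__main__":
    for change_id, rule, message in review_ledger(SAMPLE_RECORDS, SAMPLE_DEPLOY_LOG):
        print(f"{change_id} [{rule}] {message}")
```

Running the script lists five findings: three against CHG-002 (the same person requested, implemented and approved it, with no backup and no testing), one against CHG-003 (implemented before approval), and the untracked CHG-099 deployment. The rules are deliberately simple so they can be extended with an organization's own CM process, for example adding a patch-management check or a separate list of who may hold production access.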

The steps above are general and will help you get started. Each organization will have to tailor these steps based on internal policies and procedures. Each organization will also add steps as needed or remove steps that do not address a risk at the time. In addition, implementing these steps will not guarantee that you will pass an IT audit. They only serve as guidance for starting the development of a CM process. For assistance in understanding the requirements of an IT audit or for help getting optimal results, please contact us.

All organizations must implement some form of CM to manage changes to their systems and applications in order to reduce the risks mentioned above. Implementing an effective and efficient CM process will reduce[7] risks such as financial fraud, compromise of confidential data, non-functional software, data errors and costs associated with user downtime that come with implementing newer software and technology within your organization. As always, if you or someone you know needs assistance in understanding or implementing a new CM process, please do not hesitate to contact us at [email protected].

————————

[1] For the purposes of this article, we will use the term Configuration Management.

[2] We are referring to the IT Configuration Management process as opposed to the engineering Configuration or Change Management process.

[3] NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011.

[4] NIST SP 800-53, rev.4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.

[5] COSO, The 2013 COSO Framework & SOX Compliance, One Approach To An Effective Transition, June 2013.

[6] Before making any changes and/or implementing any processes into your organization, always consult with your IT Security and IT Audit departments.

[7] Although implementing a CM process will reduce certain risks, it does not eliminate them. Many other factors come into play when considering the threats of today’s world coupled with the vulnerabilities of today’s technology.

Wonderful 2014 year and more for the future!

12-29-2014

It has been a great year for GSIS.  We have gained an additional five clients and have had 100% revenue growth in 2014 alone.  Thank you everyone for your ongoing support and business.  We have many plans for 2015 which will enable us to continue growth and help our clients with their needs!

GSIS Enters DoD with FIAR and FISCAM readiness

10-14-2014

Beginning September 1, 2014, Global Shield IS will be working alongside multiple partners to assist the Department of Defense and Washington Headquarters Services with both FIAR and FISCAM audit readiness efforts.  This effort is in response to the upcoming mandatory audit scheduled for 2017.  We are excited to be helping both agencies with their IT security programs and are looking forward to helping achieve full readiness for the upcoming audits. 

New FedRAMP initiative

1-20-2014

Beginning Jan 20, 2014, Global Shield IS will be working with CA Technologies to help prepare them for the FedRAMP process.  This will help CA Technologies better position themselves to provide hosting services to the U.S. Government.

Christmas Cheer Brings Credit Fraud Fear

12-24-2013

The holidays are a time to celebrate with friends and family.  Unfortunately, the holidays are also a time when online thieves try everything within their power to steal your identity and use it for their own desires.   With the advancement of computing power, it is becoming easier for hackers to successfully conduct a data breach of any magnitude.

Follow these simple steps to avoid your credit card information being stolen:

  • Don’t make any purchases from community or shared Wi-Fi hotspots.  For example, don’t go shopping online while visiting your favorite coffee shop or fast food restaurant.
  • Never respond to any e-mails asking for your personal information.  If you need to provide information to a legitimate company, call them.
  • Turn on your browser’s pop-up blocker.  This will avoid those pesky ads that might try tricking you into providing additional information about yourself.
  • Always make sure the website you are shopping on or providing your credit card information to is secure.  Usually your web browser will display a padlock icon before the website address.  In addition, most online secure links will start with https://.
  • Always review your credit card and bank statements, weekly if possible, to check for any unusual activity.

If you feel like your information has been compromised, immediately call your credit card company or bank.   In addition, request a credit report from one of the three major credit bureaus available.   AnnualCreditReport.com provides a free credit report once a year.

And as always, enjoy the holidays with your loved ones!

End of FISMA 2013

11-22-2013

Global Shield IS is proud to announce the successful end of its first FISMA season!  We’d like to thank our partner Williams Adley for a great year. We couldn’t have done it without you!

Information Security for Small Business

11-14-2013

As the risk of successful cyber security attacks continually increases, many small business owners are still unaware of simple precautions that can save them a great deal of time and grief from a successful attack.  Information Technology (IT) security for small business has been a hot topic this year as more and more small businesses are succumbing to hacking attempts.

However, a recent survey conducted by McAfee and Office Depot[1] showed that 66 percent of small and medium sized businesses surveyed felt that their data was secure and safe from hackers. In addition, 77 percent of respondents noted that they had not been hacked.  Within the same survey, 80 percent of the respondents admitted to not using data protection.  Only about 50 percent noted that they were using e-mail and Internet security measures. Most surprisingly, 14 percent of respondents said they had not implemented any security measures within their IT environments.

As a result of our continued work with small and medium sized businesses, Global Shield IS (GSIS) has also noted that businesses with 1-50 employees tend to overlook simple IT security measures such as basic IT security awareness training, logical access controls and data encryption. With a little time and research, many of these measures can be implemented at little to no cost to the business. However, based on our discussions, small business owners have no additional time or capacity to implement these security measures within their IT environments.  They tend to focus on marketing, finance and overall expansion.

Although small and medium sized businesses tend to lack the resources to implement IT security programs within their businesses, the threat of intrusions and theft of proprietary data grows day by day. These threats have the potential to disrupt and cripple small to medium sized businesses within hours, resulting in significant loss of data, revenue and, worst of all, loss of returning customer business. Small business Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) should factor in a small budget to incorporate basic IT security measures that can close the most common vulnerabilities within their IT environments. CEOs and CFOs who do not understand IT security should consult with an IT security professional to help implement a progressive security plan.


[1] Office Depot Small Business Index Survey, September 2013


Doguhan Avsar, Principal

Mr. Avsar has over 10 years’ experience in Information Systems, Information Systems Auditing, SOX 404, security reviews, SSAE-16 reviews, managing multiple IT Security and Services teams for government organizations, delivering reporting and analysis results to upper management, Capital Planning representation and Government IT/IS contracting. He has utilized various assessment tools in performance testing and audit evaluations for various clients. He has experience supporting federal government information assurance programs and financial statement audits under FISMA, FISCAM, FedRAMP, FIAR, NIST, FIPS, and other Federal laws, regulations, and policies. Mr. Avsar has held positions at BDO and Ernst & Young where he served clients in both the government and private sectors. He was also a Program Manager for a government contracting firm, mainly dealing with Certification and Accreditation (C&A), the NIST 800-53 series, and internal, FISMA and FISCAM compliance. He has worked with clients such as the Department of Commerce, Department of Treasury, Department of State, HUD and the SEC.

Prior to Global Shield IS, he was an IS Assurance manager for BDO USA managing over 100 clients year round for the Greater Washington D.C., Nashville, Memphis, Charlotte and Raleigh offices.