BullsEye Selected as a Master Contractor for Maryland Montgomery College’s Multi-Year IT Contract

Fulton, Maryland – July 11, 2018 – BullsEye Computing Solutions was selected by Montgomery College of Maryland as a Master Contractor for a five-year IT contract.

Under this IDIQ contract, BullsEye and its subcontractors will provide IT staffing and project-based services to the college and its affiliates in six (6) functional areas:

  1. IT Management
  2. IT System Management
  3. Information System Security
  4. Web & Internet Systems
  5. Application Support & Software Engineering
  6. Data Analytics & Reporting

BullsEye specializes in empowering technology and human resources to help customers achieve process efficiency and deliver high-profile, mission-critical projects. The firm has 20 years of experience fulfilling the business and IT needs of commercial and public organizations throughout the world. For more information, contact Elizabeth Hess at (410) 480-9443.

BullsEye plans to partner with Global Shield IS, whose Information Security and Compliance experience will strengthen the team's expertise in those focus areas.

Global Shield Information Services (GSIS) specializes in IT auditing for highly regulated government and commercial organizations. It supports public accounting firms with IT Risk Management capabilities and performs IT financial and security audits and information assurance. For more information, contact Doguhan Avsar at (202) 656-4099, or visit https://globalshieldis.com/.

An Introductory Guide to Audit Readiness – Part 2

Continuing from Part One, where we covered the key milestones in the readiness process for an audit as well as the timelines to consider for assessments in Governance, Risk Management, Compliance, Information Technology and Financial Reporting, we can now take a look at the following competencies within departments and their procedures for audit readiness:

  • The required leadership to support assessments
  • IT Resources (IT)
  • The procedures of internal controls, and
  • Information Technology competencies – to be covered in Part 3

Required Support from Leadership

Leadership support is defined by the organization's willingness to adopt audit readiness as a necessary company process. When leadership supports audit readiness procedures, it creates an environment of cooperation at all levels of the organization, which typically yields better results than an organization without that support.

Full adoption and support from leaders across the organization results in complete engagement planning standards that define who should be involved in the audit procedure and what their role will be in the readiness process. These leaders should have an ongoing, active role throughout the entire readiness process.

Audit Readiness for IT

Audit readiness for IT means having the right employees in place, with the right skills, aptitudes, experience and continuing education, who are able to identify drawbacks or obstacles and correct them along the way. These skilled individuals will also be able to establish practical solutions to implement, and to analyze and address any manual or automated requirements for internal controls. They would also be able to identify and/or train the supporting staff required to assist in the readiness procedure.

Once IT leadership has put the appropriate readiness resources in place, the team's staffing level and individual skills need to be sustained and prepared for growth. Sustainability can be accomplished through continuous training and knowledge sharing within the department. Each team member should also receive challenging tasks or be assigned appropriate projects to grow the overall IT team skill set, further sustaining the readiness procedure.

Assurance with Internal Controls

Internal controls require a designed set of policies and procedures that must be implemented and then maintained. Maintaining these policies and procedures provides assurance of steady and functioning business operations, compliance with regulatory and legal requirements, and, lastly, reliable reporting.

Once an organization has demonstrated that its internal control procedures operate effectively and has been able to show that it is in good standing, this serves as a positive benchmark of the overall health of the organization, including its financial statements.

Please note: These guidelines from Global Shield IS are for an organization's general information purposes only. They are not intended as legal or business advice or analysis. Global Shield IS instead invites any business with further questions about its uncommon or unique circumstances to contact the office for further counsel. We will then assign the most appropriate adviser to address each question specifically.

An Introductory Guide to Audit Readiness – Part 1

Understanding the audit readiness of an organization means having the ability to identify the audit requirements that need to be in place, from the infrastructure or back-end perspective to the preparation that needs to take place from a financial reporting perspective.

Audit requirements may include:

  • Governance
  • Risk management
  • Compliance
  • Information technology – environment
  • Financial reporting
  • The financial close process

Each of these areas may pose a significant risk to the successful execution of an audit if it is not considered as part of an overall 'audit requirements' set. These particular elements of an audit are routinely overlooked or underestimated by executives and management, along with their various teams. Executives and management who need to lead these teams tend instead to focus on gaining the competitive edge in their industry and, at the most basic level, lack the understanding and knowledge required to prepare for and achieve the readiness required. Executives and management should instead turn to industry consultants for support and guidance while they focus on 'business' success. Turning to a professional consulting firm from the beginning can lead to a successful audit along with reduced overhead costs while undergoing the audit itself.

The time required to prepare

In most cases, the effort and time required to prepare for an audit are misjudged once timelines are set or, more often than not, underestimated. While each organization's timelines may vary depending on its unique business requirements, it can typically take from 6 to 18 months to achieve readiness.

The key milestones in the readiness process should include:

  • An overall readiness assessment
  • A compliance assessment
  • A financial reporting assessment
  • IT infrastructure/systems and data assessment
  • Corporate governance assessment
  • Any other business-specific requirements that need to be included in the assessments

IT and data assessments – the most time consuming

Global Shield IS considers all the key milestones to be relevant and important to include in the timeline. Among these milestones, IT infrastructure, systems and data assessments most notably require a considerable amount of time to execute. Furthermore, with respect to timelines, audit-related engagements from Global Shield IS are managed professionally and supervised to ensure quality, and they utilize industry-specific audit processes.

The timelines and processes of preparing for the IT and data-specific assessments should give any organization a clearer understanding of its business operations and of how to perform more efficiently and effectively going forward.


Emerging Countries Still Lacking in IT Compliance

Emerging markets at the forefront of technology, yet still lacking in IT compliance

Until just a short time ago it seemed inappropriate to invest in Information Technology (IT), let alone operate IT teams and systems, in emerging markets such as Africa, China, Brazil or even the United Arab Emirates (UAE). In fact, governing bodies deemed it too risky and financially reckless. Now, instead, we look at these high-end emerging markets and their growth (especially in IT) as the so-called new frontier, with their ability to implement and use technology to their advantage successfully and efficiently, and to set up functioning IT teams and systems. IT compliance, on the other hand, is another debate.

Entering or operating still a challenge

Although no longer deemed risky, entering these emerging markets and operating IT compliance departments in them is challenging, especially when there is a prerequisite to invest in human or machine technological capabilities, or to enter the market as a third-party technology entity (which would need to rely on internal and even external IT teams and systems to operate). One would expect adherence to processes and enforcement of IT compliance, for present and future success.

When we look at attitudes toward compliance in emerging markets, every country faces different sentiments, ranging from complete disregard of or passiveness toward compliance to a lack of understanding of the impact of non-compliance. Presently, IT and technology in general play a key role in the following factors for emerging countries:

  • enhancing infrastructures
  • leading business development
  • growing economies
  • socioeconomic status of people

Without IT compliance there will be a lack of conformity to specifications, policies, procedures and standards as a whole. There will be no goals for IT departments to aspire to, and no effort by personnel to abide by them.

UAE – still at the forefront of technology

The UAE, considered by the rest of the world to be a rapidly emerging market at the forefront of technology, may lack IT compliance, but it is strongly encouraged by a governing body, NESA, the National Electronic Security Authority (tasked with protecting the country's critical information infrastructure and improving national cyber security overall), to adopt, apply and/or begin transitioning to the standards it sets. This is a positive step towards the introduction, and in the near future the enforcement and application, of IT compliance.

Despite the lack of IT compliance, the UAE has been able to invest in and execute cutting-edge technology to support infrastructure such as motorway toll gates, automated passport controls and an automated airport smartgate system, to name but a few.

For such complex systems and the need for their regulation, Global Shield IS undertakes compliance reviews, advising and training entities about IT compliance and its advantages. It will be interesting to see where the future of IT compliance leads an emerging market entity such as the UAE.

About our services – https://globalshieldis.com/services/

Configuration Management: Why You Should Care, No Matter Your Size

12-30-2014

As technology advances and more companies turn to computer software to digitally process their data, a great many of those companies overlook a very critical business process known as Configuration Management[1]. At a high level, Configuration Management (CM)[2] is the process of managing and tracking all changes within an entity, be it an individual server or an entire organization. It can quickly become a complex and labor-intensive process; however, implementing the basic fundamentals matters most. The official definition as stated by the National Institute of Standards and Technology (NIST)[3] is as follows:

Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

Over the course of the past ten years, we have observed companies, large and small, overlook this process as a whole or mismanage it by not segregating duties among several individuals, inherently introducing significant risk to the organization. As a result, lack of proper CM has led to non-functional software, data errors, system downtime, compromise of data and even financial fraud within an organization.

To minimize these costly risks it is important to implement a CM process to properly manage changes within your organization. Fortunately, this process can be tailored to your organization's size and capabilities. NIST has a very detailed publication, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, which covers CM in large, complex environments; the controls for periodically checking that the process is working as it should are in a separate publication, NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations[4]. In addition, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) offers a less detailed, financially focused framework[5] for managing a CM process.

However, if you do not have time to go through the publications mentioned above in great detail, or feel that your organization has not reached the level where such a large effort is needed to manage a small number of changes to your IT environment, the following three steps could help you start developing your own CM process[6]:

  1. Identify any risks and gaps in the current process for implementing and managing changes. Several factors to consider are as follows:
    • Does your organization currently have a CM process?
    • Understand the basics of the CM flow (documented in NIST 800-128 and COSO)
    • Identify and accept or mitigate your risks before beginning to develop your new CM process. Such examples are as follows:
      • Does your organization currently have only one individual who is responsible for creating and implementing all changes within your IT environment? If so, this is a risk and will need to be mitigated. Examples we have seen in the past include separating duties and having a supervisor approve all changes before they are implemented into the production environment. In addition, changes included enforcement of separation, such as removing administrative access for programmers or implementers of changes.
      • Do you track all changes? If so, are they consolidated and reviewed on a periodic basis?
      • Do you keep backups of software or code before implementing new changes?
      • Do you have separate test and development environments for your software in order to test changes before implementing them into production?
      • Do you have a patch management process? Is your patch management process documented?
  2. Develop your new process:
    • Develop a tailored draft CM process from the fundamentals described in NIST 800-128 and COSO; the process should cover the CM controls in COSO and/or NIST 800-53, rev. 4.
    • Discuss your new draft CM process with all appropriate divisions, management and stakeholders involved in your business. Additional tailoring might be required based on management’s guidance and recommendations.
    • Test the process from start to finish
    • After successful testing, implement your newfound CM process and make the entire organization aware of the changes.
  3. Continually monitor your process as you grow:
    • Conduct patch management on your IT infrastructure.
    • Conduct periodic vulnerability assessments on your IT infrastructure.
    • Periodically review all changes for completeness and adherence to the CM process that you helped develop. This will help catch errors and also ensure that staff are following the new CM process.
    • Revisit your CM process and periodically check for updated guidance from NIST or COSO. Make any changes or updates as necessary to improve the process.
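The periodic review in the last step (checking every change for completeness and adherence to the process) can be partly automated against a change log. The following is an added example, not code from the original article or from Global Shield IS: a small Python change-log reviewer that applies the controls raised under step 1, namely that someone other than the implementer approves each change, that approval precedes production deployment, that a backup is taken first, and that the change is tested outside production. The Change record fields, the control names and the sample change entries are constructed assumptions for this example and do not come from the page.

```python
"""Change-log review for a basic CM process (added example; the record layout,
control names and sample entries below are constructed assumptions)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Change:
    change_id: str
    implementer: str
    approver: Optional[str]          # None if nobody signed off
    backup_ref: Optional[str]        # identifier of the pre-change backup, if any
    tested_in: Optional[str]         # environment the change was tested in
    approved_before_deploy: bool     # was approval recorded before production?


@dataclass
class Finding:
    change_id: str
    control: str
    detail: str


# Environments that count as "outside production" for the testing control.
NON_PRODUCTION = {"test", "dev"}


def review_change(change: Change) -> list[Finding]:
    """Apply each CM control to one change and return the failures."""
    findings: list[Finding] = []
    # Segregation of duties: a supervisor other than the implementer approves.
    if change.approver is None:
        findings.append(Finding(change.change_id, "approval", "no approver recorded"))
    elif change.approver == change.implementer:
        findings.append(Finding(change.change_id, "segregation_of_duties",
                                f"{change.implementer} approved their own change"))
    # Approval must happen before the change reaches production.
    if not change.approved_before_deploy:
        findings.append(Finding(change.change_id, "approval_timing",
                                "approval recorded after production deployment"))
    # A backup of the software or code is taken before the change.
    if not change.backup_ref:
        findings.append(Finding(change.change_id, "backup", "no pre-change backup reference"))
    # The change is tested in a separate environment first.
    if change.tested_in not in NON_PRODUCTION:
        findings.append(Finding(change.change_id, "testing", "not tested outside production"))
    return findings


def review_log(changes: Iterable[Change]) -> dict[str, list[Finding]]:
    """Review a whole log; only changes with at least one finding are returned."""
    report: dict[str, list[Finding]] = {}
    for change in changes:
        findings = review_change(change)
        if findings:
            report[change.change_id] = findings
    return report


def summarize(report: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings per control, which is what a periodic review would report."""
    return dict(Counter(f.control for findings in report.values() for f in findings))


# Constructed sample change log (not real data).
SAMPLE_CHANGES = [
    Change("CHG-1001", "alice", "bob", "bk-2014-12-01", "test", True),        # compliant
    Change("CHG-1002", "carol", "carol", "bk-2014-12-03", "test", True),      # self-approved
    Change("CHG-1003", "dave", None, None, None, True),                       # no approval, backup or test
    Change("CHG-1004", "alice", "bob", "bk-2014-12-09", "production", False), # late approval, untested
]

if __name__ == "__main__":
    report = review_log(SAMPLE_CHANGES)
    for change_id, findings in report.items():
        for f in findings:
            print(f"{change_id}: [{f.control}] {f.detail}")
    print("totals:", summarize(report))
```

A real log would be loaded from the ticketing or version-control system instead of the constructed list, but the controls stay the same; the summary per control is the figure worth tracking across review periods to see whether staff are following the process.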

The steps above are general and will help you get started. Each organization will have to tailor these steps based on internal policies and procedures. Each organization will also add or remove steps that do not present a risk at the time. In addition, implementing these steps will not guarantee that you will pass an IT audit. They only serve as guidance for starting the development of a CM process. For assistance in understanding the requirements of an IT Audit or for help getting optimal results, please contact us.

All organizations must implement some form of CM to manage changes to their systems and applications in order to reduce the risks mentioned above. Implementing an effective and efficient CM process will reduce[7] risks such as financial fraud, compromise of confidential data, non-functional software, data errors and costs associated with user downtime that come with implementing newer software and technology within your organization. As always, if you or someone you know needs assistance in understanding or implementing a new CM process, please do not hesitate to contact us at [email protected].

————————

[1] For the purposes of this article, we will use the term Configuration Management.

[2] We are referring to the IT Configuration Management process as opposed to the engineering Configuration or Change Management process.

[3] NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011.

[4] NIST SP 800-53, rev.4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.

[5] COSO, The 2013 COSO Framework & SOX Compliance, One Approach To An Effective Transition, June 2013.

[6] Before making any changes and/or implementing any processes into your organization, always consult with your IT Security and IT Audit departments.

[7] Although implementing a CM process will reduce certain risks, it does not eliminate them. Many other factors come into play when considering the threats of today’s world coupled with the vulnerabilities of today’s technology.

Christmas Cheer Brings Credit Fraud Fear

12-24-2013

The holidays are a time to celebrate with friends and family. Unfortunately, the holidays are also a time when online thieves try everything within their power to steal your identity and use it for their own desires. With the advancement of computing power, it is becoming easier for hackers to successfully conduct a data breach of any magnitude.

Follow these simple steps to avoid your credit card information being stolen:

  • Don’t make any purchases from community or shared Wi-Fi hotspots.  For example, don’t go shopping online while visiting your favorite coffee shop or fast food restaurant.
  • Never respond to any e-mails asking for your personal information.  If you need to provide information to a legitimate company, call them.
  • Turn on your browser’s pop-up blocker.  This will avoid those pesky ads that might try tricking you into providing additional information about yourself.
  • Always make sure the website you are shopping on or providing your credit card information to is secure.  Usually your web browser will display a padlock icon before the website address.  In addition, most online secure links will start with https://.
  • Always review your credit card and bank statements, weekly if possible, to check for any unusual activity.

If you feel like your information has been compromised, immediately call your credit card company or bank.   In addition, request a credit report from one of the three major credit bureaus available.   AnnualCreditReport.com provides a free credit report once a year.

And as always, enjoy the holidays with your loved ones!