Post on 17-Aug-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Information Security and Audit of Financial Institutions ...users.nik.uni-obuda.hu/szenes/InformationSecurityOfFinancial...

Szenes 1 Operational Sec. - Sec.-Based Governance

Slide 1: Information Security and Audit of Financial Institutions - Introduction

Dr. Katalin Szenes, CISA, CISM, CGEIT, CISSP, [email protected]

Obuda University, John von Neumann Faculty of Informatics, Institute Software Technology

Slide 2: is this a normal ATM?

Slide 3: an add-on to the ATM

Slide 4: a nice case for circulars

Slide 5: is it really for holding papers there?

Slide 6: another solution: a wireless camera

Slide 7: camera parts

Slide 8: what are the most dangerous threats?

lists will follow later; for now, one adverb, one direction:

INSIDE

Slide 9: how to defend the company?

is defense enough? - no, let's be proactive

strategic goal: to support market success by an improved corporate governance strategy

subgoal to the strategic goal and / or activity contributing to it

help: ideas taken from:
• information security
• IT audit

Slide 10: connection between governance, security and audit, expressed by basic information security / IT audit terms

goals - subgoals in information security / IT audit: so-called control objectives

activities in information security / IT audit: so-called control measures

special goals - information security / IT audit advice: (polished) information criteria

classification aspects - pillars of IT / IT security / corporate operations

risk - connected closely to strategy: asset risk ./.

Slide 11: connection between: governance - strategy - risk - business continuity

(operational risk) / IT risk - market success

governance - served by / is to serve: strategy

risk: is to be managed according to the strategic importance of the "things" = assets serving strategy

business continuity is a necessary condition even to survival "only"

Slide 12: what shall we do?

pave the way from / to security / audit governance

see how to:
☺ serve strategy by security
the other way round:
☺ justify security goals by governance promises

Slide 13: where is the "best" practice, and what are the designations?

www.isaca.org
www.isc2.org
www.coso.org

CISA - Certified Information Systems Auditor, CISM - Certified Information Security Manager, CGEIT - Certified in Governance Enterprise IT
designator: ISACA - Information Systems Audit and Control Association - USA

CISSP - Certified Information Security Professional
designator: ISC2 - International Information Systems Security Certification Consortium - USA

Slide 14: let's break in (at last)

let the target be any company, or even a security company

what is the goal of the attack? still stealing data; the data supervised by any company are: business info, customers' data

looking for a weakness ☺ the everlasting weak point: disorder

basic requirement of operational excellence: order

Slide 15: order?

what is order?

☺ top management responsibility for the well-being of the company

the "what" and the "who" have to be determined, together with the responsibility for determining the "how"

etc.: permission, execution, checking, acknowledgement

who will do these? - later. what is this exactly?

Slide 16: order

The order is by definition adequate if top management takes up the responsibility for the well-being of the institution. This involves, on the one hand, the determination of the strategy, aligning it to market success, and its continuous maintenance, and, on the other hand, having the company fulfill the strategic goals.

(K. Szenes: Operational Security - Security Based Corporate Governance, in: Procds. of IEEE 9th ICCC)

documentation
inventory
change management
business continuity planning
***

Slide 17: let's break in - cont'd

a story "retold": attacker: the Anonymous hacker group; target: the security company HBGary, which boasted of its cleverness

they aimed at the business of the target, and found - surprisingly - "big holes in the shoe of the shoemaker"

Slide 18: let's break in

the CEO used the same password for his Twitter, LinkedIn and (!) company mail admin account

the hacker could reset the password of a security advisor who had ssh access to a root account

+ access rights to inside data from the outside - the internet

social hacking: by writing a mail "on behalf" of someone, the hacker got a new password to access internals
+ none of these company activities had an elaborated workflow

Slide 19: let's break in

and then the hackers exploited the disorder inside

countermeasures: using the 3 pillars of operation, special case: IT

organizational, e.g.: define company organizational units, roles, job descriptions according to duties

regulational, e.g.: duties, responsibilities, checkpoints, milestones, deliverables

technical: support to all of these

Slide 20: help: best practice

ISACA - Information Systems Audit and Control Association: COBIT® - Control Objectives for Information Technology; CRM - CISA Review Technical Information Manual

ISO / IEC: International Organization for Standardization / International Electrotechnical Commission

PSZÁF: Hungarian Supervisory Authority of Financial Institutions

o availability
o confidentiality
o integrity
o + ! functionality
o + ! documentation
meaning: see the following slides

Slide 21: 3 important criteria

availability, confidentiality, integrity

there will be different definitions for the basic criteria: my style, COBIT, notes on corrections

at first - the "my style" version

Slide 22: help: best practice

availability
o to a measurable extent, in order to serve the business goals + compliance to laws & regulations
o this is the base of success - company & employee: survivability on the market, sustainable development, fulfillment of the strategic & tactical goals

bank speciality - o extreme importance:
if the customer account system is not available ...
if the communication is not available ...

Slide 23: help: best practice

confidentiality
in order to serve o both business and o private interest, through compliance to corporate policy and (inter)national laws

business interest - protected by employers
private interest - personal: protected by laws & regulations

protection against illegal access

valuable business info: data & business logic (algorithms) is to be accessed by those and only those whose job needs it

Slide 24: help: best practice

integrity of data & processing: so that they are intact + without incidents

complete data throughout processing
preserve data throughout processing
faultless processing

our important plus security / quality requirements:
o security and information security depend on the order
+ ! functionality - user satisfaction (ISO - already from the year 2000 on)
+ ! documentation throughout the SDLC must not be omitted

there is no time to hurry

Slide 25: my operational excellence requirements - criteria of excellent governance

two groups:
operational excellence criteria
asset handling excellence criteria

Slide 26: ISACA COBIT information criteria - till COBIT 4.1

Confidentiality concerns the protection of sensitive information from unauthorised disclosure.

Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Slide 27: ISACA COBIT information criteria - till COBIT 4.1

Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.

Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.

Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Slide 28: my operational excellence requirements - criteria of excellent governance - 1st group

my operational excellence criteria:
effectivity, efficiency, compliance, reliability, risk management excellence, functionality, order

the first four have the same names as their COBIT predecessors, but I generalized their scope from IT to the whole operations arena

Slide 29: my operational excellence requirements - criteria of excellent governance - 2nd group

asset handling excellence criteria:
availability, integrity, confidentiality

same names as in ISACA / the ISO 27000 family (with ancestors), but the meaning is polished for IT and extended for operations

Slide 30: another important help: my pillars

the 3 pillars are: organizational, regulational, technical

pillars of operations, pillars of IT operations

classification aspects, and even more ...

Slide 31: most dangerous: the inside

threats to the regulational pillar: almost equal to the difficulties in satisfying compliance

threats to the 1st pillar, the organizational / human pillar, with a little of the technics of IT operations, e.g.:

1 maintenance: the systems engineer working from home
hack, family, social engineering, etc.

Slide 32: most dangerous: the inside - a frequent special case: outsourcing

2 outsourcing

the most difficult problems are perhaps with the organizational / human pillar, e.g.:

/1 application systems developers leave for a better salary, coming back as an outsource partner
/2 they leave the partner firm, and found a new one again
/3 now let us choose the outsource partner - no docu, no info, etc.

./.

Slide 33: most dangerous: the inside - a frequent special case: outsourcing

2 outsourcing - cont'd - a sample of the problems only

tasks | dangers
choosing the partner | unworthy partner
inside communication of the situation | enemy from inside
contracting | requirements, responsibilities not exactly defined
service level agreement | no objective measurement, documentation, order
planning the practical execution | with the partner comes the hacker; identify the partner's job force
preliminary definition of the break-off | handling the mutual discontent

Slide 34: most dangerous: the inside

threats to the 3rd pillar, the technical pillar of IT operations, e.g.:

threats to the informatics BASES: HW, SW, network, database can cause disruption of the operation

all of the components of the infrastructure that provides the services necessary for the survival of the institution

another "good" technical possibility to endanger company operations: applications development

Slide 35: most dangerous: the inside

selected problems in applications development:

tasks | dangers
defining the activities: who - what - when ... life cycles & their phases | job, responsibility: not known
what is / isn't ready (ready = ?) | preparedness %?
testing: who, what, how, ... | functionality? vulnerabilities?

we dream about new methods but we are not ready to use them

Slide 36: most dangerous: the inside

threats: vulnerabilities of the infrastructural elements

of vital importance: the inventory of these elements and that of their state on every sensible level

o computer + generally: the physical level (the litterbox!)
o operating system + utilities
o database
o application
o network elements - these are computers!
o defense equipment - these too!
o business equipment - "automata"

Slide 37: most dangerous: the inside - when do we feel safe?

what are the requirements to be fulfilled?

what does security mean?

the requirements specifying a known situation are fulfilled to a known level

and deviations are permitted only if they are of a predefined type, of a measure that can be forecast, and of predictable probability

- that is: they are known

Slide 38: a special company: a special financial institution: the bank (insurance is easier)

requirements triggered by the involvement of money:

o the threats concerning enterprise & private data / knowledge / property
o the extra & specific challenges that the financial institutions have to counter: stealing, forging, alteration, counterfeit
o the customers want quick and safe banking operations; they do not realize the "but" between quick and safe

the bank has to apply extra strong defense, BUT while supporting customers' equipment that is out of its scope, at the customers' site and of uncertain quality

Slide 39: most dangerous: the inside

fraud - the BAD-WILLED bank employee

false transactions: salami technique, rounding down, false transfers

tampering with: the operating system, the database, the application

think! what kind of PILLARS can be the domain of our countermeasures?

Slide 40: most dangerous: the inside

bank employee - example for the requirement "organized corporate": EFT problems

threats to the EFT - electronic fund transfer - files:
• handling
• access while travelling on the network
• access to the database containing the file
• access to the application using the EFT

control measures will be the so-called preventive ones:
• authentication, then authorization (- coming later)
• securing the network
• securing the application environment

Slide 41: my general type of countermeasures

information criteria - criteria of excellent operations = candidates for control objectives

control measures: activities serving the fulfillment of control objectives

pillars of operations / IT operations revisited, now they are: help in realization

Slide 42: countermeasures - criteria / objectives

information criteria - criteria of excellent operations = candidates for control objectives

these are not the goals of the auditors but those of the company

basics: asset handling excellence: availability, integrity, confidentiality,
+: functionality, documentation

more: operational excellence
- order
- reliability, effectivity, efficiency, compliance,
- risk management excellence

Slide 43: countermeasures - fulfillment of goals: control measures - activities

• control measures: activities serving the fulfillment of control objectives

these are not executed by the auditor, even if called "control"

o detective
o preventive
o corrective

the "what-who-how" actually is = what / domain / range / who / how
type of activities, e.g.: permission, execution, checking, acknowledgement

help in identifying these: the pillars ./.

Slide 44: countermeasures - help in finding "our" way

pillars of operations / IT operations revisited, now they are: help in realization

the 3 pillars were: organizational, regulational, technical

they are good for:
• organizing company life,
• classifying the what / domain / range / who / how / ???

Slide 45: problems from the outside - more or less mishaps

e.g. external sources of danger:

external disorder: cutting cables, social movements, strikes
natural disaster: earthquake, lightning, etc.
robbery

can we handle these from inside? preventive control measures, e.g.: guards, safes, cameras, etc.

Slide 46: problems from the outside - human

crooks & other human threat sources - their reasons
customer
employee
3rd party: contracting partners - e.g. suppliers; strangers - e.g. hackers, crackers, students, etc.

▼
willing - bad-willed: for fun, for benefit
unwilling: incidental, ignorance, gullibility, credulity

and ?

Slide 47: problems from the outside - human cont'd

Banks - The Bad-Willed Customer - Counterfeiting

against the forging of money and banking forms: detective & preventive control measures, e.g.: analyzing / checking devices

against uncovered / false transactions: detective & preventive control measures, e.g.: well-defined service processes with control points, e.g. the 4-eyes principle

homework: MARK THE PILLARS of our means; FIND information / operational excellence criteria

Slide 48: problems from the outside - human cont'd

Banks - The Bad-Willed Customer - Counterfeiting

against cheating with investments / false properties: raising money on estate / fixed assets: jewels, pictures

against cheating with fictitious business entities

homework: MARK THE PILLARS; FIND information / operational excellence criteria

Slide 49: problems from the outside - human cont'd

Banks - The Bad-Willed Customer - Suspicious Transactions - Money Laundering

detective control measure: a Hungarian procedural rule: cash to be received ≥ 1 million -> report

technical prevention: inferences based on the investigation of data, e.g. a strange, unusually big amount, unusually frequent handling of the same account, etc.: data warehouses, neural networks

homework: MARK THE PILLARS; FIND information / operational excellence criteria
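The two kinds of detective control on this slide, the procedural reporting rule and the data-driven inferences (unusually big amount, unusually frequent handling of the same account), carried through as an added example that is not from the lecture; the transactions, the one-hour window, the 5-per-window limit, the 3-sigma cut-off and the minimum history length are constructed assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

REPORT_THRESHOLD = 1_000_000  # procedural rule on the slide: cash received >= 1 million -> report
WINDOW_SECONDS = 3_600        # assumption: "unusually frequent" = more than MAX_PER_WINDOW receipts in one hour
MAX_PER_WINDOW = 5
OUTLIER_SIGMAS = 3.0          # assumption: "unusually big" = above mean + 3 sigma of the account's own history
MIN_HISTORY = 5               # assumption: fewer past receipts than this give no usable baseline


@dataclass(frozen=True)
class CashTx:
    ts: int        # seconds since epoch (constructed)
    account: str
    amount: int    # cash received, in currency units


def mandatory_reports(txs):
    """Rule-based detective control: accounts with a cash receipt at or above the threshold."""
    return {t.account for t in txs if t.amount >= REPORT_THRESHOLD}


def unusually_big(txs, history):
    """Statistical detective control: amounts far above what the same account usually receives."""
    hits = set()
    for t in txs:
        past = history.get(t.account, [])
        if len(past) < MIN_HISTORY:
            continue
        mu, sigma = mean(past), pstdev(past)
        # floor on sigma so an account with a very regular history still needs a real jump
        if t.amount > mu + OUTLIER_SIGMAS * max(sigma, 0.1 * mu):
            hits.add(t.account)
    return hits


def unusually_frequent(txs):
    """Sliding-window count: accounts handled more than MAX_PER_WINDOW times within WINDOW_SECONDS."""
    stamps = defaultdict(list)
    for t in sorted(txs, key=lambda tx: tx.ts):
        stamps[t.account].append(t.ts)
    hits = set()
    for account, times in stamps.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > MAX_PER_WINDOW:
                hits.add(account)
                break
    return hits


def screen(txs, history):
    """Run all three controls; each key maps to the set of accounts an analyst should look at."""
    return {
        "REPORT": mandatory_reports(txs),
        "BIG": unusually_big(txs, history),
        "FREQUENT": unusually_frequent(txs),
    }


# constructed data: one account with a baseline, one large deposit, one burst of small deposits
SAMPLE_HISTORY = {"HU-1001": [40_000, 55_000, 60_000, 45_000, 50_000, 52_000]}
SAMPLE_TXS = [
    CashTx(1_000, "HU-1001", 900_000),     # far above this account's usual 40-60k
    CashTx(2_000, "HU-2002", 1_200_000),   # crosses the reporting threshold
] + [CashTx(10_000 + i * 600, "HU-3003", 150_000) for i in range(6)]  # six receipts in 50 minutes

if __name__ == "__main__":
    for kind, accounts in screen(SAMPLE_TXS, SAMPLE_HISTORY).items():
        print(kind, sorted(accounts))
```

The burst on HU-3003 stays under the reporting threshold on every single receipt, so only the frequency control catches it; that is why the slide lists the data-driven inferences beside the procedural rule.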

Slide 50: problems from the outside - human cont'd

Banks - The Bad-Willed 3rd party

with forged / stolen cards, e.g. (old) duplicating of magnetic stripes: money withdrawal from an ATM, purchase of goods

ATM tampering: false keyboard, camera hidden e.g. in leaflet holders, skimmer applied onto the ATM slot
(skimmer: microcomputer for reading / storing card info)

preventive control measure COULD BE: social, e.g. informative campaigns, movie, television, ads

Slide 51: problems from the outside - human cont'd

Banks - The Bad-Willed 3rd party

Internet crimes using stolen card numbers

obtaining customers' data by means of: phishing - see the GULLIBLE customer; fake warehouses, shopping facilities

MAN IN THE MIDDLE - physically, or rather in the (fake) process

for the sake of completeness: man at the end points - BUT THIS IS AN enemy INSIDE

Slide 52: problems from the outside - human cont'd - the GULLIBLE customer

inclination to believe the impossible: African stories - the hidden money of the tribe

"you won the fortune of the year"
http://our bank homepage@bad guy homepage
and the like

preventive control measure COULD BE: social, e.g. informative campaigns, movie, television, ads

e-, i-, m- and similar bankings

./.

Slide 53: problems from the outside - human cont'd - the GULLIBLE customer, also cont'd

old: e-banking with a client program: controlled security level but restricted place of availability

connecting to an internet banking system from a computer with an unpatched operating system: virus, trojan, key-logger

mobile - wireless threats

preventive control measure COULD BE: social, e.g. informative campaigns, movie, television, ads

and ./.

Slide 54: back to the countermeasures

technical preventive control measures: inferences based on the customers' usual ways: data warehouses, neural networks; SSL VPN + token; password, balance, acknowledgment of request sent in SMS

these are good against the IGNORANT / GULLIBLE customer, that is, e-, i-, m-banking threats

this is good against the inside enemy, e.g. ACCOUNT TAMPERING, too!

THE PILLAR is trivial here

Slide 55: back to the countermeasures, or rather: contribution to improvement

a best practice that should already be routine (what is "best"? - depends on the auditors' interpretation)

plan before act & continuous documentation

risk management, based on business process / data / systems classification

results:
• separation (segregation) of duties
• access provision management for units / roles / tasks
• dynamic inventory management
• dynamic documentation & change management

homework: MARK THE PILLARS; FIND information / operational excellence criteria

Slide 56: countermeasures, or rather: contribution to improvement

organisational & human bases of information security:

o risk management - based separation (segregation) of duties; access provision management for units / roles / tasks

both need: authentication + authorization ./.

segregation of duties:
• preparing the job description,
• consisting of roles, describing
• duties = allocation of the "who" of the "what-who-how",
• and their connections

hw: identify pillars, criteria

Page 29: Information Security and Audit of Financial Institutions ...users.nik.uni-obuda.hu/szenes/InformationSecurityOfFinancial... · Szenes 2 Operational Sec. - Sec.-Based Governance Szenes

Szenes 29 Operational Sec. - Sec.-Based Governance

Szenes Information Security and Audit of Financial Institutions- Introduction

57

an important, and old countermeasure - authentication + authorization

this belongs to the preconditions identity management

authentication - e.g. in the dictionary:

act of verifying athe identity of a userathe user’s eligibility to access ...aprior knowledge info

authentic: accurate, ... authoritative, ... certain, dependable, factual, trustworthy, ...

authenticate: ... authorize, ... certify, confirm,... guarantee, validate, verify, ...

. / .

Szenes Information Security and Audit of Financial Institutions- Introduction

58

authentication + authorization cont'd

authentication – IT best practice

The authentication is a 2 step process by which the system verifies the identity of the user

1st: the computer system verifies the validity of the logon ID

2nd: the computer system forces the user to substantiate his/her validity via a password

logon ID: individual identification
password: authentication - prevents unauthorized use


authentication + authorization cont'd

authorize - e.g. in the dictionary:

accredit, ... entitle ... ability, blank cheque, ... approval, credentials, leave ... permission

authorization – IT best practice: the user is authorized = has the authority to access (a given resource)

test question:

The password is best described as a method of user
A identification
B AUTHORIZATION
C AUTHENTICATION
D confirmation
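The two-step authentication above (first the logon ID is checked, then the password), the authorization that follows it, and the segregation-of-duties rule from the countermeasures slide, as an added Python example; this is not code from the lecture. The user names, roles, permissions, conflicting-role pairs and audit-log layout are constructed for illustration. The password check uses salted PBKDF2 with a constant-time comparison and does the same amount of work for an unknown logon ID, so that timing does not reveal which IDs exist.

```python
"""Added example (not from the lecture): identification by logon ID,
password authentication, role-based authorization and a segregation-of-duties
check, with an audit trail of every authentication attempt.
All names, roles and permissions below are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # illustrative work factor

# role -> permissions it grants (constructed role model)
ROLE_PERMISSIONS = {
    "teller": {"account.read", "payment.initiate"},
    "approver": {"account.read", "payment.approve"},
    "auditor": {"account.read", "log.read"},
}

# segregation of duties: role pairs one person must never hold together
SOD_CONFLICTS = {frozenset({"teller", "approver"})}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Directory:
    """Identity store: logon ID -> salt, password hash, roles; plus an audit log."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}
        self.audit_log: list[tuple[str, str]] = []  # (logon_id, outcome)
        # dummy credential so an unknown ID costs the same as a known one
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _derive(secrets.token_hex(16), self._dummy_salt)

    def add_user(self, logon_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[logon_id] = {"salt": salt, "hash": _derive(password, salt), "roles": set()}

    def assign_role(self, logon_id: str, role: str) -> bool:
        """Grant a role unless it conflicts with a role the user already holds."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        user = self._users[logon_id]
        for held in user["roles"]:
            if frozenset({held, role}) in SOD_CONFLICTS:
                return False  # segregation-of-duties violation: refused
        user["roles"].add(role)
        return True

    def authenticate(self, logon_id: str, password: str) -> str | None:
        """Step 1: is the logon ID valid?  Step 2: does the password match?
        Returns the authenticated principal, or None.  Both steps always run."""
        user = self._users.get(logon_id)
        salt = user["salt"] if user else self._dummy_salt
        expected = user["hash"] if user else self._dummy_hash
        password_ok = hmac.compare_digest(_derive(password, salt), expected)
        success = user is not None and password_ok
        self.audit_log.append((logon_id, "success" if success else "failure"))
        return logon_id if success else None

    def authorize(self, principal: str | None, permission: str) -> bool:
        """Does any role of the authenticated principal grant the permission?"""
        if principal is None or principal not in self._users:
            return False
        return any(permission in ROLE_PERMISSIONS[r] for r in self._users[principal]["roles"])

    def failed_attempts(self, logon_id: str) -> int:
        """Trace from the audit log: how many failed logons for this ID."""
        return sum(1 for lid, outcome in self.audit_log if lid == logon_id and outcome == "failure")


def demo() -> dict[str, bool | int]:
    """Constructed scenario: a teller, an approver, one bad password, one unknown ID."""
    d = Directory()
    d.add_user("alice", "correct horse battery staple")
    d.add_user("bob", "hunter2")
    d.assign_role("alice", "teller")
    d.assign_role("bob", "approver")
    alice = d.authenticate("alice", "correct horse battery staple")
    return {
        "alice_authenticated": alice == "alice",
        "wrong_password_rejected": d.authenticate("alice", "wrong") is None,
        "unknown_id_rejected": d.authenticate("mallory", "hunter2") is None,
        "alice_can_initiate": d.authorize(alice, "payment.initiate"),
        "alice_cannot_approve": not d.authorize(alice, "payment.approve"),
        "sod_refuses_approver_for_alice": not d.assign_role("alice", "approver"),
        "bob_can_approve": d.authorize(d.authenticate("bob", "hunter2"), "payment.approve"),
        "alice_failed_logons": d.failed_attempts("alice"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the example: authentication answers "who is this?" (and the password, not the logon ID, is what proves it), authorization answers "what may this person do?", and segregation of duties is enforced at role assignment time, before any access decision is made. The audit log is what the "tracing the activities - logging" element of the technical pillar later relies on.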


a base of the control measures / improving activities to be introduced: strategy-driven risk management

my proven solution:

strategy-based security: supporting strategy by security

risk = strategic value of the asset * probability of the threat materialising

weighting the criteria according to the current requirements of the strategy

is the best practice really the best?

try a feasible special case


a base of the control measures / improving activities to be introduced: strategy-driven risk management (cont'd)

the development & application of detective / preventive / corrective control measures depend on the parameters of the thing to be handled - here the risk:

risk (impact) = value of the asset * probability of the attack / mishap

the value of the asset: from the classification of the (information-related) assets

the role of the information security methods in enterprise risk management:
• identification of the vulnerabilities
• invention of the methods to handle these

HOW TO DO THIS - 3 pillars (organizational, technical, regulational) x control types (detective - preventive - corrective), and matrices crossing these with, e.g., the criteria


back to the 3 pillars - organizational

requirements:
• availability
• integrity
• confidentiality
• access control
• legal, regulatory compliance
• functionality
• best professional practice

organizational units:
• top management
• IT
• physical / logical IT security - independent from IT
• compliance dept.
• internal audit
• legal dept.
• external audit (entrepreneur)

support: IT steering committee, risk management shadow organization


back to the 3 pillars - regulational

usual information systems (IS) security prescriptions:

• IS security rulebook
• virus prevention
• internet usage
• mail usage
• (IT & non-IT) BCP & disaster recovery - new: BC management!
• documentational prescriptions
• backup - restore (=/= archiving)
• physical security rulebook

new: IS security short practical guide
take care with the use of the term "policy"!


back to the 3 pillars - technical

requirement: to contribute to the transport of the information to its destination + to ensure its proper access (to those, and only those, who need it for their work)

the elements of the technical solution include:

o developing & aligning the network topology to our tasks and size
o choosing, implementing & maintaining defense equipment
  to prevent + detect: firewalls; intrusion defense: network-based and host-resident sensors
o tracing the activities - logging


back to the criteria - they have to be polished, e.g. availability

"Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities." [COBIT 4.1]

proposal for the IT case: Availability of the information means that if it concerns a given matter, then it is available to every employee who is competent in this matter, in a planned, predictable, and documented way, according to the preliminary agreements on its accessibility.

√ to a measurable extent: the predictability of the availability, the way of access, the time interval for which the information is available, etc.

The COBIT definition mixes confidentiality into availability;
the mutual dependence of the criteria had to be clarified, too.


back to the criteria - compliance: regulatory aspects

regulatory requirements:
laws from: national; European Union
laws relevant: to the given branch of industry; to the order of the governmental unit

branch specific prescriptions: supervisory regulations & advice

(best practice recommendations - not only conventions for decorum)

the IS SDLC - the information system's system development life cycle - has to be aligned to these, mostly by means of information security methods


back to the criteria - compliance: regulatory aspects

general - Hungarian:

Data Protection Act: Act LXIII of 1992

branch specific - financial institution specific amendment, effective from 2004:

in financial institutions there must be:
• a data protection officer
• a data protection procedural rulebook
• obligatory reports on the handling of personal data

replaced by: Act CXII of 2011 on the right to informational self-determination and on freedom of information (2011. évi CXII. törvény az információs önrendelkezési jogról és az információszabadságról)

right to self-determination concerning information; freedom of information; NAIH (the National Authority for Data Protection and Freedom of Information) with new powers - fines; talk on data transfer, etc.


back to the criteria - compliance: regulatory aspects

general - Hungarian - cont'd:

Copyright Act: Act LXXVI of 1999

licence management: costly technical control measures

Act LXVI of 1992 on the recording of the personal data and home address of citizens

brand new, from different sources: Act L of 2013 on the electronic information security of state and municipal bodies (2013. évi L. törvény az állami és önkormányzati szervek elektronikus információbiztonságáról; Magyar Közlöny No. 69, 25 April 2013)

classification of the (application) systems, based on the CMM - Capability Maturity Model - taken from COBIT, not from the SEI (Software Engineering Institute) - alas! the CMM relates to organizations, not to systems

∃ information strategy - ...


back to the criteria - compliance: regulatory aspects

Hungarian laws concerning financial institutions:

Act CXII of 1996 on Credit Institutions and Financial Enterprises (Hpt.); information security requirements: "Hpt. § 13"; purpose: availability, confidentiality, integrity

"modification": Act XXII of 2004 - reorganisation of the Supervisory Authority; others: enterprise governance, risk management, capital requirements

numerous modifications

new! Government Decrees 196/2007 and 200/2007 on credit / operational risk


back to the criteria - compliance: regulatory aspects

the good old: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Official Journal L 281, 23/11/1995, p. 0031-0050

EU general, e.g.:

NATO Security Policy - [C-M(2002)49]
Personnel Security Directive - [NATO AC/35-D/2000]
Physical Security Directive - [NATO AC/35-D/2001]
EU Council's Security Regulations - [2001/264/EC]


back to the criteria - compliance: regulatory aspects

EU laws concerning financial institutions: Directives 2006/48/EC, 2006/49/EC, 2007/18/EC - Basel II: authorisation of the activities, capital requirements (fulfilling the requirements that characterize the quality of IT support lightens the capital requirements)

2004/39/EC - Markets in Financial Instruments Directive (MiFID), successor of the Investment Services Directive

responsibilities of the actors in card payment: Payment Card Industry (PCI) Security Standards Council requirements; PCI DSS: Payment Card Industry Data Security Standard; see e.g.
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
https://www.pcisecuritystandards.org/security_standards/index.php




supporting references - ISACA

CISA Review Technical Information Manual, ed.: Information Systems Audit and Control Association, Rolling Meadows, Illinois, USA

- personal involvement: I was a member of the Quality Assurance Team, 1998

COBIT® and related materials (COBIT = Control Objectives for Information and related Technology), Copyright © IT Governance Institute®

COBIT improvements, e.g.: Capability Maturity Model - maturity; Balanced Scorecard - performance


supporting references - ISACA

COBIT Executive Summary, April 1998, 2nd Edition, released by the COBIT Steering Committee and the Information Systems Audit and Control Foundation

COBIT® 3rd Edition, July 2000, released by the COBIT Steering Committee and the IT Governance Institute™; editor: Information Systems Audit and Control Association - ISACA

COBIT® 4.0 Control Objectives, Management Guidelines, Maturity Models, Copyright © IT Governance Institute®, 2005

COBIT® 4.1 Framework, Management Guidelines, Maturity Models, Copyright © IT Governance Institute®, 2007


supporting references - ISACA

COBIT® 5 Design Paper Exposure Draft, © 2010 ISACA

other COBIT® 5 materials followed - personal involvement: I was a member of the Subject Matter Expert Group

"COBIT 5.0 Vol. I – The Framework" and "COBIT 5.0 Vol. IIa – Process Reference Guide", © 2011 ISACA, working paper

COBIT 5: Enabling Processes - An ISACA Framework, Copyright © 2012 ISACA


supporting references – ISO

the 27000 family:

International Standard ISO/IEC 27000, first edition 2009-05-01, Information technology — Security techniques — Information security management systems — Overview and vocabulary, reference number ISO/IEC 27000:2009(E), Copyright © ISO/IEC 2009

International Standards ISO/IEC 27001, 27002, 27005

others, such as: ISO Guide 73:2009 (risk management vocabulary)


supporting references – ISO

ISO/IEC 15408 Information technology — Security techniques — Evaluation criteria for IT security (Common Criteria) (TCSEC, then ITSEC, then CC)

Hungarian Standard MSZ ISO/IEC 12207:2000, Magyar Szabványügyi Testület (Hungarian Standards Institution), Informatika. Szoftveréletciklus-folyamatok - Information technology. Software life cycle processes; corresponds to ISO/IEC 12207:1995

etc.


a short sample from my publications used in these slides

2010: "IT GRC versus ? Enterprise GRC - but: IT GRC is a Basis of Strategic Governance"; EuroCACS 2010

2011: Enterprise Governance Against Hacking; Proceedings of the 3rd IEEE International Symposium on Logistics and Industrial Informatics - LINDI 2011, August 25–27, 2011, Budapest, Hungary

2011: Serving Strategy by Corporate Governance - Case Study: Outsourcing of Operational Activities; Proceedings of the 17th International Business Information Management Association conference - IBIMA, November 14-15, 2011, Milan, Italy, ed. Khalid S. Soliman

2012: Extending IT security methods to support enterprise management, operations and risk management (in Hungarian: Informatikai biztonsági módszerek kiterjesztése a vállalatirányítás, a működés, és a kockázatkezelés támogatására), in the Hungarian journal Quality and Reliability (Minőség és Megbízhatóság)


some of my publications on outsourcing

2010: Auditing outsourcing of IT resources, Part I, Part II (in Hungarian: Az informatikai erőforrás-kihelyezés auditálási szempontjai, I., II. rész), in: Information Security Handbook (Az Informatikai biztonság kézikönyve), Verlag Dashöfer, Budapest, Hungary

Part I: February 2010, pp. 8.10.1 – 8.10.26 (26 pages); Part II: December 2010, pp. 8.10.27 – 8.10.158 (132 pages); total 158 pages

2011: Serving Strategy by Corporate Governance - Case Study: Outsourcing of Operational Activities; Proceedings of the 17th International Business Information Management Association conference - IBIMA, November 14-15, 2011, Milan, Italy


publications on my opinion concerning legislation and its use

Informatikai biztonsági megfontolások a Sarbanes - Oxley törvény ürügyén (A 2002-es Sarbanes - Oxley törvény hatásai az informatikai biztonsági rendszerekre és az informatikai ellenőrök feladataira. A jelentésszolgálat és a többi kulcsfontosságú alkalmazás felügyeletének kérdései) - in Hungarian: IT security considerations triggered by SOX (the effects of the Sarbanes-Oxley Act of 2002 on IT security systems and on the tasks of IT auditors; questions of supervising the reporting service and the other key applications); in: Az Informatikai biztonság kézikönyve, 22nd update, Verlag Dashöfer, October 2006, pp. 2.2.1.1 – 2.2.8.8, total 96 pages

Az informatikai biztonsággal kapcsolatos törvényekről és rendeletekről - in Hungarian: On the Hungarian laws and regulations dealing with IT security; in: Az Informatikai biztonság kézikönyve, 33rd update, Verlag Dashöfer, May 2009, pp. 3.4.1 – 3.4.34, total 34 pages