ISACA Cloud Audit/Assurance Program

Just when you thought it was safe to start your assessment of a cloud, ISACA releases yet one more methodology, which I will call the CCMAAP. The introduction on the ISACA site to CCMAAP is not very clear about how this fits with other assessment projects. It gets called a program, tool, template and road map all in the first sentence.

Objective—The cloud computing audit/assurance review will:

* Provide stakeholders with an assessment of the effectiveness of the cloud computing service provider’s internal controls and security
* Identify internal control deficiencies within the customer organization and its interface with the service provider
* Provide audit stakeholders with an assessment of the quality of and their ability to rely upon the service provider’s attestations regarding internal controls.

It looks quite useful for anyone already using COBIT or wondering how COSO works with a cloud. The first thing that jumps to my mind is that the COBIT mappings look very sparse. Page after page of audit questions have no COBIT reference. Even the CSA has only a few questions without a COBIT reference.

BP to Compete on Security

The new CEO of BP is making a case for security as a competitive advantage. Reuters reports that he ousted his exploration chief as part of a vow to boost safety.

“There is a pressing need to rebuild trust in BP around the world,” [Chief Executive Bob] Dudley added.

Neither in the official or internal statements did Dudley admit that safety failings particular to BP played a role in the oil spill.

Instead, he repeated BP’s position that the disaster highlighted industry shortcomings — a line of argument which has enraged BP’s rivals, who accuse the London-based company of having a weak focus on safety and technical excellence.

I guess as long as BP is part of the industry they are in a well-informed position to talk about its shortcomings.

Abuse of the Body Scanners

The SF Chronicle has been reporting on full body scanners lately. They say 28 airports in the US are scheduled to get them by the end of the year:

The agency is accelerating use of the scanners after the U.S. said Nigerian Umar Farouk Abdulmutallab tried to blow up a Northwest Airlines flight on approach to Detroit Dec. 25 by igniting explosives in his underpants. The 1,000 scanners due at airports by the end of next year will put the devices at more than half the security lanes at major U.S. airports.

Privacy is more than just a theoretical concern, however. allAfrica calls this “Now Showing at MMIA: Nude Images of Passengers”:

The 3D full-body scanners procured for thorough body check of passengers at the nation’s major airports for security reasons are now being abused by security officials from the Federal Airports Authority of Nigeria (FAAN), THISDAY can confirm.
They use the machines, installed in the wake of the Farouk AbdulMutallab affair, to watch the naked images of female passengers for fun.

Passengers are not required to use the scanners, despite the TSA investment. A medical-software consultant quoted in the SF Chronicle makes it clear that she will always opt out.

Powell said she will continue to allow extra time before her flights to find the line that won’t force her to walk through the body scanners, even if they are upgraded [with privacy enhancements]. The devices are still capable of transmitting and storing images, she said, and that “is scary.”

Updated to add (28/10/10):

I now make it a regular habit to opt out of the scanners. Each time I am asked “you realize this will take longer” and I say yes. I am not dissuaded.

Given the delays I am subjected to during travel, another delay is no big deal. Losing my privacy is a big deal. Being subjected to harmful rays is also a concern. So, yes, I realize it will take longer but I don’t mind.

Once I was asked to explain myself to management. A weary-looking woman pulled out a pen and paper pad while another TSA agent slowly ran his hands down my legs. She said “I am required to document your reason.” She stared at me with the look of “this better be good”.

“Privacy” I said.

She paused. Then she asked “That’s it? Your reason is privacy?”

“Yes, privacy” I repeated.

She grew a large smile and said “Wow, that’s easy! Great. Some are so long.” Then she let out a small laugh and said “Have a nice day” as she walked away.

Indeed. Nice day.

Non-human Payment Application Logs

The Assessor Update for September 2010 has an amusing clarification about what to log. Apparently some PA-QSA believed that if there was no human interaction with a system then “individual access” was not required for logs. Not true, says the PCI SSC. They give the following details:

10.2.1 All individual accesses to cardholder data

10.2.2 All actions taken by any individual with root or administrative privileges

10.2.3 Access to all audit trails

10.2.4 Invalid logical access attempts

10.2.5 Use of identification and authentication mechanisms

10.2.6 Initialization of the audit logs

10.2.7 Creation and deletion of system-level objects

Even if a payment application cannot be configured to provide individual access to cardholder data (possibly supporting a finding of N/A for 10.2.1), the application must still be assessed against each of the other requirements listed above. Again, not all of these events require active interaction by a human user to be performed, and these activities must be logged regardless of what type of account is performing them.
Thus, “individual access” now clearly covers both human and non-human accounts: the account performing the event does not change whether the event must be logged.
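To make the clarification concrete, here is an added example (not PCI SSC material or any vendor's code) that runs the two readings of requirement 10.2 over a constructed batch of audit records. The JSON log lines, the account names (svc-settle, svc-report, jdoe) and the event labels such as "cardholder_data_access" are this example's own assumptions; the 10.2.x numbering comes from the text above. A "human-only" retention policy is compared with an "all accounts" policy, and the check reports which sub-requirements end up with no evidence at all.

```python
import json

# PCI DSS 10.2 sub-requirements, keyed by the event label this example uses
# in its own log records (the labels are assumed naming, not from the standard).
REQUIRED_EVENT_TYPES = {
    "10.2.1": "cardholder_data_access",
    "10.2.2": "privileged_action",
    "10.2.3": "audit_trail_access",
    "10.2.4": "invalid_access_attempt",
    "10.2.5": "authentication",
    "10.2.6": "audit_log_init",
    "10.2.7": "system_object_change",
}

# Constructed sample audit records (JSON lines) from one nightly settlement run.
# "svc-settle" and "svc-report" are application service accounts; "jdoe" is a human admin.
SAMPLE_LOG = """\
{"ts": "2010-09-14T01:00:00Z", "actor": "svc-settle", "actor_type": "service", "event": "audit_log_init"}
{"ts": "2010-09-14T01:00:01Z", "actor": "svc-settle", "actor_type": "service", "event": "authentication", "result": "success"}
{"ts": "2010-09-14T01:00:02Z", "actor": "svc-settle", "actor_type": "service", "event": "system_object_change", "object": "tmp_batch_0914"}
{"ts": "2010-09-14T01:00:05Z", "actor": "svc-settle", "actor_type": "service", "event": "cardholder_data_access", "rows": 4210}
{"ts": "2010-09-14T01:07:30Z", "actor": "svc-report", "actor_type": "service", "event": "invalid_access_attempt", "result": "denied"}
{"ts": "2010-09-14T08:15:00Z", "actor": "jdoe", "actor_type": "human", "event": "authentication", "result": "success"}
{"ts": "2010-09-14T08:16:10Z", "actor": "jdoe", "actor_type": "human", "event": "privileged_action", "detail": "restart settlement worker"}
{"ts": "2010-09-14T08:17:00Z", "actor": "jdoe", "actor_type": "human", "event": "audit_trail_access"}
"""


def parse_log(text):
    """Parse JSON-lines audit records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def human_only_policy(record):
    """The misreading the Assessor Update rejects: keep only human actors' events."""
    return record["actor_type"] == "human"


def all_accounts_policy(record):
    """The clarified reading: every account's events are retained."""
    return True


def retained(records, policy):
    """Apply a retention policy and return the records that survive it."""
    return [r for r in records if policy(r)]


def coverage_gaps(records):
    """Return the 10.2 sub-requirements with no retained event of that type."""
    seen = {r["event"] for r in records}
    return sorted(req for req, ev in REQUIRED_EVENT_TYPES.items() if ev not in seen)


def unlogged_actors(all_records, retained_records):
    """Accounts whose activity the retention policy dropped entirely."""
    kept = {r["actor"] for r in retained_records}
    return sorted({r["actor"] for r in all_records} - kept)


def assess(log_text, policy):
    """Summarise what an assessor would find under a given retention policy."""
    records = parse_log(log_text)
    kept = retained(records, policy)
    return {
        "gaps": coverage_gaps(kept),
        "silent_actors": unlogged_actors(records, kept),
    }


if __name__ == "__main__":
    for name, policy in (("human-only", human_only_policy),
                         ("all accounts", all_accounts_policy)):
        print(name, assess(SAMPLE_LOG, policy))
```

Under the human-only policy the service accounts vanish from the trail, and with them the evidence for 10.2.1, 10.2.4, 10.2.6 and 10.2.7; under the all-accounts policy every sub-requirement has at least one record. The same check is useful beyond this one case: pointing `assess` at a real export with a candidate filter shows which requirements the filter would leave without evidence before it is put into production.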

One can only assume that someone might have thought they could get around log requirements by hiring a parrot to run their POS. “Squawk! Credit card number please. Squawk!”